### Stable BOA-3.2.2 Release - Full Edition
### Date: Sat Jan 20 11:03:34 PST 2018
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.2
# Release Notes:
This BOA release provides system security upgrades, many bug fixes,
latest Aegir version, plus all supported Drupal distributions updated
to latest versions, and supplied with latest Drupal 7 core, if possible.
Thanks to Drush 8.1.15-dev we also support the newest Drupal 8.4.4 core.
@=> Important changes planned in the next BOA feature release
BOA-3.2.2 is the last release still supporting PHP 5.3, 5.4 and 5.5 versions.
These versions will be *removed* in the next release, and instead
there will be support for PHP 7.1 and 7.2 added.
Future releases will no longer include Pressflow 6 platforms, but Pressflow 6
will be fully supported, and can still use PHP 5.6 -- We recommend using
our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus
# Changes:
* Add support for WOFF 2.0
* Commerce 2.51
* Guardr 2.40
* OpenAtrium 2.624
* Panopoly 1.49
# System upgrades:
* Adminer 4.3.1
* Galera 10.0.33
* MariaDB 10.1.30
* MariaDB 10.2.12
* MariaDB 5.5.59
* Nginx 1.13.8
* OpenSSL 1.0.2n (used only in Nginx)
* PHP 5.6.33
* PHP 7.0.27
* PHP extension for Redis 3.1.6
* Pure-FTPd 1.0.47
* Redis Server 4.0.6
* Ruby 2.4.2
* Use Redis integration mod-30-12-2017 (D7)
# Fixes:
* Add mongo to the list of permissions exceptions, if installed
* Do not delete empty platforms if ~/static/control/platforms.info is used
* Do not restart Redis daily if /root/.high_traffic.cnf exists
* Fix Drupal 8 detection for distros with vendor dir moved out of docroot
* Fix requirements for the latest compass version
* Hints config update
* LE not renewing expired certificates due to IPv6 DNS entries -- #1179
* Notifications about new BOA editions are sent to notify@omega8.cc -- #1219
* Override fastcgi_params to make geoip headers work again
* Redirect module conflict with manual cron execution in D8 -- #1215
* Remove hmac-ripemd160 MAC, deprecated in OpenSSH 7.6 -- #1217
* The _SSH_ARMOUR=YES not compatible with OpenSSH 7.6 -- #1218
* Update keys for rvm.io
* Update LE License to LE-SA-v1.2-November-15-2017.pdf
* Use advagg-7.x-2.30
* Use modified rvm-installer.sh for user-level installations
* Use reroute_email-7.x-1.3
* Use rvm_silence_path_mismatch_check_flag=1
### Stable BOA-3.2.1 Release - Full Edition
### Date: Sat Oct 7 19:58:53 PDT 2017
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.1
# Release Notes:
This BOA release provides system security upgrades, many bug fixes,
latest Aegir version, plus all supported Drupal distributions updated
to latest versions, and supplied with latest Drupal 7 core, if possible.
Thanks to Drush 8.1.15-dev we also support the newest Drupal 8.4 core.
@=> Important changes planned in the next BOA release
BOA-3.2.1 is the last release still supporting PHP 5.3, 5.4 and 5.5 versions.
These versions will be *removed* in the next release, and instead
there will be support for PHP 7.1 and 7.2 added.
Future releases will no longer include Pressflow 6 platforms, but Pressflow 6
will be fully supported, and can still use PHP 5.6 -- We recommend using
our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus
@=> Drupal 6 vanilla core is deprecated starting with BOA-3.2.1
Drupal 6 vanilla core is no longer supported. It was never really supported,
but could still work. Those running Drupal 6 instead of supported Pressflow 6
will notice that their site displays only the homepage and all links/menus
no longer display expected content. This change is a result of new rewrite
in the Nginx configuration, required to properly support both Drupal 8 and
Drupal 7. Time to migrate to latest, included in this release, Pressflow 6!
# Changes:
* Add chained commands to forbidden list in lshell
* Add Nginx Headers More module support
* Add support for --include/exclude-filelist for duplicity -- #1158
* Add support for upcoming MariaDB 10.2
* Auto-update duplicity if installed
* Deny bots on non-prod domains, not only on aliases -- #1178
* Do not pause the tasks queue during mysql backup
* Do not truncate queue and accesslog tables by default
* Enable New Relic integration for PHP 7.0
* Install ipset to improve CSF performance
* mongodb.so for D8.2 and PHP7.0 -- #1128
* Run 3 queue tasks in parallel by default
* Use redis_scan_enable = FALSE by default
# System upgrades:
* CSF 10.22
* Drush micro-8-07-10-2017
* Galera 10.0.32
* MariaDB 10.1.28
* MariaDB 10.2.9
* MariaDB 5.5.57
* Nginx 1.13.5
* Node 6.x version bump -- #1129
* OpenSSH 7.6p1
* OpenSSL 1.0.2l (used only in Nginx)
* PHP 5.6.31
* PHP 7.0.24
* PHP extension for Redis 3.1.4
* Pure-FTPd 1.0.46
* Redis Server 4.0.2
* Update Redis module for Drupal 8
* Upgrade drush to support Drupal 8.4 -- #1206
* Upgrade wkhtmltopdf and wkhtmltoimage to 0.12.4
# Fixes:
* Add SSH (RSA) keys how-to
* Add support for tar.xz archives
* Add symlink suggested in #999
* Allow a bit higher load limits for queue runner
* Barracuda is not installing ipset so csf doesn't work -- #1203
* Deprecate no longer working distros
* Disable innodb_corrupt_table_action in 10.2
* Do not enable entitycache in the Commons distro
* Exclude special https.* proxy vhosts from daily cleanup
* Fix permissions on password files for HTTP Basic Auth -- #1187
* Fix syntax and race conditions in fire/water
* Galera compatibility: do not edit mysql.user directly
* Improve CSF race conditions protection
* Improve default system cron queue
* Improve repo.psand.net/pubkey update
* Improved PHP OPCache default configuration
* Linux kernel CVE-2017-2636 hotfix
* Linux kernel CVE-2017-6074 hotfix
* Make sure that not supported tools are not re-installed on VServer
* Move excludes first as they are more specific than includes -- #1168
* PHP not installed after Wheezy to Jessie upgrade -- #999
* Redirect module breaks Drupal 8 sites in BOA if present -- #1061
* Remove --numeric-ids option from xboa -- #1146
* Restart DB server on upgrade only if config has changed
* Run fast enough fire.sh again
* Silence mysql cleanup output -- #1180
* Site in subdirectory cookie is not set correctly -- #1211
* Sync PHP disable_functions across all versions
* Update default robots.txt -- #1172
* Use --skip-add-locks — Galera Cluster compatibility
* Use absolutely graceful MySQLD restart procedure
* VServer 4.1.42-vs2.3.8.6-beng compatibility
* Wait for MySQLD availability before running DB backup
* Whitelist known search engines bots IPs
### Stable BOA-3.2.0 Release - Full Edition
### Date: Sun Feb 26 09:11:39 PST 2017
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.0
# Release Notes:
This BOA release provides many new features, system security upgrades, many
improvements and bug fixes, latest Aegir version, plus all supported Drupal
platforms updated to latest versions, and supplied with latest Drupal 7 core,
if possible.
The reason we list here also new features and changes already listed in
previous BOA-3.1.4 version is that they were supposed to be included in this
(3.2.0) release, since we normally don't include new features in bugfix
releases, but we had to publish more bugfix/security releases in the 3.1.x
series than initially expected, while new features were already pushed to HEAD
in anticipation of delayed 3.2.0 release.
We have also moved some new features originally intended to be included
in the (3.2.0) release to the next 3.3.0 milestone, which is expected
in about one month after 3.2.0 release.
@=> Magic permissions fix now happens on-the-fly
The most interesting new Aegir feature is probably the ability to fix file
permissions and ownership on any site and platform, without waiting for
the running daily magic fix. Now it happens on-the-fly, when you run normal
platform and site Verify tasks.
@=> MariaDB 10.1 is now the new default version
If you are already running 10.0, BOA will upgrade it to _DB_SERIES=10.1
but if you still run _DB_SERIES=5.5 it will continue to use MariaDB 5.5
on your system (not recommended).
# New features and enhancements:
* Add Microsoft Hyper-V to supported virtualization systems
* Add support for _HOURLY_DB_BACKUPS=YES via Percona XtraBackup
* Add support for ‘boa version’ command
* Add support for /root/.my.batch_innodb.cnf weekly procedure
* Add support for /root/.my.restart_after_optimize.cnf procedure
* Add support for fix_ownership and fix_permissions on-the-fly
* Add support for latest 3.18.44-vs2.3.7.5-beng VS kernel
* Add support for latest 4.1.33-vs2.3.8.5.2-beng VS kernel
* Add support for the Open Lucius Distribution to Aegir -- #888
* Add support for the Opigno LMS Distribution to Aegir -- #953
* Automatically whitelist CloudFlare and Sucuri IPs (faster version)
* Bundle Opigno LMS dependencies: TinCanPHP and pdf.js
* Configure _INNODB_LOG_FILE_SIZE automatically
* Docs for Twig Debugging in Drupal 8.2.x and BOA #1085
* Improve InnoDB performance
* Improve Let's Encrypt docs
* Include advagg, cdn, and robotstxt in o_contrib_eight -- #1096
* Install ClamAV and RKhunter by default -- #1019
* Make boost cache clearing configurable via _CLEAR_BOOST variable -- #1115
* MariaDB 10.1 support (new default version) -- #866
* Open LDAP ports 389 and 3268 for outgoing TCP connections
* Speed up mysql stop/start
* Update S3 regions list for backboa backups
* Use blazing fast Redis (SCAN) method on wildcard cache delete
* Use Redis_CacheCompressed mode, if available (saves a ton of RAM)
# Changes:
* Allow to run global OPTIMIZE only once per month, on the last Sunday
* Always update barracuda, boa and octopus wrappers, ignore _SKYNET_MODE=OFF
* Enable ARCHIVE Storage Engine in MariaDB 10.1
* Force _CUSTOM_CONFIG_SQL=NO on MariaDB major upgrade/reinstall
* Remove exception for cache_form bin in Redis configuration
* Remove no longer supported textile module
* Run db OPTIMIZE only weekly, if configured
* Use bzip2 also for standard db backups
* Use lower system load limit for queue runner
* Use MySQLTuner to configure SQL limits — enabled by default
# System upgrades:
* CSF/LFD 9.30
* Drupal 7.54.2
* Drush micro-8-07-02-2017
* Duplicity 0.7.11 (please run 'backboa install' to upgrade)
* MariaDB 10.1.21
* MariaDB 5.5.54
* MariaDB Galera Cluster 10.0.29
* Nginx 1.11.10
* OpenSSL 1.0.2k (used only in Nginx)
* PHP 5.6.30
* PHP 7.0.16
* Pure-FTPd 1.0.45
* Redis 3.2.8
* Redis D8/D7 integration mod-09-02-2017
* Use ImageMagick 7.0.4-6 if built from sources
* Use Redis integration mod-14-02-2017 (D7)
# Fixes:
* Can't add clients on BOA3 -- #926
* Do not add newer InnoDB settings when old server version is in use -- #1122
* Do not disable site_readonly daily on migrated instances
* Fix the not working hostmaster LE cert auto-update (typo)
* Force vnstat restart on version upgrade
* Improve disable_chattr() and enable_chattr() logic
* Improve docs/FAQ.txt as suggested in #1119
* Improve userprotect initial-only setup -- #926
* MariaDB server not running properly alert -- #1122
* Migration should re-use Let's Encrypt certs in HTTPS proxy vhosts -- #1106
* Randomize SQL backup schedule
* Rebuild hosting_custom_settings feature after enabling Redis on install
* Sync db server (optional) restart with optimize
* Sync max_execution_time for PHP-FPM
* Sync max_input_time for PHP-FPM
* Update docs/SSL.txt -- #1109
* Whitelist /dev/urandom in open_basedir
### Stable BOA-3.1.4 Release - Full Edition
### Date: Tue Dec 20 14:09:21 PST 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.4
### Latest hotfix added on: Wed Dec 21 12:44:58 PST 2016
# Release Notes:
This BOA release provides system security upgrades, many improvements
and bug fixes, latest Aegir version, plus all supported Drupal platforms
updated to latest versions, and supplied with latest Drupal 7 core,
if possible.
@=> Magic permissions fix now happens on-the-fly
The most interesting new Aegir feature included in this release is probably
the ability to fix file permissions and ownership on any site and platform,
without waiting for the running daily magic fix. Now it happens on-the-fly,
when you run normal platform and site Verify tasks.
@=> MariaDB 10.1 is now the new default version
If you are already running _DB_SERIES=10.0, this BOA release will upgrade it
to _DB_SERIES=10.1 -- but if you still run _DB_SERIES=5.5 it will continue
to use MariaDB 5.5 on your system.
# New features and enhancements:
* Add Microsoft Hyper-V to supported virtualization systems
* Add support for ‘boa version’ command
* Add support for fix_ownership and fix_permissions on-the-fly
* Add support for latest 3.18.44-vs2.3.7.5-beng VS kernel
* Add support for latest 4.1.33-vs2.3.8.5.2-beng VS kernel
* Automatically whitelist CloudFlare and Sucuri IPs (faster version)
* Configure _INNODB_LOG_FILE_SIZE automatically
* MariaDB 10.1 support (new default version) -- #866
* Use Redis_CacheCompressed mode, if available (saves a ton of RAM)
# Changes:
* Always update barracuda, boa and octopus wrappers, ignore _SKYNET_MODE=OFF
* Enable ARCHIVE Storage Engine in MariaDB 10.1
* Force _CUSTOM_CONFIG_SQL=NO on MariaDB major upgrade/reinstall
* Remove no longer supported textile module
* Run db OPTIMIZE only weekly, if configured
* Use MySQLTuner to configure SQL limits — enabled by default
# System upgrades:
* CSF 9.28
* Drush micro-8-17-12-2016
* MariaDB 10.1.20
* MariaDB Galera Cluster 10.0.28
* Nginx 1.11.7
* OpenSSH 7.4p1 (if installed from sources)
* OpenSSL 1.0.2j (used only in Nginx)
* PHP 5.6.29
* PHP 7.0.14
* PHPRedis 3.1.0
* Redis 3.2.6
* Use mydropwizard-6.x-1.6
* Use Redis module mod-20-12-2016
# Fixes:
* Allow to run downgrade to _DB_SERIES 5.5 (experimental, not recommended!)
* Always reinstall cURL from packages if broken
* AMP support -- #948
* Archive PHP logs in /var/backups/php-logs/
* Check if bind should be installed early enough
* Do not enable innodb-defragment — it may crash the server
* Fix for check_root_keys_pwd()
* Fix for disable_chattr()
* Fix for missing PHP config regression -- #1105
* Fix for VnStat sysconfdir
* Fix the check in detect_deprecated_php()
* Ignore search lines to avoid breaking pdnsd config -- #1069
* Improve SQL defaults
* Make sure innodb_buffer_pool_instances is always defined
* Migration between installation profiles -- #1076
* Monitor more lines when /root/.hr.monitor.cnf exists
* Multiply already high opcache.max_accelerated_files
* Nginx: Set Access-Control-Allow-Origin header only for static files
* Remove duplicate config updates and restarts
* Remove various tmp/dot files breaking du command
* Sync the new on-the-fly permissions magic with BOA daily.sh logic
* The .git/* files are downloadable -- #1091
* Triple check that all sql tables are upgraded
* Update JS module to 7.x-2.1 -- #586
* Update migrate docs to avoid issues with already migrated instances
* Use long enough wait times for big SQL servers restarts
* Use Open Atrium own patched Drupal core -- #1083
### Stable BOA-3.1.3 Release - Barracuda Edition
### Date: Mon Sep 12 17:54:50 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.3
# Release Notes:
This BOA release provides important security upgrades and bug fixes.
You should upgrade via 'barracuda up-stable system' immediately.
Note: Octopus upgrade is **not** included in this BOA release.
Technically, even by running normal system update with previous BOA release
you would apply all security upgrades, since they are provided by MariaDB
packages, and thus enforced no matter if we release new BOA version, or not,
so we are doing this purely to make sure that all users have been alerted
about the situation affecting their systems.
# Changes:
* Move Nginx cache cleanup to daily cleanup procedure
* Use standard hourly schedule for self-update in clear.sh
# System upgrades:
* Add all Tika versions from 1.1 to 1.13 in /opt/tika9/
* MariaDB 10.0.27 (critical security upgrade)
* MariaDB Galera Cluster 10.0.27 (critical security upgrade)
* MongoDB database driver 1.6.14 for all PHP versions < 7 -- fixes #981
* Pure-FTPd 1.0.43
# Fixes:
* Check if curl works and re-install if needed before running auto-update
* Log LE renewal attempts
* Log out all users after lshell em upgrade
* Make sure that cURL is always listed in packages
* Move permissions fix overrides check to the correct place
* Nginx: default FastCGI cache levels value may exhaust all inodes -- #2791885
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.1.2 Release - Full Edition
### Date: Sat Aug 20 14:43:43 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.2
### Latest hotfix added on: Thu Aug 25 09:17:59 PDT 2016
# Release Notes:
This BOA release provides system security upgrades, improvements
and bug fixes, plus all supported Drupal platforms updated to latest
versions, and supplied with latest Drupal 7 core.
@=> You can use NPM to install Grunt/Gulp/Bower -- #1028 by @pricejn2 (thanks!)
Now the same ~/static/control/compass.info file will activate not only
RVM, which can be used to install Compass Tools, but also NPM, which
can be used to install Grunt/Gulp/Bower.
You will need to re-initialize your account to have it added, by
deleting the control file, and adding it again after ~10 minutes.
More details: https://github.com/omega8cc/boa/blob/master/docs/RVM.txt
@=> Redis integration works with Drupal 8 -- with no effort on your side
We have added a smart activation procedure, to meet the D8 Redis module
requirements. The system will add Redis integration to your Drupal 8
sites automatically, but will keep it inactive, until the module will be
installed properly, during nightly system autonomous maintenance.
This means that Redis will start working in every existing and newly
installed Drupal 8 site with some initial delay, to get things installed
in the correct order, and still without any effort on your side.
# Other enhancements:
* Add mydropwizard to Drush extensions for Drush Make D6 support
* Add support for Drupal 8 specific development.services.yml file
* Allow to configure stable/head BOA auto-upgrades via _AUTO_VER variable
* Compatibility with Multi-byte UTF-8 support in Drupal 7
# Changes:
* Add Adminer database manager and deprecate Chive manager -- #1036
* Enable Let's Encrypt LIVE mode via ~/static/control/ssl-live-mode.info
* Force /root/.use.curl.from.packages.cnf to install cURL from packages
* Run db sqlmagic auto conversion also on test/dev sites, if activated
# System upgrades:
* CSF 9.11
* Drush micro-8-23-07-2016
* Lshell 0.9.18.8 (security update for shell escalation issues)
* MariaDB 10.0.26
* MariaDB 5.5.51
* Mysqltuner v1.6.15
* Nginx 1.11.3
* OpenSSH 7.3p1 (if installed from sources)
* PHP 5.5.38
* PHP 5.6.25
* PHP 7.0.10
* PHPRedis dev5-11-08-2016
* PHPRedis dev7-11-08-2016
* Redis 3.2.3
* Redis D8 integration mod-12-08-2016
* vnStat 1.15
# Fixes:
* Avoid race conditions on web system user update
* Debian Jessie 8.3+ needs grub update -- fixes #912
* Detection of Amazon AWS / EC2 instance -- fixes #930
* Disable Redis integration until module is installed (D8 only)
* Do not force --default-character-set=utf8 -- see #1020
* Don’t set $MANPATH when npm support is enabled
* Fix for openssh-sftp-server status on Jessie
* FMG installation hangs on keyring install -- fixes #1050
* Force InnoDB in sqlmagic for Drupal 7+ -- see #1020
* Ignore ~/control/multi-fpm.info on too old Octopus (2.4) instances
* Linux Kernel CVE-2016-5696 mitigation
* Mitigate httpoxy vulnerability
* Nginx: Fix for not working autodiscover flood protection
* Nginx: Fix for the add_header inheritance
* Nginx: Improve fastcgi_cache_valid TTL settings
* Octopus auto-upgrade should set _AUTOPILOT=YES on the fly -- fixes #1041
* Remove deprecated MyISAM exceptions in sqlmagic command
* Run detect_cdorked_malware() only if /usr/sbin/nginx exists
* Run registry-rebuild directly after hostmaster upgrade
* Single _tmp_ dir is enough to require forced cleanup (Drush cache)
* Sync keyring install command with BOA standard -- #1052
* Sync modules auto en/dis for Drupal 8
* Update check_boa_php_compatibility()
* Upgrade to panels-7.x-3.7 (security) in all distros using the module
* Whitelist elFinder requests
* Workaround for aegir_backup_export_path
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.1.1 Release - Full Edition
### Date: Wed Jun 22 12:24:17 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.1
### Latest hotfix added on: Fri Jun 24 06:01:07 PDT 2016
# Release Notes:
This BOA release provides system security upgrades, improvements
and bug fixes, plus all supported Drupal platforms updated to latest
versions, and supplied with latest Drupal 7 core (security release).
# New features and enhancements:
* Add _SSH_ARMOUR feature
* Add strict check for supported virtualization systems
* Allow to install ImageMagick from sources when _MAGICK_FROM_SOURCES=YES
# Changes:
* Deprecate support for old Solr versions <4
* Switch cluster support to 3.x
# System upgrades:
* Drush micro-8-15-06-2016
* MariaDB 5.5.50
* Nginx 1.11.1
* PHP 5.5.37
* PHP 5.6.23
* PHP 7.0.8
* Redis 3.2.1
# Fixes:
* Add compatibility with magick src
* Add ToC (Table of Contents) for the Let’s Encrypt section in docs/SSL.txt
* Downgrade JSmin from 2.0.1 to 2.0.0 -- fixes #993
* Fix for legacy cluster support
* Fix for virtualbox detection -- see #972
* Fix permissions on sites directories
* Fix sites/all/drush permissions compatibility with Drush 8.2
* Improve protection for custom solrconfig.xml and schema.xml -- fixes #969
* Migration: xboa supports only Aegir 2.x -- #960
* Reinstall default-jre on major OS upgrade, if needed -- fixes #986
* Remote Drush support regression -- fixes #984
* The ~/static/control/README.txt is not updated on octopus upgrade #965
* Update docs/SOLR.txt to match currently supported procedures -- fixes #963
* Use st_runner() wrapper only for apt-get/aptitude
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.1.0 Release - Full Edition
### Date: Thu May 26 16:41:40 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.0
### Latest hotfix added on: Mon May 30 08:55:03 PDT 2016
@=> Includes Aegir Hostmaster 3.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes new features, system upgrades, improvements
and bug fixes, with most notable features and changes listed below.
All supported Drupal platforms have been updated to latest versions.
@=> Let’s Encrypt free SSL certificates are supported directly in Aegir
@=> PHP-FPM version can be switched per site hosted on the same instance
@=> Both Aegir control panel and its backend are compatible with PHP 7.0.7
@=> Support for forced Drush cache clear in the Aegir backend
@=> BOA can run Debian Wheezy to Debian Jessie upgrades easily
More details on new features, enhancements and changes can be found below.
###
#-### Let’s Encrypt free SSL certificates are supported directly in Aegir
###
You can find these important Let’s Encrypt topics discussed below:
# Introduction
# How it works?
# How to add Letsencrypt.org SSL certificate to hosted site?
# How to add Letsencrypt.org SSL certificate to the Aegir Hostmaster site?
# How to modify/renew Letsencrypt.org SSL certificate for SSL enabled site?
# Are there any requirements, limitations or exceptions?
# How to enable live mode?
# How to replace Let's Encrypt certificate with custom certificate?
[ Available also at: https://omega8.cc/node/381 ]
This BOA release opens a new era in SSL support for all hosted Drupal sites.
The old method of creating SSL proxy vhosts is officially deprecated,
as explained in the docs/SSL.txt how-to:
NOTE ###===>>>
The old how-to is still useful if you prefer to use SSL termination separated
from your Aegir system, or if you don't want to use built-in Letsencrypt.org
SSL certificates support (available since BOA-3.1.0).
But if you can use Letsencrypt.org SSL certificates, or you are willing to use
also built-in BOA feature which allows you to replace Letsencrypt.org SSL
certificate with any third-party certificate per site, while still managing SSL
via Aegir control panel (for redirects, forced/required SSL mode), we highly
recommend to use Aegir built-in SSL support, which is enabled and ready to use
in all Octopus instances since BOA-3.1.0 release.
NOTE ###===>>>
* How it works?
BOA leverages letsencrypt.sh utility to talk to Letsencrypt.org servers,
and on the Aegir side it's using new `hosting_le` extension, which replaces
self-signed SSL certificates generated by Aegir with Let's Encrypt ones.
You can find more information on both at these URLs:
https://github.com/lukas2511/letsencrypt.sh
https://github.com/omega8cc/hosting_le
* How to add Letsencrypt.org SSL certificate to hosted site?
In your Aegir control panel please go to the site's node Edit tab, then
under `SSL Settings > Encryption` choose either `Enabled` or `Required`,
if you want to enable HTTP->HTTPS redirection on the fly. Now click `Save`
and wait until you see the Verify task completed. Done!
NOTE: SSL Settings are not available in the Add Site form, only in Edit.
* How to add Letsencrypt.org SSL certificate to the Aegir Hostmaster site?
!!! WARNING
!!! ###===>>> Don't enable SSL option for the Hostmaster site in Aegir
!!! WARNING
Let’s Encrypt SSL for Aegir control panel is handled in BOA outside of
the control panel, and you should never enable it within control panel.
During octopus upgrade you will see this message, explaining what to do:
BOA [02:44:59] ==> UPGRADE B: Letsencrypt SSL initial mode: DEMO
BOA [02:44:59] ==> UPGRADE B: LE -- No real SSL certs will be generated
BOA [02:44:59] ==> UPGRADE B: LE -- To enable live SSL mode, please delete file:
BOA [02:44:59] ==> UPGRADE B: LE -- /data/disk/o1/tools/le/.ctrl/ssl-demo-mode.pid
BOA [02:44:59] ==> UPGRADE B: LE -- Then run octopus forced upgrade
* How to modify/renew Letsencrypt.org SSL certificate for SSL enabled site?
When you modify aliases or redirections, Aegir will re-create the SSL
certificate on the fly, to match current settings and aliases to list.
BOA runs auto-renewal checks for you weekly, and forces renewal if there is
less than 30 days to the certificate expiration date (Let’s Encrypt certs
are valid for up to 90 days before they have to be renewed).
Also every Verify task against SSL enabled site runs this check on the fly.
* Are there any requirements, limitations or exceptions?
Yes, there are some:
* All aliases must have valid DNS names pointing to your server IP address
* Even with aliases redirection enabled all aliases are listed as SAN names
* Avoid renaming SSL-enabled sites; move aliases between site's clones instead
* Before you rename a site, disable SSL first; then re-enable once it's renamed
NOTE: Subject Alternative Names (SAN) is a feature which allows issuing
multi-domain / multi-subdomain SSL certificates -- it is automated in BOA.
Let's Encrypt API for live, real certificates has its own requirements
and limits you should be aware of. Please visit their website for details:
https://letsencrypt.org/docs/rate-limits/
To make this new BOA feature easy to test before you are ready to
generate real, live SSL certificates, BOA comes with Let's Encrypt demo
mode enabled by default, so it will not hit limits enforced for live,
real Let's Encrypt SSL certificates. It allows you to generate "fake" certs,
similar to the self-signed certificate used in BOA by default.
NOTE: All sites with one or more keywords (listed below) in the site's
main name (this exception rule doesn't apply to aliases) will be ignored,
and they will receive only self-signed SSL certificates generated by Aegir,
once you will switch their SSL settings to `Enabled` or `Required`.
`.(dev|devel|temp|tmp|temporary|test|testing|stage|staging).`
Examples: `foo.temp.bar.org`, `foo.test.bar.org`, `foo.dev.bar.org`
NOTE: This exception rule doesn't apply to aliases which are not used
as a redirection target. Even aliases with listed special keywords in their
names will be listed as SAN entries, as long as they are valid DNS names.
* How to enable live mode?
It is enough to delete the `[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid`
control file and run Verify task on any SSL enabled site again.
NOTE: If you are on hosted BOA, you don't have access to this location
on your system, so please open a ticket at: https://omega8.cc/support
You could switch it back and forth to demo/live mode by adding and deleting
the control file, and it will re-register your system via Let's Encrypt API,
but we have not tested how it may affect already generated live certificates
once you will run the switch many times, so please try not to abuse
this feature.
It is important to remember that once you switch the Let's Encrypt mode
to demo from live, or from live to demo, by adding or removing the
`[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid` control file, it will not
replace all previously issued certificates instantly, because certificates
are updated, if needed, only when you (or the BOA system for you during its
daily maintenance, if used) will run Verify tasks on SSL enabled sites.
These BOA specific Verify tasks are normally scheduled to run weekly,
between Monday and Sunday, depending on the first character in the site's
main name, so both live and demo certificates may still work in parallel
for SSL enabled sites until it will be their turn to run Verify and update
the certificate according to currently set Let's Encrypt mode.
NOTE: You may find some helpful details in the Verify task log -- look for
lines with `[hosting_le]` prefix.
* How to replace Let's Encrypt certificate with custom certificate?
1. Create an empty control file (replace `example.com` with your site name):
`[aegir_root]/tools/le/.ctrl/dont-overwrite-example.com.pid`
2. Replace `privkey.pem` symlink with single file containing your custom
certificate key -- use `privkey.pem` as a filename in the directory:
`[aegir_root]/tools/le/certs/example.com/`
3. Replace `fullchain.pem` symlink with single file containing your custom
certificate and all intermediate certificates beneath it -- use
`fullchain.pem` as a filename in the same directory:
`[aegir_root]/tools/le/certs/example.com/`
4. Run Verify task for your site in the Aegir control panel. Done!
NOTE: If you are on hosted BOA, you don't have access to this location
on your system, so please open a ticket at: https://omega8.cc/support
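The replacement steps above can be checked before running Verify. The shell function below is an added example, not part of BOA: it assumes `openssl` is installed and takes the `[aegir_root]/tools/le` directory and the site name as arguments. The function names and the reuse of the 30-day renewal threshold as an expiry warning are this example's own choices.

```shell
#!/bin/sh
# Added example (not BOA code): pre-flight check for a custom certificate
# placed in the Let's Encrypt layout described in steps 1-4 above.
# Usage: check_custom_cert <le_dir> <site>   (<le_dir> = [aegir_root]/tools/le)

RENEW_WINDOW=$((30 * 24 * 3600))   # 30 days, the renewal threshold quoted above

# Succeeds only if $1 is a regular file and not a symlink (steps 2 and 3).
is_plain_file() {
  [ -f "$1" ] && [ ! -L "$1" ]
}

# Prints one line per problem; returns 0 when the site is ready for Verify.
check_custom_cert() (
  le_dir=$1 site=$2 problems=0
  ctrl="$le_dir/.ctrl/dont-overwrite-$site.pid"
  key="$le_dir/certs/$site/privkey.pem"
  chain="$le_dir/certs/$site/fullchain.pem"

  fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

  [ -e "$ctrl" ] || fail "control file missing: $ctrl"
  is_plain_file "$key" || fail "privkey.pem must be a regular file, not a symlink"
  is_plain_file "$chain" || fail "fullchain.pem must be a regular file, not a symlink"

  if [ -f "$key" ] && [ -f "$chain" ]; then
    # openssl x509 reads the first certificate in the file, i.e. the leaf.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || cert_pub=
    # -passin pass: keeps openssl from prompting if the key is encrypted.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
      fail "cannot parse key or certificate as unencrypted PEM"
    elif [ "$cert_pub" != "$key_pub" ]; then
      fail "private key does not match the leaf certificate"
    fi
    # -checkend exits non-zero when the cert expires within the window.
    openssl x509 -in "$chain" -noout -checkend "$RENEW_WINDOW" >/dev/null 2>&1 \
      || fail "leaf certificate expires in under 30 days (or is unreadable)"
    # Step 3 asks for the certificate plus its intermediates in one file.
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$chain") || certs=0
    [ "$certs" -ge 2 ] \
      || echo "WARN: fullchain.pem holds $certs certificate(s); intermediates missing?"
  fi

  [ "$problems" -eq 0 ]
)

# Run as a script: sh check-custom-cert.sh <le_dir> <site>
if [ "$#" -eq 2 ]; then
  check_custom_cert "$1" "$2"
fi
```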
###
#-### Support for PHP-FPM version switch per Octopus instance (also per site)
###
### ~/static/control/fpm.info
###
### This file, if exists and contains supported and installed PHP-FPM version,
### will be used by running every 2-3 minutes system agent to switch PHP-FPM
### version used for serving web requests by this Octopus instance.
###
### IMPORTANT: If used, it will switch PHP-FPM for all Drupal sites
### hosted on the instance, unless multi-fpm.info control file also exists.
###
### Supported values for single PHP-FPM mode which can be written in this file:
###
### 7.0
### 5.6
### 5.5
### 5.4
### 5.3
###
### NOTE: There must be only one line and one value (like: 7.0) in this file.
### Otherwise it will be ignored.
###
### It is now possible to make all installed PHP-FPM versions available
### simultaneously for sites on the Octopus instance with additional
### control file:
###
### ~/static/control/multi-fpm.info
###
### This file, if exists, will switch all hosted sites to highest
### available PHP-FPM version within the 5.3-5.6 range, with ability
### to override PHP-FPM version per site, if the site's name is listed
### in this additional control file, as shown below:
###
### foo.com 7.0
### bar.com 5.5
### old.com 5.3
###
### NOTE: Each line in the multi-fpm.info file must start with the main site
### name, followed by a single space, and then the PHP-FPM version to use.
###
###
#-### Support for PHP-CLI version switch per Octopus instance (all sites)
###
### ~/static/control/cli.info
###
### This file is similar to fpm.info: if it exists and contains a supported
### and installed PHP version, it will be used by the system agent, which
### runs every 2-3 minutes, to switch the PHP-CLI version for this Octopus
### instance, but it will do this for all hosted sites. There is no option
### to switch or override this per hosted site.
###
### NOTE: While the current Aegir version 3.x included in BOA works fine with
### the latest PHP 7.0, many hosted sites, especially those using Pressflow 6
### core or older Drupal 7 core without the required patch we have included
### since 7.43.2, will not work properly, and Aegir tasks run against those
### sites may fail, so it's recommended to use PHP-CLI 5.6, unless you have
### verified that all sites on the instance support PHP 7.0 without issues.
###
### Supported values which can be written in this file:
###
### 7.0
### 5.6
### 5.5
### 5.4
### 5.3
###
### There must be only one line and one value (like: 5.6) in this control file.
### Otherwise it will be ignored.
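The format rules for fpm.info, cli.info and multi-fpm.info above, written as a pre-flight check to run before the agent picks the files up. This is an added example, not BOA's own parser: the function names, the strict treatment of stray whitespace and the host name pattern for site names are assumptions, and it does not check whether a listed version is actually installed.

```shell
#!/bin/sh
# Added example (not BOA code): validate BOA control files before the
# system agent reads them, so a typo is caught instead of silently ignored.

# Values listed as supported on this page.
SUPPORTED_VERSIONS="7.0 5.6 5.5 5.4 5.3"

# is_supported VERSION -> 0 if VERSION is exactly one of the supported values.
is_supported() {
  for v in $SUPPORTED_VERSIONS; do
    if [ "$1" = "$v" ]; then return 0; fi
  done
  return 1
}

# check_single_version FILE   (for fpm.info and cli.info)
# Returns 0 only if FILE has exactly one line holding exactly one supported
# value. Assumption: trailing spaces, CRLF line ends and blank lines count
# as violations, since the page says any other content is ignored.
check_single_version() (
  file=$1
  [ -f "$file" ] || exit 2
  # NR also counts a final line that lacks a trailing newline.
  lines=$(awk 'END { print NR }' "$file")
  [ "$lines" -eq 1 ] || exit 1
  value=$(cat "$file")
  is_supported "$value"
)

# bad_multi_fpm_lines FILE   (for multi-fpm.info)
# Prints the numbers of lines that are not "<site name> <version>" with a
# single space and a supported version; returns 1 if any line is bad.
# Assumption: a site name is made of letters, digits, dots and hyphens.
bad_multi_fpm_lines() (
  file=$1
  [ -f "$file" ] || exit 2
  awk -v ok="$SUPPORTED_VERSIONS" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) sup[a[i]] = 1 }
    {
      good = 0
      if ($0 ~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])? [0-9]+\.[0-9]+$/) {
        split($0, f, " ")
        if (f[2] in sup) good = 1
      }
      if (!good) bad = bad (bad == "" ? "" : " ") NR
    }
    END { if (bad != "") { print bad; exit 1 } }
  ' "$file"
)

# Demo on constructed sample files (not taken from a real instance).
demo() (
  dir=$(mktemp -d) || exit 1
  printf '5.6\n' > "$dir/cli.info"                  # valid
  printf '7.0\n5.6\n' > "$dir/fpm.info"             # two lines: ignored
  printf 'foo.com 7.0\nbar.com  5.5\nold.com 5.2\n' > "$dir/multi-fpm.info"
  for f in cli.info fpm.info; do
    if check_single_version "$dir/$f"; then
      echo "$f: ok"
    else
      echo "$f: would be ignored"
    fi
  done
  bad=$(bad_multi_fpm_lines "$dir/multi-fpm.info") \
    || echo "multi-fpm.info: malformed lines: $bad"
  rm -rf "$dir"
)
demo
```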
###
###
#-### Support for forced Drush cache clear in the Aegir backend
###
### ~/static/control/clear-drush-cache.info
###
### An Octopus instance pauses all scheduled tasks in its queue when it
### detects a platform build from a makefile in progress, to make sure
### that no other running task can break the build.
###
### This works well until a build breaks and Drush fails to clean up all
### leftovers from its .tmp/cache directory, which in turn pauses all tasks
### in the queue for up to 24-48 hours, until the cache directory is
### automatically purged by the daily cleanup tasks. Those tasks are designed
### to leave alone anything that is not old enough (24 hours at minimum),
### so that they do not break any running builds.
###
### If you need to unlock the tasks queue by forcefully removing everything
### from the Aegir backend Drush cache, you can create an empty control file:
### ~/static/control/clear-drush-cache.info
###
###
#-### BOA can run Debian Wheezy to Debian Jessie upgrades easily
###
This feature works like it worked before for `_LENNY_TO_SQUEEZE=YES` and then
for `_SQUEEZE_TO_WHEEZY=YES`. But make sure you follow all the steps exactly
as listed below:
1. Upgrade both barracuda and octopus to current stable:
   $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
   $ barracuda up-stable
   $ octopus up-stable all both
   NOTE: You can upgrade octopus selectively, if you still need one running
   the old stable BOA-2.4.9 version, example:
   $ octopus up-2.4 o1 force
   $ octopus up-stable o2 force
   $ octopus up-stable o3 force
2. Add to your /root/.barracuda.cnf this line:
   _WHEEZY_TO_JESSIE=YES
3. Run another barracuda upgrade with command:
   $ barracuda up-stable
4. If there are no errors reported, try to run manual update:
   $ aptitude update
   $ aptitude full-upgrade
   It should tell you that there are no packages to upgrade left.
5. Reboot your system (preferably via remote console)
   $ reboot
6. Run barracuda upgrade again:
   $ barracuda up-stable
7. Try to run manual update:
   $ aptitude update
   $ aptitude full-upgrade
   It should tell you that there are no packages to upgrade left.
8. Congrats! You are running BOA stable on Debian Jessie.
# New features and enhancements:
* Add all aliases as Subject Alternative Names in Let's encrypt certs -- #941
* Add auto-renewal procedure for Let's encrypt certs -- #942
* Add option to exclude *.tar.gz Drush archives in backboa -- #936
* Add Restaurant 1.11
* Add support for arbitrarily selected redirection targets as valid SSL names
* Allow to define PHP-FPM version per site hosted -- #935
* Allow to use drush7 and drush8 on command line directly
* Even with redirection enabled all aliases are listed as SAN names -- #964
* Feature: _WHEEZY_TO_JESSIE major upgrade procedure -- #870
* Let's encrypt support -- #500
* New Relic integration compatibility with multi-FPM mode
* Support for forced Drush cache clear in the Aegir backend
* Use Let's encrypt for Hostmaster site (after Octopus upgrade) -- #940
# Changes:
* Do not allow XtraDB to crash the server due to single broken cache table
* Nginx: Use faster 301/302 redirects
* Nginx: Use only TLSv1.1 TLSv1.2
* Redis: Exclude cache_form bin again to avoid rare issues with contrib
* Use dynamic httpredir.debian.org mirrors
# System upgrades:
* cURL 7.49.0 (if installed from sources)
* Jetty 9.2.16.v20160414
* Nginx 1.11.0
* PHP 5.5.36
* PHP 5.6.22
* PHP 7.0.7
* Redis 3.2.0
* SLF4J 1.7.21
# Fixes:
* Add compatibility with "config.sh" renamed to "config" in letsencrypt.sh
* Add ssl_trusted_certificate directive required by ssl_stapling
* Add warning: "Don't enable SSL option for the Hostmaster site in Aegir" -- #962
* Check if parent dir exists before touching ctrl file -- #945
* Do not clear drush cache on every hosting-dispatch -- #943
* Do not create Letsencrypt cert for Hostmaster if still in demo mode
* Do not force PHP rebuild on new cURL install from sources
* Drush is broken error -- clear drush cache before testing it -- #946
* Fix for backward compatibility with FPM pool tpl in 2.4
* Fix for Chive auth (via SSH) access filtering
* Fix for conflicting Jetty libs
* Fix ownership and attr on usr home dirs / subdirs
* Improve sub-accounts zombie cleanup
* Let's Encrypt SSL - switching from demo to live -- #959
* Make backboa sub-tasks delays optional and disable them by default -- #919
* Nginx: Fix for ssl_dhparam if/else logic
* Remove deprecated wildcard HTTPS warning
* Run registry-rebuild before updatedb with --no-cache-clear -- #938
* Set LE mode to DEMO on initial setup -- both on octopus install and upgrade
* Skynet upgrades for limited shell configuration -- #950
* Something is stuck after BOA upgrade to 3.0.2 -- #951
* The makefile based platform creation fails with permissions error -- #943
* The site's files should have Aegir backend user as an owner
* Use strict paths checks to avoid running chown/chmod on parent dirs
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.0.2 Release - Full Edition
### Date: Tue May 3 22:26:09 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.2
### Latest hotfix added on: Fri May 6 08:42:13 PDT 2016
@=> Includes Aegir Hostmaster 3.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades, improvements
and bug fixes. All supported platforms have been updated to latest versions.
@=> Latest Drupal 7 core version used in BOA in all built-in platforms is
compatible with latest PHP 7.0.6 -- you can switch your Octopus instance
easily via fpm.info control file: https://omega8.cc/node/330 but please
don't use 7.0 in cli.info, because it is not supported in the Aegir
backend yet. PHP 7.0 can't be used if you have any Pressflow 6 site.
# New features and enhancements:
* Add idna_convert to hostmaster for IDN domain names auto-conversion -- #916
* Allow to disable redis.path.inc feature via INI variable -- #815
* Drupal 7.43.2 (with PHP 7 compatibility patch)
* PHP 7 compatibility improvements -- #716
* Pressflow 6.38.2 (only version update)
* Truncate giant watchdog tables
# Changes:
* Disable (temporarily) support for outdated ERPAL distro
* Disable auto-upgrade for legacy Octopus instances
* Disable page cache only in hostmaster
* Disable PAMAuthentication in pure-ftpd
* Force PHP 5.6 or 5.5 cli.info in Octopus 2.4.9
* Force Redis SOCKET mode if PORT was used before
* Redis module mod-03-05-2016
* Redis: Limit methods to define site prefix
* Redis: Use maxmemory-policy volatile-ttl
* Set redis_client_base
* Use Redis in hostmaster
* Use standard profile by default
# System upgrades:
* Drush micro-8-24-04-2016
* MariaDB 10.0.25
* MariaDB 5.5.49
* MariaDB Galera Cluster 10.0.25
* Nginx 1.9.15
* OpenSSL 1.0.2h (used only in custom built Nginx)
* PHP 5.5.35
* PHP 5.6.21
* PHP 7.0.6
# Fixes:
* Add check_boa_php_compatibility() procedure -- fixes #906
* Add patch for registration error (Commons)
* Avoid duplicate entries in hosting_cron on hostmaster install -- #928
* Cron not running on cloned sites -- fixes #922
* Disable hosting-pause / Provision -- not needed in BOA, may hang upgrade
* Do not force TERM
* Do not set $conf['redis_eval_enabled'] = TRUE;
* Enable _DEBUG_MODE=YES on Octopus upgrade from BOA-2.4.9
* Experimental hosting_git error, platform not installed -- fixes #904
* Improve the provision_autoload_register_prefix check
* Make sure that auto-generated robots.txt is OK -- fixes #925
* Make sure that hostmaster cron is never disabled
* Make sure to not set PHP 7 as system default
* Restart php-fpm on upgrade as soon as possible
* Run registry-rebuild directly after hostmaster-migrate
* Run update_php_cli_cron() twice
* Use inetutils-syslogd on VZ systems -- fixes #905
* Use syncpass during hostmaster upgrade
* Workaround for hostmaster upgrade from 2.x
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.1
### Stable BOA-3.0.1 Release - Full Edition
### Date: Mon Apr 11 18:49:43 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.1
@=> Includes Aegir Hostmaster 3.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes important fixes and improvements in the upgrade
procedure from BOA-2.4.9 and in the initial install procedures, along with
support for latest Drupal 8.0.x and 8.1.x as custom platforms you can create
in the ~/static directory tree. We list here also all hot-fixes applied
after initial BOA-3.0.1 release.
@=> BOA will not include built-in Drupal 8 platforms until Drupal 8 will
support symlinks in the codebase, like all previous core versions.
@=> Octopus Aegir instances hosted on Power Engine option will *not* receive
upgrade to BOA-3.x unless requested via https://omega8.cc/support
to prevent issues with (often) customized Hostmaster modules not ready
for Drupal 7 based Aegir control panel. All hosted BOA systems will still
continue to receive the Barracuda system upgrades.
@=> It is possible to host previous stable BOA-2.4.9 Octopus instances
on systems with Barracuda upgraded to BOA-3.0.1
# Known problems:
https://github.com/omega8cc/boa/milestones/3.0.2
# New features and enhancements:
* Allow boa in-octopus to specify version {stable|head|2.4}
# Changes:
* Allow to execute compass over SSH
* Allow to upload dot-files via SFTP
* Remove/don't install not used blocks in Hostmaster
# System upgrades:
* Add mydropwizard-6.x-1.4 to all existing D6 platforms
* Drush micro-8-08-04-2016
* Lshell 0.9.18.3 -- #895
* Nginx 1.9.14
* PHP 5.5.34
* PHP 5.6.20
* PHP 7.0.5 (for testing only)
* Redis module 7.x-3.12
# Fixes:
* 3.0.0 clean install is broken -- #899
* boa in-2.4 fails to install on Debian Jessie -- #898
* Can't git pull -- #890
* CiviCRM error on verification D6 site -- #897
* D7 API compatibility fix for node_save() in Hostmaster
* Do not switch default PHP to 7.0 if installed
* Drush issues: no aliases available -- #887
* Fix for 3.x to 3.x upgrades
* Fix for FPM master proc monitor
* Fix for input filters upgrade path
* Fix for series test to avoid downgrade attempts
* Fix the legacy install mode -- #898
* Less and more no longer allowed -- #896
* Limit the list of allowed_shell_escape commands
* Missing VBO options -- #892
* Overlay header title not showing -- #889
* Problems installing rvm / compass -- #895
* Remove deprecated sftp restriction
* Require BOA-2.4.9 before upgrade to BOA-3.x also in barracuda -- #886
* Switch octopus upgrade mode automatically to legacy if needed
* tar and gunzip fails because of permission denied -- #894
* Use Drush 8 on command line -- #887
* vi and vim both open nano instead of vim -- #893
### Stable BOA-3.0.0 Release - Full Edition
### Date: Wed Mar 30 10:48:54 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.0
### Latest hotfix added on: Wed Apr 6 17:40:12 PDT 2016
@=> Includes Aegir Hostmaster 3.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes complete Aegir 3 with Drush 8, and introduces
full support for latest Drupal 8.0.5 and Drupal 8.1.0-beta2 as custom
platforms you can create in the ~/static directory tree.
@=> BOA will not include built-in Drupal 8 platforms until Drupal 8 will
support symlinks in the codebase, like all previous core versions.
@=> All supported Aegir platforms have been updated to their latest releases
@=> Octopus Aegir instances hosted on Power Engine option will *not* receive
upgrade to BOA-3.x unless requested via https://omega8.cc/support
to prevent issues with (often) customized Hostmaster modules not ready
for Drupal 7 based Aegir control panel. All hosted BOA systems will still
continue to receive the Barracuda system upgrades.
@=> It is possible to host previous stable BOA-2.4.9 Octopus instances
on systems with Barracuda upgraded to BOA-3.0.0
# Known problems:
https://github.com/omega8cc/boa/milestones/3.0.1
While clean 3.0.0 install worked in our tests before the release, it doesn't
work for others. Until this problem is fixed properly without regressions,
we are switching boa installer back to 2.4.9, which makes getting 3.0.0
on initial installation a two step operation: first 'boa in-stable' install
to get 2.4.9, and then 'barracuda up-stable' plus 'octopus up-stable' upgrade
to get 3.0.0, because upgrades for barracuda and octopus from 2.4.9 to 3.0.0
work fine.
This also means that 'boa in-octopus' will still install the legacy 2.4.9
octopus extra instances, and you can upgrade them to 3.0.0 with standard
'octopus up-stable' mode.
It is still possible to test/debug boa 3.0.0 clean installs -- just create
an empty /root/.debug-boa-installer.cnf file before running the installer.
# New features and enhancements:
* Add Hosting Git optional feature -- fixes #753
* Add mydropwizard module to D6 o_contrib by default
* Add support for ap-northeast-2 Asia Pacific (Seoul) S3
* Add support for PHP 7.0 -- experimental ! -- fixes #716
* Add support for VServer kernel 4.1.19-vs2.3.8.4-beng
* BOA with Aegir Hostmaster 3.x -- fixes #715
* Switch to Drush 8 for Drupal 8 -- fixes #729
* Allow to randomize duplicity full backup schedule
* Monitor and block SSH connections flood
* Run registry-rebuild in drush_provision_drupal_post_provision_deploy()
# Changes:
* Add linkchecker module to Contrib [F]orce[D]isabled
* Deny sudo/su switch if used for root access - fixes #879
* Do not install / remove auditd on VServer systems
* Do not install / remove udev on VServer systems
* Merge hosting_advanced_cron into Aegir core cron
* Use Redis 7.x-3.x integration module
# System upgrades:
* Boto 2.39.0-fix-python-2.7.9 (please run 'backboa install' to upgrade)
* CSF 8.16
* Drush mini-8-08-03-2016
* Duplicity 0.7.06 (please run 'backboa install' to upgrade)
* Lshell 0.9.18.3
* MongoDB database driver 1.6.13 for all PHP versions < 7 -- fixes #521
* Nginx 1.9.14
* OpenSSH 7.2p2 (if installed from sources)
* OpenSSL 1.0.2g (used only in custom built Nginx)
* PHP 5.5.34
* PHP 5.6.20
* PHP 7.0.5 (for testing only)
* Twig C extension for PHP - v.1.24.0
* Use PHP jsmin 2.0.1 ext with newer PHP versions - fixes #878
# Fixes:
* [system] sync fix_locales for root -- fixes #880
* Add mydropwizard-6.x-1.4 to all existing D6 platforms
* Auto-Update lshell.conf on all systems
* Fix for 3.x to 3.x upgrades
* Fix for entitycache 1.2 to 1.5 upgrade problem #868
* Fix for FPM master proc monitor
* Fix for series test to avoid downgrade attempts
* Numerous lshell problems -- fixes #896 #895 #894 #893 #890
* Problems installing rvm / compass -- fixes #895
* Require 2.4.9 before upgrade to 3.0.0 also in barracuda -- fixes #886
* Restart rsyslog/sysklogd aggressively enough
* Switch boa meta installer to 2.4.9 until #899 is fixed
* Switch octopus upgrade mode automatically to legacy if needed
* Sync max_user_connections
* Update map $http_user_agent $is_crawler
* Use Drush 7 on command line until #887 is fixed
### Stable BOA-2.4.9 Release - Full Edition
### Date: Sat Feb 27 15:22:11 GMT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.9
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes latest Drupal 7 and Pressflow 6 security updates,
along with bug fixes and other system software updates.
@=> All supported Aegir platforms have been updated to their latest releases
@=> What are BOA plans for Drupal 6 support after February 24th, 2016?
We will support Drupal/Pressflow 6 in all new releases, as long as
available PHP versions will allow to use it (we run our own Pressflow 6
based site on PHP 5.6 for many months with zero issues). For more details
please check: https://github.com/omega8cc/boa/issues/824
@=> Even if deprecated PHP versions are still included in this release,
any Octopus instance running PHP older than 5.5 will not be able to
receive upgrade to BOA-2.4.9, as announced before -- Please switch your
Octopus to PHP 5.6 or at least 5.5 to be able to upgrade not only
the Barracuda system part of BOA, but also Octopus Satellite --
The how-to can be found at: https://omega8.cc/node/330
@=> Drupal 8 support for custom platforms in the ~/static directory tree
will be included, along with Drush 8 and Hostmaster 3.x in the upcoming
BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
Note: BOA will not include built-in Drupal 8 platforms until Drupal 8
will support symlinks in the codebase, like all previous core versions
# System upgrades:
* MariaDB Galera Cluster 10.0.24
* Nginx 1.9.12
# Fixes:
* Do not force Ruby with RVM for root on every upgrade
* SQL max_user_connections autoconf value can be too low -- fixes #873
### Stable BOA-2.4.8 Release - Full Edition
### Date: Sat Feb 20 11:28:05 GMT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.8
### Latest hotfix added on: Mon Feb 22 18:28:51 GMT 2016
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes,
with most notable features and changes listed below.
@=> Debian 8 Jessie is fully supported, but includes only PHP 5.5 and 5.6
@=> All supported Aegir platforms have been updated with latest Drupal cores
@=> Even if deprecated PHP versions are still included in this release,
any Octopus instance running PHP older than 5.5 will not be able to
receive upgrade to BOA-2.4.8, as announced before -- Please switch your
Octopus to PHP 5.6 or at least 5.5 to be able to upgrade not only
the Barracuda system part of BOA, but also Octopus Satellite --
The how-to can be found at: https://omega8.cc/node/330
@=> Drupal 8 support for custom platforms in the ~/static directory tree
will be included, along with Drush 8 and PHP 7 in the *upcoming*
BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
Note: BOA will not include built-in Drupal 8 platforms until Drupal 8
will support symlinks in the codebase, like all previous core versions
@=> What are BOA plans for Drupal 6 support after February 24th, 2016?
We will support Drupal/Pressflow 6 in all new releases, as long as
available PHP versions will allow to use it (we run our own Pressflow 6
based site on PHP 5.6 for many months with zero issues). For more details
please check: https://github.com/omega8cc/boa/issues/824
# Changes:
* Add 'boa info' and 'boa info more' helper commands
* Add branch support in the boa wrapper
* Allow to force re-install with /root/.force.reinstall.cnf present
* Allow to run existing Octopus 2.4 on the upcoming Barracuda 3.0
* Deny Octopus upgrade unless it is running on a compatible PHP version 5.5+
* Full backboa backups are scheduled on Sunday, unless custom _AWS_FLC is set
* Full duobackboa backups will run on Saturday, unless custom _AWS_FLC is set
* Make base nice configurable via _B_NICE variable
* Nginx: Sync htaccess level protection with Drupal core
* Nginx: Update map $http_user_agent $is_crawler
* Only instance already running 2.4.8 can upgrade to upcoming 3.0.0
* Remove no longer supported T1lib in PHP
* Remove support for deprecated OS versions -- fixes #802
* Replace in-legacy and up-legacy with version specific commands
* Revert "Issue #2377819: Gzipping backups suppresses file permissions errors"
* Run minimal modules en/dis procedure on Wednesday and full on Saturday
* Skip legacy PHP 5.3 and 5.4 on Jessie
* Support for Debian 8 Jessie -- fixes #702
* The _MODULES_FIX variable is set to YES by default
* The _PERMISSIONS_FIX variable is set to YES by default -- fixes #593
# System upgrades:
* Git 2.7.0 (if installed from sources)
* MariaDB 10.0.24
* MariaDB 5.5.48
* Nginx 1.9.11
* OpenSSH 7.1p2 (if installed from sources)
* OpenSSL 1.0.2f (used only in custom built Nginx)
* PHP 5.5.32
* PHP 5.6.18
* PHP: Imagick 3.3.0
* Redis 3.0.7
* Ruby 2.3.0
# Fixes:
* Add duobackboa docs
* Add missing libs in Jessie
* Allow to install a specific PHP version on a local install -- fixes #848
* Allow to run upgrade from not really 3.x HEAD to 2.4.8
* Automate /root/.force.reinstall.cnf and improve docs
* Disable Octopus 3.x specific version check (tmp) for 2.4.8
* Disable spinner on Jessie
* Do not force rebuild on systems installed with 2.4.8
* Do not kill long running php-fpm children
* Do not run the old D7 core fix on newer BOA versions -- fixes #842
* Do not wait for simple sed replacements -- fixes #838
* Fix a typo in some locCnf variable calls -- fixes #854
* Fix for ignored boa_platform_control.ini
* Fix for MariaDB version check
* Fix for not working S3 bucket connection test
* Fix for process.max and pm.max_children
* Fix for undefined locCnf variable in BOND - fixes #748
* Fix the logic in mysql_proc_kill()
* Fix too aggressive Jetty monitoring
* Force clean rsyslog/sysklogd restart if required
* Force rebuild for affected services built from sources -- CVE-2015-7547
* Improve backup sub-tasks randomized schedule
* Improve initial install how-to with screen
* Locales check should not be used with screen session -- fixes #871
* Nginx: Remove duplicate $args on redirects
* Nginx: Workaround for broken autocomplete
* Remove dependency on _MODULES_FIX=YES -- fixes #592
* Remove no longer used _SSL_FROM_SOURCES logic
* Remove systemd on Debian Jessie -- fixes #840
* Restart syslog hourly
* Run drush cache cleanup only once per account
* Speed up backup tasks by removing extra conn_test
* Speed up backup tasks by running extended cleanup and reporting weekly
* Speed up initial setup procedure
* Sync wait randomizer max value
* Upgrade wkhtmltopdf and wkhtmltoimage to 0.12.3 - fixes #858
* Use date %u day of week (1..7); 1 is Monday
* Whitelist missing upload progress path
### Stable BOA-2.4.7 Release - Full Edition
### Date: Fri Dec 4 08:09:21 PST 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.7
### Latest hotfix added on: Thu Dec 10 10:10:26 PST 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes,
with most notable features and changes listed below.
@=> All supported Aegir platforms have been updated with latest Drupal cores
@=> Drupal 8 support for custom platforms in the ~/static directory tree
will be included, along with Drush 8 and PHP 7 in the *upcoming*
BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
@=> This BOA release (2.4.7) is the last release which still supports
deprecated PHP versions: 5.3 and 5.4 -- You should switch to PHP 5.6
or at least 5.5 as soon as possible, or you will not be able to upgrade
to newer BOA versions after 2.4.7 -- https://omega8.cc/node/330
@=> What are BOA plans for Drupal 6 support after February 24th, 2016?
We will support Drupal/Pressflow 6 in all new releases, as long as
available PHP versions will allow to use it (we run our own Pressflow 6
based site on PHP 5.6 for many months with zero issues). For more details
please check: https://github.com/omega8cc/boa/issues/824
@=> SSH (RSA) keys for root are required by newer OpenSSH versions used in BOA
BOA installs SSH from sources by default (Debian only). This means that
password based access for root will not work once BOA is installed or
upgraded to current stable version. It is a result of OpenSSH changes
in recent releases and not BOA specific change. BOA will deny the initial
install and Barracuda will refuse to run upgrade if it detects that system
root has no SSH (RSA) keys added and only password based access is available.
You can still modify this behaviour in /usr/etc/sshd_config but future
OpenSSH versions may still revert such changes, so it is not recommended.
@=> BOA switched from SPDY to HTTP/2 + PFS on all supported OS versions
# Changes:
* Allow to disable SQL monitoring with /root/.no.sql.cpu.limit.cnf -- #799
* Disable page caching on the fly where needed
* Disable temporarily support for broken Restaurant distro
* Do not rebuild features and entities on cache clear
* Document new requirement: SSH (RSA) keys for root -- fixes #786 #833
* Make ioncube_loader optional and disable by default with _PHP_IONCUBE=NO
* Nginx SSL: enable OCSP stapling by default
* Nginx SSL: enable OCSP stapling for existing HTTPS vhosts
* Nginx: Add ssl_dhparam to existing vhosts, if needed
* Nginx: HTTP/2 replaces SPDY -- fixes #624
* PHP: Add YAML extension with LibYAML
* Preserve customized /etc/sysctl.conf -- fixes #789
* Run modules ON/OFF only weekly -- requires _MODULES_FIX=YES (default is NO)
* Run most of crontab, install and upgrade tasks with low priority using
nice and ionice -- fixes #780
# System upgrades:
* cURL 7.45.0 (if installed from sources)
* GEOS 3.5.0 (requires _PHP_GEOS=YES)
* Git 2.6.1 (if installed from sources)
* MariaDB 10.0.22
* MariaDB 5.5.47
* MariaDB Galera Cluster 10.0.22
* Nginx 1.9.7
* OpenSSL 1.0.2e (used only in custom built Nginx)
* PHP 5.5.30
* PHP 5.6.16
* Redis 3.0.5
# Fixes:
* Add /root/.skip_cleanup.cnf support
* Add feature branch testing in HEAD
* Avoid load spikes caused by long running tasks
* Avoid race conditions on multi-line sed replacement -- fixes #806
* Clean up any remaining procs zombies
* Clean up postfix queue to get rid of bounced emails
* Disable ioncube and opcache for HHVM
* Disable Redis for Hostmaster in the backend
* Do not allow to install non-standard OpenSSH on Ubuntu
* Do not break /data/all/cpuinfo permissions on Octopus upgrade
* Do not run 'apt-get autoremove' automatically
* Do not use wrapper for dot-files cleanup
* Document better BOA aggressive installation behavior -- fixes #811
* Document boa in-octopus command -- fixes #817
* Don't strip $args from $request_uri in redirects
* Fix cron schedule for upgrades
* Fix for /etc/sudoers on _SQUEEZE_TO_WHEEZY
* Fix for broken Git on Ubuntu
* Fix for DNS on _SQUEEZE_TO_WHEEZY
* Fix for not working PHP rebuild check
* Fix for not working syncpass tool
* Fix for Ruby rebuild on _SQUEEZE_TO_WHEEZY
* Fix PHP deprecated warning in D8 -- fixes #804
* Ignore 'env COLUMNS' sent by Drush remotely -- fixes #373
* Ignore daily.sh in clear.sh
* Improve _SQUEEZE_TO_WHEEZY procedure -- #627
* Improve cron tasks schedule
* Improve daily cleanup performance + support for /root/.giant_traffic.cnf
* Improve devpts check -- fixes #788
* Improve docs/MIGRATE.txt
* Improve resolv.conf auto-recovery procedure
* Improve system check -- fixes #811
* Move Redis restart procedure to correct script
* PHP: Add missing path to open_basedir for CLI
* Remove debug code to not kill the initial install
* Remove not working /etc/logrotate.d/lshell -- fixes #823
* Update advagg auto configuration variables -- fixes #792
* Update boa/lib/functions/helper.sh.inc with current OS -- fixes #787
* Update FPM workers autoconf logic
* Update the cache cleanup logic
* Use better placeholder for solr_integration_module variable
* Use correct DPkg::Options for dist-upgrade -- fixes #627
* Use known MySQLTuner version -- fixes #827
* Use LibYAML 0.1.6
* Use opcache.restrict_api
* Use sha256 for self-signed certs
### Stable BOA-2.4.6 Release - Full Edition
### Date: Sat Sep 19 11:09:09 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.6
### Latest hotfix added on: Mon Sep 21 05:18:33 PDT 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes.
All supported Aegir platforms have been updated with latest Drupal cores.
# Changes:
* Add Twig C extension to PHP - v.1.22.1
* Allow to customize auto-upgrades mode
* Disable support for broken OpenScholar and Recruiter
* Open default Postgres port for outgoing connections
* Remove support for deprecated Feature Server distro
* Remove support for deprecated OpenAcademy distro
* Remove support for deprecated OpenBlog distro
* Remove support for deprecated OpenChurch v.1 distro
* Remove support for deprecated OpenDeals distro
* Use distro specific Drupal core for problematic distros
# System upgrades:
* cURL 7.44.0 (if installed from sources)
* Duplicity 0.7.05 (please run 'backboa install' to upgrade)
* Jetty 7.6.17.v20150415
* Jetty 8.1.17.v20150415
* MariaDB 10.0.21
* MariaDB 5.5.45
* MariaDB Galera Cluster 10.0.21
* Nginx 1.9.4
* OpenSSH 7.1p1 (if installed from sources)
* PHP 5.6.13, 5.5.29, 5.4.45
* PHP: ionCube loader 5.0.18
* Pure-FTPd 1.0.42
* Redis 3.0.4
* Ruby 2.2.3, 2.0.0-p647
* Use pecl-jsmin-1.1.0
# Fixes:
* Allow to re-install deleted D7/D6 platforms when dev doesn't exist
* Do not install phpunit -- it adds many PHP tools we don't need
* Drush requires php-eval to run drush_find_tmp() in sql-sync
* Fix apache cleanup
* Fix invalid regex in the INI docs
* Improve auto-healing for SSHd
* Improve Nginx DoS and DDoS protection
* Improve pdnsd auto-healing
* Improve SSL Docs to add more detail about multidomain certificates #757
* Issue #766 - Fix for broken boa in-octopus procedure
* Nginx: Fix support for s3/files/styles (s3fs)
* Restart PHP-FPM if too many running children are detected
* Sync .htaccess with D7 core
* Sync keywords for exceptions in daily.sh with global.inc
* Use short sleep on firewall temp blocks cleanup
### Stable BOA-2.4.5 Release - Full Edition
### Date: Fri Jul 10 11:25:43 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.5
### Latest hotfix added on: Fri Jul 10 14:49:11 PDT 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes PHP security upgrade for versions 5.6, 5.5 and 5.4
plus security upgrade for Redis server and four updated Octopus platforms.
Support for Drupal 8 is temporarily removed, because now it would require
an upgrade to Drush 8, which in turn completely removes support for PHP 5.3,
while it's still more important to support legacy Pressflow 6 sites, if they
are not ready to move beyond PHP 5.3 yet, than trying to support some
(too fast) moving targets like Drupal 8 beta, and Drush 8 head.
# Updated Octopus platforms:
Commerce 2.26 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.28 ----------------- https://drupal.org/project/commons
OpenAtrium 2.43 -------------- https://drupal.org/project/openatrium
Panopoly 1.25 ---------------- https://drupal.org/project/panopoly
# Changes:
* Drupal 8 is not supported until we can switch to Drush 8 and remove PHP 5.3
# System upgrades:
* Nginx 1.9.2
* PHP 5.4.43
* PHP 5.5.27
* PHP 5.6.11
* Redis 3.0.2
### Stable BOA-2.4.4 Release - Full Edition
### Date: Fri Jul 3 12:08:29 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.4
### Latest hotfix added on: Thu Jul 9 10:28:42 PDT 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes.
All supported Aegir platforms have been updated with latest Drupal cores.
This version automatically switches all hosted sites to PHP 5.5 on systems
hosted and managed remotely by Omega8.cc support team, unless you have
explicitly switched your Octopus instance to use the PHP version you prefer.
Using PHP older than 5.5 is strongly discouraged, for security, stability and
performance reasons.
# Changes:
* Do not change mysql root password by default -- workaround for #642
* Enable advagg_async_generation by default
* Logic update for /root/.high_traffic.cnf
* Redis Integration Module: Update to version mod-26-06-2015
* Use modern ssl_ciphers in all templates by default
# System upgrades:
* cURL 7.43.0 (if installed from sources)
* Drush mini-7-30-06-2015 -- fixes #734
* MariaDB 5.5.44
* MariaDB Galera Cluster 10.0.20
* Nginx 1.9.1
* OpenSSH 6.9p1 (if installed from sources)
* OpenSSL 1.0.1p (if installed from sources)
* PHP 5.4.42
* PHP 5.5.26
* PHP 5.6.10
* PHPRedis master-27-06-2015
* Pure-FTPd 1.0.41
* vnStat 1.14
# Fixes:
* Add 'grep' to overssh -- a list of commands allowed to execute over SSH
* Broken pdnsd configuration breaks DNS resolver -- fixes #701
* Do not force update_agents()
* Do not modify rkey/debug args in barracuda log/system upgrade mode
* Don't remove Drupal 6 core themes -- fixes #738
* Fix for legacy vnStat config
* Fixed backboa/duobackboa retrieve from remote host -- fixes #741
* Improve system cron tasks queue
* Incorrect permissions on /usr/bin/optipng - fixes #722
* Mitigate LOGJAM - fixes #723
* Restart Postfix after system DNS update -- #701
* Skip daily reload on high traffic instances
* Sync SQL connection limits with _PHP_FPM_WORKERS variable - fixes #699
* Use _AWS_URL to properly handle us-east-1 exception
* Use 2048 bit where possible - see #723
* Use better default value for advagg_cache_level - fixes #726
### Stable BOA-2.4.3 Release - Full Edition
### Date: Tue May 19 13:40:40 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.3
### Latest hotfix added on: Fri Jun 5 04:43:50 PDT 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release is focused on Aegir platforms update with latest Drupal core
included. There are also a few system updates and bug fixes, as listed below.
# Changes:
* Redis Integration Module: Update to version mod-08-05-2015
* Use HTTPS intermediate mode to support legacy systems like XP/IE8 - see #718
# System upgrades:
* Drush mini-7-08-05-2015
* MariaDB 10.0.19
* MariaDB Galera Cluster 10.0.19
* PHP 5.4.41
* PHP 5.5.25
* PHP 5.6.9
* Redis 3.0.1
# Fixes:
* CiviCRM known bugs and regressions fixed
* Improve drush aliases cleanup
* Redis: sync net.core.somaxconn with tcp-backlog
* sqlmagic: do not escape backslashes and EOL character - fixes #672
* SQL dump definer regexp causes invalid SQL during migrate/clone - #2497091
* Fix for backward compatibility with old Galera versions
### Stable BOA-2.4.2 Release - Full Edition
### Date: Mon Apr 27 11:12:09 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.2
### Latest hotfix added on: Fri May 1 02:07:54 PDT 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes 15 updated Aegir platforms with latest Drupal core,
2 new features and enhancements, 13 new software versions, 3 other changes,
plus over 20 bug fixes.
# Updated Octopus platforms:
aGov 1.7 --------------------- https://drupal.org/project/agov
Commerce 1.36 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.23 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.24 ----------------- https://drupal.org/project/commons
Commons 3.25 ----------------- https://drupal.org/project/commons
Guardr 2.11 ------------------ https://drupal.org/project/guardr
OpenAid 2.1 ------------------ https://drupal.org/project/openaid
OpenAtrium 2.33 -------------- https://drupal.org/project/openatrium
OpenChurch 1.17-b2 ----------- https://drupal.org/project/openchurch
OpenChurch 2.1-b7 ------------ https://drupal.org/project/openchurch
OpenOutreach 1.19 ------------ https://drupal.org/project/openoutreach
OpenPublic 1.5 --------------- https://drupal.org/project/openpublic
Panopoly 1.21 ---------------- https://drupal.org/project/panopoly
Recruiter 1.6 ---------------- https://drupal.org/project/recruiter
Restaurant 1.0-b12 ----------- https://drupal.org/project/restaurant
@=> NOTE: Drupal 8 support is broken in this release, because latest Drush
doesn't support older Drupal 8 beta versions, while new D8 beta is not
released and tested yet, and we really need latest Drush to fix broken
D6->D7 upgrade path, so we could prepare for full Aegir 3, which comes
with D7 in the frontend.
# New features and enhancements:
* Re-create files/robots.txt if older than 7 days
* Restore default DNS when /root/.use.default.nameservers.cnf exists
# Changes:
* Enable SPDY and PFS by default - fixes #545
* Use GitLab as a secondary mirror
* Whitelist drush pm-updatestatus
# System upgrades:
* cURL 7.42.1 (if installed from sources)
* Drush mini-7-25-04-2015
* Duplicity 0.7.02 (please run 'backboa install' to upgrade)
* MariaDB 5.5.43
* MariaDB Galera Cluster 10.0.17
* MySecureShell master-20-03-2015
* Nginx 1.8.0
* OpenSSH 6.8p1 (if installed from sources)
* OpenSSL 1.0.2a (if installed from sources)
* PHP 5.6.8, 5.5.24, 5.4.40
* PHPRedis master-18-03-2015
* Redis 3.0.0
* Ruby 2.2.2
# Fixes:
* Add service cron start to migrate docs - fixes #654
* BOA.sh.txt should update installers when invoked interactively - fixes #644
* Do not add Google DNS when custom DNS is expected
* Do not count requests for images derivatives if private files mode is used
* Do not create conflicting plain HTTP proxy for single IP mode - fixes #465
* Force csf/lfd update before and after running barracuda upgrade - fixes #685
* How to enable permanent redirect to HTTPS with single IP - #465
* Improve DNS self-healing magic - see #674
* Improve FPM auto-healing to properly detect conflicting instances
* Make sure that dl mirrors never get blocked
* Nginx: Stop the POST flood to /autodiscover/autodiscover.xml
* Nginx: Use dummy db fastcgi_param placeholders if any of them is empty
* Remove aggressive firewall cleanup - fixes #688
* Remove onetime fix intended to sync new defaults - fixes #678
* Update absolute URLs to files for sites cloned/migrated/renamed
* Update composer on barracuda upgrade
* Use _TOMCAT_TO_JETTY=NO in cnf template to avoid confusion - see #676
* Use correct placeholder in the xboa proxy - fixes #655
* Use MAIN_SITE_NAME instead of possibly fake SERVER_NAME - see #385
* Where to add the SSL redirect configuration snippet - fixes #681
### Stable BOA-2.4.1 Release - Full Edition
### Date: Sun Mar 8 14:56:51 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.1
### Latest hotfix added on: Wed Mar 11 11:58:52 PDT 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7.0.0-alpha9 customized for BOA
# Release Notes:
This new BOA release includes one new and 12 updated Aegir platforms,
8 new features and enhancements, 15 new software versions, 10 other changes,
plus over 38 bug fixes, with most notable features and changes listed below:
@=> Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups
@=> Add SSL with TLS/SNI on server with one IP, multiple certificates support
@=> Add support for Octopus batch migration - see docs/MIGRATE.txt for details
@=> Allow to use _PHP_GEOS=YES with all PHP versions
# New Octopus platforms:
OpenAid 2.0 ------------------ https://drupal.org/project/openaid
# Updated Octopus platforms:
Commerce 1.33 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.21 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.22 ----------------- https://drupal.org/project/commons
Commons 3.22 ----------------- https://drupal.org/project/commons
Drupal 8.0.0-b7 -------------- https://drupal.org/drupal-8.0
Guardr 2.8 ------------------- https://drupal.org/project/guardr
OpenAtrium 2.32 -------------- https://drupal.org/project/openatrium
OpenChurch 2.1-b5 ------------ https://drupal.org/project/openchurch
OpenOutreach 1.16 ------------ https://drupal.org/project/openoutreach
OpenScholar 3.20.0 ----------- http://theopenscholar.org
Panopoly 1.18 ---------------- https://drupal.org/project/panopoly
Recruiter 1.5 ---------------- https://drupal.org/project/recruiter
# New features and enhancements:
* Add compatibility with latest VS beng kernel
* Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups
* Add support for multivalued fields in SOLR 4 - pull request #626
* Add support for mysqladmin proc logging
* Add support for Octopus batch migration - see docs/MIGRATE.txt for details
* Add support for scout/mysql monitoring
* CSF: Add popular ports 222 and 2222 to TCP_OUT by default
* SSL with TLS/SNI on server with one IP, multiple certificates - fixes #465
# Changes:
* Allow to run automated SQL conversion only weekly
* Allow to use _PHP_GEOS=YES with all PHP versions
* Do not send extra nocache cookie on GET requests
* Drush mini-7-07-03-2015
* Make barracuda wrapper available on initial install to avoid confusion
* Nginx: Update for crawlers exceptions list
* Redis Integration Module: Update to version mod-05-03-2015
* Remove dependency on legacy Drush 4
* Use latest Apache Solr Search 6.x-3.x config
* Use latest Apache Solr Search 7.x-1.x config
# System upgrades:
* Apache Solr 4.9.1
* cURL 7.41.0 (if installed from sources)
* Git 2.3.0 (if installed from sources)
* Jetty 9.2.7.v20150116
* MariaDB 10.0.17
* MariaDB 5.5.42
* MariaDB Galera Cluster 10.0.17
* Nginx 1.7.10
* OpenSSL 1.0.2 (if installed from sources)
* PHP 5.4.38
* PHP 5.5.22
* PHP 5.6.6
* PHP: ionCube loader 4.7.4
* Pure-FTPd 1.0.37
* Ruby 2.2.1
* Use duplicity 0.7.01 and boto 2.36.0 - fixes #630
* Vnstat 1.13
# Fixes:
* [provision] False "load on system too heavy" messages - fixes #619
* [provision] Issue #2350695 - Profile is registered twice, also as a module
* [provision] Nginx: Remove webform keyword from regex locations - fixes #599
* Add also manage_ltd_users to the list - fixes #616
* Avoid installing New Relic with no valid license key provided - fixes #608
* Do not add no longer used symlink
* Do not create conflicting plain HTTP proxy for single IP mode - fixes #465
* Do not delete backboa while duplicity is running
* Do not replace any contrib in latest OA - fixes #2420131
* Do not run D7 core hotfix on already fixed instances
* Fix for legacy systems autoupdate logic
* Fix for missing chattr -i on web user update
* Fix for missing datestamp
* Fix for too dangerous pdnsd auto-config logic
* Fix pdnsd restarts procedures - fixes #610
* Fix permissions for pdnsd if needed
* Fix variable in autoupboa - pull request #629
* Force php.ini update
* Hotfix for cluster instances
* Hotfix for OpenSSL/cURL versions out of sync
* How to enable permanent redirect to HTTPS with single IP - #465
* Issue #2425963 - Broken slider in Commerce Kickstart 2.21
* Make sure that @hostmaster alias works after migration
* Provide a patch for older civicrm versions to make them Drush 7 compatible
* Randomize backups schedule to avoid issues with AWS limits
* Reload nginx service automatically - #465
* Remove conflicting pdnsd restarts to avoid race conditions - fixes #610
* Remove deprecated sysctl options
* Remove post-install leftovers if needed
* Single PHP-version installation fails - fixes #598
* Typo - fixes #539
* Unable to connect to SOLR on latest head - fixes #623
* Update installers as expected, also with _SKYNET_MODE=OFF - fixes #644
* Update meta-installers for new stable
* Update the upgrade procedure how-to - fixes #616
* Use civicrm-4.5.6 compatible with Drush 7
* Use correct AWS Endpoint when us-east-1 Region is specified
* Use correct open_basedir for lshell user - fixes #603
* Use separate loops for symlinks and ghost cleanup
* Workaround for EntityMalformedException in Open Outreach - fixes #229
* Workaround for missing interface/lo.pdnsd on legacy systems
* Workaround for SA-CONTRIB-2015-063 - Webform - Cross Site Scripting
### Stable BOA-2.4.0 Release - Full Edition
### Date: Wed Feb 4 20:30:04 CET 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.0
### Latest hotfix added on: Sat Feb 21 10:18:15 UTC 2015
@=> Includes Aegir Hostmaster 2.x-head with improvements
@=> Includes Aegir Provision 3.x-head with improvements
@=> Includes Drush 7.0.0-alpha8 customized for BOA
# Release Notes:
This new BOA release includes 7 updated Aegir platforms, over 28 new features
and enhancements, 12 new software versions, over 36 important changes, plus
over 100 bug fixes, with most notable features and changes listed below:
@=> Added Support for latest Drupal 8.0.0-beta with D8B platform keyword
@=> Added Support for latest Drupal 8.0.0-dev with D8D platform keyword
@=> Added Support for latest PHP 5.6
@=> BOA can auto-detect its fastest download mirror on install, upgrade etc.
@=> BOA Code Refactoring to make it modular and easier to read (in progress)
@=> BOA Skynet auto-updates can be turned off with _SKYNET_MODE=OFF
@=> Cron is run only for live sites with no tmp, temp, dev, test etc keywords
@=> Force single PHP version with command keyword on install and upgrade
@=> Introducing Support for HHVM -- see docs/HHVM.txt for details.
@=> PHP 5.5 is used by default on new installs instead of old 5.3
@=> PHP-FPM (and HHVM) runs now as a separate, very limited system user
@=> Removed Support for legacy PHP 5.2
@=> Sites Names Exceptions and Special Keywords have changed
@=> The _MODULES_FIX variable is set to NO by default
@=> The _PERMISSIONS_FIX variable is set to NO by default
@=> The built-in registry-rebuild on every Verify task is not run by default
@=> The Dev-Mode works only for site aliases, no longer for main site name
Please read further below for more details.
# Caveats for self-hosted BOA:
We recommend proceeding with the major upgrade procedure as follows:
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
$ barracuda up-stable
$ barracuda up-stable system
$ octopus up-stable all both
$ bash /var/xdrago/manage_ltd_users.sh
$ bash /var/xdrago/daily.sh
# Updated Octopus platforms:
aGov 1.6 --------------------- https://drupal.org/project/agov
Commerce 1.32 (with 1.11) ---- https://drupal.org/project/commerce_kickstart
Guardr 2.7 ------------------- https://drupal.org/project/guardr
OpenAtrium 2.26 -------------- https://drupal.org/project/openatrium
OpenChurch 1.17-b1 ----------- https://drupal.org/project/openchurch
OpenPublic 1.4 --------------- https://drupal.org/project/openpublic
Panopoly 1.15 ---------------- https://drupal.org/project/panopoly
# New features and enhancements:
* Add backboa variables to configure full backup cycle and log verbosity.
* Add Backdrop CMS compatibility in global.inc (experimental)
* Add Drupal 8 compatibility in global.inc
* Add Drush Make Local - fixes #332
* Add safe_cache_form_clear Drush extension by default - fixes #568
* Add support for writable .aws directory in the web user home.
* Allow to set _PHP_SINGLE_INSTALL on command line - on install and upgrade.
* Allow to use both platform specific and ALL keyword in _PLATFORMS_LIST.
* BOA auto-selects the fastest download mirror on install, upgrade and update.
* Detect critically low free RAM and forcefully restart services if needed.
* Detect OOM incidents and forcefully restart services if needed.
* Improve backboa with AWS connection testing.
* Install latest D8-dev with D8D keyword specified.
* Monitor and rotate PHP error logs if too big (over 1 GB).
* Monitor the number of master PHP-FPM processes and force restart if needed.
* New 'nodns' option to skip DNS and SMTP checks on the fly.
* Nginx: Add support for images derivatives with URI shortcuts - fixes #481
* Nginx: Add support for URI shortcuts for sites in subdirectories.
* PHP: Add HHVMinfo.
* PHP: Add support for latest 5.6
* PHP: Allow to define version to install and use on command line - fixes #536
* PHP: Disable not used CLI versions if _PHP_SINGLE_INSTALL is defined.
* PHP: Disable not used FPM and CLI versions.
* PHP: HHVM experimental support - fixes #443
* Provide default value for composer_manager_vendor_dir variable - fixes #385
* Redis: Allow to configure remote IP via _REDIS_LISTEN_MODE /cluster support.
* Use cron scheduler fast mode (every 10 sec) if /root/.fast.cron.cnf exists.
* Use Drush Make Local for Hostmaster with download mirrors auto-detection.
# Changes:
* Alter the cron_interval for existing sites to match Aegir default.
* Change required exceptions keywords to .temporary. and .testing.
* Dev mode detection and URLs protection - now works only for aliases.
* Do not display .cnf files contents if _DEBUG_MODE is not set to YES.
* Do not restart Redis daily if /root/.high_traffic.cnf exists - fixes #533
* Drush 7 is now used by default instead of Drush 6.
* Drush: Upgrade to mini-7-02-02-2015
* Force _TOMCAT_TO_JETTY=YES - fixes #570
* Hostmaster: Use Drush Make Local instead of downloading contrib with Drush
* Limit status messages verbosity if _DEBUG_MODE is not set to YES
* Make it possible to opt-out from BOA Skynet auto-updates - fixes #557
* Nginx: Block SEOkicks crawler.
* PHP: Always use by default version 5.5
* PHP: Disable legacy 5.2 version if installed.
* PHP: Ignore --with-curlwrappers defined in _PHP_EXTRA_CONF for 5.5 and 5.6
* PHP: Rebuild to remove --with-curlwrappers unless added in _PHP_EXTRA_CONF
* PHP: Remove no longer working custom config protection - see #559
* PHP: Tune FPM defaults for speed and RAM optimization.
* PHP: Use built-in Zend OPcache in 5.5
* PHP: Use built-in Zend OPcache in 5.6
* Redis Integration Module: Update to version mod-14-12-2014
* Reload system cron hourly.
* Remove deprecated RC4 from ssl_protocols.
* Remove the _O_CONTRIB_UP variable/feature.
* Run cron for 3 sites at once max.
* Set _MODULES_FIX=NO by default
* Set _PERMISSIONS_FIX=NO by default
* Site mode detection and cron protection - cron works only for live sites
* Split huge BARRACUDA script into lib includes.
* Switch to special limited system user also in PHP-FPM mode - fixes #551
* There is no need to update drupalgeddon every 5 minutes.
* Use 86400 as a default cron_interval to sync with Drupal default.
* Use MySQLTuner only if _USE_MYSQLTUNER=YES is set in .barracuda.cnf
* Use provision_civicrm 6.x-2.x directly.
* Use separate versioning for Aegir extensions download URLs.
* Run built-in registry-rebuild on Verify only if empty ctrl file
sites/all/modules/registry-rebuild.ini exists.
# System upgrades:
* cURL 7.40.0 (if installed from sources)
* Git 2.2.1 (if installed from sources)
* MariaDB 10.0.16
* MariaDB 5.5.42
* MariaDB Galera Cluster 10.0.16
* Nginx 1.7.9
* PHP 5.4.37
* PHP 5.5.21
* PHP 5.6.5
* PHP: ionCube loader 4.7.3
* Redis 2.8.19
* Ruby 2.2.0
# Fixes:
* Add CONTRIBUTING.txt guidelines.
* Add in docs/HINTS.txt Helper locations to avoid 404 on legacy images paths.
* Add still missing updates for migrated instances.
* Add warning about vCloud Air incompatibility with Drupal.
* Aliases are wiped out after site rename - fixes #542
* Allow slower DNS response.
* Always disable spinner when running boa in-octopus.
* Avoid broken install on D8 core where sites/all doesn't exist by default.
* Avoid confusing EXIT: You must specify already installed PHP version.
* Avoid sed warnings in old stable and legacy modes.
* Backward compatibility with Drush 6.
* Block attempts to lookup /etc/passwd via web shell.
* Check only LANG environment variable in locale test - fixes #584
* Compare $new_uri with d()->name and not d()->uri in the Site Rename Check.
* Delete duplicity ghost pid file if older than 2 days.
* Do not confuse D7 with D8 or Backdrop CMS.
* Do not force cURL reinstall from packages - fixes #565
* Do not try to add platforms nodes if no new platform has been installed.
* Do not update backboa if duplicity is running.
* Document when to use /root/.fast.cron.cnf
* Drupal 8 removed drupal_mail()
* Drupal 8 requires container_yamls defined.
* Drupal 8 requires read permissions in sites/all
* Drupal 8 requires trusted_host_patterns defined in settings.php
* Drupal 8 with $clean_urls=1 should use /cron/ URI.
* Drush 7 requires composer.
* Fix and Improve Squeeze to Wheezy upgrade procedure.
* Fix for $HOME detection if not set for some reason.
* Fix for Drush aliases protection.
* Fix for octopus batch upgrade mode.
* Fix for octopus single upgrade mode.
* Fix for pdnsd install/update logic.
* Fix missing symlinks after broken openjdk-6 upgrade.
* Fix path to PHP-CLI if needed.
* Fix public IP auto-detection on AWS in Octopus.
* Fix the logic for aegir/platforms upgrade mode.
* Fix the logic for TMPDIR set on the fly - fixes #552
* Fix: LANGUAGE (en_US.UTF-8) is not compatible with LC_ALL (). Disabling it.
* Force _PHP_MULTI_INSTALL to match defined _PHP_FPM_VERSION on cluster nodes.
* Force _THIS_DB_HOST=localhost on AWS.
* HHVM: Add /home/ to open_basedir so access to the .tmp works - fixes #569
* HHVM: Add workarounds for potential security issues - fixes #443
* Improve Aegir tasks scheduling and load spikes protection.
* Improve docs for backboa.
* Improve pdnsd configuration update by removing non-IP lines early enough.
* Improve procs monitor.
* Improve web wrapper.
* Increase inotify defaults to improve lsyncd support.
* Issue #2372653: Add --no-autocommit when dumping MySQL tables.
* Jetty: Detect if running as zombie and force restart if needed.
* Make sure that AcceptEnv is set in sshd_config.
* Make sure to never run cron on just cloned site.
* MariaDB patch is no longer needed.
* Monitor lsyncd and xinetd if installed and expected to run.
* Never delete tmp dirs to avoid Drush/PHP segfaults and race conditions.
* Nginx: Add missing variables in subdirectory config template.
* Nginx: Fix for D8-specific /cron/ location regex.
* Nginx: Force clean URLs for Drupal 8.
* Nginx: Helper locations to avoid 404 on legacy images paths (subdir only)
* Nginx: Hide X-Drupal-Cache-Tags header.
* Nginx: Use safe fallback for mysteriously empty $db_port
* PHP: Avoid version guessing for Octopus when _PHP_SINGLE_INSTALL is used.
* PHP: Make sure that _PHP_SINGLE_INSTALL takes precedence.
* PHP: OPcache configuration for Drupal 8 - fixes #419
* PHP: Re-install libmagickwand-dev to avoid broken extension build.
* PHP: The fallback version should be detected and not hardcoded.
* Prevent 'Could not change permissions' warnings with CiviCRM - fixes #523
* Remove Drupal 8 specific code from settings template used in older Drupal.
* Remove known sensitive credentials from barracuda upgrade log.
* Revert "Issue #2313327: Fixed Unknown options for provision-verify."
* Run agents update on cluster nodes.
* Run single mirror check - fixes #565
* RVM: Install also eventmachine-1.0.3
* Set files paths on D8 install to avoid using system default /tmp.
* Silence confusing noise - fixes #589
* Skip auto-update for agents not compatible with older versions.
* Skip extra SQL connection test on AWS.
* Standardize platforms version and naming convention.
* Support for _NGINX_NAXSI is experimental (don't use)
* Symlinks directories expected by Drush/Aegir in D8 root.
* Sync defaults for hosting_advanced_cron_default_interval
* Syntax error - fixes #587
* Syntax error - fixes #588
* The _NGINX_FORWARD_SECRECY=YES is ignored on Debian Wheezy - fixes #591
* The /login suffix is no longer supported in Drupal 8 and results with 404.
* The backend verify sub-task breaks site import for Drupal 8.
* Tomcat is not used anymore - see #570
* Use consistent stderr 2 stdout redirects in grep checks.
* Use correct _THIS_DB_HOST on master instance.
* Use correct pid file in procs monitor.
* Use correct user to run drush test commands.
* Use extended display mode for messages longer than 200 chars.
* Use faster mysqldump mode/flags.
* Use mirror to download complete vendor directory for Drush 7.
* Use more intuitive PHP keyword naming convention.
* Use mutatable interface in install_8.inc - fixes #2409085
* Use recommended releases for views404 and views_accelerator - fixes #578
* Use release specific o_contrib downloads.
* Use safe tmp cleanup to avoid race conditions.
* Where to set _USE_MYSQLTUNER variable - fixes #594
### Stable BOA-2.3.8 Release - Full Edition
### Date: Sat Nov 29 09:58:45 SGT 2014
### Includes Aegir 2.x-head with improvements
# Release Notes:
This new BOA release includes new features, improvements and bug fixes.
#-### Support for optional Drupalgeddon daily checks on all hosted D7 sites
~/static/control/drupalgeddon.info
This check was previously enabled by default. It now requires this control
file to still run daily, because it may generate some false positives which
are not always possible to avoid or silence, so it no longer makes sense to
run it daily, especially after BOA has run it automatically for a month and
finally even automatically disabled all clearly compromised sites.
Note that your system administrator may still enable this with the root level
control file /root/.force.drupalgeddon.cnf, so it will still run, even
if you do not create the Octopus instance level empty control file:
~/static/control/drupalgeddon.info
Please note that the current version of the Drupalgeddon Drush extension
needs the 'update' module to be enabled to avoid even more false positives,
so BOA will enable the 'update' module temporarily while running this
check, which in turn will result in even more email notices sent
to the site admin email, if these notices are enabled.
#-### Support for automated BOA upgrades: weekly and one-time
You can configure BOA to run automated upgrades to latest stable version
for both Barracuda and all Octopus instances with three variables, empty
by default. All three variables must be defined to enable auto-upgrade.
You can set _AUTO_UP_MONTH and _AUTO_UP_DAY to any date in the past
if you wish to enable only weekly system upgrades.
Remember that one-time upgrades will include complete upgrade to latest BOA
stable for Barracuda and all Octopus instances, while weekly upgrade is
designed to run only 'barracuda up-stable system' upgrade.
_AUTO_UP_WEEKLY= #------ Day of week (1-7) for weekly system upgrades
_AUTO_UP_MONTH= #------- Month (1-12) to define date of one-time upgrade
_AUTO_UP_DAY= #--------- Day (1-31) to define date of one-time upgrade
All three variables should be added in your /root/.barracuda.cnf file.
# Updated Octopus platforms:
ERPAL 2.2 -------------------- https://drupal.org/project/erpal
# New features and enhancements in this release:
* Support for automated BOA upgrades: weekly and one-time.
# Changes in this release:
* Drupalgeddon daily checks on all hosted D7 sites are now optional.
# Fixes in this release:
* Issue #508 - The _EASY_HOSTNAME is not required in local install mode.
* Issue #516 - Do not break binaries detection with 'which'.
### Stable BOA-2.3.7 Release - Full Edition
### Date: Tue Nov 25 15:44:48 PST 2014
### Includes Aegir 2.x-head with improvements
# Release Notes:
This new BOA release includes updated versions of all supported Drupal
platforms to provide latest Drupal 7.34 and Pressflow 6.34 cores, plus
new features, improvements and bug fixes.
We recommend that you upgrade your D7 sites using this safe workflow:
https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
For up-to-date information on #Drupageddon please check:
https://omega8.cc/drupageddon-psa-2014-003-342
#-### Support for locking/unlocking web server write access in all codebases
This new, auto-enabled by default protection will enhance your system
security, especially for sites in custom platforms you maintain
in the ~/static directory tree.
It is important to understand that your web server / PHP-FPM runs as your
shell/ftps user, although with a different group. This makes it possible to
maintain a virtual chroot for Octopus instances, which significantly improves
security. However, it had a serious drawback: the web server had write access
in all your platforms codebases located in the ~/static directory tree,
because all files you have uploaded there have the same owner.
While it allows you to use code management which requires web hooks, it also
opens a door for possible attack vectors, as in the infamous #drupageddon
disaster, where Drupal allowed attackers to create .php files intended
to be used as backdoors in future attacks - inside your codebase.
This could affect only custom platforms you maintain in the ~/static
directory tree, since all built-in Octopus platforms always had Drupal core
completely write-protected. And even if created by an attacking bot, these
extra .php files are completely useless for attackers, because the BOA default
restricted configuration doesn't allow execution of unknown .php files which
are not whitelisted. Still, having a codebase writable by your web server is
dangerous, because at least theoretically it may open a possibility to
overwrite valid .php files, so they could be used as an entry point in
a future attack.
BOA now protects all your codebases by reverting (daily) ownership on all
files and directories in your codebase (modules and themes) so they are
owned by the Aegir backend user and not your shell/ftps user.
While this new default procedure protects all your codebases in the ~/static
directory tree, and even in the sites/all directory tree, and even in the
sites/foo.com/modules|themes tree in all your built-in Octopus platforms,
you can still manage the code and themes with your main and extra shell
accounts as usual, because your codebase is still group writable, and your
shell accounts are members of the group not available for the web server.
You can easily disable this default daily procedure with a single switch:
~/static/control/unlock.info
You can also exclude any custom platform you maintain in the ~/static
directory tree from this global procedure by adding an empty skip.info
control file in the given platform root directory, so all other platforms
are still protected, and only the excluded platform remains writable
by the web server. But normally you should never need this unlock!
Please note that this procedure will not affect any platform if you have
the non-default _PERMISSIONS_FIX=NO setting in your /root/.barracuda.cnf
file. It will also skip any platform with fix_files_permissions_daily
variable set to FALSE in the given platform active INI file.
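The opt-outs described above, as an added audit script that is not BOA's own code: it reports which switch, if any, exempts a platform from the daily ownership reset, and counts module/theme entries still owned by (and writable for) the account the web server runs as. The INI file path, the status words and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not BOA's own code. Control-file names and variables come from
# the release notes above; the INI path and the sample tree are assumptions.

# lock_status CNF CONTROL_DIR PLATFORM_ROOT PLATFORM_INI
# Prints why the daily ownership reset would skip this platform, or "locked".
# The notes give no precedence between the opt-outs; the first match is reported.
lock_status() {
  cnf=$1; control_dir=$2; platform=$3; ini=$4
  if [ -f "$cnf" ] &&
     grep -Eq '^[[:space:]]*_PERMISSIONS_FIX="?NO"?[[:space:]]*(#.*)?$' "$cnf"; then
    echo "global-off"         # _PERMISSIONS_FIX=NO: no platform is touched
  elif [ -e "$control_dir/unlock.info" ]; then
    echo "instance-unlocked"  # ~/static/control/unlock.info
  elif [ -e "$platform/skip.info" ]; then
    echo "platform-skipped"   # empty skip.info in the platform root
  elif [ -f "$ini" ] &&
     grep -Eiq '^[[:space:]]*fix_files_permissions_daily[[:space:]]*=[[:space:]]*FALSE' "$ini"; then
    echo "ini-off"            # fix_files_permissions_daily = FALSE
  else
    echo "locked"
  fi
}

# files_owned_by OWNER PLATFORM_ROOT
# Lists files and directories under sites/*/modules and sites/*/themes that
# are owned by OWNER and owner-writable. OWNER is the shell/ftps account the
# web server runs as, so each hit is something the web server can overwrite.
files_owned_by() {
  owner=$1; platform=$2
  for tree in "$platform"/sites/*/modules "$platform"/sites/*/themes; do
    if [ -d "$tree" ]; then
      find "$tree" \( -type f -o -type d \) -user "$owner" -perm -200
    fi
  done | sort
}

# audit_platform CNF CONTROL_DIR PLATFORM_ROOT PLATFORM_INI SHELL_USER
# Prints "<status> <count>". A "locked" platform should report 0 once the
# daily run has handed ownership to the Aegir backend user.
audit_platform() {
  status=$(lock_status "$1" "$2" "$3" "$4")
  count=$(files_owned_by "$5" "$3" | wc -l | tr -d ' ')
  echo "$status $count"
}

# make_sample DIR: constructed Octopus-like layout for a dry run (not real data).
make_sample() {
  mkdir -p "$1/static/control" \
           "$1/static/custom/sites/all/modules/foo" \
           "$1/static/custom/sites/example.com/themes"
  : > "$1/static/custom/sites/all/modules/foo/foo.module"
  printf '_PERMISSIONS_FIX=YES\n' > "$1/barracuda.cnf"
  printf ';fix_files_permissions_daily = TRUE\n' > "$1/platform.ini"
}

# demo: run the audit on the constructed tree, before and after adding skip.info.
demo() {
  d=$(mktemp -d) || return 1
  make_sample "$d"
  me=$(id -u)
  audit_platform "$d/barracuda.cnf" "$d/static/control" \
                 "$d/static/custom" "$d/platform.ini" "$me"
  : > "$d/static/custom/skip.info"
  audit_platform "$d/barracuda.cnf" "$d/static/control" \
                 "$d/static/custom" "$d/platform.ini" "$me"
  rm -rf "$d"
}

demo
```

A non-zero count on a "locked" platform means the ownership reset has not run yet or did not reach those paths; on an exempted platform it shows what remains writable for the web server.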
# Updated Octopus platforms:
Commerce 1.32 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.20 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.21 ----------------- https://drupal.org/project/commons
Commons 3.20 ----------------- https://drupal.org/project/commons
Guardr 2.5 ------------------- https://drupal.org/project/guardr
Open Atrium 2.25 ------------- https://drupal.org/project/openatrium
Open Outreach 1.13 ----------- https://drupal.org/project/openoutreach
Panopoly 1.14 ---------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
* Support for locking/unlocking web server write access in all codebases.
# Changes in this release:
* Do not force site_readonly to be disabled on non-dev sites.
# System upgrades in this release:
* MariaDB 10.0.15
# Fixes in this release:
* Allow any single site to use 1/2 of available SQL connections max.
* Clean up dot files after installing or updating RVM.
* Do not run extra updates on systems running latest head version.
* Improve ghost sites cleanup.
* Issue #467 - Centralize control files outside of codebases tree.
* Issue #498 - ERPAL: Fatal error: Unsupported operand types.
* Issue #499 - RVM: Add oily_png gem version 1.1.1
* Issue #504 - Add docs/RVM.txt
* Issue #504 - Remove ~/.rvm/scripts/notes script breaking lshell.
* Issue #509 - Do not delete anything from hostmaster site level modules.
* It is safe to run manage_ltd_users every minute.
* Never touch hostmaster aliases and vhosts even if they appear broken.
* Nginx: Fix for possible problem with files/imagecache in legacy D6 sites.
* Use gnupg2 by default.
* Use latest Ruby 2.1.x or 2.0.x available.
* Use verbose RVM install mode to improve debugging.
### Stable BOA-2.3.6 Release - Full Edition
### Date: Mon Nov 17 08:11:17 SGT 2014
### Includes Aegir 2.x-head with improvements
# Release Notes:
This new BOA release includes updated versions of all supported Drupal
platforms to provide latest Drupal 7.33 core, plus great new features,
improvements and bug fixes.
We recommend that you upgrade your D7 sites using this safe workflow:
https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
For up-to-date information on #Drupageddon please check:
https://omega8.cc/drupageddon-psa-2014-003-342
#-### Support for automated, encrypted, daily backups to Amazon S3
* This new feature is available on self-hosted BOA and hosted Power Engines.
* Note that the provided 'backboa' tool uses symmetric password-only encryption.
* You can configure the AWS Region you prefer and the Backup Rotation policy.
It will archive all directories required to restore your data (sites files,
databases archives, Nginx configuration and more) on a freshly installed BOA:
/etc /var/aegir /var/www /home /data
It will start to run nightly at 2:08 AM (server time) only once you add the
five required _AWS_* variables in the /root/.barracuda.cnf file and run the
special command 'backboa install' while logged in as root.
To restore any file from backups created with the 'backboa' tool, you can use
the same script on the same or any other BOA server.
Please read docs/BACKUPS.txt at https://github.com/omega8cc/boa for details.
# Updated Octopus platforms:
Commons 3.19 ----------------- https://drupal.org/project/commons
Open Atrium 2.24 ------------- https://drupal.org/project/openatrium
Open Deals 1.35 -------------- https://drupal.org/project/opendeals
OpenChurch 1.15 -------------- https://drupal.org/project/openchurch
OpenChurch 2.0-b2 ------------ https://drupal.org/project/openchurch
OpenScholar 3.16.0 ----------- http://theopenscholar.org
Panopoly 1.13 ---------------- https://drupal.org/project/panopoly
Restaurant 1.0-b10 ----------- https://drupal.org/project/restaurant
Ubercart 2.14 ---------------- https://drupal.org/project/ubercart
Ubercart 3.8 ----------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
* Add support for automated, encrypted, daily backups to Amazon S3.
* Automatic shutdown for sites with known #Drupageddon users/roles added.
* Drush drupalgeddon extension added in all accounts.
* Make _STRONG_PASSWORDS length configurable: 8-128, YES (32), NO (8).
* Support for web and db clusters with MariaDB Galera (work in progress).
* Apply SA-CORE-2014-005 hot-fix daily everywhere, also on BOA (any version)
servers left on the auto-pilot.
# Changes in this release:
* Do not force site_readonly to be disabled on non-dev sites.
* Ignore disabled sites in daily monitoring and healing procedures.
* Remove support for abandoned Managing News distro.
* Remove support for abandoned Open Atrium 6.x distro.
* Remove support for abandoned Spark distro.
* Remove support for abandoned Totem distro.
* Set _PERMISSIONS_FIX=YES by default, so important fixes can be applied.
* Update BOA wrappers hourly.
# System upgrades in this release:
* cURL 7.39.0 (if installed from sources)
* Drush: Upgrade command line version 6 to mini-6-30-10-2014
* Nginx 1.7.7
* PHP 5.4.35
* PHP 5.5.19
* PHP: Zend OPcache master-08-11-2014
# Fixes in this release:
* Add scout user if _SCOUT_KEY is not empty or cron entry exists.
* Always escape dots in preg_replace() to not truncate www. by mistake.
* Check if directory tree exists before running extended checks/fixes.
* Clear drush cache directly before running hostmaster-migrate.
* Disable scout if installed and enable later.
* Do not export LC_CTYPE on initial install.
* Do not use Redis on provision-save.
* Fix for edge case when incorrect permissions were set in custom platform.
* Fix for openatrium-7.x-2.22-7.32.1
* Fix for site_readonly mode in migrated instances.
* Force setting to avoid issues with not expected to work RVM self-update.
* Hint for Apache Solr Attachments and Java path possible confusion.
* Improve web wrapper filtering.
* Issue #2163979 - Check if field_info_field_map() is available.
* Issue #2373923 - HTTPS and aliases redirection problem with Nginx.
* Issue #438 - PHP: Remove support for 5.5 built-in Zend OPcache.
* Issue #452 - PHP build could be broken also with MariaDB newer than 5.5.40
* Issue #456 - Aliases redirection: problems with AdvAgg paths.
* Issue #457 - Aliases redirection: 404 file not found for resources.
* Issue #461 - Remote Import needs Drush strict=0 mode.
* Issue #463 - The yajl-ruby gem needs native binaries building.
* Issue #480 - Normalize /etc/hosts to avoid FQDN mapped to 127.0.1.1
* Issue #490 - Nginx: Block semalt botnet.
* Issue #496 - RVM 1.26.0 introduces signed releases (rvm: not found error).
* Make sure that hostmaster site usage is not counted.
* Move DB GRANTS setup for master instance to the correct level.
* Move redis server daily restart to daily.sh agent.
* Nginx: Fail if required db creds are empty to never create a broken vhost.
* Remove hardcoded DNS for files.aegir.cc
* Strict Permissions on All Binaries are default, not optional.
* There is no point in running MySQLTuner on initial install.
* Whitelist mysql command for overssh in lshell.
### Stable BOA-2.3.5 Release - Full Edition
### Date: Wed Oct 15 16:28:25 PDT 2014
### Includes Aegir 2.1 with improvements
### Latest hotfix added on: Thu Oct 16 08:55:02 PDT 2014
# Release Notes:
This new BOA release includes important updates and bug fixes.
* All new Drupal 7 platforms received Drupal core security upgrade.
For details please read: https://www.drupal.org/SA-CORE-2014-005
* All existing Drupal 7 built-in platforms will receive a hot-fix for
this known vulnerability: https://www.drupal.org/SA-CORE-2014-005
once you run the 'barracuda up-stable' command on your server.
This procedure is automated on hosted and managed Aegir at Omega8.cc
* Your custom D7 platforms created in the ~/static directory tree
will be checked in the next 12 hours after the upgrade, and if you
have not applied this patch yet, it will be applied automatically
for you - but only if there is at least one active site present
in the given custom D7 platform. Note that while this procedure is
automated on hosted and managed Aegir at Omega8.cc, on self-hosted
BOA systems it will work only if you set _PERMISSIONS_FIX=YES
in /root/.barracuda.cnf (default is NO)
We recommend that you upgrade your D7 sites using safe workflow:
https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
# Updated Octopus platforms:
aGov 1.5 --------------------- https://drupal.org/project/agov
Commerce 1.31 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.19 ---------------- https://drupal.org/project/commerce_kickstart
ERPAL 2.1 -------------------- https://drupal.org/project/erpal
Guardr 1.14 ------------------ https://drupal.org/project/guardr
Open Atrium 2.22 ------------- https://drupal.org/project/openatrium
Open Outreach 1.12 ----------- https://drupal.org/project/openoutreach
OpenPublic 1.2 --------------- https://drupal.org/project/openpublic
Panopoly 1.12 ---------------- https://drupal.org/project/panopoly
Recruiter 1.3 ---------------- https://drupal.org/project/recruiter
# New features and enhancements in this release:
* Explain that Solr self-provisioning works only if _MODULES_FIX=YES is set.
* Reverify all sites daily if /root/.force.sites.verify.cnf ctrl file exists
and _PERMISSIONS_FIX=YES is set in /root/.barracuda.cnf (default is NO)
# Changes in this release:
* Security: Remove support for SSLv3 due to POODLE vulnerability.
* Disable Redis in Hostmaster until we fix the Views based pages/blocks.
* Disable site_readonly for non-dev sites by default.
* Drush: Upgrade command line version 6 to mini-6-04-10-2014
* Enable AllowUserFXP in Pure-FTPd config by default.
* Remove support for already deprecated non-LTS Ubuntu versions.
* Run manage_ip_auth_access only once per minute.
* The INI variable redis_flush_forced_mode is enabled by default (again).
* Use sysklogd instead of rsyslog on Ubuntu.
# System upgrades in this release:
* MariaDB 5.5.40
* Nginx 1.7.6
* OpenSSH 6.7p1 (if installed from sources)
* OpenSSL 1.0.1j (if installed from sources) - security upgrade.
* PHP 5.5.18
* PHPRedis: master-03-10-2014
# Fixes in this release:
* Add auto-detection of Legacy Ruby patch level update on old systems.
* Add cleanup for ghost/broken sites dirs leftovers.
* Add missing cleanup for backup_migrate leftovers.
* Always cleanup pid files on exit/abort.
* Apply patch for SA-CORE-2014-005 in all shared D7 cores/built-in platforms.
* Compass Tools: Install 1.9.3 ffi expected by older themes.
* Fix db_port entry in all vhosts hourly.
* Fix for broken erpal-7.x-2.0-7.31.1
* Fix for broken site level drushrc.php file.
* Fix for false alarm caused by ghost sites leftovers.
* Fix for incorrect hash filtering on systems with OpenSSL built from sources.
* Fix locales: Numerous fixes and improvements -- thanks ar-jan!
* Fix typo in REVISIONS.
* Force site Verify via frontend if drushrc.php has been fixed.
* Issue #435 - SQL: Remove deprecated table_cache +update table_open_cache
* Issue #440 - Improve innodb_buffer_pool_size calculation and add 10%
* Issue #441 - New Relic is not disabled after removing newrelic.info file.
* Issue #442 - Skip locked/fpmcheck if /root/.high_traffic.cnf exists.
* Issue #444 - PHP: Remove useless sed replacement in pool.d/www{*}.conf
* Issue #445 - Remote Import: update 6.x-2.x branch for Aegir 2.x and Drush 6
* Issue #447 - Export LANG, LANGUAGE and all LC_ environment variables.
* Issue #447 - Improve locales consistency.
* Issue #447 - Set default LC_CTYPE and LC_COLLATE environment variables.
* Issue #447 - Simplify locales configuration on Ubuntu.
* Issue #448 - Enforce locale settings by configuring defaults.
* Issue #452 - PHP build is broken with latest MariaDB 5.5.40
* Make sure that db_port is never empty and defaults to 3306.
* Make sure that firewall monitoring scripts never run simultaneously.
* Make sure that standard caching is enabled in hostmaster.
* Pause hostmaster tasks when RVM install for any user is running.
* PHP: Do not run rebuilds if not needed.
* PHP: Fix for broken upgrade logic on libcurl or libssl packages upgrade.
* Remove acquia_connector from latest Commons to avoid broken installs.
* Remove all legacy gems and re-install RVM/Ruby for root from scratch.
* Remove legacy replacement to avoid converting symlinked includes into files.
* SQL: Use correct defaults if MySQLTuner test failed.
* Workaround for Drupal flood using 127.0.0.1 for all requests behind proxy.
### Stable BOA-2.3.4 Release - Full Edition
### Date: Wed Oct 15 09:51:08 PDT 2014
### Includes Aegir 2.1 with improvements
Release Notes and changelog for BOA-2.3.4 have been merged into BOA-2.3.5
above after security upgrades related to OpenSSL and SSLv3 were added
shortly after the 2.3.4 release.
### Stable BOA-2.3.3 Release - Full Edition
### Date: Sat Sep 27 01:25:46 PDT 2014
### Includes Aegir 2.1 with improvements
# Release Notes:
This BOA Edition includes important fixes to address some issues discovered
after BOA-2.3.1 release. Please read also the release notes for BOA-2.3.1
further below before running the upgrade!
#-### Important details on CiviCRM versions compatibility and profiles support
* All BOA-2.3.x Editions fully support latest CiviCRM 4.5.0 for Drupal 7.
* CiviCRM for Drupal 6 is not supported because of known CiviCRM issues.
* CiviCRM support for Drupal 7 works great when added in sites/all/modules
* CiviCRM support for Drupal 7 also works when added in profiles/foo/modules
but no CiviCRM cron is currently managed until this known issue is fixed.
Therefore BOA-2.3.3 will check all platforms on the Octopus instance, and if
it detects any with CiviCRM added in the installation profile directory
tree, it will refuse to upgrade that instance, to avoid breaking things for
those using the currently not fully supported CiviCRM codebase structure.
# New Octopus platforms:
OpenChurch 2.0-b1 ------------ https://drupal.org/project/openchurch
# Updated Octopus platforms:
ERPAL 2.0 -------------------- https://drupal.org/project/erpal
Guardr 1.13 ------------------ https://drupal.org/project/guardr
Open Outreach 1.11 ----------- https://drupal.org/project/openoutreach
OpenChurch 1.14 -------------- https://drupal.org/project/openchurch
OpenPublic 1.0-rc5 ----------- https://drupal.org/project/openpublic
OpenScholar 3.15.1 ----------- http://theopenscholar.org
# New features and enhancements in this release:
* Add makefiles for CiviCRM 4.4.7
* Add makefiles for CiviCRM 4.5.0
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-27-09-2014
* Restart SSH hourly.
* The INI variable redis_flush_forced_mode is now disabled by default.
* Use aegir_custom_settings-6.x-3.12
* Use Provision CiviCRM boa-2.3.3-dev
# System upgrades in this release:
* MariaDB 10.0.14
* Nginx 1.7.5
* PHP 5.4.33
* PHP 5.5.17
* PHPRedis: master-02-09-2014
* Redis 2.8.17
# Fixes in this release:
* Add extra cleanup for Drush related caches.
* Always respect _SSH_PORT if set.
* Always start cron before aborting on error.
* Do not add duplicate cron entry for runner.sh
* Do not allow system only upgrades if Master Instance is still on 2.2.x
* Do not disable _DNS_SETUP_TEST
* Enable path_alias_cache by default also in the hostmaster site.
* Fix for broken pdnsd configuration if wrong IPs are detected.
* Fix for insufficient permissions on files/civicrm/ConfigAndLog
* Fix for insufficient permissions on files/civicrm/custom
* Fix for insufficient permissions on files/civicrm/dynamic
* Fix for missing cron entry for Scout, if _SCOUT_KEY is not empty.
* Fix the not working procedure to revert hostmaster features.
* Force problematic gems install to add them on accounts with enabled RVM.
* Fix for Java version for Jetty 9 on newer systems.
* Hardcode files.aegir.cc DNS entry.
* Improve docs/ctrl/system.ctrl readability.
* Install openjdk on CI instances by default.
* Issue #411 - Unable to update Octopus Instance - Reports PHP on 5.2
* Issue #423 - Make sure that innodb_buffer_pool_size is not smaller than 64M
* Issue #424 - Update mysqltuner.pl to support MariaDB 10.0
* Make sure that lsb-release is installed properly.
* Make the check_civicrm_compatibility more reliable to avoid false alarms.
* New Relic not enabled if no custom ~/static/control/{fpm|cli}.info exists.
* Nginx: Auto-Switch to wildcard all vhosts existing in the Master Instance.
* Nginx: Avoid any downtime on upgrade by using www53.fpm.socket temporarily.
* Nginx: Convert all config templates to wildcard mode in legacy instances.
* Nginx: Convert all Octopus vhosts to wildcard mode on Barracuda upgrade.
* Nginx: Convert config to use PHP 5.2 if the instance still depends on it.
* Nginx: Delete ghost, outdated or broken config includes in all instances.
* Nginx: Delete ghost, outdated or broken vhosts in all instances.
* Nginx: Force special vhosts access rules rebuild hourly.
* Nginx: Improve wildcard conversion procedure on some really old instances.
* Purge all ghost delete tasks before running hostmaster-migrate / upgrade.
* Purge Drush related caches cleanly when needed.
* Recreate possibly broken vhosts.
* Remove duplicate cron entry for runner.sh to avoid critical system load.
* Remove legacy replacement to not convert config symlinks into regular files.
* Run check_civicrm_compatibility only on upgrade.
* Single feature revert may not be enough.
* Update contrib in Open Atrium D7 to maintain upgrade path.
* Update cron defaults and remove legacy code.
* Update default SSL Wildcard Nginx Proxy to use wildcard listen mode.
* Use strict regex in vhosts listen mode conversion to not break ports.
### Stable BOA-2.3.2 Release - Full Edition
### Date: Thu Sep 18 15:16:33 PDT 2014
### Includes Aegir 2.1 with improvements
Release Notes and changelog for BOA-2.3.2 have been merged into BOA-2.3.3
above after several hotfixes and various updates were added shortly
after the 2.3.2 release to address all identified post-release issues.
### Stable BOA-2.3.1 Release - Full Edition
### Date: Sun Sep 14 15:53:25 SGT 2014
### Includes Aegir 2.1 with improvements
### Latest hotfix added on: Mon Sep 15 19:10:07 SGT 2014
# Release Notes:
This major BOA Edition introduces many new features, changes and fixes.
You should carefully read about some caveats further below **before** running
this major upgrade on your system. Please secure a fresh system backup first.
If you haven't run full barracuda+octopus upgrade to latest BOA Stable
Edition yet, don't use any partial/system upgrade modes.
Once new BOA Stable is released, you must run *full* upgrades with commands:
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
$ barracuda up-stable
$ octopus up-stable all both
@=> Key new features:
* BOA-2.3.1 comes with new, shiny Aegir 2.1 stable version!
* Support for Drupal sites in subdirectories is enabled by default
* Solr 4 cores can be added/updated/deleted via site level INI settings
* Super-easy to use New Relic support with per Octopus license key
* Ability to add new Octopus instances with new, simple command syntax
@=> Aegir control panel new features:
* The list of sites is searchable by name or installation profile
* Sites have dedicated tabs: Backups, Task log, Edit and Packages
* Platform have tabs: Add site, Clients, Task log, Edit and Packages
* You can schedule tasks against filtered sites in batches
* Scheduling tasks in batches is available also on the platform view
* Scheduling tasks in batches is available also on the profile view
* Scheduling tasks in batches is available also on the client view
* You can schedule tasks also against platforms in batches
* You can safely apply db updates via 'Run db updates' task on any site
* The new 'Clients' menu item allows to list and manage sub-accounts
* Profiles are listed with both human-readable and machine names
* It is now possible to choose any existing alias or the main site name
as a redirect target, but without the need to rename the site --
it will just re-verify the site and create new vhost automatically
@=> Aegir control panel changes:
* The hosting/signup form is still available but not included in the menu
* The node/add/site form is no longer included in the main menu
* The optional pseudo-CDN-aliases feature is now disabled by default
@=> Other important changes:
* Support for PHP 5.2 has been officially deprecated
* The www53 PHP-FPM pool has been switched from port to default socket mode
* All existing vhosts must use wildcard in the Nginx 'listen' directive
* Legacy mode for Install and Upgrade moves to 2.2.x branch
* DB credentials are no longer in settings.php, only in drushrc.php
* Latest Drush 6 version is used in the Aegir backend by default
But what if you are not ready for this major upgrade and you would like
to have more time for testing, but still be able to run system upgrades,
thus effectively still using the previous version 2.2.9?
#-### Legacy mode for Install and Upgrade moves to 2.2.x branch
From now on, the 'legacy' install and upgrade mode available in all meta-
installers will utilize branch 2.2.x instead of deprecated 2.1.x series.
This means that starting with meta installers updated to use BOA-2.3.1
version you can use commands like shown below to update Barracuda, Octopus
and also to install more Octopus instances, while still using version 2.2.9:
$ boa in-legacy public server.mydomain.org my@email o1
$ barracuda up-legacy system
$ octopus up-legacy o1
$ boa in-legacy public server.mydomain.org my@email o2 mini
etc.
Remember to update your meta-installers first!
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
Note also that if you upgrade to the current 'stable', it is not possible
to downgrade back to the 'old stable' with 'legacy' mode, so please proceed
with care!
Remember also that current legacy version will not receive any further
updates, even for security issues (besides those provided as packages by
your OS vendor - Debian or Ubuntu, which will still work), because it is
already different enough from current 2.3.1 stable, so we can't reliably
maintain both with working upgrade path.
#-### Caveats: This upgrade will force wildcard in the Nginx 'listen' directive
If you have an old enough BOA system which still uses legacy IP mode and not
a wildcard in the Nginx 'listen' directive, which is both Aegir and BOA
standard for a long time already, this upgrade will fix the problem and
update directives only in vhosts known and controlled by BOA.
If you have any other vhosts, located in standard or non-standard Nginx/BOA
directories for vhosts, you have to update them manually after upgrade to
BOA-2.3.0 or newer, or they will take over all other vhosts on the system
and cause redirects to /install.php which results in Nginx error 403 or 404,
depending on the prior configuration.
This happens because an IP based 'listen' directive in Nginx has higher
priority, and will mess things up horribly when some vhosts use a wildcard
and others use the main system IP address.
What and how to replace? Here are the commands you need to run as root:
$ sed -i "s/.*listen.*:80;/ listen \*:80;/g" /path/to/vhost.file
$ service nginx reload
Note: this **doesn't** affect special vhosts for SSL enabled sites, if used,
because they are designed to use IP based 'listen' directives to provide
separation between SSL enabled IPs and their associated certificates,
while their associated 'upstream' block may even point to either local or
remote IP address, so there is no wildcard to use in this case, and it will
not conflict with all other vhosts managed by Aegir, because all SSL enabled
vhosts listen on other IP addresses than the main system IP, which is
by default used by all vhosts with wildcard in the 'listen' directive.
The problem may happen only when you have vhosts using wildcard and also
some vhosts using **main** system IP address in the 'listen' directive,
which may happen also unintentionally during upgrade to BOA-2.3.0 or newer,
if there are either vhosts BOA doesn't control, or there are ghost vhosts
not yet purged if you didn't upgrade to BOA-2.2.9 before, or there are
some disabled sites, so their vhosts will not be re-created by Aegir
during this major upgrade (because only active sites can be re-verified).
While BOA will fix also any such ghost vhosts anyway, it will not be able
to detect and fix vhosts outside of the standard directories managed by Aegir.
#-### Ability to add new Octopus instances with new, simple command syntax
It is now possible to add stable Octopus instances w/o forcing Barracuda
upgrade, plus optionally with no platforms added by default -- usage:
$ boa {in-octopus} {email} {o2} {mini|max|none}
#-### The www53 PHP-FPM pool has been switched from port to default socket mode.
Note that we are breaking backward compatibility here, so it will cause
downtime on upgrade from any too old BOA version, until you also upgrade the
Octopus instance(s) and update any other non-standard vhosts or includes
still using legacy port mode for the 'fastcgi_pass' Nginx directive.
If you have 'fastcgi_pass 127.0.0.1:9090;' in any custom vhost or Nginx
include file on the Octopus instance, you should replace it with:
fastcgi_pass unix:/var/run/o1.fpm.socket;
where 'o1' is your corresponding Octopus system username.
Note that if you have custom vhosts or includes in the Aegir Master Instance,
you should instead replace 'fastcgi_pass 127.0.0.1:9090;' with:
fastcgi_pass unix:/var/run/www53.fpm.socket;
where '53' is related to PHP version defined via _PHP_FPM_VERSION in your
/root/.barracuda.cnf file. Note that while the variable has a dot, the socket
name doesn't.
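A read-only audit of custom vhosts for the two legacy directives described above: an IP based 'listen' on port 80 mixed with wildcard vhosts, and 'fastcgi_pass 127.0.0.1:9090;'. This is an added example, not part of BOA; the function names, the sample files and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of BOA): read-only audit of Nginx vhost files.
# Function names, file names and 192.0.2.x addresses are constructed.
# Only directives that start their own line are matched.

# List vhost files under directory $1 that listen on port 80 at address $2.
# Pass '*' as $2 to list the wildcard vhosts.
vhosts_listening_on() {
  # Escape '.' and '*' so the address is matched literally by grep -E.
  addr_re=$(printf '%s' "$2" | sed 's/[.*]/\\&/g')
  grep -rlE "^[[:space:]]*listen[[:space:]]+${addr_re}:80([[:space:]][^;]*)?;" \
    "$1" 2>/dev/null | sort
}

# List vhost or include files under $1 still using the legacy port mode.
vhosts_with_legacy_fastcgi() {
  grep -rlE '^[[:space:]]*fastcgi_pass[[:space:]]+127\.0\.0\.1:9090;' \
    "$1" 2>/dev/null | sort
}

# Succeed (exit 0) only when wildcard and main-IP vhosts coexist on port 80,
# the combination in which the IP based vhost takes over the others.
listen_conflict() {
  [ -n "$(vhosts_listening_on "$1" '*')" ] &&
    [ -n "$(vhosts_listening_on "$1" "$2")" ]
}

# Print a report for vhost directory $1 and main system IP $2.
audit_vhosts() {
  if listen_conflict "$1" "$2"; then
    echo "CONFLICT: wildcard and $2:80 'listen' directives are mixed"
    vhosts_listening_on "$1" "$2" | sed 's/^/  needs listen *:80;  /'
  else
    echo "OK: no main-IP 'listen' on port 80 next to wildcard vhosts"
  fi
  vhosts_with_legacy_fastcgi "$1" | sed 's/^/  legacy fastcgi_pass: /'
}

# Build a constructed sample: one wildcard vhost, one legacy vhost on the
# main IP, and one SSL vhost on a separate IP (which must not be flagged).
make_sample_vhosts() {
  sample_dir=$(mktemp -d) || return 1
  cat > "$sample_dir/site-a.conf" <<'EOF'
server {
  listen *:80;
  location ~ \.php$ {
    fastcgi_pass unix:/var/run/o1.fpm.socket;
  }
}
EOF
  cat > "$sample_dir/legacy.conf" <<'EOF'
server {
  listen 192.0.2.10:80;
  location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9090;
  }
}
EOF
  cat > "$sample_dir/ssl.conf" <<'EOF'
server {
  listen 192.0.2.20:443;
  location ~ \.php$ {
    fastcgi_pass unix:/var/run/o1.fpm.socket;
  }
}
EOF
  echo "$sample_dir"
}

SAMPLE=$(make_sample_vhosts)
audit_vhosts "$SAMPLE" 192.0.2.10
rm -rf "$SAMPLE"
```

Point audit_vhosts at each directory holding vhosts or includes that BOA does not manage, passing the main system IP as the second argument.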
#-### Support for PHP 5.2 has been officially deprecated
While Barracuda 2.3.1 can continue to run and even upgrade if needed also
the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3
or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.1 Edition.
If you are still using PHP 5.2 in your Octopus instance, you will not
receive Aegir nor Drupal Platforms upgrade, but the Barracuda part of your
system will receive upgrade to 2.3.1 anyway, so it will be ready to support
your outdated Octopus instance upgrade as soon as you switch it to
modern and secure PHP version -- which is easy!
Let's quote the original how-to for reference:
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
This allows to easily switch PHP version by the instance owner w/o system
admin (root) help. All you need to do is to create ~/static/control/fpm.info
and ~/static/control/cli.info file with a single line telling the system
which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
Only one of them can be set, but you can use separate versions for web access
(fpm.info) and the Aegir backend (cli.info). The system will switch versions
defined via these control files in 5 minutes or less. We use external control
files and not any option in the Aegir interface to make sure you will never
lock yourself by switching to version which may cause unexpected problems.
#-### Support for New Relic monitoring with per Octopus instance license key
This new feature will disable global New Relic monitoring by deactivating
server-level license key, so it can safely auto-enable or auto-disable it
every 5 minutes, but per Octopus instance -- for all sites hosted on
the given instance -- when a valid license key is present in the special
new ~/static/control/newrelic.info control file.
Please note that valid license key is a 40-character hexadecimal string
that New Relic provides when you sign up for an account.
To disable New Relic monitoring for the Octopus instance, simply delete
its ~/static/control/newrelic.info control file and wait a few minutes.
Please note that on a self-hosted BOA you still need to add your valid
license key as _NEWRELIC_KEY in the /root/.barracuda.cnf file and run
system upgrade with at least 'barracuda up-stable' first. This step is
not required on Omega8.cc hosted service, where New Relic agent is already
pre-installed for you.
#-### Solr 4 cores can be added/updated/deleted via site level INI settings
;;
;; This option allows to activate Solr 4 core configuration for the site.
;;
;; Only Solr 4 powered by Jetty server is available. Supported integration
;; modules are limited to latest versions of either search_api_solr (D7 only)
;; or apachesolr (will use Drupal core specific version automatically).
;;
;; Currently used versions are listed below:
;;
;; http://ftp.drupal.org/files/projects/search_api_solr-7.x-1.6.tar.gz
;; http://ftp.drupal.org/files/projects/apachesolr-7.x-1.7.tar.gz
;; http://ftp.drupal.org/files/projects/apachesolr-6.x-3.0.tar.gz
;;
;; Note that you still need to add preferred integration module along with
;; any its dependencies in your codebase since this feature doesn't modify
;; your platform or site - it only creates Solr core with configuration
;; files provided by integration module: schema.xml and solrconfig.xml
;;
;; This setting affects only the running daily maintenance system behaviour,
;; so you need to wait until next morning to be able to use new Solr 4 core.
;;
;; Once the Solr core is ready to use, you will find a special file in your
;; site directory: sites/foo.com/solr.php with details on how to access
;; your new Solr core with correct credentials.
;;
;; The site with enabled Solr core can be safely migrated between platforms,
;; integration module can be moved within your codebase and even upgraded,
;; as long as it is using compatible schema.xml and solrconfig.xml files.
;;
;; Supported values for the solr_integration_module variable:
;;
;; apachesolr
;; search_api_solr
;;
;; To delete existing Solr core simply comment out this line.
;; The system will cleanly delete existing Solr core next morning.
;;
;; IMPORTANT if you are using self-hosted BOA: _MODULES_FIX=YES must be set
;; in the /root/.barracuda.cnf file (this is default value) to make this
;; feature active.
;;
;solr_integration_module = your_module_name_here
;;
;; This option allows to auto-update your Solr 4 core configuration files:
;;
;; schema.xml
;; solrconfig.xml
;;
;; If there is new release for either apachesolr or search_api_solr, your
;; Solr core will not be automatically upgraded to use newer schema.xml and
;; solrconfig.xml, unless allowed by switching solr_update_config to YES.
;;
;; This option will be ignored if you will set solr_custom_config to YES.
;;
;solr_update_config = NO
;;
;; This option allows to protect custom Solr 4 core configuration files:
;;
;; schema.xml
;; solrconfig.xml
;;
;; To use customized version of either schema.xml or solrconfig.xml, you need
;; to switch solr_custom_config to YES below and if you are using hosted
;; Aegir service, submit a support ticket to get these files updated with
;; your custom versions. On self-hosted BOA simply update these files directly.
;;
;; Please remember to use Solr 4 compatible config files.
;;
;solr_custom_config = NO
# Updated Octopus platforms:
aGov 1.4 --------------------- https://drupal.org/project/agov
Guardr 1.12 ------------------ https://drupal.org/project/guardr
Open Academy 1.1 ------------- https://drupal.org/project/openacademy
Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant
Ubercart 3.7 ----------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
* Ability to add new Octopus instances with new, simple command syntax
* Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf
* Allow to define always disabled modules via _MODULES_FORCE variable.
* Better wait limits on connection testing for slow network / long distance.
* Issue #1927522 - Add support for easy Solr cores self-management.
* Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST
* Issue #376 - Add New Relic support with per Octopus instance license key.
* Make firewall management faster with randomized schedule.
* Procs monitor runs every 3 seconds.
* Run mysql_proc_control every 5 seconds for better results.
* You can safely apply db updates via 'Run db updates' task on any site.
# Changes in this release:
* DB credentials are no longer visible in settings.php, only in drushrc.php
* Delete default profiles in the hostmaster platform.
* Disable _DEBUG_MODE if not enabled on the fly.
* Disable newrelic-sysmond unless /root/.enable.newrelic.sysmond.cnf exists.
* Drush: Upgrade command line version 6 to mini-6-14-09-2014
* Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.
* Nginx: Use limit_conn protection only for known dynamic requests.
* Redis Integration Module (cache_backport): Update to version 6.x-1.0-rc2
* Redis Integration Module: Update to version mod-12-09-2014
* Remove _ALLOW_UNSUPPORTED legacy and no longer working properly feature.
* Remove dependency on Update Manager globally.
* Remove deprecated multi-instance labels in the New Relic configuration.
* Replace old hosting_civicrm_cron with newer hosting_civicrm module.
* Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.
* The www53 PHP-FPM pool has been switched from port to default socket mode.
* Use Provision CiviCRM boa-2.3.1-dev
# System upgrades in this release:
* cURL 7.38.0 (if installed from sources)
* Git 2.1.0 (if installed from sources)
* Jetty 7.6.16.v20140903
* Jetty 8.1.16.v20140903
* Jetty 9.2.3.v20140905
* PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1
* PHP 5.4.32
* PHP 5.5.16
* Redis 2.8.14
# Fixes in this release:
* Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf
* Add missing drush cache-clear drush to improve upgrade path.
* Add new features in the README.txt
* Add wheezy to the exceptions list where required.
* Allow to clear drush cache without directory restrictions.
* Always set correct TMP path for supported users.
* Cleanup for cron pid files in user specific .tmp dirs.
* Count properly also symlinked files directories (improved).
* D6 colorbox module requires old 1.3.18 library.
* Delete drush_make leftovers.
* Delete duplicate menu items on upgrade.
* Do not allow to install SSH from sources on Trusty to avoid problems.
* Do not skip daily.sh during barracuda system only update.
* Eldir theme: Use max width for buttons, if possible.
* Explain why installing RVM may take longer than expected.
* Fix cleanup for drush aliases in sub-accounts.
* Fix daily cleanup for user specific .tmp directories.
* Fix docs/HINTS.txt
* Fix for broken mariadb.list
* Fix for broken, way too aggressive PHP-FPM monitoring.
* Fix for ghost dirs cleanup.
* Fix for ghost vhosts cleanup.
* Fix for missing symlinks to existing platforms.
* Fix for not working protection from blocking local IPs on multi-IP systems.
* Fix for subdirs_support universal check.
* Fix for unreliable _IS_OLD check on Octopus instances upgrade.
* Fix for warning "Could not create directory ." on Hostmaster site Verify.
* Fix the fields order in the site edit form.
* Fix the regex to not whitelist unexpected IP ranges inadvertently.
* Force cURL rebuild if installed with outdated OpenSSL version.
* Guard against destructive or insecure tasks run on the hostmaster site.
* Improve cleanup for empty platforms directories.
* Improve monitoring to protect against convert trying to overload the system.
* Issue #2330781 - Use Drush dt() wrapper instead of not always available t()
* Issue #357 - Fix the logic for Git (re)install from sources.
* Issue #360 - Exclude special --CDN vhosts from daily cleanup.
* Issue #361 - Update and improve docs/FAQ.txt
* Issue #369 - Automatically download and fix /bin/websh if missing.
* Issue #369 - Restore classic /bin/sh symlink automatically if needed.
* Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.
* Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.
* Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.
* Issue #381 - Zend OPcache forced adds useless noise in the log.
* Issue #388 - Version 6.x-2.x of provision_civicrm requires hosting_civicrm
* Issue #389 - hosting_civicrm breaks site install form with confusing error.
* Issue #390 - Duplicate platforms nodes are created after upgrade to 2.3.0
* Issue #395 - Validate username isn't reserved before running install script.
* Issue #396 - Locale isn't getting set properly.
* Issue #397 - Not actually prompted for platforms during installation.
* Issue #398 - Make locales setup/fix for Debian always OS compatible.
* Issue #399 - The hitimes gem needs to be pre-installed to support Omega4.
* Issue #400 - CiviCRM is not installed on 2.3.0
* Issue #401 - Create sites/all/* subdirs in Hostmaster early enough.
* Issue #402 - Fix for ghost or disabled vhosts which still listen on IP.
* Issue #405 - Installer hangs due to yes/no dialog - "Untrusted packages"
* Issue #406 - Force keyring reinstall also upon 'GPG error'.
* Issue #407 - Fix for 'username is already taken' error on a local VM install
* Issue #408 - Fix for multiple funny typos. Thanks ar-jan!
* Make it clear that subdomain and subdirectory name must be identical.
* Make sure that keys subdirectory exists to avoid active platforms cleanup.
* Make the PHP-FPM processes monitor less aggressive by default.
* New Relic not enabled if no custom ~/static/control/{fpm|cli}.info exists.
* Nginx: Add config symlinks only on legacy instances.
* Nginx: Add cron access support for subdir sites.
* Nginx: Convert all vhosts to wildcard mode on Barracuda upgrade.
* Nginx: Disable monitoring for POST requests related to cart/checkout URI.
* Nginx: Do not touch nginx_wild_ssl.conf during this upgrade.
* Nginx: Improve wildcard conversion procedure on some really old instances.
* Nginx: Remove deprecated code and config templates.
* Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.
* Nginx: Update config includes to match optional BOA features improvements.
* Nginx: Update unified configuration templates in Provision to unfork BOA.
* Nginx: Update vhosts templates to match BOA improvements.
* PHP: Avoid unintended duplicate rebuilds.
* PHP: Sync disable_functions list.
* Protect sites/all/drush
* Provision: Backport provision_hosting_feature_enabled()
* Provision: Remove legacy subdir code and update checks.
* Redis config should sync with PHP-CLI, not PHP-FPM.
* Remove legacy procs monitoring code.
* Remove no longer needed limreq global fixes.
* Remove no longer needed/used contrib updates.
* Remove redundant file_exists() if is_readable() is also used.
* Replace old hosting_civicrm_cron with newer hosting_civicrm module.
* Restart pdnsd before running barracuda upgrade.
* Restore BOA formatting for tasks log to improve readability.
* Restore BOA naming convention and docs in Hostmaster.
* Restore BOA naming convention for Installation profiles in Hostmaster.
* Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.
* Restore BOA weight defaults in the form in Hostmaster.
* Restore punycode in Hostmaster.
* Restore tasks sort to always show tasks scheduled and running at the top.
* Sanitize cli.info and fpm.info
* Set _PLATFORMS_LIST properly.
* Silence early sed replacements to avoid confusion.
* Simplify colorbox-1.3.18 download.
* Simplify colorbox-1.5.13 download.
* Switch branch on the fly and add support for Aegir vanilla mode.
* Sync /tmp access restrictions.
* The hosting_civicrm_cron is now a submodule and should be also auto-enabled.
* The wildcard transition **doesn't** affect vhosts for SSL enabled sites.
* There is no need to force backend clone from GitHub on initial upgrade.
* Update for the Hostmaster welcome page.
* Update FPM monitoring settings.
* Use as short labels on the site node as possible.
* Use control files properly to not run redundant Jetty/Solr upgrade.
* Use correct paths to platform level drushrc.php file.
* Use correct Provision version on initial upgrade to 2.3.0
* Use Drush6 with @hostmaster.
* Use is_dir() instead of file_exists() when checking directory existence.
* Use is_file() and is_link() instead of file_exists() before trying unlink()
* Use is_readable() and file_exists() instead of file_exists() for backup.
* Use is_readable() check instead of insufficient file_exists() for includes.
* Use is_readable() instead of file_exists() when checking alias existence.
* Install latest Git even if not specified via _XTRAS_LIST but previous
version built from sources is detected.
* Issue #2278847 - Derivatives can't be created on install with Drush and
Aegir or when no vhost is available yet (Drupal Commons)
### Stable BOA-2.3.0 Release - Full Edition
### Date: Mon Sep 8 08:42:01 PDT 2014
### Includes Aegir 2.1 with improvements
Release Notes and changelog for BOA-2.3.0 have been merged into BOA-2.3.1
above after several hotfixes and some great new features were added
shortly after the 2.3.0 release to address all identified post-release issues.
### Stable BOA-2.2.9 Release - Full Edition
### Date: Wed Aug 6 17:08:10 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Fri Aug 15 09:37:04 PDT 2014
# Release Notes:
This release includes updated versions of all supported Drupal platforms to
provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,
bug fixes, and many updated Octopus platforms.
NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
yet, and new Drupal core has been released to fix security issues, followed
by yet another release to fix serious regressions, followed by yet another
security release, we have decided to make it available to everyone and release
yet another stable BOA-2.2.x Edition.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Aegir version with built-in Drush 6
support, sites in subdirectories, and many Aegir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# Updated Octopus platforms:
aGov 1.2 --------------------- https://drupal.org/project/agov
Commerce 1.29 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.17 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.20 ----------------- https://drupal.org/project/commons
Commons 3.17 ----------------- https://drupal.org/project/commons
ERPAL 2.0-b5 ----------------- https://drupal.org/project/erpal
Guardr 1.11 ------------------ https://drupal.org/project/guardr
Open Atrium 2.21 ------------- https://drupal.org/project/openatrium
Open Outreach 1.10 ----------- https://drupal.org/project/openoutreach
OpenPublic 1.0-rc4 ----------- https://drupal.org/project/openpublic
Panopoly 1.11 ---------------- https://drupal.org/project/panopoly
Restaurant 1.0-b2 ------------ https://drupal.org/project/restaurant
# New features and enhancements in this release:
* Allow to define always disabled modules via _MODULES_FORCE variable.
* Eldir: Add subtle 3D and round some edges.
* Eldir: Improve spacing and hide useless headers.
* Fix permissions on sites/all/{modules,libraries,themes} on Platform Verify.
* Make firewall management faster with randomized schedule.
* Merge pull request #362 from pricejn2/imageapi-optimize-binaries
* RVM: Add exceptions for gems which can't be installed in Limited Shell.
* Shell: Compass Tools: Allow to access guard.
* Shell: Improve config to better support advanced Drush commands over SSH.
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-14-08-2014
* Nginx: Add DBot to is_crawler list.
* Remove no longer supported NodeStream distro.
* Run complete modules-dis-list weekly (Saturday) and basic list daily.
# System upgrades in this release:
* MariaDB 10.0.13
* MariaDB 5.5.39
* Nginx 1.7.4
* OpenSSL 1.0.1i (if installed from sources)
* PHP: ionCube loader 4.6.1
* PHP: Zend OPcache master-30-07-2014
# Fixes in this release:
* Add cleanup for .tmp in sub-accounts.
* Add cleanup for drush-backups leftovers.
* Add cleanup for various /var/backups/* leftovers.
* Add daily auto-cleanup for ghost vhosts, platforms and drush aliases.
* Add exception for symlinked /data/all
* Add hint for HTTPS-only mode forced in local.settings.php
* Allow to clear drush cache without directory restrictions.
* Avoid "Is a directory" noise in the log.
* Commons 2.20 has changed its profile name from drupal_commons to commons.
* Do not modify site_footer on hostmaster upgrade.
* Do not rename the legacy Commons profile name.
* Fix -mtime expected values.
* Fix cleanup for .restore vhost leftovers.
* Fix cleanup for drush aliases in sub-accounts.
* Fix for unreliable _IS_OLD check on Octopus instances upgrade.
* Fix Nginx monitor to respect all whitelisted POST requests in both modes.
* Fix permissions on sites/all/{modules,libraries,themes} globally.
* Fix weird typo in global.inc
* Improve cleanup for empty platforms directories.
* Improve RVM cleanup.
* Issue #2278847 - Derivatives (Drupal Commons) can't be created on install.
* Issue #334 - Backported provision_civicrm #1485920
* Issue #334 - Delete the civicrm_class_loader variable after deploying.
* Issue #334 - Install civicrm in any location (sites/ profiles + contrib).
* Issue #360 - Exclude special --CDN vhosts from daily cleanup.
* Make sure that /keys subdirectory exists to avoid active platforms cleanup.
* Make sure that local IPs are never blocked by mistake.
* Never touch websh wrapper to avoid high load because of redirect loop.
* Nginx: Detected $device is not used in Boost config, only in Speed Booster.
* Nginx: Fix limreq also for some really old vhosts.
* Nginx: Modify only vhosts known as included in the protected mode.
* Remove /var/run/daily-fix.pid if exists when it shouldn't.
* Remove debugging mode in old codebases cleanup.
* Remove no longer needed/used contrib updates.
* Restore default websh wrapper symlink as fast as possible.
* Run manage_ltd_users every 3 minutes instead of every minute.
* Simplify colorbox-1.3.18 download.
* Simplify colorbox-1.5.13 download.
* Uninstall css_emimage only on hostmaster upgrade.
* Update and improve docs/FAQ.txt
* Update regex for exceptions in Nginx monitoring.
### Stable BOA-2.2.8 Release - Full Edition
### Date: Sat Jul 26 15:31:29 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Tue Aug 5 14:47:17 PDT 2014
# Release Notes:
This release includes updated versions of all supported Drupal platforms to
provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,
bug fixes, and six (6) updated Octopus platforms.
NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
yet, and new Drupal core has been released to fix security issues, followed by
yet another release to fix serious regressions, we have decided to make it
available to everyone and release yet another stable BOA-2.2.x Edition.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Aegir version with built-in Drush 6
support, sites in subdirectories, and many Aegir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# Updated Octopus platforms:
Commerce 1.28 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.16 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.16 ----------------- https://drupal.org/project/commons
Open Outreach 1.8 ------------ https://drupal.org/project/openoutreach
OpenBlog 1.0-v3 -------------- https://drupal.org/project/openblog
Panopoly 1.8 ----------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
* Allow to force OpenSSL etc. re-install with _SSL_FORCE_REINSTALL=YES
* Auto-Move no longer used shared codebases to /var/backups/codebases-cleanup
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-29-07-2014
* Issue #334 - Update provision_civicrm version - code by ixiam - thanks!
* Redis Integration Module: Update to version mod-21-07-2014
* Uninstall css_emimage in hostmaster to avoid broken upgrades.
* Update for Contrib [F]orce[D]isabled modules list.
* Use more aggressive defaults for _PURGE_BACKUPS and _PURGE_TMP if not set.
# System upgrades in this release:
* PHP 5.4.31
* PHP 5.5.15
# Fixes in this release:
* Add auto-cleanup for civimail ghost leftovers.
* Add cleanup drush aliases in the main SSH account properly.
* Add cleanup for RVM archives and logs.
* Fix for default value on hot fix update.
* Fix for dev regression - it shouldn't set $conf['cache'] on valid dev URLs.
* Fix the logic for custom _DEL_OLD_EMPTY_PLATFORMS defaults.
* Issue #333 - Update BOA changelog URL shortcut.
* Nginx: Automate SPDY test to determine if OpenSSL re-install is required.
* Nginx: Silence access log for already protected /civicrm admin requests.
* Remove special one-time variables if set, once used.
* RVM: Install OS compatible Ruby version + various related adjustments.
* Silence useless noise in the log.
* Sync firewall limits.
### Stable BOA-2.2.7 Release - Full Edition
### Date: Thu Jul 17 03:11:47 CEST 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Fri Jul 18 18:21:40 CDT 2014
# Release Notes:
This release includes some nice new features, improvements, bug fixes, one
new Octopus platform, five (5) updated Octopus platforms, along with latest
Drupal core security upgrades for all supported platforms.
NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
yet, and new Drupal core has been released today to fix security issues,
we have decided to make it available to everyone and release yet another
stable BOA-2.2.x series Edition.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Aegir version with built-in Drush 6
support, sites in subdirectories, and many Aegir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# New Octopus platforms:
OpenPublic 1.0-b23 ----------- https://drupal.org/project/openpublic
# Updated Octopus platforms:
Commerce 1.27 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.15 ----------------- https://drupal.org/project/commons
ERPAL 2.0-b4 ----------------- https://drupal.org/project/erpal
Guardr 1.9 ------------------- https://drupal.org/project/guardr
Open Deals 1.33 -------------- https://drupal.org/project/opendeals
# New features and enhancements in this release:
* Add early auto-repair procedure if Provision is missing for any reason.
* Add support for Debian Squeeze LTS updates.
* Add support for Debian Squeeze Stable Proposed Updates.
* Add views_accelerator in all D7 platforms by default via o_contrib bundle.
* Issue #307 - Support for Compass Tools via RVM with local user gems.
* Make $conf['cache'] configurable via disable_drupal_page_cache INI variable.
# Changes in this release:
* Nginx: Send Boost compatible Cache-Control headers also with Speed Booster.
This is to mimic Drupal core behaviour when full-page cache is disabled,
even if it is not really disabled via disable_drupal_page_cache INI variable.
Note that Speed Booster continues to ignore Cache-Control headers sent by
Drupal backend, as before, to force its own TTL set via INI variable:
speed_booster_anon_cache_ttl or in the custom local.settings.php code.
* Add css_emimage to hostmaster makefile to remove dependency on o_contrib.
* Do not upgrade existing o_contrib, only add new if missing in old platforms.
* Drush: Upgrade command line version 6 to mini-6-16-07-2014
* Limited Shell configuration update.
* Nginx: Do not log HTTPS redirects.
* PHP: AutoRemove 5.2 from _PHP_MULTI_INSTALL if no instance is using it.
* Prefer dash if available.
* Redis Integration Module: Update to version mod-10-07-2014
* The ?nocache=1 in the URL should also force $conf['cache'] = 0; on the fly.
* Update lfd default configuration.
# System upgrades in this release:
* cURL 7.37.1 (if installed from sources)
* Nginx 1.7.3
* PHP 5.4.30
* PHP 5.5.14
* PHPRedis: master-06-07-2014
* Redis 2.8.13
# Fixes in this release:
* Authorized IPs detection - it should ignore serial/remote console logins.
* BND --- Bind9 DNS Server (available on Debian only).
* Clear packages cache more aggressively to avoid issues during OS upgrades.
* Configure RVM env properly if installed in the user home directory.
* Contrib update: filefield-6.x-3.13
* Disable redis integration during hostmaster upgrade.
* Do not allow known bots to activate nocache and noredis URLs behaviour.
* Do not use css_emimage in hostmaster to avoid broken upgrades.
* Fix for o_contrib update logic.
* Fix for possible permissions problem with redis log file.
* Fix incorrect version in the permissions fix.
* Fix legacy test logic to allow head instances to upgrade to another 2.2.x
* Fix regex in procs monitor.
* Fix the check for legacy systems on upgrade.
* Force keyring reinstall if reported as broken.
* Issue #316 - Octopus upgrade fails because of missing cd $_ROOT/.drush/sys
* Issue #319 - XTRAS_LIST settings are being overwritten (Ubuntu).
* Issue #320 - Compass Tools available on Squeeze, Wheezy, Precise and Trusty.
* Issue #324 - HTTPS results in redirect loop on AWS due to ignored _MY_OWNIP.
* Issue #328 - The /bin/sh symlink modified daily causes false lfd alarm.
* Make it clear that we recommend and support Debian 64bit.
* Make sure that redis and cache_backport are available for hostmaster.
* Purge no longer used jdk leftovers.
* Readme improvements.
* Remove no longer needed tmp chown -R
* Remove no longer used /data/src directory.
* Remove remote_import if found in the wrong directory.
* Sanitize logs lines before analyzing them.
* The list of platforms symbols can be in a single line or one per line.
* There is no need to force SHELL in the websh wrapper.
* Update nginx documentation URL.
* Use static ftp.debian.org instead of unreliable http.debian.net mirrors.
### Stable BOA-2.2.6 Release - Full Edition
### Date: Sat Jun 21 06:14:18 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Mon Jul 14 14:54:04 CDT 2014
# Release Notes:
This release includes great new features, improvements, important changes,
many bug fixes, plus 3 new and 7 updated Octopus platforms.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Aegir version with built-in Drush 6
support, sites in subdirectories, and many Aegir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# New Octopus platforms:
aGov 1.0-rc8 ----------------- https://drupal.org/project/agov
ERPAL 2.0-b2 ----------------- https://drupal.org/project/erpal
Restaurant 1.0-a5 ------------ https://drupal.org/project/restaurant
# Updated Octopus platforms:
Commerce 2.15 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.18 ----------------- https://drupal.org/project/commons
Commons 3.14 ----------------- https://drupal.org/project/commons
Guardr 1.5 ------------------- https://drupal.org/project/guardr
Open Atrium 2.19 ------------- https://drupal.org/project/openatrium
Open Outreach 1.7 ------------ https://drupal.org/project/openoutreach
Panopoly 1.6 ----------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
* Drush aliases based workflows are now supported also remotely over SSH.
This is a significant improvement since we added automatically generated
and updated Drush aliases for on-the-server use in BOA-2.2.0
* Add gems: compass_radix v2 and compass_twitter_bootstrap
* Add support for automatic Scout App upgrade on RVM/Ruby/Gems upgrade.
* Install headless JRE and only if Solr is expected to run.
* Issue #2268889 - Allow to whitelist IPs for chive, cgp and sqlbuddy access.
* Issues #2248907 #1299526 - Allow to use comments for admin notes.
* Nginx: Disable proxy_buffering to avoid useless extra layer in local proxy.
* SQL: Allow to change InnoDB log file size via _INNODB_LOG_FILE_SIZE variable
* Use better subdirectory tree for Drush extensions.
* Add support for disable_user_register_protection INI variable on the
platform level - on self-hosted BOA and Power Engines only.
* Issue #2240277 - Customize Octopus platforms list via control file.
~/static/control/platforms.info
This file, if it exists and contains a single line with supported platforms
symbols, overrides the value of the _PLATFORMS_LIST variable normally
defined in the /root/.${_USER}.octopus.cnf file, which can't be
modified by the Aegir instance owner with no system root access.
IMPORTANT: If used, it will replace/override the value defined on initial
instance install and all previous upgrades. It takes effect on every
future Octopus instance upgrade, which means that you will miss all newly
added distributions, if they will not be listed also in this control file.
Supported values which can be written in this file - remember: all in a
single line, space separated, so not one per line, as listed below
only for readability:
# D7P D7S D7D --- Drupal 7 prod/stage/dev
# D6P D6S D6D --- Pressflow 6 p/s/d
# AGV ----------- aGov
# CME ----------- Commerce v.2
# CS7 ----------- Commons 7
# DCE ----------- Commerce v.1
# DCS ----------- Commons 6
# ERP ----------- ERPAL
# FSR ----------- Feature Server
# GDR ----------- Guardr
# MNS ----------- Managing News
# OA7 ----------- Open Atrium D7
# OAM ----------- Open Atrium D6
# OAY ----------- Open Academy
# OBG ----------- OpenBlog
# OCH ----------- OpenChurch
# ODS ----------- Open Deals
# OOH ----------- Open Outreach
# OSR ----------- OpenScholar
# PPY ----------- Panopoly
# RER ----------- Recruiter
# RST ----------- Restaurant
# SRK ----------- Spark
# TTM ----------- Totem
# UC7 ----------- Ubercart D7
# UCT ----------- Ubercart D6
You can also use the special keyword 'ALL' to have all available platforms
installed, including those newly added in future BOA system releases.
Examples:
ALL
D7P D6P OAM MNS OOH RST
* Issue #314 - Make _BACKEND_ITEMS configurable via _BACKEND_ITEMS_LIST
You can whitelist extra binaries to make them available for web server
requests, in addition to already whitelisted, known as safe binaries.
NOTE: This feature is available only on self-hosted BOA systems.
Please be aware that you could easily open security holes by whitelisting
commands which may provide access to otherwise not available parts of
the system, because the exec() in PHP doesn't respect other limitations
like open_basedir directive.
You should list only filenames, not full paths, for example:
_BACKEND_ITEMS_LIST="git foo bar"
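An added example, not part of BOA or of this changelog: a POSIX shell lint for the two operator-supplied lists described above, ~/static/control/platforms.info and _BACKEND_ITEMS_LIST. The function names are hypothetical, the symbol list is copied from this entry, any whitespace is accepted between symbols (the BOA-2.2.7 notes allow one per line), and the character check on backend items is this example's own conservative assumption.

```shell
#!/bin/sh
# Added example (not BOA code): check operator-supplied lists before an
# Octopus upgrade reads them. Function names are hypothetical.

# Platform symbols copied from the list in this changelog entry.
SUPPORTED_PLATFORMS="D7P D7S D7D D6P D6S D6D AGV CME CS7 DCE DCS ERP FSR GDR \
MNS OA7 OAM OAY OBG OCH ODS OOH OSR PPY RER RST SRK TTM UC7 UCT"

# check_platforms_info FILE
# Prints one line per problem; returns 0 only when every symbol is known.
check_platforms_info() {
  cpi_file=$1
  if [ ! -r "$cpi_file" ]; then
    printf '%s\n' "cannot read: $cpi_file"
    return 1
  fi
  # Count whitespace-separated symbols across the whole file.
  cpi_count=$(awk '{ n += NF } END { print n + 0 }' "$cpi_file")
  if [ "$cpi_count" -eq 0 ]; then
    printf '%s\n' "no platform symbols found in: $cpi_file"
    return 1
  fi
  # Split on any whitespace; the read fallback keeps a last symbol that
  # has no trailing newline.
  cpi_bad=$(tr -s '[:space:]' '\n' < "$cpi_file" |
    while IFS= read -r cpi_sym || [ -n "$cpi_sym" ]; do
      [ -n "$cpi_sym" ] || continue
      case " ALL $SUPPORTED_PLATFORMS " in
        *" $cpi_sym "*) ;;   # known symbol, or the ALL keyword
        *) printf '%s\n' "unknown platform symbol: $cpi_sym" ;;
      esac
    done)
  if [ -n "$cpi_bad" ]; then
    printf '%s\n' "$cpi_bad"
    return 1
  fi
  return 0
}

# check_backend_items "LIST"
# LIST is the value intended for _BACKEND_ITEMS_LIST. The entry above asks
# for filenames only, so any "/" is rejected. The second pattern is an
# assumption of this example: it rejects anything outside a conservative
# filename character set.
check_backend_items() {
  cbi_bad=$(printf '%s\n' "$1" | tr -s '[:space:]' '\n' |
    while IFS= read -r cbi_item || [ -n "$cbi_item" ]; do
      [ -n "$cbi_item" ] || continue
      case "$cbi_item" in
        */*) printf '%s\n' "path, not a filename: $cbi_item" ;;
        *[!A-Za-z0-9._+-]*) printf '%s\n' "unexpected character in: $cbi_item" ;;
      esac
    done)
  if [ -n "$cbi_bad" ]; then
    printf '%s\n' "$cbi_bad"
    return 1
  fi
  return 0
}

# Usage (paths and values as given in the entry above):
#   check_platforms_info ~/static/control/platforms.info
#   check_backend_items "git foo bar"
```

Passing the lint only means the lists are well formed; whether a given binary is safe to expose to exec() is still the operator's decision.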
# Changes in this release:
* Add memcache, memcache_admin to the list of automatically disabled modules.
* Add support for Debian Squeeze LTS updates.
* Add support for Debian Squeeze Stable Proposed Updates.
* Add varnish to the list of automatically disabled modules.
* Add watchdog_live to the list of automatically disabled modules.
* Disable and remove not used init scripts on known VM systems.
* Drush: Upgrade command line version 6 to mini-6-21-06-2014
* Fast DNS Cache Server (pdnsd) install is no longer optional.
* Install only vanilla core platforms by default (can be overridden)
* Nginx: Update default limit_conn settings.
* Nginx: Use only newer control file to force DoS monitor aggressive mode.
* Sync permissions with new defaults in the hardened setup.
* Update files ownership to match defaults in the hardened setup.
* Use dynamic mirror selection provided by Debian instead of forced static.
* The BOA project has moved to Github!
We no longer use repositories and issue queues on drupal.org, in an effort
to avoid fragmentation and duplication. We have moved all downloads used
by Barracuda and Octopus to our mirrors a few months ago, and it helped to
make BOA faster and more reliable during both system install and upgrades.
The next step is to use http://boa.readthedocs.org as a new home for all
future documentation efforts - it will build the docs, including printable
versions, on the fly, using dedicated Github repository as a backend, where
you can help migrate existing docs and improve them, both via boa-docs
project issue queue and pull requests:
https://github.com/omega8cc/boa-docs
We also encourage you to use drupal.stackexchange.com for BOA support:
http://drupal.stackexchange.com/questions/tagged/aegir
Please use our Github project for contributing code, reporting bugs,
and also suggesting new features and ideas:
https://github.com/omega8cc/boa
# System upgrades in this release:
* cURL 7.37.0 (if installed from sources)
* MariaDB 10.0.12
* MariaDB 5.5.38
* MySecureShell 1.33
* Nginx 1.7.2
* OpenSSL 1.0.1h (if installed from sources)
* PHP 5.4.29
* PHP 5.5.13
* PHP: Zend OPcache master-28-05-2014
* Redis 2.8.11
* Ruby 2.1.2
# Fixes in this release:
* Add caveats to docs/REMOTE.txt
* Add explicit whitelisting in websh wrapper to avoid any edge case problems.
* Add info about Two-Factor Auth for Chive in the welcome email template.
* Add missing exceptions in global.inc and simplify docs/REMOTE.txt
* Add missing wrapper exceptions required by daily.sh script.
* Clean up packages cache on finale()
* Create symlink for boa wrapper on the initial install only.
* Delete daily both files and directories in the ~/static/trash/
* Do not remove bundler in CI instances if /root/.keep.bundler.cnf exists.
* Explain that _ALLOW_UNSUPPORTED works only with head.
* Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
* Fix for already installed Open Atrium 2.18 7.28.1
* Fix for Postfix configuration.
* Fix incorrect version in the permissions fix.
* Fix permissions after every upgrade.
* Fix permissions and owner/group required for feeds (upload) support.
* Fix regex in procs monitor.
* Force apticron re-install if apticron.conf is outdated.
* Generate /data/all/cpuinfo daily to be used in Provision.
* GPL Ghostscript should be available for the web (PHP-FPM) access.
* Issue #2248037 - Add Platform and Site INI files Templates on Verify task.
* Issue #2262935 - Modules dir must be group writable in custom platforms.
* Issue #315 - Upgrading from older versions of BOA fails
* Issue #316 - Upgrade fails because of missing cd $_ROOT/.drush/sys line.
* Issue #319 - XTRAS_LIST settings are being overwritten (Ubuntu)
* Issue #324 - HTTPS results in redirect loop on AWS due to ignored _MY_OWNIP.
* PHP: Add protection from switching to not installed CLI or FPM version.
* PHP: Do not block getenv function.
* Provision: Use /data/all/cpuinfo generated by BOA daily, if exists.
* Remove redundant downloads silencer.
* Remove remote_import if found in the wrong directory.
* Sanitize logs lines before analyzing them.
* SQL: Do not run update_innodb_log_file_size() if the size is the same.
* Sync BOND with BARRACUDA.
* Update for switch_to_bash procedure.
* Use already downloaded patches.
* Use Debian release specific proposed-updates.
* Use full path to sqlmagic in daily.sh to avoid 'command not found' error.
* Use static ftp.debian.org instead of unreliable http.debian.net mirrors.
* Fix for authorized IPs detection in the protected vhosts logic - it should
ignore serial/remote console logins.
* Provision: Use higher hardcoded threshold to avoid breaking tasks due to
high load on multi-CPU systems when provision can't determine the real load.
### Stable BOA-2.2.5 Release - Full Edition
### Date: Thu May 8 11:59:23 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014
# Release Notes:
This release includes no new features, but does include bug fixes plus latest
Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.
There are also three updated distributions included, as listed below.
We also list here all hot-fixes applied to previous stable after its release.
# Important - Read This First! (for self-hosted BOA only)
If you haven't run full barracuda+octopus upgrade to latest BOA Stable
Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
Once new BOA Stable is released, you must run *full* upgrades with commands:
$ barracuda up-stable
$ octopus up-stable all both
For a silent, logged mode, where an email message is sent once the upgrade
is complete but no progress is displayed in the terminal window, you can
alternatively run the commands below. Start with a screen session to avoid
an incomplete upgrade if your SSH session is closed for any reason before
the upgrade completes:
$ screen
$ barracuda up-stable log
$ octopus up-stable all both log
Note that the silent, non-interactive mode will automatically say Y/Yes
to all prompts and is thus useful to run auto-upgrades scheduled in cron.
If you have skipped some recent BOA releases, you have the new default config
option _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
and you are not sure whether you follow best practices for managing
permissions as recommended in our docs (https://omega8.cc/node/116), then we
recommend that you change it to _PERMISSIONS_FIX=YES temporarily, or even
permanently if your VPS is fast enough, and then run this powerful script
as root:
$ bash /var/xdrago/daily.sh
Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
Commons 3.12 ----------------- https://drupal.org/project/commons
Open Atrium 2.18 ------------- https://drupal.org/project/openatrium
Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach
# Changes in this release:
* Add rsyslog/sysklogd to auto-healing procedures.
* Make the aggressive scan_nginx mode optional and use old mode by default.
* Nginx: Add HiScan to blocked crawlers list.
* Nginx: Add Riddler to blocked crawlers list.
* PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.
# System upgrades in this release:
* MySecureShell 1.33
* PHP 5.4.28
* PHP 5.5.12
# Fixes in this release:
* Always define _PHP_CN variable properly.
* Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.
* Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
* Force Pure-FTPd server re-install if key files are missing for any reason.
* Issue #2237167 - Improve authorized IPs detection in all protected vhosts.
* Issue #2262935 - Modules dir must be group writable in custom platforms.
* Nginx: Do not overwrite custom symlinks to the Under Construction template.
* Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.
* PHP: Delete pear in legacy paths, if still exists.
* PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
* Postfix: Force re-install if broken permissions detected on upgrade.
* Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().
* Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.
* Pressflow 6: Remove duplicate openid_update_6001().
* Revert "Force MariaDB 5.5 re-install".
* Set the TERM env variable if missing to avoid errors.
* Skip packages set on hold when running apticron.
* The ~/static/control must be writeable by lshell user to manage ctrl files.
* Add extra cron semaphore to prevent concurrent cron invocations via
multiple running runner.sh instances.
### Stable BOA-2.2.4 Release - Full Edition
### Date: Wed Apr 30 17:03:36 PDT 2014
### Includes Aegir 2.x-boa-custom version.
### Latest hotfix added on: Fri May 2 04:54:25 PDT 2014
# Release Notes:
This release includes several bug fixes along with five updated platforms,
plus some hot-fixes applied to previous stable after its release. We have
also added a fix for a known problem in recent Drupal 7.27 [#2245331], hence
the change from Drupal 7.27.1 to 7.27.2 in all D7 platforms.
# Updated Octopus platforms:
### Drupal 7.27.2
Commerce 1.25 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.14 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.11 ----------------- https://drupal.org/project/commons
Panopoly 1.5 ----------------- https://drupal.org/project/panopoly
### Pressflow 6.31.1
Commons 2.17 ----------------- https://drupal.org/project/commons
Note: Always read and follow upgrade procedure if explained in the distro
release notes, like for Panopoly 1.5 at https://drupal.org/node/2255133
# New o_contrib modules:
* print-6.x-1.19 (includes patch to auto-detect /usr/bin/wkhtmltopdf)
* print-7.x-2.0 (includes patch to auto-detect /usr/bin/wkhtmltopdf)
# New features and enhancements in this release:
* Support for session.gc_maxlifetime configurable via INI files.
You can control session garbage collector (EOL) per site and per platform.
The value (in seconds) of the session_gc_eol variable is used as
session.gc_maxlifetime value and specifies the number of seconds after which
data will be seen as 'garbage' and potentially cleaned up, resulting in the
$_SESSION variable being discarded and affected authenticated users being
logged out.
BOA default defined in the system level global.inc file is 86400 == 24h.
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-26-04-2014
* Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)
* Nginx: Use more aggressive limits against spambots trying to register accounts.
* Redis: Integration module (the modern variant) upgrade to 7.x-2.x-o8-2.6-B
# System upgrades in this release:
* Nginx 1.7.0
* PHP 5.5.12
* Redis 2.8.9
# Fixes in this release:
* Add symlinks in the home directory if missing (every 5 minutes).
* Add warning that Compass Tools install and upgrade may take a LONG time.
* Always define _PHP_CN variable properly.
* Do not delete symlinks to wrappers to avoid false LFD alarms.
* Fix for 'Force backward compatible SERVER_SOFTWARE'.
* Fix in websh for _IN_PATH logic to not break backend Drush tasks.
* Fix the logic for wrappers update and symlinks.
* Improve status messages to display when silent mode is used on upgrade.
* Improve whitelisting in the websh wrapper.
* Issue #2238805 - Command filtering - no word containing *drush* is allowed.
* Issue #2241495 - wkhtmltopdf stopped working after upgrade.
* Issue #2247997 - Update docs/REMOTE.txt with workaround for websh issue.
* Issue #2250397 - Always follow (limited) redirects in cURL requests.
* Issue #GH-304 - [rvm] use $_RUBY_VERSION as default.
* Issue #GH-305 - Check disk usage before running install/upgrade.
* Issue #GH-306 - Allow ruby 1.8 to remain installed.
* Nginx: Allow to configure keywords for aggressive requests rate monitoring.
* Nginx: Do not overwrite custom symlinks to the Under Construction template.
* Nginx: Sync FastCGI timeouts with other Nginx and PHP-FPM defaults.
* PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.
* PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)
* PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0
* PHP: Better defaults for realpath_cache_ttl and realpath_cache_size.
* PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
* PHP: pm.max_children was not properly updated on FPM version self-switch.
* PHP: Sync incorrect default_socket_timeout with max_execution_time (180s).
* PHP: Use 30s for pm.process_idle_timeout - it prevents too high RAM usage.
* PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.
* Postfix: Force re-install if broken permissions detected on upgrade.
* Prevent duplicate cron invocations with more strict delays.
* Restart rsyslog once the install or upgrade is complete.
* Set the TERM env variable if missing to avoid errors.
* Shell: Proper fix for wildcard in the path (cd command only)
* Standardize install and upgrade for Chive, SQL Buddy and CGP.
* Sync Redis timeout with default FPM timeout (180s).
* Sync SQL connect_timeout with default mysql.connect_timeout in PHP (60s).
* The ~/static/control must be writeable by lshell user to manage ctrl files.
* Update the logic for multi-version PHP support in BOND.
* Update the logic for multi-version PHP support in docs/REMOTE.txt
### Stable BOA-2.2.3 Release - Full Edition
### Date: Fri Apr 18 12:57:40 PDT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
This release includes several bug fixes and security upgrades both for the
system services and Drupal core, along with three updated platforms and new
features, including support for MariaDB 10.0 and Ubuntu 14.04 LTS Trusty.
# Updated Octopus platforms:
### Drupal 7.27.1
Guardr 1.3 ------------------- https://drupal.org/project/guardr
Open Atrium 2.17 ------------- https://drupal.org/project/openatrium
Recruiter 1.2 ---------------- https://drupal.org/project/recruiter
# New features and enhancements in this release:
* Add docs/FAQ.txt
* Add support for MariaDB 10.0 or 5.5 install via _DB_SERIES variable.
* Add support for Ubuntu 14.04 LTS Trusty.
* Improve auto-healing for multi-version PHP-FPM setup.
* Improve docs/UPGRADE.txt
* Improve health check for protected vhosts during live SSH-auth update.
* Nginx: More aggressive limits against spambots trying to register accounts.
# Changes in this release:
* Issue #GH-299 - Force disable LESS developer mode on production sites.
* Move custom scripts to /opt/local/bin/
* Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)
* Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1
* PHP: Do not use separate FPM pool for cron if _PHP_FPM_DENY is empty.
# System upgrades in this release:
* MariaDB 5.5.37
# Fixes in this release:
* Add 'exit 0' line if missing.
* Add /opt/local/bin to PATH by default.
* Add symlinks for wrappers only temporarily.
* Add warning that Compass Tools install and upgrade may take a LONG time.
* Better gem uninstall options.
* Compass: Multiple fixes for various expected gems versions install/upgrades.
* Do not override lshell env_path in websh wrapper.
* Do not use monitored bin path for custom scripts to avoid LFD false alarms.
* Extra db GRANT for 127.0.0.1 not added when migrating site.
* Improve auto-healing to create required directories in /var/run/ if missing.
* Issue #2230269 - New Jetty 9 version overrides JETTY_PORT=8099 with 8080.
* Issue #2235991 - Drush make needs better exceptions in websh wrapper.
* Issue #2236475 - Clarify what the Legacy mode really means.
* Issue #2238965 - Add missing path to switch_to_bash().
* Issue #2241013 - Git commands should be whitelisted in websh wrapper.
* Issue #2241495 - wkhtmltopdf stopped working after upgrade.
* Issue #GH-301 - Update the list of restricted keywords for Octopus username.
* Issue #GH-304 - [rvm] use $_RUBY_VERSION as default.
* Make sure that permissions on Chive Manager dir/files are correct.
* Note: _SSL_FROM_SOURCES=YES is ignored and not needed on Wheezy and Precise.
* PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.
* PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)
* PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0
* PHP: pm.max_children was not properly updated on FPM version self-switch.
* PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.
* Remove the line with header TABLE_NAME (sqlmagic).
* Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.
* Shell: Allow to run 'drush cache-clear drush' in any directory.
* The _PHP_MODERN_ONLY variable is no longer used.
* Ubuntu 14.04 LTS Trusty requires MariaDB 10.0
* Use hostname -b instead of deprecated hostname -v.
### Stable BOA-2.2.2 Release - Barracuda Edition
### Date: Tue Apr 8 07:24:18 PDT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
This is a bug-fix only release to address issues discovered after recent
major BOA-2.2.0 and subsequent BOA-2.2.1 Releases.
The most important problem fixed in this Release is related to the known
OpenSSL security issue, which has been fixed in OpenSSL 1.0.1g.
To learn more please visit: http://heartbleed.com
@=> Note for those on self-hosted BOA (skip this if you are on a hosted Aegir)
We recommend that you enable _SSL_FROM_SOURCES=YES option in your system
/root/.barracuda.cnf file, to always build latest OpenSSL from sources.
Note that it will also trigger OpenSSH and cURL install from sources, plus
subsequent PHP rebuild to include latest SSL libraries.
Note that _SSL_FROM_SOURCES=YES will not force the build from sources on
Debian Wheezy and Ubuntu Precise, to avoid confirmed conflicts and because
both OS versions already provide custom, patched OpenSSL packages.
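A version-string check for the OpenSSL issue described above, as an added example that is not part of BOA. It assumes the affected range is OpenSSL 1.0.1 through 1.0.1f (as published on heartbleed.com); the function name and status words are hypothetical. Because Debian Wheezy and Ubuntu Precise ship patched packages under an older version string, a match means "verify the package", not "vulnerable".

```shell
#!/bin/sh
# Added example, not BOA code. Classifies the output of `openssl version`
# against the 1.0.1g fix named in the release notes above.
#
# heartbleed_status "<openssl version output>"
# Prints one of:
#   fixed          1.0.1g or a later 1.0.1 letter release
#   check-package  1.0.1 through 1.0.1f by version string; a distro build
#                  may still carry the fix as a backport
#   other-series   parsed, but not a 1.0.1 release (outside this check)
#   unknown        string could not be parsed
heartbleed_status() {
    # Second field of e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Drop build suffixes such as "-fips" or "-beta1"
    base=${ver%%-*}

    # Letters are listed explicitly so the match does not depend on locale
    case "$base" in
        1.0.1)                             echo check-package ;;
        1.0.1[abcdef])                     echo check-package ;;
        1.0.1[ghijklmnopqrstuvwxyz])       echo fixed ;;
        1.0.1*)                            echo unknown ;;
        [0-9]*.[0-9]*.[0-9]*)              echo other-series ;;
        *)                                 echo unknown ;;
    esac
}

# Constructed sample strings (not captured from a real host).
# On a live system use: heartbleed_status "$(openssl version)"
for sample in \
    "OpenSSL 1.0.1e 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.1h-fips 5 Jun 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-34s %s\n' "$sample" "$(heartbleed_status "$sample")"
done
```

The check covers only the binary whose version string it is given; Nginx, OpenSSH, cURL and PHP builds that link their own copy of the library have to be checked separately.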
This Release doesn't include any updates to the Octopus installer, so there is
no point in running a full upgrade. It is enough to run the barracuda-only
system upgrade in the "silent mode" with:
$ screen
$ barracuda up-stable system
The system will send you an email with results when the upgrade is complete,
but there will be no upgrade progress displayed in the console. You can watch
it, if you prefer, with command (DATE/TIME are placeholders for real values):
$ tail -f /var/backups/reports/up/barracuda/DATE/barracuda-up-DATE-TIME.log
# System upgrades in this release:
* Nginx 1.5.13
* OpenSSL 1.0.1g (if installed from sources)
* PHP 5.4.27
* PHP 5.5.11
# Fixes in this release:
* Chive Authentication via SSH session may break Nginx due to race conditions.
* Drush specific dt() wrapper is required in Provision for custom platforms.
* Fix Compass Tools support for Omega (gems dependencies via bundle install).
* Fix default shell for system level cron tasks.
* Fix for csf firewall compatibility test.
* Force better health check on protected vhosts on live SSH-auth update.
* Improved health check for protected vhosts during live SSH-auth update.
* Issue #2229555 - On fresh boa install link missing during install.
* Issue #2229715 - Tasks queue doesn't work on the Master Instance.
* Issue #2231093 - Add new line before 'UseDNS no' in the sshd_config file.
* Issue #2235991 - Drush make needs better exceptions in websh wrapper.
* Issue #294 - New Relic ext not installed even if _NEWRELIC_KEY is not empty.
* Nginx: Backup and re-create default wildcard SSL cert/key with rsa:4096
* Nginx: Generate 4096 bit long DH parameters when _NGINX_FORWARD_SECRECY=YES
* Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1
* PHP: Better default workers limits for the ondemand mode.
* PHP: max_input_time should be set to 180 and not 60, by default.
* PHP: Zend OPcache directive opcache.enable=1 must be set in all ini files.
* Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.
* The 'scp' command is broken in limited shell.
* Too broad whitelisting breaks commands in limited shell with 'tmp' keyword.
* Too restrictive open_basedir defaults break access to valid PEAR paths.
* Too restrictive open_basedir defaults break access to valid Tika paths.
* Use rsa:4096 by default in self-signed certs for Nginx and FTPS.
### Stable BOA-2.2.1 Release - Full Edition
### Date: Tue Apr 1 10:28:45 SGT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
This is a bug-fix only release to address issues discovered after recent
major BOA-2.2.0 Release.
# Fixes in this release:
* Chive Authentication via SSH session doesn't work on some older instances.
* Compass Tools don't use correct paths to Ruby 2.1.1
* Cron for sites doesn't work on old instances without Nginx wildcard vhost.
* FTPS (FTP over SSL) connections may experience TLS problems.
* PHP: Disabled 'assert' may cause warnings on features revert.
* PHP: Disabled 'create_function' may break some contrib modules or code.
* The 'git pull' command is broken in limited shell.
* The 'rsync' command is broken in limited shell.
* The 'drush dl foo' command can't be run outside of site directory.
# Known Issues on systems upgraded to BOA-2.2.1 (and 2.2.0) releases
==> Updated on Tue Apr 8 01:26:47 PDT 2014
@=> Issues fixed in BOA head (running the hotfix in stable is enough):
* Chive Authentication via SSH session may break Nginx due to race conditions.
* Drush specific dt() wrapper is required in Provision for custom platforms.
* Issue #2229715 - Tasks queue doesn't work on the Master Instance.
* PHP: max_input_time should be set to 180 and not 60, by default.
* The 'scp' command is broken in limited shell.
* Too broad whitelisting breaks commands in limited shell with 'tmp' keyword.
* Too restrictive open_basedir defaults break access to valid Tika paths.
* Zend OPcache directive opcache.enable=1 must be set in all php.ini files.
To fix all those problems you can run as root on self-hosted system:
$ wget -q -U iCab http://files.aegir.cc/update/boa221fix.txt
$ bash boa221fix.txt
We have fixed this on all hosted and remotely managed Aegir instances already.
@=> Other issues fixed in BOA head (run 'barracuda up-head system' to apply):
* PHP: New Relic extension not installed even if _NEWRELIC_KEY is not empty.
* Too restrictive open_basedir defaults break access to valid PEAR paths.
### Stable BOA-2.2.0 Release - Full Edition
### Date: Mon Mar 31 06:44:08 SGT 2014
### Includes Aegir 2.x-boa-custom version.
# Release Notes:
There are many important changes and improvements in this release
you should be aware of *before* running your BOA system upgrade.
Even if you are on a hosted BOA system with upgrades managed for you,
it is very important to read at least these extensive release notes.
Here is a list of topics covered in detail further below:
* New 'legacy' mode available for installs and upgrades
* Important Note For Those Using Our Hosted Aegir Service!
* Custom php.ini protection has changed and will not honor old settings
* Barracuda no longer supports Percona since 2.2.0 release
* Support for PHP FPM/CLI version safe switch per Octopus instance
* All PHP FPM workers in 5.5, 5.4 and 5.3 now use the 'ondemand' mode
* Drush aliases are now automatically copied to all relevant accounts
* Drush is now restricted to use only trusted modules installed by default
* The ~/.drush and other important directories and symlinks are protected
* Support for safely configurable cache bins exceptions in Redis
* Two-Factor-like Authentication to protect access to Chive DB Manager
* Support for session.cookie_lifetime configurable via INI files
* Support for files permissions-fix exceptions via platform level INI file
* High-performance JavaScript callback handler (js) in all platforms
And if you are more curious, read also the big changelog further below,
which covers only a small number of over 560 commits since BOA-2.1.3 release.
But what if you are not ready for this major upgrade and you would like
to have more time for testing, but still be able to run system upgrades,
thus effectively still using previous version 2.1.3 with standard command
'barracuda up-stable system', as explained in the docs/UPGRADE.txt?
#-### New 'legacy' mode available for installs and upgrades
We are introducing special 'legacy' mode both for BOA installs and upgrades.
This means that starting with BOA-2.2.0 you can use commands like:
$ boa in-legacy public server.mydomain.org my@email o1
$ barracuda up-legacy system
$ octopus up-legacy o1
etc.
These special 'legacy' commands allow you to install and/or upgrade the 'old
stable', once the 'new stable' is released. But only until another 'stable'
is released, of course. Thus you can use it only as an interim solution
if you are not yet ready for latest 'stable' BOA Edition, for any reason,
but you want to update at least the low level system packages, kernel etc.
Note also that if you upgrade to the current 'stable', it is not possible
to downgrade back to the 'old stable' with 'legacy' mode, so please proceed
with care!
This option will be particularly important once we release the *next* major
BOA Edition. It will end support for Drush 4, Drupal 5 and, yes, PHP 5.2
(finally). This step is required to use latest Drush 6+ with supported
Drupal core versions and supported PHP versions, which in fact is required
to introduce the real Aegir 2.0 in BOA -- we are still using an older Aegir 2
HEAD version, customized for backward compatibility, so it is time to move on
and stay up to date with everything, get new features like the ability to
manage Drupal sites in subdirectories etc.
Once that *next* major BOA Edition is released, we will freeze the 'legacy'
mode at 2.2.x series level, which will receive only security upgrades and
no further feature or bugfix releases. At that point you will have to stick
to the 'legacy' BOA version if you need to run PHP 5.2 and Drupal 5
with Aegir based on Drush 4. It will still be possible, but not recommended
and not really supported, besides security related issues outside of Drupal.
This also means that at that point the 'legacy' version will no longer
receive Drupal core upgrades, even if there will be security core releases.
Note that we don't use the term "major release" in the known convention
for versions naming. It is because the first digit, for historical reasons,
refers to the Aegir version supported, the second digit refers to BOA stack
major release, and the last digit refers to both feature and bugfix BOA
stack upgrades.
#-### Important Note For Those Using Our Hosted Aegir Service!
NOW is the time (and last chance) to upgrade all your legacy Drupal 5 sites
and outdated Drupal 6 sites still not compatible with at least PHP 5.3,
because once we upgrade to the *next* major BOA Edition, it will no longer be
possible to run Drupal sites not compatible with PHP 5.3 -- there
were literally years of this legacy support provided, and this finally
comes to an end, because we will not use the BOA 'legacy' mode on our own
servers. It will still be available for the remotely managed 'Aegir on Your
Own Server' option, though, but only on request: https://omega8.cc/support
#-### Custom php.ini protection has changed and will not honor old settings
If you have custom settings in any of your php.ini files protected with
old variable in the /root/.barracuda.cnf, make a backup of your ini files
before running this upgrade. While these files will not get overwritten,