Tags

NEW:
[file] temp()- generate a temporary file.
[PHP Pools] phpinfo() section.
[UI] clear(), exists() helper methods in menu to empty/check entries in menu templates (see Customizing.md).

FIXED:
[DNS] removing similar records dumps record cache.
[Filesystem] disable project quotas if XFS features cannot support concurrent group + project quotas.
[misc] notify-installed() always uses IP address.
[Opcenter] deletion blocked by missing "apache" user.
[Opcenter] double-parsing "null" is converted to null literal for provider default.

CHANGED:
[Ansible] apply 2.9.16 hotfix for C7 platforms.
[apnscp.js] preserve hash keys for future compatibility with named argument invocation.
[DNS] bypass uneditable NS apex records.
[FST] relocate p11-kit into siteinfo for imagick dependency.
[Let's Encrypt] admin can toggle between EC/RSA server certificate.
[UI] check for plan-specific menus.

NEW:
[admin] get_site_id_from_admin()- efficient lookup to determine which site has specified siteinfo,admin_user value.
[Backups] backup_dbs.php helper now accepts --keep, --force flags to retain existing database backups and skip backup schedule.
[DNS] show apex NS records. Must be enabled via Account > Settings > App Settings > DNS Manager.
[PHP] PHP-FPM version selection now available under PHP Pools.
[PHP] expose recent log in PHP Pools.
[PHP] policy maps. Set a variety of PHP-FPM values administratively. See PHP-FPM.md.
[UI] Add [frontend] configuration, https_only restricts access to HTTPS endpoints. content_security_policy= sets a default CSP. Sample CSP supplied in config.ini.

FIXED:
[apnscpd] exporting LC_ALL to backend breaks float formatting, such as in multiPHP. Limit numeric localization to authentication context.
[Bootstrapper] CentOS Stream workaround for #1853736, "systemctl show" emits "Invalid argument" in property trailer.
[DNS] always encapsulate TXT records in quotes.
[EditDomain] exceptions lose stack.
[EditDomain] delayed journaling causes a flood of logging messages at shutdown.
[misc] command_info() an incomplete docblock creates a null dereferencing exception.
[upcp] Composer timestamp check ineffective.
[Web Apps] use app pretty name in presentation. Always show primary domain name.

CHANGED:
[Auth] add domainmap.tch size validation on boot.
[Backups] backup_dbs.php may be manually triggered. Set manual_database_backups=true in Bootstrapper, then run apnscp/crons role.
[Bootstrapper] allow MySQL overrides via mysql_custom_config.
[DNS] changing providers performs zone provision.
[DNS] honor [dns] => default_ttl value for new records.
[EditDomain] allow null/None values in plan definitions to update on --reset. Previously any None value is skipped such as apache,subnum.
[Network] bypass hairpin check if IP address exists on interface.
[PHP] relocate Remi to /.socket/php/multiphp.
[PostgreSQL] use named socket to connect instead of 127.0.0.1 for connectivity. Designed for interoperability when PrivateNetworking=yes in cp-proxy configuration.
[PowerDNS] listen on 127.0.0.1 on CentOS 8+/PowerDNS 4.3+ builds. Previously changed from 0.0.0.0 to accommodate systemd-resolved. On basic setups; however, with a local nameserver configuration, 127.0.0.1 cannot return an authoritative response.
[Rampart] an "ignorelist" delegated whitelisting target has been added, which applies all firewall rules but ignores brute-force blocks for these IPs. Previously the target was "whitelist" which absolutely permits access before other rules. "ignorelist" rules only affect whitelisting done by Site Administrators. rampart:whitelist by Appliance Administrator still places the IP address in "whitelist". Policy may be changed by setting [rampart] => delegation_set.
[Scripts] mapCheck rebuild TokyoCabinet database before performing reverse sweep.

REMOVED:
[dns] remove_zone() no longer accessible directy by Site Administrator.
[dns] authoritative-only flag causes hang in multiple DNS providers. Rely on setting recursion=0 to validate successful provisioning.
[PowerDNS] PowerDNS 4.3/CentOS 8 limitation. MySQL backend driver RPM no longer depends on MySQL 8.

NEW:
[Scopes] mail.rspamd-piggyback, set rspamd in piggyback mode.

FIXED:
[Ansible] #72985 hotfix.
[Login] invalid admin username causes white screen.
[PHP] FPM service group missing from php-fpm service wants.
[PHP] 8.0 version setting parsed as "8" in UI.
[Powerdns] TXT concatenation changes introduced in 3.2.17 resulted in an off-by-one error for TXT records.
[Scopes] renamed scopes, such as apache.php-version => php.version do not load view overrides when accessed from prior name.

NEW:
[Bootstrapper] add has_proxy_only build type, provisions a server to act as a cp-proxy relay. See Panel proxy.md for further information.

FIXED:
[Backups] database backups may never terminate when the number of snapshots exceeds the number of preserved backups.
[Bootstrapper] Node, PHP tarballs accounted under admin1.
[Bootstrapper] sofware/passenger role from an interactive terminal in which Rake is installed suspends tty to background.
[CentOS] version detection incorrect on 8+ paltforms resulting in invalid comparisons.
[DNS] moving providers no longer automatically provisions DNS on the new provider.
[Ghost] mail cannot deliver due to firewall restrictions on "direct" mail transport.

CHANGED:
[Auth] redirection DNS check now optional via [auth] => server_validity. Useful in cp-proxy installs with internal hostnames.
[Auth] log attempts and Anvil blocks now logged to /var/log/secure.
[Bootstrapper] always use local connection in panel
[ClamAV] FreshClam usage dependent upon server mode.
[Digitalocean] honor 30s minimum DNS TTL.
[DNS] record names may be optionally split on 255 octet boundaries now.
[File Manager] cleanup incomplete extractions.
[mail] disable mailbox management for third-party mail providers.

FIXED:
[Opcenter] mail/dns provider list merged in Nexus
[PHP-FPM] unlink stray php-fpm Wants= target from earlier efforts

NEW:
[Opcenter] registration of custom DNS, mail providers. See DNS.md.

FIXED:
[Bootstrapper] duplicate notifications generated for jobs.
[Ghost] Fails to start on fresh install from missing interpreter.
[Opcenter] apache,subnum off-by-one error.
[PHP] move socket after PHP-FPM pool operation. During stop/start operations in Bootstrapper a rare race condition (<0.5%) was observed in which one or more pools may after the socket has been restarted thus inhibiting socket activation.
[systemd] verify systemd-resolved enabled in local presets. Images provisioned with systemd-resolved enabled will lose this setting whenever systemd package updates per rules in /usr/lib/systemd/system-preset/90-default.preset.
[upcp] always cleanup SSH agent directory.

CHANGED:
[Bootstrapper] SCL may be controlled individually via has_scl setting.
[ClamAV] disable freshclam in client-only mode.
[Network] enable bidirectional explicit congestion notification. This has been the default in iOS 11+ and network infrastructure sufficiently new since introduction 20 years ago.
[Opcenter] aliases,max=0 disables end-user addon domain management while retaining administrative alias usage.
[PHP] reset failed state on pool restart.
[Scopes] cp.nightly-update- permit systemd.time(7)-style updates

FIXED:
[DNS Manager] fetch all domains before dropping privileges as admin.
[Filesystem] remove incorrect device-mapper block name from FST, which may block migrations from completing.
[SSO] cookie helper does not replicate when /var is on its own mount-point.
[upcp] restore git 2.2 behavior in overwriting tags if a tag moves during production.

NEW:
[OS] CentOS 8.3+ support.
[upcp] Automatically log updates and report failures.

FIXED:
[Bootstrapper] job daemon authentication changes prevented email summaries from generating for Bootstrapper + integrity check emails.
[cgroups] a mount change in 3.2.13 attempted to unmount the reference cgroup controller instead of bind-mounted controller within the filesystem template.
[UI] downloaded files buffer in-memory potentially resulting in OOM conditions for larger files.
[Web Apps] screenshots on CentOS 8 do not honor /etc/hosts restrictions.

CHANGED:
[Apache] apply 2 GB memory limit to control group slice intended to prevent runaway processes.
[Let's Encrypt] disable renewal of SSL for suspended accounts. Move renewal to activation of suspended accounts. A minor change to suspend-rules template is added to allow /.well-known requests to succeed while a site is undergoing activation.
[Let's Encrypt] honor global strict_mode/verify_ip settings under [letsencrypt] in config.ini.
[Network] switch queueing algorithm to fq, which supports TCP pacing in pre-4.13 kernels necessary for BBR congestion control.
[Nexus] report total accounts in addition to total domains.
[PowerDNS] report connectivity errors.
[Process] always inherit unshared mount's permissions.
[UI] use Brotli compression. Periodically cull HTTP processes above resource watermark (195 MB).
[Utilities] mapCheck will reverse populate appldb.siteinfo table with any missing domains.

ApisCP benchmark

See https://github.com/apisnetworks/apnscp-bootstrapper#benchmarking-providers

NEW:
[Bootstrapper] ARA builds.
[Panel Proxy] support for a singular control panel URL. See @apisnetworks/cp-proxy or Panel proxy.md in the bundled documentation.
[PHP] PHP8 support. Enabling PHP8 disables Horde webmail + ionCube features until supported.
[PowerDNS] centralized DNS management within UI. Any DNS zone in a cluster may be managed from the UI now regardless of server.
[Scopes] php.composer-autoupdate, manage Composer auto updates. virus-scanner.remote-scan, use a centralized ClamAV scanner (see ModSecurity.md).

FIXED:
[Bootstrapper] "php-fpm" service fires on each notify usage that can result in php-fpm-MAIN as well as other services from deactivating.
[File Manager] uploads rejected when diskquota is disabled for site.
[Pagespeed] disable gzip compression when Brotli support enabled. Corrects situation in which content compressed using gzip despite client wanting br
[PHP-FPM] correct race condition in which PHP-FPM starts in parallel before cgconfig.service cgroup hierarchy is created.
[upcp] builds ignored in edge-major.

CHANGED:
[Frontend] reduce memory usage.
[Let's Encrypt] enhance registration reporting errors. Attempt dns-01 solver on root domain when self-check fails.
[Let's Encrypt] detection of new R1 signing root.
[License] enforce DNS-only domain checks early.
[Opcenter] preserve file/inode quotas when diskquota,enabled is disabled. Allows temporary toggles to preserve previous quota settings.
[Opcenter] apache,enabled may be disabled.
[PHP] allow override of configure script location via "php_configure".
[PHP-FPM] write cgroup task only to tracked cgroup controllers.

[Scopes] rename apache.php-multi => php.multi, apache.php-version => php.version. Deprecated beginning 3.3
[UI] migrate all application.spec XML files to Yaml.

REMOVED:
[Postgresql] 9.6 support on CentOS 8.
[System] sssd service.

CHANGED:
[systemd-resolved] Apply CentOS #16988 hotfix for missing PrivateTmp=/ProtectSystem= declarations resulting in 222/NAMESPACE failure
[SysV] apply rc-compatibility changes to /etc/rc.d/rc.local

NEW:
[OS] Stream 8 support.
[upcp] "edge-major" mode to set ApisCP on edge releases until next official release.
[webapp] snapshot(), rollback() API helpers to facilitate app snapshots and rollbacks. API signature applies to all compatible Web Apps.

FIXED:
[Composer] specify "name" field on config/custom/composer.json creation.
[git] commit() does not report failure reason.
[Ghost] LTS version fails to set on pristine account.
[MySQL] imports cannot read from backups that begin with a dot.
[PHP] apply g+x to home directories when subdomains are located within if PHP-FPM is used.
[PHP] socket activation may be disabled on boot.
[Python] Python3 libraries missing on CentOS 8 platforms.
[Settings] Cannot unset "Strict SSL" setting.

CHANGED:
[Bootstrapper] changing hostname in net.hostname update
[dns] remove_zone() accepts optional $force parameter bypassing any sanity checks in removal.
[Internal] Improve self-referential timeouts for misbehaving routers.
[Laravel] db_config()- cache configuration if needed.
[PHP] Increase default upload filesize limit.
[PHP] Permit fpm-config-custom to override php_admin directives.
[Rampart] reduce port ban on postfix-sasl violation to Postfix ports (25, 465, 587).
[web] remove_subdomain()- add optional $keepdns parameter to retain DNS after a subdomain is removed.

NEW:
[Web Apps] prune() API method removes invalid document roots.

FIXED:
[PEAR] conflicting PEAR_Exception declaration triggered in specific setting where SMTP server sends mail and PEAR dependency had been previously included by a forced inclusion via require_once. Notably this situation was encountered on Let's Encrypt renewal where a certificate failed renewal and ApisCP configured to use an external SMTP service.

CHANGED:
[MySQL] Force update to November 9 security release for local privilege vulernability.
[Terminal] backport IPv6 support

FIXED:
[MariaDB] "Malformed communication packet" error in PHP-linked PDO library present in 10.3.26. Force downgrade to 10.3.25 and version-lock until this bug is resolved upstream.
[Panel] listen on IPv6 addresses.
[Perl] add missing perl-interpreter package

CHANGED:
[File Manager] clipboard split button toggles clipboard dropdown.
[MariaDB] missing libmariadb library from FST.
[PHP] patch system, including OpenSSL fixes in PHP 5.6 on CentOS 8+ systems.
[Web Apps] honor skip preferences before calculating update candidates.

FIXED:
[imagick] Severe performance regression in 3.4.4 impacting WordPress media uploads. Switch to dev releases until resolved.
[polkit] GDBus errors on service restart in CentOS 7.

CHANGED:
[Add User] add link back to Manage Users.
[ghost] follow recommended Node version.
[MXRoute] implement API lookups to determine public MX/fallback MX records.
[WordPress] squelch plugin/theme version query warnings for commercial plugins.

NEW:
[AddDomain] --bootstrap will automatically issue SSL for the domain upon creation. See Plans.md for further details. May be configured globally by setting [letsencrypt] => auto_bootstrap.
[Composer] Composer 2.0 support for new installs.
[Kernel] add support for querying BLS layouts.
[ImageMagick] policy management via software/imagick role.
[UI] alter login appearance via [style] => verbose_login.
[Yum] implement post-transaction actions for dnf-based systems (CentOS 8+).

FIXED:
[Bootstrapper] various idempotency fixes.
[file] takeover_user() applies permissions as if previous user still owner.
[PHP-FPM] Restarting PHP-FPM services could result in vanishing socket caused by out-of-order execution.
[PostgreSQL] Startup may not always have /run/postgresql available.

CHANGED:
[bwcron] Suspension logic rotated such that stopgap > notify, stopgap is now checked before notify threshold.
[Cloudflare] restrict API management of .cf, .ga, .gq, .ml, .tk TLDs per Cloudflare's policy.
[Nexus] implement password sharing in welcome email.
[Postfix] relax mandatory header insertion to locally originating mail only. Resolves potential condition where forwarded mail breaks DKIM.

REMOVED:
[Laravel] cache priming while apache,jail=1

FIXED:
[MySQL] database grants on newly-created databases lack privilege editing.

CHANGED:
[Discourse] follow Docker guidelines with Node version (v10). Pass HTTP protocol type to backend for CSP conformance.
[Node] installed() allows weak matching on versions, i.e. node:installed 10.2 will match 10.2 or 10.2.5.
[Ruby] installed() allows weak matching on versions, i.e. ruby:installed 2 will match 2, 2.7, or 2.7.5.
[WordPress] suspend versioning support on theme updates. A nasty bug exists in WP-CLI that leaves a theme deleted if an update fails. See wp-cli/extension-command#263.

NEW:
[Auth] geolocation security notices may use self-hosted GeoLite2 database. See SECURITY.md.
[Databases] double-throw safety switch for mysql and pgsql services. Prior to, the only means to delete databases/grants on an account was to remove the account. A DTSS has been added that allows these to be removed by setting enabled=0 and dbaseprefix=None in the corresponding service definition. See MySQL.md.
[PHP] multiPHP role in Bootstrapper, php/multiphp. This role will update and build new native multiPHPs during a platform scrub. Setting apache.php-multi will persist settings now for use with php/multiphp.
[PowerDNS] turnkey AXFR clustering. See PowerDNS.md.

FIXED:
[Bootstrapper] ionCube work directory is not always created.
[Cloudflare] weak record check via $parameter omission always fails.
[Cloudflare] reformat parameter if "key" index looks like a token.
[Dovecot] rewriting a subject on learning spam as ham results in cache corruption/segfault in Dovecot 2.2.36.4.
[email] address_exists()- catch-alls always return false.
[Geoip] IPv6 geolocation reports as invalid.
[PostgreSQL] add missing v12 support in filesystem template.
[rspamd] event order isn't guaranteed on Firefox resulting in persistent authentication screen.
[ruby] incorrect coalesce order reports useless error reason in do().
[Scopes] mail.smart-host cannot be disabled.
[Settings] Cannot deselect Nexus app settings.
[Spam Filter] delivery threshold applied for User Administrator resulting in error.
[Systemd] non-existent services reported as present by incorrect status code comparison in systemctl.
[WordPress] prior skiplist entries are transmogrified on edit.

CHANGED:
[Bootstrapper] bypass account creation when license class disallows it.
[Bootstrapper] reduce has_low_memory requirement by 9 MB. Larger systems reserve more memory for hotpluggable CPUs that create adverse install conditions for low-memory mode.
[crontab] list_users()- ignore temporary files created as "#tmp".
[DAPHNIE] increase max_locks_per_transaction for large hypertable environments.
[DeleteDomain] error when --since and identifier arguments omitted.
[License] add language restrictions.
[Migrations] bogus catch-alls now deliver to the named user unless a separate passwd entry exists for user.
[MySQL] database_exists()- query INFORMATION_SCHEMA as a reliable oracle of database presence. Previously, grants were examined, which could result in spurious results.
[PowerDNS] add Monit profile.

REMOVED:
[Dashboard] Google Analytics loads only when needed.

NEW:
[Bootstrapper] MariaDB 10.5 support.
[DeleteDomain] --filter=XYZ may be specified to delete domains that match a suspension reason (see Plans.md).
[git] clean() removes untracked files from repository.
[SuspendDomain] suspension reasons may be given with --reason=XYZ. A template may be specified with --template=ABC. Reasons are shown upon login when [auth] => show_suspension_reason is enabled.

FIXED:
[PowerDNS] correct condition in which configuring PowerDNS as default provider, then installing PowerDNS on same server would utilize different API keys.
[SOAP] traits and proxied modules were improperly listed in WSDL.
[Terminal] discover non-standard SSH port.

CHANGED:
[Argos] monitoring of /home partition if different.
[Bandwidth] autofix missing spans.
[Bootstrap] bootstrapper-resume service may timeout on lower performing hardware during installation cycle. Increase timer to 3 minutes.
[Bootstrapper] SpamAssassin filter threshold may be configured using spamassassin_scan_threshold.
[DNS] add check to use systemd-resolve service ("resolve") in nsswitch.conf on derelict upstream DNS resolvers.
[UI] Upgrade jQuery 3.5.1.

REMOVED:
[MySQL] editing control user hostname (localhost). For remote connections for primary user, change 127.0.0.1. localhost is always used for phpMyAdmin access.

NEW:
[Web Apps] "Forget Application" option. Discards any stored information about the web app. Useful with previously detected subdirectories.

FIXED:
[Vacation] affected domains may be listed multiple times.
[Vacation] message does not immediately update on alteration.
[vsftpd] restart service after system SSL update.
[Web Apps] allow "Release Fortification" for unknown apps.
[Web Apps] add authorization check for HTTP/1.0 domain enroll/unenroll actions.

CHANGED:
[UI] add debug mode indicator.