1 month after 9.0.1 release, here comes 9.0.2, 95 issues fixed in Rudder, and 22 more in plugins.

🆕 Features & enhancements

• New trigger inventory button
• Display last agent run date in inventory display
• Improve display of reports message with mono font and with pre field, much more like a cli output
• Better handling of fatal errors, now correctly logged with better separator in webapp log when it restarts
• [Security benchmarks] New display of item documentation, including more fields for benchmark like CIS
• [Security benchmarks] Add group reporting, and improve node and groupe reporting display (details ..)
• Highlight technique used in technique editor (with number of Directives!)
• Add a CLI to template module

🐛 Bug fix

• System logs were polluted by agent logs
• Lots of fixes on augeas and templating modules
• Several fixes on import API which was failling on some import cases
• On plugins: Fixes on techniques for Windows and some UI bugs in security benchmark

What's Changed

• Fixes #27614: Missing last agent run on the node details by @P4uline in #6647
• Fixes #26541: Highlight techniques which has associated directives in editor by @ElaadF in #6699
• Fixes #27897: Deprecate file_fom_remote_source[_recursion] by @amousset in #6727
• Fixes #27784: There is no way to know that the OS is a dropdown list when creating a group by @skaerg in #6721
• Fixes #27907: Log about node status must be lower than info by @amousset in #6728
• Fixes #27885: Template method fails on second call with datastate by @amousset in #6719
• Fixes #27883: "dispayName" typo in unserialisation of Group XML lead to change log revert error by @fanf in #6718
• Fixes #27884: Improve the display of the resource editing modal by @RaphaelGauthier in #6717
• Fixes #27881: Read event hooks from /opt/ in priority by @amousset in #6716
• Fixes #27798: variable method don't prevent from create variable with a - in their names by @m4rtinh4rt in #6708
• Fixes #27890: allow_white_space semantics is wrong in rudderc by @amousset in #6729
• Fixes #27892: “Sysctl value” generic method with “max” option improperly behaves in Rudder 9.0 by @Fdall in #6730
• Fixes #27611: Add a trigger inventory button by @P4uline in #6684
• Fixes #27912: Missing delete button for directive instance by @VinceMacBuche in #6732
• Fixes #27864: Fix pass order in condition_from_*_match methods by @Fdall in #6705
• Fixes #27911: Incorrect error reporting in jinja2 templates in module by @m4rtinh4rt in #6734
• Fixes #27891: IncludeSystem in import library is always false and can't be true by @fanf in #6722
• Fixes #27704: When a technique has blocks its directive has empty sections by @VinceMacBuche in #6733
• Fixes #27878: Error when rollbacking a change by @fanf in #6724
• Fixes #27887: Missing diff in report in case of repaired/non-compliance in template module by @m4rtinh4rt in #6731
• Fixes #27928: Dubious code in PendingHistoryGrid generate warn about argon2 hash by @amousset in #6740
• Fixes #27930: Update the publication credentials by @amousset in #6742
• Fixes #27943: datastate file not created while running in audit mode by @m4rtinh4rt in #6745
• Fixes #27888: Use the serialization trick used for templating for all other modules by @m4rtinh4rt in #6746
• Fixes #27908: Multiple reports are concatenated by @skaerg in #6737
• Fixes #27848: add args in rudder-module-augeas documentation by @m4rtinh4rt in #6696
• Fixes #27909: Use pre+mono font for reports by @RaphaelGauthier in #6735
• Fixes #27947: Error on augeas check method to compare numeric by @m4rtinh4rt in #6748
• Fixes #27785: Remove AIX, BSD and Solaris from the OS list selectable in the group by @fanf in #6738
• Fixes #27945: Multiple reports are concatenated by @skaerg in #6749
• Fixes #25061: Archive API for import/export doesn't know about rule categories by @clarktsiory in #6720
• Fixes #27937: Technical logs are truncated on smaller display by @RaphaelGauthier in #6750
• Fixes #27953: If we give the same category id two times in export API, it's included two time in archive by @fanf in #6752
• Fixes #27958: Update the publication credentials - missing changes by @amousset in #6754
• Fixes #27961: Update the publication credentials - missing changes by @amousset in #6756
• Fixes #27962: Enforce TLS 1.3 in demo webapp apache config by @amousset in #6757
• Fixes #27963: Update the publication credentials - missing changes for relayd by @amousset in #6758
• Fixes #27910: Content of rudder-users.xml file can somehow be duplicated by @fanf in #6736
• Fixes #27964: Use nextest as test runner for policies-methods tests by @Fdall in #6759
• Fixes #27959: Upmerge of 25061 fails test compilation due to scala 3 macros by @clarktsiory in #6755
• Fixes #27967: Add back the augeas install in method docker by @amousset in #6760
• Fixes #27968: Add rustfmt and clippy as required components by @amousset in #6761
• Fixes #27975: Parent change breaks activeTechniqueLibraryVersion by @fanf in #6764
• Fixes #27989: fix rust version in GitHub Actions workflow by @m4rtinh4rt in #6769
• Fixes #27979: Fatal error are not displayed in the webapp.log by @fanf in #6765
• Fixes #27993: Upmerge of 27979 fails pattern matching in Scala 3 by @clarktsiory in #6770
• Fixes #27773: Modify result conditioning of method "condition_from_string_match" in the UI by @skaerg in #6763
• Fixes #27811: Improve modules dry-run implementation - 9.0 by @amousset in #6715
• Fixes #27996: move diff functionality behind a feature flag in rudder-module-type by @m4rtinh4rt in #6771
• Fixes #27820: Allow using SAN for node policy dl by @amousset in #6689
• Fixes #27997: Flaky relayd test by @amousset in #6773
• Fixes #27987: variable_from* should forbid the usage of some chars as the variable definition will fail anyway when using them by @Fdall in #6767
• Fixes #28001: remove power architecture from README by @m4rtinh4rt in #6775
• Fixes #27988: API documentation should not mention Solaris AIX and BSD anymore by @clarktsiory in #6776
• Fixes #28008: Missing reporting for the condition_from_*_match methods by @Fdall in #6779
• Fixes #28007: Archive import in 9.0.1 from export in 8.3 leads to missing categoryId error on group by @clarktsiory in #6778
• Fixes #27675: Add diff reporting for the template module CLI by @m4rtinh4rt in #6636
• Fixes #28011: Event log link in Setting -> Audit logs section lead to 404 not found by @ElaadF in #6781
• Fixes #28010: Node agent run cache only contains latest entries, clearing cache of previous values by @VinceMacBuche in #6780
• Fixes #28013: Missing report in case of error in template module by @amousset in #6782
• Fixes #28012: Generic method “File from template”, minijinja, endline issues by @amousset in #6784

Full Changelog: 9.0.1-1...9.0.2

1 month after 8.3.6 release, here comes 8.3.7, 57 issues fixed in Rudder, and 10 more in plugins

🆕 Features & enhancements

• New trigger inventory button
• Display last agent run date in inventory display
• Improve display of reports message with mono font and with pre field, much more like a cli output
• Better handling of fatal errors, now correctly logged with better separator in webapp log when it restarts

🐛 Bug fix

• System logs were polluted by agent logs
• Lots of fixes on augeas and templating modules
• Several fixes on import API which was failling on some import cases
• On plugins: Fixes on techniques for Windows and some UI bugs in security benchmark

What's Changed

• Fixes #27614: Missing last agent run on the node details by @P4uline in #6647
• Fixes #27784: There is no way to know that the OS is a dropdown list when creating a group by @skaerg in #6721
• Fixes #27907: Log about node status must be lower than info by @amousset in #6728
• Fixes #27884: Improve the display of the resource editing modal by @RaphaelGauthier in #6717
• Fixes #27798: variable method don't prevent from create variable with a - in their names by @m4rtinh4rt in #6708
• Fixes #27890: allow_white_space semantics is wrong in rudderc by @amousset in #6729
• Fixes #27611: Add a trigger inventory button by @P4uline in #6684
• Fixes #27891: IncludeSystem in import library is always false and can't be true by @fanf in #6722
• Fixes #27704: When a technique has blocks its directive has empty sections by @VinceMacBuche in #6733
• Fixes #27878: Error when rollbacking a change by @fanf in #6724
• Fixes #27930: Update the publication credentials by @amousset in #6742
• Fixes #27908: Multiple reports are concatenated by @skaerg in #6737
• Fixes #27848: add args in rudder-module-augeas documentation by @m4rtinh4rt in #6696
• Fixes #27909: Use pre+mono font for reports by @RaphaelGauthier in #6735
• Fixes #27947: Error on augeas check method to compare numeric by @m4rtinh4rt in #6748
• Fixes #27945: Multiple reports are concatenated by @skaerg in #6749
• Fixes #25061: Archive API for import/export doesn't know about rule categories by @clarktsiory in #6720
• Fixes #27937: Technical logs are truncated on smaller display by @RaphaelGauthier in #6750
• Fixes #27953: If we give the same category id two times in export API, it's included two time in archive by @fanf in #6752
• Fixes #27958: Update the publication credentials - missing changes by @amousset in #6754
• Fixes #27961: Update the publication credentials - missing changes by @amousset in #6756
• Fixes #27962: Enforce TLS 1.3 in demo webapp apache config by @amousset in #6757
• Fixes #27963: Update the publication credentials - missing changes for relayd by @amousset in #6758
• Fixes #27910: Content of rudder-users.xml file can somehow be duplicated by @fanf in #6736
• Fixes #27964: Use nextest as test runner for policies-methods tests by @Fdall in #6759
• Fixes #27959: Upmerge of 25061 fails test compilation due to scala 3 macros by @clarktsiory in #6755
• Fixes #27968: Add rustfmt and clippy as required components by @amousset in #6761
• Fixes #27979: Fatal error are not displayed in the webapp.log by @fanf in #6765
• Fixes #27773: Modify result conditioning of method "condition_from_string_match" in the UI by @skaerg in #6763
• Fixes #27997: Flaky relayd test by @amousset in #6773
• Fixes #27987: variable_from* should forbid the usage of some chars as the variable definition will fail anyway when using them by @Fdall in #6767
• Fixes #28001: remove power architecture from README by @m4rtinh4rt in #6775
• Fixes #28011: Event log link in Setting -> Audit logs section lead to 404 not found by @ElaadF in #6781

Full Changelog: 8.3.6-1...8.3.7

36 issues fixed in Rudder 9.0.1, and 14 more on plugins,

🐛 Bug fix

• Nodes were able to bypass acl and download policies for other nodes: https://github.com/Normation/rudder/security/advisories/GHSA-x92w-5577-fr2c
• Version was available in login page, through js/css file path, remove it
• Lots of fixes and documentation to augeas module and scheduling module
• Around 10 small UI fixes in Rudder, a few more in plugins (specially in cve plugin)

What's Changed

• Fixes #27747: add documentation and bugfix for rudder-module-augeas by @m4rtinh4rt in #6654
• Fixes #27766: Adapt the Windows technique generation to support ID based resulting conditions by @Fdall in #6662
• Fixes #27775: Campaings hooks readme.adoc starts with wrong comment (… by @m-bouissou in #6663
• Fixes #27780: Update docker requiring the Rudder agent to Debian 12 or 13 by @amousset in #6665
• Fixes #27667: The audit/enforce mode status is not passed to the augeas module by @Fdall in #6631
• Fixes #27731: Endpoint name are not unique cause /info API endpoint to be inexhaustive by @clarktsiory in #6652
• Fixes #27789: Fix upmerge of duplicate endpoints API tests by @clarktsiory in #6666
• Fixes #27796: Add arch doc about remote run by @amousset in #6670
• Fixes #27795: Fix definition of system utilities paths for Manjaro Linux by @m-bouissou in #6671
• Fixes #27801: Fix warning in augeas module by @amousset in #6673
• Fixes #27790: Improve modules dry-run implementation by @amousset in #6669
• Fixes #27720: Update onboarding documentations by @P4uline in #6642
• Fixes #27803: Update api doc tooling by @amousset in #6675
• Fixes #27810: Fix theme in parent change by @amousset in #6678
• Fixes #27799: add documentation for rudder-module-augeas by @m4rtinh4rt in #6674
• Fixes #27805: Return error when no file associated with path in rudder-module-augeas by @m4rtinh4rt in #6676
• Fixes #27813: Fix API doc lint issues by @clarktsiory in #6680
• Fixes #27124: Use ESM modules in rudder-web by @clarktsiory in #6580
• Fixes #27580: Nodes properties cannot be exported to CSV by @VinceMacBuche in #6659
• Fixes #27816: by @amousset in #6686
• Fixes #27822: by @amousset in #6687
• Fixes #27824: by @amousset in #6691
• Fixes #27819: Node properties diff in change logs show whole diff of all properties by @clarktsiory in #6682
• Fixes #27835: Revert upgrading jsondiffpatch in 9.0 by @clarktsiory in #6694
• Fixes #27849: by @amousset in #6697
• Fixes #27845: Don't use datastate for apache config templating by @amousset in #6698
• Fixes #27857: report file not deleted while running in audit mode by @m4rtinh4rt in #6700
• Fixes #27733: by @VinceMacBuche in #6688
• Fixes #27861: Incorrect data passed to the apache template in the postinst relay script by @Fdall in #6702
• Fixes #27865: Node properties cannot be exported in 9.0 since 27580 by @clarktsiory in #6707
• Fixes #27836: Rollback buttons in change logs are out of reach by @ElaadF in #6695
• Fixes #27812: update help flag for rudder-module-augeas by @m4rtinh4rt in #6679
• Fixes #27782: The 1000 reports of the technical log is not enough with a benchmark by @clarktsiory in #6703
• Fixes #27880: Broken policy mode in augeas method by @amousset in #6714

Full Changelog: 9.0.0...9.0.1-1

New operating systems supported

Debian 13 and Red Hat Enterprise Linux/Rocky/AlmaLinux/Oracle Linux 10 are now fully supported by Rudder 9.0, both as server and agent OS.

Security benchmarks

The security benchmarks feature is officially out of beta, and comes with many improvements over the 8.3 version. They include a new visualization interface by benchmark, and a detailed view by item or by nodes.

CVE by group

The vulnerability management interface now allows filtering by group, making it easier to get an overview of the risk by categories of nodes.

Patch campaign hooks

It was already possible to run actions locally on the nodes before and after the upgrades. We added an additional mechanism, on the server side, with action running globally for each patch management event. It is possible to trigger actions before the start of an event or after it finished.

Technique editor

The interface was improved with a redesigned drag-and-drop behavior and other quality of life improvements.

CSV export for tables

We added CSV export to several tables in the interface, allowing easy reuse of Rudder data in other contexts (in addition to the HTTP API).

[Technical preview] HTTPS communication

It is now possible to use HTTPS for policy download on Linux. It allows disabling the custom protocol (by default on port 5309) and to only use HTTPS for all communications.

When in HTTPS-only mode, a few features are disabled:

• Remote run on Linux agents
• Recursive file copies from the server
• Relays require the rsync synchronization mode

This mode will become the default once the remaining limitations are lifted.

[Technical preview] Certificate validation

When in HTTPS-only mode, it is possible to switch all HTTPS communications to use standard certificate validation instead of the default pinning-based mode. It requires managing the HTTPS certificates with a user-managed PKI. The certificate authorities can be specific to Rudder or system-wide.

Improved template management

We introduced a versatile templating method, based on a multi-platform module running on both Linux and Windows agents. It allows using the existing template engines, mustache and jinja2, plus a new option, minijinja, which provides most jinja2 features with a fast native implementation, without external dependencies.

This method also allows passing a JSON object as data for the template, as an alternative to the global agent context.

It also improves reporting, with a diff-like display of changes and non-compliances.

Agent can run with /var mounted with noexec

It is now possible to run Linux agents on systems where the /var partition is mounted with the noexec option, as recommended by several hardening guides.

Safer local passwords

The default hash algorithm is now argon2id, and bcrypt is still supported. Deprecated unsafe algorithms support is dropped.

Under the hood

• The strict Content-Security-Policy header configuration is now enabled everywhere.
• The backend code base was migrated to Scala 3 (from 2.13 to 3.7).
• The relayd daemon, written in Rust, was updated to the hyper 1.0 stack.
• All Linux methods were migrated to a new reporting implementation based on stable unique identifiers, which will make UX improvements possible in future versions.

What's Changed

• Fixes #27715: systemUpdate/targets requieres a POST to get the list of nodes by @clarktsiory in #6646
• Fixes #27734: hasPolicyServer group computation in deployment service should only include valid agents by @VinceMacBuche in #6648

Full Changelog: 9.0.0.rc1...9.0.0.rc2

What's Changed

• Fixes #27684: Pin the typos-cli version by @amousset in #6637
• Fixes #27683: Error with command_execution_results but everything looks ok by @m4rtinh4rt in #6638
• Fixes #27612: Notifications hides the button by @RaphaelGauthier in #6633
• Fixes #27625: Drag-and-drop icon appears when hovering a method over a block by @RaphaelGauthier in #6614
• Fixes #27574: Post-hooks for campaigns should be executed even even if pre-hooks are in failure by @fanf in #6611
• Fixes #24486: The migrate button in directive pages is always displayed and often useless and ugly by @RaphaelGauthier in #6632
• Fixes #27596: Multiple JS error on properties page by @RaphaelGauthier in #6619
• Fixes #27703: Enforce proper permissions for policies in archive by @amousset in #6639
• Fixes #27711: Enforce proper permissions for policies in archive - broken syntax by @amousset in #6640
• Fixes #27564: Frozen method in the technique editor after reset of a draft by @RaphaelGauthier in #6623
• Fixes #27663: add metadata to the GM of the modules by @m4rtinh4rt in #6630
• Fixes #27639: Test the file_from_template_options method by @Fdall in #6624
• Fixes #27604: Update onboarding documentations by @P4uline in #6621
• Fixes #27713: "Close" button in API account modals uses the wrong CSS class by @RaphaelGauthier in #6643
• Fixes #27717: fix warnings in commands module tests by @m4rtinh4rt in #6641
• Fixes #27644: Rudder 9.0 Beta 2 : Error message when deleting technique in editor by @fanf in #6634
• Fixes #27264: Random error after node-to-relay is applied and other dynamic group and node accepted by API problems by @fanf in #6608
• Fixes #27725: fix supported_targets in augeas module metadata by @m4rtinh4rt in #6645

Full Changelog: 9.0.0.beta2...9.0.0.rc1

What's Changed

• Fixes #27486: Add includeSystem parameter to filter system groups in API by @clarktsiory in #6574
• Fixes #27384: Missleading format for parameter category in API by @ElaadF in #6572
• Fixes #27538: Upmerge makes tests fail in 8.3 by @clarktsiory in #6589
• Fixes #27539: Ignore adler advisory in 8.2 by @clarktsiory in #6590
• Fixes #27544: Campaign hook readme is incorrect by @fanf in #6592
• Fixes #27548: Allow empty string in JSON fields by @amousset in #6593
• Fixes #27428: Missing migration for existing directives with the bad select input identifier by @VinceMacBuche in #6576
• Fixes #27550: Incorrect serialization of the parameters passed by the command_execution_options method to its underlying module by @Fdall in #6594
• Fixes #27459: Error trying to compile rudder-agent 8.3.4~git202508191033 on armhf Debian 13 trixie (libapt) by @amousset in #6595
• Fixes #27498: Make group tree API not include system by default by @clarktsiory in #6579
• Fixes #27553: Document how the services to restart and reboot state are computed by @amousset in #6597
• Fixes #27551: Switch back to info for info logs by @amousset in #6596
• Fixes #27523: Port the file from shared folder method on Linux to allow HTTPS by @amousset in #6591
• Fixes #27531: Return categoryId in JSON groups API by @clarktsiory in #6587
• Fixes #27456: Inherited properties API change in parent by @VinceMacBuche in #6588
• Fixes #27578: Nodes server list can no longer be exported to CSV by @clarktsiory in #6601
• Fixes #27561: Plugins error callouts width are same as title width by @clarktsiory in #6598
• Fixes #27577: Nodes table has CSP error with column containing JSON property by @clarktsiory in #6602
• Fixes #27584: Allow using a different certificate for server usage by @amousset in #6603
• Fixes #27587: Allow a deeper SSLVerifyDepth by @amousset in #6605
• Fixes #27568: Better logging for custom promise type protocol when a CFEngine request is malformed by @Fdall in #6600
• Fixes #27594: Error at rudder-server Debian 12 install in 9.0-nightly - Could not retrieve the UUID of the policy server by @amousset in #6609
• Fixes #26637: System info API changed format in v21 and needs new documentation by @P4uline in #6607
• Fixes #27615: XSS vulnerability in ammonia dep by @amousset in #6612
• Fixes #27620: We need latest cargo deny to check licenses by @amousset in #6613
• Fixes #27598: The command module should avoid using custom parsing methods for lists by @Fdall in #6610
• Fixes #27627: [Regression] Rudder 9.0 Beta 2 : sysctl generic method causes apparent repair loops by @Fdall in #6617
• Fixes #27588: Copy button on first login page for creating user not working anymore by @RaphaelGauthier in #6606
• Fixes #27638: Scala compilation should happen in maven compile phase by @fanf in #6622
• Fixes #27636: The file_from_template_options method should accept inline JSON in its data field by @Fdall in #6620
• Fixes #27622: Password setting from standard user technique fails after upgrade to Rudder 9.0 Beta 2 by @Fdall in #6616
• Fixes #27595: In technique editor the number of techniqes is under "techniques" big title by @RaphaelGauthier in #6615
• Fixes #27585: Test the command_execution_options generic method by @Fdall in #6604
• Fixes #27649: APT agents are built without apt support in system-updates by @amousset in #6626
• Fixes #27646: Document the file_from_template_options method by @Fdall in #6625
• Fixes #27651: add uid/gid lookup by name for the commands module by @m4rtinh4rt in #6627
• Fixes #27659: Typo in rudder-web.properties by @amousset in #6628
• Fixes #27662: Use agent cert for HTTP in CA mode by @amousset in #6629
• Fixes #27674: Inconsistency in campaigneventstate between init and DB migration by @fanf in #6635

New Contributors

• @P4uline made their first contribution in #6607

Full Changelog: 9.0.0.beta1...9.0.0.beta2

A small release mainly motivated by a bug that prevent update campaigns on debian like systems, apart debian 13

🐛 Bug fixes

• System update campaign are now working again on debian , prior debian 13, and ubuntu systems
• Some techniques had missing reporting (aptPackageManagerSettings ...)
• More optimistic score on benchmarks and add some missing score display
• Fifteen fixes in windows agent

A quite important release, around 60 issues fixed in Rudder, and 60 more in plugins, but it was quite a long time between 8.3.3 and 8.3.4 (almost 2 months), with important changes in CVE and security benchmarks plugins, and we added Debian 13 support.

🆕 Features

• Add Debian 13 support (agent and server)
• Remove the need to update CVE database in related plugin
• new flag to filter system groups in system API
• Lots of improvements on security benchmark user interface (new reporting/scoring, new dashboard ...)

🔧 Maintenance

• Security update of webapp/relay dependencies

🐛 Bug fix

• Lots of fixes on Windows agent (25 issues fixed)
• Fix detection of vulnerabilities (adapt to changes in our remote detection server)
• Lots of small UI fixes
• ignored nodes still counted in score display (dashboard ...)

Mostly a near EOL patch release, mostly light bug fixes, and security updates of dependencies

🔧 Maintenance

• Security update of webapp/relay dependencies

🐛 Bug fix

• Missing dependencies on rhel 6 agent
• Missing enable/disable button for groups
• Small UI fixes (hover compliance, error in properties, fixes in user management, event logs ...)