Drupal module support matrix
BOA ships a curated set of performance + utility contrib modules with every D6 +
D7 platform, and a maintenance pass enforces enable/disable state for known-good
and known-bad modules. This page documents the flag legend, where the enforcement
lives, and the control variables that govern it. The per-module bundle itself is
built into every platform's shared o_contrib / o_contrib_seven module trees at
platform-build time. This is not limited to the platforms BOA builds for you —
register your own custom platform under the ~/static directory tree and the
same maintenance pass symlinks the shared o_contrib / o_contrib_seven bundle
into it too, so you never wire these modules into a custom platform by hand.
The flag legend
Each module carries one or more flags:
| Flag | Meaning |
|---|---|
[S] |
Supported — BOA-side Nginx rewrites + config are in place so this module works without .htaccess. |
[B] |
Bundled — ships with the BOA platform automatically. |
[FE] |
Force-Enabled — maintenance enables it if disabled. |
[SE] |
Soft-Enabled — enabled on initial install but not forced by maintenance. |
[FD] |
Force-Disabled — maintenance disables it if enabled. |
[NA] |
Not applicable — used without needing to be enabled. |
A module can carry multiple flags. [D6] / [D7] indicate which Drupal version
supports it.
Where the enable/disable decisions live
The module enforcement runs from the nightly maintenance pass
(aegir/tools/system/night/20-sites.sh, driven by owl.sh). owl.sh
computes the ISO weekday with _DOW=$(date +%u) (Mon=1…Sun=7) and builds two
different enable/disable lists depending on the day:
- On Tuesday (
_DOW=2) the broad force-disable lists apply — for D7 that iscoder,devel,filefield_nginx_progress,hacked,l10n_update,linkchecker,performance,security_review,site_audit,watchdog_live,xhprof(D6 has a parallel list). The day-dependent force-enable list (robotstxt, pluspath_alias_cacheon D6) is empty on Tuesday. - On every other day only a minimal list applies: enable
robotstxt(pluspath_alias_cacheon D6), disabledblog,syslog,backup_migrate.
entitycache is a special case: it is force-enabled on every nightly pass
(including Tuesday), gated only by _ENTITYCACHE_DONT_ENABLE, independently of the
day-dependent enable list.
A _MODULES_FORCE blacklist (automated_cron, backup_migrate, coder,
cookie_cache_bypass, hacked, poormanscron, security_review, site_audit,
syslog, watchdog_live, xhprof) is not an independent always-on disable
pass. It is consulted only inside the disable routine, applied to the day-gated
OFF list above: for a module already in that day's OFF list, membership in
_MODULES_FORCE forces the disable past the "Required by" dependency check (below).
So a _MODULES_FORCE member is only acted on when the day's OFF list already
contains it — e.g. on non-Tuesday the D7 OFF list is just dblog, syslog,
backup_migrate, so the other members are not iterated that day.
Sites whose main name carries .dev., .devel., .temp., .tmp.,
.temporary., .test., or .testing. are skipped entirely by the maintenance
pass.
Two host-level variables in /root/.barracuda.cnf govern the pass:
_MODULES_FIX— setNOto disable the entire enforcement (defaultYES)._MODULES_SKIP— modules that should never be force-disabled (an operator-managed safelist).
The enforcement is dependency-aware: a module otherwise force-disabled is not disabled if it is required by an enabled feature or another module, avoiding cascade-disable failures.
Bundled, supported, and force-disabled sets
- Bundled
[B]— performance and utility modules that ship in every D6/D7 platform; the full[B]-flagged set (catalogued below) is what BOA seeds into each platform's sharedo_contrib/o_contrib_sevenmodule tree. - Supported but not bundled
[S]without[B]— modules BOA has Nginx rewrites and config support for, but does not bundle; operators or tenants enable them via Composer or Drush (full list below). Some are[S]only when a specific XTRAS package is present — e.g.imageapi_optimizeis[S]only when theIMGXTRAS image binaries are installed (see_XTRAS_LIST& install modes). - Force-disabled
[FD]— modules BOA actively disables for security or operational reasons (devel,coder,security_review,site_audit,hacked,xhprof, plus coredblog/syslog). To keep one enabled after auditing it, add it to_MODULES_SKIP.
The full flagged catalogue
Every entry in the first table is both [S] supported and [B] bundled — BOA
seeds it into each platform's shared o_contrib (D6) / o_contrib_seven (D7)
tree. The Notes column flags the two variants: [SE] soft-enabled (on at
initial install but not forced afterwards) and [NA] not applicable (used
without ever being enabled). Two further bundled modules, entitycache and
robotstxt, carry [FE] and are covered with the force-enable rules above.
| Module | Drupal | Notes |
|---|---|---|
| admin | D6, D7 | [SE] |
| adminer | D7 | |
| advagg | D6, D7 | |
| autoslave | D7 | |
| blockcache_alter | D6, D7 | |
| boost | D6, D7 | |
| cache_backport | D6 | [NA] |
| cache_consistent | D7 | |
| cdn | D6, D7 | |
| config_perms | D6, D7 | |
| css_emimage | D6, D7 | |
| dbtuner | D6 | |
| display_cache | D7 | |
| entity_print | D7 | |
| esi | D6, D7 | |
| file_resup | D7 | |
| flood_control | D7 | |
| force_password_change | D6, D7 | |
| fpa | D6, D7 | |
| httprl | D6, D7 | |
| js | D6, D7 | |
| login_security | D6, D7 | |
| nocurrent_pass | D7 | |
| panels_content_cache | D6, D7 | |
| phpass | D6 | |
| private_upload | D6 | |
| readonlymode | D6–D10 | |
| redis | D6–D10 | [NA] |
| reroute_email | D6, D7 | |
| rubik | D6, D7 | [SE] admin theme |
| securesite | D6, D7 | |
| session_expire | D6, D7 | |
| site_verify | D6, D7 | |
| speedy | D7 | |
| tag1_d7es | D7 | |
| taxonomy_edge | D6, D7 | |
| variable_clean | D6, D7 | |
| views_accelerator | D7 | |
| views_cache_bully | D6, D7 | |
| views_content_cache | D6, D7 | |
| views404 | D6, D7 |
Supported but not bundled — [S] only. BOA ships the Nginx rewrites and
config so these work without .htaccess, but you enable the module yourself via
Composer or Drush:
| Module | Drupal | Notes |
|---|---|---|
| ais | D7 | |
| ckeditor | D6, D7 | |
| fbconnect | D6, D7 | |
| fckeditor | D6 | |
| imageapi_optimize | D6, D7 | [S] only with IMG XTRAS installed |
| imagecache | D6, D7 | |
| imagecache_external | D6, D7 | |
| responsive_images | D7 | |
| tinybrowser | D6, D7 | |
| tinymce | D6 | |
| wysiwyg_spellcheck | D6, D7 |
Enforcement troubleshooting
- "BOA keeps disabling my module." It is in a force-disable list — that is
expected. Add it to
_MODULES_SKIPin/root/.barracuda.cnfif you have audited it and want it on. - "BOA keeps re-enabling a module I disabled." It is in a force-enable list.
To keep it off, set
_MODULES_FIX=NOto disable the whole enforcement (less surgical but unambiguous;_MODULES_SKIPonly protects against disable, not enable). - "Modules I expect aren't installed." Either the module is
[S]but not[B](enable it manually), or the platform predates the bundled set including it (rebuild withoctopus up-lts o1 platforms).
D10+ platforms
The bundled-set + force-enable/disable mechanism is D6/D7-era. Modern Drupal (10+)
uses Composer-managed dependencies, so BOA's involvement is at the
platform-build level — which modules end up in the new platform's
composer.json — rather than runtime enforcement. For a D10+ platform, that
platform's own composer.json / composer.lock is the authoritative module list.
Related
barracuda.cnf— defines_MODULES_FIX/_MODULES_SKIP._XTRAS_LIST& install modes — host packages some modules depend on (e.g.IMG).- Reference appendix — consolidated variable index.
- Discontinued features — modules dropped from the bundled set.