Control-file reference
Every documented BOA control file, indexed straight from the documentation pages — each entry links back to the page that documents it. Most are markers or one-line files whose presence (or single value) changes behaviour; for the few settings-store files listed here (barracuda.cnf, octopus.cnf, the two boa_*_control.ini templates) the individual settings are indexed separately under Variables.
| File | Location | Purpose | Documented in |
|---|---|---|---|
.${USER}.octopus.cnf |
/root/ |
Per-instance settings store for one Octopus instance (o1, o2), sourced by the octopus/boa installer and upgrade runs - holds instance identity, platform-tree control, per-instance PHP-FPM sizing, SQL conversion, cleanup retention and the _CLIENT_OPTION plan selector; individual settings indexed separately | /operating/control-files-ini/octopus-cnf |
.activate.apparmor.cnf |
/root/ |
Presence under /root/ loads the AppArmor profile set in complain mode via aa-complain - violations logged but not blocked. Needs a reboot with the grub apparmor=1 flag to take effect. Absent by default. | /operating/security/apparmor |
.allow-codebasecheck.cnf |
/etc/boa/ |
Presence marker - when it exists the nightly owl maintenance runs single-codebase codebasecheck per platform, recording per-platform Percona 8 readiness findings under each account log/ctrl/ directory. | /operating/database/percona8-readiness |
.allow-php-multi-install-cleanup.cnf |
/root/ |
Presence marker in /root/ gating automatic deactivation of unused PHP versions on an UPGRADE pass - written by barracuda php-idle disable, removed by php-idle enable, or set by hand to opt a classic-path host into the _AUTO_PHP_CLEANUP prune. | /operating/os-lifecycle/major-os-upgrade |
.allow.aegir.queue.cnf |
/etc/boa/ |
On CI or Jenkins-style boxes where the automatic queue is off by default, its presence lets the automatic task queue run - still requires at least one instance to opt in via run-aegir-queue.info. | /operating/architecture/task-queue |
.allow.any.virt.cnf |
/root/ |
Opt-in expert override control file - its presence lets BOA install when it cannot detect a virtualisation layer and would otherwise treat the host as unsupported bare metal and stop. Emphatically unsupported - use a VM for a first server instead. | /self-hosting/before-you-install |
.allow.auto.reboot.cnf |
/root/ |
Operator-created marker opting a non-hosted box into unattended reboot after a scheduled kernel upgrade - its presence (or _hostedSys=YES) makes autoupboa run _if_new_kernel_reboot and trigger boa reboot when a new kernel is pending. Stays in /root, not relocated to /etc/boa. | /operating/os-lifecycle/selfupgrade-reference |
.allow.mc.cnf |
/root/ |
Presence opens Midnight Commander to lshell users - MC can spawn sub-shells and thus bypasses the lshell layer, so do not enable on untrusted-tenant hosts. | /operating/security/lshell-ltd-users |
.allow.node.lshell.cnf |
/root/ |
Presence allows Node and NPM for lshell users - Node can bypass lshell, so only enable on trusted-tenant hosts. | /operating/security/lshell-ltd-users |
.allow.php.fpm.reload.cnf |
/etc/boa/ |
Operator-created host marker that enables the self-service run-php-fpm-reload.pid FPM-reload sentinel on any host, regardless of the per-account plan gate (POWER/PHANTOM/CLUSTER/ULTRA/MONSTER); on hosts without it the sentinel works only for qualifying-plan accounts. | /operating/php-fpm-performance/cache-tuning |
.allow.sendmail.cnf |
/etc/boa/ |
Box-wide toggle that re-opens /usr/sbin/sendmail for hosted-site local delivery - present flips the binary to mode 755, absent keeps it 750 so sites cannot send locally. While present, _smtp_check also clears the Postfix relayhost, forcing direct delivery for all mail. | /operating/security/mailing-policy |
.backboa.exclude |
/root/ |
Optional singular-named path list (one path per line) passed to Duplicity as --exclude-filelist to fine-tune what backboa omits beyond _AWS_EXB. The duobackboa twin reads /root/.duobackboa.exclude instead - a trailing-s plural name is read by nothing. | /operating/backups/legacy-backboa |
.backboa.include |
/root/ |
Optional singular-named path list (one path per line) passed to Duplicity as --include-filelist to fine-tune what backboa backs up beyond _AWS_EXB. The duobackboa twin reads /root/.duobackboa.include instead - a trailing-s plural name is read by nothing. | /operating/backups/legacy-backboa |
.barracuda.cnf |
/root/ |
Master host-level BOA settings store - bash-assignment _VAR settings applied system-wide to every Octopus instance unless overridden per-instance in octopus.cnf, sourced on every barracuda pass; individual settings indexed separately in the Variables catalogue. | /operating/control-files-ini/barracuda-cnf |
.debug-barracuda-installer.cnf |
/root/ |
Presence marker enabling _DEBUG_MODE tracing for the barracuda chain via BOA.sh.txt - env dumps plus PROC and DEBUG lines in the Master install stage | /developing/install-internals/staged-setup |
.debug-boa-installer.cnf |
/root/ |
Presence marker enabling _DEBUG_MODE tracing across both the barracuda and octopus install chains - env dumps plus PROC and DEBUG lines throughout the staged run | /developing/install-internals/staged-setup |
.debug-octopus-installer.cnf |
/root/ |
Presence marker enabling _DEBUG_MODE tracing for the octopus chain only - env dumps plus PROC and DEBUG lines in the AegirSetup A, B and C stages | /developing/install-internals/staged-setup |
.debug.monitor.cnf |
/etc/boa/ |
Debug marker for the scan_nginx scorer - its presence turns on a set -x shell trace plus declare -p dumps of every scoring array on startup; relocated from /root under C-003 | /operating/abuse-guard/operations |
.debug.monitor.log.cnf |
/etc/boa/ |
Debug marker for the scan_nginx scorer - its presence forces _verbose_log on regardless of _NGINX_DOS_LOG, the way to restore debug logs when a box has _NGINX_DOS_LOG set to SILENT; relocated from /root under C-003 | /operating/abuse-guard/operations |
.deny.java.cnf |
/root/ |
Operator opt-out marker - its presence skips the entire Solr and Java subsystem on an UPGRADE pass regardless of _XTRAS_LIST, so _if_install_upgrade_solr is never called. Drop the file on a box to disable all Solr install and upgrade activity. | /developing/web-search-internals/solr-installer |
.dev.server.cnf |
/root/ |
Marks a box as a dev-server - autoupboa never writes auto-upgrade cron lines (barracuda up / octopus up in /etc/crontab) on boxes carrying this marker. | /developing/release-model/serial-pipeline |
.disable.apparmor.cnf |
/root/ |
Presence under /root/ keeps AppArmor torn down - identical to the shipped no-control-file default. Profiles go to complain mode, then apparmor is stopped, removed from boot, and aa-teardown runs. | /operating/security/apparmor |
.disable_mysql_cleanup.cnf |
/etc/boa/ |
Kill-switch - create this file to stop the pre-dump inline TRUNCATE of giant transient tables (queue, batch, watchdog, accesslog) whose .ibd has grown into the gigabyte range, leaving them untouched during the nightly run. | /operating/database/dumps-mydumper |
.enable.newrelic.sysmond.cnf |
/etc/boa/ |
Opt-in flag for the newrelic_sysmond service guard. When present and the New Relic server monitor (nrsysmond) is down, the guard restarts it. When absent and nrsysmond is running, the guard stops it. | /operating/monitoring/process-guards |
.enforce.apparmor.cnf |
/root/ |
Presence under /root/ loads the AppArmor profile set in enforce mode via aa-enforce - violations blocked and logged. Needs a reboot with the grub apparmor=1 flag. Operators set this file to switch confinement on. | /operating/security/apparmor |
.extended.firewall.exceptions.cnf |
/root/ |
Operator marker that extends guest-water.sh csf.allow provider-range refresh beyond the defaults (Cloudflare, Googlebot, Bingbot, Pingdom) to also whitelist Imperva, Sucuri, Auth0 and Site24x7 ranges. | /operating/abuse-guard/ban-pipeline |
.fast.cron.cnf |
/root/ |
Forces Fast queue cadence - runner.sh loops the per-Octopus action ten times with 5 s sleeps at concurrency 8 - set by the Octopus installer from the instance plan tier. | /operating/architecture/task-queue |
.force.queue.runner.cnf |
/root/ |
Presence forces the monitor box-class to NORMAL, overriding the slow-marker and the RAM-at-or-below-4096-MB heuristic so an operator can keep full watchdog cadence on a small box. Only this marker forces NORMAL. | /operating/monitoring/cadence-and-throttle |
.force.queue.runner.cnf |
/root/ |
Its presence is the single box-level full-cadence escape - it overrides the SLOW test in _monitor_box_class so a box that is small or carries .slow.cron.cnf still runs the full monitor fan-out at NORMAL cadence. | /developing/monitor-abuse-internals/monitor-deploy-surfaces |
.full.csf.cleanup |
/etc/boa/ |
CSF-firewall relocation-group toggle read by two tools with different roots - guest/instance-side guest-water.sh reads /etc/boa while proxy/host-side host-water.sh reads /root, so on a proxy host it must exist in BOTH /root and /etc/boa. Migrated marker, touch to enable. | /operating/control-files-ini/overview |
.full.csf.cleanup.cnf |
/etc/boa/ |
Operator marker whose presence makes guest-water.sh strip every do-not-delete line from csf.deny via sed - the explicit override to wipe even the persistent 24-hit Brute force Web Server bans on the next pass. | /operating/abuse-guard/ban-pipeline |
.hr.monitor.cnf |
/root/ |
Host-level marker - touch it to enable aggressive crawl protection in the Nginx Abuse Guard - deep scoring, ban mechanics and full defaults are covered in the Abuse Guard topic. | /operating/security/security-model |
.ignore.site24x7.firewall |
/etc/boa/ |
CSF-firewall relocation-group toggle read by two tools with different roots - guest/instance-side guest-water.sh reads /etc/boa while proxy/host-side host-water.sh reads /root, so on a proxy host it must exist in BOTH /root and /etc/boa. Migrated marker, touch to enable. | /operating/control-files-ini/overview |
.instant.csf.block.cnf |
/etc/boa/ |
Presence-marker read by scan_nginx _block_ip - when it exists a blocked offender also receives an immediate csf -td 900 temporary ban on ports 80 and 443, shaving one hop off the web.log-to-guest-fire ban pipeline. | /operating/abuse-guard/scan-nginx-scoring |
.instant.csf.block.cnf |
/etc/boa/ |
Optional operator marker - when present makes _block_ip also issue an immediate csf -td 900 ban on ports 80/443 in addition to the normal post-hoc web.log ban pipeline, shaving one hop off. Still fires from the post-hoc pass, not in-request. | /developing/monitor-abuse-internals/abuse-guard-internals |
.local.IP.list |
/root/ |
Operator-maintained IP exemption list - guest-water.sh skips any IP listed here (never re-denies it) and proactively unblocks (csf -dr/csf -tr) the IPs it finds here during its initial pass. | /operating/abuse-guard/ban-pipeline |
.look.like.jenkins.cnf |
/etc/boa/ |
Explicit CI marker whose presence forces the monitor box-class classifier to resolve to CI, the quietest cadence - minute.sh runs a single pass and second.sh runs its heavy fan-out once per minute. Highest precedence, so a CI box stays CI even when also small. | /operating/monitoring/cadence-and-throttle |
.look.like.jenkins.cnf |
/etc/boa/ |
Its presence makes _monitor_box_class resolve the box to the CI class - the top-precedence class - collapsing minute.sh monitor fan-out to a single pass and running the heavy second.sh fan-out only every 10th pass. | /developing/monitor-abuse-internals/monitor-deploy-surfaces |
.migration.proxy.ips.cnf |
/root/ |
Persists the migration-proxy IPs that migration_proxy_trust.sh whitelists in CSF (csf.allow ports 80 and 443 plus csf.ignore) so the water.sh ticks re-assert L4 proxy trust across reloads until the migration ends. | /operating/security/csf-firewall |
.migration_proxy_trust.cnf |
/data/conf/ |
Holds the migration-proxy IP(s) that migration_proxy_realip.sh turns into nginx set_real_ip_from lines so the new host recovers the real client behind the proxy hop - CIDR validators reject /0 and an empty or all-invalid file triggers teardown of the L7 trust include. | /operating/security/csf-firewall |
.my.batch_innodb.cnf |
/root/ |
Weekly forced repair-and-convert marker - when present it runs on Saturday inside the 01:15 mysql_backup.sh pass to repair databases, truncate the cache tables, and convert tables to InnoDB. | /operating/database/dumps-mydumper |
.my.cluster_root_pwd.txt |
/root/ |
Cluster marker - its presence (together with .my.cluster_write_node.txt) is what lets the shipped-but-dormant mysql_cluster_backup.sh actually run - without both files it self-exits immediately on a normal single-server host. | /operating/database/dumps-mydumper |
.my.cluster_write_node.txt |
/root/ |
Cluster marker - its presence (together with .my.cluster_root_pwd.txt) is what lets the shipped-but-dormant mysql_cluster_backup.sh actually run - without both files it self-exits immediately on a normal single-server host. | /operating/database/dumps-mydumper |
.my.optimize.cnf |
/root/ |
Monthly forced repair-and-optimize marker - when present it runs on the last Sunday of the month to repair and optimize all databases. | /operating/database/dumps-mydumper |
.mysql.force.legacy.backup.cnf |
/root/ |
When present - forces nightly dumps into legacy single-file mysqldump output gzipped to .sql.gz per database instead of the faster mydumper split-file default - kept only for old tooling that expects a .sql file. | /operating/database/dumps-mydumper |
.owl.sh.off |
/var/xdrago/ |
Toggle marker disabling the nightly owl.sh maintenance run on a box - xoct and xcopy park owl.sh here during operations that must not collide with maintenance then restore it - xmass does not manage it - legacy .daily.sh.off is converted to it on self-update. | /operating/monitoring/nightly-owl |
.owl.sh.off |
/var/xdrago/ |
Rename-aside disable switch for the nightly owl.sh run - when present the nightly maintenance sweep does not run; xoct/xcopy/xmass toggle the nightly run between owl.sh and .owl.sh.off, and self-update carries a legacy .daily.sh.off disable state forward into it. | /developing/monitor-abuse-internals/nightly-worker-internals |
.pause_heavy_tasks_maint.cnf |
/root/ |
Honoured by all four off-site backup tools and by mysql_backup.sh - presence makes each exit 0 immediately to pause heavy tasks during maintenance. | /operating/backups/overview |
.pause_tasks_maint.cnf |
/etc/boa/ |
Maintenance-pause switch for all task processing on the host - runner.sh checks it every run and exits immediately while it exists - create it to pause during a maintenance window or manual DB fix, remove it to resume - the same flag autoupboa self-upgrade sets. | /operating/architecture/task-queue |
.randomize_duplicity_full_backup_day.cnf |
/root/ |
Presence marker - creating it switches backboa and duobackboa from the fixed default full-backup weekday to a randomised persisted weekday (stored in /var/log/boa/bucket.randomize.full.log) and staggers each step with a short random sleep to spread fleet load off the Sunday peak. | /operating/backups/legacy-backboa |
.restrict_this_vm.cnf |
/root/ |
Presence marks a restricted VM so autoupboa deliberately sets mode 700 on /usr/bin/rsync and /usr/bin/mysqldump and runs killall -9 rsync instead of the normal 755, which blocks the aegir user and breaks per-site backups. | /operating/backups/overview |
.run-to-<codename>.cnf |
/root/ |
Presence marker - drop exactly one of run-to-daedalus.cnf, run-to-excalibur.cnf, run-to-chimaera.cnf or run-to-beowulf.cnf - then start the clean-boa-env service to launch the matching auto codename driver, which chains barracuda up-<tier> system passes and reboots until the host reaches that Devuan codename. | /operating/os-lifecycle/devuan-os-upgrades |
.silent.update.cnf |
/root/ |
Host-level presence marker - when it exists the stage A finalize block skips preparing and sending the Satellite welcome and setup-mail email | /developing/install-internals/staged-setup |
.skip-aegir-master-upgrade.cnf |
/root/ |
Operator marker with the same effect as .debug-barracuda-installer.cnf - presence forces _SYSTEM_UP_ONLY=YES, skipping the frontend upgrade and the system-wide Drush refresh. | /developing/install-internals/hostmaster-upgrade |
.skip_duplicity_monthly_cleanup.cnf |
/root/ |
Presence marker suppressing the monthly cleanup --force run that otherwise fires once a month on a per-bucket random day-of-month 1-5 (persisted in /var/log/boa/bucket.randomize.cleanup.log). Age retention via remove-older-than after a full-day run is unaffected. | /operating/backups/legacy-backboa |
.slow.cron.cnf |
/root/ |
Presence forces the monitor box-class to SLOW - minute.sh does 3 passes with sleep 18 and second.sh runs its heavy fan-out every 4th pass. Auto-created immutable via chattr +i by runner.sh on boxes with 4096 MB RAM or less. Overridden by .force.queue.runner.cnf. | /operating/monitoring/cadence-and-throttle |
.slow.cron.cnf |
/root/ |
Its presence - or total RAM at or below 4096 MB - with .force.queue.runner.cnf absent selects the SLOW box class in _monitor_box_class, throttling monitor fan-out to 3 minute.sh passes and heavy second.sh fan-out every 4th pass. runner.sh auto-creates an immutable one on small hosts. | /developing/monitor-abuse-internals/monitor-deploy-surfaces |
.slow.cron.cnf.protected |
/root/ |
Protection marker runner.sh writes beside the immutable .slow.cron.cnf on low-RAM boxes so the forced Slow cadence survives Octopus plan changes. | /operating/architecture/task-queue |
.small_hop_on_major_os_upgrade.info |
/root/ |
State marker written during the major OS upgrade run to record whether a codename hop is a small hop or a big hop. BOA touches .small_hop_on_major_os_upgrade.info for the same-generation Debian-to-Devuan sidegrades - Debian Buster to Beowulf, Bullseye to Chimaera and Bookworm to Daedalus - and .big_hop_on_major_os_upgrade.info for every other jump. The full per-installed-version PHP source rebuild in the post-upgrade phase runs only when the big-hop marker is present, so small hops skip reinstalling and rebuilding every PHP version. | /operating/os-lifecycle/devuan-os-upgrades |
.sql.problematic.users.cnf |
/etc/boa/ |
Lists MySQL usernames held to the lower per-query kill ceiling _SQL_LOW_MAX_TTL (default 60s) rather than _SQL_MAX_TTL when the high-load monitor kills over-TTL queries - root-owned processes are always skipped. | /operating/database/percona-setup-tuning |
.ssh.auth.keys.only.cnf |
/root/ |
Presence marker enforcing key-only SSH - when it exists system.sh.inc re-appends PasswordAuthentication no at upgrade instead of the template default PasswordAuthentication yes. | /operating/security/ssh-sftp |
.ssh.root.auth.keys.only.cnf |
/root/ |
Presence marker forcing PermitRootLogin to prohibit-password at upgrade - BOA also forces this on all hosted systems, so the file matters mainly on non-hosted hosts. | /operating/security/ssh-sftp |
.top-<codename>.cnf |
/root/ |
State marker recording the top Devuan codename the host has reached - for example .top-daedalus.cnf or .top-excalibur.cnf. On either hop into Excalibur the old .top-daedalus.cnf is renamed to .old-top-daedalus.cnf and a fresh .top-excalibur.cnf is created; a first Trixie-to-Devuan hop touches .top-excalibur.cnf. | /operating/os-lifecycle/devuan-os-upgrades |
.turn.off.auto.update.cnf |
/root/ |
Per-box lock file whose presence opts the box out of BOA weekly auto-updates - one of two opt-outs alongside _SKYNET_MODE=OFF in .barracuda.cnf, though SKYNET-on with auto-updates live is the assumed default. | /developing/release-model/branches-and-editions |
.use.default.nameservers.cnf |
/root/ |
Forces BOA default public-nameserver handling - when both nameserver toggles exist this one wins and .use.local.nameservers.cnf is deleted | /operating/troubleshooting/dns-resolver |
.use.local.nameservers.cnf |
/root/ |
Sets _USE_PROVIDER_DNS=YES - skips the remote lookup test and the unbound install path forced public-set rewrites, leaving a provider-managed resolv.conf in place; the BOA-DNS-Config header check is not gated by this toggle so a header-less provider file can still be rewritten to canonical | /operating/troubleshooting/dns-resolver |
.whitelist.dont.cleanup |
/etc/boa/ |
CSF-firewall relocation-group toggle read by two tools with different roots - guest/instance-side guest-water.sh reads /etc/boa while proxy/host-side host-water.sh reads /root, so on a proxy host it must exist in BOTH /root and /etc/boa. Migrated marker, touch to enable. | /operating/control-files-ini/overview |
<oN>_civicrm.txt |
/data/conf/ |
Presence-only root-owned per-instance marker - lets backend Octopus user oN load the CiviCRM drush extensions civicrm.drush.inc, cv.drush.inc and civicrm_drush.drush.inc that the deny-filter otherwise blocks. Content irrelevant, existence is the signal. | /developing/aegir-apis/drush-fork-internals |
<oN>_elysia_cron.txt |
/data/conf/ |
Presence-only root-owned per-instance marker - lets backend Octopus user oN load elysia_cron.drush.inc, keeping Elysia backend-mode cron granularity instead of degrading to core cron. A deliberate explicit trust widening, off by default. | /developing/aegir-apis/drush-fork-internals |
<octopus-user>_civicrm.txt |
/data/conf/ |
Per-Octopus opt-in allowlist - when present the three CiviCRM command-file basenames are loaded during backend tasks - absent by default they stay blocked by the drush.inc filter. | /operating/troubleshooting/task-failures |
<service>.txt |
/root/.remote_backups/credentials/ |
Per-backend credential template - one <service>.txt per storage backend carrying that backend key/secret export lines plus KEEP_WITHIN and FULL_BACKUPFREQUENCY retention vars, mode 600. Fill the your placeholders to enable a backend - a template still matching your_ is skipped and not scheduled. Also written per-tenant under static/control/remote_backups/credentials/. | /operating/backups/multiback-operations |
<user>_use_proxysql.txt |
/data/conf/ |
Presence flips the per-instance DB port _THIS_DB_PORT from 3306 to 6033 for ProxySQL - a remnant of the discontinued Simple Cluster, inert on supported single-server hosts; host-wide variant is /var/aegir/use_proxysql.txt and _THIS_DB_PORT is auto-recomputed from the marker, never hand-edited. | /operating/database/percona-setup-tuning |
<user>_use_proxysql.txt |
/data/conf/ |
Per-instance marker whose presence makes stage A pre-install route the backend through ProxySQL at 127.0.0.1 port 6033 rather than the direct SQL port | /developing/install-internals/staged-setup |
ClassicTrack.info |
~/static/control/ |
Empty on-switch that restores the verify-first behaviour after FastTrack.info was used - deleting FastTrack.info alone is not enough - you also touch this file to switch the clone and migrate pre-flight checks back on. | /using/sites-and-platforms/cloning-and-migrating |
ClassicTrack.info |
~/static/control/ |
Explicit FastTrack opt-back-in marker - create it (and remove FastTrack.info) to force classic verifying Ægir behaviour on clone and migrate. Written automatically by the periodic barracuda pass, which is why verifies run by default. | /operating/migration-cloning/site-cloning |
FastTrack.info |
~/static/control/ |
Empty marker whose presence makes clone and migrate skip the site and platform pre-flight verifications so each job starts sooner - trades safety for speed - use only for bulk jobs on setups already confirmed healthy. | /using/sites-and-platforms/cloning-and-migrating |
FastTrack.info |
~/static/control/ |
Empty account-level marker - when present, skips the defensive pre-clone and pre-migrate verify tasks (source platform, target platform, source site) for both clone and migrate. OFF by default - a periodic barracuda pass deletes it and writes ClassicTrack.info. | /operating/migration-cloning/site-cloning |
MyClassic.info |
~/static/control/ |
Account-wide switch - present turns the fast parallel per-table database copy off so clone, migrate and backup produce the classic single-file mysqldump the Restore task needs - at the cost of slower jobs on large databases - remove to return to the fast default. | /using/sites-and-platforms/cloning-and-migrating |
MyClassic.info |
~/static/control/ |
MyQuick opt-out marker - create it (and remove MyQuick.info) to stop the periodic barracuda pass rewriting MyQuick.info, restoring the slower single-stream dump that the Ægir Restore task can read. | /operating/migration-cloning/site-cloning |
MyQuick.info |
~/static/control/ |
Empty account-level marker - when present, the DB phase of backup, clone, migrate and delete uses per-table parallel mydumper/myloader instead of a single-stream dump. ON by default (barracuda pass rewrites it unless MyClassic.info exists); breaks the Ægir Restore task. | /operating/migration-cloning/site-cloning |
_no_codebase_lock_unlock.ctrl |
/data/conf/ |
Kill-switch that gates reverting and re-applying the Ægir core and console patches around the D8+ platform site-install run - present disables the installer lock-unlock cycle. | /developing/aegir-apis/provision-backend |
access.txt |
/data/disk/<oct>/static/control/ip/ |
Per-instance control file read by the ip_access generator - one site per line followed by space-separated allowed IPv4/IPv6 addresses or CIDR ranges - locks the whole site to that allow-list at Nginx with a 403 for anything else - the master sqladmin context uses /var/aegir/control/ip/access.txt | /operating/security/admin-url-protection |
access.txt |
~/static/control/ip/ |
Whole-site IP lock - one line per site giving the site name and space-separated allowed IPv4/IPv6 addresses or CIDR ranges; all other clients get 403. Loopback, the server, and SSH-connected addresses are always allowed. Delete a site line to lift the lock. | /using/on-your-site/access-control |
backup_schedule.txt |
/root/.remote_backups/schedule/ |
Backup schedule list - one <service> <user> line per configured backup. The sequential_backups.sh wrapper iterates it and runs multiback backup <service> <user> for each in turn. Written by create_cron_entries.sh (dcysetup setup); inspect with cat to see the live schedule. | /operating/backups/multiback-operations |
boa_platform_control.ini |
sites/all/modules/ |
Per-platform INI settings store - tenant-editable template copied from the shipped default into the platform modules directory - exposes 34 settable variables that override the compiled-in defaults and the host cnf layer, and is itself overridden by the per-site INI. | /operating/control-files-ini/ini-precedence |
boa_site_control.ini |
sites/<domain>/modules/ |
Per-site INI settings store - the narrowest and highest-priority layer of the four-layer precedence chain - tenant-editable template copied into the site modules directory that exposes 33 settable variables overriding platform INI, octopus cnf and barracuda cnf. | /operating/control-files-ini/ini-precedence |
clear-drush-cache.info |
~/static/control/ |
Touch to force an immediate purge of the account backend build workspace and Drush caches, clearing crashed-build debris left in the hidden .tmp workspace so a rebuild does not trip over it - BOA deletes the control file once the purge finishes. | /using/deploying-code/building-a-platform |
cli.info |
~/static/control/ |
Single-line file naming the command-line PHP version for the whole account - governs drush, composer and bee in the oN.ftp shell - read every three minutes - a platform carrying path_alias_cache with PHP 5.6 installed forces 5.6 here | /using/tuning/php-version |
clstr.cnf |
/data/conf/ |
Presence marks the host as a cluster node - when readable BOA keeps the bootstrap, discovery and config cache bins on cache.backend.redis (shared tier only) instead of overriding them to chainedfast, so the per-worker APCu tier and redis_exclude_bins do not apply. | /operating/php-fpm-performance/cache-tuning |
compass.info |
~/static/control/ |
Account-level toggle - touch it, then log out and log back in after up to five minutes, to install the server-provided Ruby with Sass and Compass gems for your main account and any client sub-accounts; deleting it removes the gems again a few minutes later. | /using/deploying-code/dev-workflow |
cron-proxy.info |
~/static/control/ |
Presence-only account switch that forces every scheduled cron request to skip the public domain and hit your server directly with the domain in the Host header, for all sites on the account. Contents ignored - create via shell or SFTP, delete to revert. | /using/sites-and-platforms/site-cron |
custom_paths.txt |
/root/.remote_backups/paths/ |
Root-side custom path-set - one of the three root path-set config files (global/data/custom), a shell file sourced before each run carrying the underscore-prefixed _SOURCE/_INCLUDE_PATHS/_EXCLUDE_PATHS/_INCLUDE_LIST/_EXCLUDE_LIST path variables. Written by create_global_paths_config.sh; edit to change the paths captured. | /operating/backups/multiback-operations |
dBackupCycle.info |
/data/disk/<user>/static/control/ |
Per-tenant override for local-disk DB-dump retention under static/files/dbackup/ - holds a single integer number of days - default is 14 days when the file is absent. | /operating/backups/retention |
dBackupCycle.info |
~/static/control/ |
Holds a single whole number - the days of local database dumps in static/files/dbackup to keep before BOA prunes older ones. Default is 14 days. Empty or deleted falls back to 14; a non-number value skips cleanup so dumps are never deleted on bad input. | /using/backups/mybackup-and-quota |
data_paths.txt |
/root/.remote_backups/paths/ |
Root-side data path-set - a shell file sourced before each run carrying the same underscore-prefixed _SOURCE/_INCLUDE_PATHS/_EXCLUDE_PATHS/_INCLUDE_LIST/_EXCLUDE_LIST variables. Ships an empty _SOURCE plus a generated per-tenant include set. Written by create_global_paths_config.sh; edit to change the data path-set captured. | /operating/backups/multiback-operations |
development.services.yml |
sites/example.com/files/ |
Per-site Drupal 8+ file whose presence on a .dev. request makes BOA load it - routing Drupal render and dynamic page caches through a null backend instead of Valkey and enabling Twig template debug annotations - clear the site caches once after adding or removing it. | /using/deploying-code/dev-workflow |
disable_backups_on_static_fs.cnf |
/data/conf/ |
Box-wide kill-switch for the nightly backups-on-static-fs relocation - while present the per-account nightly pass returns before acting on any account on this host, stopping future relocation but never moving already-relocated data back. | /operating/files-symlinking/backups-on-static-fs |
disable_backups_on_static_fs.cnf |
/data/conf/ |
Box-wide kill-switch for the nightly backups relocation - when present _relocate_backups_to_static_fs self-skips, so account backups/ and backup-exports/ are not moved onto the static-files filesystem behind symlinks. | /developing/monitor-abuse-internals/nightly-worker-internals |
disable_native_files_symlink.cnf |
/data/conf/ |
Box-wide kill-switch for native symlinking - new sites get plain real files/private directories and the clone task leaves cloned files as-is - existing symlinked sites are untouched - touch to activate, rm to restore the default. | /operating/files-symlinking/configuration |
disable_native_files_symlink.cnf |
/data/conf/ |
Box-wide kill-switch that disables the post-install native symlink step which re-homes a new site files and private dirs into the per-account static store and symlinks them back - warn-not-fail. | /developing/aegir-apis/provision-backend |
disable_orphan_store_archiving.cnf |
/data/conf/ |
Box-wide switch that reverts the nightly sweep to report-only for deleted-site orphan stores - archiving of a reused name on install/clone/migrate is unaffected - touch to activate, rm to restore the default. | /operating/files-symlinking/configuration |
dont-overwrite-<site>.pid |
<aegir-root>/tools/le/.ctrl/ |
Per-site immutable-cert marker - when present Provision treats the site cert as immutable so daily renewal and Verify never re-issue LE over your PEM files, and the Encryption-disable cleanup branch is skipped entirely; create before installing a custom cert, remove to revert to LE. | /operating/nginx-internals/ssl-operations |
drush_extension_filter_disabled.txt |
/data/conf/ |
Presence-only root-owned global kill switch - turns the drush.inc extension deny-filter OFF for every identity. Single-tenant boxes only, since it re-opens the drupal.org 762138 arbitrary-code path. Content irrelevant, existence is the signal. | /developing/aegir-apis/drush-fork-internals |
exclude.txt |
/data/disk/<user>/static/control/remote_backups/config/ |
Tenant exclude directive file - optional, one --exclude line per path the hosted user wants left out. Merged by create_user_paths_config.sh (dcysetup setup) under the same absolute-path and allowed-prefix validation as include.txt; an exclude wins over an overlapping include. | /operating/backups/multiback-operations |
exclude.txt |
~/static/control/remote_backups/config/ |
Optional --exclude directives removing absolute paths from the off-site backup. Same path rules as include.txt, and where an include and exclude overlap the exclude wins. | /using/backups/mybackup-and-quota |
exclude_regexp.txt |
/data/disk/<user>/static/control/remote_backups/config/ |
Tenant exclude-pattern file - optional, one --exclude-regexp line per pattern to drop. Validated and merged by create_user_paths_config.sh (dcysetup setup); exclude patterns take precedence over include patterns. | /operating/backups/multiback-operations |
exclude_regexp.txt |
~/static/control/remote_backups/config/ |
Optional --exclude-regexp patterns for the off-site backup. Each pattern begins with ^ then an allowed base path, and exclude overrides include on overlap. | /using/backups/mybackup-and-quota |
force-ssl-certs-rebuild.info |
~/static/control/ |
Per-account marker - when present the nightly night-workers add --force to dehydrated so the account frontend cert and every per-site LE cert are force-rebuilt on the next daily pass, same as the roughly-monthly random force day. | /operating/nginx-internals/ssl-operations |
fpm.info |
~/static/control/ |
Single-line file naming the PHP-FPM version that serves all account sites to visitors - a background helper reads it every three minutes and switches every site - absent means BOA runs a sensible default | /using/tuning/php-version |
global_paths.txt |
/root/.remote_backups/paths/ |
Root-side global path-set - a shell file sourced before each run carrying the underscore-prefixed _SOURCE, _INCLUDE_PATHS, _EXCLUDE_PATHS, _INCLUDE_LIST and _EXCLUDE_LIST variables. Ships a populated _SOURCE (host paths like /etc, /var/aegir, /var/www, /var/xdrago). Written by create_global_paths_config.sh; edit to change what host-level paths are captured. | /operating/backups/multiback-operations |
http-off.pid |
~/static/control/ |
Per-account write-freeze marker written by xoct export and xmass cutover - contents are a TTL in seconds (3600 via xoct export, 7200 via xmass cutover); global.inc short-circuits every site in the account with a PHP-level 503; removed at proxy conversion. xcopy never writes it. | /operating/migration-cloning/cross-host-migration |
include.txt |
/data/disk/<user>/static/control/remote_backups/config/ |
Tenant include directive file - optional, one --include line per extra path a hosted user wants added to their off-site backup. Validated and merged into the tenant effective include set by create_user_paths_config.sh (dcysetup setup); every path must be absolute and stay inside the tenant static/ tree or their USER.ftp home, or the whole file is skipped and logged. | /operating/backups/multiback-operations |
include.txt |
~/static/control/remote_backups/config/ |
Optional --include directives adding absolute paths to the off-site backup. Each path must be absolute and stay inside static/ or the FTP home; a line breaking a rule is refused and logged for the host. Absent means the built-in default include set is used. | /using/backups/mybackup-and-quota |
include_regexp.txt |
/data/disk/<user>/static/control/remote_backups/config/ |
Tenant include-pattern file - optional, one --include-regexp line per pattern to add. Each pattern begins with a caret anchor followed by an allowed base path; validated and merged by create_user_paths_config.sh (dcysetup setup). | /operating/backups/multiback-operations |
include_regexp.txt |
~/static/control/remote_backups/config/ |
Optional --include-regexp patterns for the off-site backup. Each pattern begins with ^ then an allowed base path (static/ or the FTP home). | /using/backups/mybackup-and-quota |
le-notify.<domain>.info |
<account>/log/ctrl/ |
Per-site throttle marker for Let's Encrypt renewal-failure client notices - its mtime limits sending to once per 7 days per failing domain. Domain characters outside a-zA-Z0-9._- become underscore. Written by the nightly owl.sh account night worker. | /operating/security/mailing-policy |
local-allow.info |
sites/example.com/modules/ |
Control file you create to begin BOA supported procedure for editing local.settings.php - after creating it, run the Reset password task to make local.settings.php group-writable, edit and test as admin, then run Verify to restore read-only permissions. | /using/deploying-code/dev-workflow |
multi-fpm.info |
~/static/control/ |
Per-site PHP-FPM override listing one main-domain-plus-version per line - any site listed uses its own PHP-FPM version while unlisted sites fall back to the single default in fpm.info - works alongside fpm.info | /using/tuning/php-version |
native_files_archive_alert_kb.cnf |
/data/conf/ |
Box-wide value file - threshold in KB for the archived-store pile alert, default 1048576 KB (1 GiB) - only the first line is read and non-digit characters stripped, else the default stays - controls only the alert and never moves or deletes anything - remove to restore the default. | /operating/files-symlinking/configuration |
newrelic.info |
~/static/control/ |
Holds your New Relic 40-character hex license key on its own line - arming the PHP layer for your whole instance. A background agent picks it up within minutes. Deleting the file disarms the layer and stops reporting instance-wide. | /using/on-your-site/new-relic |
no_backups_on_static_fs.info |
/data/disk/<account>/static/control/ |
Per-account kill-switch disabling the nightly backups-on-static-fs relocation for one Octopus account - while present the nightly pass returns before acting, stopping future relocation but never moving already-relocated data back. | /operating/files-symlinking/backups-on-static-fs |
no_backups_on_static_fs.info |
~/static/control/ |
Per-account kill-switch for the nightly backups relocation - when present in an account, _relocate_backups_to_static_fs self-skips for that account so its backups/ and backup-exports/ stay in place rather than moving onto the static-files filesystem. | /developing/monitor-abuse-internals/nightly-worker-internals |
no_native_files_symlink.info |
/data/disk/<account>/static/control/ |
Per-account version of the native-symlinking kill-switch - disables native files/private symlinking for one Octopus account only - presence switch, touch to activate and rm to restore the default. | /operating/files-symlinking/configuration |
no_native_files_symlink.info |
~/static/control/ |
Per-account kill-switch that disables the post-install native symlink step for that account only so the new site files and private dirs are not re-homed into the static store - warn-not-fail. | /developing/aegir-apis/provision-backend |
nodnsupdate |
/etc/dhcp/dhclient-enter-hooks.d/ |
No-op dhclient enter-hook whose make_resolv_conf body is empty so dhclient can never overwrite /etc/resolv.conf on a DHCP lease renewal - installed by the BOA.sh.txt bootstrap and by dhcpfix, and re-installed on bootstrap self-heal when unbound runs but the hook is missing | /operating/troubleshooting/dns-resolver |
paths.txt |
/data/disk/<user>/remote_backups/paths/ |
Per-tenant path-set - a plain shell file sourced by multiback before each run, carrying the underscore-prefixed _SOURCE/_INCLUDE_PATHS/_EXCLUDE_PATHS/_INCLUDE_LIST/_EXCLUDE_LIST variables (a name without the leading underscore is read by nothing). Written by create_user_paths_config.sh; edit to change what the tenant captures. | /operating/backups/multiback-operations |
phpNN.info |
~/static/control/ |
Empty marker file named per version that switches the command-line PHP instantly for the next command - highest marked-and-installed version wins - markers for uninstalled versions are skipped - delete a higher marker to step down | /using/tuning/php-version |
platforms.info |
~/static/control/ |
Tenant-editable list of short platform keywords choosing which platforms install into your own Octopus instance - REPLACES the host default set rather than extending it - keeps only spaces-digits-capitals - the ALL keyword installs everything - an empty file falls back to the host default. | /using/sites-and-platforms/platforms |
platforms.info |
~/static/control/ |
Per-instance list of Drupal platforms to install on Octopus install or upgrade - BOA no longer installs every bundled platform automatically - edit this file in the instance then run octopus up-<tier> oN platforms to add the listed platforms. | /operating/os-lifecycle/manual-boa-upgrade |
policy.txt |
/data/disk/<oct>/static/control/ai/ |
Per-Octopus per-site control file - one line per site with flags train-allow, evasive-allow, search-block, user-block, utility-block - that flip the global AI bot policy per site; read by ai_policy.sh into a per-site nginx fragment. No record keeps global defaults. | /operating/nginx-internals/edge-policy |
policy.txt |
~/static/control/ai/ |
Per-site AI bot policy - one line per site giving the site name and space-separated flags that flip the host-wide AI defaults for that site (train-allow, evasive-allow, search-block, user-block, utility-block). AI training crawlers and the evasive Perplexity-User fetcher are blocked by default; AI search/index, honest assistant fetchers and utility bots are allowed and rate-limited. Sites with no line keep the defaults; comment lines and blank lines are ignored; delete a site line to restore the defaults. | /using/on-your-site/access-control |
proxied.pid |
~/log/ |
Per-account marker written by xoct proxy and xmass cutover for every source account once it is converted to a migration proxy; contents are COMPLETE. Read by owl as the proxied-state signal - a proxied account is skipped on nightly runs. | /operating/migration-cloning/cross-host-migration |
run-aegir-queue.info |
/data/disk/*/static/control/ |
Per-instance opt-in that enables the automatic task queue on CI or Jenkins-style boxes - an instance creates it under its static/control directory to participate once .allow.aegir.queue.cnf or a higher Octopus plan permits the queue. | /operating/architecture/task-queue |
run-php-fpm-reload.pid |
~/static/control/ |
Empty marker an account holder creates by hand (touch or over SFTP) to request a graceful reload of every installed PHP-FPM version - this recycles workers and clears stale APCu, then the monitor removes the file itself, with a roughly 30-second cooldown guarding against reload storms. | /using/caching/php-opcache-and-apcu |
run-php-fpm-reload.pid |
~/static/control/ |
Sentinel touched from an Octopus account to trigger a graceful pool-wide reload of every installed PHP-FPM version, clearing per-worker APCu without dropping connections - the php.sh monitor detects it, reloads, then removes it. Gated on POWER/PHANTOM/CLUSTER/ULTRA/MONSTER plans or the /etc/boa/.allow.php.fpm.reload.cnf host marker. | /operating/php-fpm-performance/cache-tuning |
run-upgrade.pid |
~/static/control/ |
Empty marker a tenant drops next to platforms.info to trigger an on-demand Octopus upgrade without root - it reinstalls exactly the platforms your platforms.info lists then BOA deletes the file automatically - ignored if no platforms.info exists. | /using/sites-and-platforms/platforms |
share.files.<site>.info |
/data/disk/<account>/static/control/ |
Declares a cross-site files symlink for the named site intentional (e.g. a staging copy reading the live site uploads) so the tools leave it in place instead of breaking it into a separate copy - cloning always gets its own copy via --force-unshare. | /operating/files-symlinking/configuration |
share.files.<site>.info |
/data/disk/your_username/static/control/ |
Optional file-sharing marker a customer creates in the account control directory - while it exists the intentional cross-site files link for the named site is kept instead of being replaced with a separate copy - remove it to return to independent per-site copies - a clone never inherits it | /using/backups/your-files-storage |
skip-name-resolve.txt |
/etc/mysql/ |
Presence marker that suppresses BOA enabling skip-name-resolve in my.cnf - when this file exists BOA leaves reverse-DNS on connect enabled instead of the shipped no-reverse-DNS default. | /operating/database/my-cnf-lifecycle |
ssl-live-mode.info |
~/static/control/ |
Per-account marker for migrating a site off the deprecated dedicated-IP xoct ssl-gen custom-cert model to Let's Encrypt - touch it and wait five minutes after clearing leftover proxy vhosts, then enable SSL for the affected sites. | /operating/nginx-internals/ssl-operations |
ssl-yes-dev-<domain>.info |
~/static/control/ |
Per-site override that gives a development-named site (main domain containing .dev. .devel. .test. .testing. .temp. .tmp. or .temporary.) a real browser-trusted Lets Encrypt certificate instead of the default self-signed placeholder - touch it from the oN.ftp shell then run Verify. Named after the site main domain. | /using/ssl/ssl-for-your-sites |
user_admin.txt |
/data/disk/<oct>/static/control/ip/ |
Per-instance control file read by the user_admin_access generator - one site per line followed by space-separated allowed IPv4/IPv6 addresses or CIDR ranges - restricts only the /user and /admin URIs to that allow-list at Nginx while the rest of the site stays public | /operating/security/admin-url-protection |
user_admin.txt |
~/static/control/ip/ |
Login/admin-only IP lock - like access.txt but guards only /user and /admin and pages under them while the rest of the site stays public; other clients hitting those get 403. Same one-line-per-site format, always-allowed loopback/server/SSH, and delete-to-lift behaviour. | /using/on-your-site/access-control |
xmass_state.cnf |
/data/conf/ |
Whole-server migration state file written by xmass through the phases init/syncing/cutover/complete; each subcommand refuses to run out of sequence, and cutover parks at rename-failed on a panel-rewire or renameaegirhost failure. Mode 600 - it holds the xmass_repl replication password. Remove to abandon a migration, but only after replication is torn down on the target. | /operating/migration-cloning/cross-host-migration |