BOA-5.88.8 — Continuity Edition
BOA-5.88.8 PRO/LTS is a milestone for the 5.x tree — a continuity release in every sense of the word. It gives every generation of the Drupal family a first-class, supported home on one platform: Backdrop CMS support ships enabled by default, a complete Drupal 6 → 7 → Backdrop upgrade chain runs as ordinary control-panel tasks, classic Ægir estates can be imported wholesale, and a rebuilt server-to-server migration suite moves whole servers across Percona generations. Around the code, the project's public face is renewed: docs.boa.io — the new unified documentation site — and the new omega8.cc website with a /news section are both live. And yes, the version says 5.88.8: we are staying in the 5.x tree, and after a cycle this large the eights felt earned — turn one on its side and you get ∞, which is rather the point of a Continuity Edition.
In total, 422 commits across six repositories went into this release:
| Repository | Branch | Commits |
|---|---|---|
| omega8cc/boa | 5.x-dev | 341 |
| omega8cc/provision | 5.x-dev | 57 |
| omega8cc/hosting | 5.x-dev | 19 |
| omega8cc/drush | 8-boa-micro | 2 |
| omega8cc/eldir | 5.x-dev | 2 |
| omega8cc/hosting_tasks_extra | 5.x-dev | 1 |
One more piece of continuity worth stating plainly: the LTS edition remains fully current alongside PRO. The code freeze once pencilled in for the free edition did not take effect — every headline feature in this release ships for both PRO and LTS.
A New Home: docs.boa.io and the New omega8.cc
- docs.boa.io consolidates years of BOA documentation into one unified, searchable site, organised by audience: Using Ægir, Self-Hosting, Operating, and Developing — plus quick-start cheat sheets and a generated reference of configuration variables, commands and control files.
- The new omega8.cc is live, including a /news section (with RSS) where every BOA release and platform milestone is announced from now on.
- Release notes have a permanent home in the documentation as well, so the full technical record of each release stays one click away from the docs it relates to.
Backdrop CMS Support — Enabled by Default
Backdrop CMS — the community continuation of the Drupal 7 lineage — is now
a first-class citizen on every BOA server, and it ships enabled by
default (_BACKDROP_SUPPORT=YES, opt-out in /root/.barracuda.cnf).
- Full lifecycle in the control panel. Backdrop platforms are built automatically alongside the Drupal set, and Backdrop sites install, verify, clone, back up, restore and renew HTTPS certificates through the same Ægir tasks Drupal sites use. Backdrop platforms and sites carry a clear BDR badge in the panel.
beecommand-line support. Backdrop's CLI companion is installed and wired into the same safe shell environment as Drush, and follows the same per-site PHP-CLI selection.- Valkey/Redis object cache for Backdrop platforms, matching the caching Drupal sites get.
- Site cron routed to
core/cron.phpwith the cron key handled natively;core/update.phpis gated in the vhost like its Drupal counterpart. - The upgrade chain is the headline. Two new clone-preserving site
tasks carry a legacy site forward without ever touching the original:
Drupal 7 → Backdrop (
backdrop_upgrade) runs the whole conversion on a dark copy, and Drupal 6 → Drupal 7 (backdrop_d6_upgrade) covers the first hop with a pinned contrib kit and a dark D7 intermediate — so a D6 site can travel D6 → D7 → Backdrop entirely through control-panel tasks. When the copy is ready, thebackdrop_cutovertask takes over the original domain in one step, so the site keeps its URL. - Backdrop-to-Backdrop Migrate works across Backdrop platforms; stock cross-lineage Migrate between Drupal and Backdrop is deliberately refused — the dedicated upgrade tasks are the supported path.
utf8mb4_convert— a new front-end task (via hosting_tasks_extra) that converts imported Drupal 7 estates still on 3-byte utf8 tables, a common blocker for imported legacy databases.
Operator reference: docs/BACKDROP.md (new).
Import from Classic Ægir
Vanilla Ægir estates — often orphaned on ageing Apache servers — now have a supported road into BOA. The aegir2boa toolset ships in the standard tools distribution:
aegir2boa-preflightsurveys a vanilla Ægir server and reports exactly what stage 1 and stage 2 will do to it.- Stage 1 converts a vanilla Ægir 3.x server from Apache to Nginx in place, with revert paths at every step.
- Stage 2 adopts the
/var/aegirestate into a BOA Octopus instance, via two routes: per-site adoption for mixed or unknown estates, and a whole-DB import for homogeneous, current-3.x estates. aegir3-install— an unattended vanilla Ægir 3.x installer for Debian — rounds out the set for building rehearsal estates before touching a production one.
Both routes were rehearsed end-to-end on disposable machines, with every
revert path drilled. Operator runbook: docs/AEGIR2BOA.md (new).
Local Development: BOA Local and DDEV
- BOA Local is back.
boa in-lts localinstalls a slim, local-development BOA profile on a VM or laptop — no public DNS, no licence gate, no manufacturer checks — so the full stack can be developed against locally. ddev-boa— a public DDEV add-on (ddev add-on get omega8cc/ddev-boa) that pulls a BOA-hosted site's database and files into a local DDEV project through the client's own limited shell, no root involved. Operator reference:docs/DDEV-BOA.md(new).
Native Files-Directory Symlinking
New sites and clones now keep their files/ and private/ directories in
a per-site static store outside the platform tree, symlinked into
place (on by default for new installs and clones, kill-switchable):
- Codebases stay disposable: platform upgrades, migrations and renames move code while file assets stay put.
- Clones get their own symlinked copy — no accidental sharing.
- New
symlinkinfotool reports any site's symlink state and archive history;updatesymlinksgains a gated nightly auto-fix mode and a read-only daily orphan report (both opt-in; stale and orphaned stores are archived, never deleted). - Per-account backup directories can relocate onto the same static filesystem overnight, freeing the system disk.
Operator reference: docs/FILES-SYMLINK.md (new, admin + per-site).
Prebuilt Stack Packages on Devuan Daedalus
On Devuan Daedalus boxes, BOA now installs its heavy stack — Nginx,
Valkey, OpenSSL, PHP and friends — from prebuilt boa-* Debian
packages instead of compiling from source (_USE_PREBUILT_PKGS
auto-resolves to YES on Daedalus; explicit cnf setting always wins; other
OS releases keep building from source). Installs and upgrades get
dramatically shorter, and every component quietly falls back to the
source build if its package cannot be fetched or installed. The phase-2
set adds boa-valkey (major 9) and a boa-nginx overlay. Operator
reference: docs/PREBUILT.md (new).
Night Maintenance, Rebuilt
The venerable nightly daily.sh monolith is now owl.sh plus a set of
single-purpose night workers:
- Per-account work runs as isolated subprocesses under a run-freeze, so one account's maintenance can never wedge the whole night.
- All nightly cleanup blocks while a Provision task runs — night jobs and control-panel tasks no longer race.
- Classified ghost-site handling. The night pass now tells a genuine
ghost (alias and vhost present, site directory gone) apart from
front-end records, platform-gone cases and stranded migrations. By
default it detects, reports and notifies — the affected account's
client contact gets one actionable email per site per month
(
_GHOST_CLIENT_NOTIFY=YES) — while every destructive cleanup move stays opt-in (_GHOST_*_CLEANUP=NO), moves things aside into anundo/area rather than deleting, and arms itself one night before the first real move. - HTTPS renewal failures now reach humans. Each account's failed
Let's Encrypt renewals are reported per account to the operator, and the
client contact receives one throttled, actionable notice per site per
week (
_LE_CLIENT_NOTIFY=YES, with a Reply-To that reaches a person).
The Server Migration Suite
The migration family — xoct (one instance), xcopy (one account),
xmass (replication-based whole-server moves) — was overhauled end to end
this cycle and validated as a full matrix on disposable VMs:
- Percona 8.0/8.4-aware replication.
xmassnow speaks the modern replication dialect end to end (REPLICA/SOURCE verbs on 8.4, GTID persistence in the include dirmy.cnfactually reads,binlog_expire_logs_seconds,GET_SOURCE_PUBLIC_KEYreplica auth, matching xtrabackup repos) — and refuses a cross-version 5.7 → 8.x replication move by design, wherexocthandles the cross-version path. - Storage-aware, DRY-gated file transfer. All three tools detect
attached
/mntstorage, relocate shared archives, fold Solr indices into the disk-space gate, and support dry runs before touching data. migratefs(new) relocates heavy site data onto attached storage safely, refusing ambiguous multi-mount setups.renameaegirhostis now fully self-contained for in-place hostname renames: site directory, control files, hostmaster verify and stalesites.phprecords are all handled, with an account axis for rename-mode migrations and documented recovery for aborted runs.- Migration renames fail loudly and resumably — a failed rename parks
the account for resume instead of half-moving it; panel database access
is rewired on
xmasstargets before cutover; the migrated-in503gate clears the moment an import completes. - Modern Drupal arrives warm: per-site PHP version pins are preserved through migration, and Drupal 8+ sites get a cold Valkey flush plus a PHP-FPM restart on arrival, clearing stale caches (the service container finishes rebuilding on the follow-up verify).
References: docs/MIGRATE-XOCT.md (updated), docs/MIGRATE-PERCONA8.md
(new cross-version Percona reference), plus a Percona 8 readiness How-To.
Security and the Web IDS
The Nginx Abuse Guard and the wider intrusion-detection stack take another major step this cycle:
- Distributed UA-burst scanner-fleet detector (on by default,
_NGINX_UA_BURST_DETECT). A scanner fleet sharing one User-Agent across many IPs — each IP too quiet to trip per-IP limits — is recognised by the shared fingerprint's aggregate behaviour (many distinct IPs, high request count, overwhelmingly bad statuses) and banned as a unit. - Foreign-CMS probe guard. Requests for admin paths that cannot exist
on a Drupal, Backdrop or hostmaster docroot —
wp-admin,wp-login,phpmyadminand friends — are dropped with444at the edge before PHP ever sees them. (Adminer paths are untouched — BOA ships Adminer.) - IPv6 joins the adaptive web ban. The web IDS now scores IPv6 clients
and bans them through an nginx-native, self-expiring store — closing the
gap left by the IPv4-only firewall layer — with IPv6 and CIDR support
added to the per-site
ip_accessallow-list as well. - Per-site
/user+/adminIP allow-list (user_admin_access). One root-managed control file per Octopus instance locks any site's login and admin paths to listed IPv4/IPv6 addresses or subnets; the rest of the site stays public, and an anti-lockout rule always admits the server itself and established SSH peers. - Drush extension hygiene, default-secure. Ægir backend identities no
longer load
*.drush.incextensions from tenant-writable locations — closing a long-standing upstream attack path — with per-instance root-created opt-ins for CiviCRM and Elysia cron, and BOA's own extensions always loading. A verification runbook ships alongside (docs/DRUSH-FILTER-TESTING.md). - A quieter, harder edge everywhere else: SSH/Web/FTP IDS input
validation and a ban-evasion fix; log-scanner guards anchored to parsed
log fields (an attacker-controlled username can no longer spoof its way
past the SSH or FTP scanners); every
/etc/sudoerswrite is visudo-validated and de-duplicated; thefix-drupal-*NOPASSWD wrappers are scoped to the calling tenant's own tree; Ægir install values hand off through sealed, per-spawn, owner-scoped includes; the TCP SACK mitigation persists across firewall restarts; a rebuiltsshd_configis validated before sshd restarts; and an invalid legacy ssh_config option that silently broke outbound SSH is removed. - Cloudflare-fronted sites: the intermittent 502 is gone. The
wild-ssl proxy path pinned its upstream to a dead IPv6 localhost
candidate under load; the upstream is now pinned to
127.0.0.1, Cloudflare ranges are whitelisted on port 443 as well as 80, and the proxied HTTPS path is enforced, observed and scored like any other.
Modern Drupal (10/11) Reliability
- The container-poison class of failures is fixed. Drupal 10/11 sites
could come out of a clone, deploy or fresh install with a service
container compiled while Ægir's compatibility patches were reverted —
poisoning the cached container and breaking the site until the next
verify. All service-container rebuilds now run inside a chmod-only
window that keeps the patches applied (deploy
updatedb, freshsite-install, and the post-deploy cache rebuild alike). - Fresh D11 installs fail loudly or succeed cleanly: a failed
site-installnow errors the task out instead of limping on, the one-time login link is generated correctly again, and the installer's policy-module cleanup actually runs. - New Drupal 11.4 platform joins the auto-built set, and the whole tested core/distro catalogue moves to the 2026-07-17 build (below).
The Ægir Panel and Client Experience
- Welcome emails now include a working control-panel login. A new client account is tied to the instance's SSH identity, so the recipient can sign into Ægir from day one — no more "random password nobody ever saw". The welcome email was rewritten around the new documentation, and every BOA-sent email is now vendor-agnostic, pointing at docs.boa.io and signed by The BOA Dev Team.
- Password reset requests route to host support instead of the disabled sendmail path, and the dormant "Request new password" link is hidden in the eldir theme.
- One-step www/non-www rename in the Migrate form: a site can move
between
example.comandwww.example.comas a single rename, with the old alias handled correctly. - Imported installed sites land ENABLED in the panel instead of parked in a queued state.
Task Queue and Dispatch Reliability
- The task-queue dispatcher is serialized — concurrent dispatcher runs can no longer double-launch a task batch — backed by a per-instance lock on the queue runner itself.
- A stale queue lock clears far sooner after a crash (shortened lock timeout), the dispatcher re-enables itself after instance installs and upgrades and when a setup self-test fails, orphaned build temporaries no longer wedge the queue, and an empty upstream database record can no longer wipe stored database credentials.
Operator Tools and Platform Ops
boa suspend <user>/boa unsuspend <user>(new, root-only): gate every site of an Octopus instance behind an HTTP 503 (withRetry-After) while backend, Drush and cron keep working — the clean billing-grade switch. The flag lives outside the account tree, so the account owner cannot remove it. Reference:docs/SUSPEND.md(new)./root/.barracuda.cnfnow shows effective defaults for all YES/NO options — no more guessing what an empty line means — and the self-heal never overwrites an operator-set value.codebasecheckgains a box-wide Percona 8 readiness report and a--deepcontrib/schema analysis that cuts false-OK results before a database major upgrade._NGINX_KTLSopt-out lever for the OpenSSL 3.2+ kernel-TLS receive-path noise seen on some kernels (docs/NGINX-KTLS.md, new); kTLS remains on by default./etc/apt/sources.listself-heals: a missing or half-written file is regenerated crash-safely (Debian trixie aware), and a failed fetch now enforces the canonical mirror rather than restoring a possibly stale backup.staticbuild(new): the mirror-source build tool that assembles and publishes the tested Drupal/Backdrop codebases — versions derived from the actual build, so the catalogue below is always real.- Sturdier plumbing: versioned-fetch is now content-aware (a stale
serial marker self-heals), lock-pid ownership guards ported to
barracudaandoctopus,webshis single-sourced, and the Debian-to-Devuanautoinitconversion helper rides out DNS and network flaps with a safe re-entry gate.
Operator Notes
This release has no mandatory action — no forced reboot beyond the usual upgrade flow, and no custom values to re-pin. Two default changes are worth a conscious decision:
- Backdrop support is on by default. On upgrade, a box that never set
_BACKDROP_SUPPORTgetsYESappended to/root/.barracuda.cnf, enabling Backdrop platforms,beeand the panel integration. Set_BACKDROP_SUPPORT=NOfirst if you do not want Backdrop platforms built. - Prebuilt packages are on by default on Devuan Daedalus only. Set
_USE_PREBUILT_PKGS=NOto keep compiling from source on Daedalus; all other OS releases are unaffected. - Everything else new ships either safe-by-default (detectors, notices, reports) or strictly opt-in (ghost-cleanup moves, nightly symlink auto-fix, per-site allow-lists, suspend).
Component Versions
| Component | Version |
|---|---|
| Nginx | 1.31.3 (was 1.31.2) |
| OpenSSH | 10.4p1 (was 10.3p1) |
| PHP | 8.5.8, 8.4.23, 8.3.32 (default set; 8.4 remains the default CLI/FPM), 8.2.32 available |
| Composer | 2.10.2 (was 2.8.2) |
| Drush 8 (classic) | 8.5.4 (was 8.5.3) |
| New Relic | 12.8.0.37 (was 12.7.0.36) |
| Backup stack | Python 3.14.6 + Duplicity 3.1.0 (was 3.13.9 / 3.0.6) |
| Backdrop CMS | 1.34.2 (new) |
| ImageMagick | distro-packaged (the dormant source-build path was removed) |
Unchanged since BOA-5.10.3: OpenSSL 3.5.7 LTS, cURL 8.21.0, Apache Solr
9.10.1, Valkey 9.1.0 (now also delivered as the prebuilt boa-valkey
package on Daedalus), Percona Server (8.4 current, 5.7 legacy), mydumper.
Supported / Tested Drupal & Backdrop Distributions
The tested catalogue moves to the 2026-07-17 static build:
- Backdrop CMS 1.34.2 (new)
- Drupal CMS 2.1.3 (Drupal 11.4.4)
- Commerce Kickstart 5.1.0 (11.4.4) (major refresh), plus CK2 2.40 and CK1 2.77 for older lineages
- LocalGov 4.0.2 (11.4.4), Thunder 8.4.0 (11.4.4), farmOS 4.0.4 (11.3.14), OpenCulturas 3.0.3 (11.3.14)
- Vanilla cores: 6.60.1, 7.105.1, 9.5.11, 10.0.11 → 10.6.13, 11.1.10, 11.2.14, 11.3.14, and the new 11.4.4
- Varbase stays available as its last working 10.1.0 build (upstream's project template is currently broken; frozen until fixed upstream)
Important Fixes
- Intermittent box-wide 502s behind Cloudflare on proxied HTTPS, root-caused and fixed (dead IPv6 upstream candidate in the wild-ssl proxy path).
- Drupal 10/11 cached-container poisoning after clone/deploy/install, fixed via patch-preserving rebuild windows (above).
- Composer works for shell users again: Composer 2.8.3+ switched its
subprocess model and collided with the safe-shell wrapper;
webshnow executes those calls correctly, unblocking the Composer 2.10.2 update. _SMTP_RELAY_HOSTwas never written to Postfixmain.cf— the outbound relay opt-in now actually configures the relay.- Special files can no longer break site backups: device/special files are excluded from backups and all tree transfers, so a stray device node no longer aborts a restore or deploy.
- Octopus bundle installs set the instance email again (regression),
and an empty
_PHP_CLI_VERSIONcan no longer abort an Ægir install. - FTP log scanning anchors on the real pure-ftpd tag and handles
IPv6/
::ffff:peers, so a crafted username can no longer confuse the FTP scanner. - Nightly log preparation no longer grows a pid-file name without
bound; the argless unlock path in the lock library is fixed; a false
space-check failure in
autosymlinkwhen the static base was absent is fixed; Java initd disabling no longer collides on a path; GRUB rewrites are skipped when config is already in sync and applied when it really changed.
New Documentation
New operator references in this release — all also woven into docs.boa.io:
docs/BACKDROP.md— Backdrop CMS operator guide (platforms, tasks, upgrade chain, cutover, limitations).docs/AEGIR2BOA.md— the classic-Ægir-to-BOA migration runbook.docs/DDEV-BOA.md— local development against a BOA-hosted site.docs/FILES-SYMLINK.md— native files symlinking (admin + per-site).docs/PREBUILT.md— prebuilt stack packages.docs/SUSPEND.md— instance suspend/unsuspend.docs/NGINX-KTLS.md— the kTLS opt-out lever.docs/MIGRATE-PERCONA8.md— cross-version Percona 8 migration and verification, plus a Percona 8 upgrade-readiness How-To.docs/DRUSH-FILTER-TESTING.md— verifying the Drush extension filter.docs/USER-ADMIN-ACCESS.md— the per-site/user+/adminallow-list.docs/BUILDTESTS.md— rebuilt around thestaticbuildprocedure.
Upgrade Instructions
Run inside a screen session as root:
screen
wget -qO- https://files.boa.io/BOA.sh.txt | bash
barracuda up-lts
octopus up-lts all force
boa reboot
For silent, logged mode (output to /var/backups/reports/up/, emailed on
completion — useful for cron):
screen
wget -qO- https://files.boa.io/BOA.sh.txt | bash
barracuda up-lts log
octopus up-lts all force log
Full upgrade documentation: https://github.com/omega8cc/boa/blob/5.x-dev/docs/UPGRADE.md Self-upgrade automation: https://github.com/omega8cc/boa/blob/5.x-dev/docs/SELFUPGRADE.md
Links
- Documentation: https://docs.boa.io
- News & announcements: https://omega8.cc/news
- Commit history (BOA): https://github.com/omega8cc/boa/commits/5.x-dev/
- Commit history (Provision): https://github.com/omega8cc/provision/commits/5.x-dev/
- Full changelog: https://github.com/omega8cc/boa/blob/5.x-dev/CHANGELOG.txt
- License: https://github.com/omega8cc/boa/blob/5.x-dev/DUALLICENSE.md