Icinga 2 v2.14.4

This bugfix release is focused on improving HA cluster stability and easing
troubleshooting of issues in this area. It also addresses several crashes,
in the core itself and both in Icinga DB and IDO (numbers out of range).
In addition, it fixes several other issues such as lost notifications
or TimePeriod/ScheduledDowntime exceeding specified date ranges.

Crash Fixes

• Invalid DateTime#format() arguments in config and console on Windows Server 2016 and older. #10112
• Downtime scheduling at runtime with non-existent trigger. #10049
• Object creation at runtime during Icinga DB initialization. #10151
• Comment on a service of a non-existent host. #9861

Miscellaneous Bugfixes

• Lost notifications after recovery outside the notification time period. #10187
• TimePeriod/ScheduledDowntime exceeding specified date range. #9983 #10107
• Clean up failure for obsolete Downtimes. #10062
• ifw-api check command: use correct process-finished handler. #10140
• Email notification scripts: strip 0x0D (CR) for a proper Content-Type. #10061
• Several fixes and improvements of the code quality. #10066 #10214 #10254 #10263 #10264

Cluster and API

• Sync runtime objects in topological order to honor their dependencies. #10000
• Make parallel config syncs more robust. #10013
• After object creation via API fails, clean up properly for the next try. #10111
• Close HTTPS connections properly to prevent leaks. #10005 #10006
• Reduce the number of cluster messages in memory at the same time. #9991 #9999 #10210
• Once a cluster connection shall be closed, stop communicating. #10213 #10221
• Remove unnecessary blocking of semaphores. #9992 #9994
• Reduce unnecessary cluster messages setting the next check time. #10011

Icinga DB and IDO

• IDO: fix object relations after aborted synchronization. #10065
• Icinga DB, IDO: limit all timestamps to four year digits. #10058 #10059
• Icinga DB: limit execution_time and latency (milliseconds) to database schema. #10060

Troubleshooting

• Add /v1/debug/malloc_info which calls malloc_info(3) if available. #10015
• Add log messages about own network I/O. #9993 #10141 #10207
• Several fixes and improvements of log messages. #9997 #10021 #10209

Windows

• Update OpenSSL shipped on Windows to v3.0.15. #10170
• Update Boost shipped on Windows to v1.86. #10114
• Support CMake v3.29. #10037
• Don't require to build .msi as admin. #10137
• Build configuration scripts: allow custom $CMAKE_ARGS. #10312

Documentation

• Distributed Monitoring: add section "External CA/PKI". #9825
• Explain how to enable/disable debug logging on the fly. #9981
• Update supported OS versions and repository configuration. #10064 #10090 #10120 #10135 #10136 #10205
• Several fixes and improvements. #9960 #10050 #10071 #10156 #10194
• Replace broken links. #10115 #10118 #10282
• Fix typographical and similarly trivial errors. #9953 #9967 #10056 #10116 #10152 #10153 #10204

Icinga 2 v2.13.11

This bugfix release addresses several crashes,
both in the core itself and in Icinga DB (numbers out of range).
In addition, it fixes several other issues such as lost notifications
or TimePeriod/ScheduledDowntime exceeding specified date ranges.

Crash Fixes

• Invalid DateTime#format() arguments in config and console on Windows Server 2016 and older. #10165
• Downtime scheduling at runtime with non-existent trigger. #10127
• Object creation at runtime during Icinga DB initialization. #10164
• Icinga DB: several numbers out of database schema range. #10244

Miscellaneous Bugfixes

• Lost notifications after recovery outside the notification time period. #10241
• TimePeriod/ScheduledDowntime exceeding specified date range. #10128 #10133
• Make parallel config syncs more robust. #10126
• Reduce unnecessary cluster messages setting the next check time. #10168

Windows

• Update OpenSSL shipped on Windows to v3.0.15. #10175
• Update Boost shipped on Windows to v1.86. #10134
• Support CMake v3.29. #10087
• Don't require to build .msi as admin. #10305
• Build configuration scripts: allow custom $CMAKE_ARGS. #10315

Icinga 2 v2.14.3

This security release fixes a TLS certificate validation bypass.
Given the severity of that issue, users are advised to upgrade all nodes immediately.

• Security: fix TLS certificate validation bypass. CVE-2024-49369
• Security: update OpenSSL shipped on Windows to v3.0.15.
• Windows: sign MSI packages with a certificate the OS trusts by default.

Icinga 2 v2.13.10

This security release fixes a TLS certificate validation bypass.
Given the severity of that issue, users are advised to upgrade all nodes immediately.

• Security: fix TLS certificate validation bypass. CVE-2024-49369
• Security: update OpenSSL shipped on Windows to v3.0.15.
• Windows: sign MSI packages with a certificate the OS trusts by default.

Icinga 2 v2.12.11

This security release fixes a TLS certificate validation bypass.
Given the severity of that issue, users are advised to upgrade all nodes immediately.

• Security: fix TLS certificate validation bypass. CVE-2024-49369
• Security: update OpenSSL shipped on Windows to v3.0.15.
• Windows: sign MSI packages with a certificate the OS trusts by default.

Icinga 2 v2.11.12

This security release fixes a TLS certificate validation bypass. Given the severity of that issue, users are advised to upgrade all nodes immediately.

• Security: fix TLS certificate validation bypass. CVE-2024-49369
• Security: update OpenSSL shipped on Windows to v3.0.15.
• Windows: sign MSI packages with a certificate the OS trusts by default.

Icinga 2 v2.14.2

Version 2.14.2 is a hotfix release for master nodes that mainly fixes excessive disk usage caused by the InfluxDB writers.

• InfluxDB: truncate timestamps to whole seconds to save disk space. #9969
• HttpServerConnection: log request processing time as well. #9970
• Update Boost shipped on Windows to v1.84. #9970

Icinga 2 v2.14.1

Version 2.14.1 is a hotfix release for masters and satellites that mainly
prevents permanent disintegration of a whole cluster due to root CA expiry.

Security

• Automatically renew own root CA and distribute it to all nodes. #9933
• Update OpenSSL shipped on Windows to v3.0.12. #9946
• Disable TLS renegotiation (handshake on existing connection). #9946

Bugfixes

• Icinga DB feature: fix crash due to missing NULL pointer check. #9946
• Icinga DB feature: fix data written into Redis crashing the Go daemon. #9946
• GelfWriter: fix deadlock on stop/reload caused by busy queue. #9947
• Don't lose notifications due to too long output, truncate it. #9947

Enhancements

• Discard duplicate problem notifications due to state filtering. #9932
• Speed up API filters targeting specific hosts/services to O(1). #9944
• POST /v1/console/*: return HTTP 503 while Icinga is reloading. #9947
• Update Boost shipped on Windows to v1.83. #9946
• Documentation: several fixes and improvements. #9921

Icinga 2 v2.13.9

Version 2.13.9 is a hotfix release for masters and satellites that mainly
prevents permanent disintegration of a whole cluster due to root CA expiry.

Security

• Automatically renew own root CA and distribute it to all nodes. #9934
• Update OpenSSL shipped on Windows to v3.0.12. #9945
• Disable TLS renegotiation (handshake on existing connection). #9945

Bugfixes

• Icinga DB feature: fix crash due to missing NULL pointer check. #9945
• Icinga DB feature: fix data written into Redis crashing the Go daemon. #9945

Updates

• Update Boost shipped on Windows to v1.83. #9945

Icinga 2 v2.14.0

Issues and PRs

Notes

Upgrading docs: https://icinga.com/docs/icinga2/snapshot/doc/16-upgrading-icinga-2/#upgrading-to-2-14

Thanks to all contributors: atj, atwebm, cspeterson, cycloon, DamianoChini, efuss, fabieins, haxtibal, jaapmarcus, log1-c, lrupp, maggu, mcodato, Napsty, orbison, peteeckel, slalomsk8er, stevie-sy, Tqnsls

Breaking Changes

• Remove CheckResultReader (which has been deprecated since v2.9). #9714
• Remove StatusDataWriter (which has been deprecated since v2.9). #9715
• ElasticsearchWriter: drop support for Elasticsearch < v7. #9812
• Consider a checkable unreachable once one Dependency fails.
  Previously all of them had to fail. (Consult the upgrading docs.) #8218
• API: reject config modifications during reload with HTTP status 503. #9445
• icinga2 daemon: to reduce config load time, write file needed by
  icinga2 object list only if --dump-objects is given. #9586 #9591
• Default email notification scripts: link to Icinga DB Web,
  not the monitoring module. (Consult the upgrading docs.) #9742 #9757
• API: for security reasons hide TicketSalt in /v1/variables. #7863

Icinga 2 Config DSL

• Disallow global variable modification after config commit start (i.e.
  inside object/apply T "x" { ... }) to reduce config load time. #9740
• Forbid Dependency cycles at config load time. #8389
• Allow only strings in the arrays Host#groups, Service#groups and
  User#groups. Needed for consistency, especially by the IDO. #9057
• Disallow empty object names. (They worked only partially anyway.) #9409

Windows Agent only

The official MSIs don't include the following features anymore.
They weren't intended, tested or needed on Windows and only waste build time,
bandwidth and disk space. Both new installations and upgrades are affected.

• ElasticsearchWriter #9704
• GelfWriter #9704
• GraphiteWriter #9704
• InfluxdbWriter and Influxdb2Writer #9704
• OpenTsdbWriter #9704
• PerfdataWriter #9704

We also don't ship the following files anymore.
(You can still obtain them manually.)

• NSCP.msi (NSClient++ installer) #9703
• doc/ (Icinga 2 markdown documentation) #9705

On the other hand MSIs are now 75% smaller than before.

Enhancements

• Significantly reduce config load time of large setups.
  #8118 #9555 #9557 #9572 #9577 #9603 #9608 #9627 #9648 #9657 #9662
• Allow to connect dependencies via redundancy groups. Only parents within
  one group are assumed to provide redundancy for each other. #8218
• Built-in check command ifw-api, communicates directly with the Icinga for
  Windows REST API. (Doesn't spawn a PowerShell process for that.) #9062
• JournaldLogger which logs to systemd journal. #9000
• API: POST /v1/objects: allow to discard some previously modified attributes,
  i.e. to restore the config files' values. #9783
• ElasticsearchWriter: support Elasticsearch v8. #9812
• Support $env.ENV_VAR_NAME$ macros. #8302
• Speed up Icinga DB config dump. #9524
• Default mail notification scripts: also print $host.notes$ and $service.notes$. #9713
• Enable built-in OpenSSL DH parameters to allow DHE TLS ciphers. #9811
• Clean up global default TLS cipher list to improve security. #9809
• Influxdb(2)Writer: write more precise timestamps (nanoseconds). #9599

Bugfixes

• Icinga DB feature: normalize several Redis data not to crash the Go daemon.
  #9772 #9775 #9792 #9793 #9794 #9805
• Fix parsing of perfdata across multiple lines in plugin output. #8969
• icinga check: fix last reload failure time. #8429 #9827
• Resolve macros inside custom vars of IcingaApplication. #9779
• SELinux: allow Icinga and its plugins to write to syslog. #9688
• ElasticsearchWriter: fix data buffer flush race condition during stop. #9810
• Trigger flexible downtimes not in the past if checkable is already down. #9726
• Send downtime expiration notifications immediately, not after up to a minute. #9726

Cluster

• Don't hang in timed out connection attempt. #9711 #9725
• Fix lost acknowledgements after re-connect. #9718
• cluster-zone check: don't complain about not connected
  other local zone members if there aren't any. #8595
• Allow agent to update executions delegated to it via /v1/actions/execute-command. #8627

API

• Disallow breaking inter-object relationships by changing
  relationship attributes at runtime, e.g. Service#host_name. #9407
• Correct several HTTP response status codes. #7958 #9354
• Correct Boolean field types previously reported by /v1/types as Number. #9514

CLI

• icinga2 daemon: fix -DConfiguration.Concurrency= flag
  which now allows to override the number of threads. #9643
• icinga2 node wizard: avoid unnecessary chown(2) which may fail and abort the wizard. #8744
• Correct several log messages. #8895 #8965 #9663

ITL

Add linux_netdev check command. #9045

Command Argument Changes

• disk: don't pass -m (disk_megabytes) by default. #9642
• disk: pass -X fuse.portal (disk_exclude_type) by default. #9459
• http: support multiple -k (http_header) as array. #8574
• icmp: double defaults for -w (icmp_wpl) and -c (icmp_cpl). #9041
• logfiles: pass --winwarncrit (logfiles_winwarncrit) without argument. #9056
• nwc_health: pass SNMPv3-only args only when using SNMPv3. #9095
• vmware-esx-dc-runtime-tools and vmware-esx-soap-vm-runtime-tools:
  rename --open-vm-tools to --open_vm_tools_ok (vmware_openvmtools). #9611

New Command Arguments

Command	Argument	Custom Variable	PR
disk	-P	disk_inode_perfdata	#9494
esxi_hardware	--format	esxi_hardware_format	#9435
esxi_hardware	--pretty	esxi_hardware_pretty	#9435
http	--verify-host	http_verify_host	#8005
icingacli-businessprocess	--ack-is-ok	icingacli_businessprocess_ackisok	#9103
icingacli-businessprocess	--blame	icingacli_businessprocess_blame	#9103
icingacli-businessprocess	--colors	icingacli_businessprocess_colors	#9103
icingacli-businessprocess	--downtime-is-ok	icingacli_businessprocess_downtimeisok	#9103
icingacli-businessprocess	--root-cause	icingacli_businessprocess_rootcause	#9103
mem	-a	mem_available	#9385
mongodb	--disable_retry_writes	mongodb_disableretrywrites	#9539
mongodb	--ssl-ca-cert-file	mongodb_ssl_ca_cert_file	#9610
mysql	--extra-opts	mysql_extra_opts	#9197
nrpe	-3	nrpe_version_3	#9296
nrpe	-D	nrpe_no_logging	#9016
nrpe	-P	nrpe_payload_size	#9032
pgsql	--extra-opts	pgsql_extra_opts	#9197
postgres	$PGCONTROLDATA (env. var.)	`postgres_pgcontroldata...