Releases: Normation/rudder

9.0.0

24 Oct 11:59

New operating systems supported

Debian 13 and Red Hat Enterprise Linux/Rocky/AlmaLinux/Oracle Linux 10 are now fully supported by Rudder 9.0, both as server and agent OS.

Security benchmarks

The security benchmarks feature is officially out of beta, and comes with many improvements over the 8.3 version. They include a new visualization interface by benchmark, and a detailed view by item or by nodes.

CVE by group

The vulnerability management interface now allows filtering by group, making it easier to get an overview of the risk by categories of nodes.

Patch campaign hooks

It was already possible to run actions locally on the nodes before and after the upgrades. We added an additional mechanism, on the server side, with actions running globally for each patch management event. It is possible to trigger actions before the start of an event or after it has finished.

Technique editor

The interface was improved with a redesigned drag-and-drop behavior and other quality of life improvements.

CSV export for tables

We added CSV export to several tables in the interface, allowing easy reuse of Rudder data in other contexts (in addition to the HTTP API).

[Technical preview] HTTPS communication

It is now possible to use HTTPS for policy download on Linux. This allows disabling the custom protocol (by default on port 5309) and using only HTTPS for all communications.

When in HTTPS-only mode, a few features are disabled:

  • Remote run on Linux agents
  • Recursive file copies from the server
  • Relays require the rsync synchronization mode

This mode will become the default once the remaining limitations are lifted.

[Technical preview] Certificate validation

When in HTTPS-only mode, it is possible to switch all HTTPS communications to use standard certificate validation instead of the default pinning-based mode. It requires managing the HTTPS certificates with a user-managed PKI. The certificate authorities can be specific to Rudder or system-wide.

Improved template management

We introduced a versatile templating method, based on a multi-platform module running on both Linux and Windows agents. It allows using the existing template engines, mustache and jinja2, plus a new option, minijinja, which provides most jinja2 features with a fast native implementation, without external dependencies.

This method also allows passing a JSON object as data for the template, as an alternative to the global agent context.

It also improves reporting, with a diff-like display of changes and non-compliances.

Agent can run with /var mounted with noexec

It is now possible to run Linux agents on systems where the /var partition is mounted with the noexec option, as recommended by several hardening guides.
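
To confirm which nodes actually have this hardening in place, the following added example (not Rudder's own code) reports whether the filesystem holding a given path is mounted noexec, using the /proc/mounts format. The sample mount table and the path /var/example-agent are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the filesystem holding a path is mounted noexec.
# Input is in /proc/mounts format: device mountpoint fstype options dump pass.

# Print the mount point and options of the filesystem that holds $1.
# $2 is the mounts table to read (defaults to /proc/mounts).
mount_for_path() {
    awk -v path="$1" '
        {
            mp = $2
            # A mount point covers the path if it equals it, is "/", or is a
            # directory prefix of it ("/var" covers "/var/x", not "/variant").
            covers = (mp == path) || (mp == "/") || (index(path, mp "/") == 1)
            # ">=" lets a later entry win: it is the one stacked on top.
            if (covers && length(mp) >= best_len) {
                best_len = length(mp); best_mp = mp; best_opts = $4
            }
        }
        END { if (best_mp != "") print best_mp, best_opts }
    ' "${2:-/proc/mounts}"
}

# Succeed (exit 0) when the filesystem holding $1 carries the noexec option.
is_noexec() {
    opts=$(mount_for_path "$1" "$2" | awk '{print $2}')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample table (not from a real host): /var is a separate,
# hardened partition; /var/lib/docker is mounted on top of it without noexec.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-docker /var/lib/docker xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# Demo on the constructed table; /var/example-agent is a hypothetical path.
SAMPLE=$(mktemp)
sample_mounts > "$SAMPLE"
for p in /var/example-agent /var/lib/docker/overlay2 /variant /usr/bin; do
    if is_noexec "$p" "$SAMPLE"; then state="noexec"; else state="exec allowed"; fi
    echo "$p -> $(mount_for_path "$p" "$SAMPLE") [$state]"
done
rm -f "$SAMPLE"
```

Called with a single argument, is_noexec reads the live /proc/mounts of the host it runs on. Mount points containing spaces (escaped as \040 in that file) are not handled.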

Safer local passwords

The default hash algorithm is now argon2id, and bcrypt is still supported. Support for deprecated unsafe algorithms is dropped.

Under the hood

  • The strict Content-Security-Policy header configuration is now enabled everywhere.
  • The backend code base was migrated to Scala 3 (from 2.13 to 3.7).
  • The relayd daemon, written in Rust, was updated to the hyper 1.0 stack.
  • All Linux methods were migrated to a new reporting implementation based on stable unique identifiers, which will make UX improvements possible in future versions.

9.0.0.rc2

15 Oct 07:55

9.0.0.rc2 Pre-release

What's Changed

  • Fixes #27715: systemUpdate/targets requires a POST to get the list of nodes by @clarktsiory in #6646
  • Fixes #27734: hasPolicyServer group computation in deployment service should only include valid agents by @VinceMacBuche in #6648

Full Changelog: 9.0.0.rc1...9.0.0.rc2

9.0.0~rc1

15 Oct 07:54

9.0.0~rc1 Pre-release

What's Changed

  • Fixes #27684: Pin the typos-cli version by @amousset in #6637
  • Fixes #27683: Error with command_execution_results but everything looks ok by @m4rtinh4rt in #6638
  • Fixes #27612: Notifications hides the button by @RaphaelGauthier in #6633
  • Fixes #27625: Drag-and-drop icon appears when hovering a method over a block by @RaphaelGauthier in #6614
  • Fixes #27574: Post-hooks for campaigns should be executed even if pre-hooks are in failure by @fanf in #6611
  • Fixes #24486: The migrate button in directive pages is always displayed and often useless and ugly by @RaphaelGauthier in #6632
  • Fixes #27596: Multiple JS error on properties page by @RaphaelGauthier in #6619
  • Fixes #27703: Enforce proper permissions for policies in archive by @amousset in #6639
  • Fixes #27711: Enforce proper permissions for policies in archive - broken syntax by @amousset in #6640
  • Fixes #27564: Frozen method in the technique editor after reset of a draft by @RaphaelGauthier in #6623
  • Fixes #27663: add metadata to the GM of the modules by @m4rtinh4rt in #6630
  • Fixes #27639: Test the file_from_template_options method by @Fdall in #6624
  • Fixes #27604: Update onboarding documentations by @P4uline in #6621
  • Fixes #27713: "Close" button in API account modals uses the wrong CSS class by @RaphaelGauthier in #6643
  • Fixes #27717: fix warnings in commands module tests by @m4rtinh4rt in #6641
  • Fixes #27644: Rudder 9.0 Beta 2 : Error message when deleting technique in editor by @fanf in #6634
  • Fixes #27264: Random error after node-to-relay is applied and other dynamic group and node accepted by API problems by @fanf in #6608
  • Fixes #27725: fix supported_targets in augeas module metadata by @m4rtinh4rt in #6645

Full Changelog: 9.0.0.beta2...9.0.0.rc1

9.0.0~beta2

07 Oct 18:20

9.0.0~beta2 Pre-release

What's Changed

  • Fixes #27486: Add includeSystem parameter to filter system groups in API by @clarktsiory in #6574
  • Fixes #27384: Misleading format for parameter category in API by @ElaadF in #6572
  • Fixes #27538: Upmerge makes tests fail in 8.3 by @clarktsiory in #6589
  • Fixes #27539: Ignore adler advisory in 8.2 by @clarktsiory in #6590
  • Fixes #27544: Campaign hook readme is incorrect by @fanf in #6592
  • Fixes #27548: Allow empty string in JSON fields by @amousset in #6593
  • Fixes #27428: Missing migration for existing directives with the bad select input identifier by @VinceMacBuche in #6576
  • Fixes #27550: Incorrect serialization of the parameters passed by the command_execution_options method to its underlying module by @Fdall in #6594
  • Fixes #27459: Error trying to compile rudder-agent 8.3.4~git202508191033 on armhf Debian 13 trixie (libapt) by @amousset in #6595
  • Fixes #27498: Make group tree API not include system by default by @clarktsiory in #6579
  • Fixes #27553: Document how the services to restart and reboot state are computed by @amousset in #6597
  • Fixes #27551: Switch back to info for info logs by @amousset in #6596
  • Fixes #27523: Port the file from shared folder method on Linux to allow HTTPS by @amousset in #6591
  • Fixes #27531: Return categoryId in JSON groups API by @clarktsiory in #6587
  • Fixes #27456: Inherited properties API change in parent by @VinceMacBuche in #6588
  • Fixes #27578: Nodes server list can no longer be exported to CSV by @clarktsiory in #6601
  • Fixes #27561: Plugins error callouts width are same as title width by @clarktsiory in #6598
  • Fixes #27577: Nodes table has CSP error with column containing JSON property by @clarktsiory in #6602
  • Fixes #27584: Allow using a different certificate for server usage by @amousset in #6603
  • Fixes #27587: Allow a deeper SSLVerifyDepth by @amousset in #6605
  • Fixes #27568: Better logging for custom promise type protocol when a CFEngine request is malformed by @Fdall in #6600
  • Fixes #27594: Error at rudder-server Debian 12 install in 9.0-nightly - Could not retrieve the UUID of the policy server by @amousset in #6609
  • Fixes #26637: System info API changed format in v21 and needs new documentation by @P4uline in #6607
  • Fixes #27615: XSS vulnerability in ammonia dep by @amousset in #6612
  • Fixes #27620: We need latest cargo deny to check licenses by @amousset in #6613
  • Fixes #27598: The command module should avoid using custom parsing methods for lists by @Fdall in #6610
  • Fixes #27627: [Regression] Rudder 9.0 Beta 2 : sysctl generic method causes apparent repair loops by @Fdall in #6617
  • Fixes #27588: Copy button on first login page for creating user not working anymore by @RaphaelGauthier in #6606
  • Fixes #27638: Scala compilation should happen in maven compile phase by @fanf in #6622
  • Fixes #27636: The file_from_template_options method should accept inline JSON in its data field by @Fdall in #6620
  • Fixes #27622: Password setting from standard user technique fails after upgrade to Rudder 9.0 Beta 2 by @Fdall in #6616
  • Fixes #27595: In technique editor the number of techniques is under "techniques" big title by @RaphaelGauthier in #6615
  • Fixes #27585: Test the command_execution_options generic method by @Fdall in #6604
  • Fixes #27649: APT agents are built without apt support in system-updates by @amousset in #6626
  • Fixes #27646: Document the file_from_template_options method by @Fdall in #6625
  • Fixes #27651: add uid/gid lookup by name for the commands module by @m4rtinh4rt in #6627
  • Fixes #27659: Typo in rudder-web.properties by @amousset in #6628
  • Fixes #27662: Use agent cert for HTTP in CA mode by @amousset in #6629
  • Fixes #27674: Inconsistency in campaigneventstate between init and DB migration by @fanf in #6635

Full Changelog: 9.0.0.beta1...9.0.0.beta2

8.3.5

02 Oct 20:51

A small release, mainly motivated by a bug that prevented update campaigns on Debian-like systems other than Debian 13.

🐛 Bug fixes

  • System update campaigns now work again on Debian (prior to Debian 13) and Ubuntu systems
  • Some techniques had missing reporting (aptPackageManagerSettings ...)
  • More optimistic score on benchmarks, and some missing score displays added
  • Fifteen fixes in the Windows agent

8.3.4

02 Oct 20:38

A quite important release: around 60 issues fixed in Rudder, and 60 more in plugins. It was quite a long time between 8.3.3 and 8.3.4 (almost 2 months), with important changes in the CVE and security benchmarks plugins, and we added Debian 13 support.

🆕 Features

  • Add Debian 13 support (agent and server)
  • Remove the need to update the CVE database in the related plugin
  • New flag to filter system groups in system API
  • Lots of improvements to the security benchmark user interface (new reporting/scoring, new dashboard ...)

🔧 Maintenance

  • Security update of webapp/relay dependencies

🐛 Bug fix

  • Lots of fixes in the Windows agent (25 issues fixed)
  • Fix detection of vulnerabilities (adapt to changes in our remote detection server)
  • Lots of small UI fixes
  • Ignored nodes were still counted in score display (dashboard ...)

8.2.9

02 Oct 14:43

A near-EOL patch release, mostly light bug fixes and security updates of dependencies.

🔧 Maintenance

  • Security update of webapp/relay dependencies

🐛 Bug fix

  • Missing dependencies on the RHEL 6 agent
  • Missing enable/disable button for groups
  • Small UI fixes (hover compliance, error in properties, fixes in user management, event logs ...)

9.0.0~beta1

07 Oct 18:19

9.0.0~beta1 Pre-release

First beta release of the 9.0 branch. It can now be installed on test platforms in a quite reliable state.

What's Changed

  • Fixes #27329: Move the graph creation functions from homepage.js to another js file. by @RaphaelGauthier in #6536
  • Fixes #27358: Add an ID for node details tab content container by @fanf in #6538
  • Fixes #27305: Add all nodes certificate behind policy server in nodescerts.pem by @fanf in #6535
  • Fixes #27167: When the component value of a method is too long, the reporting can be missing by @amousset in #6542
  • Fixes #27239: When a technique is enabled, the directive page button to disable it is way too exposed by @RaphaelGauthier in #6537
  • Fixes #27367: Log restarted services by @amousset in #6544
  • Fixes #27371: Quiet option still show spinner in rudder package by @amousset in #6545
  • Fixes #27365: Allow per-hook-kind logger by @fanf in #6543
  • Fixes #25361: Event logs restore button creates as many confirmation blocks as clicks by @RaphaelGauthier in #6539
  • Fixes #26855: Security updates not applied on Debian 12, but campaign ends without error by @amousset in #6546
  • Fixes #27381: Fixing rudder_module_type.yml for the template module by @m4rtinh4rt in #6548
  • Fixes #27379: Users cleanup configuration is still too strict for disabling/deleting by @fanf in #6547
  • Fixes #27363: Constraint doesn't allow to change variable by @amousset in #6551
  • Fixes #27386: There is no explanation as to why Save button is disabled by @RaphaelGauthier in #6550
  • Fixes #27364: Add a generic json codec for enumeratum by @fanf in #6541
  • Fixes #27370: Dashboard will not display charts when switching between benchmarks by @clarktsiory in #6553
  • Fixes #27369: Nodes API payload for agentKey has the wrong JSON format by @fanf in #6549
  • Fixes #27391: Make doughnut graphs accessible and manipulable by @RaphaelGauthier in #6554
  • Fixes #26767: by @clarktsiory in #6515
  • Fixes #27400: Remove unused promises from rudderc generated techniques by @Fdall in #6557
  • Fixes #27402: We need to resolve directory real path in our path traversal check by @fanf in #6558
  • Fixes #26883: Add campaign hooks in the campaign workflow engine by @fanf in #6556
  • Fixes #27392: Refactor campaign service so that it's testable by @fanf in #6555
  • Fixes #27081: Update to last version of Scala 3 by @fanf in #6448
  • Fixes #27404: Finish Rust dependency update by @amousset in #6560
  • Fixes #27437: Ignore CVEs for icu4j by @clarktsiory in #6563
  • Fixes #27438: Allow building with newer APT versions by @amousset in #6564
  • Fixes #27310: User management API permissions in responses are empty when not updating them by @clarktsiory in #6562
  • Fixes #27449: Fix spotless in 27310 by @clarktsiory in #6567
  • Fixes #27450: Fix the rudder_info! macro to make it usable in audit mode by @m4rtinh4rt in #6568
  • Fixes #27448: Fix audit bug for the template module by @m4rtinh4rt in #6566
  • Fixes #27469: fix broken agent installation on CI by @m4rtinh4rt in #6569
  • Fixes #27218: Adding command module by @m4rtinh4rt in #6506
  • Fixes #27387: Cannot delete a technique from technique tree with grayed screen by @RaphaelGauthier in #6571
  • Fixes #27412: Using Cons for big lists can blow the compiler stack and prevent scala project compilation entirely by @mbaechler in #6561
  • Fixes #22595: Move & update AuthorizationType into rudder-core by @clarktsiory in #6570
  • Fixes #26813: No manual when a filter for methods in the technique editor right panel by @RaphaelGauthier in #6577
  • Fixes #26718: When the JSON property is invalid in global properties, the error is nasty by @clarktsiory in #6578
  • Fixes #27515: File_from_template_options fails to render a file when using a custom data as source by @Fdall in #6581
  • Fixes #27446: Ignored nodes should be excluded from compliance and score processing by @VinceMacBuche in #6565
  • Fixes #27086: Change validation method to find steps need to know if user has rights by @clarktsiory in #6453
  • Fixes #27519: Vulnerability in tracing by @amousset in #6582
  • Fixes #27112: Hosts table contains local ipv6 address by @fanf in #6583
  • Fixes #27522: Fix logs for users configuration properties with a duration by @clarktsiory in #6584
  • Fixes #27451: Allow configuring the HTTPS certificates by @amousset in #6575
  • Fixes #27524: Missing install of apache template by @amousset in #6586
  • Fixes #27521: User API update documentation is incorrect by @fanf in #6585

Full Changelog: 9.0.0.alpha1-1...9.0.0.beta1

9.0.0~alpha1

07 Oct 18:17

9.0.0~alpha1 Pre-release

First pre-release of the 9.0 branch. Details of features will be given in the 9.0.0 releases.

What's Changed

  • Fixes #26169: License information and credentials management in plugins API by @clarktsiory in #6123
  • Fixes #26505: Adds the template module to the CI by @m4rtinh4rt in #6238
  • Feat 26507: add a cli to the template module by @m4rtinh4rt in #6240
  • Fixes #26513: makes agent template module compile on windows by @m4rtinh4rt in #6241
  • Fixes 26517: Adds diff to report in template module by @m4rtinh4rt in #6244
  • Fixes #26527: Adding a parameter to hide diffs in the report of the template module by @m4rtinh4rt in #6246
  • Fixes #26588: Use 8.3 package in 9.0 tests for now by @amousset in #6270
  • Fixes #26567: Adding support for calling Jinja2 from python in template module by @m4rtinh4rt in #6263
  • Fixes #26614: Adding Ansible compatible filters for minijinja engine by @m4rtinh4rt in #6283
  • Fixes #26732: Migrate methods to logger v4 by @amousset in #6319
  • Fixes #26714: Migrate WorkflowService to use ZIO by @skaerg in #6320
  • Fixes #26848: Updating rust-mustache dependency by @m4rtinh4rt in #6347
  • Fixes #26736: Port to log v4 and test more legacy methods by @Fdall in #6322
  • Fixes #26870: Allow LGPL license 2.1 dependencies by @Fdall in #6355
  • Fixes #26865: Clean-up insertion in ruddersysevents by @fanf in #6352
  • Fixes #26872: Advisories in Rust deps by @amousset in #6358
  • Fixes #26884: Change default template engine to Minijinja by @m4rtinh4rt in #6361
  • Fixes #26853: Migration from Box to ZIO : Refactoring of classes ChangeRequest and ModificationValidationPopup by @skaerg in #6350
  • Fixes #26887: Compatibility fix for scala 3 in Rudder 9.0 by @fanf in #6363
  • Fixes #26792: Update scala dependencies by @VinceMacBuche in #6337
  • Fixes #26914: fixing windows compatibility for the template module by @m4rtinh4rt in #6377
  • Fixes #26866: Port technique API to lift-json into zio-json by @fanf in #6353
  • Fixes #26861: Migration from Box to ZIO : Refactor XmlUnserialisation by @skaerg in #6357
  • Fixes #26930: Adding a Windows runner from GitHub Actions to the template module by @m4rtinh4rt in #6387
  • Fixes #26921: Improve drag'n drop ergonomics in the techniques editor by @RaphaelGauthier in #6382
  • Fixes #26859: Port more generic methods to logger v4 by @Fdall in #6351
  • Fixes #26971: Adding audit flag to the CLI by @m4rtinh4rt in #6400
  • Fixes #26998: Assigning permissions to GitHub Actions by @m4rtinh4rt in #6409
  • Fixes #27006: Update jgit to last version against XXE by @fanf in #6411
  • Fixes #26901: Removing test_generic_methods.py:TestNcfBundles.test_methods_should_have_only_one_agent_bundle by @m4rtinh4rt in #6372
  • Fixes #27014: Deprecated method in chimney by @fanf in #6416
  • Fixes #27012: Scala3 - reorganize imports, clean unused values by @fanf in #6415
  • Fixes #27016: Scala3: port RestDataExtractorTest to ZIO by @fanf in #6417
  • Fixes #26746: Migrate user methods to logger v4 by @VinceMacBuche in #6326
  • Fixes #27009: Adding documentation for the template module by @m4rtinh4rt in #6412
  • Fixes #26934: Enable CSP on all pages and add tag to exclude a page by @clarktsiory in #6394
  • Fixes #27044: Port the permissions_user_acl_absent and permissions_user_acl_present methods to logger v4 by @Fdall in #6434
  • Fixes #27057: Make ncf compatible with old and new path of modules by @peckpeck in #6438
  • Fixes #27061: Rudder server depends on cf-promises being in old path by @peckpeck in #6439
  • Fixes #27065: double path in parent code by @peckpeck in #6440
  • Fixes #27074: rpmvercmp can be called from its old path by @peckpeck in #6443
  • Fixes #27066: Updating Rust dependencies and compiler version by @m4rtinh4rt in #6441
  • Fixes #27034: Switch to Scala 3 by @fanf in #6421
  • Fixes #27031: Export node inventories tables into CSV by @clarktsiory in #6420
  • Fixes #27094: Improving the clarity of error messages in the template module. by @m4rtinh4rt in #6455
  • Fixes #27098: Missing webapp dependency by @fanf in #6457
  • Fixes #27104: Update chartjs version to 4 by @clarktsiory in #6458
  • Fixes #27107: Still missing cats-effect-std_3 by @fanf in #6459
  • Fixes #27083: Updating Rust dependencies by @m4rtinh4rt in #6449
  • Fixes #27047: Export technical logs table into CSV by @clarktsiory in #6435
  • Fixes #27096: Export change logs table into CSV by @clarktsiory in #6456
  • Fixes #27122: Fix warnings in augeas module by @amousset in #6464
  • Fixes #27118: Update the api doc toolchain by @amousset in #6462
  • Fixes #27147: Enable fatal warning and disable variable initialization check by @fanf in #6473
  • Fixes #27157: Add .scala.semanticdb in gitignore by @fanf in #6478
  • Fixes #26996: Add argon2id support for local hash by @amousset in #6407
  • Fixes #27168: Updating Rust version and dependencies by @m4rtinh4rt in #6481
  • Fixes #27173: Add and Remove/deprecate API for Rudder 9.0 - version 22 by @fanf in #6484
  • Fixes #27128: Drop support for legacy password hash algorithms by @amousset in #6483
  • Fixes #27174: CA list is not initialized at installation by @peckpeck in #6485
  • Fixes #27103: Update front-end dependencies by @clarktsiory in #6460
  • Fixes #27138: Add apache configuration to publish policy archives by @peckpeck in #6471
  • Fixes #27204: Add the x86_64-pc-windows-gnu cross compilation target to the rust toolchain by @Fdall in #6494
  • Fixes #27198: Remove deprecated Windows versions from the technique editor by @amousset in #6488
  • Fixes #27153: Add types to campaign event data structures by @fanf in #6476
  • Fixes #27207: Add makefile for the inventory module by @amousset in #6498
  • Fixes #27038: Remove the old methods test framework in 9.0 by @Fdall in #6472
  • Fixes #27210: fix build after 27184 upmerge by @VinceMacBuche in #6499
  • Fixes #26942: Add new settings to handle certificate trust by @fanf in #6395
  • Fixes #27217: Syntax error in the upmerge of parent ticket by @Fdall in #6501
  • Fixes #27084: Enforce UTC timezone for datetime by @fanf in #6452
  • Fixes #27145: Creating global parameter with change-validation enabled leads to 404 by @skaerg in #6490
  • Fixes #27234: Upmerge of user API definition breaks with Scala 3 by @clarktsiory in #6507
  • Fixes #27236: Warning for unsafe hashes is not relevant in 9.0 by @clarktsiory in #6508
  • Fixes #27230: Adding linux generic method for the template module by @m4rtinh4rt in #6504
  • Fixes #27265: Synchronize scalafmt with plugins need by @fanf in #6516
  • Fixes #27269: We must specify magnolia version, else it conflicts on difflicious by @fanf in #6517
  • Fixes #27272: Export pending nodes tables into CSV by @clarktsiory in #6518
  • Fixes #27213: Allow to distribute Linux policies in tar.gz by @fanf in #6500
  • Fixes #27274: Migrate the ChangeRequestDetails snippet from Scala/lift to Elm...
8.3.3

17 Jul 14:16

🆕 Features

  • Add Windows support to the Audit from osquery generic method
  • Do not send CA list on client authentication
  • Improved rudder agent update performance
  • Add a generic method to retrieve more than one file shared by other nodes
  • Add a new agent command to reset package cache

🔧 Maintenance

  • Update curl version to 8.14.1
  • Update openssl version to 3.0.16
  • Security update of webapp dependencies

🐛 Bug fix

  • libpq may be missing on rudder-relay on Alma8
  • Define the "suse" system condition on SLED systems
  • Add a global warning and alert banner in user management with unsafe hashes
  • History API ignores 'before' and 'order' keywords
  • Event logs rollback does not work anymore
  • Technique editor conditions do not differentiate between Alma/Rocky and CentOS
  • Incorrect java dependency on AL2023
  • Several small UI improvements