Skip to content

Version 4.1

Unreleased

Ansible

  • FEAT: Trigger Ansible playbook runs from the host UI with live output and per-host run history
  • FEAT: Modernized default Ansible roles for current OS versions
  • FEAT: Playbook Fire Rule outcome is a dropdown of cataloged playbooks
  • FEAT: Playbook catalog with friendly names and a .local override
  • FEAT: Preview button shows --check --diff against a host before triggering a real run
  • FEAT: Cross-module inventory provider registry — any plugin can register an inventory source
  • FEAT: Ansible Projects let teams scope inventories to subsets of hosts
  • FEAT: Project-centric Ansible workspace with auto-default project
  • FEAT: CLI moved under cmdbsyncer ansible … with backward-compat shims
  • FIX: Inventory URL now resolves at /api/v1/ansible/inventory/<provider>
  • FIX: ansible/inventory, ansible/inventory_single and ansible/cmk_server_inventory find the pip-installed cmdbsyncer on PATH instead of failing with "No such file or directory" when ansible/ lives at /opt/cmdbsyncer/ansible/, and they export CMDBSYNCER_CONFIG_DIR pointing at the shim's parent directory so the called CLI loads local_config.py regardless of ansible-playbook's cwd
  • FIX: Offline bundle install.sh no longer swallows the playbook copy when pip install fails — both steps run independently and report their own status, and ANSIBLE_TARGET is replaced by default (no more FORCE=1 dance for re-installs)

Hosts

  • FEAT: New "Inventory Tree" tab on the host detail page shows the full raw inventory tree per source, separate from the curated rule-engine inventory, with an "added / removed / changed since last import" diff banner
  • FEAT: Host list quick-search also matches inventory values
  • FEAT: Click the filter icon on a template badge in a host row to group all hosts that share that template
  • FEAT: CMDB template fields support Jinja and can reference the host's labels, inventory and HOSTNAME
  • FIX: Editing a CMDB template invalidates the rule-engine cache on every host that references it
  • FIX: Host list row icons (clone, history, debug) now show hover tooltips
  • FIX: CSV importer log entries carry filename, row counts, per-row errors and deleted-host count instead of Undefined
  • FIX: Bulk label edit and bulk template assignment fetch selected hosts in a single query
  • FEAT: Bulk actions return to the list page you came from with pagination, sort and filters intact
  • FEAT: Host Lifecycle states (Planned, Staged, Active, Decommissioned, Archived) with badge column, filter and bulk action
  • FEAT: Hosts no longer found on import are archived instead of hard-deleted; new Archive view with Restore and admin-only Hard Delete
  • FEAT: sys maintenance now archives stale hosts so they can still be inspected and restored
  • FEAT: Objects and Templates now expose the same Lifecycle column, filter and bulk actions as Hosts
  • FIX: Deleting a host from the UI archives it instead of dropping it from the database
  • FIX: Only Lifecycle "Active" hosts and objects are pushed to Checkmk, Netbox and other downstream syncers
  • FEAT: Per-account stale_after_days flags hosts as Stale when no import has touched them; optional auto_archive_when_stale archives them, new sys mark_stale ACCOUNT cron runs the check
  • FEAT: New "Permanently delete archived objects" user role gates the irreversible Hard Delete action in the Archive view
  • FEAT: Typed Host relations (depends_on, runs_on, member_of, parent_of, connects_to) with outgoing/inbound view in the Detail page (Impact Chain)
  • FEAT: First-class CI types Service and Location (in addition to Application) with default-field schemas operators can override
  • FIX: Bulk Label Edit refuses an empty value in Add mode and aborts on key drift instead of silently dropping unrelated labels
  • FEAT: New Data Quality dashboard with per-source counts, lifecycle distribution, possible duplicate hostnames and configured-but-empty CMDB fields
  • FEAT: Data Quality dashboard gained a KPI scorecard, per-object-type breakdown, most-missed-field ranking, silent-source detection, source-freshness badges and per-section CSV export
  • FEAT: Saved Searches on the Hosts list — capture the current filter / sort / search as a named preset (private or shared) and re-open it with one click
  • FEAT: Opt-in approval queue: list label keys in APPROVAL_REQUIRED_LABELS to send their UI edits through a four-eyes review (Approve/Reject) before they hit the host, with a navbar badge showing the pending count
  • REFACTOR: Removed the redundant available flag — Lifecycle state "Active" replaces it. Imports flip new hosts to active automatically; an explicit non-active state is preserved across re-imports
  • FIX: Outbound plugins (Checkmk groups/rules/DCD/downtimes/BI, Ansible filter debug, autorules) now consistently respect Lifecycle — only Active, non-archived hosts and objects are processed

Checkmk

  • FEAT: HW/SW Inventorize now stores the full Checkmk inventory tree per host under Host → Inventory Tree; only the configured paths are still promoted to Host.inventory for the rule engine
  • FIX: Rule, BI, DCD, downtime, group and folderpool exports skip CMDB template objects so a template host's labels never drive real rule conditions
  • FIX: export_rules reorder skips rulesets that use the default folder_index, uses CMK's actual rule_id field and surfaces reorder failures; rendered folder paths are normalised before being sent
  • FEAT: Rule-export progress labels spell out that the n/n counter is rulesets, not individual rules
  • FEAT: Rule Management list groups by ruleset with collapsible group headers
  • FEAT: Long ruleset names and templates wrap inside their card instead of overflowing the table
  • FEAT: New "Ruleset contains" filter with autocomplete from existing rulesets
  • FEAT: Quick-search on Rule Management matches name and ruleset
  • FIX: Saving a rule with outcomes that target different rulesets is rejected with a flash
  • FEAT: New "Manage Notification Rules" view exports notification rules to Checkmk 2.4 / 2.5 with cmdbsyncer checkmk export_notifications; admin edits are detected and corrected on the next run
  • FIX: Host debug page — clicking the "Setup Rules" group on a Checkmk host now expands its rule table (the space in the group name was breaking the collapse anchor)
  • FIX: HW/SW inventorize fetches the inventory tree via the REST API's host_mk_inventory Livestatus column instead of the legacy host_inv_api.py endpoint — works behind OIDC/SSO proxies that block the Multisite path. Parses both Checkmk 2.5's JSON blob and older releases' Python-repr blob. Each multiprocessing worker also gets its own MongoDB connection, and on failure the failing hostname, exception type and full traceback are reported instead of a misleading "Timeout error"

Jira

  • FEAT: Jira Cloud plugin can now export host fields to Jira Assets objects. Configure target object type and per-attribute field mapping (with autocomplete from the cached Jira schema) in Modules → Jira Cloud → Export Rules, run with cmdbsyncer jira sync_schema <account> and cmdbsyncer jira export_cloud <account>. Multiple rules let one run write to several object types; create-on-missing is opt-in and unchanged objects are not re-sent

API

  • FEAT: /api/v1/objects/<hostname>/relations reads, adds and removes typed Host relations (CMDB_MODE only)
  • FIX: /api/v1/objects/all rejects limit > 10000
  • FIX: /api/v1/rules/<type> logs corrupt rule documents instead of dropping them silently

Auth & Email

  • SEC: Webhook trigger tokens are stored as SHA-256 hashes; plaintext is shown once after generate/rotate
  • SEC: New "Regenerate webhook token on save" checkbox on the cron group form
  • SEC: Password-reset tokens use a UTC-safe clock so expiry works on non-UTC hosts
  • SEC: Forgot-password no longer leaks whether an email is registered via response time
  • FIX: SMTP errors are now logged instead of silently dropped
  • FIX: API login emits an audit event when a login string matches multiple users
  • FIX: Login form accepts bare usernames in addition to email addresses, so LDAP / Kerberos / Basic-Auth deployments where the user identifier is not an email can sign in instead of being rejected by the email-format validator
  • FEAT: New AUTH_DEBUG config switch (also exposed in the LDAP login preset) writes every step of the LDAP and remote_user login flow to Settings → Log, so a failed sign-in can be diagnosed without grepping container logs. Off by default; turn on temporarily and back off when done. No password is ever logged.
  • FEAT: Forgot-password page redesigned to match the login screen
  • FEAT: Password-reset email rebuilt as a branded HTML message with a clear CTA and 60-minute validity

UI

  • FIX: Host detail labels show "empty" instead of "NoneType" for missing values, and the "manual" origin badge is hidden when CMDB mode is off
  • FIX: Host Debug page, Host Relations graph, Host tabs, Ansible Project detail, Ansible Rule list and Ansible Playbook run picker honour the user theme — no more white-on-dark surfaces in Gruvbox Dark / Nord / Dracula
  • FEAT: Host Debug page can preview a Checkmk Setup Rule's outcomes (ruleset, folder, value, condition) against the selected host, with loop_over_list expanded per value
  • FEAT: Rule Preview on the Host Debug page now warns when the selected rule would not match the current host, including the first failing condition
  • FEAT: Host Debug page rules table now shows the matching condition for every hit, not just the first failing condition for misses
  • FEAT: Inline list editors gained a visible "remove entry" button on every card
  • FIX: Drag-and-drop reordering of inline list entries works on older Firefox (140+)
  • FEAT: Per-user theme picker under Account → Theme with Default, Gruvbox Dark, Gruvbox Light, Nord and Dracula
  • FEAT: Drop a .css file into plugins/themes/ to add your own theme to the picker
  • FEAT: Set Theme, Set 2FA and Change Password pages now keep the admin navigation
  • FIX: Settings → License menu entry is hidden on Community Edition installs (no enterprise package present), so admins are not pointed at a page with no upload form and an empty feature table
  • FIX: PyPI installs ship the bundled theme CSS files (Gruvbox Dark / Light, Nord, Dracula) so the theme picker actually shows themes other than Default
  • FIX: Log details and traceback boxes pick up theme colours so they no longer render as a half-white card on Gruvbox Dark / Nord / Dracula, and the key column inside the details sub-table is now explicitly transparent so it stops showing as white cells

Plugin runtime

  • FIX: HTTP sessions and CA-cert temp files are released even when a plugin's init fails

Setup

  • FEAT: cmdbsyncer sys self_configure now creates a default app.wsgi so PyPI installs can be served by Apache/mod_wsgi or uWSGI without writing one by hand
  • FIX: Edit local_config.py GUI now writes to the same local_config.py Python actually imports. PyPI installs previously wrote into site-packages instead of the deployment directory next to app.wsgi
  • FIX: local_config.py is now found reliably across PyPI console scripts, mod_wsgi / gunicorn and source checkouts — CRYPTOGRAPHY_KEY and friends are no longer silently None, so Account passwords decrypt correctly. A misplaced deployment now surfaces as a startup warning instead of failing silently
  • FIX: cmdbsyncer CLI searches $CMDBSYNCER_CONFIG_DIR, the venv parent directory and /etc/cmdbsyncer/ for local_config.py so the binary works regardless of the caller's working directory (cron / systemd / shell aliases). If no local_config.py is found the operator now sees a clear stderr message, and any later attempt to decrypt an Account password raises a readable CRYPTOGRAPHY_KEY is not set error instead of an opaque Fernet(None) traceback
  • FIX: PyPI installs now ship every plugin's plugin.json (was only the .py files), and the user plugins/ directory plus disabled_plugins.json next to app.wsgi are picked up correctly instead of being looked for inside site-packages
  • FEAT: Offline installation bundle always ships base, extras and ansible Python dependencies plus the default Ansible playbook collection, and the bundled install.sh deploys the playbooks to /opt/cmdbsyncer/ansible (override via ANSIBLE_TARGET, skip with SKIP_ANSIBLE=1, replace existing target with FORCE=1)
  • FEAT: New make release-pre target ships sequential pre-release builds (.devN / aN / bN / rcN) to PyPI without requiring a hand-edit before each upload; tools/build_offline_bundle.sh --syncer-version 4.1.0.dev3 --enterprise-version 0.3.9.dev1 pins the offline bundle to those pre-releases so QA can test them on air-gapped systems

Refactor

  • REFACTOR: application/views/host.py split into focused modules (widgets, filters, renderers)
  • REFACTOR: Plugin discovery walks the plugin packages once instead of twice at startup

Version 4.1.0

(Initial 4.1 release — entries currently live in the Unreleased section above. They get folded down into this section when the release is cut.)