Merge pull request #9950 from Icinga/probot/sync-changelog/support/2.14/9fa41f3b4fbae83d4ca5bbfce4771031b6bd1fa4

CHANGELOG.md: add v2.13.9
2025-04-08 17:05:25 +02:00 · 2023-12-20 17:30:01 +01:00 · 2023-12-20 16:27:56 +00:00 · 2023-12-20 17:27:43 +01:00 · 2023-12-20 12:44:07 +01:00 · 2023-12-20 12:40:41 +01:00
226 changed files with 3567 additions and 5954 deletions
--- a/.github/ISSUE_TEMPLATE/release.md
+++ b/.github/ISSUE_TEMPLATE/release.md
@ -1,48 +0,0 @@
---
-name: '[INTERNAL] Release'
-about: Release a version
-title: 'Release Version v$version'
-labels: ''
-assignees: ''
-
---
-
-# Release Workflow
-
- [ ] Update `ICINGA2_VERSION`
- [ ] Update bundled Windows dependencies
- [ ] Harden global TLS defaults (consult https://ssl-config.mozilla.org)
- [ ] Update `CHANGELOG.md`
- [ ] Create and push a signed tag for the version
- [ ] Build and release DEB and RPM packages
- [ ] Build and release Windows packages
- [ ] Merge dependency updates in https://github.com/Icinga/docker-icinga2/pulls
- [ ] Create release on GitHub
- [ ] Update public docs
- [ ] Announce release
-
-## Update Bundled Windows Dependencies
-
-### Update packages.icinga.com
-
-Add the latest Boost and OpenSSL versions to
-https://packages.icinga.com/windows/dependencies/, e.g.:
-
-* https://master.dl.sourceforge.net/project/boost/boost-binaries/1.82.0/boost_1_82_0-msvc-14.2-64.exe
-* https://master.dl.sourceforge.net/project/boost/boost-binaries/1.82.0/boost_1_82_0-msvc-14.2-32.exe
-* https://slproweb.com/download/Win64OpenSSL-3_0_9.exe
-* https://slproweb.com/download/Win32OpenSSL-3_0_9.exe
-
-### Update Build Server, CI/CD and Documentation
-
-* [doc/win-dev.ps1](doc/win-dev.ps1) (also affects CI/CD)
-* [tools/win32/configure.ps1](tools/win32/configure.ps1)
-* [tools/win32/configure-dev.ps1](tools/win32/configure-dev.ps1)
-
-### Re-provision Build Server
-
-Even if there aren't any new releases of dependencies with versions
-hardcoded in the repos and files listed above (Boost, OpenSSL).
-There may be new build versions of other dependencies (VS, MSVC).
-Our GitHub actions (tests) use the latest ones automatically,
-but the GitLab runner (release packages) doesn't.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,7 +0,0 @@
-version: 2
-updates:
-
- package-ecosystem: github-actions
-  directory: /
-  schedule:
-    interval: daily
--- a/.github/workflows/alpine-bash.Dockerfile
+++ b/.github/workflows/alpine-bash.Dockerfile
@ -1,8 +0,0 @@
-# This Dockerfile is used in the linux job for Alpine Linux.
-#
-# As the linux.bash script is, in fact, a bash script and Alpine does not ship
-# a bash by default, the "alpine:bash" container will be built using this
-# Dockerfile in the GitHub Action.
-
-FROM alpine:3
-RUN ["apk", "--no-cache", "add", "bash"]
--- a/.github/workflows/authors-file.yml
+++ b/.github/workflows/authors-file.yml
@ -20,8 +20,8 @@ jobs:
          sort -uo AUTHORS AUTHORS
          git add AUTHORS
          git log --format='format:%aN <%aE>' "$(
-            git merge-base HEAD^1 HEAD^2
-          )..HEAD^2" >> AUTHORS
+            git merge-base "origin/$GITHUB_BASE_REF" "origin/$GITHUB_HEAD_REF"
+          )..origin/$GITHUB_HEAD_REF" >> AUTHORS
          sort -uo AUTHORS AUTHORS
          git diff AUTHORS >> AUTHORS.diff

--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -5,6 +5,7 @@ on:
  push:
    branches:
      - master
+      - 'support/*'
  release:
    types:
      - published
--- a/.github/workflows/linux.bash
+++ b/.github/workflows/linux.bash
@ -1,33 +1,19 @@
 #!/bin/bash
 set -exo pipefail

-export PATH="/usr/lib/ccache/bin:/usr/lib/ccache:/usr/lib64/ccache:$PATH"
+export PATH="/usr/lib/ccache:/usr/lib64/ccache:/opt/rh/devtoolset-11/root/usr/bin:$PATH"
 export CCACHE_DIR=/icinga2/ccache
 export CTEST_OUTPUT_ON_FAILURE=1
-CMAKE_OPTS=()
+CMAKE_OPTS=''

 case "$DISTRO" in
-  alpine:*)
-    # Packages inspired by the Alpine package, just
-    # - LibreSSL instead of OpenSSL 3 and
-    # - no MariaDB or libpq as they depend on OpenSSL.
-    # https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/community/icinga2/APKBUILD
-    apk add bison boost-dev ccache cmake flex g++ libedit-dev libressl-dev ninja-build tzdata
-    ln -vs /usr/lib/ninja-build/bin/ninja /usr/local/bin/ninja
-
-    # This test fails due to some glibc/musl mismatch regarding timezone PST/PDT.
-    # - https://www.openwall.com/lists/musl/2024/03/05/2
-    # - https://gitlab.alpinelinux.org/alpine/aports/-/blob/b3ea02e2251451f9511086e1970f21eb640097f7/community/icinga2/disable-failing-tests.patch
-    sed -i '/icinga_legacytimeperiod\/dst$/d' /icinga2/test/CMakeLists.txt
-    ;;
-
  amazonlinux:2)
    amazon-linux-extras install -y epel
-    yum install -y bison ccache cmake3 gcc-c++ flex ninja-build system-rpm-config \
+    yum install -y bison ccache cmake3 gcc-c++ flex ninja-build \
      {libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel

    yum install -y bzip2 tar wget
-    wget https://archives.boost.io/release/1.69.0/source/boost_1_69_0.tar.bz2
+    wget https://boostorg.jfrog.io/artifactory/main/release/1.69.0/source/boost_1_69_0.tar.bz2
    tar -xjf boost_1_69_0.tar.bz2

    (
@ -38,30 +24,38 @@ case "$DISTRO" in

    ln -vs /usr/bin/cmake3 /usr/local/bin/cmake
    ln -vs /usr/bin/ninja-build /usr/local/bin/ninja
-    CMAKE_OPTS+=(-DBOOST_{INCLUDEDIR=/boost_1_69_0,LIBRARYDIR=/boost_1_69_0/stage/lib})
+    CMAKE_OPTS='-DBOOST_INCLUDEDIR=/boost_1_69_0 -DBOOST_LIBRARYDIR=/boost_1_69_0/stage/lib'
    export LD_LIBRARY_PATH=/boost_1_69_0/stage/lib
    ;;

  amazonlinux:20*)
-    dnf install -y amazon-rpm-config bison cmake flex gcc-c++ ninja-build \
+    dnf install -y bison cmake flex gcc-c++ ninja-build \
      {boost,libedit,mariadb1\*,ncurses,openssl,postgresql,systemd}-devel
    ;;

+  centos:*)
+    yum install -y centos-release-scl epel-release
+    yum install -y bison ccache cmake3 devtoolset-11-gcc-c++ flex ninja-build \
+      {boost169,libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
+
+    ln -vs /usr/bin/cmake3 /usr/local/bin/cmake
+    ln -vs /usr/bin/ccache /usr/lib64/ccache/g++
+    CMAKE_OPTS='-DBOOST_INCLUDEDIR=/usr/include/boost169 -DBOOST_LIBRARYDIR=/usr/lib64/boost169'
+    ;;
+
  debian:*|ubuntu:*)
    apt-get update
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-{recommends,suggests} -y \
-      bison ccache cmake dpkg-dev flex g++ ninja-build tzdata \
-      lib{boost-all,edit,mariadb,ncurses,pq,ssl,systemd}-dev
+    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-{recommends,suggests} -y bison \
+      ccache cmake flex g++ lib{boost-all,edit,mariadb,ncurses,pq,ssl,systemd}-dev ninja-build tzdata
    ;;

  fedora:*)
-    dnf install -y bison ccache cmake flex gcc-c++ ninja-build redhat-rpm-config \
+    dnf install -y bison ccache cmake flex gcc-c++ ninja-build \
      {boost,libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
    ;;

-  *suse*)
-    zypper in -y bison ccache cmake flex gcc-c++ ninja rpm-config-SUSE \
-      {lib{edit,mariadb,openssl},ncurses,postgresql,systemd}-devel \
+  opensuse/*)
+    zypper in -y bison ccache cmake flex gcc-c++ ninja {lib{edit,mariadb,openssl},ncurses,postgresql,systemd}-devel \
      libboost_{context,coroutine,filesystem,iostreams,program_options,regex,system,test,thread}-devel
    ;;

@ -77,38 +71,24 @@ case "$DISTRO" in
        ;;
    esac

-    dnf install -y bison ccache cmake gcc-c++ flex ninja-build redhat-rpm-config \
+    dnf install -y bison ccache cmake gcc-c++ flex ninja-build \
      {boost,libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
    ;;
 esac

-case "$DISTRO" in
-  alpine:*)
-    CMAKE_OPTS+=(-DUSE_SYSTEMD=OFF -DICINGA2_WITH_MYSQL=OFF -DICINGA2_WITH_PGSQL=OFF)
-    ;;
-  debian:*|ubuntu:*)
-    CMAKE_OPTS+=(-DICINGA2_LTO_BUILD=ON)
-    source <(dpkg-buildflags --export=sh)
-    ;;
-  *)
-    CMAKE_OPTS+=(-DCMAKE_{C,CXX}_FLAGS="$(rpm -E '%{optflags} %{?march_flag}')")
-    export LDFLAGS="$(rpm -E '%{?build_ldflags}')"
-    ;;
-esac
-
 mkdir /icinga2/build
 cd /icinga2/build

 cmake \
  -GNinja \
-  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+  -DCMAKE_BUILD_TYPE=Release \
  -DICINGA2_UNITY_BUILD=ON \
  -DUSE_SYSTEMD=ON \
  -DICINGA2_USER=$(id -un) \
  -DICINGA2_GROUP=$(id -gn) \
-  "${CMAKE_OPTS[@]}" ..
+  $CMAKE_OPTS ..

-ninja -v
+ninja

 ninja test
 ninja install
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@ -13,7 +13,7 @@ concurrency:

 jobs:
  linux:
-    name: ${{ matrix.distro }}${{ matrix.platform != 'linux/amd64' && format(' ({0})', matrix.platform) || '' }}
+    name: ${{ matrix.distro }}
    runs-on: ubuntu-latest

    strategy:
@ -21,46 +21,24 @@ jobs:
      max-parallel: 2
      matrix:
        distro:
-          # Alpine Linux to build Icinga 2 with LibreSSL, OpenBSD's default.
-          # The "alpine:bash" image will be built below based on "alpine:3".
-          - alpine:bash
-
          - amazonlinux:2
          - amazonlinux:2023
-
-          # Raspberry Pi OS is close enough to Debian to test just one of them.
-          # Its architecture is different, though, and covered by the Docker job.
-          - debian:11
-          - debian:12
-
+          - centos:7 # and RHEL 7
+          - debian:10
+          - debian:11 # and Raspbian 11
+          - debian:12 # and Raspbian 12
+          - fedora:37
+          - fedora:38
          - fedora:39
-          - fedora:40
-          - fedora:41
-
-          - opensuse/leap:15.5
-          - opensuse/leap:15.6
-
-          # We don't actually support Rocky Linux as such!
-          # We just use that RHEL clone to test the original.
-          - rockylinux:8
-          - rockylinux:9
-
-          - registry.suse.com/suse/sle15:15.5
-          - registry.suse.com/suse/sle15:15.6
-
+          - opensuse/leap:15.3 # SLES 15.3
+          - opensuse/leap:15.4 # and SLES 15.4
+          - opensuse/leap:15.5 # and SLES 15.5
+          - rockylinux:8 # RHEL 8
+          - rockylinux:9 # RHEL 9
          - ubuntu:20.04
          - ubuntu:22.04
-          - ubuntu:24.04
-          - ubuntu:24.10
-
-        platform:
-          - linux/amd64
-
-        include:
-          - distro: debian:11
-            platform: linux/386
-          - distro: debian:12
-            platform: linux/386
+          - ubuntu:23.04
+          - ubuntu:23.10

    steps:
      - name: Checkout HEAD
@ -72,13 +50,7 @@ jobs:
          path: ccache
          key: ccache/${{ matrix.distro }}

-      - name: Build Alpine Docker Image
-        if: "matrix.distro == 'alpine:bash'"
-        run: >-
-          docker build --file .github/workflows/alpine-bash.Dockerfile
-          --tag alpine:bash `mktemp -d`
-
-      - name: Build Icinga
+      - name: Build
        run: >-
          docker run --rm -v "$(pwd):/icinga2" -e DISTRO=${{ matrix.distro }}
-          --platform ${{ matrix.platform }} ${{ matrix.distro }} /icinga2/.github/workflows/linux.bash
+          ${{ matrix.distro }} /icinga2/.github/workflows/linux.bash
--- a/.github/workflows/rpm.yml
+++ b/.github/workflows/rpm.yml
@ -0,0 +1,116 @@
+name: .rpm
+
+on:
+  push:
+    branches:
+      - master
+      - 'support/*'
+  pull_request: {}
+
+concurrency:
+  group: rpm-${{ github.event_name == 'push' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  rpm:
+    name: .rpm (${{ matrix.distro.name }}, ${{ matrix.distro.release }})
+
+    strategy:
+      fail-fast: false
+      max-parallel: 1
+      matrix:
+        distro:
+          - name: sles
+            release: '12.5'
+            subscription: true
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Vars
+        id: vars
+        env:
+          GITLAB_RO_TOKEN: '${{ secrets.GITLAB_RO_TOKEN }}'
+        run: |
+          if [ ${{ matrix.distro.subscription }} = true ]; then
+            if [ "$(tr -d '\n' <<<"$GITLAB_RO_TOKEN" |wc -c)" -eq 0 ]; then
+              echo '::set-output name=CAN_BUILD::false'
+              echo '::set-output name=NEED_LOGIN::false'
+            else
+              echo '::set-output name=CAN_BUILD::true'
+              echo '::set-output name=NEED_LOGIN::true'
+            fi
+          else
+            echo '::set-output name=CAN_BUILD::true'
+            echo '::set-output name=NEED_LOGIN::false'
+          fi
+
+      - name: Checkout HEAD
+        if: "steps.vars.outputs.CAN_BUILD == 'true'"
+        uses: actions/checkout@v1
+
+      - name: Login
+        if: "steps.vars.outputs.NEED_LOGIN == 'true'"
+        env:
+          GITLAB_RO_TOKEN: '${{ secrets.GITLAB_RO_TOKEN }}'
+        run: |
+          docker login registry.icinga.com -u github-actions --password-stdin <<<"$GITLAB_RO_TOKEN"
+
+      - name: rpm-icinga2
+        if: "steps.vars.outputs.CAN_BUILD == 'true' && !matrix.distro.subscription"
+        run: |
+          set -exo pipefail
+          git clone https://git.icinga.com/packaging/rpm-icinga2.git
+          chmod o+w rpm-icinga2
+
+      - name: subscription-rpm-icinga2
+        if: "steps.vars.outputs.CAN_BUILD == 'true' && matrix.distro.subscription"
+        env:
+          GITLAB_RO_TOKEN: '${{ secrets.GITLAB_RO_TOKEN }}'
+        run: |
+          set -exo pipefail
+          git config --global credential.helper store
+          cat <<EOF >~/.git-credentials
+          https://github-actions:${GITLAB_RO_TOKEN}@git.icinga.com
+          EOF
+          git clone https://git.icinga.com/packaging/subscription-rpm-icinga2.git rpm-icinga2
+          chmod o+w rpm-icinga2
+
+      - name: Restore/backup ccache
+        if: "steps.vars.outputs.CAN_BUILD == 'true'"
+        id: ccache
+        uses: actions/cache@v1
+        with:
+          path: rpm-icinga2/ccache
+          key: |-
+            ${{ matrix.distro.name }}/${{ matrix.distro.release }}-ccache-${{ hashFiles('rpm-icinga2/ccache') }}
+
+      - name: Binary
+        if: "steps.vars.outputs.CAN_BUILD == 'true'"
+        run: |
+          set -exo pipefail
+          git checkout -B master
+          if [ -e rpm-icinga2/ccache ]; then
+            chmod -R o+w rpm-icinga2/ccache
+          fi
+          docker run --rm \
+            -v "$(pwd)/rpm-icinga2:/rpm-icinga2" \
+            -v "$(pwd)/.git:/icinga2.git:ro" \
+            -w /rpm-icinga2 \
+            -e ICINGA_BUILD_PROJECT=icinga2 \
+            -e ICINGA_BUILD_TYPE=snapshot \
+            -e UPSTREAM_GIT_URL=file:///icinga2.git \
+            registry.icinga.com/build-docker/${{ matrix.distro.name }}/${{ matrix.distro.release }} \
+            icinga-build-package
+
+      - name: Test
+        if: "steps.vars.outputs.CAN_BUILD == 'true'"
+        run: |
+          set -exo pipefail
+          docker run --rm \
+            -v "$(pwd)/rpm-icinga2:/rpm-icinga2" \
+            -w /rpm-icinga2 \
+            -e ICINGA_BUILD_PROJECT=icinga2 \
+            -e ICINGA_BUILD_TYPE=snapshot \
+            registry.icinga.com/build-docker/${{ matrix.distro.name }}/${{ matrix.distro.release }} \
+            icinga-build-test
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@ -25,24 +25,29 @@ jobs:

    env:
      BITS: '${{ matrix.bits }}'
-      CMAKE_BUILD_TYPE: RelWithDebInfo
+      ICINGA_BUILD_TYPE: snapshot
+      UPSTREAM_GIT_URL: file://D:/a/icinga2/icinga2/.git

    steps:
      - name: Checkout HEAD
        uses: actions/checkout@v1

+      - name: windows-icinga2
+        run: |
+          git clone https://git.icinga.com/packaging/windows-icinga2.git
+
      - name: Build tools
        run: |
-          Set-PSDebug -Trace 1
          & .\doc\win-dev.ps1

-      - name: Binary
+      - name: Source
        run: |
-          Set-PSDebug -Trace 1
-          & .\tools\win32\load-vsenv.ps1
-          & powershell.exe .\tools\win32\configure.ps1
-          if ($LastExitCode -ne 0) { throw "Error during configure" }
-          & powershell.exe .\tools\win32\build.ps1
-          if ($LastExitCode -ne 0) { throw "Error during build" }
-          & powershell.exe .\tools\win32\test.ps1
-          if ($LastExitCode -ne 0) { throw "Error during test" }
+          git checkout -B master
+          cd windows-icinga2
+          & .\source.ps1
+
+      - name: Binary
+        working-directory: windows-icinga2
+        run: |
+          New-Item -ItemType Directory -Path 'C:\Program Files\Icinga2\WillBeRemoved' -ErrorAction SilentlyContinue
+          & .\build.ps1
--- a/.mailmap
+++ b/.mailmap
@ -1,7 +1,6 @@
 <alexander.klimov@icinga.com> <alexander.klimov@netways.de>
 Alexander A. Klimov <alexander.klimov@icinga.com> <alexander.klimov@icinga.com>
 <alexander.klimov@icinga.com> <grandmaster@al2klimov.de>
-Alexander A. Klimov <alexander.klimov@icinga.com> <al2klimov@gmail.com>
 <assaf@aikilinux.com> <assaf.flatto@livepopuli.com>
 <atj@pulsewidth.org.uk> <adam.james@transitiv.co.uk>
 <bernd.erk@icinga.com> <bernd.erk@icinga.org>
--- a/14
+++ b/14
@ -21,7 +21,6 @@ Andres Ivanov <andres@andres.wtf>
 Andrew Jaffie <ajaffie@gmail.com>
 Andrew Meyer <ameyer+secure@nodnetwork.org>
 Andy Grunwald <andygrunwald@gmail.com>
-Angel Roman <angel.r.roman77@gmail.com>
 Ant1x <37016240+Ant1x@users.noreply.github.com>
 Arnd Hannemann <arnd@arndnet.de>
 Assaf Flatto <assaf@aikilinux.com>
@ -53,7 +52,6 @@ Christian Gut <cycloon@is-root.org>
 Christian Harke <ch.harke@gmail.com>
 Christian Jonak <christian@jonak.org>
 Christian Lehmann <christian_lehmann@gmx.de>
-Christian Lauf <github.com@christian-lauf.info>
 Christian Loos <cloos@netsandbox.de>
 Christian Schmidt <github@chsc.dk>
 Christopher Peterson <3893680+cspeterson@users.noreply.github.com>
@ -74,7 +72,6 @@ Denis <zaharden@gmail.com>
 Dennis Lichtenthäler <dennis.lichtenthaeler@stiftung-tannenhof.de>
 dh.harald <dh.harald@gmail.com>
 Diana Flach <diana.flach@icinga.com>
-Didier 'OdyX' Raboud <didier.raboud@liip.ch>
 Dinesh Majrekar <dinesh.majrekar@serverchoice.com>
 Dirk Goetz <dirk.goetz@icinga.com>
 Dirk Melchers <dirk@dirk-melchers.de>
@ -137,7 +134,6 @@ Jochen Friedrich <j.friedrich@nwe.de>
 Johannes Meyer <johannes.meyer@icinga.com>
 Jonas Meurer <jonas@freesources.org>
 Jordi van Scheijen <jordi.vanscheijen@solvinity.com>
-Josef Friedrich <josef@friedrich.rocks>
 Joseph L. Casale <jcasale@activenetwerx.com>
 jre3brg <jorge.rebelo@pt.bosch.com>
 Julian Brost <julian.brost@icinga.com>
@ -165,7 +161,6 @@ Luca Lesinigo <luca@lm-net.it>
 Lucas Bremgartner <breml@users.noreply.github.com>
 Lucas Fairchild-Madar <lucas.madar@gmail.com>
 Luiz Amaral <luiz.amaral@innogames.com>
-Maciej Dems <maciej.dems@p.lodz.pl>
 Magnus Bäck <magnus@noun.se>
 Maik Stuebner <maik@stuebner.info>
 Malte Rabenseifner <mail@malte-rabenseifner.de>
@ -212,9 +207,7 @@ mocruz <mocruz@theworkshop.com>
 Muhammad Mominul Huque <nahidbinbaten1995@gmail.com>
 nemtrif <ntrifunovic@hotmail.com>
 Nicolai <nbuchwitz@users.noreply.github.com>
-Nicolas Berens <nicolas.berens@planet.com>
 Nicolas Limage <github@xephon.org>
-Nicolas Rodriguez <nico@nicoladmin.fr>
 Nicole Lang <nicole.lang@icinga.com>
 Niflou <dubuscyr@gmail.com>
 Noah Hilverling <noah.hilverling@icinga.com>
@ -228,7 +221,6 @@ Patrick Dolinic <pdolinic@netways.de>
 Patrick Huy <frz@frz.cc>
 Paul Denning <paul.denning@dimensiondata.com>
 Paul Richards <paul@minimoo.org>
-Pavel Motyrev <legioner.r@gmail.com>
 Pawel Szafer <pszafer@gmail.com>
 Per von Zweigbergk <pvz@itassistans.se>
 Peter Eckel <6815386+peteeckel@users.noreply.github.com>
@ -242,7 +234,7 @@ pv2b <pvz@pvz.pp.se>
 Ralph Breier <ralph.breier@roedl.com>
 Reto Zeder <reto.zeder@arcade.ch>
 Ricardo Bartels <ricardo@bitchbrothers.com>
-Richard Mortimer <richm@oldelvet.org.uk>
+RincewindsHat <12514511+RincewindsHat@users.noreply.github.com>
 Rinck H. Sonnenberg <r.sonnenberg@netson.nl>
 Robert Lindgren <robert.lindgren@gmail.com>
 Robert Scheck <robert@fedoraproject.org>
@ -259,7 +251,6 @@ Sascha Westermann <sascha.westermann@hl-services.de>
 Sebastian Brückner <mail@invlid.com>
 Sebastian Chrostek <sebastian@chrostek.net>
 Sebastian Eikenberg <eikese@mail.uni-paderborn.de>
-Sebastian Grund <s.grund@openinfrastructure.de>
 Sebastian Marsching <sebastian-git-2016@marsching.com>
 Silas <67681686+Tqnsls@users.noreply.github.com>
 Simon Murray <spjmurray@yahoo.co.uk>
@ -280,7 +271,6 @@ Sven Wegener <swegener@gentoo.org>
 sysadt <sysadt@protonmail.com>
 T. Mulyana <nothinux@gmail.com>
 teclogi <27726999+teclogi@users.noreply.github.com>
-Theo Buehler <tb@openbsd.org>
 Thomas Forrer <thomas.forrer@wuerth-phoenix.com>
 Thomas Gelf <thomas.gelf@icinga.com>
 Thomas Niedermeier <tniedermeier@thomas-krenn.com>
@ -288,7 +278,6 @@ Thomas Widhalm <thomas.widhalm@icinga.com>
 Tim Hardeck <thardeck@suse.de>
 Tim Weippert <weiti@weiti.eu>
 Timo Buhrmester <van.fstd@gmail.com>
-Tobias Bauriedel <tobias.bauriedel@netways.de>
 Tobias Birnbaum <osterd@gmx.de>
 Tobias Deiminger <haxtibal@posteo.de>
 Tobias von der Krone <tobias.vonderkrone@profitbricks.com>
@ -303,7 +292,6 @@ Winfried Angele <winfried.angele@gmail.com>
 Wolfgang Nieder <wnd@gmx.net>
 XnS <git@xns.be>
 Yannick Charton <tontonitch-pro@yahoo.fr>
-Yannick Martin <yannick.martin@ovhcloud.com>
 Yohan Jarosz <yohanjarosz@yahoo.fr>
 Yonas Habteab <yonas.habteab@icinga.com>
 Zachary McGibbon <zachary.mcgibbon@gmail.com>
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,24 +7,6 @@ documentation before upgrading to a new release.

 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).

-## 2.14.3 (2024-11-12)
-
-This security release fixes a TLS certificate validation bypass.
-Given the severity of that issue, users are advised to upgrade all nodes immediately.
-
-* Security: fix TLS certificate validation bypass. CVE-2024-49369
-* Security: update OpenSSL shipped on Windows to v3.0.15.
-* Windows: sign MSI packages with a certificate the OS trusts by default.
-
-## 2.14.2 (2024-01-18)
-
-Version 2.14.2 is a hotfix release for master nodes that mainly
-fixes excessive disk usage caused by the InfluxDB writers.
-
-* InfluxDB: truncate timestamps to whole seconds to save disk space. #9969
-* HttpServerConnection: log request processing time as well. #9970
-* Update Boost shipped on Windows to v1.84. #9970
-
 ## 2.14.1 (2023-12-21)

 Version 2.14.1 is a hotfix release for masters and satellites that mainly
@ -243,15 +225,6 @@ Add `linux_netdev` check command. #9045
 * Several code quality improvements. #8815 #9106 #9250
  #9508 #9517 #9537 #9594 #9605 #9606 #9641 #9658 #9702 #9717 #9738

-## 2.13.10 (2024-11-12)
-
-This security release fixes a TLS certificate validation bypass.
-Given the severity of that issue, users are advised to upgrade all nodes immediately.
-
-* Security: fix TLS certificate validation bypass. CVE-2024-49369
-* Security: update OpenSSL shipped on Windows to v3.0.15.
-* Windows: sign MSI packages with a certificate the OS trusts by default.
-
 ## 2.13.9 (2023-12-21)

 Version 2.13.9 is a hotfix release for masters and satellites that mainly
@ -985,15 +958,6 @@ Thanks to all contributors:
  * Code quality fixes
  * Small documentation fixes

-## 2.11.12 (2024-11-12)
-
-This security release fixes a TLS certificate validation bypass.
-Given the severity of that issue, users are advised to upgrade all nodes immediately.
-
-* Security: fix TLS certificate validation bypass. CVE-2024-49369
-* Security: update OpenSSL shipped on Windows to v3.0.15.
-* Windows: sign MSI packages with a certificate the OS trusts by default.
-
 ## 2.11.11 (2021-08-19)

 The main focus of these versions is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter.
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -1,12 +1,17 @@
 # Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+

-# CMake 3.8 is required, CMake policy compatibility was verified up to 3.17.
-cmake_minimum_required(VERSION 3.8...3.17)
+cmake_minimum_required(VERSION 2.8.12)
 set(BOOST_MIN_VERSION "1.66.0")

-set(CMAKE_CXX_STANDARD 17)
-set(CMAKE_CXX_STANDARD_REQUIRED ON)
-set(CMAKE_CXX_EXTENSIONS OFF)
+if("${CMAKE_VERSION}" VERSION_LESS "3.8") # SLES 12.5
+  if(NOT MSVC)
+    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++17")
+  endif()
+else()
+  set(CMAKE_CXX_STANDARD 17)
+  set(CMAKE_CXX_STANDARD_REQUIRED ON)
+  set(CMAKE_CXX_EXTENSIONS OFF)
+endif()

 project(icinga2)
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
@ -18,10 +23,6 @@ if(NOT CMAKE_BUILD_TYPE)
    FORCE)
 endif()

-# Include symbols in executables so that function names can be printed in stack traces, for example in crash dumps.
-set(CMAKE_ENABLE_EXPORTS ON) # Added in CMake 3.4
-set(CMAKE_EXECUTABLE_ENABLE_EXPORTS ON) # Added in CMake 3.27 and supersedes the above one.
-
 if(WIN32)
  set(ICINGA2_MASTER OFF)
 else()
@ -185,21 +186,21 @@ add_definitions(-DBOOST_FILESYSTEM_NO_DEPRECATED)
 add_definitions(-DBOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT)

 link_directories(${Boost_LIBRARY_DIRS})
-include_directories(SYSTEM ${Boost_INCLUDE_DIRS})
+include_directories(${Boost_INCLUDE_DIRS})

 find_package(OpenSSL REQUIRED)
-include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR})
+include_directories(${OPENSSL_INCLUDE_DIR})

 set(base_DEPS ${CMAKE_DL_LIBS} ${Boost_LIBRARIES} ${OPENSSL_LIBRARIES})
 set(base_OBJS $<TARGET_OBJECTS:mmatch> $<TARGET_OBJECTS:socketpair> $<TARGET_OBJECTS:base>)

 # JSON
 find_package(JSON)
-include_directories(SYSTEM ${JSON_INCLUDE})
+include_directories(${JSON_INCLUDE})

 # UTF8CPP
 find_package(UTF8CPP)
-include_directories(SYSTEM ${UTF8CPP_INCLUDE})
+include_directories(${UTF8CPP_INCLUDE})

 find_package(Editline)
 set(HAVE_EDITLINE "${EDITLINE_FOUND}")
@ -222,23 +223,22 @@ endif()

 if(EDITLINE_FOUND)
  list(APPEND base_DEPS ${EDITLINE_LIBRARIES})
-  include_directories(SYSTEM ${EDITLINE_INCLUDE_DIR})
+  include_directories(${EDITLINE_INCLUDE_DIR})
 endif()

 if(TERMCAP_FOUND)
  list(APPEND base_DEPS ${TERMCAP_LIBRARIES})
-  include_directories(SYSTEM ${TERMCAP_INCLUDE_DIR})
+  include_directories(${TERMCAP_INCLUDE_DIR})
 endif()

 if(WIN32)
  list(APPEND base_DEPS ws2_32 dbghelp shlwapi msi)
 endif()

+set(CMAKE_MACOSX_RPATH 1)
 set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_RPATH};${CMAKE_INSTALL_FULL_LIBDIR}/icinga2")

 if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Winconsistent-missing-override")
-
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Qunused-arguments -fcolor-diagnostics -fno-limit-debug-info")
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Qunused-arguments -fcolor-diagnostics -fno-limit-debug-info")

@ -256,8 +256,6 @@ if(CMAKE_C_COMPILER_ID STREQUAL "SunPro")
 endif()

 if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wsuggest-override")
-
  if(CMAKE_SYSTEM_NAME MATCHES AIX)
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -lpthread")
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -lpthread")
@ -367,7 +365,6 @@ check_function_exists(vfork HAVE_VFORK)
 check_function_exists(backtrace_symbols HAVE_BACKTRACE_SYMBOLS)
 check_function_exists(pipe2 HAVE_PIPE2)
 check_function_exists(nice HAVE_NICE)
-check_function_exists(malloc_info HAVE_MALLOC_INFO)
 check_library_exists(dl dladdr "dlfcn.h" HAVE_DLADDR)
 check_library_exists(execinfo backtrace_symbols "" HAVE_LIBEXECINFO)
 check_include_file_cxx(cxxabi.h HAVE_CXXABI_H)
@ -509,7 +506,6 @@ set(CPACK_WIX_UI_DIALOG "${CMAKE_CURRENT_SOURCE_DIR}/icinga-installer/dlgbmp.bmp
 set(CPACK_WIX_PATCH_FILE "${CMAKE_CURRENT_BINARY_DIR}/icinga-installer/icinga2.wixpatch.Debug")
 set(CPACK_WIX_PATCH_FILE "${CMAKE_CURRENT_BINARY_DIR}/icinga-installer/icinga2.wixpatch")
 set(CPACK_WIX_EXTENSIONS "WixUtilExtension" "WixNetFxExtension")
-set(CPACK_WIX_INSTALL_SCOPE NONE)

 set(CMAKE_INSTALL_SYSTEM_RUNTIME_DESTINATION "sbin")
 set(CMAKE_INSTALL_UCRT_LIBRARIES TRUE)
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-Version: 2.14.0
+Version: 2.14.1
 Revision: 1
--- a/RELEASE.md
+++ b/RELEASE.md
@ -0,0 +1,421 @@
+# Release Workflow <a id="release-workflow"></a>
+
+#### Table of Content
+
+- [1. Preparations](#preparations)
+  - [1.1. Issues](#issues)
+  - [1.2. Backport Commits](#backport-commits)
+  - [1.3. Windows Dependencies](#windows-dependencies)
+- [2. Version](#version)
+- [3. Changelog](#changelog)
+- [4. Git Tag](#git-tag)
+- [5. Package Builds](#package-builds)
+  - [5.1. RPM Packages](#rpm-packages)
+  - [5.2. DEB Packages](#deb-packages)
+- [6. Build Server](#build-infrastructure)
+- [7. Release Tests](#release-tests)
+- [8. GitHub Release](#github-release)
+- [9. Docker](#docker)
+- [10. Post Release](#post-release)
+  - [10.1. Online Documentation](#online-documentation)
+  - [10.2. Announcement](#announcement)
+  - [10.3. Project Management](#project-management)
+
+## Preparations <a id="preparations"></a>
+
+Specify the release version.
+
+```bash
+VERSION=2.11.0
+```
+
+Add your signing key to your Git configuration file, if not already there.
+
+```
+vim $HOME/.gitconfig
+
+[user]
+        email = michael.friedrich@icinga.com
+        name = Michael Friedrich
+        signingkey = D14A1F16
+```
+
+### Issues <a id="issues"></a>
+
+Check issues at https://github.com/Icinga/icinga2
+
+### Backport Commits <a id="backport-commits"></a>
+
+For minor versions you need to manually backports any and all commits from the
+master branch which should be part of this release.
+
+### Windows Dependencies <a id="windows-dependencies"></a>
+
+In contrast to Linux, the bundled Windows dependencies
+(at least Boost and OpenSSL) aren't updated automatically.
+(Neither by Icinga administrators, nor at package build time.)
+
+To ensure the upcoming Icinga release ships the latest (i.e. most secure) dependencies on Windows:
+
+#### Update packages.icinga.com
+
+Add the latest Boost and OpenSSL versions to
+https://packages.icinga.com/windows/dependencies/ like this:
+
+```
+localhost:~$ ssh aptly.vm.icinga.com
+aptly:~$ sudo -i
+aptly:~# cd /var/www/html/aptly/public/windows/dependencies
+aptly:dependencies# wget https://master.dl.sourceforge.net/project/boost/boost-binaries/1.76.0/boost_1_76_0-msvc-14.2-64.exe
+aptly:dependencies# wget https://master.dl.sourceforge.net/project/boost/boost-binaries/1.76.0/boost_1_76_0-msvc-14.2-32.exe
+aptly:dependencies# wget https://slproweb.com/download/Win64OpenSSL-1_1_1k.exe
+aptly:dependencies# wget https://slproweb.com/download/Win32OpenSSL-1_1_1k.exe
+```
+
+#### Ensure Compatibility
+
+Preferably on a fresh Windows VM (not to accidentally build Icinga
+with old dependency versions) setup a dev environment using the new dependency versions:
+
+1. Download [doc/win-dev.ps1](doc/win-dev.ps1)
+2. Edit your local copy, adjust the dependency versions
+3. Ensure there are 35 GB free space on C:
+4. Run the following in an administrative Powershell:
+   1. `Enable-WindowsOptionalFeature -FeatureName "NetFx3" -Online`
+      (reboot when asked!)
+   2. `powershell -NoProfile -ExecutionPolicy Bypass -File "${Env:USERPROFILE}\Downloads\win-dev.ps1"`
+      (will take some time)
+
+Actually clone and build Icinga using the new dependency versions as described
+[here](https://github.com/Icinga/icinga2/blob/master/doc/21-development.md#tldr).
+Fix incompatibilities if any.
+
+#### Update Build Server, CI/CD and Documentation
+
+* https://git.icinga.com/infra/ansible-windows-build
+  (don't forget to provision!)
+* [doc/21-development.md](doc/21-development.md)
+* [doc/win-dev.ps1](doc/win-dev.ps1)
+  (also affects CI/CD)
+* [tools/win32/configure.ps1](tools/win32/configure.ps1)
+* [tools/win32/configure-dev.ps1](tools/win32/configure-dev.ps1)
+
+#### Re-provision Build Server
+
+Even if there aren't any new releases of dependencies with versions
+hardcoded in the repos and files listed above (Boost, OpenSSL).
+There may be new build versions of other dependencies (VS, MSVC).
+Our GitHub actions (tests) use the latest ones automatically,
+but the GitLab runner (release packages) doesn't.
+
+
+## Version <a id="version"></a>
+
+Update the version:
+
+```bash
+perl -pi -e "s/Version: .*/Version: $VERSION/g" ICINGA2_VERSION
+```
+
+## Changelog <a id="changelog"></a>
+
+Choose the most important issues and summarize them in multiple groups/paragraphs. Provide links to the mentioned
+issues/PRs. At the start include a link to the milestone's closed issues.
+
+
+## Git Tag  <a id="git-tag"></a>
+
+```bash
+git commit -v -a -m "Release version $VERSION"
+```
+
+Create a signed tag (tags/v<VERSION>) on the `master` branch (for major
+releases) or the `support` branch (for minor releases).
+
+```bash
+git tag -s -m "Version $VERSION" v$VERSION
+```
+
+Push the tag:
+
+```bash
+git push origin v$VERSION
+```
+
+**For major releases:** Create a new `support` branch:
+
+```bash
+git checkout master
+git push
+
+git checkout -b support/2.12
+git push -u origin support/2.12
+```
+
+
+## Package Builds  <a id="package-builds"></a>
+
+```bash
+mkdir $HOME/dev/icinga/packaging
+cd $HOME/dev/icinga/packaging
+```
+
+### RPM Packages  <a id="rpm-packages"></a>
+
+```bash
+git clone git@git.icinga.com:packaging/rpm-icinga2.git && cd rpm-icinga2
+```
+
+### DEB Packages <a id="deb-packages"></a>
+
+```bash
+git clone git@git.icinga.com:packaging/deb-icinga2.git && cd deb-icinga2
+```
+
+### Raspbian Packages
+
+```bash
+git clone git@git.icinga.com:packaging/raspbian-icinga2.git && cd raspbian-icinga2
+```
+
+### Windows Packages
+
+```bash
+git clone git@git.icinga.com:packaging/windows-icinga2.git && cd windows-icinga2
+```
+
+
+### Branch Workflow
+
+For each support branch in this repo (e.g. support/2.12), there exists a corresponding branch in the packaging repos
+(e.g. 2.12). Each package revision is a tagged commit on these branches. When doing a major release, create the new
+branch, otherweise switch to the existing one.
+
+
+### Switch Build Type
+
+Ensure that `ICINGA_BUILD_TYPE` is set to `release` in `.gitlab-ci.yml`. This should only be necessary after creating a
+new branch.
+
+```yaml
+variables:
+  ...
+  ICINGA_BUILD_TYPE: release
+  ...
+```
+
+Commit the change.
+
+```bash
+git commit -av -m "Switch build type for 2.13"
+```
+
+#### RPM Release Preparations
+
+Set the `Version`, `revision` and `%changelog` inside the spec file:
+
+```
+perl -pi -e "s/Version:.*/Version:        $VERSION/g" icinga2.spec
+
+vim icinga2.spec
+
+%changelog
+* Thu Sep 19 2019 Michael Friedrich <michael.friedrich@icinga.com> 2.11.0-1
+- Update to 2.11.0
+```
+
+#### DEB and Raspbian Release Preparations
+
+Update file `debian/changelog` and add at the beginning:
+
+```
+icinga2 (2.11.0-1) icinga; urgency=medium
+
+  * Release 2.11.0
+
+ -- Michael Friedrich <michael.friedrich@icinga.com>  Thu, 19 Sep 2019 10:50:31 +0200
+```
+
+
+#### Windows Release Preparations
+
+Update the file `.gitlab-ci.yml`:
+
+```
+perl -pi -e "s/^  UPSTREAM_GIT_BRANCH: .*/  UPSTREAM_GIT_BRANCH: v$VERSION/g" .gitlab-ci.yml
+perl -pi -e "s/^  ICINGA_FORCE_VERSION: .*/  ICINGA_FORCE_VERSION: v$VERSION/g" .gitlab-ci.yml
+```
+
+
+### Release Commit
+
+Commit the changes and push the branch.
+
+```bash
+git commit -av -m "Release $VERSION-1"
+git push origin 2.11
+```
+
+GitLab will now build snapshot packages based on the tag `v2.11.0` of Icinga 2.
+
+### Package Tests
+
+In order to test the created packages you can download a job's artifacts:
+
+Visit [git.icinga.com](https://git.icinga.com/packaging/rpm-icinga2)
+and navigate to the respective pipeline under `CI / CD -> Pipelines`.
+
+There click on the job you want to download packages from.
+
+The job's output appears. On the right-hand sidebar you can browse its artifacts.
+
+Once there, navigate to `build/RPMS/noarch` where you'll find the packages.
+
+### Release Packages
+
+To build release packages and upload them to [packages.icinga.com](https://packages.icinga.com)
+tag the release commit and push it.
+
+RPM/DEB/Raspbian:
+
+```bash
+git tag -s $VERSION-1 -m "Release v$VERSION-1"
+git push origin $VERSION-1
+```
+
+Windows:
+
+```bash
+git tag -s $VERSION -m "Release v$VERSION"
+git push origin $VERSION
+```
+
+
+Now cherry pick the release commit to `master` so that the changes are transferred back to it.
+
+**Attention**: Only the release commit. *NOT* the one switching the build type!
+
+
+## Build Infrastructure <a id="build-infrastructure"></a>
+
+https://git.icinga.com/packaging/rpm-icinga2/pipelines
+https://git.icinga.com/packaging/deb-icinga2/pipelines
+https://git.icinga.com/packaging/windows-icinga2/pipelines
+https://git.icinga.com/packaging/raspbian-icinga2/pipelines
+
+* Verify package build changes for this version.
+* Test the snapshot packages for all distributions beforehand.
+
+Once the release repository tags are pushed, release builds
+are triggered and automatically published to packages.icinga.com
+
+## Release Tests  <a id="release-tests"></a>
+
+* Test DB IDO with MySQL and PostgreSQL.
+* Provision the vagrant boxes and test the release packages.
+* Test the [setup wizard](https://packages.icinga.com/windows/) inside a Windows VM.
+* Start a new docker container and install/run icinga2.
+
+### CentOS
+
+```bash
+docker run -ti centos:7 bash
+
+yum -y install https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
+yum -y install epel-release
+yum -y install icinga2
+icinga2 daemon -C
+```
+
+### Ubuntu
+
+```bash
+docker run -ti ubuntu:bionic bash
+
+apt-get update
+apt-get -y install apt-transport-https wget gnupg
+
+wget -O - https://packages.icinga.com/icinga.key | apt-key add -
+
+. /etc/os-release; if [ ! -z ${UBUNTU_CODENAME+x} ]; then DIST="${UBUNTU_CODENAME}"; else DIST="$(lsb_release -c| awk '{print $2}')"; fi; \
+ echo "deb https://packages.icinga.com/ubuntu icinga-${DIST} main" > \
+ /etc/apt/sources.list.d/${DIST}-icinga.list
+ echo "deb-src https://packages.icinga.com/ubuntu icinga-${DIST} main" >> \
+ /etc/apt/sources.list.d/${DIST}-icinga.list
+
+apt-get update
+
+apt-get -y install icinga2
+icinga2 daemon -C
+```
+
+
+## GitHub Release  <a id="github-release"></a>
+
+Create a new release for the newly created Git tag: https://github.com/Icinga/icinga2/releases
+
+> Hint: Choose [tags](https://github.com/Icinga/icinga2/tags), pick one to edit and
+> make this a release. You can also create a draft release.
+
+The release body should contain a short changelog, with links
+into the roadmap, changelog and blogpost.
+
+
+## Post Release  <a id="post-release"></a>
+
+### Online Documentation  <a id="online-documentation"></a>
+
+> Only required for major releases.
+
+Navigate to `puppet-customer/icinga.git` and do the following steps:
+
+#### Testing
+
+```bash
+git checkout testing && git pull
+vim files/var/www/docs/config/icinga2-latest.yml
+
+git commit -av -m "icinga-web: Update docs for Icinga 2"
+
+git push
+```
+
+SSH into the webserver and do a manual Puppet dry run with the testing environment.
+
+```bash
+puppet agent -t --environment testing --noop
+```
+
+Once succeeded, continue with production deployment.
+
+#### Production
+
+```bash
+git checkout master && git pull
+git merge testing
+git push
+```
+
+SSH into the webserver and do a manual Puppet run from the production environment (default).
+
+```bash
+puppet agent -t
+```
+
+#### Manual Generation
+
+SSH into the webserver or ask @bobapple.
+
+```bash
+cd /usr/local/icinga-docs-tools && ./build-docs.rb -c /var/www/docs/config/icinga2-latest.yml
+```
+
+### Announcement  <a id="announcement"></a>
+
+* Create a new blog post on [icinga.com/blog](https://icinga.com/blog) including a featured image
+* Create a release topic on [community.icinga.com](https://community.icinga.com)
+* Release email to net-tech & team
+
+### Project Management  <a id="project-management"></a>
+
+* Add new minor version on [GitHub](https://github.com/Icinga/icinga2/milestones).
--- a/config.h.cmake
+++ b/config.h.cmake
@ -8,7 +8,6 @@
 #cmakedefine HAVE_LIBEXECINFO
 #cmakedefine HAVE_CXXABI_H
 #cmakedefine HAVE_NICE
-#cmakedefine HAVE_MALLOC_INFO
 #cmakedefine HAVE_EDITLINE
 #cmakedefine HAVE_SYSTEMD

--- a/doc/01-about.md
+++ b/doc/01-about.md
@ -67,3 +67,4 @@ Read more about development builds in the [development chapter](21-development.m
 Icinga 2 and the Icinga 2 documentation are licensed under the terms of the GNU
 General Public License Version 2. You will find a copy of this license in the
 LICENSE file included in the source package.
+
--- a/doc/02-installation.md
+++ b/doc/02-installation.md
@ -14,16 +14,9 @@ In case you are upgrading an existing setup, please ensure to
 follow the [upgrade documentation](16-upgrading-icinga-2.md#upgrading-icinga-2).
 <!-- {% else %} -->

-<!-- {% if not windows %} -->
 ## Add Icinga Package Repository <a id="add-icinga-package-repository"></a>

-We recommend using our official repositories.
-
-All the following commands should be executed as the root user.
-As pipes and nested commands are used, it is recommended to switch to a root user session, e.g., using `sudo -i`.
-
-Here's how to add it to your system:
-<!-- {% endif %} -->
+We recommend using our official repositories. Here's how to add it to your system:

 <!-- {% if debian %} -->

@ -31,13 +24,9 @@ Here's how to add it to your system:

 ```bash
 apt update
-apt -y install apt-transport-https wget
+apt -y install apt-transport-https wget gnupg

-wget -O icinga-archive-keyring.deb "https://packages.icinga.com/icinga-archive-keyring_latest+debian$(
- . /etc/os-release; echo "$VERSION_ID"
-).deb"
-
-apt install ./icinga-archive-keyring.deb
+wget -O - https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg

 DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
 echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${DIST} main" > \
@ -47,6 +36,21 @@ DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \

 apt update
 ```
+
+#### Debian Backports Repository <a id="debian-backports-repository"></a>
+
+This repository is required for Debian Stretch since Icinga v2.11.
+
+Debian Stretch:
+
+```bash
+DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
+ echo "deb https://deb.debian.org/debian ${DIST}-backports main" > \
+ /etc/apt/sources.list.d/${DIST}-backports.list
+
+apt update
+```
+
 <!-- {% endif %} -->

 <!-- {% if ubuntu %} -->
@ -54,13 +58,9 @@ apt update

 ```bash
 apt update
-apt -y install apt-transport-https wget
+apt -y install apt-transport-https wget gnupg

-wget -O icinga-archive-keyring.deb "https://packages.icinga.com/icinga-archive-keyring_latest+ubuntu$(
- . /etc/os-release; echo "$VERSION_ID"
-).deb"
-
-apt install ./icinga-archive-keyring.deb
+wget -O - https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg

 . /etc/os-release; if [ ! -z ${UBUNTU_CODENAME+x} ]; then DIST="${UBUNTU_CODENAME}"; else DIST="$(lsb_release -c| awk '{print $2}')"; fi; \
 echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/ubuntu icinga-${DIST} main" > \
@ -72,6 +72,41 @@ apt update
 ```
 <!-- {% endif %} -->

+<!-- {% if raspbian %} -->
+### Raspbian Repository <a id="raspbian-repository"></a>
+
+```bash
+apt update
+apt -y install apt-transport-https wget gnupg
+
+wget -O - https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
+
+DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
+ echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/raspbian icinga-${DIST} main" > \
+ /etc/apt/sources.list.d/icinga.list
+ echo "deb-src [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/raspbian icinga-${DIST} main" >> \
+ /etc/apt/sources.list.d/icinga.list
+
+apt update
+```
+<!-- {% endif %} -->
+
+<!-- {% if centos %} -->
+### CentOS Repository <a id="centos-repository"></a>
+
+```bash
+rpm --import https://packages.icinga.com/icinga.key
+wget https://packages.icinga.com/centos/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
+```
+
+The packages for CentOS depend on other packages which are distributed
+as part of the [EPEL repository](https://fedoraproject.org/wiki/EPEL):
+
+```bash
+yum install epel-release
+```
+<!-- {% endif %} -->
+
 <!-- {% if rhel %} -->
 ### RHEL Repository <a id="rhel-repository"></a>

@ -83,6 +118,7 @@ apt update
    Don't forget to fill in the username and password section with your credentials in the local .repo file.

 ```bash
+rpm --import https://packages.icinga.com/icinga.key
 wget https://packages.icinga.com/subscription/rhel/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
 ```

@ -100,12 +136,21 @@ subscription-manager repos --enable "codeready-builder-for-rhel-${OSVER}-${ARCH}
 dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-${OSVER}.noarch.rpm
 ```

+#### RHEL 7
+
+```bash
+subscription-manager repos --enable rhel-7-server-optional-rpms
+
+yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+```
 <!-- {% endif %} -->

+
 <!-- {% if fedora %} -->
 ### Fedora Repository <a id="fedora-repository"></a>

 ```bash
+rpm --import https://packages.icinga.com/icinga.key
 dnf install -y 'dnf-command(config-manager)'
 dnf config-manager --add-repo https://packages.icinga.com/fedora/$(. /etc/os-release; echo "$VERSION_ID")/release
 ```
@ -122,6 +167,8 @@ dnf config-manager --add-repo https://packages.icinga.com/fedora/$(. /etc/os-rel
    Don't forget to fill in the username and password section with your credentials in the local .repo file.

 ```bash
+rpm --import https://packages.icinga.com/icinga.key
+
 zypper ar https://packages.icinga.com/subscription/sles/ICINGA-release.repo
 zypper ref
 ```
@ -139,9 +186,17 @@ SUSEConnect -p PackageHub/$VERSION_ID/x86_64
 ### openSUSE Repository <a id="opensuse-repository"></a>

 ```bash
+rpm --import https://packages.icinga.com/icinga.key
+
 zypper ar https://packages.icinga.com/openSUSE/ICINGA-release.repo
 zypper ref
 ```
+
+You need to additionally add the `server:monitoring` repository to fulfill dependencies:
+
+```bash
+zypper ar https://download.opensuse.org/repositories/server:/monitoring/15.3/server:monitoring.repo
+```
 <!-- {% endif %} -->

 <!-- {% if amazon_linux %} -->
@ -155,6 +210,7 @@ zypper ref
    Don't forget to fill in the username and password section with your credentials in the local .repo file.

 ```bash
+rpm --import https://packages.icinga.com/icinga.key
 wget https://packages.icinga.com/subscription/amazon/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
 ```

@ -183,21 +239,36 @@ You can install Icinga 2 by using your distribution's package manager
 to install the `icinga2` package. The following commands must be executed
 with `root` permissions unless noted otherwise.

-<!-- {% if rhel or fedora or amazon_linux %} -->
+<!-- {% if centos or rhel or fedora or amazon_linux %} -->
 !!! tip

    If you have [SELinux](22-selinux.md) enabled, the package `icinga2-selinux` is also required.
 <!-- {% endif %} -->

-<!-- {% if debian or ubuntu %} -->
+<!-- {% if debian or ubuntu or raspbian %} -->
 <!-- {% if not icingaDocs %} -->
-#### Debian / Ubuntu / Raspberry Pi OS
+#### Debian / Ubuntu / Raspbian
 <!-- {% endif %} -->
 ```bash
 apt install icinga2
 ```
 <!-- {% endif %} -->

+<!-- {% if centos %} -->
+<!-- {% if not icingaDocs %} -->
+#### CentOS
+<!-- {% endif %} -->
+!!! info
+
+    Note that installing Icinga 2 is only supported on CentOS 7 as CentOS 8 is EOL.
+
+```bash
+yum install icinga2
+systemctl enable icinga2
+systemctl start icinga2
+```
+<!-- {% endif %} -->
+
 <!-- {% if rhel %} -->
 #### RHEL 8 or Later

@ -206,6 +277,14 @@ dnf install icinga2
 systemctl enable icinga2
 systemctl start icinga2
 ```
+
+#### RHEL 7
+
+```bash
+yum install icinga2
+systemctl enable icinga2
+systemctl start icinga2
+```
 <!-- {% endif %} -->

 <!-- {% if fedora %} -->
@ -278,15 +357,26 @@ to determine where to find the plugin binaries.
    additional check plugins into your Icinga 2 setup.


-<!-- {% if debian or ubuntu %} -->
+<!-- {% if debian or ubuntu or raspbian %} -->
 <!-- {% if not icingaDocs %} -->
-#### Debian / Ubuntu / Raspberry Pi OS
+#### Debian / Ubuntu / Raspbian
 <!-- {% endif %} -->
 ```bash
 apt install monitoring-plugins
 ```
 <!-- {% endif %} -->

+<!-- {% if centos %} -->
+<!-- {% if not icingaDocs %} -->
+#### CentOS
+<!-- {% endif %} -->
+The packages for CentOS depend on other packages which are distributed as part of the EPEL repository.
+
+```bash
+yum install nagios-plugins-all
+```
+<!-- {% endif %} -->
+
 <!-- {% if rhel %} -->
 <!-- {% if not icingaDocs %} -->
 #### RHEL
@ -298,6 +388,12 @@ The packages for RHEL depend on other packages which are distributed as part of
 ```bash
 dnf install nagios-plugins-all
 ```
+
+#### RHEL 7
+
+```bash
+yum install nagios-plugins-all
+```
 <!-- {% endif %} -->

 <!-- {% if fedora %} -->
@ -368,7 +464,7 @@ Restart Icinga 2 for these changes to take effect.
 systemctl restart icinga2
 ```

-<!-- {% if amazon_linux or debian or rhel or sles or ubuntu %} -->
+<!-- {% if amazon_linux or centos or debian or rhel or sles or ubuntu %} -->
 ## Set up Icinga DB <a id="set-up-icinga-db"></a>

 Icinga DB is a set of components for publishing, synchronizing and
@ -420,9 +516,23 @@ yum install icingadb-redis
 ```
 <!-- {% endif %} -->

+<!-- {% if centos %} -->
+<!-- {% if not icingaDocs %} -->
+##### CentOS
+<!-- {% endif %} -->
+
+!!! info
+
+    Note that installing Icinga DB Redis is only supported on CentOS 7 as CentOS 8 is EOL.
+
+```bash
+yum install icingadb-redis
+```
+<!-- {% endif %} -->
+
 <!-- {% if debian or ubuntu %} -->
 <!-- {% if not icingaDocs %} -->
-##### Debian / Ubuntu / Raspberry Pi OS
+##### Debian / Ubuntu
 <!-- {% endif %} -->
 ```bash
 apt install icingadb-redis
@ -435,6 +545,12 @@ apt install icingadb-redis
 ```bash
 dnf install icingadb-redis
 ```
+
+##### RHEL 7
+
+```bash
+yum install icingadb-redis
+```
 <!-- {% endif %} -->

 <!-- {% if sles %} -->
@ -525,19 +641,22 @@ the Icinga DB daemon that synchronizes monitoring data between the Redis server
 The Icinga DB daemon package is also included in the Icinga repository, and since it is already set up,
 you have completed the instructions here and can proceed to
 <!-- {% if amazon_linux %} -->
-[install the Icinga DB daemon on Amazon Linux](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/Amazon-Linux/#installing-the-package),
+[install the Icinga DB daemon on Amazon Linux](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/01-Amazon-Linux/#installing-icinga-db-package),
+<!-- {% endif %} -->
+<!-- {% if centos %} -->
+[install the Icinga DB daemon on CentOS](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/02-CentOS/#installing-icinga-db-package),
 <!-- {% endif %} -->
 <!-- {% if debian %} -->
-[install the Icinga DB daemon on Debian](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/Debian/#installing-the-package),
+[install the Icinga DB daemon on Debian](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/03-Debian/#installing-icinga-db-package),
 <!-- {% endif %} -->
 <!-- {% if rhel %} -->
-[install the Icinga DB daemon on RHEL](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/RHEL/#installing-the-package),
+[install the Icinga DB daemon on RHEL](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/04-RHEL/#installing-icinga-db-package),
 <!-- {% endif %} -->
 <!-- {% if sles %} -->
-[install the Icinga DB daemon on SLES](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/SLES/#installing-the-package),
+[install the Icinga DB daemon on SLES](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/05-SLES/#installing-icinga-db-package),
 <!-- {% endif %} -->
 <!-- {% if ubuntu %} -->
-[install the Icinga DB daemon on Ubuntu](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/Ubuntu/#installing-the-package),
+[install the Icinga DB daemon on Ubuntu](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/06-Ubuntu/#installing-icinga-db-package),
 <!-- {% endif %} -->
 which will also guide you through the setup of the database and Icinga DB Web.
 <!-- {% endif %} -->
--- a/doc/02-installation.md.d/03-Raspberry-Pi-OS.md
+++ b/doc/02-installation.md.d/03-Raspberry-Pi-OS.md
@ -1,3 +0,0 @@
-# Install Icinga 2 on Raspberry Pi OS
-<!-- {% set debian = True %} -->
-<!-- {% include "02-installation.md" %} -->
--- a/doc/02-installation.md.d/03-Raspbian.md
+++ b/doc/02-installation.md.d/03-Raspbian.md
@ -0,0 +1,3 @@
+# Install Icinga 2 on Raspbian
+<!-- {% set raspbian = True %} -->
+<!-- {% include "02-installation.md" %} -->
--- a/doc/02-installation.md.d/05-CentOS.md
+++ b/doc/02-installation.md.d/05-CentOS.md
@ -0,0 +1,3 @@
+# Install Icinga 2 on CentOS
+<!-- {% set centos = True %} -->
+<!-- {% include "02-installation.md" %} -->
--- a/doc/03-monitoring-basics.md
+++ b/doc/03-monitoring-basics.md
@ -1599,7 +1599,7 @@ A common pattern is to store the users and user groups
 on the host or service objects instead of the notification
 object itself.

-The sample configuration provided in [hosts.conf](04-configuration.md#hosts-conf) and [notifications.conf](04-configuration.md#notifications-conf)
+The sample configuration provided in [hosts.conf](04-configuration.md#hosts-conf) and [notifications.conf](notifications-conf)
 already provides an example for this question.

 > **Tip**
@ -2135,7 +2135,7 @@ In order to find out about the command argument, call the plugin's help
 or consult the README.

 ```
-./check_systemd --help
+./check_systemd.py --help

 ...

@ -2194,7 +2194,7 @@ With the [example above](03-monitoring-basics.md#command-arguments-value),
 inspect the parameter's help text.

 ```
-./check_systemd --help
+./check_systemd.py --help

 ...

@ -2579,7 +2579,6 @@ information.
  `notification_useremail`       | **Required.** The notification's recipient(s). Defaults to `$user.email$`.
  `notification_hoststate`       | **Required.** Current state of host. Defaults to `$host.state$`.
  `notification_type`            | **Required.** Type of notification. Defaults to `$notification.type$`.
-  `notification_hostnotes`       | **Optional.** The host's notes. Defaults to `$host.notes$`.
  `notification_address`         | **Optional.** The host's IPv4 address. Defaults to `$address$`.
  `notification_address6`        | **Optional.** The host's IPv6 address. Defaults to `$address6$`.
  `notification_author`          | **Optional.** Comment author. Defaults to `$notification.author$`.
@ -2608,8 +2607,6 @@ information.
  `notification_useremail`          | **Required.** The notification's recipient(s). Defaults to `$user.email$`.
  `notification_servicestate`       | **Required.** Current state of host. Defaults to `$service.state$`.
  `notification_type`               | **Required.** Type of notification. Defaults to `$notification.type$`.
-  `notification_hostnotes`          | **Optional.** The host's notes. Defaults to `$host.notes$`.
-  `notification_servicenotes`       | **Optional.** The service's notes. Defaults to `$service.notes$`.
  `notification_address`            | **Optional.** The host's IPv4 address. Defaults to `$address$`.
  `notification_address6`           | **Optional.** The host's IPv6 address. Defaults to `$address6$`.
  `notification_author`             | **Optional.** Comment author. Defaults to `$notification.author$`.
@ -2732,7 +2729,7 @@ Requirements:
 * Icinga 2 as client on the remote node
 * icinga user with sudo permissions to the httpd daemon

-Example on RHEL:
+Example on CentOS 7:

 ```
 # visudo
--- a/doc/04-configuration.md
+++ b/doc/04-configuration.md
@ -593,7 +593,7 @@ Read more on that topic [here](03-monitoring-basics.md#notification-commands).

 #### groups.conf <a id="groups-conf"></a>

-The example host defined in [hosts.conf](#hosts-conf) already has the
+The example host defined in [hosts.conf](hosts-conf) already has the
 custom variable `os` set to `Linux` and is therefore automatically
 a member of the host group `linux-servers`.

--- a/doc/05-service-monitoring.md
+++ b/doc/05-service-monitoring.md
@ -51,7 +51,7 @@ described. Try running the plugin after setup and [ensure it works](05-service-m
 Prior to using the check plugin with Icinga 2 you should ensure that it is working properly
 by trying to run it on the console using whichever user Icinga 2 is running as:

-RHEL/Fedora
+RHEL/CentOS/Fedora

 ```bash
 sudo -u icinga /usr/lib64/nagios/plugins/check_mysql_health --help
@ -111,7 +111,7 @@ Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module)

 Prior to installing the Perl module via CPAN, look for a distribution
 specific package, e.g. `libnet-snmp-perl` on Debian/Ubuntu or `perl-Net-SNMP`
-on RHEL.
+on RHEL/CentOS.


 #### Optional: Custom Path <a id="service-monitoring-plugins-custom-path"></a>
@ -281,10 +281,10 @@ that [it works](05-service-monitoring.md#service-monitoring-plugins-it-works). T
 `--help` parameter to see the actual parameters (docs might be outdated).

 ```
-./check_systemd --help
+./check_systemd.py --help

-usage: check_systemd [-h] [-c SECONDS] [-e UNIT | -u UNIT] [-v] [-V]
-                     [-w SECONDS]
+usage: check_systemd.py [-h] [-c SECONDS] [-e UNIT | -u UNIT] [-v] [-V]
+                        [-w SECONDS]

 ...

@ -319,7 +319,7 @@ Start with the basic plugin call without any parameters.

 ```
 object CheckCommand "systemd" { // Plugin name without 'check_' prefix
-  command = [ PluginContribDir + "/check_systemd" ] // Use the 'PluginContribDir' constant, see the contributed ITL commands
+  command = [ PluginContribDir + "/check_systemd.py" ] // Use the 'PluginContribDir' constant, see the contributed ITL commands
 }
 ```

--- a/doc/06-distributed-monitoring.md
+++ b/doc/06-distributed-monitoring.md
@ -264,7 +264,7 @@ The setup wizard will ensure that the following steps are taken:
 * Update the [ApiListener](06-distributed-monitoring.md#distributed-monitoring-apilistener) and [constants](04-configuration.md#constants-conf) configuration.
 * Update the [icinga2.conf](04-configuration.md#icinga2-conf) to disable the `conf.d` inclusion, and add the `api-users.conf` file inclusion.

-Here is an example of a master setup for the `icinga2-master1.localdomain` node:
+Here is an example of a master setup for the `icinga2-master1.localdomain` node on CentOS 7:

 ```
 [root@icinga2-master1.localdomain /]# icinga2 node wizard
@ -1031,7 +1031,9 @@ in `/etc/icinga2/icinga2.conf`.
 > Defaults to disabled.

 Now it is time to validate the configuration and to restart the Icinga 2 daemon
-on both nodes:
+on both nodes.
+
+Example on CentOS 7:

 ```
 [root@icinga2-agent1.localdomain /]# icinga2 daemon -C
@ -1110,8 +1112,7 @@ Save the changes and validate the configuration on the master node:
 ```
 [root@icinga2-master1.localdomain /]# icinga2 daemon -C
 ```
-
-Restart the Icinga 2 daemon:
+Restart the Icinga 2 daemon (example for CentOS 7):

 ```
 [root@icinga2-master1.localdomain /]# systemctl restart icinga2
@ -1220,7 +1221,9 @@ object ApiListener "api" {
 ```

 Now it is time to validate the configuration and to restart the Icinga 2 daemon
-on both nodes:
+on both nodes.
+
+Example on CentOS 7:

 ```
 [root@icinga2-satellite1.localdomain /]# icinga2 daemon -C
@ -1282,7 +1285,7 @@ Save the changes and validate the configuration on the master node:
 [root@icinga2-master1.localdomain /]# icinga2 daemon -C
 ```

-Restart the Icinga 2 daemon:
+Restart the Icinga 2 daemon (example for CentOS 7):

 ```
 [root@icinga2-master1.localdomain /]# systemctl restart icinga2
@ -3131,7 +3134,7 @@ object Endpoint "icinga2-master2.localdomain" {
 > **Note**
 >
 > This is required if you decide to change an already running single endpoint production
-> environment into an HA-enabled cluster zone with two endpoints.
+> environment into a HA-enabled cluster zone with two endpoints.
 > The [initial setup](06-distributed-monitoring.md#distributed-monitoring-scenarios-ha-master-clients)
 > with 2 HA masters doesn't require this step.

@ -3180,7 +3183,7 @@ Create a certificate signing request (CSR) for the local instance:
 Sign the CSR with the previously created CA:

 ```
-[root@icinga2-master1.localdomain /root]# icinga2 pki sign-csr --csr icinga2-master1.localdomain.csr --cert icinga2-master1.localdomain.crt
+[root@icinga2-master1.localdomain /root]# icinga2 pki sign-csr --csr icinga2-master1.localdomain.csr --cert icinga2-master1.localdomain
 ```

 Repeat the steps for all instances in your setup.
@ -3227,53 +3230,6 @@ information/pki: Writing certificate to file 'icinga2-satellite1.localdomain.crt

 Copy and move these certificates to the respective instances e.g. with SSH/SCP.

-#### External CA/PKI
-
-Icinga works best with its own certificates.
-The commands described above take care of the optimal certificate properties.
-Also, Icinga renews them periodically at runtime to avoid expiry.
-But you can also provide your own certificates,
-just like to any other application which uses TLS.
-
-!!! warning
-
-    The only serious reasons to generate own certificates are company policies.
-    You are responsible for making Icinga working with your certificates,
-    as well as for [expiry monitoring](10-icinga-template-library.md#plugin-check-command-ssl_cert)
-    and renewal.
-    
-    Especially `icinga2 pki` CLI commands do not expect such certificates.
-    
-    Also, do not provide your custom CA private key to Icinga 2!
-    Otherwise, it will automatically renew leaf certificates
-    with our hardcoded properties, not your custom ones.
-
-The CA certificate must be located in `/var/lib/icinga2/certs/ca.crt`.
-The basic requirements for all leaf certificates are:
-
-* Located in `/var/lib/icinga2/certs/NODENAME.crt`
-  and `/var/lib/icinga2/certs/NODENAME.key`
-* Subject with CN matching the endpoint name
-* A DNS SAN matching the endpoint name
-
-Pretty much everything else is limited only by your company policy
-and the OpenSSL versions your Icinga nodes use. E.g. the following works:
-
-* Custom key sizes, e.g. 2048 bits
-* Custom key types, e.g. ECC
-* Any number of intermediate CAs (but see limitations below)
-* Multiple trusted root CAs in `/var/lib/icinga2/certs/ca.crt`
-* Different root CAs per cluster subtree, as long as each node trusts the
-  certificate issuers of all nodes it's directly connected to
-
-Intermediate CA restrictions:
-
-* Each side has to provide its intermediate CAs along with the leaf certificate
-  in `/var/lib/icinga2/certs/NODENAME.crt`, ordered from leaf to root.
-* Intermediate CAs may not be used directly as root CAs. To trust only specific
-  intermediate CAs, cross-sign them with themselves, so that you get equal
-  certificates except that they're self-signed. Use them as root CAs in Icinga.
-
 ## Automation <a id="distributed-monitoring-automation"></a>

 These hints should get you started with your own automation tools (Puppet, Ansible, Chef, Salt, etc.)
--- a/doc/08-advanced-topics.md
+++ b/doc/08-advanced-topics.md
@ -484,7 +484,7 @@ host or service is considered flapping until it drops below the low flapping thr
 The attribute `flapping_ignore_states` allows to ignore state changes to specified states during the flapping calculation.

 `FlappingStart` and `FlappingEnd` notifications will be sent out accordingly, if configured. See the chapter on
-[notifications](03-monitoring-basics.md#notifications) for details
+[notifications](alert-notifications) for details

 > Note: There is no distinctions between hard and soft states with flapping. All state changes count and notifications
 > will be sent out regardless of the objects state.
--- a/doc/09-object-types.md
+++ b/doc/09-object-types.md
@ -393,6 +393,7 @@ Runtime Attributes:
  last\_check\_result       | CheckResult           | The current [check result](08-advanced-topics.md#advanced-value-types-checkresult).
  last\_state\_change       | Timestamp             | When the last state change occurred (as a UNIX timestamp).
  last\_hard\_state\_change | Timestamp             | When the last hard state change occurred (as a UNIX timestamp).
+  last\_in\_downtime        | Boolean               | Whether the host was in a downtime when the last check occurred.
  acknowledgement           | Number                | The acknowledgement type (0 = NONE, 1 = NORMAL, 2 = STICKY).
  acknowledgement\_expiry   | Timestamp             | When the acknowledgement expires (as a UNIX timestamp; 0 = no expiry).
  downtime\_depth           | Number                | Whether the host has one or more active downtimes.
@ -757,6 +758,7 @@ Runtime Attributes:
  last\_check\_result           | CheckResult       | The current [check result](08-advanced-topics.md#advanced-value-types-checkresult).
  last\_state\_change           | Timestamp         | When the last state change occurred (as a UNIX timestamp).
  last\_hard\_state\_change     | Timestamp         | When the last hard state change occurred (as a UNIX timestamp).
+  last\_in\_downtime            | Boolean           | Whether the service was in a downtime when the last check occurred.
  acknowledgement               | Number            | The acknowledgement type (0 = NONE, 1 = NORMAL, 2 = STICKY).
  acknowledgement\_expiry       | Timestamp         | When the acknowledgement expires (as a UNIX timestamp; 0 = no expiry).
  acknowledgement\_last\_change | Timestamp         | When the acknowledgement has been set/cleared
@ -1387,9 +1389,7 @@ Configuration Attributes:
  host                      | String                | **Optional.** Redis host. Defaults to `127.0.0.1`.
  port                      | Number                | **Optional.** Redis port. Defaults to `6380` since the Redis server provided by the `icingadb-redis` package listens on that port.
  path                      | String                | **Optional.** Redis unix socket path. Can be used instead of `host` and `port` attributes.
-  username                  | String                | **Optional.** Redis auth username. Only possible if Redis ACLs are used. Requires `password` to be set as well.
  password                  | String                | **Optional.** Redis auth password.
-  db\_index                 | Number                | **Optional.** Redis logical database by its number. Defaults to `0`.
  enable\_tls               | Boolean               | **Optional.** Whether to use TLS.
  cert\_path                | String                | **Optional.** Path to the certificate.
  key\_path                 | String                | **Optional.** Path to the private key.
--- a/doc/10-icinga-template-library.md
+++ b/doc/10-icinga-template-library.md
@ -75,10 +75,8 @@ plugin scripts.

 ### icinga <a id="itl-icinga"></a>

-Check command for the built-in `icinga` check. This check returns performance data for the current Icinga instance,
-reports as warning if the last reload or config sync failed and optionally allows for minimum version checks.
-
-For the config sync check to work, it must be run on the satellite or agent.
+Check command for the built-in `icinga` check. This check returns performance
+data for the current Icinga instance, reports as warning if the last reload failed and optionally allows for minimum version checks.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

@ -270,6 +268,7 @@ Custom variables passed as [command parameters](03-monitoring-basics.md#command-

 Name                    | Description
 ------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
+apt_extra_opts          | **Optional.** Read options from an ini file.
 apt_upgrade             | **Optional.** [Default] Perform an upgrade. If an optional OPTS argument is provided, apt-get will be run with these command line options instead of the default.
 apt_dist_upgrade        | **Optional.** Perform a dist-upgrade instead of normal upgrade. Like with -U OPTS can be provided to override the default options.
 apt_include             | **Optional.** Include only packages matching REGEXP. Can be specified multiple times the values will be combined together.
@ -278,7 +277,6 @@ apt_critical            | **Optional.** If the full package information of any o
 apt_timeout             | **Optional.** Seconds before plugin times out (default: 10).
 apt_only_critical       | **Optional.** Only warn about critical upgrades.
 apt_list                | **Optional.** List packages available for upgrade.
-apt_extra_opts          | **Optional.** Read extra plugin options from an ini file.


 ### breeze <a id="plugin-check-command-breeze"></a>
@ -319,7 +317,6 @@ by_ssh_options     | **Optional.** Call ssh with '-o OPTION' (multiple options m
 by_ssh_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 by_ssh_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
 by_ssh_skip_stderr | **Optional.** Ignore all or (if specified) first n lines on STDERR.
-by_ssh_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### clamd <a id="plugin-check-command-clamd"></a>
@ -351,7 +348,6 @@ clamd_ctime          | **Optional.** Response time to result in critical status
 clamd_timeout        | **Optional.** Seconds before connection times out. Defaults to 10.
 clamd_ipv4           | **Optional.** Use IPv4 connection. Defaults to false.
 clamd_ipv6           | **Optional.** Use IPv6 connection. Defaults to false.
-clamd_extra_opts     | **Optional.** Read extra plugin options from an ini file.


 ### dhcp <a id="plugin-check-command-dhcp"></a>
@ -369,7 +365,6 @@ dhcp_timeout    | **Optional.** The timeout in seconds.
 dhcp_interface  | **Optional.** The interface to use.
 dhcp_mac        | **Optional.** The MAC address to use in the DHCP request.
 dhcp_unicast    | **Optional.** Whether to use unicast requests. Defaults to false.
-dhcp_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### dig <a id="plugin-check-command-dig"></a>
@ -393,7 +388,6 @@ dig_critical         | **Optional.** Response time to result in critical status
 dig_timeout          | **Optional.** Seconds before connection times out (default: 10).
 dig_ipv4             | **Optional.** Force dig to only use IPv4 query transport. Defaults to false.
 dig_ipv6             | **Optional.** Force dig to only use IPv6 query transport. Defaults to false.
-dig_extra_opts       | **Optional.** Read extra plugin options from an ini file.


 ### disk <a id="plugin-check-command-disk"></a>
@ -431,11 +425,9 @@ disk\_ignore\_eregi\_path | **Optional.** Regular expression to ignore selected
 disk\_ignore\_ereg\_path  | **Optional.** Regular expression to ignore selected path or partition. Multiple regular expression strings must be defined as array.
 disk\_timeout             | **Optional.** Seconds before connection times out (default: 10).
 disk\_units               | **Optional.** Choose bytes, kB, MB, GB, TB.
-disk\_exclude\_type       | **Optional.** Ignore all filesystems of indicated type. Multiple regular expression strings must be defined as array. Defaults to "none", "tmpfs", "sysfs", "proc", "configfs", "devtmpfs", "devfs", "mtmfs", "tracefs", "cgroup", "fuse.\*" (only Monitoring Plugins support this so far), "fuse.gvfsd-fuse", "fuse.gvfs-fuse-daemon", "fuse.sshfs", "fdescfs", "overlay", "nsfs", "squashfs".
+disk\_exclude\_type       | **Optional.** Ignore all filesystems of indicated type. Multiple regular expression strings must be defined as array. Defaults to "none", "tmpfs", "sysfs", "proc", "configfs", "devtmpfs", "devfs", "mtmfs", "tracefs", "cgroup", "fuse.gvfsd-fuse", "fuse.gvfs-fuse-daemon", "fdescfs", "overlay", "nsfs", "squashfs".
 disk\_include\_type       | **Optional.** Check only filesystems of indicated type. Multiple regular expression strings must be defined as array.
 disk\_inode\_perfdata     | **Optional.** Display inode usage in perfdata
-disk\_np\_inode\_perfdata | **Optional.** Enable performance data for inode-based statistics (Requires: nagios-plugins >= 2.3.0)
-disk\_extra\_opts         | **Optional.** Read extra plugin options from an ini file.

 ### disk_smb <a id="plugin-check-command-disk-smb"></a>

@ -477,7 +469,6 @@ dns_accept_cname     | **Optional.** Accept cname responses as a valid result to
 dns_wtime            | **Optional.** Return warning if elapsed time exceeds value.
 dns_ctime            | **Optional.** Return critical if elapsed time exceeds value.
 dns_timeout          | **Optional.** Seconds before connection times out. Defaults to 10.
-dns_extra_opts       | **Optional.** Read extra plugin options from an ini file.



@ -534,7 +525,6 @@ fping_bytes	| **Optional.** The size of ICMP packet.
 fping_target_timeout | **Optional.** The target timeout in milli-seconds.
 fping_source_ip | **Optional.** The name or ip address of the source ip.
 fping_source_interface | **Optional.** The source interface name.
-fping_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### fping6 <a id="plugin-check-command-fping6"></a>
@ -560,7 +550,6 @@ fping_bytes	| **Optional.** The size of ICMP packet.
 fping_target_timeout | **Optional.** The target timeout in milli-seconds.
 fping_source_ip | **Optional.** The name or ip address of the source ip.
 fping_source_interface | **Optional.** The source interface name.
-fping_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### ftp <a id="plugin-check-command-ftp"></a>
@ -592,7 +581,6 @@ ftp_ctime          | **Optional.** Response time to result in critical status (s
 ftp_timeout        | **Optional.** Seconds before connection times out. Defaults to 10.
 ftp_ipv4           | **Optional.** Use IPv4 connection. Defaults to false.
 ftp_ipv6           | **Optional.** Use IPv6 connection. Defaults to false.
-ftp_extra_opts     | **Optional.** Read extra plugin options from an ini file.


 ### game <a id="plugin-check-command-game"></a>
@ -616,7 +604,6 @@ game_mapfield      | **Optional.** Field number in raw qstat output that contain
 game_pingfield     | **Optional.** Field number in raw qstat output that contains ping time.
 game_gametime      | **Optional.** Field number in raw qstat output that contains game time.
 game_hostname      | **Optional.** Name of the host running the game.
-game_extra_opts    | **Optional.** Read extra plugin options from an ini file.


 ### hostalive <a id="plugin-check-command-hostalive"></a>
@ -635,8 +622,7 @@ ping_wpl        | **Optional.** The packet loss warning threshold in %. Defaults
 ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defaults to 5000.
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 100.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
-ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 10.
-ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
+ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).


 ### hostalive4 <a id="plugin-check-command-hostalive4"></a>
@ -655,7 +641,6 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 100.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
-ping_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### hostalive6 <a id="plugin-check-command-hostalive6"></a>
@ -674,7 +659,6 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 100.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
-ping_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### hpjd <a id="plugin-check-command-hpjd"></a>
@ -690,7 +674,6 @@ Name            | Description
 hpjd_address    | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
 hpjd_port       | **Optional.** The host's SNMP port. Defaults to 161.
 hpjd_community  | **Optional.** The SNMP community. Defaults  to "public".
-hpjd_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### http <a id="plugin-check-command-http"></a>
@ -733,7 +716,6 @@ http_warn_time                   | **Optional.** The warning threshold.
 http_critical_time               | **Optional.** The critical threshold.
 http_expect                      | **Optional.** Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response. Default: HTTP/1.
 http_certificate                 | **Optional.** Minimum number of days a certificate has to be valid. Port defaults to 443. When this option is used the URL is not checked. The first parameter defines the warning threshold (in days), the second parameter the critical threshold (in days). (Example `http_certificate = "30,20"`).
-http_certificate_continue        | **Optional.** Allows the HTTP check to continue after performing the certificate check. Does nothing unless http_certificate is used.
 http_clientcert                  | **Optional.** Name of file contains the client certificate (PEM format).
 http_privatekey                  | **Optional.** Name of file contains the private key (PEM format).
 http_headerstring                | **Optional.** String to expect in the response headers.
@ -753,68 +735,6 @@ http_ipv6                        | **Optional.** Use IPv6 connection. Defaults t
 http_link                        | **Optional.** Wrap output in HTML link. Defaults to false.
 http_verbose                     | **Optional.** Show details for command-line debugging. Defaults to false.
 http_verify_host                 | **Optional.** Verify SSL certificate is for the -H hostname (with --sni and -S). Defaults to false. **Only supported by the Nagios plugins version of check\_http, not by the monitoring plugins one.**
-http_extra_opts                  | **Optional.** Read extra plugin options from an ini file.
-
-### curl <a id="plugin-check-command-curl"></a>
-
-The [check_curl](https://www.monitoring-plugins.org/doc/man/check_curl.html) plugin
-tests the HTTP service on the specified host. It can test normal (http) and secure
-(https) servers, follow redirects, search for strings and regular expressions,
-check connection times, and report on certificate expiration times.
-
-The plugin can either test the HTTP response of a server, or if `curl_certificate_valid_days_min_warning`/`curl_certificate_valid_days_min_critical` is set to a non-empty value, the TLS certificate age for a HTTPS host.
-
-Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
-
-Name                             | Description
---------------------------------|---------------------------------
-curl_vhost                       | **Optional.** The virtual host that should be sent in the "Host" header.
-curl_ip							 | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
-curl_port                        | **Optional.** The TCP port. Defaults to 80 when not using SSL, 443 otherwise.
-curl_ipv4                        | **Optional.** Use IPv4 connection. Defaults to false.
-curl_ipv6                        | **Optional.** Use IPv6 connection. Defaults to false.
-curl_tls						 | **Optional.** Whether to use SSL. Defaults to false.
-curl_tls_version	             | **Optional.** Connect via SSL. Port defaults to 443. VERSION is optional, and prevents auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1, 1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted. Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl.
-curl_sni                         | **Optional.** Whether to use SNI. This is the  default of `check_curl` in *most* cases and this option will not change this behaviour then. For obscure and old setup it might be necessary to manually activate it. The variable itself defaults to false.
-curl_certificate_valid_days_min_warning  | **Optional.** Minimum number of days a certificate has to be valid. Port defaults to 443. When this option is used, the URL is not checked (by default). This defines the warning threshold (in days).
-curl_certificate_valid_days_min_critical  | **Optional.** Minimum number of days a certificate has to be valid. This parameter defines the critical threshold (in days). See also `curl_certificate_valid_days_min_warning` above for more information.
-curl_continue_after_certificate  | **Optional.** Allows the HTTP check to continue after performing the certificate check. Does nothing unless tls certificate check mode is used (`curl_certificate_valid_days_min_warning`/`curl_certificate_valid_days_min_critical`). (available since Monitoring Plugins v2.3.2)
-curl_client_certificate_file     | **Optional.** Name of file contains the client certificate (PEM format).
-curl_client_certificate_key_file | **Optional.** Name of file contains the private key (PEM format).
-curl_ca_cert_file                | **Optional.** CA certificate file to verify peer against.
-curl_verify_peer_cert            | **Optional.** Verify that the peers certificate matches against the hostname
-curl_expect_string               | **Optional.** Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response. Default: HTTP/1.
-curl_expect_header_string        | **Optional.** String to expect in the response headers.
-curl_expect_content_string		 | **Optional.** String to expect in the content.
-curl_url                         | **Optional.** The request URL for GET or POST. Defaults to `/`.
-curl_post_data                   | **Optional.** URL encoded curl POST data.
-curl_http_method                 | **Optional.** Set curl method (for example: HEAD, OPTIONS, TRACE, PUT, DELETE).
-curl_no_body                     | **Optional.** Don't wait for document body: stop reading after headers. (Note that this stilldoes an HTTP GET or POST, not a HEAD.).
-curl_max_age                      | **Optional.** Warn if document is more than seconds old.
-curl_content_type                 | **Optional.** Specify Content-Type header when POSTing.
-curl_linespan                    | **Optional.** Allow regex to span newline.
-curl_ereg			             | **Optional.** A regular expression which the body must match against. Incompatible with curl_no-body.
-curl_eregi 				         | **Optional.** A case-insensitive expression which the body must match against. Incompatible with curl_no-body.
-curl_invert_regex                | **Optional.** Changes behavior of curl_ereg and curl_eregi to return CRITICAL if found, OK if not.
-curl_state_regex                 | **Optional.** Return STATE if regex is found, OK if not. STATE can be one of "critical","warning"
-curl_authorization               | **Optional.** Add 'username:password' authorization pair.
-curl_proxy_authorization         | **Optional.** Add 'username:password' authorization pair for proxy.
-curl_user_agent                   | **Optional.** String to be sent in curl header as User Agent.
-curl_header                      | **Optional.** Any other tags to be sent in curl header. Can be an array if multiple headers should be passed to `check_curl`.
-curl_extended_perfdata            | **Optional.** Print additional perfdata. Defaults to false.
-curl_show_body                   | **Optional.** Print body content below status line
-curl_link                        | **Optional.** Wrap output in HTML link. Defaults to false.
-curl_onredirect                  | **Optional.** How to handle redirect pages. Possible values: "ok" (default), "warning", "critical", "follow", "sticky" (like follow but stick to address), "stickyport" (like sticky but also to port)
-curl_max_redirs                   | **Optional.** Maximum number of redirects
-curl_pagesize                    | **Optional.** Minimum page size required:Maximum page size required.
-curl_http_version                | **Optional.** Connect via specific HTTP protocol. 1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)
-curl_enable_automatic_decompression |  **Optional.** Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING).
-curl_haproxy_protocol            | **Optional.** Send HAProxy proxy protocol v1 header (CURLOPT_HAPROXYPROTOCOL) (available since Monitoring Plugins v2.4.0)
-curl_cookie_jar_file             | **Optional.** Path to a cookie jar file. Store cookies in the cookie jar and send them out when requested. (available since Monitoring Plugins v2.3.4)
-curl_warning                     | **Optional.** The warning threshold.
-curl_critical 	                 | **Optional.** The critical threshold.
-curl_timeout                     | **Optional.** Seconds before connection times out.
-curl_extra_opts                  | **Optional.** Read options from an ini file.


 ### icmp <a id="plugin-check-command-icmp"></a>
@ -842,7 +762,6 @@ icmp_hosts_alive | **Optional.** The number of hosts which have to be alive for
 icmp_data_bytes | **Optional.** Payload size for each ICMP request. Defaults to 8.
 icmp_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 10 (seconds).
 icmp_ttl        | **Optional.** The TTL on outgoing packets.
-icmp_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### imap <a id="plugin-check-command-imap"></a>
@ -873,7 +792,6 @@ imap_critical         | **Optional.** Response time to result in critical status
 imap_timeout          | **Optional.** Seconds before connection times out (default: 10).
 imap_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 imap_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
-imap_extra_opts       | **Optional.** Read extra plugin options from an ini file.


 ### ldap <a id="plugin-check-command-ldap"></a>
@ -904,7 +822,6 @@ ldap_warning_entries	| **Optional.** Number of found entries to result in warnin
 ldap_critical_entries	| **Optional.** Number of found entries to result in critical status.
 ldap_timeout		| **Optional.** Seconds before connection times out (default: 10).
 ldap_verbose		| **Optional.** Show details for command-line debugging (disabled by default)
-ldap_extra_opts 	| **Optional.** Read extra plugin options from an ini file.

 ### load <a id="plugin-check-command-load"></a>

@ -922,7 +839,6 @@ load_cload1     | **Optional.** The 1-minute critical threshold. Defaults to 10.
 load_cload5     | **Optional.** The 5-minute critical threshold. Defaults to 6.
 load_cload15    | **Optional.** The 15-minute critical threshold. Defaults to 4.
 load_percpu     | **Optional.** Divide the load averages by the number of CPUs (when possible). Defaults to false.
-load_extra_opts | **Optional.** Read extra plugin options from an ini file.

 ### mailq <a id="plugin-check-command-mailq"></a>

@ -969,7 +885,6 @@ mysql_cert		| **Optional.** Path to SSL certificate.
 mysql_key		| **Optional.** Path to private SSL key.
 mysql_cadir		| **Optional.** Path to CA directory.
 mysql_ciphers		| **Optional.** List of valid SSL ciphers.
-mysql_extra_opts	| **Optional.** Read extra plugin options from an ini file.


 ### mysql_query <a id="plugin-check-command-mysql-query"></a>
@ -995,7 +910,6 @@ mysql_query_password    | **Optional.** Use the indicated password to authentica
 mysql_query_execute     | **Required.** SQL Query to run on the MySQL Server.
 mysql_query_warning     | **Optional.** Exit with WARNING status if query is outside of the range (format: start:end).
 mysql_query_critical    | **Optional.** Exit with CRITICAL status if query is outside of the range.
-mysql_query_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### negate <a id="plugin-check-command-negate"></a>
@ -1067,7 +981,6 @@ nscp_warn       | **Optional.** The warning threshold.
 nscp_crit       | **Optional.** The critical threshold.
 nscp_timeout    | **Optional.** The query timeout in seconds.
 nscp_showall    | **Optional.** Use with SERVICESTATE to see working services or PROCSTATE for running processes. Defaults to false.
-nscp_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### ntp_time <a id="plugin-check-command-ntp-time"></a>
@ -1090,7 +1003,6 @@ ntp_timeoffset  | **Optional.** Expected offset of the ntp server relative to lo
 ntp_timeout     | **Optional.** Seconds before connection times out (default: 10).
 ntp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 ntp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
-ntp_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### ntp_peer <a id="plugin-check-command-ntp-peer"></a>
@ -1118,7 +1030,6 @@ ntp_csource     | **Optional.** Critical threshold for number of usable time sou
 ntp_timeout     | **Optional.** Seconds before connection times out (default: 10).
 ntp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 ntp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
-ntp_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### pgsql <a id="plugin-check-command-pgsql"></a>
@ -1146,7 +1057,6 @@ pgsql_timeout		| **Optional.** Seconds before connection times out (default: 10)
 pgsql_query		| **Optional.** SQL query to run. Only first column in first row will be read.
 pgsql_query_warning	| **Optional.** SQL query value to result in warning status (double).
 pgsql_query_critical	| **Optional.** SQL query value to result in critical status (double).
-pgsql_extra_opts	| **Optional.** Read extra plugin options from an ini file.

 ### ping <a id="plugin-check-command-ping"></a>

@ -1168,7 +1078,6 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 15.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
-ping_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### ping4 <a id="plugin-check-command-ping4"></a>
@ -1191,7 +1100,6 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 15.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
-ping_extra_opts | **Optional.** Read extra plugin options from an ini file.

 ### ping6 <a id="plugin-check-command-ping6"></a>

@ -1213,7 +1121,6 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 15.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
-ping_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### pop <a id="plugin-check-command-pop"></a>
@ -1244,7 +1151,6 @@ pop_critical         | **Optional.** Response time to result in critical status
 pop_timeout          | **Optional.** Seconds before connection times out (default: 10).
 pop_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 pop_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
-pop_extra_opts       | **Optional.** Read extra plugin options from an ini file.


 ### procs <a id="plugin-check-command-processes"></a>
@ -1256,25 +1162,23 @@ of processes. Search filters can be applied to limit the processes to check.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name                  | Description
----------------------|--------------
-procs_warning         | **Optional.** The process count warning threshold. Defaults to 250.
-procs_critical        | **Optional.** The process count critical threshold. Defaults to 400.
-procs_metric          | **Optional.** Check thresholds against metric.
-procs_timeout         | **Optional.** Seconds before plugin times out.
-procs_traditional     | **Optional.** Filter own process the traditional way by PID instead of /proc/pid/exe. Defaults to false.
-procs_state           | **Optional.** Only scan for processes that have one or more of the status flags you specify.
-procs_ppid            | **Optional.** Only scan for children of the parent process ID indicated.
-procs_vsz             | **Optional.** Only scan for processes with VSZ higher than indicated.
-procs_rss             | **Optional.** Only scan for processes with RSS higher than indicated.
-procs_pcpu            | **Optional.** Only scan for processes with PCPU higher than indicated.
-procs_user            | **Optional.** Only scan for processes with user name or ID indicated.
-procs_argument        | **Optional.** Only scan for processes with args that contain STRING.
-procs_argument_regex  | **Optional.** Only scan for processes with args that contain the regex STRING.
-procs_command         | **Optional.** Only scan for exact matches of COMMAND (without path).
-procs_exclude_process | **Optional.** Exclude processes which match this comma separated list.
-procs_nokthreads      | **Optional.** Only scan for non kernel threads. Defaults to false.
-procs_extra_opts      | **Optional.** Read extra plugin options from an ini file.
+Name                 | Description
+---------------------|--------------
+procs_warning        | **Optional.** The process count warning threshold. Defaults to 250.
+procs_critical       | **Optional.** The process count critical threshold. Defaults to 400.
+procs_metric         | **Optional.** Check thresholds against metric.
+procs_timeout        | **Optional.** Seconds before plugin times out.
+procs_traditional    | **Optional.** Filter own process the traditional way by PID instead of /proc/pid/exe. Defaults to false.
+procs_state          | **Optional.** Only scan for processes that have one or more of the status flags you specify.
+procs_ppid           | **Optional.** Only scan for children of the parent process ID indicated.
+procs_vsz            | **Optional.** Only scan for processes with VSZ higher than indicated.
+procs_rss            | **Optional.** Only scan for processes with RSS higher than indicated.
+procs_pcpu           | **Optional.** Only scan for processes with PCPU higher than indicated.
+procs_user           | **Optional.** Only scan for processes with user name or ID indicated.
+procs_argument       | **Optional.** Only scan for processes with args that contain STRING.
+procs_argument_regex | **Optional.** Only scan for processes with args that contain the regex STRING.
+procs_command        | **Optional.** Only scan for exact matches of COMMAND (without path).
+procs_nokthreads     | **Optional.** Only scan for non kernel threads. Defaults to false.


 ### radius <a id="plugin-check-command-radius"></a>
@ -1304,7 +1208,6 @@ radius_nas_address | **Optional.** The NAS IP address.
 radius_expect      | **Optional.** The response string to expect from the server.
 radius_retries     | **Optional.** The number of times to retry a failed connection.
 radius_timeout     | **Optional.** The number of seconds before connection times out (default: 10).
-radius_extra_opts  | **Optional.** Read extra plugin options from an ini file.

 ### rpc <a id="plugin-check-command-rpc"></a>

@ -1351,7 +1254,6 @@ simap_critical         | **Optional.** Response time to result in critical statu
 simap_timeout          | **Optional.** Seconds before connection times out (default: 10).
 simap_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 simap_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
-simap_extra_opts       | **Optional.** Read extra plugin options from an ini file.

 ### smart <a id="plugin-check-command-smart"></a>

@ -1360,10 +1262,9 @@ checks a local hard drive with the (Linux specific) SMART interface. Requires in

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name             | Description
-----------------|--------------
-smart_device     | **Required.** The name of a local hard drive to monitor.
-smart_extra_opts | **Optional.** Read extra plugin options from an ini file.
+Name            | Description
+----------------|--------------
+smart_device    | **Required.** The name of a local hard drive to monitor.


 ### smtp <a id="plugin-check-command-smtp"></a>
@ -1393,7 +1294,6 @@ smtp_critical         | **Optional.** Response time to result in critical status
 smtp_timeout          | **Optional.** Seconds before connection times out (default: 10).
 smtp_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 smtp_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
-smtp_extra_opts       | **Optional.** Read extra plugin options from an ini file.


 ### snmp <a id="plugin-check-command-snmp"></a>
@ -1422,7 +1322,6 @@ snmp_invert_search  | **Optional.** Invert search result and return CRITICAL sta
 snmp_units          | **Optional.** Units label(s) for output value (e.g., 'sec.').
 snmp_version        | **Optional.** Version to use. E.g. 1, 2, 2c or 3.
 snmp_miblist        | **Optional.** MIB's to use, comma separated. Defaults to "ALL".
-snmp_multiplier     |**Optional.** Multiplies current value, 0 < n < 1 works as divider, defaults to 1
 snmp_rate_multiplier | **Optional.** Converts rate per second. For example, set to 60 to convert to per minute.
 snmp_rate           | **Optional.** Boolean. Enable rate calculation.
 snmp_getnext        | **Optional.** Boolean. Use SNMP GETNEXT. Defaults to false.
@ -1430,7 +1329,6 @@ snmp_timeout        | **Optional.** The command timeout in seconds. Defaults to
 snmp_offset         | **Optional.** Add/subtract the specified OFFSET to numeric sensor data.
 snmp_output_delimiter | **Optional.** Separates output on multiple OID requests.
 snmp_perf_oids      | **Optional.** Label performance data with OIDs instead of --label's.
-snmp_extra_opts     | **Optional.** Read extra plugin options from an ini file.

 ### snmpv3 <a id="plugin-check-command-snmpv3"></a>

@ -1459,11 +1357,9 @@ snmpv3_eregi         | **Optional.** Return OK state (for that OID) if case-inse
 snmpv3_invert_search | **Optional.** Invert search result and return CRITICAL if found
 snmpv3_label         | **Optional.** Prefix label for output value.
 snmpv3_units         | **Optional.** Units label(s) for output value (e.g., 'sec.').
-snmp3_multiplier     |**Optional.** Multiplies current value, 0 < n < 1 works as divider, defaults to 1
 snmpv3_rate_multiplier | **Optional.** Converts rate per second. For example, set to 60 to convert to per minute.
 snmpv3_rate          | **Optional.** Boolean. Enable rate calculation.
 snmpv3_timeout       | **Optional.** The command timeout in seconds. Defaults to 10 seconds.
-snmpv3_extra_opts    | **Optional.** Read extra plugin options from an ini file.

 ### snmp-uptime <a id="plugin-check-command-snmp-uptime"></a>

@ -1477,7 +1373,6 @@ Name            | Description
 snmp_address    | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
 snmp_oid        | **Optional.** The SNMP OID. Defaults to "1.3.6.1.2.1.1.3.0".
 snmp_community  | **Optional.** The SNMP community. Defaults to "public".
-snmp_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### spop <a id="plugin-check-command-spop"></a>
@ -1508,7 +1403,6 @@ spop_critical         | **Optional.** Response time to result in critical status
 spop_timeout          | **Optional.** Seconds before connection times out (default: 10).
 spop_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 spop_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
-spop_extra_opts       | **Optional.** Read extra plugin options from an ini file.


 ### ssh <a id="plugin-check-command-ssh"></a>
@ -1518,16 +1412,13 @@ connects to an SSH server at a specified host and port.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name                | Description
--------------------|--------------
-ssh_address         | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
-ssh_port            | **Optional.** The port that should be checked. Defaults to 22.
-ssh_timeout         | **Optional.** Seconds before connection times out. Defaults to 10.
-ssh_ipv4            | **Optional.** Use IPv4 connection. Defaults to false.
-ssh_ipv6            | **Optional.** Use IPv6 connection. Defaults to false.
-ssh_remote_version  | **Optional.** Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1).
-ssh_remote_protocol | **Optional.** Alert if protocol doesn't match expected protocol version (ex: 2.0).
-ssh_extra_opts      | **Optional.** Read extra plugin options from an ini file.
+Name            | Description
+----------------|--------------
+ssh_address     | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
+ssh_port        | **Optional.** The port that should be checked. Defaults to 22.
+ssh_timeout     | **Optional.** Seconds before connection times out. Defaults to 10.
+ssh_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
+ssh_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.


 ### ssl <a id="plugin-check-command-ssl"></a>
@ -1545,7 +1436,6 @@ ssl_timeout                   | **Optional.** Timeout in seconds for the connect
 ssl_cert_valid_days_warn      | **Optional.** Warning threshold for days before the certificate will expire. When used, the default for ssl_cert_valid_days_critical is 0.
 ssl_cert_valid_days_critical  | **Optional.** Critical threshold for days before the certificate will expire. When used, ssl_cert_valid_days_warn must also be set.
 ssl_sni                       | **Optional.** The `server_name` that is sent to select the SSL certificate to check. Important if SNI is used.
-ssl_extra_opts                | **Optional.** Read extra plugin options from an ini file.


 ### ssmtp <a id="plugin-check-command-ssmtp"></a>
@ -1576,7 +1466,6 @@ ssmtp_critical         | **Optional.** Response time to result in critical statu
 ssmtp_timeout          | **Optional.** Seconds before connection times out (default: 10).
 ssmtp_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 ssmtp_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
-ssmtp_extra_opts       | **Optional.** Read extra plugin options from an ini file.


 ### swap <a id="plugin-check-command-swap"></a>
@ -1593,7 +1482,6 @@ swap_cfree      | **Optional.** The free swap space critical threshold in % (ena
 swap_integer    | **Optional.** Specifies whether the thresholds are passed as number or percent value. Defaults to false (percent values).
 swap_allswaps   | **Optional.** Conduct comparisons for all swap partitions, one by one. Defaults to false.
 swap_noswap     | **Optional.** Resulting state when there is no swap regardless of thresholds. Possible values are "ok", "warning", "critical", "unknown". Defaults to "critical".
-swap_extra_opts | **Optional.** Read extra plugin options from an ini file.


 ### tcp <a id="plugin-check-command-tcp"></a>
@ -1626,7 +1514,6 @@ tcp_ctime       | **Optional.** Response time to result in critical status (seco
 tcp_timeout     | **Optional.** Seconds before connection times out. Defaults to 10.
 tcp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 tcp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
-tcp_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### udp <a id="plugin-check-command-udp"></a>
@ -1645,7 +1532,6 @@ udp_expect      | **Required.** The payload to expect in the response datagram.
 udp_quit        | **Optional.** The payload to send to 'close' the session.
 udp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 udp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
-udp_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### ups <a id="plugin-check-command-ups"></a>
@ -1666,7 +1552,6 @@ ups_warning     | **Optional.** The warning threshold for the selected variable.
 ups_critical    | **Optional.** The critical threshold for the selected variable.
 ups_celsius     | **Optional.** Display the temperature in degrees Celsius instead of Fahrenheit. Defaults to `false`.
 ups_timeout     | **Optional.** The number of seconds before the connection times out. Defaults to 10.
-ups_extra_opts  | **Optional.** Read extra plugin options from an ini file.


 ### users <a id="plugin-check-command-users"></a>
@ -1677,11 +1562,10 @@ error if the number exceeds the thresholds specified.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name             | Description
-----------------|--------------
-users_wgreater   | **Optional.** The user count warning threshold. Defaults to 20.
-users_cgreater   | **Optional.** The user count critical threshold. Defaults to 50.
-users_extra_opts | **Optional.** Read extra plugin options from an ini file.
+Name            | Description
+----------------|--------------
+users_wgreater  | **Optional.** The user count warning threshold. Defaults to 20.
+users_cgreater  | **Optional.** The user count critical threshold. Defaults to 50.


 ### uptime <a id="plugin-check-command-uptime"></a>
@ -3563,7 +3447,7 @@ thola_identify_discover_timeouts   | **Optional.** The number of discover timeou

 > **Note**:
 >
-> One of the variables `thola_identify_model`, `thola_identify_os_version`,
+> One of the variables `thola_identify_model`, `thola_identify_os_version`, 
 > `thola_identify_vendor` or `thola_identify_serial_number` must be set

 ##### thola-memory-usage <a id="plugin-contrib-command-thola-memory-usage"></a>
@ -3768,33 +3652,22 @@ iostat\_cwrite | **Required.** Critical threshold for KB/s writes (default: 200)

 #### systemd <a id="plugin-contrib-command-systemd"></a>

-The [check_systemd](https://github.com/Josef-Friedrich/check_systemd) plugin
-will report a degraded system to your monitoring solution.
+The [check_systemd.py](https://github.com/Josef-Friedrich/check_systemd) plugin
+will report a degraded system to your monitoring solution. It requires only the [nagiosplugin](https://nagiosplugin.readthedocs.io/en/stable) library.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name                             | Description
---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------
-systemd\_verbose\_level          | **Optional.** Increase verbosity level (Accepted values: `1`, `2` or `3`). (Defaults to none)
-systemd\_ignore\_inactive\_state | **Optional.** Ignore an inactive state on a specific unit. Only affective if used with `systemd_unit`.
-systemd\_include                 | **Optional.** Include systemd units to the checks, regular expressions are supported. This option can be applied multiple times.
-systemd\_unit                    | **Optional.** Name of the systemd unit that is being tested.
-systemd\_include\_type           | **Optional.** Unit types to be tested (for example: `service`, `timer`). This option can be applied multiple times.
-systemd\_exclude\_unit           | **Optional.** Exclude a systemd unit from the checks, regular expressions are supported. This option can be applied multiple times.
-systemd\_exclude\_unit\_name     | **Optional.** Exclude a systemd unit from the checks. This option can be applied multiple times.
-systemd\_exclude\_type           | **Optional.** Exclude a systemd unit type (for example: `service`, `timer`)
-systemd\_state                   | **Optional.** Specify the active state that the systemd unit must have (for example: `active`, `inactive`)
-systemd\_dead\_timers            | **Optional.** Detect dead / inactive timers, see `systemd_dead_timers_{warning,critical}`. (Default `false`)
-systemd\_dead\_timers\_warning   | **Optional.** Time ago in seconds for dead / inactive timers to trigger a warning state. (Default 6 days)
-systemd\_dead\_timers\_critical  | **Optional.** Time ago in seconds for dead / inactive timers to trigger a critical state. (Default 7 days)
-systemd\_no\_startup\_time       | **Optional.** Don't check the startup time. Using this option, the options `systemd_{warning,critical}` have no effect. (Default `false`)
-systemd\_warning                 | **Optional.** Startup time in seconds to result in a warning status. (Default 60 seconds)
-systemd\_critical                | **Optional.** Startup time in seconds to result in a critical status. (Default 120 seconds)
-systemd\_dbus                    | **Optional.** Use systemd's D-Bus API instead of parsing command output. Only partially implemented!
-systemd\_cli                     | **Optional.** Use text output from parsing command output. (Default)
-systemd\_user                    | **Optional.** Also show user (systemctl --user) units.
-
-
+Name                            | Description
+--------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------
+systemd\_unit                   | **Optional.** Name of the systemd unit that is being tested.
+systemd\_exclude\_unit          | **Optional.** Exclude a systemd unit from the checks. This option can be applied multiple times. Also supports regular expressions.
+systemd\_no\_startup\_time      | **Optional.** Don’t check the startup time. Using this option the options `systemd_warning` and `systemd_critical` have no effect. (Default: `false`)
+systemd\_warning                | **Optional.** Startup time in seconds to result in a warning status. (Default: `60s`)
+systemd\_critical               | **Optional.** Startup time in seconds to result in a critical status. (Default: `120s`)
+systemd\_dead\_timers           | **Optional.** Detect dead / inactive timers. (Default: `false`)
+systemd\_dead\_timers\_warning  | **Optional.** Time ago in seconds for dead / inactive timers to trigger a warning state (by default 6 days).
+systemd\_dead\_timers\_critical | **Optional.** Time ago in seconds for dead / inactive timers to trigger a critical state (by default 7 days).
+systemd\_verbose\_level         | **Optional.** Increase verbosity level (Accepted values: `1`, `2` or `3`). (Defaults to none)

 #### yum <a id="plugin-contrib-command-yum"></a>

@ -4441,24 +4314,23 @@ Check command object for the `check_vmware_esx` plugin. Shows net info.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name                        | Description
----------------------------|--------------
-vmware_host                 | **Required.** ESX or ESXi hostname.
-vmware_datacenter           | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
-vmware_sslport              | **Optional.** SSL port connection. Defaults to "443".
-vmware_ignoreunknown        | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
-vmware_ignorewarning        | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
-vmware_timeout              | **Optional.** Seconds before plugin times out. Defaults to "90".
-vmware_trace                | **Optional.** Set verbosity level of vSphere API request/respond trace.
-vmware_sessionfile          | **Optional.** Session file name enhancement.
-vmware_sessionfiledir       | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
-vmware_nosession            | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
-vmware_username             | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
-vmware_password             | **Optional.** The username's password. No value defined as default.
-vmware_authfile             | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
-vmware_exclude              | **Optional.** Blacklist NICs. No value defined as default.
-vmware_isregexp             | **Optional.** Treat blacklist expression as regexp.
-vmware_unplugged_nics_state | **Optional.** Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)
+Name                    | Description
+------------------------|--------------
+vmware_host             | **Required.** ESX or ESXi hostname.
+vmware_datacenter       | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
+vmware_sslport          | **Optional.** SSL port connection. Defaults to "443".
+vmware_ignoreunknown    | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
+vmware_ignorewarning    | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
+vmware_timeout          | **Optional.** Seconds before plugin times out. Defaults to "90".
+vmware_trace            | **Optional.** Set verbosity level of vSphere API request/respond trace.
+vmware_sessionfile      | **Optional.** Session file name enhancement.
+vmware_sessionfiledir   | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
+vmware_nosession        | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
+vmware_username         | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
+vmware_password         | **Optional.** The username's password. No value defined as default.
+vmware_authfile         | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
+vmware_exclude          | **Optional.** Blacklist NICs. No value defined as default.
+vmware_isregexp         | **Optional.** Treat blacklist expression as regexp.


 **vmware-esx-soap-host-net-usage**
@ -4542,24 +4414,23 @@ Check command object for the `check_vmware_esx` plugin. Check all active NICs.

 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

-Name                        | Description
----------------------------|--------------
-vmware_host                 | **Required.** ESX or ESXi hostname.
-vmware_datacenter           | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
-vmware_sslport              | **Optional.** SSL port connection. Defaults to "443".
-vmware_ignoreunknown        | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
-vmware_ignorewarning        | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
-vmware_timeout              | **Optional.** Seconds before plugin times out. Defaults to "90".
-vmware_trace                | **Optional.** Set verbosity level of vSphere API request/respond trace.
-vmware_sessionfile          | **Optional.** Session file name enhancement.
-vmware_sessionfiledir       | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
-vmware_nosession            | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
-vmware_username             | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
-vmware_password             | **Optional.** The username's password. No value defined as default.
-vmware_authfile             | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
-vmware_exclude              | **Optional.** Blacklist NICs. No value defined as default.
-vmware_isregexp             | **Optional.** Treat blacklist expression as regexp.
-vmware_unplugged_nics_state | **Optional.** Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)
+Name                    | Description
+------------------------|--------------
+vmware_host             | **Required.** ESX or ESXi hostname.
+vmware_datacenter       | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
+vmware_sslport          | **Optional.** SSL port connection. Defaults to "443".
+vmware_ignoreunknown    | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
+vmware_ignorewarning    | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
+vmware_timeout          | **Optional.** Seconds before plugin times out. Defaults to "90".
+vmware_trace            | **Optional.** Set verbosity level of vSphere API request/respond trace.
+vmware_sessionfile      | **Optional.** Session file name enhancement.
+vmware_sessionfiledir   | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
+vmware_nosession        | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
+vmware_username         | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
+vmware_password         | **Optional.** The username's password. No value defined as default.
+vmware_authfile         | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
+vmware_exclude          | **Optional.** Blacklist NICs. No value defined as default.
+vmware_isregexp         | **Optional.** Treat blacklist expression as regexp.


 **vmware-esx-soap-host-volumes**
@ -5957,43 +5828,40 @@ Custom variables passed as [command parameters](03-monitoring-basics.md#command-

 Name                      | Description
 --------------------------|--------------
-ssl_cert_address                        | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
-ssl_cert_port                           | **Optional.** TCP port number (default: 443).
-ssl_cert_proxy                          | **Optional.** Proxy server to use for connecting to the host. Sets http_proxy and the s_client -proxy option.
-ssl_cert_file                           | **Optional.** Local file path. Works only if `ssl_cert_address` is set to "localhost".
-ssl_cert_warn                           | **Optional.** Minimum number of days a certificate has to be valid.
-ssl_cert_critical                       | **Optional.** Minimum number of days a certificate has to be valid to issue a critical status.
-ssl_cert_maximum_validity               | **Optional.** Maximum number of days a certificate is allowed to be valid (default: 397)
-ssl_cert_ignore_maximum_validity        | **Optional.** Ignore the certificate maximum validity
-ssl_cert_cn                             | **Optional.** Pattern to match the CN or AltName of the certificate.
-ssl_cert_issuer                         | **Optional.** Pattern to match the issuer of the certificate.
-ssl_cert_org                            | **Optional.** Pattern to match the organization of the certificate.
-ssl_cert_email                          | **Optional.** Pattern to match the email address contained in the certificate.
-ssl_cert_serial                         | **Optional.** Pattern to match the serial number.
-ssl_cert_noauth                         | **Optional.** Ignore authority warnings (expiration only)
-ssl_cert_match_host                     | **Optional.** Match CN with the host name.
-ssl_cert_selfsigned                     | **Optional.** Allow self-signed certificate.
-ssl_cert_sni                            | **Optional.** Sets the TLS SNI (Server Name Indication) extension.
-ssl_cert_timeout                        | **Optional.** Seconds before connection times out (default: 15)
-ssl_cert_protocol                       | **Optional.** Use the specific protocol {http,smtp,pop3,imap,ftp,xmpp,irc,ldap} (default: http).
-ssl_cert_http_url                       | **Optional.** HTTP Request URL (default: /)
-ssl_cert_clientcert                     | **Optional.** Use client certificate to authenticate.
-ssl_cert_clientpass                     | **Optional.** Set passphrase for client certificate.
-ssl_cert_ssllabs                        | **Optional.** SSL Labs assessment
-ssl_cert_ssllabs_nocache                | **Optional.** Forces a new check by SSL Labs
-ssl_cert_rootcert                       | **Optional.** Root certificate or directory to be used for certificate validation.
-ssl_cert_ignore_signature               | **Optional.** Do not check if the certificate was signed with SHA1 od MD5.
-ssl_cert_ssl_version                    | **Optional.** Force specific SSL version out of {ssl2,ssl3,tls1,tls1_1,tls1_2}.
-ssl_cert_disable_ssl_versions           | **Optional.** Disable specific SSL versions out of {ssl2,ssl3,tls1,tls1_1,tls1_2}. Multiple versions can be given as array.
-ssl_cert_cipher                         | **Optional.** Cipher selection: force {ecdsa,rsa} authentication.
-ssl_cert_ignore_expiration              | **Optional.** Ignore expiration date.
-ssl_cert_ignore_host_cn                 | **Optional.** Do not complain if the CN does not match.
-ssl_cert_ignore_ocsp                    | **Optional.** Do not check revocation with OCSP.
-ssl_cert_ignore_ocsp_errors             | **Optional.** Continue if the OCSP status cannot be checked.
-ssl_cert_ignore_ocsp_timeout            | **Optional.** Ignore OCSP result when timeout occurs while checking.
-ssl_cert_ignore_sct                     | **Optional.** Do not check for signed certificate timestamps.
-ssl_cert_ignore_tls_renegotiation       | **Optional.** Do not check for renegotiation.
-ssl_cert_dane                           | **Optional.** Verify that valid DANE records exist ({211,301,302,311,312} or empty string).
+ssl_cert_address              | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
+ssl_cert_port                 | **Optional.** TCP port number (default: 443).
+ssl_cert_proxy                | **Optional.** Proxy server to use for connecting to the host. Sets http_proxy and the s_client -proxy option.
+ssl_cert_file                 | **Optional.** Local file path. Works only if `ssl_cert_address` is set to "localhost".
+ssl_cert_warn                 | **Optional.** Minimum number of days a certificate has to be valid.
+ssl_cert_critical             | **Optional.** Minimum number of days a certificate has to be valid to issue a critical status.
+ssl_cert_cn                   | **Optional.** Pattern to match the CN of the certificate.
+ssl_cert_altnames             | **Optional.** Matches the pattern specified in -n with alternate
+ssl_cert_issuer               | **Optional.** Pattern to match the issuer of the certificate.
+ssl_cert_org                  | **Optional.** Pattern to match the organization of the certificate.
+ssl_cert_email                | **Optional.** Pattern to match the email address contained in the certificate.
+ssl_cert_serial               | **Optional.** Pattern to match the serial number.
+ssl_cert_noauth               | **Optional.** Ignore authority warnings (expiration only)
+ssl_cert_match_host           | **Optional.** Match CN with the host name.
+ssl_cert_selfsigned           | **Optional.** Allow self-signed certificate.
+ssl_cert_sni                  | **Optional.** Sets the TLS SNI (Server Name Indication) extension.
+ssl_cert_timeout              | **Optional.** Seconds before connection times out (default: 15)
+ssl_cert_protocol             | **Optional.** Use the specific protocol {http,smtp,pop3,imap,ftp,xmpp,irc,ldap} (default: http).
+ssl_cert_clientcert           | **Optional.** Use client certificate to authenticate.
+ssl_cert_clientpass           | **Optional.** Set passphrase for client certificate.
+ssl_cert_ssllabs              | **Optional.** SSL Labs assessment
+ssl_cert_ssllabs_nocache      | **Optional.** Forces a new check by SSL Labs
+ssl_cert_rootcert             | **Optional.** Root certificate or directory to be used for certificate validation.
+ssl_cert_ignore_signature     | **Optional.** Do not check if the certificate was signed with SHA1 od MD5.
+ssl_cert_ssl_version          | **Optional.** Force specific SSL version out of {ssl2,ssl3,tls1,tls1_1,tls1_2}.
+ssl_cert_disable_ssl_versions | **Optional.** Disable specific SSL versions out of {ssl2,ssl3,tls1,tls1_1,tls1_2}. Multiple versions can be given as array.
+ssl_cert_cipher               | **Optional.** Cipher selection: force {ecdsa,rsa} authentication.
+ssl_cert_ignore_expiration    | **Optional.** Ignore expiration date.
+ssl_cert_ignore_host_cn       | **Optional.** Do not complain if the CN does not match.
+ssl_cert_ignore_ocsp          | **Optional.** Do not check revocation with OCSP.
+ssl_cert_ignore_ocsp_errors   | **Optional.** Continue if the OCSP status cannot be checked.
+ssl_cert_ignore_ocsp_timeout  | **Optional.** Ignore OCSP result when timeout occurs while checking.
+ssl_cert_ignore_sct           | **Optional.** Do not check for signed certificate timestamps.
+ssl_cert_ignore_tls_renegotiation  | **Optional.** Do not check for renegotiation.


 #### jmx4perl <a id="plugin-contrib-command-jmx4perl"></a>
--- a/doc/11-cli-commands.md
+++ b/doc/11-cli-commands.md
@ -22,7 +22,7 @@ Supported commands:
  * api setup (setup for API)
  * ca list (lists all certificate signing requests)
  * ca restore (restores a removed certificate request)
-  * ca remove (removes an outstanding certificate request)
+  * ca remove (removes an outstanding certificate request)  
  * ca sign (signs an outstanding certificate request)
  * console (Icinga debug console)
  * daemon (starts Icinga 2)
@ -73,7 +73,7 @@ RPM and Debian packages install the bash completion files into

 You need to install the `bash-completion` package if not already installed.

-RHEL/Fedora:
+RHEL/CentOS/Fedora:

 ```bash
 yum install bash-completion
--- a/doc/12-icinga2-api.md
+++ b/doc/12-icinga2-api.md
@ -115,7 +115,7 @@ You can also use [jq](https://stedolan.github.io/jq/) or `python -m json.tool`
 in combination with curl on the CLI.

 ```bash
-curl ... | jq
+curl ... | jq 
 curl ... | python -m json.tool
 ```

@ -288,7 +288,6 @@ Available permissions for specific URL endpoints:
  config/query                  | /v1/config    | No                | 1
  config/modify                 | /v1/config    | No                | 512
  console                       | /v1/console   | No                | 1
-  debug                         | /v1/debug     | No                | 1
  events/&lt;type&gt;           | /v1/events    | No                | 1
  objects/query/&lt;type&gt;    | /v1/objects   | Yes               | 1
  objects/create/&lt;type&gt;   | /v1/objects   | No                | 1
@ -566,7 +565,7 @@ created by the API.
 ### Querying Objects <a id="icinga2-api-config-objects-query"></a>

 You can request information about configuration objects by sending
-a `GET` query to the `/v1/objects/<type>` URL endpoint. `<type>` has
+a `GET` query to the `/v1/objects/<type>` URL endpoint. `<type` has
 to be replaced with the plural name of the object type you are interested
 in:

@ -814,7 +813,7 @@ parameters need to be passed inside the JSON body:

  Parameters        | Type         | Description
  ------------------|--------------|--------------------------
-  templates         | Array        | **Optional.** Import existing configuration templates for this object type. Note: These templates must either be statically configured or provided in [config packages](12-icinga2-api.md#icinga2-api-config-management).
+  templates         | Array        | **Optional.** Import existing configuration templates for this object type. Note: These templates must either be statically configured or provided in [config packages](12-icinga2-api.md#icinga2-api-config-management)-
  attrs             | Dictionary   | **Required.** Set specific object attributes for this [object type](09-object-types.md#object-types).
  ignore\_on\_error | Boolean      | **Optional.** Ignore object creation errors and return an HTTP 200 status instead.

@ -951,7 +950,7 @@ list the latter in the `restore_attrs` parameter. E.g.:
 ```bash
 curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
 -X POST 'https://localhost:5665/v1/objects/hosts/example.localdomain' \
- -d '{ "restore_attrs": [ "address", "vars.os" ], "pretty": true }'
+ -d '{ "restore_attrs": [ "address", "vars.os" ] }, "pretty": true }'
 ```

 ```json
@ -1009,7 +1008,7 @@ curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
 There are several actions available for Icinga 2 provided by the `/v1/actions`
 URL endpoint. You can run actions by sending a `POST` request.

-The following actions are also used by [Icinga Web 2](https://icinga.com/docs/icinga-web/latest/):
+The following actions are also used by [Icinga Web 2](https://icinga.com/products/icinga-web-2/):

 * sending check results to Icinga from scripts, remote agents, etc.
 * scheduling downtimes from external scripts or cronjobs
@ -1658,14 +1657,14 @@ Send a `POST` request to the URL endpoint `/v1/actions/execute-command`.
  --------------|------------|--------------
  ttl           | Number     | **Required.** The time to live of the execution expressed in seconds.
  command_type  | String     | **Optional.** The command type: `CheckCommand` or `EventCommand` or `NotificationCommand`. Default: `EventCommand`
-  command       | String     | **Optional.** The command to execute. Its type must the same as `command_type`. It can be a macro string. Default: depending on the `command_type` it's either `$check_command$`, `$event_command$` or `$notification_command$`
+  command       | String     | **Optional.** The command to execute. Its type must the same as `command_type`. It can be a macro string. Default: depending on the `command_type` it's either `$check_command$`, `$event_command$` or `$notification_command$`   
  endpoint      | String     | **Optional.** The endpoint to execute the command on. It can be a macro string. Default: `$command_endpoint$`.
  macros        | Dictionary | **Optional.** Macro overrides. Default: `{}`
-  user          | String     | **Optional.** The user used for the notification command.
+  user          | String     | **Optional.** The user used for the notification command. 
  notification  | String     | **Optional.** The notification used for the notification command.
-
+  
 Example:
-
+  
 ```bash
 curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
 -X POST 'https://localhost:5665/v1/actions/execute-command' \
@ -1879,32 +1878,6 @@ Example for all object events:
  timestamp     | Timestamp     | Unix timestamp when the event happened.
  downtime      | Dictionary    | Serialized [Downtime](09-object-types.md#objecttype-downtime) object.

-#### <a id="icinga2-api-event-streams-type-objectcreated"></a> Event Stream Type: ObjectCreated
-
-| Name         | Type      | Description                                                    |
-|--------------|-----------|----------------------------------------------------------------|
-| type         | String    | Event type `ObjectCreated`.                                    |
-| timestamp    | Timestamp | Unix timestamp when the event happened.                        |
-| object\_type | String    | Type of the newly created object, such as `Host` or `Service`. |
-| object\_name | String    | The full name of the object.                                   |
-
-#### <a id="icinga2-api-event-streams-type-objectmodified"></a> Event Stream Type: ObjectModified
-
-| Name         | Type      | Description                                               |
-|--------------|-----------|-----------------------------------------------------------|
-| type         | String    | Event type `ObjectModified`.                              |
-| timestamp    | Timestamp | Unix timestamp when the event happened.                   |
-| object\_type | String    | Type of the modified object, such as `Host` or `Service`. |
-| object\_name | String    | The full name of the object.                              |
-
-#### <a id="icinga2-api-event-streams-type-objectdeleted"></a> Event Stream Type: ObjectDeleted
-
-| Name         | Type      | Description                                              |
-|--------------|-----------|----------------------------------------------------------|
-| type         | String    | Event type `ObjectDeleted`.                              |
-| timestamp    | Timestamp | Unix timestamp when the event happened.                  |
-| object\_type | String    | Type of the deleted object, such as `Host` or `Service`. |
-| object\_name | String    | The full name of the object.                             |

 ### Event Stream Filter <a id="icinga2-api-event-streams-filter"></a>

@ -2374,7 +2347,7 @@ Creation, modification and deletion of templates at runtime is not supported.
 ### Querying Templates <a id="icinga2-api-config-templates-query"></a>

 You can request information about configuration templates by sending
-a `GET` query to the `/v1/templates/<type>` URL endpoint. `<type>` has
+a `GET` query to the `/v1/templates/<type>` URL endpoint. `<type` has
 to be replaced with the plural name of the object type you are interested
 in:

@ -2529,72 +2502,6 @@ curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
 }
 ```

-## Memory Usage Analysis <a id="icinga2-api-memory"></a>
-
-The GNU libc function `malloc_info(3)` provides memory allocation and usage
-statistics of Icinga 2 itself. You can call it directly by sending a `GET`
-request to the URL endpoint `/v1/debug/malloc_info`.
-
-The [API permission](12-icinga2-api.md#icinga2-api-permissions) `debug` is required.
-
-Example:
-
-```bash
-curl -k -s -S -i -u root:icinga https://localhost:5665/v1/debug/malloc_info
-```
-
-In contrast to other API endpoints, the response is not JSON,
-but the raw XML output from `malloc_info(3)`. See also the
-[glibc malloc(3) internals](https://sourceware.org/glibc/wiki/MallocInternals).
-
-```xml
-<malloc version="1">
-  <heap nr="0">
-    <sizes>
-      <size from="33" to="48" total="96" count="2"/>
-      <size from="49" to="64" total="192" count="3"/>
-      <size from="65" to="80" total="80" count="1"/>
-      <unsorted from="84817" to="84817" total="84817" count="1"/>
-    </sizes>
-    <total type="fast" count="6" size="368"/>
-    <total type="rest" count="2" size="859217"/>
-    <system type="current" size="7409664"/>
-    <system type="max" size="7409664"/>
-    <aspace type="total" size="7409664"/>
-    <aspace type="mprotect" size="7409664"/>
-  </heap>
-  <!-- ... -->
-  <heap nr="30">
-    <sizes>
-      <size from="17" to="32" total="96" count="3"/>
-      <size from="33" to="48" total="576" count="12"/>
-      <size from="49" to="64" total="64" count="1"/>
-      <size from="97" to="112" total="3584" count="32"/>
-      <size from="49" to="49" total="98" count="2"/>
-      <size from="81" to="81" total="810" count="10"/>
-      <size from="257" to="257" total="2827" count="11"/>
-      <size from="689" to="689" total="689" count="1"/>
-      <size from="705" to="705" total="705" count="1"/>
-      <unsorted from="81" to="81" total="81" count="1"/>
-    </sizes>
-    <total type="fast" count="48" size="4320"/>
-    <total type="rest" count="27" size="118618"/>
-    <system type="current" size="135168"/>
-    <system type="max" size="135168"/>
-    <aspace type="total" size="135168"/>
-    <aspace type="mprotect" size="135168"/>
-    <aspace type="subheaps" size="1"/>
-  </heap>
-  <total type="fast" count="938" size="79392"/>
-  <total type="rest" count="700" size="4409469"/>
-  <total type="mmap" count="0" size="0"/>
-  <system type="current" size="15114240"/>
-  <system type="max" size="15114240"/>
-  <aspace type="total" size="15114240"/>
-  <aspace type="mprotect" size="15114240"/>
-</malloc>
-```
-
 ## API Clients <a id="icinga2-api-clients"></a>

 After its initial release in 2015, community members
@ -2638,7 +2545,7 @@ Name												| Language	| Description
 [BitBar for OSX](https://getbitbar.com/plugins/Dev/Icinga2/icinga2.24m.py)			| Python	| macOS tray app for highlighting the host/service status
 [Icinga 2 Multistatus](https://chrome.google.com/webstore/detail/icinga-multi-status/khabbhcojgkibdeipanmiphceeoiijal/related)	| - 	| Chrome Extension
 [Naglite4](https://github.com/wftech/icinga2-naglite4)						| Python	| Naglite3 rewrite using the Icinga 2 REST API.
-[icinga-telegram-bot](https://github.com/joni1993/icinga-telegram-bot)				| Python	| Telegram Bot using the Icinga 2 REST API
+[icinga-telegram-bot](https://github.com/joni1993/icinga-telegram-bot)				| Python	| Telegram Bot using the Icinga 2 REST API 

 ### Manage Objects <a id="icinga2-api-clients-management"></a>

@ -2699,7 +2606,7 @@ The following languages are covered:
 * [Golang](12-icinga2-api.md#icinga2-api-clients-programmatic-examples-golang)
 * [Powershell](12-icinga2-api.md#icinga2-api-clients-programmatic-examples-powershell)

-The [request method](#icinga2-api-requests) is `POST` using [X-HTTP-Method-Override: GET](12-icinga2-api.md#icinga2-api-requests-method-override)
+The [request method](icinga2-api-requests) is `POST` using [X-HTTP-Method-Override: GET](12-icinga2-api.md#icinga2-api-requests-method-override)
 which allows you to send a JSON request body. The examples request specific service
 attributes joined with host attributes. `attrs` and `joins` are therefore specified
 as array.
--- a/doc/13-addons.md
+++ b/doc/13-addons.md
@ -32,7 +32,7 @@ vim /etc/icinga2/conf.d/templates.conf

 Install the package `nano-icinga2` with your distribution's package manager.

-**Note:** On Debian, Ubuntu and Raspberry Pi OS, the syntax files are installed with the `icinga2-common` package already.
+**Note:** On Debian, Ubuntu and Raspbian, the syntax files are installed with the `icinga2-common` package already.

 Copy the `/etc/nanorc` sample file to your home directory.

@ -71,6 +71,9 @@ via email.

 ![Icinga Reporting](images/addons/icinga_reporting.png)

+Follow along in this [hands-on blog post](https://icinga.com/2019/06/17/icinga-reporting-hands-on/).
+
+
 ## Graphs and Metrics <a id="addons-graphs-metrics"></a>

 ### Graphite <a id="addons-graphing-graphite"></a>
@ -182,7 +185,7 @@ in a tree or list overview and can be added to any dashboard.

 ![Icinga Web 2 Business Process](images/addons/icingaweb2_businessprocess.png)

-Read more [here](https://icinga.com/docs/icinga-business-process-modeling/latest/).
+Read more [here](https://icinga.com/products/icinga-business-process-modelling/).

 ### Certificate Monitoring <a id="addons-visualization-certificate-monitoring"></a>

@ -191,7 +194,8 @@ actions and view all details at a glance.

 ![Icinga Certificate Monitoring](images/addons/icinga_certificate_monitoring.png)

-Read more [here](https://icinga.com/products/icinga-certificate-monitoring/).
+Read more [here](https://icinga.com/products/icinga-certificate-monitoring/)
+and [here](https://icinga.com/2019/06/03/monitoring-automation-with-icinga-certificate-monitoring/).

 ### Dashing Dashboard <a id="addons-visualization-dashing-dashboard"></a>

@ -200,7 +204,7 @@ on top of Dashing and uses the [REST API](12-icinga2-api.md#icinga2-api) to visu
 on with your monitoring. It combines several popular widgets and provides development
 instructions for your own implementation.

-The dashboard also allows to embed the [Icinga Web 2](https://icinga.com/docs/icinga-web/latest/)
+The dashboard also allows to embed the [Icinga Web 2](https://icinga.com/products/icinga-web-2/)
 host and service problem lists as Iframe.

 ![Dashing dashboard](images/addons/dashing_icinga2.png)
@ -230,6 +234,10 @@ There's a variety of resources available, for example different notification scr
 * Ticket systems
 * etc.

+Blog posts and howtos:
+
+* [Environmental Monitoring and Alerting](https://icinga.com/2019/09/02/environmental-monitoring-and-alerting-via-text-message/)
+
 Additionally external services can be [integrated with Icinga 2](https://icinga.com/products/integrations/):

 * [Pagerduty](https://icinga.com/products/integrations/pagerduty/)
--- a/doc/14-features.md
+++ b/doc/14-features.md
@ -52,7 +52,7 @@ Icinga DB is a set of components for publishing, synchronizing and
 visualizing monitoring data in the Icinga ecosystem, consisting of:

 * Icinga 2 with its `icingadb` feature enabled,
-  responsible for publishing monitoring data to a Redis server, i.e. configuration and its runtime updates,
+  responsible for publishing monitoring data to a Redis server, i.e. configuration and its runtime updates,  
  check results, state changes, downtimes, acknowledgements, notifications, and other events such as flapping
 * The [Icinga DB daemon](https://icinga.com/docs/icinga-db),
  which synchronizes the data between the Redis server and a database
@ -106,7 +106,7 @@ The current naming schema is defined as follows. The [Icinga Web 2 Graphite modu
 depends on this schema.

 The default prefix for hosts and services is configured using
-[runtime macros](03-monitoring-basics.md#runtime-macros) like this:
+[runtime macros](03-monitoring-basics.md#runtime-macros)like this:

 ```
 icinga2.$host.name$.host.$host.check_command$
@ -815,6 +815,16 @@ apt-get install icinga2-ido-mysql
    default. You can skip the automated setup and install/upgrade the
    database manually if you prefer.

+###### CentOS 7
+
+!!! info
+
+    Note that installing `icinga2-ido-mysql` is only supported on CentOS 7 as CentOS 8 is EOL.
+
+```bash
+yum install icinga2-ido-mysql
+```
+
 ###### RHEL 8

 ```bash
@ -904,6 +914,16 @@ apt-get install icinga2-ido-pgsql
    You can skip the automated setup and install/upgrade the database manually
    if you prefer that.

+###### CentOS 7
+
+!!! info
+
+    Note that installing `icinga2-ido-pgsql` is only supported on CentOS 7 as CentOS 8 is EOL.
+
+```bash
+yum install icinga2-ido-pgsql
+```
+
 ###### RHEL 8

 ```bash
--- a/doc/15-troubleshooting.md
+++ b/doc/15-troubleshooting.md
@ -19,8 +19,8 @@ findings and details please.
 	* `icinga2 --version`
 	* `icinga2 feature list`
 	* `icinga2 daemon -C`
-	* [Icinga Web 2](https://icinga.com/docs/icinga-web/latest/) version (screenshot from System - About)
-	* Icinga Web 2 modules e.g. the Icinga Director (optional)
+	* [Icinga Web 2](https://icinga.com/products/icinga-web-2/) version (screenshot from System - About)
+	* [Icinga Web 2 modules](https://icinga.com/products/icinga-web-2-modules/) e.g. the Icinga Director (optional)
 * Configuration insights:
 	* Provide complete configuration snippets explaining your problem in detail
 	* Your [icinga2.conf](04-configuration.md#icinga2-conf) file
@ -176,64 +176,6 @@ C:\> cd C:\ProgramData\icinga2\var\log\icinga2
 C:\ProgramData\icinga2\var\log\icinga2> Get-Content .\debug.log -tail 10 -wait
 ```

-### Enable/Disable Debug Output on the fly <a id="troubleshooting-enable-disable-debug-output-api"></a>
-
-The `debuglog` feature can also be created and deleted at runtime without having to restart Icinga 2.
-Technically, this is possible because this feature is a [FileLogger](09-object-types.md#objecttype-filelogger)
-that can be managed through the [API](12-icinga2-api.md#icinga2-api-config-objects).
-
-This is a good alternative to `icinga2 feature enable debuglog` as object
-creation/deletion via API happens immediately and requires no restart.
-
-The above matters in setups large enough for the reload to take a while.
-Especially these produce a lot of debug log output until disabled again.
-
-!!! info
-
-    In case of [an HA zone](06-distributed-monitoring.md#distributed-monitoring-scenarios-ha-master-agents),
-    the following API examples toggle the feature on both nodes.
-
-#### Enable Debug Output on the fly <a id="troubleshooting-enable-debug-output-api"></a>
-
-```bash
-curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
- -X PUT 'https://localhost:5665/v1/objects/fileloggers/on-the-fly-debug-file' \
- -d '{ "attrs": { "severity": "debug", "path": "/var/log/icinga2/on-the-fly-debug.log" }, "pretty": true }'
-```
-
-```json
-{
-    "results": [
-        {
-            "code": 200.0,
-            "status": "Object was created."
-        }
-    ]
-}
-```
-
-#### Disable Debug Output on the fly <a id="troubleshooting-disable-debug-output-api"></a>
-
-This works only for debug loggers enabled on the fly as above!
-
-```bash
-curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
- -X DELETE 'https://localhost:5665/v1/objects/fileloggers/on-the-fly-debug-file?pretty=1'
-```
-
-```json
-{
-    "results": [
-        {
-            "code": 200.0,
-            "name": "on-the-fly-debug-file",
-            "status": "Object was deleted.",
-            "type": "FileLogger"
-        }
-    ]
-}
-```
-
 ## Icinga starts/restarts/reloads very slowly

 ### Try swapping out the allocator
@ -872,7 +814,7 @@ trying because you probably have a problem that requires manual intervention.

 ### Late Check Results <a id="late-check-results"></a>

-[Icinga Web 2](https://icinga.com/docs/icinga-web/latest/) provides
+[Icinga Web 2](https://icinga.com/products/icinga-web-2/) provides
 a dashboard overview for `overdue checks`.

 The REST API provides the [status](12-icinga2-api.md#icinga2-api-status) URL endpoint with some generic metrics
@ -887,7 +829,8 @@ You can also calculate late check results via the REST API:
 * Fetch the `last_check` timestamp from each object
 * Compare the timestamp with the current time and add `check_interval` multiple times (change it to see which results are really late, like five times check_interval)

-You can use the [icinga2 console](11-cli-commands.md#cli-command-console) to connect to the instance, fetch all data and calculate the differences.
+You can use the [icinga2 console](11-cli-commands.md#cli-command-console) to connect to the instance, fetch all data
+and calculate the differences. More infos can be found in [this blogpost](https://icinga.com/2016/08/11/analyse-icinga-2-problems-using-the-console-api/).

 ```
 # ICINGA2_API_USERNAME=root ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://localhost:5665/'
@ -935,7 +878,7 @@ actively attempts to schedule and execute checks. Otherwise the node does not fe
 }
 ```

-You may ask why this analysis is important? Fair enough - if the numbers are not inverted in an HA zone
+You may ask why this analysis is important? Fair enough - if the numbers are not inverted in a HA zone
 with two members, this may give a hint that the cluster nodes are in a split-brain scenario, or you've
 found a bug in the cluster.

@ -1697,9 +1640,6 @@ Typical errors are:
 * The api feature doesn't [accept config](06-distributed-monitoring.md#distributed-monitoring-top-down-config-sync). This is logged into `/var/lib/icinga2/icinga2.log`.
 * The received configuration zone is not configured in [zones.conf](04-configuration.md#zones-conf) and Icinga denies it. This is logged into `/var/lib/icinga2/icinga2.log`.
 * The satellite/agent has local configuration in `/etc/icinga2/zones.d` and thinks it is authoritive for this zone. It then denies the received update. Purge the content from `/etc/icinga2/zones.d`, `/var/lib/icinga2/api/zones/*` and restart Icinga to fix this.
-* Configuration parts stored outside of `/etc/icinga2/zones.d` on the master, for example a constant in `/etc/icinga2/constants.conf`, are then missing on the satellite/agent.
-
-Note that if set up, the [built-in icinga CheckCommand](10-icinga-template-library.md#icinga) will notify you in case the config sync wasn't successful.

 #### New configuration does not trigger a reload <a id="troubleshooting-cluster-config-sync-no-reload"></a>

--- a/doc/17-language-reference.md
+++ b/doc/17-language-reference.md
@ -97,7 +97,6 @@ Character                 | Escape sequence
 --------------------------|------------------------------------
 "                         | \\"
 \\                        | \\\\
-$                         | $$
 &lt;TAB&gt;               | \\t
 &lt;CARRIAGE-RETURN&gt;   | \\r
 &lt;LINE-FEED&gt;         | \\n
@ -108,10 +107,6 @@ In addition to these pre-defined escape sequences you can specify
 arbitrary ASCII characters using the backslash character (\\) followed
 by an ASCII character in octal encoding.

-In Icinga 2, the `$` character is reserved for resolving [runtime macros](03-monitoring-basics.md#runtime-macros).
-However, in situations where a string that isn't intended to be used as a runtime macro contains the `$` character,
-it is necessary to escape it with another `$` character.
-
 ### Multi-line String Literals <a id="multiline-string-literals"></a>

 Strings spanning multiple lines can be specified by enclosing them in
--- a/doc/18-library-reference.md
+++ b/doc/18-library-reference.md
@ -1648,9 +1648,9 @@ Example:
 function set_x(val) {
  this.x = val
 }
-
+	
 dict = {}
-
+	
 set_x.call(dict, 7) /* Invokes set_x using `dict` as `this` */
 ```

@ -1671,7 +1671,7 @@ Example:
 function set_x(val) {
  this.x = val
 }
-
+	
 var dict = {}

 var args = [ 7 ]
--- a/doc/19-technical-concepts.md
+++ b/doc/19-technical-concepts.md
@ -651,7 +651,7 @@ authority = endpoints[Utility::SDBM(object->GetName()) % endpoints.size()] == my
 that by querying the `paused` attribute for all objects via REST API
 or debug console on both endpoints.

-Endpoints inside an HA zone calculate the object authority independent from each other.
+Endpoints inside a HA zone calculate the object authority independent from each other.
 This object authority is important for selected features explained below.

 Since features are configuration objects too, you must ensure that all nodes
@ -1887,7 +1887,7 @@ source         | String        | The execution UUID

 Special handling, calls `ClusterEvents::EnqueueCheck()` for command endpoint checks.
 This function enqueues check tasks into a queue which is controlled in `RemoteCheckThreadProc()`.
-If the `endpoint` parameter is specified and is not equal to the local endpoint then the message is forwarded to the correct endpoint zone.
+If the `endpoint` parameter is specified and is not equal to the local endpoint then the message is forwarded to the correct endpoint zone. 

 ##### Permissions

@ -1932,7 +1932,7 @@ executions     | Dictionary    | Executions to be updated
 ##### Functions

 **Event Sender:** `ClusterEvents::ExecutedCommandAPIHandler`, `ClusterEvents::UpdateExecutionsAPIHandler`, `ApiActions::ExecuteCommand`
-**Event Receiver:** `ClusterEvents::UpdateExecutionsAPIHandler`
+**Event Receiver:** `ClusterEvents::UpdateExecutionsAPIHandler` 

 ##### Permissions

@ -1962,7 +1962,7 @@ Key            | Type          | Description
 host           | String        | Host name.
 service        | String        | Service name.
 execution      | String        | The execution ID executed.
-exitStatus     | Number        | The command exit status.
+exitStatus     | Number        | The command exit status. 
 output         | String        | The command output.
 start          | Number        | The unix timestamp at the start of the command execution
 end            | Number        | The unix timestamp at the end of the command execution
@ -1970,7 +1970,7 @@ end            | Number        | The unix timestamp at the end of the command ex
 ##### Functions

 **Event Sender:** `ClusterEvents::ExecuteCheckFromQueue`, `ClusterEvents::ExecuteCommandAPIHandler`
-**Event Receiver:** `ClusterEvents::ExecutedCommandAPIHandler`
+**Event Receiver:** `ClusterEvents::ExecutedCommandAPIHandler` 

 ##### Permissions

--- a/doc/21-development.md
+++ b/doc/21-development.md
@ -48,7 +48,7 @@ or `icinga2-ido-mysql`.
 Distribution       | Command
 -------------------|------------------------------------------
 Debian/Ubuntu      | `apt-get install icinga2-dbg`
-RHEL               | `yum install icinga2-debuginfo`
+RHEL/CentOS        | `yum install icinga2-debuginfo`
 Fedora             | `dnf install icinga2-debuginfo icinga2-bin-debuginfo icinga2-ido-mysql-debuginfo`
 SLES/openSUSE      | `zypper install icinga2-bin-debuginfo icinga2-ido-mysql-debuginfo`

@ -65,7 +65,7 @@ Install GDB in your development environment.
 Distribution       | Command
 -------------------|------------------------------------------
 Debian/Ubuntu      | `apt-get install gdb`
-RHEL               | `yum install gdb`
+RHEL/CentOS        | `yum install gdb`
 Fedora             | `dnf install gdb`
 SLES/openSUSE      | `zypper install gdb`

@ -477,18 +477,18 @@ File Type: EXECUTABLE IMAGE

  Image has the following dependencies:

-    boost_coroutine-vc142-mt-gd-x64-1_85.dll
-    boost_date_time-vc142-mt-gd-x64-1_85.dll
-    boost_filesystem-vc142-mt-gd-x64-1_85.dll
-    boost_thread-vc142-mt-gd-x64-1_85.dll
-    boost_regex-vc142-mt-gd-x64-1_85.dll
+    boost_coroutine-vc142-mt-gd-x64-1_83.dll
+    boost_date_time-vc142-mt-gd-x64-1_83.dll
+    boost_filesystem-vc142-mt-gd-x64-1_83.dll
+    boost_thread-vc142-mt-gd-x64-1_83.dll
+    boost_regex-vc142-mt-gd-x64-1_83.dll
    libssl-3_0-x64.dll
    libcrypto-3_0-x64.dll
    WS2_32.dll
    dbghelp.dll
    SHLWAPI.dll
    msi.dll
-    boost_unit_test_framework-vc142-mt-gd-x64-1_85.dll
+    boost_unit_test_framework-vc142-mt-gd-x64-1_83.dll
    KERNEL32.dll
    SHELL32.dll
    ADVAPI32.dll
@ -537,7 +537,7 @@ packages.
 If you encounter a problem, please [open a new issue](https://github.com/Icinga/icinga2/issues/new/choose)
 on GitHub and mention that you're testing the snapshot packages.

-#### RHEL <a id="development-tests-snapshot-packages-rhel"></a>
+#### RHEL/CentOS <a id="development-tests-snapshot-packages-rhel"></a>

 2.11+ requires the EPEL repository for Boost 1.66+.

@ -1332,6 +1332,9 @@ autocmd BufWinLeave * call clearmatches()

 ### Linux Dev Environment <a id="development-linux-dev-env"></a>

+Based on CentOS 7, we have an early draft available inside the Icinga Vagrant boxes:
+[centos7-dev](https://github.com/Icinga/icinga-vagrant/tree/master/centos7-dev).
+
 If you're compiling Icinga 2 natively without any virtualization layer in between,
 this usually is faster. This is also the reason why developers on macOS prefer native builds
 over Linux or Windows VMs. Don't forget to test the actual code on Linux later! Socket specific
@ -1354,20 +1357,21 @@ mkdir -p release debug
 Proceed with the specific distribution examples below. Keep in mind that these instructions
 are best effort and sometimes out-of-date. Git Master may contain updates.

-* [Fedora 40](21-development.md#development-linux-dev-env-fedora)
+* [CentOS 7](21-development.md#development-linux-dev-env-centos)
 * [Debian 10 Buster](21-development.md#development-linux-dev-env-debian)
 * [Ubuntu 18 Bionic](21-development.md#development-linux-dev-env-ubuntu)

-#### Fedora 40 <a id="development-linux-dev-env-fedora"></a>
+
+#### CentOS 7 <a id="development-linux-dev-env-centos"></a>

 ```bash
-yum -y install gdb vim git bash-completion htop
+yum -y install gdb vim git bash-completion htop centos-release-scl

 yum -y install rpmdevtools ccache \
- cmake make gcc-c++ flex bison \
- openssl-devel boost-devel systemd-devel \
+ cmake make devtoolset-11-gcc-c++ flex bison \
+ openssl-devel boost169-devel systemd-devel \
 mysql-devel postgresql-devel libedit-devel \
- libstdc++-devel
+ devtoolset-11-libstdc++-devel

 groupadd icinga
 groupadd icingacmd
@ -1385,42 +1389,47 @@ slower but allows for better debugging insights.
 For benchmarks, change `CMAKE_BUILD_TYPE` to `RelWithDebInfo` and
 build inside the `release` directory.

-First, override the default prefix path.
+First, off export some generics for Boost.

 ```bash
-export I2_GENERIC="-DCMAKE_INSTALL_PREFIX=/usr/local/icinga2"
+export I2_BOOST="-DBoost_NO_BOOST_CMAKE=TRUE -DBoost_NO_SYSTEM_PATHS=TRUE -DBOOST_LIBRARYDIR=/usr/lib64/boost169 -DBOOST_INCLUDEDIR=/usr/include/boost169 -DBoost_ADDITIONAL_VERSIONS='1.69;1.69.0'"
 ```

-Second, define the two build types with their specific CMake variables.
+Second, add the prefix path to it.
+
+```bash
+export I2_GENERIC="$I2_BOOST -DCMAKE_INSTALL_PREFIX=/usr/local/icinga2"
+```
+
+Third, define the two build types with their specific CMake variables.

 ```bash
 export I2_DEBUG="-DCMAKE_BUILD_TYPE=Debug -DICINGA2_UNITY_BUILD=OFF $I2_GENERIC"
 export I2_RELEASE="-DCMAKE_BUILD_TYPE=RelWithDebInfo -DICINGA2_WITH_TESTS=ON -DICINGA2_UNITY_BUILD=ON $I2_GENERIC"
 ```

-Third, depending on your likings, you may use a bash alias for building,
+Fourth, depending on your likings, you may add a bash alias for building,
 or invoke the commands inside:

 ```bash
-alias i2_debug="cd /root/icinga2; mkdir -p debug; cd debug; cmake $I2_DEBUG ..; make -j2; sudo make -j2 install; cd .."
-alias i2_release="cd /root/icinga2; mkdir -p release; cd release; cmake $I2_RELEASE ..; make -j2; sudo make -j2 install; cd .."
+alias i2_debug="cd /root/icinga2; mkdir -p debug; cd debug; scl enable devtoolset-11 -- cmake $I2_DEBUG ..; make -j2; sudo make -j2 install; cd .."
+alias i2_release="cd /root/icinga2; mkdir -p release; cd release; scl enable devtoolset-11 -- cmake $I2_RELEASE ..; make -j2; sudo make -j2 install; cd .."
 ```

-```bash
-i2_debug
-```
+This is taken from the [centos7-dev](https://github.com/Icinga/icinga-vagrant/tree/master/centos7-dev) Vagrant box.
+

 The source installation doesn't set proper permissions, this is
 handled in the package builds which are officially supported.

 ```bash
-chown -R icinga:icinga /usr/local/icinga2/{etc,var}/
+chown -R icinga:icinga /usr/local/icinga2/var/

 /usr/local/icinga2/lib/icinga2/prepare-dirs /usr/local/icinga2/etc/sysconfig/icinga2
 /usr/local/icinga2/sbin/icinga2 api setup
 vim /usr/local/icinga2/etc/icinga2/conf.d/api-users.conf

-/usr/local/icinga2/lib64/icinga2/sbin/icinga2 daemon
+/usr/local/icinga2/lib/icinga2/sbin/icinga2 daemon
 ```

 #### Debian 10 <a id="development-linux-dev-env-debian"></a>
@ -1467,7 +1476,7 @@ The source installation doesn't set proper permissions, this is
 handled in the package builds which are officially supported.

 ```bash
-chown -R icinga:icinga /usr/local/icinga2/{etc,var}/
+chown -R icinga:icinga /usr/local/icinga2/var/

 /usr/local/icinga2/lib/icinga2/prepare-dirs /usr/local/icinga2/etc/sysconfig/icinga2
 /usr/local/icinga2/sbin/icinga2 api setup
@ -1531,7 +1540,7 @@ The source installation doesn't set proper permissions, this is
 handled in the package builds which are officially supported.

 ```bash
-chown -R icinga:icinga /usr/local/icinga2/{etc,var}/
+chown -R icinga:icinga /usr/local/icinga2/var/

 /usr/local/icinga2/lib/icinga2/prepare-dirs /usr/local/icinga2/etc/sysconfig/icinga2
 /usr/local/icinga2/sbin/icinga2 api setup
@ -1736,12 +1745,10 @@ and don't care for the details,

 1. ensure there are 35 GB free space on C:
 2. run the following in an administrative Powershell:
-    1. Windows Server only:
-       `Enable-WindowsOptionalFeature -FeatureName NetFx3ServerFeatures -Online`
-    2. `Enable-WindowsOptionalFeature -FeatureName NetFx3 -Online`
-       (reboot when asked!)
-    3. `powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Icinga/icinga2/master/doc/win-dev.ps1')"`
-       (will take some time)
+  1. `Enable-WindowsOptionalFeature -FeatureName "NetFx3" -Online`
+     (reboot when asked!)
+  2. `powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Icinga/icinga2/master/doc/win-dev.ps1')"`
+    (will take some time)

 This installs everything needed for cloning and building Icinga 2
 on the command line (Powershell) as follows:
@ -1756,7 +1763,7 @@ mkdir build
 cd .\build\

 & "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe" `
-  -DICINGA2_UNITY_BUILD=OFF -DBoost_INCLUDE_DIR=C:\local\boost_1_85_0-Win64 `
+  -DICINGA2_UNITY_BUILD=OFF -DBoost_INCLUDE_DIR=C:\local\boost_1_83_0-Win64 `
  -DBISON_EXECUTABLE=C:\ProgramData\chocolatey\lib\winflexbison3\tools\win_bison.exe `
  -DFLEX_EXECUTABLE=C:\ProgramData\chocolatey\lib\winflexbison3\tools\win_flex.exe ..

@ -1928,16 +1935,16 @@ Download the [boost-binaries](https://sourceforge.net/projects/boost/files/boost
 - 64 for 64 bit builds

 ```
-https://sourceforge.net/projects/boost/files/boost-binaries/1.85.0/boost_1_85_0-msvc-14.2-64.exe/download
+https://sourceforge.net/projects/boost/files/boost-binaries/1.82.0/boost_1_83_0-msvc-14.2-64.exe/download
 ```

-Run the installer and leave the default installation path in `C:\local\boost_1_85_0`.
+Run the installer and leave the default installation path in `C:\local\boost_1_83_0`.


 ##### Source & Compile

 In order to use the boost development header and library files you need to [download](https://www.boost.org/users/download/)
-Boost and then extract it to e.g. `C:\local\boost_1_85_0`.
+Boost and then extract it to e.g. `C:\local\boost_1_83_0`.

 > **Note**
 >
@ -1945,12 +1952,12 @@ Boost and then extract it to e.g. `C:\local\boost_1_85_0`.
 > the archive contains more than 70k files.

 In order to integrate Boost into Visual Studio, open the `Developer Command Prompt` from the start menu,
-and navigate to `C:\local\boost_1_85_0`.
+and navigate to `C:\local\boost_1_83_0`.

 Execute `bootstrap.bat` first.

 ```
-cd C:\local\boost_1_85_0
+cd C:\local\boost_1_83_0
 bootstrap.bat
 ```

@ -2033,8 +2040,8 @@ You need to specify the previously installed component paths.

 Variable              | Value                                                                | Description
 ----------------------|----------------------------------------------------------------------|-------------------------------------------------------
-`BOOST_ROOT`          | `C:\local\boost_1_85_0`                                                    | Root path where you've extracted and compiled Boost.
-`BOOST_LIBRARYDIR`    | Binary: `C:\local\boost_1_85_0\lib64-msvc-14.2`, Source: `C:\local\boost_1_85_0\stage` | Path to the static compiled Boost libraries, directory must contain `lib`.
+`BOOST_ROOT`          | `C:\local\boost_1_83_0`                                                    | Root path where you've extracted and compiled Boost.
+`BOOST_LIBRARYDIR`    | Binary: `C:\local\boost_1_83_0\lib64-msvc-14.2`, Source: `C:\local\boost_1_83_0\stage` | Path to the static compiled Boost libraries, directory must contain `lib`.
 `BISON_EXECUTABLE`    | `C:\ProgramData\chocolatey\lib\winflexbison\tools\win_bison.exe`     | Path to the Bison executable.
 `FLEX_EXECUTABLE`     | `C:\ProgramData\chocolatey\lib\winflexbison\tools\win_flex.exe`      | Path to the Flex executable.
 `ICINGA2_UNITY_BUILD` | OFF                                                                  | Disable unity builds for development environments.
@ -2069,8 +2076,8 @@ $env:ICINGA2_INSTALLPATH = 'C:\Program Files\Icinga2-debug'
 $env:ICINGA2_BUILDPATH='debug'
 $env:CMAKE_BUILD_TYPE='Debug'
 $env:OPENSSL_ROOT_DIR='C:\OpenSSL-Win64'
-$env:BOOST_ROOT='C:\local\boost_1_85_0'
-$env:BOOST_LIBRARYDIR='C:\local\boost_1_85_0\lib64-msvc-14.2'
+$env:BOOST_ROOT='C:\local\boost_1_83_0'
+$env:BOOST_LIBRARYDIR='C:\local\boost_1_83_0\lib64-msvc-14.2'
 ```

 #### Icinga 2 in Visual Studio
@ -2196,7 +2203,7 @@ Icinga application using a dist tarball (including notes for distributions):
    * Debian/Ubuntu: libpq-dev
    * postgresql-dev on Alpine
 * libedit (CLI console)
-    * RHEL/Fedora: libedit-devel (RHEL requires rhel-7-server-optional-rpms)
+    * RHEL/Fedora: libedit-devel on CentOS (RHEL requires rhel-7-server-optional-rpms)
    * Debian/Ubuntu/Alpine: libedit-dev
 * Termcap (only required if libedit doesn't already link against termcap/ncurses)
    * RHEL/Fedora: libtermcap-devel
@ -2336,7 +2343,7 @@ for implementation details.

 CMake determines the Icinga 2 version number using `git describe` if the
 source directory is contained in a Git repository. Otherwise the version number
-is extracted from the `ICINGA2_VERSION` file. This behavior can be
+is extracted from the [ICINGA2_VERSION](ICINGA2_VERSION) file. This behavior can be
 overridden by creating a file called `icinga-version.h.force` in the source
 directory. Alternatively the `-DICINGA2_GIT_VERSION_INFO=OFF` option for CMake
 can be used to disable the usage of `git describe`.
@ -2344,7 +2351,7 @@ can be used to disable the usage of `git describe`.

 ### Building RPMs <a id="development-package-builds-rpms"></a>

-#### Build Environment on RHEL, Fedora, Amazon Linux
+#### Build Environment on RHEL, CentOS, Fedora, Amazon Linux

 Setup your build environment:

@ -2400,7 +2407,7 @@ spectool -g ../SPECS/icinga2.spec
 cd $HOME/rpmbuild
 ```

-Install the build dependencies:
+Install the build dependencies. Example for CentOS 7:

 ```bash
 yum -y install libedit-devel ncurses-devel gcc-c++ libstdc++-devel openssl-devel \
@ -2429,9 +2436,21 @@ rpmbuild -ba SPECS/icinga2.spec
 The following packages are required to build the SELinux policy module:

 * checkpolicy
-* selinux-policy-devel
+* selinux-policy (selinux-policy on CentOS 6, selinux-policy-devel on CentOS 7)
 * selinux-policy-doc

+##### RHEL/CentOS 7
+
+The RedHat Developer Toolset is required for building Icinga 2 beforehand.
+This contains a C++ compiler which supports C++17 features.
+
+```bash
+yum install centos-release-scl
+```
+
+Dependencies to devtools-11 are used in the RPM SPEC, so the correct tools
+should be used for building.
+
 ##### Amazon Linux

 If you prefer to build packages offline, a suitable Vagrant box is located
@ -2522,7 +2541,7 @@ chmod +x /etc/init.d/icinga2

 Icinga 2 reads a single configuration file which is used to specify all
 configuration settings (global settings, hosts, services, etc.). The
-configuration format is explained in detail in the `doc/` directory.
+configuration format is explained in detail in the [doc/](doc/) directory.

 By default `make install` installs example configuration files in
 `/usr/local/etc/icinga2` unless you have specified a different prefix or
--- a/doc/22-selinux.md
+++ b/doc/22-selinux.md
@ -116,19 +116,19 @@ The policy provides a role `icinga2adm_r` for confining an user which enables an

 SELinux is based on the least level of access required for a service to run. Using booleans you can grant more access in a defined way. The Icinga 2 policy package provides the following booleans.

-**icinga2_can_connect_all**
+**icinga2_can_connect_all** 

 Having this boolean enabled allows icinga2 to connect to all ports. This can be necessary if you use features which connect to unconfined services, for example the [influxdb writer](14-features.md#influxdb-writer).

-**icinga2_run_sudo**
+**icinga2_run_sudo** 

 To allow Icinga 2 executing plugins via sudo you can toogle this boolean. It is disabled by default, resulting in error messages like `execvpe(sudo) failed: Permission denied`.

-**httpd_can_write_icinga2_command**
+**httpd_can_write_icinga2_command** 

 To allow httpd to write to the command pipe of icinga2 this boolean has to be enabled. This is enabled by default, if not needed you can disable it for more security.

-**httpd_can_connect_icinga2_api**
+**httpd_can_connect_icinga2_api** 

 Enabling this boolean allows httpd to connect to the API of icinga2 (Ports labeled `icinga2_port_t`). This is enabled by default, if not needed you can disable it for more security.

--- a/doc/23-migrating-from-icinga-1x.md
+++ b/doc/23-migrating-from-icinga-1x.md
@ -1,8 +1,4 @@
-# Migration from Icinga 1.x or Nagios <a id="migration"></a>
-
-!!! note
-
-    Icinga 1.x was originally a fork of Nagios. The information provided here also applies to Nagios.
+# Migration from Icinga 1.x <a id="migration"></a>

 ## Configuration Migration <a id="configuration-migration"></a>

@ -808,7 +804,7 @@ define service {
 }
 ```

-Icinga 2 supports objects and (global) variables, but does not make a difference
+Icinga 2 supports objects and (global) variables, but does not make a difference 
 between the main configuration file or any other included file.

 icinga2.conf:
--- a/doc/24-appendix.md
+++ b/doc/24-appendix.md
@ -692,3 +692,4 @@ the [servicegroups](24-appendix.md#schema-livestatus-servicegroups-table-attribu

 All [services](24-appendix.md#schema-livestatus-services-table-attributes) table attributes grouped with
 the [hostgroups](24-appendix.md#schema-livestatus-hostgroups-table-attributes) table prefixed with `hostgroup_`.
+
--- a/doc/win-dev.ps1
+++ b/doc/win-dev.ps1
@ -13,8 +13,8 @@ function ThrowOnNativeFailure {

 $VsVersion = 2019
 $MsvcVersion = '14.2'
-$BoostVersion = @(1, 86, 0)
-$OpensslVersion = '3_0_15'
+$BoostVersion = @(1, 83, 0)
+$OpensslVersion = '3_0_12'

 switch ($Env:BITS) {
 	32 { }
--- a/etc/icinga2/scripts/mail-host-notification.sh
+++ b/etc/icinga2/scripts/mail-host-notification.sh
@ -165,15 +165,13 @@ if [ -n "$MAILFROM" ] ; then

  ## Debian/Ubuntu use mailutils which requires `-a` to append the header
  if [ -f /etc/debian_version ]; then
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
-    | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
  ## Other distributions (RHEL/SUSE/etc.) prefer mailx which sets a sender address with `-r`
  else
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
-    | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
  fi

 else
-  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
+  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" \
  | $MAILBIN -s "$SUBJECT" $USEREMAIL
 fi
--- a/etc/icinga2/scripts/mail-service-notification.sh
+++ b/etc/icinga2/scripts/mail-service-notification.sh
@ -178,15 +178,13 @@ if [ -n "$MAILFROM" ] ; then

  ## Debian/Ubuntu use mailutils which requires `-a` to append the header
  if [ -f /etc/debian_version ]; then
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
-    | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
  ## Other distributions (RHEL/SUSE/etc.) prefer mailx which sets a sender address with `-r`
  else
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
-    | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
  fi

 else
-  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
+  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" \
  | $MAILBIN -s "$SUBJECT" $USEREMAIL
 fi
--- a/icinga-app/CMakeLists.txt
+++ b/icinga-app/CMakeLists.txt
@ -19,7 +19,7 @@ set_target_properties (
  FOLDER Lib
 )

-include_directories(SYSTEM ${Boost_INCLUDE_DIRS})
+include_directories(${Boost_INCLUDE_DIRS})

 if(ICINGA2_WITH_CHECKER)
  list(APPEND icinga_app_SOURCES $<TARGET_OBJECTS:checker>)
@ -95,8 +95,6 @@ install(
  RUNTIME DESTINATION ${InstallPath}
 )

-if(NOT WIN32)
-  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}\")")
-  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_DATADIR}\")")
-  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_INITRUNDIR}\")")
-endif()
+install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}\")")
+install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_DATADIR}\")")
+install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_INITRUNDIR}\")")
--- a/itl/command-plugins.conf
+++ b/itl/command-plugins.conf
@ -24,10 +24,6 @@ template CheckCommand "ping-common" {
 			value = "$ping_address$"
 			description = "host to ping"
 		}
-		"--extra-opts" = {
-			value = "$ping_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$ping_wrta$,$ping_wpl$%"
 			description = "warning threshold pair"
@ -105,10 +101,6 @@ template CheckCommand "fping-common" {
 	]

 	arguments = {
-		"--extra-opts" = {
-			value = "$fping_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$fping_wrta$,$fping_wpl$%"
 			description = "warning threshold pair"
@ -177,10 +169,6 @@ object CheckCommand "tcp" {
 			value =  "$tcp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)."
 		}
-		"--extra-opts" = {
-			value = "$tcp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value =  "$tcp_port$"
 			description = "The TCP port number."
@ -288,10 +276,6 @@ object CheckCommand "ssl" {
 			value = "$ssl_address$"
 			description = "Host address"
 		}
-		"--extra-opts" = {
-			value = "$ssl_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ssl_port$"
 			description ="TCP port (default: 443)"
@ -337,10 +321,6 @@ object CheckCommand "udp" {
 	]

 	arguments = {
-		"--extra-opts" = {
-			value = "$udp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-s" = {
 			value = "$udp_send$"
 			required = true
@ -380,11 +360,6 @@ object CheckCommand "http" {
 			value = "$http_vhost$"
 			description = "Host name argument for servers using host headers (virtual host)"
 		}
-		"--extra-opts" = {
-			set_if = {{ string(macro("$http_extra_opts$")) != "" }}
-			value = "$http_extra_opts$"
-			description = "Read extra plugin options from an ini file"
-		}
 		"-I" = {
 			set_if = {{ string(macro("$http_address$")) != "" }}
 			value = "$http_address$"
@ -444,16 +419,12 @@ object CheckCommand "http" {
 		}
 		"--sni" = {
 			set_if = "$http_sni$"
-			description = "Enable SSL/TLS hostname extension support (SNI). This is (normally) the default in modern setups"
+			description = "Enable SSL/TLS hostname extension support (SNI)"
 		}
 		"-C" = {
 			value = "$http_certificate$"
 			description = "Minimum number of days a certificate has to be valid. This parameter explicitely sets the port to 443 and ignores the URL if passed."
 		}
-		"--continue-after-certificate" = {
-			set_if = "$http_certificate_continue$"
-			description = "Allows the HTTP check to continue after performing the certificate check. Does nothing unless -C is used"
-		}
 		"-J" = {
 			value = "$http_clientcert$"
 			description = "Name of file contains the client certificate (PEM format)"
@ -586,212 +557,6 @@ object CheckCommand "http" {
 	vars.http_verbose = false
 }

-object CheckCommand "curl" {
-	import "ipv4-or-ipv6"
-
-	command = [ PluginDir + "/check_curl" ]
-
-	arguments += {
-		"--extra-opts" = {
-			value = "$curl_extra_opts$"
-			description = "Read options from an ini file"
-		}
-		"-H" = {
-			value = "$curl_vhost$"
-			description = "Host name argument for servers using host headers (virtual host). Append a port to include it in the header (eg: example.com:5000)"
-		}
-		"-I" = {
-			value = "$curl_ip$"
-			set_if = {{ string(macro("$curl_ip$")) != "" }}
-			description = "IP address or name (use numeric address if possible to bypass DNS lookup)."
-		}
-		"-p" = {
-			value = "$curl_port$"
-			description = "Port number (default: 80)"
-		}
-		"-4" = {
-			set_if = "$curl_ipv4$"
-			description = "Force `check_curl` to use IPv4 instead of choosing automatically"
-		}
-		"-6" = {
-			set_if = "$curl_ipv6$"
-			description = "Force `check_curl` to use IPv6 instead of choosing automatically"
-		}
-		"(-S w/ value)" = {
-			set_if = {{ macro("$curl_tls$") && string(macro("$curl_tls_version$")) != "" }}
-			key = "-S"
-			value = "$curl_tls_version$"
-			description = "Connect via SSL. Port defaults to 443. VERSION is optional, and prevents auto-negotiation"
-		}
-		"(-S w/o value)" = {
-			set_if = {{ macro("$curl_tls$") && string(macro("$curl_tls_version$")) == "" }}
-			key = "-S"
-			description = "Connect via SSL. Port defaults to 443. VERSION is optional, and prevents auto-negotiation"
-		}
-		"--sni" = {
-			set_if = "$curl_sni$"
-			description = "Enable SSL/TLS hostname extension support (SNI). Default if TLS version > 1.0"
-		}
-		"-C" = {
-			value = "$curl_certificate_valid_days_min_warning$,$curl_certificate_valid_days_min_critical$"
-			description = "Minimum number of days a certificate has to be valid."
-		}
-		"--continue-after-certificate" = {
-			value = "$curl_continue_after_certificate$"
-			description = "Allows the HTTP check to continue after performing the certificate check. Does nothing unless -C is used."
-		}
-		"-J" = {
-			value = "$curl_client_certificate_file$"
-			description = "Name of file that contains the client certificate (PEM format) to be used in establishing the SSL session"
-		}
-		"-K" = {
-			value = "$curl_client_certificate_key_file$"
-			description = "Name of file containing the private key (PEM format) matching the client certificate"
-		}
-		"--ca-cert" = {
-			value = "$curl_ca_cert_file$"
-			description = "CA certificate file to verify peer against"
-		}
-		"-D" = {
-			set_if = "$curl_verify_peer_cert$"
-			description = "Verify the peer's SSL certificate and hostname"
-		}
-		"-e" = {
-			value = "$curl_expect_string$"
-			description = "Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response (default: HTTP/), If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)"
-		}
-		"-d" = {
-			value = "$curl_expect_header_string$"
-			description = "String to expect in the response headers"
-		}
-		"-s" = {
-			value = "$curl_expect_content_string$"
-			description = "String to expect in the content"
-		}
-		"-u" = {
-			value = "$curl_url$"
-			description = "URL to GET or POST (default: /)"
-		}
-		"-P" = {
-			value = "$curl_post_data$"
-			description = "URL encoded http POST data"
-		}
-		"-j" = {
-			value = "$curl_http_method$"
-			description = "Set HTTP method (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)"
-		}
-		"-N" = {
-			value = "$curl_no_body$"
-			description = "Don't wait for document body: stop reading after headers. (Note that this still does an HTTP GET or POST, not a HEAD.)"
-		}
-		"-M" = {
-			value = "$curl_max_age$"
-			description = "Warn if document is more than SECONDS old. the number can also be of the form '10m' for minutes, '10h' for hours, or '10d' for days."
-		}
-		"-T" = {
-			value = "$curl_content_type$"
-			description = "specify Content-Type header media type when POSTing"
-		}
-		"-l" = {
-			value = "$curl_linespan$"
-			description = "Allow regex to span newlines (must precede -r or -R)"
-		}
-		"-r" = {
-			value = "$curl_ereg$"
-			description = "Search page for regex STRING"
-		}
-		"-R" = {
-			value = "$curl_eregi$"
-			description = "Search page for case-insensitive regex STRING"
-		}
-		"--invert-regex" = {
-			set_if = "$curl_invert_regex$"
-			description = "When using regex, return CRITICAL if found, OK if not"
-		}
-		"--state-regex" = {
-			value = "$curl_state_regex$"
-			description = "Return STATE if regex is found, OK if not"
-		}
-		"-a" = {
-			value = "$curl_authorization$"
-			description = "Username:password on sites with basic authentication"
-		}
-		"-b" = {
-			value = "$curl_proxy_authorization$"
-			description = "Username:password on proxy-servers with basic authentication"
-		}
-		"-A" = {
-			value = "$curl_user_agent$"
-			description = "String to be sent in http header as 'User Agent'"
-		}
-		"-k" = {
-			value = "$curl_header$"
-			repeat_key = true
-			description = "Any other tags to be sent in http header. Use multiple times for additional headers"
-		}
-		"-E" = {
-			set_if = "$curl_extended_perfdata$"
-			description = "Print additional performance data"
-		}
-		"-B" = {
-			set_if = "$curl_show_body$"
-			description = "Print body content below status line"
-		}
-		"-L" = {
-			set_if = "$curl_link$"
-			description = "Wrap output in HTML link (obsoleted by urlize)"
-		}
-		"-f" = {
-			value = "$curl_onredirect$"
-			description = "Options: <ok|warning|critical|follow|sticky|stickyport|curl> How to handle redirected pages."
-		}
-		"--max-redirs" = {
-			value = "$curl_max_redirs$"
-			description = "Maximal number of redirects (default: 15)"
-		}
-		"-m" = {
-			value = "$curl_pagesize$"
-			description = "Minimum page size required (bytes) : Maximum page size required (bytes)"
-		}
-		"--http-version" = {
-			value = "$curl_http_version$"
-			description = "Connect via specific HTTP protocol. 1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)"
-		}
-		"--enable-automatic-decompression" = {
-			set_if = "$curl_enable_automatic_decompression$"
-			description = "Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING)."
-		}
-		"--haproxy-protocol" = {
-			set_if = "$curl_haproxy_protocol$"
-			description = "Send HAProxy proxy protocol v1 header (CURLOPT_HAPROXYPROTOCOL)"
-		}
-		"--cookie-jar" = {
-			value = "$curl_cookie_jar_file$"
-			description = "Store cookies in the cookie jar file and send them out when requested."
-		}
-		"-w" = {
-			value = "$curl_warning$"
-			description = "Response time to result in warning status (seconds)"
-		}
-		"-c" = {
-			value = "$curl_critical$"
-			description = "Response time to result in critical status (seconds)"
-		}
-		"-t" = {
-			value = "$curl_timeout$"
-			description = "Seconds before connection times out (default: 10)"
-		}
-	}
-
-	vars.curl_ip = "$check_address$"
-	vars.curl_link = false
-	vars.curl_invert_regex = false
-	vars.curl_show_body = false
-	vars.curl_extended_perfdata = false
-	vars.check_ipv4 = "$curl_ipv4$"
-	vars.check_ipv6 = "$curl_ipv6$"
-}
-
 object CheckCommand "ftp" {
 	import "ipv4-or-ipv6"

@ -802,10 +567,6 @@ object CheckCommand "ftp" {
 			value = "$ftp_address$"
 			description = "The host's address. Defaults to $address$ or $address6$ if the address attribute is not set."
 		}
-		"--extra-opts" = {
-			value = "$ftp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ftp_port$"
 			description = "The FTP port number. Defaults to none"
@ -909,10 +670,6 @@ object CheckCommand "smtp" {
 			value = "$smtp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$smtp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$smtp_port$"
 			description = "Port number (default: 25)"
@ -998,10 +755,6 @@ object CheckCommand "ssmtp" {
 			value = "$ssmtp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$ssmtp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ssmtp_port$"
 			description = "Port number (default: none)"
@ -1091,10 +844,6 @@ object CheckCommand "imap" {
 			value = "$imap_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$imap_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$imap_port$"
 			description = "Port number (default: none)"
@ -1184,10 +933,6 @@ object CheckCommand "simap" {
 			value = "$simap_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$simap_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$simap_port$"
 			description = "Port number (default: none)"
@ -1277,10 +1022,6 @@ object CheckCommand "pop" {
 			value = "$pop_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$pop_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$pop_port$"
 			description = "Port number (default: none)"
@ -1370,10 +1111,6 @@ object CheckCommand "spop" {
 			value = "$spop_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$spop_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$spop_port$"
 			description = "Port number (default: none)"
@ -1463,10 +1200,6 @@ object CheckCommand "ntp_time" {
 			value = "$ntp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$ntp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ntp_port$"
 			description = "Port number (default: 123)"
@ -1516,10 +1249,6 @@ object CheckCommand "ntp_peer" {
 			value = "$ntp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$ntp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ntp_port$"
 			description = "Port number (default: 123)"
@ -1585,10 +1314,6 @@ object CheckCommand "ssh" {
 	command = [ PluginDir + "/check_ssh" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$ssh_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ssh_port$"
 			description = "Port number (default: 22)"
@ -1610,14 +1335,6 @@ object CheckCommand "ssh" {
 			set_if = "$ssh_ipv6$"
 			description = "Use IPv6 connection"
 		}
-		"-r" = {
-			value = "$ssh_remote_version$"
-			description = "Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1)"
-		}
-		"-P" = {
-			value = "$ssh_remote_protocol$"
-			description = "Alert if protocol doesn't match expected protocol version (ex: 2.0)"
-		}
 	}

 	vars.ssh_address = "$check_address$"
@ -1629,10 +1346,6 @@ object CheckCommand "disk" {
 	command = [ PluginDir + "/check_disk" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$disk_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$disk_wfree$"
 			description = "Exit with WARNING status if less than INTEGER units of disk are free or Exit with WARNING status if less than PERCENT of disk space is free"
@ -1659,10 +1372,6 @@ object CheckCommand "disk" {
 			description = "Display inode usage in perfdata"
 			set_if = "$disk_inode_perfdata$"
 		}
-		"--inode-perfdata" = {
-			description = "Enable performance data for inode-based statistics (nagios-plugins)"
-			set_if = "$disk_np_inode_perfdata$"
-		}
 		"-p" = {
 			value = "$disk_partitions$"
 			description = "Path or partition (may be repeated)"
@ -1782,11 +1491,9 @@ object CheckCommand "disk" {
 		"mtmfs",
 		"tracefs",
 		"cgroup",
-		"fuse.*", // only Monitoring Plugins support this so far
 		"fuse.gvfsd-fuse",
 		"fuse.gvfs-fuse-daemon",
 		"fuse.portal",
-		"fuse.sshfs",
 		"fdescfs",
 		"overlay",
 		"nsfs",
@ -1844,10 +1551,6 @@ object CheckCommand "users" {
 	command = [ PluginDir + "/check_users" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$users_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$users_wgreater$"
 			description = "Set WARNING status if more than INTEGER users are logged in"
@ -1866,10 +1569,6 @@ object CheckCommand "procs" {
 	command = [ PluginDir + "/check_procs" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$procs_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$procs_warning$"
 			description = "Generate warning state if metric is outside this range"
@ -1926,10 +1625,6 @@ object CheckCommand "procs" {
 			value = "$procs_command$"
 			description = "Only scan for exact matches of COMMAND (without path)"
 		}
-		"-X" = {
-			value = "$procs_exclude_process$"
-			description = "Exclude processes which match this comma separated list"
-		}
 		"-k" = {
 			set_if = "$procs_nokthreads$"
 			description = "Only scan for non kernel threads"
@ -1946,10 +1641,6 @@ object CheckCommand "swap" {
 	command = [ PluginDir + "/check_swap" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$swap_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {{
 			if (macro("$swap_integer$")) {
 				return macro("$swap_wfree$")
@ -1984,10 +1675,6 @@ object CheckCommand "load" {
 	command = [ PluginDir + "/check_load" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$load_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$load_wload1$,$load_wload5$,$load_wload15$"
 			description = "Exit with WARNING status if load average exceeds WLOADn"
@ -2021,10 +1708,6 @@ object CheckCommand "snmp" {
 			value = "$snmp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$snmp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-o" = {
 			value = "$snmp_oid$"
 			description = "Object identifier(s) or SNMP variables whose value you wish to query"
@ -2085,10 +1768,6 @@ object CheckCommand "snmp" {
 			value = "$snmp_miblist$"
 			description = "List of MIBS to be loaded (default = none if using numeric OIDs or 'ALL' for symbolic OIDs.)"
 		}
-		"-M" = {
-			value = "$snmp_multiplier$"
-			description = "Multiplies current value, 0 < n < 1 works as divider, defaults to 1"
-		}
 		"--rate-multiplier" = {
 			value = "$snmp_rate_multiplier$"
 			description = "Converts rate per second. For example, set to 60 to convert to per minute"
@ -2141,10 +1820,6 @@ object CheckCommand "snmpv3" {
 			value = "$snmpv3_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$snmpv3_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$snmpv3_port$"
 			description = "Port number"
@ -2221,10 +1896,6 @@ object CheckCommand "snmpv3" {
 			value = "$snmpv3_miblist$"
 			description = "List of SNMP MIBs for translating OIDs between numeric and textual representation"
 		}
-		"-M" = {
-			value = "$snmpv3_multiplier$"
-			description = "Multiplies current value, 0 < n < 1 works as divider, defaults to 1"
-		}
 		"-u" = {
 			value = "$snmpv3_units$"
 			description = "Units label(s) for output data (e.g., 'sec.')"
@ -2330,10 +2001,6 @@ object CheckCommand "dhcp" {
 	command = [ PluginDir + "/check_dhcp" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$dhcp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-s" = {
 			value = "$dhcp_serverip$"
 			description = "IP address of DHCP server that we must hear from"
@ -2373,10 +2040,6 @@ object CheckCommand "dns" {
 			value = "$dns_lookup$"
 			description = "The name or address you want to query."
 		}
-		"--extra-opts" = {
-			value = "$dns_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-s" = {
 			value = "$dns_server$"
 			description = "Optional DNS server you want to use for the lookup."
@ -2429,10 +2092,6 @@ object CheckCommand "dig" {
 			value = "$dig_server$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$dig_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$dig_port$"
 			description = "Port number (default: 53)"
@ -2491,10 +2150,6 @@ object CheckCommand "nscp" {
 			value = "$nscp_address$"
 			description = "Name of the host to check"
 		}
-		"--extra-opts" = {
-			value = "$nscp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$nscp_port$"
 			description = "Optional port number (default: 1248)"
@ -2546,10 +2201,6 @@ object CheckCommand "by_ssh" {
 			value = "$by_ssh_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$by_ssh_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$by_ssh_port$"
 			description = "Port number (default: none)"
@ -2627,10 +2278,6 @@ object CheckCommand "ups" {
 			description = "Address of the upsd server"
 			required = true
 		}
-		"--extra-opts" = {
-			value = "$ups_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-u" = {
 			value = "$ups_name$"
 			description = "Name of the UPS to monitor"
@ -2768,10 +2415,6 @@ object CheckCommand "hpjd" {
 			value = "$hpjd_address$"
 			description = "Host address"
 		}
-		"--extra-opts" = {
-			value = "$hpjd_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-C" = {
 			value = "$hpjd_community$"
 			description = "The SNMP community name (default=public)"
@ -2795,10 +2438,6 @@ object CheckCommand "icmp" {
 			order = 1
 			description = "Host address"
 		}
-		"--extra-opts" = {
-			value = "$icmp_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-w" = {
 			value = "$icmp_wrta$,$icmp_wpl$%"
 			description = "warning threshold (currently 200.000ms,10%)"
@ -2858,10 +2497,6 @@ object CheckCommand "ldap" {
 			value = "$ldap_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$ldap_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$ldap_port$"
 			description = "Port number (default: 389)"
@ -2941,10 +2576,6 @@ object CheckCommand "clamd" {
 			description = "The host's address or unix socket (must be an absolute path)."
 			required = true
 		}
-		"--extra-opts" = {
-			value = "$clamd_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-p" = {
 			value = "$clamd_port$"
 			description = "Port number (default: none)."
@ -3089,10 +2720,6 @@ object CheckCommand "pgsql" {
 			value = "$pgsql_hostname$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$pgsql_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-P" = {
 			value = "$pgsql_port$"
 			description = "Port number (default: 5432)"
@ -3157,10 +2784,6 @@ object CheckCommand "mysql" {
 			value = "$mysql_hostname$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$mysql_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-P" = {
 			value = "$mysql_port$"
 			description = "Port number (default: 3306)"
@ -3322,10 +2945,6 @@ object CheckCommand "smart" {
 	command = [ PluginDir + "/check_ide_smart" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$smart_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-d" = {
 			value = "$smart_device$"
 			description = "Name of a local hard drive to monitor"
@ -3388,10 +3007,6 @@ object CheckCommand "game" {
 	command = [ PluginDir + "/check_game" ]

 	arguments = {
-		"--extra-opts" = {
-			value = "$game_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-P" = {
 			value = "$game_port$"
 			description = "Port to connect to"
@ -3445,10 +3060,6 @@ object CheckCommand "mysql_query" {
 			value = "$mysql_query_hostname$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$mysql_query_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-P" = {
 			value = "$mysql_query_port$"
 			description = "Port number (default: 3306)"
@ -3502,10 +3113,6 @@ object CheckCommand "radius" {
 			value = "$radius_address$",
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
-		"--extra-opts" = {
-			value = "$radius_extra_opts$"
-			description = "Read extra plugin options from an ini file."
-		}
 		"-F" = {
 			value = "$radius_config_file$",
 			description = "Configuration file"
--- a/itl/plugins-contrib.d/systemd.conf
+++ b/itl/plugins-contrib.d/systemd.conf
@ -1,10 +1,42 @@
 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */

 object CheckCommand "systemd" {
-	command = [ PluginContribDir + "/check_systemd" ]
+	command = [ PluginContribDir + "/check_systemd.py" ]

 	arguments = {
-		/* General options */
+		"--unit" = {
+			value = "$systemd_unit$"
+			description = "Name of the systemd unit that is being tested."
+		}
+		"--exclude" = {
+			value = "$systemd_exclude_unit$"
+			description = "Exclude a systemd unit from the checks. This option can be applied multiple times. Also supports regular expressions."
+			repeat_key = true
+		}
+		"--no-startup-time" = {
+			set_if = "$systemd_no_startup_time$"
+			description = "Don’t check the startup time. Using this option the options `systemd_warning` and `systemd_critical` have no effect. (Default: `false`)"
+		}
+		"--warning" = {
+			value = "$systemd_warning$"
+			description = "Startup time in seconds to result in a warning status. (Default: `60s`)"
+		}
+		"--critical" = {
+			value = "$systemd_critical$"
+			description = "Startup time in seconds to result in a critical status. (Default: `120s`)"
+		}
+		"--dead-timers" = {
+			set_if = "$systemd_dead_timers$"
+			description = "Detect dead / inactive timers. (Default: `false`)"
+		}
+		"--dead-timers-warning" = {
+			value = "$systemd_dead_timers_warning$"
+			description = "Time ago in seconds for dead / inactive timers to trigger a warning state (by default 6 days)."
+		}
+		"--dead-timers-critical" = {
+			value = "$systemd_dead_timers_critical$"
+			description = "Time ago in seconds for dead / inactive timers to trigger a critical state (by default 7 days)."
+		}
 		"-v" = {
 			set_if = {{ macro("$systemd_verbose_level$") == 1 }}
 			description = "Increase verbosity level (Accepted values: `1`, `2` or `3`). Defaults to none."
@ -15,85 +47,5 @@ object CheckCommand "systemd" {
 		"-vvv" = {
 			set_if = {{ macro("$systemd_verbose_level$") == 3 }}
 		}
-
-		/* Options related to unit selection */
-		"--ignore-inactive-state" = {
-			set_if = "$systemd_ignore_inactive_state$"
-			description = "Ignore an inactive state on a specific unit. Only affective if used with `systemd_unit`."
-		}
-		"--include" = {
-			value = "$systemd_include$"
-			description = "Include systemd units to the checks, regular expressions are supported. This option can be applied multiple times."
-			repeat_key = true
-		}
-		"--unit" = {
-			value = "$systemd_unit$"
-			description = "Name of the systemd unit that is being tested."
-		}
-		"--include-type" = {
-			value = "$systemd_include_type$"
-			description = "Unit types to be tested (for example: `service`, `timer`). This option can be applied multiple times."
-			repeat_key = true
-		}
-		"--exclude" = {
-			value = "$systemd_exclude_unit$"
-			description = "Exclude a systemd unit from the checks, regular expressions are supported. This option can be applied multiple times."
-			repeat_key = true
-		}
-		"--exclude-unit" = {
-			value = "$systemd_exclude_unit_name$"
-			description = "Exclude a systemd unit from the checks. This option can be applied multiple times."
-			repeat_key = true
-		}
-		"--exclude-type" = {
-			value = "$systemd_exclude_type$"
-			description = "Exclude a systemd unit type (for example: `service`, `timer`)"
-		}
-		"--state" = {
-			value = "$systemd_state$"
-			description = "Specify the active state that the systemd unit must have (for example: `active`, `inactive`)"
-		}
-
-		/* Timers related options */
-		"--dead-timers" = {
-			set_if = "$systemd_dead_timers$"
-			description = "Detect dead / inactive timers, see `systemd_dead_timers_{warning,critical}`. (Default `false`)"
-		}
-		"--dead-timers-warning" = {
-			value = "$systemd_dead_timers_warning$"
-			description = "Time ago in seconds for dead / inactive timers to trigger a warning state. (Default 6 days)"
-		}
-		"--dead-timers-critical" = {
-			value = "$systemd_dead_timers_critical$"
-			description = "Time ago in seconds for dead / inactive timers to trigger a critical state. (Default 7 days)"
-		}
-
-		/* Startup time related options */
-		"--no-startup-time" = {
-			set_if = "$systemd_no_startup_time$"
-			description = "Don't check the startup time. Using this option, the options `systemd_{warning,critical}` have no effect. (Default `false`)"
-		}
-		"--warning" = {
-			value = "$systemd_warning$"
-			description = "Startup time in seconds to result in a warning status. (Default 60 seconds)"
-		}
-		"--critical" = {
-			value = "$systemd_critical$"
-			description = "Startup time in seconds to result in a critical status. (Default 120 seconds)"
-		}
-
-		/* Monitoring data acquisition */
-		"--dbus" = {
-			set_if = "$systemd_dbus$"
-			description = "Use systemd's D-Bus API instead of parsing command output. Only partially implemented!"
-		}
-		"--cli" = {
-			set_if = "$systemd_cli$"
-			description = "Use text output from parsing command output. (Default)"
-		}
-		"--user" = {
-			set_if = "$systemd_user$"
-			description = "Also show user (systemctl --user) units."
-		}
 	}
 }
--- a/itl/plugins-contrib.d/vmware.conf
+++ b/itl/plugins-contrib.d/vmware.conf
@ -421,10 +421,6 @@ object CheckCommand "vmware-esx-soap-host-net" {
 		"--isregexp" = {
 			set_if = "$vmware_isregexp$"
 		}
-		"--unplugged_nics_state" = {
-			value = "$vmware_unplugged_nics_state$"
-			description = "Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)"
-		}
 	}
 }

@ -471,10 +467,6 @@ object CheckCommand "vmware-esx-soap-host-net-nic" {
 		"--isregexp" = {
 			set_if = "$vmware_isregexp$"
 		}
-		"--unplugged_nics_state" = {
-			value = "$vmware_unplugged_nics_state$"
-			description = "Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)"
-		}
 	}
 }

--- a/itl/plugins-contrib.d/web.conf
+++ b/itl/plugins-contrib.d/web.conf
@ -396,9 +396,13 @@ object CheckCommand "ssl_cert" {
 			value = "$ssl_cert_critical$"
 			description = "Minimum number of days a certificate has to be valid to issue a critical status"
 		}
-		"--match" = {
+		"-n" = {
 			value = "$ssl_cert_cn$"
-			description = "Pattern to match the CN or AltNames of the certificate"
+			description = "Pattern to match the CN of the certificate"
+		}
+		"--altnames" = {
+			set_if = "$ssl_cert_altnames$"
+			description = "Matches the pattern specified in -n with alternate"
 		}
 		"-i" = {
 			value = "$ssl_cert_issuer$"
@ -440,10 +444,6 @@ object CheckCommand "ssl_cert" {
 			value = "$ssl_cert_protocol$"
 			description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
 		}
-		"--url" = {
-				value = "$ssl_cert_http_url$"
-				description = "HTTP request URL (default: /)"
-		}
 		"-C" = {
 			value = "$ssl_cert_clientssl_cert$"
 			description = "Use client certificate to authenticate"
@ -578,25 +578,11 @@ object CheckCommand "ssl_cert" {
 			set_if = "$ssl_cert_ignore_tls_renegotiation$"
 			description = "Do not check for renegotiation"
 		}
-		"--maximum-validity" = {
-			value = "$ssl_cert_maximum_validity$"
-			description = "The maximum validity of the certificate in days (default: 397)"
-		}
-		"--dane" = {
-			value = "$ssl_cert_dane$"
-			description = "verify that valid DANE records exist (since OpenSSL 1.1.0)"
-			repeat_key = false
-		}
-		"--ignore-maximum-validity" = {
-			description = "Ignore the certificate maximum validity"
-			set_if = "$ssl_cert_ignore_maximum_validity$"
-                }

 	}

 	vars.ssl_cert_address = "$check_address$"
 	vars.ssl_cert_port = 443
-	vars.ssl_cert_cn = "$ssl_cert_altnames$"
 }

 object CheckCommand "varnish" {
--- a/lib/base/CMakeLists.txt
+++ b/lib/base/CMakeLists.txt
@ -38,7 +38,6 @@ set(base_SOURCES
  filelogger.cpp filelogger.hpp filelogger-ti.hpp
  function.cpp function.hpp function-ti.hpp function-script.cpp functionwrapper.hpp
  initialize.cpp initialize.hpp
-  intrusive-ptr.hpp
  io-engine.cpp io-engine.hpp
  journaldlogger.cpp journaldlogger.hpp journaldlogger-ti.hpp
  json.cpp json.hpp json-script.cpp
@ -131,7 +130,7 @@ if(HAVE_SYSTEMD)
  find_path(SYSTEMD_INCLUDE_DIR
    NAMES systemd/sd-daemon.h
    HINTS ${SYSTEMD_ROOT_DIR})
-  include_directories(SYSTEM ${SYSTEMD_INCLUDE_DIR})
+  include_directories(${SYSTEMD_INCLUDE_DIR})
  set_property(
    SOURCE ${CMAKE_CURRENT_SOURCE_DIR}/journaldlogger.cpp
    APPEND PROPERTY COMPILE_DEFINITIONS
@ -141,13 +140,13 @@ endif()

 add_library(base OBJECT ${base_SOURCES})

-include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/execvpe)
+include_directories(${icinga2_SOURCE_DIR}/third-party/execvpe)
 link_directories(${icinga2_BINARY_DIR}/third-party/execvpe)

-include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/mmatch)
+include_directories(${icinga2_SOURCE_DIR}/third-party/mmatch)
 link_directories(${icinga2_BINARY_DIR}/third-party/mmatch)

-include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/socketpair)
+include_directories(${icinga2_SOURCE_DIR}/third-party/socketpair)
 link_directories(${icinga2_BINARY_DIR}/third-party/socketpair)

 set_target_properties (
@ -155,9 +154,7 @@ set_target_properties (
  FOLDER Lib
 )

-if(NOT WIN32)
-  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_CACHEDIR}\")")
-  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}/crash\")")
-endif()
+install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_CACHEDIR}\")")
+install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}/crash\")")

 set(CPACK_NSIS_EXTRA_INSTALL_COMMANDS "${CPACK_NSIS_EXTRA_INSTALL_COMMANDS}" PARENT_SCOPE)
--- a/lib/base/atomic.hpp
+++ b/lib/base/atomic.hpp
@ -12,12 +12,7 @@ namespace icinga
 {

 /**
- * Like std::atomic, but enforces usage of its only safe constructor.
- *
- * "The default-initialized std::atomic<T> does not contain a T object,
- * and its only valid uses are destruction and
- * initialization by std::atomic_init, see LWG issue 2334."
- *  -- https://en.cppreference.com/w/cpp/atomic/atomic/atomic
+ * Extends std::atomic with an atomic constructor.
 *
 * @ingroup base
 */
@ -25,12 +20,24 @@ template<class T>
 class Atomic : public std::atomic<T> {
 public:
 	/**
-	 * The only safe constructor of std::atomic#atomic
+	 * Like std::atomic#atomic, but operates atomically
 	 *
 	 * @param desired Initial value
 	 */
-	inline Atomic(T desired) : std::atomic<T>(desired)
+	inline Atomic(T desired)
 	{
+		this->store(desired);
+	}
+
+	/**
+	 * Like std::atomic#atomic, but operates atomically
+	 *
+	 * @param desired Initial value
+	 * @param order Initial store operation's memory order
+	 */
+	inline Atomic(T desired, std::memory_order order)
+	{
+		this->store(desired, order);
 	}
 };

--- a/lib/base/boolean-script.cpp
+++ b/lib/base/boolean-script.cpp
@ -23,3 +23,4 @@ Object::Ptr Boolean::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/boolean.cpp
+++ b/lib/base/boolean.cpp
@ -6,3 +6,4 @@
 using namespace icinga;

 REGISTER_BUILTIN_TYPE(Boolean, Boolean::GetPrototype());
+
--- a/lib/base/configobject-script.cpp
+++ b/lib/base/configobject-script.cpp
@ -33,3 +33,4 @@ Object::Ptr ConfigObject::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/configtype.hpp
+++ b/lib/base/configtype.hpp
@ -9,13 +9,11 @@
 #include "base/dictionary.hpp"
 #include <shared_mutex>
 #include <unordered_map>
-#include <boost/signals2.hpp>

 namespace icinga
 {

 class ConfigObject;
-class ConfigItems;

 class ConfigType
 {
@ -50,13 +48,6 @@ for (const auto& object : objects) {

 	int GetObjectCount() const;

-	/**
-	 * Signal that allows hooking into the config loading process just before ConfigObject::OnAllConfigLoaded() is
-	 * called for a bunch of objects. A vector of pointers to these objects is passed as an argument. All elements
-	 * are of the object type the signal is called on.
-	 */
-	boost::signals2::signal<void (const ConfigItems&)> BeforeOnAllConfigLoaded;
-
 private:
 	typedef std::unordered_map<String, intrusive_ptr<ConfigObject> > ObjectMap;
 	typedef std::vector<intrusive_ptr<ConfigObject> > ObjectVector;
--- a/lib/base/datetime-script.cpp
+++ b/lib/base/datetime-script.cpp
@ -25,3 +25,4 @@ Object::Ptr DateTime::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/debuginfo.cpp
+++ b/lib/base/debuginfo.cpp
@ -95,3 +95,4 @@ void icinga::ShowCodeLocation(std::ostream& out, const DebugInfo& di, bool verbo
 		}
 	}
 }
+
--- a/lib/base/defer.hpp
+++ b/lib/base/defer.hpp
@ -22,8 +22,6 @@ public:
 	{
 	}

-	Defer() = default;
-
 	Defer(const Defer&) = delete;
 	Defer(Defer&&) = delete;
 	Defer& operator=(const Defer&) = delete;
@ -41,11 +39,6 @@ public:
 		}
 	}

-	inline void SetFunc(std::function<void()> func)
-	{
-		m_Func = std::move(func);
-	}
-
 	inline
 	void Cancel()
 	{
--- a/lib/base/dependencygraph.cpp
+++ b/lib/base/dependencygraph.cpp
@ -5,68 +5,46 @@
 using namespace icinga;

 std::mutex DependencyGraph::m_Mutex;
-DependencyGraph::DependencyMap DependencyGraph::m_Dependencies;
+std::map<Object *, std::map<Object *, int> > DependencyGraph::m_Dependencies;

-void DependencyGraph::AddDependency(ConfigObject* child, ConfigObject* parent)
+void DependencyGraph::AddDependency(Object *parent, Object *child)
 {
 	std::unique_lock<std::mutex> lock(m_Mutex);
-	if (auto [it, inserted] = m_Dependencies.insert(Edge(parent, child)); !inserted) {
-		m_Dependencies.modify(it, [](Edge& e) { e.count++; });
-	}
+	m_Dependencies[child][parent]++;
 }

-void DependencyGraph::RemoveDependency(ConfigObject* child, ConfigObject* parent)
+void DependencyGraph::RemoveDependency(Object *parent, Object *child)
 {
 	std::unique_lock<std::mutex> lock(m_Mutex);

-	if (auto it(m_Dependencies.find(Edge(parent, child))); it != m_Dependencies.end()) {
-		if (it->count > 1) {
-			// Remove a duplicate edge from child to node, i.e. decrement the corresponding counter.
-			m_Dependencies.modify(it, [](Edge& e) { e.count--; });
-		} else {
-			// Remove the last edge from child to node (decrementing the counter would set it to 0),
-			// thus remove that connection from the data structure completely.
-			m_Dependencies.erase(it);
+	auto& refs = m_Dependencies[child];
+	auto it = refs.find(parent);
+
+	if (it == refs.end())
+		return;
+
+	it->second--;
+
+	if (it->second == 0)
+		refs.erase(it);
+
+	if (refs.empty())
+		m_Dependencies.erase(child);
+}
+
+std::vector<Object::Ptr> DependencyGraph::GetParents(const Object::Ptr& child)
+{
+	std::vector<Object::Ptr> objects;
+
+	std::unique_lock<std::mutex> lock(m_Mutex);
+	auto it = m_Dependencies.find(child.get());
+
+	if (it != m_Dependencies.end()) {
+		typedef std::pair<Object *, int> kv_pair;
+		for (const kv_pair& kv : it->second) {
+			objects.emplace_back(kv.first);
 		}
 	}
-}
-
-/**
- * Returns all the parent objects of the given child object.
- *
- * @param child The child object.
- *
- * @returns A list of the parent objects.
- */
-std::vector<ConfigObject::Ptr> DependencyGraph::GetParents(const ConfigObject::Ptr& child)
-{
-	std::vector<ConfigObject::Ptr> objects;
-
-	std::unique_lock lock(m_Mutex);
-	auto [begin, end] = m_Dependencies.get<2>().equal_range(child.get());
-	std::transform(begin, end, std::back_inserter(objects), [](const Edge& edge) {
-		return edge.parent;
-	});
-
-	return objects;
-}
-
-/**
- * Returns all the dependent objects of the given parent object.
- *
- * @param parent The parent object.
- *
- * @returns A list of the dependent objects.
- */
-std::vector<ConfigObject::Ptr> DependencyGraph::GetChildren(const ConfigObject::Ptr& parent)
-{
-	std::vector<ConfigObject::Ptr> objects;
-
-	std::unique_lock lock(m_Mutex);
-	auto [begin, end] = m_Dependencies.get<1>().equal_range(parent.get());
-	std::transform(begin, end, std::back_inserter(objects), [](const Edge& edge) {
-		return edge.child;
-	});

 	return objects;
 }
--- a/lib/base/dependencygraph.hpp
+++ b/lib/base/dependencygraph.hpp
@ -4,10 +4,8 @@
 #define DEPENDENCYGRAPH_H

 #include "base/i2-base.hpp"
-#include "base/configobject.hpp"
-#include <boost/multi_index_container.hpp>
-#include <boost/multi_index/hashed_index.hpp>
-#include <boost/multi_index/member.hpp>
+#include "base/object.hpp"
+#include <map>
 #include <mutex>

 namespace icinga {
@ -20,84 +18,15 @@ namespace icinga {
 class DependencyGraph
 {
 public:
-	static void AddDependency(ConfigObject* child, ConfigObject* parent);
-	static void RemoveDependency(ConfigObject* child, ConfigObject* parent);
-	static std::vector<ConfigObject::Ptr> GetParents(const ConfigObject::Ptr& child);
-	static std::vector<ConfigObject::Ptr> GetChildren(const ConfigObject::Ptr& parent);
+	static void AddDependency(Object *parent, Object *child);
+	static void RemoveDependency(Object *parent, Object *child);
+	static std::vector<Object::Ptr> GetParents(const Object::Ptr& child);

 private:
 	DependencyGraph();

-	/**
-	 * Represents an undirected dependency edge between two objects.
-	 *
-	 * It allows to traverse the graph in both directions, i.e. from parent to child and vice versa.
-	 */
-	struct Edge
-	{
-		ConfigObject* parent; // The parent object of the child one.
-		ConfigObject* child; // The dependent object of the parent.
-		// Counter for the number of parent <-> child edges to allow duplicates.
-		int count;
-
-		Edge(ConfigObject* parent, ConfigObject* child, int count = 1): parent(parent), child(child), count(count)
-		{
-		}
-
-		struct Hash
-		{
-			/**
-			 * Generates a unique hash of the given Edge object.
-			 *
-			 * Note, the hash value is generated only by combining the hash values of the parent and child pointers.
-			 *
-			 * @param edge The Edge object to be hashed.
-			 *
-			 * @return size_t The resulting hash value of the given object.
-			 */
-			size_t operator()(const Edge& edge) const
-			{
-				size_t seed = 0;
-				boost::hash_combine(seed, edge.parent);
-				boost::hash_combine(seed, edge.child);
-
-				return seed;
-			}
-		};
-
-		struct Equal
-		{
-			/**
-			 * Compares whether the two Edge objects contain the same parent and child pointers.
-			 *
-			 * Note, the member property count is not taken into account for equality checks.
-			 *
-			 * @param a The first Edge object to compare.
-			 * @param b The second Edge object to compare.
-			 *
-			 * @return bool Returns true if the two objects are equal, false otherwise.
-			 */
-			bool operator()(const Edge& a, const Edge& b) const
-			{
-				return a.parent == b.parent && a.child == b.child;
-			}
-		};
-	};
-
-	using DependencyMap = boost::multi_index_container<
-		Edge, // The value type we want to sore in the container.
-		boost::multi_index::indexed_by<
-			// The first indexer is used for lookups by the Edge from child to parent, thus it
-			// needs its own hash function and comparison predicate.
-			boost::multi_index::hashed_unique<boost::multi_index::identity<Edge>, Edge::Hash, Edge::Equal>,
-			// These two indexers are used for lookups by the parent and child pointers.
-			boost::multi_index::hashed_non_unique<boost::multi_index::member<Edge, ConfigObject*, &Edge::parent>>,
-			boost::multi_index::hashed_non_unique<boost::multi_index::member<Edge, ConfigObject*, &Edge::child>>
-		>
-	>;
-
 	static std::mutex m_Mutex;
-	static DependencyMap m_Dependencies;
+	static std::map<Object *, std::map<Object *, int> > m_Dependencies;
 };

 }
--- a/lib/base/dictionary-script.cpp
+++ b/lib/base/dictionary-script.cpp
@ -116,3 +116,4 @@ Object::Ptr Dictionary::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/dictionary.cpp
+++ b/lib/base/dictionary.cpp
@ -314,3 +314,4 @@ Dictionary::Iterator icinga::end(const Dictionary::Ptr& x)
 {
 	return x->End();
 }
+
--- a/lib/base/fifo.cpp
+++ b/lib/base/fifo.cpp
@ -54,11 +54,26 @@ void FIFO::Optimize()
 	}
 }

+size_t FIFO::Peek(void *buffer, size_t count, bool allow_partial)
+{
+	ASSERT(allow_partial);
+
+	if (count > m_DataSize)
+		count = m_DataSize;
+
+	if (buffer)
+		std::memcpy(buffer, m_Buffer + m_Offset, count);
+
+	return count;
+}
+
 /**
 * Implements IOQueue::Read.
 */
-size_t FIFO::Read(void *buffer, size_t count)
+size_t FIFO::Read(void *buffer, size_t count, bool allow_partial)
 {
+	ASSERT(allow_partial);
+
 	if (count > m_DataSize)
 		count = m_DataSize;

--- a/lib/base/fifo.hpp
+++ b/lib/base/fifo.hpp
@ -23,7 +23,8 @@ public:

 	~FIFO() override;

-	size_t Read(void *buffer, size_t count) override;
+	size_t Peek(void *buffer, size_t count, bool allow_partial = false) override;
+	size_t Read(void *buffer, size_t count, bool allow_partial = false) override;
 	void Write(const void *buffer, size_t count) override;
 	void Close() override;
 	bool IsEof() const override;
--- a/lib/base/function-script.cpp
+++ b/lib/base/function-script.cpp
@ -47,3 +47,4 @@ Object::Ptr Function::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/initialize.cpp
+++ b/lib/base/initialize.cpp
@ -10,3 +10,4 @@ bool icinga::InitializeOnceHelper(const std::function<void()>& func, InitializeP
 	Loader::AddDeferredInitializer(func, priority);
 	return true;
 }
+
--- a/lib/base/initialize.hpp
+++ b/lib/base/initialize.hpp
@ -23,7 +23,6 @@ enum class InitializePriority {
 	RegisterBuiltinTypes,
 	RegisterFunctions,
 	RegisterTypes,
-	SortTypes,
 	EvaluateConfigFragments,
 	Default,
 	FreezeNamespaces,
--- a/lib/base/intrusive-ptr.hpp
+++ b/lib/base/intrusive-ptr.hpp
@ -1,22 +0,0 @@
-/* Icinga 2 | (c) 2025 Icinga GmbH | GPLv2+ */
-
-#pragma once
-
-#include "base/i2-base.hpp"
-#include <memory>
-#include <boost/smart_ptr/intrusive_ptr.hpp>
-#include <boost/version.hpp>
-
-// std::hash is only implemented starting from Boost 1.74. Implement it ourselves for older version to allow using
-// boost::intrusive_ptr inside std::unordered_set<> or as the key of std::unordered_map<>.
-// https://github.com/boostorg/smart_ptr/commit/5a18ffdc5609a0e64b63e47cb81c4f0847e0c087
-#if BOOST_VERSION < 107400
-template<class T>
-struct std::hash<boost::intrusive_ptr<T>>
-{
-	std::size_t operator()(const boost::intrusive_ptr<T>& ptr) const noexcept
-	{
-		return std::hash<T*>{}(ptr.get());
-	}
-};
-#endif /* BOOST_VERSION < 107400 */
--- a/lib/base/io-engine.cpp
+++ b/lib/base/io-engine.cpp
@ -146,14 +146,9 @@ void AsioConditionVariable::Wait(boost::asio::yield_context yc)
 	m_Timer.async_wait(yc[ec]);
 }

-/**
- * Cancels any pending timeout callback.
- *
- * Must be called in the strand in which the callback was scheduled!
- */
 void Timeout::Cancel()
 {
-	m_Cancelled->store(true);
+	m_Cancelled.store(true);

 	boost::system::error_code ec;
 	m_Timer.cancel(ec);
--- a/lib/base/io-engine.hpp
+++ b/lib/base/io-engine.hpp
@ -3,12 +3,10 @@
 #ifndef IO_ENGINE_H
 #define IO_ENGINE_H

-#include "base/atomic.hpp"
-#include "base/debug.hpp"
 #include "base/exception.hpp"
 #include "base/lazy-init.hpp"
 #include "base/logger.hpp"
-#include "base/shared.hpp"
+#include "base/shared-object.hpp"
 #include <atomic>
 #include <exception>
 #include <memory>
@ -111,7 +109,8 @@ public:
 					// https://github.com/boostorg/coroutine/issues/39
 					throw;
 				} catch (const std::exception& ex) {
-					Log(LogCritical, "IoEngine") << "Exception in coroutine: " << DiagnosticInformation(ex);
+					Log(LogCritical, "IoEngine", "Exception in coroutine!");
+					Log(LogDebug, "IoEngine") << "Exception in coroutine: " << DiagnosticInformation(ex);
 				} catch (...) {
 					Log(LogCritical, "IoEngine", "Exception in coroutine!");
 				}
@ -165,80 +164,51 @@ private:
 /**
 * I/O timeout emulator
 *
- * This class provides a workaround for Boost.ASIO's lack of built-in timeout support.
- * While Boost.ASIO handles asynchronous operations, it does not natively support timeouts for these operations.
- * This class uses a boost::asio::deadline_timer to emulate a timeout by scheduling a callback to be triggered
- * after a specified duration, effectively adding timeout behavior where none exists.
- * The callback is executed within the provided strand, ensuring thread-safety.
- *
- * The constructor returns immediately after scheduling the timeout callback.
- * The callback itself is invoked asynchronously when the timeout occurs.
- * This allows the caller to continue execution while the timeout is running in the background.
- *
- * The class provides a Cancel() method to unschedule any pending callback. If the callback has already been run,
- * calling Cancel() has no effect. This method can be used to abort the timeout early if the monitored operation
- * completes before the callback has been run. The Timeout destructor also automatically cancels any pending callback.
- * A callback is considered pending even if the timeout has already expired,
- * but the callback has not been executed yet due to a busy strand.
- *
 * @ingroup base
 */
-class Timeout
+class Timeout : public SharedObject
 {
 public:
-	using Timer = boost::asio::deadline_timer;
+	DECLARE_PTR_TYPEDEFS(Timeout);

-	/**
-	 * Schedules onTimeout to be triggered after timeoutFromNow on strand.
-	 *
-	 * @param strand The strand in which the callback will be executed.
-	 *				 The caller must also run in this strand, as well as Cancel() and the destructor!
-	 * @param timeoutFromNow The duration after which the timeout callback will be triggered.
-	 * @param onTimeout The callback to invoke when the timeout occurs.
-	 */
-	template<class OnTimeout>
-	Timeout(boost::asio::io_context::strand& strand, const Timer::duration_type& timeoutFromNow, OnTimeout onTimeout)
-		: m_Timer(strand.context(), timeoutFromNow), m_Cancelled(Shared<Atomic<bool>>::Make(false))
+	template<class Executor, class TimeoutFromNow, class OnTimeout>
+	Timeout(boost::asio::io_context& io, Executor& executor, TimeoutFromNow timeoutFromNow, OnTimeout onTimeout)
+		: m_Timer(io)
 	{
-		VERIFY(strand.running_in_this_thread());
+		Ptr keepAlive (this);

-		m_Timer.async_wait(boost::asio::bind_executor(
-			strand, [cancelled = m_Cancelled, onTimeout = std::move(onTimeout)](boost::system::error_code ec) {
-				if (!ec && !cancelled->load()) {
-					onTimeout();
+		m_Cancelled.store(false);
+		m_Timer.expires_from_now(std::move(timeoutFromNow));
+
+		IoEngine::SpawnCoroutine(executor, [this, keepAlive, onTimeout](boost::asio::yield_context yc) {
+			if (m_Cancelled.load()) {
+				return;
+			}
+
+			{
+				boost::system::error_code ec;
+
+				m_Timer.async_wait(yc[ec]);
+
+				if (ec) {
+					return;
 				}
 			}
-		));
-	}

-	Timeout(const Timeout&) = delete;
-	Timeout(Timeout&&) = delete;
-	Timeout& operator=(const Timeout&) = delete;
-	Timeout& operator=(Timeout&&) = delete;
+			if (m_Cancelled.load()) {
+				return;
+			}

-	/**
-	 * Cancels any pending timeout callback.
-	 *
-	 * Must be called in the strand in which the callback was scheduled!
-	 */
-	~Timeout()
-	{
-		Cancel();
+			auto f (onTimeout);
+			f(std::move(yc));
+		});
 	}

 	void Cancel();

 private:
-	Timer m_Timer;
-
-	/**
-	 * Indicates whether the Timeout has been cancelled.
-	 *
-	 * This must be Shared<> between the lambda in the constructor and Cancel() for the case
-	 * the destructor calls Cancel() while the lambda is already queued in the strand.
-	 * The whole Timeout instance can't be kept alive by the lambda because this would delay the destructor.
-	 */
-	Shared<Atomic<bool>>::Ptr m_Cancelled;
+	boost::asio::deadline_timer m_Timer;
+	std::atomic<bool> m_Cancelled;
 };

 }
--- a/lib/base/loader.cpp
+++ b/lib/base/loader.cpp
@ -35,3 +35,4 @@ void Loader::AddDeferredInitializer(const std::function<void()>& callback, Initi

 	initializers->push(DeferredInitializer(callback, priority));
 }
+
--- a/lib/base/logger.hpp
+++ b/lib/base/logger.hpp
@ -121,10 +121,7 @@ public:
 	template<typename T>
 	Log& operator<<(const T& val)
 	{
-		if (!m_IsNoOp) {
-			m_Buffer << val;
-		}
-
+		m_Buffer << val;
 		return *this;
 	}

--- a/lib/base/logger.ti
+++ b/lib/base/logger.ti
@ -9,7 +9,7 @@ namespace icinga

 abstract class Logger : ConfigObject
 {
-	[config, set_virtual] String severity {
+	[config, virtual] String severity {
 		default {{{ return "information"; }}}
 	};
 };
--- a/lib/base/namespace-script.cpp
+++ b/lib/base/namespace-script.cpp
@ -81,3 +81,4 @@ Object::Ptr Namespace::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/namespace.cpp
+++ b/lib/base/namespace.cpp
@ -186,3 +186,4 @@ Namespace::Iterator icinga::end(const Namespace::Ptr& x)
 {
 	return x->End();
 }
+
--- a/lib/base/networkstream.cpp
+++ b/lib/base/networkstream.cpp
@ -23,10 +23,12 @@ void NetworkStream::Close()
 * @param count The number of bytes to read from the queue.
 * @returns The number of bytes actually read.
 */
-size_t NetworkStream::Read(void *buffer, size_t count)
+size_t NetworkStream::Read(void *buffer, size_t count, bool allow_partial)
 {
 	size_t rc;

+	ASSERT(allow_partial);
+
 	if (m_Eof)
 		BOOST_THROW_EXCEPTION(std::invalid_argument("Tried to read from closed socket."));

--- a/lib/base/networkstream.hpp
+++ b/lib/base/networkstream.hpp
@ -22,7 +22,7 @@ public:

 	NetworkStream(Socket::Ptr socket);

-	size_t Read(void *buffer, size_t count) override;
+	size_t Read(void *buffer, size_t count, bool allow_partial = false) override;
 	void Write(const void *buffer, size_t count) override;

 	void Close() override;
--- a/lib/base/number-script.cpp
+++ b/lib/base/number-script.cpp
@ -22,3 +22,4 @@ Object::Ptr Number::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/number.cpp
+++ b/lib/base/number.cpp
@ -6,3 +6,4 @@
 using namespace icinga;

 REGISTER_BUILTIN_TYPE(Number, Number::GetPrototype());
+
--- a/lib/base/object-script.cpp
+++ b/lib/base/object-script.cpp
@ -42,3 +42,4 @@ Object::Ptr Object::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/object.hpp
+++ b/lib/base/object.hpp
@ -5,7 +5,6 @@

 #include "base/i2-base.hpp"
 #include "base/debug.hpp"
-#include "base/intrusive-ptr.hpp"
 #include <boost/smart_ptr/intrusive_ptr.hpp>
 #include <atomic>
 #include <cstddef>
@ -28,7 +27,7 @@ class String;
 struct DebugInfo;
 class ValidationUtils;

-extern const Value Empty;
+extern Value Empty;

 #define DECLARE_PTR_TYPEDEFS(klass) \
 	typedef intrusive_ptr<klass> Ptr
--- a/lib/base/objecttype.cpp
+++ b/lib/base/objecttype.cpp
@ -54,3 +54,4 @@ ObjectFactory ObjectType::GetFactory() const
 {
 	return DefaultObjectFactory<Object>;
 }
+
--- a/lib/base/perfdatavalue.cpp
+++ b/lib/base/perfdatavalue.cpp
@ -259,10 +259,6 @@ PerfdataValue::Ptr PerfdataValue::Parse(const String& perfdata)

 	double value = Convert::ToDouble(tokens[0].SubStr(0, pos));

-	if (!std::isfinite(value)) {
-		BOOST_THROW_EXCEPTION(std::invalid_argument("Invalid performance data value: " + perfdata + " is outside of any reasonable range"));
-	}
-
 	bool counter = false;
 	String unit;
 	Value warn, crit, min, max;
@ -367,27 +363,20 @@ String PerfdataValue::Format() const

 	result << unit;

-	std::string interm(";");
 	if (!GetWarn().IsEmpty()) {
-		result << interm << Convert::ToString(GetWarn());
-		interm.clear();
-	}
+		result << ";" << Convert::ToString(GetWarn());

-	interm += ";";
-	if (!GetCrit().IsEmpty()) {
-		result << interm << Convert::ToString(GetCrit());
-		interm.clear();
-	}
+		if (!GetCrit().IsEmpty()) {
+			result << ";" << Convert::ToString(GetCrit());

-	interm += ";";
-	if (!GetMin().IsEmpty()) {
-		result << interm << Convert::ToString(GetMin());
-		interm.clear();
-	}
+			if (!GetMin().IsEmpty()) {
+				result << ";" << Convert::ToString(GetMin());

-	interm += ";";
-	if (!GetMax().IsEmpty()) {
-		result << interm << Convert::ToString(GetMax());
+				if (!GetMax().IsEmpty()) {
+					result << ";" << Convert::ToString(GetMax());
+				}
+			}
+		}
 	}

 	return result.str();
--- a/lib/base/primitivetype.cpp
+++ b/lib/base/primitivetype.cpp
@ -61,3 +61,4 @@ ObjectFactory PrimitiveType::GetFactory() const
 {
 	return m_Factory;
 }
+
--- a/lib/base/process.cpp
+++ b/lib/base/process.cpp
@ -19,7 +19,6 @@
 #ifndef _WIN32
 #	include <execvpe.h>
 #	include <poll.h>
-#	include <signal.h>
 #	include <string.h>

 #	ifndef __APPLE__
@ -171,17 +170,6 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
 		}
 #endif /* HAVE_NICE */

-		{
-			struct sigaction sa;
-			memset(&sa, 0, sizeof(sa));
-
-			sa.sa_handler = SIG_DFL;
-
-			for (int sig = 1; sig <= 31; ++sig) {
-				(void)sigaction(sig, &sa, nullptr);
-			}
-		}
-
 		sigset_t mask;
 		sigemptyset(&mask);
 		sigprocmask(SIG_SETMASK, &mask, nullptr);
@ -1087,9 +1075,7 @@ bool Process::DoEvents()
 				Log(LogWarning, "Process")
 					<< "Couldn't kill the process group " << m_PID << " (" << PrettyPrintArguments(m_Arguments)
 					<< "): [errno " << error << "] " << strerror(error);
-				if (error != ESRCH) {
-					could_not_kill = true;
-				}
+				could_not_kill = true;
 			}
 #endif /* _WIN32 */

--- a/lib/base/process.hpp
+++ b/lib/base/process.hpp
@ -5,7 +5,6 @@

 #include "base/i2-base.hpp"
 #include "base/dictionary.hpp"
-#include <cstdint>
 #include <iosfwd>
 #include <deque>
 #include <vector>
@ -26,7 +25,7 @@ struct ProcessResult
 	pid_t PID;
 	double ExecutionStart;
 	double ExecutionEnd;
-	int_fast64_t ExitStatus;
+	long ExitStatus;
 	String Output;
 };

--- a/lib/base/registry.hpp
+++ b/lib/base/registry.hpp
@ -23,6 +23,16 @@ class Registry
 public:
 	typedef std::map<String, T> ItemMap;

+	void RegisterIfNew(const String& name, const T& item)
+	{
+		std::unique_lock<std::mutex> lock(m_Mutex);
+
+		if (m_Items.find(name) != m_Items.end())
+			return;
+
+		RegisterInternal(name, item, lock);
+	}
+
 	void Register(const String& name, const T& item)
 	{
 		std::unique_lock<std::mutex> lock(m_Mutex);
@ -30,6 +40,38 @@ public:
 		RegisterInternal(name, item, lock);
 	}

+	void Unregister(const String& name)
+	{
+		size_t erased;
+
+		{
+			std::unique_lock<std::mutex> lock(m_Mutex);
+			erased = m_Items.erase(name);
+		}
+
+		if (erased > 0)
+			OnUnregistered(name);
+	}
+
+	void Clear()
+	{
+		typename Registry<U, T>::ItemMap items;
+
+		{
+			std::unique_lock<std::mutex> lock(m_Mutex);
+			items = m_Items;
+		}
+
+		for (const auto& kv : items) {
+			OnUnregistered(kv.first);
+		}
+
+		{
+			std::unique_lock<std::mutex> lock(m_Mutex);
+			m_Items.clear();
+		}
+	}
+
 	T GetItem(const String& name) const
 	{
 		std::unique_lock<std::mutex> lock(m_Mutex);
--- a/lib/base/scriptglobal.cpp
+++ b/lib/base/scriptglobal.cpp
@ -107,3 +107,4 @@ void ScriptGlobal::WriteToFile(const String& filename)
 	sfp->Close();
 	fp.Commit();
 }
+
--- a/lib/base/scriptutils.cpp
+++ b/lib/base/scriptutils.cpp
@ -520,7 +520,7 @@ String ScriptUtils::MsiGetComponentPathShim(const String& component)

 Array::Ptr ScriptUtils::TrackParents(const Object::Ptr& child)
 {
-	return Array::FromVector(DependencyGraph::GetChildren(dynamic_pointer_cast<ConfigObject>(child)));
+	return Array::FromVector(DependencyGraph::GetParents(child));
 }

 double ScriptUtils::Ptr(const Object::Ptr& object)
--- a/lib/base/shared.hpp
+++ b/lib/base/shared.hpp
@ -4,7 +4,6 @@
 #define SHARED_H

 #include "base/atomic.hpp"
-#include "base/intrusive-ptr.hpp"
 #include <boost/smart_ptr/intrusive_ptr.hpp>
 #include <cstdint>
 #include <utility>
--- a/lib/base/stdiostream.cpp
+++ b/lib/base/stdiostream.cpp
@ -21,7 +21,7 @@ StdioStream::~StdioStream()
 	Close();
 }

-size_t StdioStream::Read(void *buffer, size_t size)
+size_t StdioStream::Read(void *buffer, size_t size, bool allow_partial)
 {
 	ObjectLock olock(this);

--- a/lib/base/stdiostream.hpp
+++ b/lib/base/stdiostream.hpp
@ -18,7 +18,7 @@ public:
 	StdioStream(std::iostream *innerStream, bool ownsStream);
 	~StdioStream() override;

-	size_t Read(void *buffer, size_t size) override;
+	size_t Read(void *buffer, size_t size, bool allow_partial = false) override;
 	void Write(const void *buffer, size_t size) override;

 	void Close() override;
--- a/lib/base/stream.cpp
+++ b/lib/base/stream.cpp
@ -29,6 +29,11 @@ void Stream::Shutdown()
 	BOOST_THROW_EXCEPTION(std::runtime_error("Stream does not support Shutdown()."));
 }

+size_t Stream::Peek(void *buffer, size_t count, bool allow_partial)
+{
+	BOOST_THROW_EXCEPTION(std::runtime_error("Stream does not support Peek()."));
+}
+
 void Stream::SignalDataAvailable()
 {
 	OnDataAvailable(this);
@ -124,7 +129,7 @@ bool StreamReadContext::FillFromStream(const Stream::Ptr& stream, bool may_wait)
 		if (stream->IsEof())
 			break;

-		size_t rc = stream->Read(Buffer + Size, 4096);
+		size_t rc = stream->Read(Buffer + Size, 4096, true);

 		Size += rc;
 		count += rc;
--- a/lib/base/stream.hpp
+++ b/lib/base/stream.hpp
@ -54,15 +54,27 @@ class Stream : public Object
 public:
 	DECLARE_PTR_TYPEDEFS(Stream);

+	/**
+	 * Reads data from the stream without removing it from the stream buffer.
+	 *
+	 * @param buffer The buffer where data should be stored. May be nullptr if you're
+	 *		 not actually interested in the data.
+	 * @param count The number of bytes to read from the queue.
+	 * @param allow_partial Whether to allow partial reads.
+	 * @returns The number of bytes actually read.
+	 */
+	virtual size_t Peek(void *buffer, size_t count, bool allow_partial = false);
+
 	/**
 	 * Reads data from the stream.
 	 *
 	 * @param buffer The buffer where data should be stored. May be nullptr if you're
 	 *		 not actually interested in the data.
 	 * @param count The number of bytes to read from the queue.
+	 * @param allow_partial Whether to allow partial reads.
 	 * @returns The number of bytes actually read.
 	 */
-	virtual size_t Read(void *buffer, size_t count) = 0;
+	virtual size_t Read(void *buffer, size_t count, bool allow_partial = false) = 0;

 	/**
 	 * Writes data to the stream.
--- a/lib/base/string-script.cpp
+++ b/lib/base/string-script.cpp
@ -135,3 +135,4 @@ Object::Ptr String::GetPrototype()

 	return prototype;
 }
+
--- a/lib/base/string.cpp
+++ b/lib/base/string.cpp
@ -33,7 +33,7 @@ String::String(const String& other)
 	: m_Data(other)
 { }

-String::String(String&& other) noexcept
+String::String(String&& other)
 	: m_Data(std::move(other.m_Data))
 { }

@ -47,7 +47,7 @@ String::String(Value&& other)
 String& String::operator=(Value&& other)
 {
 	if (other.IsString())
-		*this = std::move(other.Get<String>()); // Will atomically bind to the move assignment operator below.
+		m_Data = std::move(other.Get<String>());
 	else
 		*this = static_cast<String>(other);

@ -66,7 +66,7 @@ String& String::operator=(const String& rhs)
 	return *this;
 }

-String& String::operator=(String&& rhs) noexcept
+String& String::operator=(String&& rhs)
 {
 	m_Data = std::move(rhs.m_Data);
 	return *this;
--- a/lib/base/string.hpp
+++ b/lib/base/string.hpp
@ -44,7 +44,7 @@ public:
 	String(std::string data);
 	String(String::SizeType n, char c);
 	String(const String& other);
-	String(String&& other) noexcept;
+	String(String&& other);

 #ifndef _MSC_VER
 	String(Value&& other);
@ -56,7 +56,7 @@ public:
 	{ }

 	String& operator=(const String& rhs);
-	String& operator=(String&& rhs) noexcept;
+	String& operator=(String&& rhs);
 	String& operator=(Value&& rhs);
 	String& operator=(const std::string& rhs);
 	String& operator=(const char *rhs);
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@ -7,8 +7,6 @@
 #include "base/logger.hpp"
 #include "base/configuration.hpp"
 #include "base/convert.hpp"
-#include "base/defer.hpp"
-#include "base/io-engine.hpp"
 #include <boost/asio/ssl/context.hpp>
 #include <boost/asio/ssl/verify_context.hpp>
 #include <boost/asio/ssl/verify_mode.hpp>
@ -20,48 +18,14 @@

 using namespace icinga;

-/**
- * Checks whether the TLS handshake was completed with a valid peer certificate.
- *
- * @return true if the peer presented a valid certificate, false otherwise
- */
-bool UnbufferedAsioTlsStream::IsVerifyOK()
+bool UnbufferedAsioTlsStream::IsVerifyOK() const
 {
-	if (!SSL_is_init_finished(native_handle())) {
-		// handshake was not completed
-		return false;
-	}
-
-	if (GetPeerCertificate() == nullptr) {
-		// no peer certificate was sent
-		return false;
-	}
-
-	return SSL_get_verify_result(native_handle()) == X509_V_OK;
+	return m_VerifyOK;
 }

-/**
- * Returns a human-readable error string for situations where IsVerifyOK() returns false.
- *
- * If the handshake was completed and a peer certificate was provided,
- * the string additionally contains the OpenSSL verification error code.
- *
- * @return string containing the error message
- */
-String UnbufferedAsioTlsStream::GetVerifyError()
+String UnbufferedAsioTlsStream::GetVerifyError() const
 {
-	if (!SSL_is_init_finished(native_handle())) {
-		return "handshake not completed";
-	}
-
-	if (GetPeerCertificate() == nullptr) {
-		return "no peer certificate provided";
-	}
-
-	std::ostringstream buf;
-	long err = SSL_get_verify_result(native_handle());
-	buf << "code " << err << ": " << X509_verify_cert_error_string(err);
-	return buf.str();
+	return m_VerifyError;
 }

 std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
@ -79,17 +43,17 @@ void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)

 	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);

-	set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
-		(void) preverified;
-		(void) ctx;
+	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
+		if (!preverified) {
+			m_VerifyOK = false;
+
+			std::ostringstream msgbuf;
+			int err = X509_STORE_CTX_get_error(ctx.native_handle());
+
+			msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
+			m_VerifyError = msgbuf.str();
+		}

-		/* Continue the handshake even if an invalid peer certificate was presented. The verification result has to be
-		 * checked using the IsVerifyOK() method.
-		 *
-		 * Such connections are used for the initial enrollment of nodes where they use a self-signed certificate to
-		 * send a certificate request and receive their valid certificate after approval (manually by the administrator
-		 * or using a certificate ticket).
-		 */
 		return true;
 	});

@ -105,62 +69,3 @@ void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
 	}
 #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
 }
-
-/**
- * Forcefully close the connection, typically (details are up to the operating system) using a TCP RST.
- */
-void AsioTlsStream::ForceDisconnect()
-{
-	if (!lowest_layer().is_open()) {
-		// Already disconnected, nothing to do.
-		return;
-	}
-
-	boost::system::error_code ec;
-
-	// Close the socket. In case the connection wasn't shut down cleanly by GracefulDisconnect(), the operating system
-	// will typically terminate the connection with a TCP RST. Otherwise, this just releases the file descriptor.
-	lowest_layer().close(ec);
-}
-
-/**
- * Try to cleanly shut down the connection. This involves sending a TLS close_notify shutdown alert and terminating the
- * underlying TCP connection. Sending these additional messages can block, hence the method takes a yield context and
- * internally implements a timeout of 10 seconds for the operation after which the connection is forcefully terminated
- * using ForceDisconnect().
- *
- * @param strand Asio strand used for other operations on this connection.
- * @param yc Yield context for Asio coroutines
- */
-void AsioTlsStream::GracefulDisconnect(boost::asio::io_context::strand& strand, boost::asio::yield_context& yc)
-{
-	if (!lowest_layer().is_open()) {
-		// Already disconnected, nothing to do.
-		return;
-	}
-
-	{
-		Timeout shutdownTimeout (strand, boost::posix_time::seconds(10),
-			[this] {
-				// Forcefully terminate the connection if async_shutdown() blocked more than 10 seconds.
-				ForceDisconnect();
-			}
-		);
-
-		// Close the TLS connection, effectively uses SSL_shutdown() to send a close_notify shutdown alert to the peer.
-		boost::system::error_code ec;
-		next_layer().async_shutdown(yc[ec]);
-	}
-
-	if (!lowest_layer().is_open()) {
-		// Connection got closed in the meantime, most likely by the timeout, so nothing more to do.
-		return;
-	}
-
-	// Shut down the TCP connection.
-	boost::system::error_code ec;
-	lowest_layer().shutdown(lowest_layer_type::shutdown_both, ec);
-
-	// Clean up the connection (closes the file descriptor).
-	ForceDisconnect();
-}
--- a/lib/base/tlsstream.hpp
+++ b/lib/base/tlsstream.hpp
@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public AsioTcpTlsStream
 public:
 	inline
 	UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
-		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_Hostname(init.Hostname)
+		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_VerifyOK(true), m_Hostname(init.Hostname)
 	{
 	}

-	bool IsVerifyOK();
-	String GetVerifyError();
+	bool IsVerifyOK() const;
+	String GetVerifyError() const;
 	std::shared_ptr<X509> GetPeerCertificate();

 	template<class... Args>
@ -97,6 +97,8 @@ public:
 	}

 private:
+	bool m_VerifyOK;
+	String m_VerifyError;
 	String m_Hostname;

 	void BeforeHandshake(handshake_type type);
@ -111,9 +113,6 @@ public:
 	{
 	}

-	void ForceDisconnect();
-	void GracefulDisconnect(boost::asio::io_context::strand& strand, boost::asio::yield_context& yc);
-
 private:
 	inline
 	AsioTlsStream(UnbufferedAsioTlsStreamParams init)
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@ -93,9 +93,7 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context

 	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;

-#ifdef LIBRESSL_VERSION_NUMBER
-	flags |= SSL_OP_NO_CLIENT_RENEGOTIATION;
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_CTX_set_info_callback(sslContext, [](const SSL* ssl, int where, int) {
 		if (where & SSL_CB_HANDSHAKE_DONE) {
 			ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
@ -1039,7 +1037,16 @@ int GetCertificateVersion(const std::shared_ptr<X509>& cert)

 String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert)
 {
+	int alg;
 	int sign_alg;
+	X509_PUBKEY *key;
+	X509_ALGOR *algor;
+
+	key = X509_get_X509_PUBKEY(cert.get());
+
+	X509_PUBKEY_get0_param(nullptr, nullptr, 0, &algor, key); //TODO: Error handling
+
+	alg = OBJ_obj2nid (algor->algorithm);

 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	sign_alg = OBJ_obj2nid((cert.get())->sig_alg->algorithm);
--- a/lib/base/type.cpp
+++ b/lib/base/type.cpp
@ -1,13 +1,9 @@
 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */

 #include "base/type.hpp"
-#include "base/atomic.hpp"
-#include "base/configobject.hpp"
-#include "base/debug.hpp"
 #include "base/scriptglobal.hpp"
 #include "base/namespace.hpp"
 #include "base/objectlock.hpp"
-#include <functional>

 using namespace icinga;

@ -36,43 +32,6 @@ INITIALIZE_ONCE_WITH_PRIORITY([]() {
 	Type::Register(type);
 }, InitializePriority::RegisterTypeType);

-static std::vector<Type::Ptr> l_SortedByLoadDependencies;
-static Atomic l_SortingByLoadDependenciesDone (false);
-
-INITIALIZE_ONCE_WITH_PRIORITY([] {
-	std::unordered_set<Type*> visited;
-
-	std::function<void(Type*)> visit;
-	// Please note that this callback does not detect any cyclic load dependencies,
-	// instead, it relies on the "sort_by_load_after" unit test to fail.
-	visit = ([&visit, &visited](Type* type) {
-		if (visited.find(type) != visited.end()) {
-			return;
-		}
-		visited.emplace(type);
-
-		for (auto dependency : type->GetLoadDependencies()) {
-			visit(dependency);
-		}
-
-		// We have managed to reach the final/top node in this dependency graph,
-		// so let's place them in reverse order to their final place.
-		l_SortedByLoadDependencies.emplace_back(type);
-	});
-
-	// Sort the types by their load_after dependencies in a Depth-First search manner.
-	for (const Type::Ptr& type : Type::GetAllTypes()) {
-		// Note that only those types that are assignable to the dynamic ConfigObject type can have "load_after"
-		// dependencies, otherwise they are just some Icinga 2 primitive types such as Number, String, etc. and
-		// we need to ignore them.
-		if (ConfigObject::TypeInstance->IsAssignableFrom(type)) {
-			visit(type.get());
-		}
-	}
-
-	l_SortingByLoadDependenciesDone.store(true);
-}, InitializePriority::SortTypes);
-
 String Type::ToString() const
 {
 	return "type '" + GetName() + "'";
@ -113,12 +72,6 @@ std::vector<Type::Ptr> Type::GetAllTypes()
 	return types;
 }

-const std::vector<Type::Ptr>& Type::GetConfigTypesSortedByLoadDependencies()
-{
-	VERIFY(l_SortingByLoadDependenciesDone.load());
-	return l_SortedByLoadDependencies;
-}
-
 String Type::GetPluralName() const
 {
 	String name = GetName();
@ -261,3 +214,4 @@ ObjectFactory TypeType::GetFactory() const
 {
 	return nullptr;
 }
+
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alexander Aleksandrovič Klimov	f2c83fbbf2	Merge pull request #9950 from Icinga/probot/sync-changelog/support/2.14/9fa41f3b4fbae83d4ca5bbfce4771031b6bd1fa4 CHANGELOG.md: add v2.13.9	2023-12-20 17:30:01 +01:00
Alexander A. Klimov	b85cd98eb1	CHANGELOG.md: add v2.13.9	2023-12-20 16:27:56 +00:00
Alexander Aleksandrovič Klimov	9fa41f3b4f	Merge pull request #9940 from Icinga/2141 Icinga 2.14.1	2023-12-20 17:27:43 +01:00
Alexander Aleksandrovič Klimov	61d190f892	Merge pull request #9947 from Icinga/2141morebackport Truncate too big notification command lines, fix GelfWriter deadlock and return 503 in /v1/console/* during reload	2023-12-20 12:44:07 +01:00
Alexander Aleksandrovič Klimov	3ddbbebc63	Merge pull request #9946 from Icinga/2141backport Disable TLS renegotiation, bump Windows deps and fix Icinga DB crashes	2023-12-20 12:40:41 +01:00
Alexander A. Klimov	41b692793b	Icinga 2.14.1	2023-12-20 10:56:15 +01:00
Alexander A. Klimov	fecb209fe0	GelfWriter: protect m_Stream via m_WorkQueue, not ObjectLock(this) On shutdown or HA re-connect ConfigObject#SetAuthority(false) is called which does ObjectLock(this) and ConfigObject#Pause(). GelfWriter#Pause(), with the above ObjectLock, calls m_WorkQueue.Join(). But items inside that also doing ObjectLock(this) cause a deadlock.	2023-12-20 10:46:51 +01:00
Mattia Codato	85c5a7c901	Prevent calls to command API while the configuration is reloading. Fixes #9840	2023-12-20 10:46:51 +01:00
Alexander A. Klimov	0eeac3b385	PluginNotificationTask::ScriptFunc(): on Linux truncate output and comment not to run into an exec(3) error E2BIG due to a too long argument. This sends a notification with truncated output instead of not sending.	2023-12-20 10:46:51 +01:00
Alexander A. Klimov	7efdae6a53	IcingaDB#SendConfigDelete(): fix missing nullptr check before deref	2023-12-20 10:30:01 +01:00
Alexander A. Klimov	79efda7a14	Icinga DB downtime history: provide cancel_time where has_been_cancelled may be 1 The table sla_history_downtime requires a downtime_end. The Go daemon takes the cancel_time if has_been_cancelled is 1. So we must supply a cancel_time whereever has_been_cancelled is 1. Otherwise the Go daemon can't process some entries.	2023-12-20 10:30:01 +01:00
Alexander A. Klimov	8c9f3ede4a	Bump OpenSSL shipped for Windows to v3.0.12	2023-12-20 10:14:00 +01:00
Alexander A. Klimov	4547c1e5a3	Bump Boost shipped for Windows to v1.83 Note: For doc/21-development.md use: perl -pi -e 's/(boost[-\w]*?1[-_]?)82/${1}83/g' doc/21-development.md	2023-12-20 10:14:00 +01:00
Alexander A. Klimov	ec77b6f1e3	Disable TLS renegotiation The API doesn't need it and a customer's security scanner is afraid of a potential DoS attack vector.	2023-12-20 10:14:00 +01:00
Alexander Aleksandrovič Klimov	bbb45894dd	Merge pull request #9944 from Icinga/targeted-api-filter-214 FilterUtility::GetFilterTargets(): don't run filter for specific object(s) for all objects	2023-12-19 17:40:59 +01:00
Alexander Aleksandrovič Klimov	b55a14d536	Merge pull request #9921 from Icinga/doc2141 Update documentation	2023-12-19 17:01:31 +01:00
Alexander A. Klimov	03aa5adb7a	Tests: config_apply/gettargetservices_*: use BOOST_CHECK_EQUAL_COLLECTIONS() to show the value diff in case of mismatch. Co-authored-by: Yonas Habteab <yonas.habteab@icinga.com>	2023-12-19 15:19:20 +01:00
Alexander A. Klimov	b99db24100	Test ApplyRule::GetTarget*s()	2023-12-19 15:19:20 +01:00
Alexander A. Klimov	bcbb1aee52	FilterUtility::GetFilterTargets(): don't run filter for specific object(s) for all objects	2023-12-19 15:19:20 +01:00
Alexander A. Klimov	60b7e96adc	ApplyRule::GetTarget*s(): support constant strings from variables in addition to literal strings. This is for sandboxed filters with some variables pre-set by the caller. They're "constant" in that scope, too.	2023-12-19 15:19:20 +01:00
Alexander A. Klimov	8248fa110c	Introduce DictExpression#GetExpressions()	2023-12-19 15:19:20 +01:00
Alexander A. Klimov	5c10bad86f	Introduce Dictionary#GetRef()	2023-12-19 15:19:20 +01:00
Alexander Aleksandrovič Klimov	5059d0f8b0	Merge pull request #9933 from Icinga/renew-the-ca-9890-214 ApiListener#Start(): auto-renew CA on its owner	2023-12-19 15:15:00 +01:00
Alexander A. Klimov	12c706a8ac	Update AUTHORS	2023-12-19 12:29:51 +01:00
Julian Brost	5835e2e03b	Update .mailmap	2023-12-19 12:29:51 +01:00
Alexander A. Klimov	61900b73e1	Doc: Troubleshooting: remove obsolete section "Analyze Notification Result" This feature has been reverted and won't be re-introduced anytime soon.	2023-12-19 12:29:51 +01:00
Alexander A. Klimov	4195f8d0f0	RequestCertificateHandler(): also renew if CA needs a renewal and a newer one is available.	2023-12-18 17:04:59 +01:00
Alexander A. Klimov	6b000fbce6	CertificateToString(): allow raw pointer input	2023-12-18 17:04:59 +01:00
Alexander A. Klimov	32f43c4873	ApiListener#Start(): auto-renew CA on its owner otherwise it would expire.	2023-12-18 17:04:59 +01:00
Alexander A. Klimov	b3dee0bb0a	ApiListener#RenewCert(): enable optional CA creation	2023-12-18 17:04:59 +01:00
Alexander A. Klimov	0cb037c698	CreateCertIcingaCA(EVP_PKEY, X509_NAME): enable optional CA creation	2023-12-18 17:04:59 +01:00
Alexander A. Klimov	17eac30868	Test IsCertUptodate() and IsCaUptodate()	2023-12-18 17:04:59 +01:00
Alexander A. Klimov	0f4723e567	Introduce IsCaUptodate() by splitting IsCertUptodate()	2023-12-18 17:04:59 +01:00
Alexander Aleksandrovič Klimov	bff7e69991	Merge pull request #9932 from Icinga/do-not-re-notify-if-filtered-states-don-t-change-4503-214 Discard likely duplicate problem notifications via Notification#last_notified_state_per_user	2023-12-13 18:15:56 +01:00
Alexander A. Klimov	d7500ca1bd	Notification#BeginExecuteNotification(): on recovery clear last_notified_state_per_user	2023-12-13 16:14:57 +01:00
Alexander A. Klimov	bbadf1f27b	Notification#BeginExecuteNotification(): discard likely duplicate problem notifications	2023-12-13 16:14:57 +01:00
Alexander A. Klimov	0ae2bdc444	Cluster-sync Notification#last_notified_state_per_user	2023-12-13 16:14:57 +01:00
Alexander A. Klimov	66ba9f446a	Notification#BeginExecuteNotification(): track state change notifications	2023-12-13 16:14:57 +01:00
Alexander A. Klimov	9a08472162	Docs: change "Amazon Linux 2" to "Amazon Linux" where applicable We also support Amazon Linux 2023 now.	2023-11-24 17:29:35 +01:00
Alvar Penning	0dd66f9886	Document host Common Runtime Attribute	2023-11-24 17:29:35 +01:00
Alvar Penning	bb717cf177	Fix link text for Downtime* Event Stream Types The link text for all Downtime* Event Stream Types contains "Comment" instead of "Downtime" even when pointing to the correct object.	2023-11-24 17:29:35 +01:00
Yonas Habteab	04dbf4aa13	Fix downtime host/service name attribute descriptions	2023-11-24 17:29:35 +01:00
Alexander Aleksandrovič Klimov	2e03a2e528	Doc: ITL: correct $ifw_api_crl$ default In contrast to cert/key/CA, no CRL means no CRL. (The behavior of the API is the same.)	2023-11-24 17:29:35 +01:00
Mathias Aerts	99aa33b85f	Fix typo	2023-11-24 17:29:35 +01:00
Alexander Aleksandrovič Klimov	0ceff4c09b	Merge pull request #9918 from Icinga/gha2141 Update GitHub actions	2023-11-24 17:26:27 +01:00
Alexander A. Klimov	9944437b7b	Update AUTHORS	2023-11-24 15:06:52 +01:00
Lord Hepipud	968f7401cf	Adds ProgressPreference SilentlyContinue We should use `$Global:ProgressPreference = 'SilentlyContinue';` to disable the progress bar during download. By doing so, information are directly written to the disk instead of written inside the memory and dumped to the disk afterwards	2023-11-24 14:43:52 +01:00
Alexander Aleksandrovič Klimov	d583598d08	GHA: drop EOL Fedora 36	2023-11-24 14:38:44 +01:00
Alexander A. Klimov	de47878991	GHA: complain if PR adds commits from people not yet listed in ./AUTHORS not to have to update ./AUTHORS or .mailmap after merging.	2023-11-24 14:38:40 +01:00
Alexander A. Klimov	3801b8a7cb	GHA: cancel runs on PR, but not on push In a PR one top commit replaces the previous one. But the central branches are more like timelines. It's nice to have red crosses in a such timeline as clear indicators that something was actually broken.	2023-11-24 14:38:00 +01:00
Alexander Aleksandrovič Klimov	35ef622cc6	GHA: add upcoming (already frozen) Ubuntu 23.10	2023-11-24 14:38:00 +01:00
Alexander Aleksandrovič Klimov	1f4ac7e651	GHA: add upcoming (already frozen) Fedora 39	2023-11-24 14:38:00 +01:00
Alexander Aleksandrovič Klimov	19927d0043	GHA: drop EOL Ubuntu 22.10	2023-11-24 14:38:00 +01:00