Merge pull request #10403 from Icinga/drop-superfluous-cmake-modules

Drop superfluous cmake modules

.github/ISSUE_TEMPLATE/release.md

@@ -0,0 +1,48 @@
+---
+name: '[INTERNAL] Release'
+about: Release a version
+title: 'Release Version v$version'
+labels: ''
+assignees: ''
+
+---
+
+# Release Workflow
+
+- [ ] Update `ICINGA2_VERSION`
+- [ ] Update bundled Windows dependencies
+- [ ] Harden global TLS defaults (consult https://ssl-config.mozilla.org)
+- [ ] Update `CHANGELOG.md`
+- [ ] Create and push a signed tag for the version
+- [ ] Build and release DEB and RPM packages
+- [ ] Build and release Windows packages
+- [ ] Merge dependency updates in https://github.com/Icinga/docker-icinga2/pulls
+- [ ] Create release on GitHub
+- [ ] Update public docs
+- [ ] Announce release
+
+## Update Bundled Windows Dependencies
+
+### Update packages.icinga.com
+
+Add the latest Boost and OpenSSL versions to
+https://packages.icinga.com/windows/dependencies/, e.g.:
+
+* https://master.dl.sourceforge.net/project/boost/boost-binaries/1.82.0/boost_1_82_0-msvc-14.2-64.exe
+* https://master.dl.sourceforge.net/project/boost/boost-binaries/1.82.0/boost_1_82_0-msvc-14.2-32.exe
+* https://slproweb.com/download/Win64OpenSSL-3_0_9.exe
+* https://slproweb.com/download/Win32OpenSSL-3_0_9.exe
+
+### Update Build Server, CI/CD and Documentation
+
+* [doc/win-dev.ps1](doc/win-dev.ps1) (also affects CI/CD)
+* [tools/win32/configure.ps1](tools/win32/configure.ps1)
+* [tools/win32/configure-dev.ps1](tools/win32/configure-dev.ps1)
+
+### Re-provision Build Server
+
+Even if there aren't any new releases of dependencies with versions
+hardcoded in the repos and files listed above (Boost, OpenSSL).
+There may be new build versions of other dependencies (VS, MSVC).
+Our GitHub actions (tests) use the latest ones automatically,
+but the GitLab runner (release packages) doesn't.

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: daily

.github/workflows/alpine-bash.Dockerfile

@@ -0,0 +1,8 @@
+# This Dockerfile is used in the linux job for Alpine Linux.
+#
+# As the linux.bash script is, in fact, a bash script and Alpine does not ship
+# a bash by default, the "alpine:bash" container will be built using this
+# Dockerfile in the GitHub Action.
+
+FROM alpine:3
+RUN ["apk", "--no-cache", "add", "bash"]

.github/workflows/authors-file.yml

@@ -0,0 +1,39 @@
+name: AUTHORS file
+
+on:
+  pull_request: { }
+
+jobs:
+  authors-file:
+    name: AUTHORS file
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout HEAD
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Check whether ./AUTHORS is up-to-date
+        run: |
+          set -exo pipefail
+          sort -uo AUTHORS AUTHORS
+          git add AUTHORS
+          git log --format='format:%aN <%aE>' "$(
+            git merge-base HEAD^1 HEAD^2
+          )..HEAD^2" >> AUTHORS
+          sort -uo AUTHORS AUTHORS
+          git diff AUTHORS >> AUTHORS.diff
+
+      - name: Complain if ./AUTHORS isn't up-to-date
+        run: |
+          if [ -s AUTHORS.diff ]; then
+            cat <<'EOF' >&2
+          There are the following new authors. If the commit author data is correct,
+          either add them to the AUTHORS file or update .mailmap. See gitmailmap(5) or:
+          https://git-scm.com/docs/gitmailmap
+          Don't hesitate to ask us for help if necessary.
+          EOF
+            cat AUTHORS.diff
+            exit 1
+          fi

.github/workflows/docker.yml

@@ -5,13 +5,12 @@ on:
   push:
     branches:
       - master
-      - 'support/*'
   release:
     types:
       - published
 
 concurrency:
-  group: docker-${{ github.ref }}
+  group: docker-${{ github.event_name == 'push' && github.sha || github.ref }}
   cancel-in-progress: true
 
 jobs:

.github/workflows/linux.bash

@@ -1,19 +1,33 @@
 #!/bin/bash
 set -exo pipefail
 
-export PATH="/usr/lib/ccache:/usr/lib64/ccache:/opt/rh/devtoolset-11/root/usr/bin:$PATH"
+export PATH="/usr/lib/ccache/bin:/usr/lib/ccache:/usr/lib64/ccache:$PATH"
 export CCACHE_DIR=/icinga2/ccache
 export CTEST_OUTPUT_ON_FAILURE=1
-CMAKE_OPTS=''
+CMAKE_OPTS=()
 
 case "$DISTRO" in
+  alpine:*)
+    # Packages inspired by the Alpine package, just
+    # - LibreSSL instead of OpenSSL 3 and
+    # - no MariaDB or libpq as they depend on OpenSSL.
+    # https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/community/icinga2/APKBUILD
+    apk add bison boost-dev ccache cmake flex g++ libedit-dev libressl-dev ninja-build tzdata
+    ln -vs /usr/lib/ninja-build/bin/ninja /usr/local/bin/ninja
+
+    # This test fails due to some glibc/musl mismatch regarding timezone PST/PDT.
+    # - https://www.openwall.com/lists/musl/2024/03/05/2
+    # - https://gitlab.alpinelinux.org/alpine/aports/-/blob/b3ea02e2251451f9511086e1970f21eb640097f7/community/icinga2/disable-failing-tests.patch
+    sed -i '/icinga_legacytimeperiod\/dst$/d' /icinga2/test/CMakeLists.txt
+    ;;
+
   amazonlinux:2)
     amazon-linux-extras install -y epel
-    yum install -y bison ccache cmake3 gcc-c++ flex ninja-build \
+    yum install -y bison ccache cmake3 gcc-c++ flex ninja-build system-rpm-config \
       {libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
 
     yum install -y bzip2 tar wget
-    wget https://boostorg.jfrog.io/artifactory/main/release/1.69.0/source/boost_1_69_0.tar.bz2
+    wget https://archives.boost.io/release/1.69.0/source/boost_1_69_0.tar.bz2
     tar -xjf boost_1_69_0.tar.bz2
 
     (
@@ -24,38 +38,30 @@ case "$DISTRO" in
 
     ln -vs /usr/bin/cmake3 /usr/local/bin/cmake
     ln -vs /usr/bin/ninja-build /usr/local/bin/ninja
-    CMAKE_OPTS='-DBOOST_INCLUDEDIR=/boost_1_69_0 -DBOOST_LIBRARYDIR=/boost_1_69_0/stage/lib'
+    CMAKE_OPTS+=(-DBOOST_{INCLUDEDIR=/boost_1_69_0,LIBRARYDIR=/boost_1_69_0/stage/lib})
     export LD_LIBRARY_PATH=/boost_1_69_0/stage/lib
     ;;
 
   amazonlinux:20*)
-    dnf install -y bison cmake flex gcc-c++ ninja-build \
+    dnf install -y amazon-rpm-config bison cmake flex gcc-c++ ninja-build \
       {boost,libedit,mariadb1\*,ncurses,openssl,postgresql,systemd}-devel
     ;;
 
-  centos:*)
-    yum install -y centos-release-scl epel-release
-    yum install -y bison ccache cmake3 devtoolset-11-gcc-c++ flex ninja-build \
-      {boost169,libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
-
-    ln -vs /usr/bin/cmake3 /usr/local/bin/cmake
-    ln -vs /usr/bin/ccache /usr/lib64/ccache/g++
-    CMAKE_OPTS='-DBOOST_INCLUDEDIR=/usr/include/boost169 -DBOOST_LIBRARYDIR=/usr/lib64/boost169'
-    ;;
-
   debian:*|ubuntu:*)
     apt-get update
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-{recommends,suggests} -y bison \
-      ccache cmake flex g++ lib{boost-all,edit,mariadb,ncurses,pq,ssl,systemd}-dev ninja-build tzdata
+    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-{recommends,suggests} -y \
+      bison ccache cmake dpkg-dev flex g++ ninja-build tzdata \
+      lib{boost-all,edit,mariadb,ncurses,pq,ssl,systemd}-dev
     ;;
 
   fedora:*)
-    dnf install -y bison ccache cmake flex gcc-c++ ninja-build \
+    dnf install -y bison ccache cmake flex gcc-c++ ninja-build redhat-rpm-config \
       {boost,libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
     ;;
 
-  opensuse/*)
-    zypper in -y bison ccache cmake flex gcc-c++ ninja {lib{edit,mariadb,openssl},ncurses,postgresql,systemd}-devel \
+  *suse*)
+    zypper in -y bison ccache cmake flex gcc-c++ ninja rpm-config-SUSE \
+      {lib{edit,mariadb,openssl},ncurses,postgresql,systemd}-devel \
       libboost_{context,coroutine,filesystem,iostreams,program_options,regex,system,test,thread}-devel
     ;;
 
@@ -71,24 +77,38 @@ case "$DISTRO" in
         ;;
     esac
 
-    dnf install -y bison ccache cmake gcc-c++ flex ninja-build \
+    dnf install -y bison ccache cmake gcc-c++ flex ninja-build redhat-rpm-config \
       {boost,libedit,mariadb,ncurses,openssl,postgresql,systemd}-devel
     ;;
 esac
 
+case "$DISTRO" in
+  alpine:*)
+    CMAKE_OPTS+=(-DUSE_SYSTEMD=OFF -DICINGA2_WITH_MYSQL=OFF -DICINGA2_WITH_PGSQL=OFF)
+    ;;
+  debian:*|ubuntu:*)
+    CMAKE_OPTS+=(-DICINGA2_LTO_BUILD=ON)
+    source <(dpkg-buildflags --export=sh)
+    ;;
+  *)
+    CMAKE_OPTS+=(-DCMAKE_{C,CXX}_FLAGS="$(rpm -E '%{optflags} %{?march_flag}')")
+    export LDFLAGS="$(rpm -E '%{?build_ldflags}')"
+    ;;
+esac
+
 mkdir /icinga2/build
 cd /icinga2/build
 
 cmake \
   -GNinja \
-  -DCMAKE_BUILD_TYPE=Release \
+  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
   -DICINGA2_UNITY_BUILD=ON \
   -DUSE_SYSTEMD=ON \
   -DICINGA2_USER=$(id -un) \
   -DICINGA2_GROUP=$(id -gn) \
-  $CMAKE_OPTS ..
+  "${CMAKE_OPTS[@]}" ..
 
-ninja
+ninja -v
 
 ninja test
 ninja install

.github/workflows/linux.yml

@@ -8,12 +8,12 @@ on:
   pull_request: {}
 
 concurrency:
-  group: linux-${{ github.ref }}
+  group: linux-${{ github.event_name == 'push' && github.sha || github.ref }}
   cancel-in-progress: true
 
 jobs:
   linux:
-    name: ${{ matrix.distro }}
+    name: ${{ matrix.distro }}${{ matrix.platform != 'linux/amd64' && format(' ({0})', matrix.platform) || '' }}
     runs-on: ubuntu-latest
 
     strategy:
@@ -21,24 +21,46 @@ jobs:
       max-parallel: 2
       matrix:
         distro:
+          # Alpine Linux to build Icinga 2 with LibreSSL, OpenBSD's default.
+          # The "alpine:bash" image will be built below based on "alpine:3".
+          - alpine:bash
+
           - amazonlinux:2
           - amazonlinux:2023
-          - centos:7 # and RHEL 7
-          - debian:10
-          - debian:11 # and Raspbian 11
-          - debian:12 # and Raspbian 12
-          - fedora:36
-          - fedora:37
-          - fedora:38
-          - opensuse/leap:15.3 # SLES 15.3
-          - opensuse/leap:15.4 # and SLES 15.4
-          - opensuse/leap:15.5 # and SLES 15.5
-          - rockylinux:8 # RHEL 8
-          - rockylinux:9 # RHEL 9
+
+          # Raspberry Pi OS is close enough to Debian to test just one of them.
+          # Its architecture is different, though, and covered by the Docker job.
+          - debian:11
+          - debian:12
+
+          - fedora:39
+          - fedora:40
+          - fedora:41
+
+          - opensuse/leap:15.5
+          - opensuse/leap:15.6
+
+          # We don't actually support Rocky Linux as such!
+          # We just use that RHEL clone to test the original.
+          - rockylinux:8
+          - rockylinux:9
+
+          - registry.suse.com/suse/sle15:15.5
+          - registry.suse.com/suse/sle15:15.6
+
           - ubuntu:20.04
           - ubuntu:22.04
-          - ubuntu:22.10
-          - ubuntu:23.04
+          - ubuntu:24.04
+          - ubuntu:24.10
+
+        platform:
+          - linux/amd64
+
+        include:
+          - distro: debian:11
+            platform: linux/386
+          - distro: debian:12
+            platform: linux/386
 
     steps:
       - name: Checkout HEAD
@@ -50,7 +72,13 @@ jobs:
           path: ccache
           key: ccache/${{ matrix.distro }}
 
-      - name: Build
+      - name: Build Alpine Docker Image
+        if: "matrix.distro == 'alpine:bash'"
+        run: >-
+          docker build --file .github/workflows/alpine-bash.Dockerfile
+          --tag alpine:bash `mktemp -d`
+
+      - name: Build Icinga
         run: >-
           docker run --rm -v "$(pwd):/icinga2" -e DISTRO=${{ matrix.distro }}
-          ${{ matrix.distro }} /icinga2/.github/workflows/linux.bash
+          --platform ${{ matrix.platform }} ${{ matrix.distro }} /icinga2/.github/workflows/linux.bash

.github/workflows/rpm.yml

@@ -1,116 +0,0 @@
-name: .rpm
-
-on:
-  push:
-    branches:
-      - master
-      - 'support/*'
-  pull_request: {}
-
-concurrency:
-  group: rpm-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  rpm:
-    name: .rpm (${{ matrix.distro.name }}, ${{ matrix.distro.release }})
-
-    strategy:
-      fail-fast: false
-      max-parallel: 1
-      matrix:
-        distro:
-          - name: sles
-            release: '12.5'
-            subscription: true
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Vars
-        id: vars
-        env:
-          GITLAB_RO_TOKEN: '${{ secrets.GITLAB_RO_TOKEN }}'
-        run: |
-          if [ ${{ matrix.distro.subscription }} = true ]; then
-            if [ "$(tr -d '\n' <<<"$GITLAB_RO_TOKEN" |wc -c)" -eq 0 ]; then
-              echo '::set-output name=CAN_BUILD::false'
-              echo '::set-output name=NEED_LOGIN::false'
-            else
-              echo '::set-output name=CAN_BUILD::true'
-              echo '::set-output name=NEED_LOGIN::true'
-            fi
-          else
-            echo '::set-output name=CAN_BUILD::true'
-            echo '::set-output name=NEED_LOGIN::false'
-          fi
-
-      - name: Checkout HEAD
-        if: "steps.vars.outputs.CAN_BUILD == 'true'"
-        uses: actions/checkout@v1
-
-      - name: Login
-        if: "steps.vars.outputs.NEED_LOGIN == 'true'"
-        env:
-          GITLAB_RO_TOKEN: '${{ secrets.GITLAB_RO_TOKEN }}'
-        run: |
-          docker login registry.icinga.com -u github-actions --password-stdin <<<"$GITLAB_RO_TOKEN"
-
-      - name: rpm-icinga2
-        if: "steps.vars.outputs.CAN_BUILD == 'true' && !matrix.distro.subscription"
-        run: |
-          set -exo pipefail
-          git clone https://git.icinga.com/packaging/rpm-icinga2.git
-          chmod o+w rpm-icinga2
-
-      - name: subscription-rpm-icinga2
-        if: "steps.vars.outputs.CAN_BUILD == 'true' && matrix.distro.subscription"
-        env:
-          GITLAB_RO_TOKEN: '${{ secrets.GITLAB_RO_TOKEN }}'
-        run: |
-          set -exo pipefail
-          git config --global credential.helper store
-          cat <<EOF >~/.git-credentials
-          https://github-actions:${GITLAB_RO_TOKEN}@git.icinga.com
-          EOF
-          git clone https://git.icinga.com/packaging/subscription-rpm-icinga2.git rpm-icinga2
-          chmod o+w rpm-icinga2
-
-      - name: Restore/backup ccache
-        if: "steps.vars.outputs.CAN_BUILD == 'true'"
-        id: ccache
-        uses: actions/cache@v1
-        with:
-          path: rpm-icinga2/ccache
-          key: |-
-            ${{ matrix.distro.name }}/${{ matrix.distro.release }}-ccache-${{ hashFiles('rpm-icinga2/ccache') }}
-
-      - name: Binary
-        if: "steps.vars.outputs.CAN_BUILD == 'true'"
-        run: |
-          set -exo pipefail
-          git checkout -B master
-          if [ -e rpm-icinga2/ccache ]; then
-            chmod -R o+w rpm-icinga2/ccache
-          fi
-          docker run --rm \
-            -v "$(pwd)/rpm-icinga2:/rpm-icinga2" \
-            -v "$(pwd)/.git:/icinga2.git:ro" \
-            -w /rpm-icinga2 \
-            -e ICINGA_BUILD_PROJECT=icinga2 \
-            -e ICINGA_BUILD_TYPE=snapshot \
-            -e UPSTREAM_GIT_URL=file:///icinga2.git \
-            registry.icinga.com/build-docker/${{ matrix.distro.name }}/${{ matrix.distro.release }} \
-            icinga-build-package
-
-      - name: Test
-        if: "steps.vars.outputs.CAN_BUILD == 'true'"
-        run: |
-          set -exo pipefail
-          docker run --rm \
-            -v "$(pwd)/rpm-icinga2:/rpm-icinga2" \
-            -w /rpm-icinga2 \
-            -e ICINGA_BUILD_PROJECT=icinga2 \
-            -e ICINGA_BUILD_TYPE=snapshot \
-            registry.icinga.com/build-docker/${{ matrix.distro.name }}/${{ matrix.distro.release }} \
-            icinga-build-test

.github/workflows/windows.yml

@@ -8,7 +8,7 @@ on:
   pull_request: {}
 
 concurrency:
-  group: windows-${{ github.ref }}
+  group: windows-${{ github.event_name == 'push' && github.sha || github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -25,29 +25,24 @@ jobs:
 
     env:
       BITS: '${{ matrix.bits }}'
-      ICINGA_BUILD_TYPE: snapshot
-      UPSTREAM_GIT_URL: file://D:/a/icinga2/icinga2/.git
+      CMAKE_BUILD_TYPE: RelWithDebInfo
 
     steps:
       - name: Checkout HEAD
         uses: actions/checkout@v1
 
-      - name: windows-icinga2
-        run: |
-          git clone https://git.icinga.com/packaging/windows-icinga2.git
-
       - name: Build tools
         run: |
+          Set-PSDebug -Trace 1
           & .\doc\win-dev.ps1
 
-      - name: Source
-        run: |
-          git checkout -B master
-          cd windows-icinga2
-          & .\source.ps1
-
       - name: Binary
-        working-directory: windows-icinga2
         run: |
-          New-Item -ItemType Directory -Path 'C:\Program Files\Icinga2\WillBeRemoved' -ErrorAction SilentlyContinue
-          & .\build.ps1
+          Set-PSDebug -Trace 1
+          & .\tools\win32\load-vsenv.ps1
+          & powershell.exe .\tools\win32\configure.ps1
+          if ($LastExitCode -ne 0) { throw "Error during configure" }
+          & powershell.exe .\tools\win32\build.ps1
+          if ($LastExitCode -ne 0) { throw "Error during build" }
+          & powershell.exe .\tools\win32\test.ps1
+          if ($LastExitCode -ne 0) { throw "Error during test" }

.mailmap

@@ -1,6 +1,7 @@
 <alexander.klimov@icinga.com> <alexander.klimov@netways.de>
 Alexander A. Klimov <alexander.klimov@icinga.com> <alexander.klimov@icinga.com>
 <alexander.klimov@icinga.com> <grandmaster@al2klimov.de>
+Alexander A. Klimov <alexander.klimov@icinga.com> <al2klimov@gmail.com>
 <assaf@aikilinux.com> <assaf.flatto@livepopuli.com>
 <atj@pulsewidth.org.uk> <adam.james@transitiv.co.uk>
 <bernd.erk@icinga.com> <bernd.erk@icinga.org>
@@ -23,6 +24,7 @@ Alexander A. Klimov <alexander.klimov@icinga.com> <alexander.klimov@icinga.com>
 <marius@graylog.com> <marius@torch.sh>
 <markus.frosch@icinga.com> <lazyfrosch@icinga.org>
 <markus.frosch@icinga.com> <markus@lazyfrosch.de>
+<mathias.aerts@delta.blue> <mathiasaerts@users.noreply.github.com>
 <michael.friedrich@icinga.com> <michael.friedrich@gmail.com>
 <michael.friedrich@icinga.com> <Michael.Friedrich@netways.de>
 <nicole.lang@icinga.com> <nicole.lang@netways.de>

AUTHORS

@@ -11,6 +11,7 @@ Alexander Fuhr <alexander.fuhr@netways.de>
 Alexander Schomburg <script.acc@alex.schomb.org>
 Alexander Stoll <astoll@netways.de>
 Alexander Wirt <formorer@debian.org>
+Alvar Penning <alvar.penning@icinga.com>
 Andrea Avancini <andrea.avancini@wuerth-phoenix.com>
 Andrea Kao <eirinikos@gmail.com>
 Andreas Maus <maus@badphish.ypbind.de>
@@ -20,6 +21,7 @@ Andres Ivanov <andres@andres.wtf>
 Andrew Jaffie <ajaffie@gmail.com>
 Andrew Meyer <ameyer+secure@nodnetwork.org>
 Andy Grunwald <andygrunwald@gmail.com>
+Angel Roman <angel.r.roman77@gmail.com>
 Ant1x <37016240+Ant1x@users.noreply.github.com>
 Arnd Hannemann <arnd@arndnet.de>
 Assaf Flatto <assaf@aikilinux.com>
@@ -51,6 +53,7 @@ Christian Gut <cycloon@is-root.org>
 Christian Harke <ch.harke@gmail.com>
 Christian Jonak <christian@jonak.org>
 Christian Lehmann <christian_lehmann@gmx.de>
+Christian Lauf <github.com@christian-lauf.info>
 Christian Loos <cloos@netsandbox.de>
 Christian Schmidt <github@chsc.dk>
 Christopher Peterson <3893680+cspeterson@users.noreply.github.com>
@@ -71,6 +74,7 @@ Denis <zaharden@gmail.com>
 Dennis Lichtenthäler <dennis.lichtenthaeler@stiftung-tannenhof.de>
 dh.harald <dh.harald@gmail.com>
 Diana Flach <diana.flach@icinga.com>
+Didier 'OdyX' Raboud <didier.raboud@liip.ch>
 Dinesh Majrekar <dinesh.majrekar@serverchoice.com>
 Dirk Goetz <dirk.goetz@icinga.com>
 Dirk Melchers <dirk@dirk-melchers.de>
@@ -133,6 +137,7 @@ Jochen Friedrich <j.friedrich@nwe.de>
 Johannes Meyer <johannes.meyer@icinga.com>
 Jonas Meurer <jonas@freesources.org>
 Jordi van Scheijen <jordi.vanscheijen@solvinity.com>
+Josef Friedrich <josef@friedrich.rocks>
 Joseph L. Casale <jcasale@activenetwerx.com>
 jre3brg <jorge.rebelo@pt.bosch.com>
 Julian Brost <julian.brost@icinga.com>
@@ -153,12 +158,14 @@ Lennart Betz <lennart.betz@icinga.com>
 Leon Stringer <leon@priorsvle.com>
 lihan <tclh123@gmail.com>
 log1-c <24474580+log1-c@users.noreply.github.com>
+Lord Hepipud <contact@lordhepipud.de>
 Lorenz Kästle <lorenz.kaestle@netways.de>
 Louis Sautier <sautier.louis@gmail.com>
 Luca Lesinigo <luca@lm-net.it>
 Lucas Bremgartner <breml@users.noreply.github.com>
 Lucas Fairchild-Madar <lucas.madar@gmail.com>
 Luiz Amaral <luiz.amaral@innogames.com>
+Maciej Dems <maciej.dems@p.lodz.pl>
 Magnus Bäck <magnus@noun.se>
 Maik Stuebner <maik@stuebner.info>
 Malte Rabenseifner <mail@malte-rabenseifner.de>
@@ -205,7 +212,9 @@ mocruz <mocruz@theworkshop.com>
 Muhammad Mominul Huque <nahidbinbaten1995@gmail.com>
 nemtrif <ntrifunovic@hotmail.com>
 Nicolai <nbuchwitz@users.noreply.github.com>
+Nicolas Berens <nicolas.berens@planet.com>
 Nicolas Limage <github@xephon.org>
+Nicolas Rodriguez <nico@nicoladmin.fr>
 Nicole Lang <nicole.lang@icinga.com>
 Niflou <dubuscyr@gmail.com>
 Noah Hilverling <noah.hilverling@icinga.com>
@@ -219,6 +228,7 @@ Patrick Dolinic <pdolinic@netways.de>
 Patrick Huy <frz@frz.cc>
 Paul Denning <paul.denning@dimensiondata.com>
 Paul Richards <paul@minimoo.org>
+Pavel Motyrev <legioner.r@gmail.com>
 Pawel Szafer <pszafer@gmail.com>
 Per von Zweigbergk <pvz@itassistans.se>
 Peter Eckel <6815386+peteeckel@users.noreply.github.com>
@@ -232,7 +242,7 @@ pv2b <pvz@pvz.pp.se>
 Ralph Breier <ralph.breier@roedl.com>
 Reto Zeder <reto.zeder@arcade.ch>
 Ricardo Bartels <ricardo@bitchbrothers.com>
-RincewindsHat <12514511+RincewindsHat@users.noreply.github.com>
+Richard Mortimer <richm@oldelvet.org.uk>
 Rinck H. Sonnenberg <r.sonnenberg@netson.nl>
 Robert Lindgren <robert.lindgren@gmail.com>
 Robert Scheck <robert@fedoraproject.org>
@@ -249,6 +259,7 @@ Sascha Westermann <sascha.westermann@hl-services.de>
 Sebastian Brückner <mail@invlid.com>
 Sebastian Chrostek <sebastian@chrostek.net>
 Sebastian Eikenberg <eikese@mail.uni-paderborn.de>
+Sebastian Grund <s.grund@openinfrastructure.de>
 Sebastian Marsching <sebastian-git-2016@marsching.com>
 Silas <67681686+Tqnsls@users.noreply.github.com>
 Simon Murray <spjmurray@yahoo.co.uk>
@@ -269,6 +280,7 @@ Sven Wegener <swegener@gentoo.org>
 sysadt <sysadt@protonmail.com>
 T. Mulyana <nothinux@gmail.com>
 teclogi <27726999+teclogi@users.noreply.github.com>
+Theo Buehler <tb@openbsd.org>
 Thomas Forrer <thomas.forrer@wuerth-phoenix.com>
 Thomas Gelf <thomas.gelf@icinga.com>
 Thomas Niedermeier <tniedermeier@thomas-krenn.com>
@@ -276,6 +288,7 @@ Thomas Widhalm <thomas.widhalm@icinga.com>
 Tim Hardeck <thardeck@suse.de>
 Tim Weippert <weiti@weiti.eu>
 Timo Buhrmester <van.fstd@gmail.com>
+Tobias Bauriedel <tobias.bauriedel@netways.de>
 Tobias Birnbaum <osterd@gmx.de>
 Tobias Deiminger <haxtibal@posteo.de>
 Tobias von der Krone <tobias.vonderkrone@profitbricks.com>
@@ -290,6 +303,7 @@ Winfried Angele <winfried.angele@gmail.com>
 Wolfgang Nieder <wnd@gmx.net>
 XnS <git@xns.be>
 Yannick Charton <tontonitch-pro@yahoo.fr>
+Yannick Martin <yannick.martin@ovhcloud.com>
 Yohan Jarosz <yohanjarosz@yahoo.fr>
 Yonas Habteab <yonas.habteab@icinga.com>
 Zachary McGibbon <zachary.mcgibbon@gmail.com>

CHANGELOG.md

@@ -7,6 +7,50 @@ documentation before upgrading to a new release.
 
 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).
 
+## 2.14.3 (2024-11-12)
+
+This security release fixes a TLS certificate validation bypass.
+Given the severity of that issue, users are advised to upgrade all nodes immediately.
+
+* Security: fix TLS certificate validation bypass. CVE-2024-49369
+* Security: update OpenSSL shipped on Windows to v3.0.15.
+* Windows: sign MSI packages with a certificate the OS trusts by default.
+
+## 2.14.2 (2024-01-18)
+
+Version 2.14.2 is a hotfix release for master nodes that mainly
+fixes excessive disk usage caused by the InfluxDB writers.
+
+* InfluxDB: truncate timestamps to whole seconds to save disk space. #9969
+* HttpServerConnection: log request processing time as well. #9970
+* Update Boost shipped on Windows to v1.84. #9970
+
+## 2.14.1 (2023-12-21)
+
+Version 2.14.1 is a hotfix release for masters and satellites that mainly
+prevents permanent disintegration of a whole cluster due to root CA expiry.
+
+### Security
+
+* Automatically renew own root CA and distribute it to all nodes. #9933
+* Update OpenSSL shipped on Windows to v3.0.12. #9946
+* Disable TLS renegotiation (handshake on existing connection). #9946
+
+### Bugfixes
+
+* Icinga DB feature: fix crash due to missing NULL pointer check. #9946
+* Icinga DB feature: fix data written into Redis crashing the Go daemon. #9946
+* GelfWriter: fix deadlock on stop/reload caused by busy queue. #9947
+* Don't lose notifications due to too long output, truncate it. #9947
+
+### Enhancements
+
+* Discard duplicate problem notifications due to state filtering. #9932
+* Speed up API filters targeting specific hosts/services to O(1). #9944
+* POST /v1/console/\*: return HTTP 503 while Icinga is reloading. #9947
+* Update Boost shipped on Windows to v1.83. #9946
+* Documentation: several fixes and improvements. #9921
+
 ## 2.14.0 (2023-07-12)
 
 [Issues and PRs](https://github.com/Icinga/icinga2/issues?q=is%3Aclosed+milestone%3A2.14.0)
@@ -199,6 +243,35 @@ Add `linux_netdev` check command. #9045
 * Several code quality improvements. #8815 #9106 #9250
   #9508 #9517 #9537 #9594 #9605 #9606 #9641 #9658 #9702 #9717 #9738
 
+## 2.13.10 (2024-11-12)
+
+This security release fixes a TLS certificate validation bypass.
+Given the severity of that issue, users are advised to upgrade all nodes immediately.
+
+* Security: fix TLS certificate validation bypass. CVE-2024-49369
+* Security: update OpenSSL shipped on Windows to v3.0.15.
+* Windows: sign MSI packages with a certificate the OS trusts by default.
+
+## 2.13.9 (2023-12-21)
+
+Version 2.13.9 is a hotfix release for masters and satellites that mainly
+prevents permanent disintegration of a whole cluster due to root CA expiry.
+
+### Security
+
+* Automatically renew own root CA and distribute it to all nodes. #9934
+* Update OpenSSL shipped on Windows to v3.0.12. #9945
+* Disable TLS renegotiation (handshake on existing connection). #9945
+
+### Bugfixes
+
+* Icinga DB feature: fix crash due to missing NULL pointer check. #9945
+* Icinga DB feature: fix data written into Redis crashing the Go daemon. #9945
+
+### Updates
+
+* Update Boost shipped on Windows to v1.83. #9945
+
 ## 2.13.8 (2023-07-12)
 
 Version 2.13.8 is a maintenance release that fixes some bugs,
@@ -912,6 +985,15 @@ Thanks to all contributors:
   * Code quality fixes
   * Small documentation fixes
 
+## 2.11.12 (2024-11-12)
+
+This security release fixes a TLS certificate validation bypass.
+Given the severity of that issue, users are advised to upgrade all nodes immediately.
+
+* Security: fix TLS certificate validation bypass. CVE-2024-49369
+* Security: update OpenSSL shipped on Windows to v3.0.15.
+* Windows: sign MSI packages with a certificate the OS trusts by default.
+
 ## 2.11.11 (2021-08-19)
 
 The main focus of these versions is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter.

CMakeLists.txt

@@ -1,17 +1,12 @@
 # Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+
 
-cmake_minimum_required(VERSION 2.8.12)
+# CMake 3.8 is required, CMake policy compatibility was verified up to 3.17.
+cmake_minimum_required(VERSION 3.8...3.17)
 set(BOOST_MIN_VERSION "1.66.0")
 
-if("${CMAKE_VERSION}" VERSION_LESS "3.8") # SLES 12.5
-  if(NOT MSVC)
-    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++17")
-  endif()
-else()
-  set(CMAKE_CXX_STANDARD 17)
-  set(CMAKE_CXX_STANDARD_REQUIRED ON)
-  set(CMAKE_CXX_EXTENSIONS OFF)
-endif()
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED ON)
+set(CMAKE_CXX_EXTENSIONS OFF)
 
 project(icinga2)
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
@@ -23,6 +18,10 @@ if(NOT CMAKE_BUILD_TYPE)
     FORCE)
 endif()
 
+# Include symbols in executables so that function names can be printed in stack traces, for example in crash dumps.
+set(CMAKE_ENABLE_EXPORTS ON) # Added in CMake 3.4
+set(CMAKE_EXECUTABLE_ENABLE_EXPORTS ON) # Added in CMake 3.27 and supersedes the above one.
+
 if(WIN32)
   set(ICINGA2_MASTER OFF)
 else()
@@ -186,21 +185,21 @@ add_definitions(-DBOOST_FILESYSTEM_NO_DEPRECATED)
 add_definitions(-DBOOST_ASIO_USE_TS_EXECUTOR_AS_DEFAULT)
 
 link_directories(${Boost_LIBRARY_DIRS})
-include_directories(${Boost_INCLUDE_DIRS})
+include_directories(SYSTEM ${Boost_INCLUDE_DIRS})
 
 find_package(OpenSSL REQUIRED)
-include_directories(${OPENSSL_INCLUDE_DIR})
+include_directories(SYSTEM ${OPENSSL_INCLUDE_DIR})
 
 set(base_DEPS ${CMAKE_DL_LIBS} ${Boost_LIBRARIES} ${OPENSSL_LIBRARIES})
 set(base_OBJS $<TARGET_OBJECTS:mmatch> $<TARGET_OBJECTS:socketpair> $<TARGET_OBJECTS:base>)
 
 # JSON
 find_package(JSON)
-include_directories(${JSON_INCLUDE})
+include_directories(SYSTEM ${JSON_INCLUDE})
 
 # UTF8CPP
 find_package(UTF8CPP)
-include_directories(${UTF8CPP_INCLUDE})
+include_directories(SYSTEM ${UTF8CPP_INCLUDE})
 
 find_package(Editline)
 set(HAVE_EDITLINE "${EDITLINE_FOUND}")
@@ -223,22 +222,23 @@ endif()
 
 if(EDITLINE_FOUND)
   list(APPEND base_DEPS ${EDITLINE_LIBRARIES})
-  include_directories(${EDITLINE_INCLUDE_DIR})
+  include_directories(SYSTEM ${EDITLINE_INCLUDE_DIR})
 endif()
 
 if(TERMCAP_FOUND)
   list(APPEND base_DEPS ${TERMCAP_LIBRARIES})
-  include_directories(${TERMCAP_INCLUDE_DIR})
+  include_directories(SYSTEM ${TERMCAP_INCLUDE_DIR})
 endif()
 
 if(WIN32)
   list(APPEND base_DEPS ws2_32 dbghelp shlwapi msi)
 endif()
 
-set(CMAKE_MACOSX_RPATH 1)
 set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_RPATH};${CMAKE_INSTALL_FULL_LIBDIR}/icinga2")
 
 if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Winconsistent-missing-override")
+
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Qunused-arguments -fcolor-diagnostics -fno-limit-debug-info")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Qunused-arguments -fcolor-diagnostics -fno-limit-debug-info")
 
@@ -256,6 +256,8 @@ if(CMAKE_C_COMPILER_ID STREQUAL "SunPro")
 endif()
 
 if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wsuggest-override")
+
   if(CMAKE_SYSTEM_NAME MATCHES AIX)
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -lpthread")
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -g -lpthread")
@@ -365,6 +367,7 @@ check_function_exists(vfork HAVE_VFORK)
 check_function_exists(backtrace_symbols HAVE_BACKTRACE_SYMBOLS)
 check_function_exists(pipe2 HAVE_PIPE2)
 check_function_exists(nice HAVE_NICE)
+check_function_exists(malloc_info HAVE_MALLOC_INFO)
 check_library_exists(dl dladdr "dlfcn.h" HAVE_DLADDR)
 check_library_exists(execinfo backtrace_symbols "" HAVE_LIBEXECINFO)
 check_include_file_cxx(cxxabi.h HAVE_CXXABI_H)
@@ -506,6 +509,7 @@ set(CPACK_WIX_UI_DIALOG "${CMAKE_CURRENT_SOURCE_DIR}/icinga-installer/dlgbmp.bmp
 set(CPACK_WIX_PATCH_FILE "${CMAKE_CURRENT_BINARY_DIR}/icinga-installer/icinga2.wixpatch.Debug")
 set(CPACK_WIX_PATCH_FILE "${CMAKE_CURRENT_BINARY_DIR}/icinga-installer/icinga2.wixpatch")
 set(CPACK_WIX_EXTENSIONS "WixUtilExtension" "WixNetFxExtension")
+set(CPACK_WIX_INSTALL_SCOPE NONE)
 
 set(CMAKE_INSTALL_SYSTEM_RUNTIME_DESTINATION "sbin")
 set(CMAKE_INSTALL_UCRT_LIBRARIES TRUE)

CONTRIBUTING.md

@@ -111,6 +111,12 @@ refs #1234
 You can add multiple commits during your journey to finish your patch.
 Don't worry, you can squash those changes into a single commit later on.
 
+Ensure your name and email address in the commit metadata are correct.
+In your first contribution (PR) also add them to [AUTHORS](./AUTHORS).
+If those metadata changed since your last successful contribution,
+you should update [AUTHORS](./AUTHORS) and [.mailmap](./.mailmap).
+For the latter see [gitmailmap(5)](https://git-scm.com/docs/gitmailmap).
+
 ## <a id="contributing-pull-requests"></a> Pull Requests
 
 Once you've commited your changes, please update your local master

RELEASE.md

@@ -1,421 +0,0 @@
-# Release Workflow <a id="release-workflow"></a>
-
-#### Table of Content
-
-- [1. Preparations](#preparations)
-  - [1.1. Issues](#issues)
-  - [1.2. Backport Commits](#backport-commits)
-  - [1.3. Windows Dependencies](#windows-dependencies)
-- [2. Version](#version)
-- [3. Changelog](#changelog)
-- [4. Git Tag](#git-tag)
-- [5. Package Builds](#package-builds)
-  - [5.1. RPM Packages](#rpm-packages)
-  - [5.2. DEB Packages](#deb-packages)
-- [6. Build Server](#build-infrastructure)
-- [7. Release Tests](#release-tests)
-- [8. GitHub Release](#github-release)
-- [9. Docker](#docker)
-- [10. Post Release](#post-release)
-  - [10.1. Online Documentation](#online-documentation)
-  - [10.2. Announcement](#announcement)
-  - [10.3. Project Management](#project-management)
-
-## Preparations <a id="preparations"></a>
-
-Specify the release version.
-
-```bash
-VERSION=2.11.0
-```
-
-Add your signing key to your Git configuration file, if not already there.
-
-```
-vim $HOME/.gitconfig
-
-[user]
-        email = michael.friedrich@icinga.com
-        name = Michael Friedrich
-        signingkey = D14A1F16
-```
-
-### Issues <a id="issues"></a>
-
-Check issues at https://github.com/Icinga/icinga2
-
-### Backport Commits <a id="backport-commits"></a>
-
-For minor versions you need to manually backports any and all commits from the
-master branch which should be part of this release.
-
-### Windows Dependencies <a id="windows-dependencies"></a>
-
-In contrast to Linux, the bundled Windows dependencies
-(at least Boost and OpenSSL) aren't updated automatically.
-(Neither by Icinga administrators, nor at package build time.)
-
-To ensure the upcoming Icinga release ships the latest (i.e. most secure) dependencies on Windows:
-
-#### Update packages.icinga.com
-
-Add the latest Boost and OpenSSL versions to
-https://packages.icinga.com/windows/dependencies/ like this:
-
-```
-localhost:~$ ssh aptly.vm.icinga.com
-aptly:~$ sudo -i
-aptly:~# cd /var/www/html/aptly/public/windows/dependencies
-aptly:dependencies# wget https://master.dl.sourceforge.net/project/boost/boost-binaries/1.76.0/boost_1_76_0-msvc-14.2-64.exe
-aptly:dependencies# wget https://master.dl.sourceforge.net/project/boost/boost-binaries/1.76.0/boost_1_76_0-msvc-14.2-32.exe
-aptly:dependencies# wget https://slproweb.com/download/Win64OpenSSL-1_1_1k.exe
-aptly:dependencies# wget https://slproweb.com/download/Win32OpenSSL-1_1_1k.exe
-```
-
-#### Ensure Compatibility
-
-Preferably on a fresh Windows VM (not to accidentally build Icinga
-with old dependency versions) setup a dev environment using the new dependency versions:
-
-1. Download [doc/win-dev.ps1](doc/win-dev.ps1)
-2. Edit your local copy, adjust the dependency versions
-3. Ensure there are 35 GB free space on C:
-4. Run the following in an administrative Powershell:
-   1. `Enable-WindowsOptionalFeature -FeatureName "NetFx3" -Online`
-      (reboot when asked!)
-   2. `powershell -NoProfile -ExecutionPolicy Bypass -File "${Env:USERPROFILE}\Downloads\win-dev.ps1"`
-      (will take some time)
-
-Actually clone and build Icinga using the new dependency versions as described
-[here](https://github.com/Icinga/icinga2/blob/master/doc/21-development.md#tldr).
-Fix incompatibilities if any.
-
-#### Update Build Server, CI/CD and Documentation
-
-* https://git.icinga.com/infra/ansible-windows-build
-  (don't forget to provision!)
-* [doc/21-development.md](doc/21-development.md)
-* [doc/win-dev.ps1](doc/win-dev.ps1)
-  (also affects CI/CD)
-* [tools/win32/configure.ps1](tools/win32/configure.ps1)
-* [tools/win32/configure-dev.ps1](tools/win32/configure-dev.ps1)
-
-#### Re-provision Build Server
-
-Even if there aren't any new releases of dependencies with versions
-hardcoded in the repos and files listed above (Boost, OpenSSL).
-There may be new build versions of other dependencies (VS, MSVC).
-Our GitHub actions (tests) use the latest ones automatically,
-but the GitLab runner (release packages) doesn't.
-
-
-## Version <a id="version"></a>
-
-Update the version:
-
-```bash
-perl -pi -e "s/Version: .*/Version: $VERSION/g" ICINGA2_VERSION
-```
-
-## Changelog <a id="changelog"></a>
-
-Choose the most important issues and summarize them in multiple groups/paragraphs. Provide links to the mentioned
-issues/PRs. At the start include a link to the milestone's closed issues.
-
-
-## Git Tag  <a id="git-tag"></a>
-
-```bash
-git commit -v -a -m "Release version $VERSION"
-```
-
-Create a signed tag (tags/v<VERSION>) on the `master` branch (for major
-releases) or the `support` branch (for minor releases).
-
-```bash
-git tag -s -m "Version $VERSION" v$VERSION
-```
-
-Push the tag:
-
-```bash
-git push origin v$VERSION
-```
-
-**For major releases:** Create a new `support` branch:
-
-```bash
-git checkout master
-git push
-
-git checkout -b support/2.12
-git push -u origin support/2.12
-```
-
-
-## Package Builds  <a id="package-builds"></a>
-
-```bash
-mkdir $HOME/dev/icinga/packaging
-cd $HOME/dev/icinga/packaging
-```
-
-### RPM Packages  <a id="rpm-packages"></a>
-
-```bash
-git clone git@git.icinga.com:packaging/rpm-icinga2.git && cd rpm-icinga2
-```
-
-### DEB Packages <a id="deb-packages"></a>
-
-```bash
-git clone git@git.icinga.com:packaging/deb-icinga2.git && cd deb-icinga2
-```
-
-### Raspbian Packages
-
-```bash
-git clone git@git.icinga.com:packaging/raspbian-icinga2.git && cd raspbian-icinga2
-```
-
-### Windows Packages
-
-```bash
-git clone git@git.icinga.com:packaging/windows-icinga2.git && cd windows-icinga2
-```
-
-
-### Branch Workflow
-
-For each support branch in this repo (e.g. support/2.12), there exists a corresponding branch in the packaging repos
-(e.g. 2.12). Each package revision is a tagged commit on these branches. When doing a major release, create the new
-branch, otherweise switch to the existing one.
-
-
-### Switch Build Type
-
-Ensure that `ICINGA_BUILD_TYPE` is set to `release` in `.gitlab-ci.yml`. This should only be necessary after creating a
-new branch.
-
-```yaml
-variables:
-  ...
-  ICINGA_BUILD_TYPE: release
-  ...
-```
-
-Commit the change.
-
-```bash
-git commit -av -m "Switch build type for 2.13"
-```
-
-#### RPM Release Preparations
-
-Set the `Version`, `revision` and `%changelog` inside the spec file:
-
-```
-perl -pi -e "s/Version:.*/Version:        $VERSION/g" icinga2.spec
-
-vim icinga2.spec
-
-%changelog
-* Thu Sep 19 2019 Michael Friedrich <michael.friedrich@icinga.com> 2.11.0-1
-- Update to 2.11.0
-```
-
-#### DEB and Raspbian Release Preparations
-
-Update file `debian/changelog` and add at the beginning:
-
-```
-icinga2 (2.11.0-1) icinga; urgency=medium
-
-  * Release 2.11.0
-
- -- Michael Friedrich <michael.friedrich@icinga.com>  Thu, 19 Sep 2019 10:50:31 +0200
-```
-
-
-#### Windows Release Preparations
-
-Update the file `.gitlab-ci.yml`:
-
-```
-perl -pi -e "s/^  UPSTREAM_GIT_BRANCH: .*/  UPSTREAM_GIT_BRANCH: v$VERSION/g" .gitlab-ci.yml
-perl -pi -e "s/^  ICINGA_FORCE_VERSION: .*/  ICINGA_FORCE_VERSION: v$VERSION/g" .gitlab-ci.yml
-```
-
-
-### Release Commit
-
-Commit the changes and push the branch.
-
-```bash
-git commit -av -m "Release $VERSION-1"
-git push origin 2.11
-```
-
-GitLab will now build snapshot packages based on the tag `v2.11.0` of Icinga 2.
-
-### Package Tests
-
-In order to test the created packages you can download a job's artifacts:
-
-Visit [git.icinga.com](https://git.icinga.com/packaging/rpm-icinga2)
-and navigate to the respective pipeline under `CI / CD -> Pipelines`.
-
-There click on the job you want to download packages from.
-
-The job's output appears. On the right-hand sidebar you can browse its artifacts.
-
-Once there, navigate to `build/RPMS/noarch` where you'll find the packages.
-
-### Release Packages
-
-To build release packages and upload them to [packages.icinga.com](https://packages.icinga.com)
-tag the release commit and push it.
-
-RPM/DEB/Raspbian:
-
-```bash
-git tag -s $VERSION-1 -m "Release v$VERSION-1"
-git push origin $VERSION-1
-```
-
-Windows:
-
-```bash
-git tag -s $VERSION -m "Release v$VERSION"
-git push origin $VERSION
-```
-
-
-Now cherry pick the release commit to `master` so that the changes are transferred back to it.
-
-**Attention**: Only the release commit. *NOT* the one switching the build type!
-
-
-## Build Infrastructure <a id="build-infrastructure"></a>
-
-https://git.icinga.com/packaging/rpm-icinga2/pipelines
-https://git.icinga.com/packaging/deb-icinga2/pipelines
-https://git.icinga.com/packaging/windows-icinga2/pipelines
-https://git.icinga.com/packaging/raspbian-icinga2/pipelines
-
-* Verify package build changes for this version.
-* Test the snapshot packages for all distributions beforehand.
-
-Once the release repository tags are pushed, release builds
-are triggered and automatically published to packages.icinga.com
-
-## Release Tests  <a id="release-tests"></a>
-
-* Test DB IDO with MySQL and PostgreSQL.
-* Provision the vagrant boxes and test the release packages.
-* Test the [setup wizard](https://packages.icinga.com/windows/) inside a Windows VM.
-* Start a new docker container and install/run icinga2.
-
-### CentOS
-
-```bash
-docker run -ti centos:7 bash
-
-yum -y install https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm
-yum -y install epel-release
-yum -y install icinga2
-icinga2 daemon -C
-```
-
-### Ubuntu
-
-```bash
-docker run -ti ubuntu:bionic bash
-
-apt-get update
-apt-get -y install apt-transport-https wget gnupg
-
-wget -O - https://packages.icinga.com/icinga.key | apt-key add -
-
-. /etc/os-release; if [ ! -z ${UBUNTU_CODENAME+x} ]; then DIST="${UBUNTU_CODENAME}"; else DIST="$(lsb_release -c| awk '{print $2}')"; fi; \
- echo "deb https://packages.icinga.com/ubuntu icinga-${DIST} main" > \
- /etc/apt/sources.list.d/${DIST}-icinga.list
- echo "deb-src https://packages.icinga.com/ubuntu icinga-${DIST} main" >> \
- /etc/apt/sources.list.d/${DIST}-icinga.list
-
-apt-get update
-
-apt-get -y install icinga2
-icinga2 daemon -C
-```
-
-
-## GitHub Release  <a id="github-release"></a>
-
-Create a new release for the newly created Git tag: https://github.com/Icinga/icinga2/releases
-
-> Hint: Choose [tags](https://github.com/Icinga/icinga2/tags), pick one to edit and
-> make this a release. You can also create a draft release.
-
-The release body should contain a short changelog, with links
-into the roadmap, changelog and blogpost.
-
-
-## Post Release  <a id="post-release"></a>
-
-### Online Documentation  <a id="online-documentation"></a>
-
-> Only required for major releases.
-
-Navigate to `puppet-customer/icinga.git` and do the following steps:
-
-#### Testing
-
-```bash
-git checkout testing && git pull
-vim files/var/www/docs/config/icinga2-latest.yml
-
-git commit -av -m "icinga-web: Update docs for Icinga 2"
-
-git push
-```
-
-SSH into the webserver and do a manual Puppet dry run with the testing environment.
-
-```bash
-puppet agent -t --environment testing --noop
-```
-
-Once succeeded, continue with production deployment.
-
-#### Production
-
-```bash
-git checkout master && git pull
-git merge testing
-git push
-```
-
-SSH into the webserver and do a manual Puppet run from the production environment (default).
-
-```bash
-puppet agent -t
-```
-
-#### Manual Generation
-
-SSH into the webserver or ask @bobapple.
-
-```bash
-cd /usr/local/icinga-docs-tools && ./build-docs.rb -c /var/www/docs/config/icinga2-latest.yml
-```
-
-### Announcement  <a id="announcement"></a>
-
-* Create a new blog post on [icinga.com/blog](https://icinga.com/blog) including a featured image
-* Create a release topic on [community.icinga.com](https://community.icinga.com)
-* Release email to net-tech & team
-
-### Project Management  <a id="project-management"></a>
-
-* Add new minor version on [GitHub](https://github.com/Icinga/icinga2/milestones).

config.h.cmake

@@ -8,6 +8,7 @@
 #cmakedefine HAVE_LIBEXECINFO
 #cmakedefine HAVE_CXXABI_H
 #cmakedefine HAVE_NICE
+#cmakedefine HAVE_MALLOC_INFO
 #cmakedefine HAVE_EDITLINE
 #cmakedefine HAVE_SYSTEMD
 

doc/01-about.md

@@ -67,4 +67,3 @@ Read more about development builds in the [development chapter](21-development.m
 Icinga 2 and the Icinga 2 documentation are licensed under the terms of the GNU
 General Public License Version 2. You will find a copy of this license in the
 LICENSE file included in the source package.
-

doc/02-installation.md

@@ -14,9 +14,16 @@ In case you are upgrading an existing setup, please ensure to
 follow the [upgrade documentation](16-upgrading-icinga-2.md#upgrading-icinga-2).
 <!-- {% else %} -->
 
+<!-- {% if not windows %} -->
 ## Add Icinga Package Repository <a id="add-icinga-package-repository"></a>
 
-We recommend using our official repositories. Here's how to add it to your system:
+We recommend using our official repositories.
+
+All the following commands should be executed as the root user.
+As pipes and nested commands are used, it is recommended to switch to a root user session, e.g., using `sudo -i`.
+
+Here's how to add it to your system:
+<!-- {% endif %} -->
 
 <!-- {% if debian %} -->
 
@@ -24,9 +31,13 @@ We recommend using our official repositories. Here's how to add it to your syste
 
 ```bash
 apt update
-apt -y install apt-transport-https wget gnupg
+apt -y install apt-transport-https wget
 
-wget -O - https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
+wget -O icinga-archive-keyring.deb "https://packages.icinga.com/icinga-archive-keyring_latest+debian$(
+ . /etc/os-release; echo "$VERSION_ID"
+).deb"
+
+apt install ./icinga-archive-keyring.deb
 
 DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
  echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/debian icinga-${DIST} main" > \
@@ -36,21 +47,6 @@ DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
 
 apt update
 ```
-
-#### Debian Backports Repository <a id="debian-backports-repository"></a>
-
-This repository is required for Debian Stretch since Icinga v2.11.
-
-Debian Stretch:
-
-```bash
-DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
- echo "deb https://deb.debian.org/debian ${DIST}-backports main" > \
- /etc/apt/sources.list.d/${DIST}-backports.list
-
-apt update
-```
-
 <!-- {% endif %} -->
 
 <!-- {% if ubuntu %} -->
@@ -58,9 +54,13 @@ apt update
 
 ```bash
 apt update
-apt -y install apt-transport-https wget gnupg
+apt -y install apt-transport-https wget
 
-wget -O - https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
+wget -O icinga-archive-keyring.deb "https://packages.icinga.com/icinga-archive-keyring_latest+ubuntu$(
+ . /etc/os-release; echo "$VERSION_ID"
+).deb"
+
+apt install ./icinga-archive-keyring.deb
 
 . /etc/os-release; if [ ! -z ${UBUNTU_CODENAME+x} ]; then DIST="${UBUNTU_CODENAME}"; else DIST="$(lsb_release -c| awk '{print $2}')"; fi; \
  echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/ubuntu icinga-${DIST} main" > \
@@ -72,41 +72,6 @@ apt update
 ```
 <!-- {% endif %} -->
 
-<!-- {% if raspbian %} -->
-### Raspbian Repository <a id="raspbian-repository"></a>
-
-```bash
-apt update
-apt -y install apt-transport-https wget gnupg
-
-wget -O - https://packages.icinga.com/icinga.key | gpg --dearmor -o /usr/share/keyrings/icinga-archive-keyring.gpg
-
-DIST=$(awk -F"[)(]+" '/VERSION=/ {print $2}' /etc/os-release); \
- echo "deb [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/raspbian icinga-${DIST} main" > \
- /etc/apt/sources.list.d/icinga.list
- echo "deb-src [signed-by=/usr/share/keyrings/icinga-archive-keyring.gpg] https://packages.icinga.com/raspbian icinga-${DIST} main" >> \
- /etc/apt/sources.list.d/icinga.list
-
-apt update
-```
-<!-- {% endif %} -->
-
-<!-- {% if centos %} -->
-### CentOS Repository <a id="centos-repository"></a>
-
-```bash
-rpm --import https://packages.icinga.com/icinga.key
-wget https://packages.icinga.com/centos/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
-```
-
-The packages for CentOS depend on other packages which are distributed
-as part of the [EPEL repository](https://fedoraproject.org/wiki/EPEL):
-
-```bash
-yum install epel-release
-```
-<!-- {% endif %} -->
-
 <!-- {% if rhel %} -->
 ### RHEL Repository <a id="rhel-repository"></a>
 
@@ -118,7 +83,6 @@ yum install epel-release
     Don't forget to fill in the username and password section with your credentials in the local .repo file.
 
 ```bash
-rpm --import https://packages.icinga.com/icinga.key
 wget https://packages.icinga.com/subscription/rhel/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
 ```
 
@@ -136,21 +100,12 @@ subscription-manager repos --enable "codeready-builder-for-rhel-${OSVER}-${ARCH}
 dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-${OSVER}.noarch.rpm
 ```
 
-#### RHEL 7
-
-```bash
-subscription-manager repos --enable rhel-7-server-optional-rpms
-
-yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
-```
 <!-- {% endif %} -->
 
-
 <!-- {% if fedora %} -->
 ### Fedora Repository <a id="fedora-repository"></a>
 
 ```bash
-rpm --import https://packages.icinga.com/icinga.key
 dnf install -y 'dnf-command(config-manager)'
 dnf config-manager --add-repo https://packages.icinga.com/fedora/$(. /etc/os-release; echo "$VERSION_ID")/release
 ```
@@ -167,8 +122,6 @@ dnf config-manager --add-repo https://packages.icinga.com/fedora/$(. /etc/os-rel
     Don't forget to fill in the username and password section with your credentials in the local .repo file.
 
 ```bash
-rpm --import https://packages.icinga.com/icinga.key
-
 zypper ar https://packages.icinga.com/subscription/sles/ICINGA-release.repo
 zypper ref
 ```
@@ -186,21 +139,13 @@ SUSEConnect -p PackageHub/$VERSION_ID/x86_64
 ### openSUSE Repository <a id="opensuse-repository"></a>
 
 ```bash
-rpm --import https://packages.icinga.com/icinga.key
-
 zypper ar https://packages.icinga.com/openSUSE/ICINGA-release.repo
 zypper ref
 ```
-
-You need to additionally add the `server:monitoring` repository to fulfill dependencies:
-
-```bash
-zypper ar https://download.opensuse.org/repositories/server:/monitoring/15.3/server:monitoring.repo
-```
 <!-- {% endif %} -->
 
 <!-- {% if amazon_linux %} -->
-### Amazon Linux 2 Repository <a id="amazon-linux-2-repository"></a>
+### Amazon Linux Repository <a id="amazon-linux-2-repository"></a>
 
 !!! info
 
@@ -210,16 +155,17 @@ zypper ar https://download.opensuse.org/repositories/server:/monitoring/15.3/ser
     Don't forget to fill in the username and password section with your credentials in the local .repo file.
 
 ```bash
-rpm --import https://packages.icinga.com/icinga.key
 wget https://packages.icinga.com/subscription/amazon/ICINGA-release.repo -O /etc/yum.repos.d/ICINGA-release.repo
 ```
 
-The packages for Amazon Linux 2 depend on other packages which are distributed
+The packages for **Amazon Linux 2** depend on other packages which are distributed
 as part of the [EPEL repository](https://fedoraproject.org/wiki/EPEL).
 
 ```bash
 yum install epel-release
 ```
+
+The packages for newer versions of Amazon Linux don't require additional repositories.
 <!-- {% endif %} -->
 
 <!-- {% if windows %} -->
@@ -237,36 +183,21 @@ You can install Icinga 2 by using your distribution's package manager
 to install the `icinga2` package. The following commands must be executed
 with `root` permissions unless noted otherwise.
 
-<!-- {% if centos or rhel or fedora or amazon_linux %} -->
+<!-- {% if rhel or fedora or amazon_linux %} -->
 !!! tip
 
     If you have [SELinux](22-selinux.md) enabled, the package `icinga2-selinux` is also required.
 <!-- {% endif %} -->
 
-<!-- {% if debian or ubuntu or raspbian %} -->
+<!-- {% if debian or ubuntu %} -->
 <!-- {% if not icingaDocs %} -->
-#### Debian / Ubuntu / Raspbian
+#### Debian / Ubuntu / Raspberry Pi OS
 <!-- {% endif %} -->
 ```bash
 apt install icinga2
 ```
 <!-- {% endif %} -->
 
-<!-- {% if centos %} -->
-<!-- {% if not icingaDocs %} -->
-#### CentOS
-<!-- {% endif %} -->
-!!! info
-
-    Note that installing Icinga 2 is only supported on CentOS 7 as CentOS 8 is EOL.
-
-```bash
-yum install icinga2
-systemctl enable icinga2
-systemctl start icinga2
-```
-<!-- {% endif %} -->
-
 <!-- {% if rhel %} -->
 #### RHEL 8 or Later
 
@@ -275,14 +206,6 @@ dnf install icinga2
 systemctl enable icinga2
 systemctl start icinga2
 ```
-
-#### RHEL 7
-
-```bash
-yum install icinga2
-systemctl enable icinga2
-systemctl start icinga2
-```
 <!-- {% endif %} -->
 
 <!-- {% if fedora %} -->
@@ -307,7 +230,7 @@ zypper install icinga2
 
 <!-- {% if amazon_linux %} -->
 <!-- {% if not icingaDocs %} -->
-#### Amazon Linux 2
+#### Amazon Linux
 <!-- {% endif %} -->
 ```bash
 yum install icinga2
@@ -355,26 +278,15 @@ to determine where to find the plugin binaries.
     additional check plugins into your Icinga 2 setup.
 
 
-<!-- {% if debian or ubuntu or raspbian %} -->
+<!-- {% if debian or ubuntu %} -->
 <!-- {% if not icingaDocs %} -->
-#### Debian / Ubuntu / Raspbian
+#### Debian / Ubuntu / Raspberry Pi OS
 <!-- {% endif %} -->
 ```bash
 apt install monitoring-plugins
 ```
 <!-- {% endif %} -->
 
-<!-- {% if centos %} -->
-<!-- {% if not icingaDocs %} -->
-#### CentOS
-<!-- {% endif %} -->
-The packages for CentOS depend on other packages which are distributed as part of the EPEL repository.
-
-```bash
-yum install nagios-plugins-all
-```
-<!-- {% endif %} -->
-
 <!-- {% if rhel %} -->
 <!-- {% if not icingaDocs %} -->
 #### RHEL
@@ -386,12 +298,6 @@ The packages for RHEL depend on other packages which are distributed as part of
 ```bash
 dnf install nagios-plugins-all
 ```
-
-#### RHEL 7
-
-```bash
-yum install nagios-plugins-all
-```
 <!-- {% endif %} -->
 
 <!-- {% if fedora %} -->
@@ -418,15 +324,17 @@ zypper install --recommends monitoring-plugins-all
 
 <!-- {% if amazon_linux %} -->
 <!-- {% if not icingaDocs %} -->
-#### Amazon Linux 2
+#### Amazon Linux
 <!-- {% endif %} -->
-The packages for Amazon Linux 2 depend on other packages which are distributed as part of the EPEL repository.
+The packages for **Amazon Linux 2** depend on other packages which are distributed as part of the EPEL repository.
 
 ```bash
 amazon-linux-extras install epel
 
 yum install nagios-plugins-all
 ```
+
+Unfortunately newer versions of Amazon Linux don't provide those plugins, yet.
 <!-- {% endif %} -->
 
 ## Set up Icinga 2 API <a id="set-up-icinga2-api"></a>
@@ -460,7 +368,7 @@ Restart Icinga 2 for these changes to take effect.
 systemctl restart icinga2
 ```
 
-<!-- {% if amazon_linux or centos or debian or rhel or sles or ubuntu %} -->
+<!-- {% if amazon_linux or debian or rhel or sles or ubuntu %} -->
 ## Set up Icinga DB <a id="set-up-icinga-db"></a>
 
 Icinga DB is a set of components for publishing, synchronizing and
@@ -505,30 +413,16 @@ Use your distribution's package manager to install the `icingadb-redis` package
 
 <!-- {% if amazon_linux %} -->
 <!-- {% if not icingaDocs %} -->
-##### Amazon Linux 2
+##### Amazon Linux
 <!-- {% endif %} -->
 ```bash
 yum install icingadb-redis
 ```
 <!-- {% endif %} -->
 
-<!-- {% if centos %} -->
-<!-- {% if not icingaDocs %} -->
-##### CentOS
-<!-- {% endif %} -->
-
-!!! info
-
-    Note that installing Icinga DB Redis is only supported on CentOS 7 as CentOS 8 is EOL.
-
-```bash
-yum install icingadb-redis
-```
-<!-- {% endif %} -->
-
 <!-- {% if debian or ubuntu %} -->
 <!-- {% if not icingaDocs %} -->
-##### Debian / Ubuntu
+##### Debian / Ubuntu / Raspberry Pi OS
 <!-- {% endif %} -->
 ```bash
 apt install icingadb-redis
@@ -541,12 +435,6 @@ apt install icingadb-redis
 ```bash
 dnf install icingadb-redis
 ```
-
-##### RHEL 7
-
-```bash
-yum install icingadb-redis
-```
 <!-- {% endif %} -->
 
 <!-- {% if sles %} -->
@@ -637,22 +525,19 @@ the Icinga DB daemon that synchronizes monitoring data between the Redis server
 The Icinga DB daemon package is also included in the Icinga repository, and since it is already set up,
 you have completed the instructions here and can proceed to
 <!-- {% if amazon_linux %} -->
-[install the Icinga DB daemon on Amazon Linux](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/01-Amazon-Linux/#installing-icinga-db-package),
-<!-- {% endif %} -->
-<!-- {% if centos %} -->
-[install the Icinga DB daemon on CentOS](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/02-CentOS/#installing-icinga-db-package),
+[install the Icinga DB daemon on Amazon Linux](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/Amazon-Linux/#installing-the-package),
 <!-- {% endif %} -->
 <!-- {% if debian %} -->
-[install the Icinga DB daemon on Debian](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/03-Debian/#installing-icinga-db-package),
+[install the Icinga DB daemon on Debian](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/Debian/#installing-the-package),
 <!-- {% endif %} -->
 <!-- {% if rhel %} -->
-[install the Icinga DB daemon on RHEL](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/04-RHEL/#installing-icinga-db-package),
+[install the Icinga DB daemon on RHEL](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/RHEL/#installing-the-package),
 <!-- {% endif %} -->
 <!-- {% if sles %} -->
-[install the Icinga DB daemon on SLES](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/05-SLES/#installing-icinga-db-package),
+[install the Icinga DB daemon on SLES](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/SLES/#installing-the-package),
 <!-- {% endif %} -->
 <!-- {% if ubuntu %} -->
-[install the Icinga DB daemon on Ubuntu](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/06-Ubuntu/#installing-icinga-db-package),
+[install the Icinga DB daemon on Ubuntu](https://icinga.com/docs/icinga-db/latest/doc/02-Installation/Ubuntu/#installing-the-package),
 <!-- {% endif %} -->
 which will also guide you through the setup of the database and Icinga DB Web.
 <!-- {% endif %} -->

doc/02-installation.md.d/03-Raspberry-Pi-OS.md

@@ -0,0 +1,3 @@
+# Install Icinga 2 on Raspberry Pi OS
+<!-- {% set debian = True %} -->
+<!-- {% include "02-installation.md" %} -->

doc/02-installation.md.d/03-Raspbian.md

@@ -1,3 +0,0 @@
-# Install Icinga 2 on Raspbian
-<!-- {% set raspbian = True %} -->
-<!-- {% include "02-installation.md" %} -->

doc/02-installation.md.d/05-CentOS.md

@@ -1,3 +0,0 @@
-# Install Icinga 2 on CentOS
-<!-- {% set centos = True %} -->
-<!-- {% include "02-installation.md" %} -->

doc/03-monitoring-basics.md

@@ -1599,7 +1599,7 @@ A common pattern is to store the users and user groups
 on the host or service objects instead of the notification
 object itself.
 
-The sample configuration provided in [hosts.conf](04-configuration.md#hosts-conf) and [notifications.conf](notifications-conf)
+The sample configuration provided in [hosts.conf](04-configuration.md#hosts-conf) and [notifications.conf](04-configuration.md#notifications-conf)
 already provides an example for this question.
 
 > **Tip**
@@ -2135,7 +2135,7 @@ In order to find out about the command argument, call the plugin's help
 or consult the README.
 
 ```
-./check_systemd.py --help
+./check_systemd --help
 
 ...
 
@@ -2194,7 +2194,7 @@ With the [example above](03-monitoring-basics.md#command-arguments-value),
 inspect the parameter's help text.
 
 ```
-./check_systemd.py --help
+./check_systemd --help
 
 ...
 
@@ -2579,6 +2579,7 @@ information.
   `notification_useremail`       | **Required.** The notification's recipient(s). Defaults to `$user.email$`.
   `notification_hoststate`       | **Required.** Current state of host. Defaults to `$host.state$`.
   `notification_type`            | **Required.** Type of notification. Defaults to `$notification.type$`.
+  `notification_hostnotes`       | **Optional.** The host's notes. Defaults to `$host.notes$`.
   `notification_address`         | **Optional.** The host's IPv4 address. Defaults to `$address$`.
   `notification_address6`        | **Optional.** The host's IPv6 address. Defaults to `$address6$`.
   `notification_author`          | **Optional.** Comment author. Defaults to `$notification.author$`.
@@ -2607,6 +2608,8 @@ information.
   `notification_useremail`          | **Required.** The notification's recipient(s). Defaults to `$user.email$`.
   `notification_servicestate`       | **Required.** Current state of host. Defaults to `$service.state$`.
   `notification_type`               | **Required.** Type of notification. Defaults to `$notification.type$`.
+  `notification_hostnotes`          | **Optional.** The host's notes. Defaults to `$host.notes$`.
+  `notification_servicenotes`       | **Optional.** The service's notes. Defaults to `$service.notes$`.
   `notification_address`            | **Optional.** The host's IPv4 address. Defaults to `$address$`.
   `notification_address6`           | **Optional.** The host's IPv6 address. Defaults to `$address6$`.
   `notification_author`             | **Optional.** Comment author. Defaults to `$notification.author$`.
@@ -2729,7 +2732,7 @@ Requirements:
 * Icinga 2 as client on the remote node
 * icinga user with sudo permissions to the httpd daemon
 
-Example on CentOS 7:
+Example on RHEL:
 
 ```
 # visudo

doc/04-configuration.md

@@ -593,7 +593,7 @@ Read more on that topic [here](03-monitoring-basics.md#notification-commands).
 
 #### groups.conf <a id="groups-conf"></a>
 
-The example host defined in [hosts.conf](hosts-conf) already has the
+The example host defined in [hosts.conf](#hosts-conf) already has the
 custom variable `os` set to `Linux` and is therefore automatically
 a member of the host group `linux-servers`.
 

doc/05-service-monitoring.md

@@ -51,7 +51,7 @@ described. Try running the plugin after setup and [ensure it works](05-service-m
 Prior to using the check plugin with Icinga 2 you should ensure that it is working properly
 by trying to run it on the console using whichever user Icinga 2 is running as:
 
-RHEL/CentOS/Fedora
+RHEL/Fedora
 
 ```bash
 sudo -u icinga /usr/lib64/nagios/plugins/check_mysql_health --help
@@ -111,7 +111,7 @@ Can't locate Net/SNMP.pm in @INC (you may need to install the Net::SNMP module)
 
 Prior to installing the Perl module via CPAN, look for a distribution
 specific package, e.g. `libnet-snmp-perl` on Debian/Ubuntu or `perl-Net-SNMP`
-on RHEL/CentOS.
+on RHEL.
 
 
 #### Optional: Custom Path <a id="service-monitoring-plugins-custom-path"></a>
@@ -225,12 +225,12 @@ apply Service "db-size-" for (db_name => config in host.vars.databases) {
   check_command = "mysql_health"
 
   if (config.mysql_health_username) {
-    vars.mysql_healt_username = config.mysql_health_username
+    vars.mysql_health_username = config.mysql_health_username
   } else {
     vars.mysql_health_username = "root"
   }
   if (config.mysql_health_password) {
-    vars.mysql_healt_password = config.mysql_health_password
+    vars.mysql_health_password = config.mysql_health_password
   } else {
     vars.mysql_health_password = "icingar0xx"
   }
@@ -281,10 +281,10 @@ that [it works](05-service-monitoring.md#service-monitoring-plugins-it-works). T
 `--help` parameter to see the actual parameters (docs might be outdated).
 
 ```
-./check_systemd.py --help
+./check_systemd --help
 
-usage: check_systemd.py [-h] [-c SECONDS] [-e UNIT | -u UNIT] [-v] [-V]
-                        [-w SECONDS]
+usage: check_systemd [-h] [-c SECONDS] [-e UNIT | -u UNIT] [-v] [-V]
+                     [-w SECONDS]
 
 ...
 
@@ -319,7 +319,7 @@ Start with the basic plugin call without any parameters.
 
 ```
 object CheckCommand "systemd" { // Plugin name without 'check_' prefix
-  command = [ PluginContribDir + "/check_systemd.py" ] // Use the 'PluginContribDir' constant, see the contributed ITL commands
+  command = [ PluginContribDir + "/check_systemd" ] // Use the 'PluginContribDir' constant, see the contributed ITL commands
 }
 ```
 

doc/06-distributed-monitoring.md

@@ -264,7 +264,7 @@ The setup wizard will ensure that the following steps are taken:
 * Update the [ApiListener](06-distributed-monitoring.md#distributed-monitoring-apilistener) and [constants](04-configuration.md#constants-conf) configuration.
 * Update the [icinga2.conf](04-configuration.md#icinga2-conf) to disable the `conf.d` inclusion, and add the `api-users.conf` file inclusion.
 
-Here is an example of a master setup for the `icinga2-master1.localdomain` node on CentOS 7:
+Here is an example of a master setup for the `icinga2-master1.localdomain` node:
 
 ```
 [root@icinga2-master1.localdomain /]# icinga2 node wizard
@@ -1031,9 +1031,7 @@ in `/etc/icinga2/icinga2.conf`.
 > Defaults to disabled.
 
 Now it is time to validate the configuration and to restart the Icinga 2 daemon
-on both nodes.
-
-Example on CentOS 7:
+on both nodes:
 
 ```
 [root@icinga2-agent1.localdomain /]# icinga2 daemon -C
@@ -1112,7 +1110,8 @@ Save the changes and validate the configuration on the master node:
 ```
 [root@icinga2-master1.localdomain /]# icinga2 daemon -C
 ```
-Restart the Icinga 2 daemon (example for CentOS 7):
+
+Restart the Icinga 2 daemon:
 
 ```
 [root@icinga2-master1.localdomain /]# systemctl restart icinga2
@@ -1221,9 +1220,7 @@ object ApiListener "api" {
 ```
 
 Now it is time to validate the configuration and to restart the Icinga 2 daemon
-on both nodes.
-
-Example on CentOS 7:
+on both nodes:
 
 ```
 [root@icinga2-satellite1.localdomain /]# icinga2 daemon -C
@@ -1285,7 +1282,7 @@ Save the changes and validate the configuration on the master node:
 [root@icinga2-master1.localdomain /]# icinga2 daemon -C
 ```
 
-Restart the Icinga 2 daemon (example for CentOS 7):
+Restart the Icinga 2 daemon:
 
 ```
 [root@icinga2-master1.localdomain /]# systemctl restart icinga2
@@ -3134,7 +3131,7 @@ object Endpoint "icinga2-master2.localdomain" {
 > **Note**
 >
 > This is required if you decide to change an already running single endpoint production
-> environment into a HA-enabled cluster zone with two endpoints.
+> environment into an HA-enabled cluster zone with two endpoints.
 > The [initial setup](06-distributed-monitoring.md#distributed-monitoring-scenarios-ha-master-clients)
 > with 2 HA masters doesn't require this step.
 
@@ -3183,7 +3180,7 @@ Create a certificate signing request (CSR) for the local instance:
 Sign the CSR with the previously created CA:
 
 ```
-[root@icinga2-master1.localdomain /root]# icinga2 pki sign-csr --csr icinga2-master1.localdomain.csr --cert icinga2-master1.localdomain
+[root@icinga2-master1.localdomain /root]# icinga2 pki sign-csr --csr icinga2-master1.localdomain.csr --cert icinga2-master1.localdomain.crt
 ```
 
 Repeat the steps for all instances in your setup.
@@ -3230,6 +3227,53 @@ information/pki: Writing certificate to file 'icinga2-satellite1.localdomain.crt
 
 Copy and move these certificates to the respective instances e.g. with SSH/SCP.
 
+#### External CA/PKI
+
+Icinga works best with its own certificates.
+The commands described above take care of the optimal certificate properties.
+Also, Icinga renews them periodically at runtime to avoid expiry.
+But you can also provide your own certificates,
+just like to any other application which uses TLS.
+
+!!! warning
+
+    The only serious reasons to generate own certificates are company policies.
+    You are responsible for making Icinga working with your certificates,
+    as well as for [expiry monitoring](10-icinga-template-library.md#plugin-check-command-ssl_cert)
+    and renewal.
+    
+    Especially `icinga2 pki` CLI commands do not expect such certificates.
+    
+    Also, do not provide your custom CA private key to Icinga 2!
+    Otherwise, it will automatically renew leaf certificates
+    with our hardcoded properties, not your custom ones.
+
+The CA certificate must be located in `/var/lib/icinga2/certs/ca.crt`.
+The basic requirements for all leaf certificates are:
+
+* Located in `/var/lib/icinga2/certs/NODENAME.crt`
+  and `/var/lib/icinga2/certs/NODENAME.key`
+* Subject with CN matching the endpoint name
+* A DNS SAN matching the endpoint name
+
+Pretty much everything else is limited only by your company policy
+and the OpenSSL versions your Icinga nodes use. E.g. the following works:
+
+* Custom key sizes, e.g. 2048 bits
+* Custom key types, e.g. ECC
+* Any number of intermediate CAs (but see limitations below)
+* Multiple trusted root CAs in `/var/lib/icinga2/certs/ca.crt`
+* Different root CAs per cluster subtree, as long as each node trusts the
+  certificate issuers of all nodes it's directly connected to
+
+Intermediate CA restrictions:
+
+* Each side has to provide its intermediate CAs along with the leaf certificate
+  in `/var/lib/icinga2/certs/NODENAME.crt`, ordered from leaf to root.
+* Intermediate CAs may not be used directly as root CAs. To trust only specific
+  intermediate CAs, cross-sign them with themselves, so that you get equal
+  certificates except that they're self-signed. Use them as root CAs in Icinga.
+
 ## Automation <a id="distributed-monitoring-automation"></a>
 
 These hints should get you started with your own automation tools (Puppet, Ansible, Chef, Salt, etc.)

doc/08-advanced-topics.md

@@ -484,7 +484,7 @@ host or service is considered flapping until it drops below the low flapping thr
 The attribute `flapping_ignore_states` allows to ignore state changes to specified states during the flapping calculation.
 
 `FlappingStart` and `FlappingEnd` notifications will be sent out accordingly, if configured. See the chapter on
-[notifications](alert-notifications) for details
+[notifications](03-monitoring-basics.md#notifications) for details
 
 > Note: There is no distinctions between hard and soft states with flapping. All state changes count and notifications
 > will be sent out regardless of the objects state.

doc/09-object-types.md

@@ -34,6 +34,7 @@ the [Icinga 2 API](12-icinga2-api.md#icinga2-api-config-objects).
   templates                 | Array                 | Templates imported on object compilation.
   package                   | String                | [Configuration package name](12-icinga2-api.md#icinga2-api-config-management) this object belongs to. Local configuration is set to `_etc`, runtime created objects use `_api`.
   source\_location          | Dictionary            | Location information where the configuration files are stored.
+  name                      | String                | Object name. Might be used in [apply rules](03-monitoring-basics.md#using-apply).
 
 ## Monitoring Objects <a id="object-types-monitoring"></a>
 
@@ -392,7 +393,6 @@ Runtime Attributes:
   last\_check\_result       | CheckResult           | The current [check result](08-advanced-topics.md#advanced-value-types-checkresult).
   last\_state\_change       | Timestamp             | When the last state change occurred (as a UNIX timestamp).
   last\_hard\_state\_change | Timestamp             | When the last hard state change occurred (as a UNIX timestamp).
-  last\_in\_downtime        | Boolean               | Whether the host was in a downtime when the last check occurred.
   acknowledgement           | Number                | The acknowledgement type (0 = NONE, 1 = NORMAL, 2 = STICKY).
   acknowledgement\_expiry   | Timestamp             | When the acknowledgement expires (as a UNIX timestamp; 0 = no expiry).
   downtime\_depth           | Number                | Whether the host has one or more active downtimes.
@@ -731,7 +731,6 @@ Configuration Attributes:
   event\_command            | Object name           | **Optional.** The name of an event command that should be executed every time the service's state changes or the service is in a `SOFT` state.
   volatile                  | Boolean               | **Optional.** Treat all state changes as HARD changes. See [here](08-advanced-topics.md#volatile-services-hosts) for details. Defaults to `false`.
   zone                      | Object name           | **Optional.** The zone this object is a member of. Please read the [distributed monitoring](06-distributed-monitoring.md#distributed-monitoring) chapter for details.
-  name                      | String                | **Required.** The service name. Must be unique on a per-host basis. For advanced usage in [apply rules](03-monitoring-basics.md#using-apply) only.
   command\_endpoint         | Object name           | **Optional.** The endpoint where commands are executed on.
   notes                     | String                | **Optional.** Notes for the service.
   notes\_url                | String                | **Optional.** URL for notes for the service (for example, in notification commands).
@@ -758,7 +757,6 @@ Runtime Attributes:
   last\_check\_result           | CheckResult       | The current [check result](08-advanced-topics.md#advanced-value-types-checkresult).
   last\_state\_change           | Timestamp         | When the last state change occurred (as a UNIX timestamp).
   last\_hard\_state\_change     | Timestamp         | When the last hard state change occurred (as a UNIX timestamp).
-  last\_in\_downtime            | Boolean           | Whether the service was in a downtime when the last check occurred.
   acknowledgement               | Number            | The acknowledgement type (0 = NONE, 1 = NORMAL, 2 = STICKY).
   acknowledgement\_expiry       | Timestamp         | When the acknowledgement expires (as a UNIX timestamp; 0 = no expiry).
   acknowledgement\_last\_change | Timestamp         | When the acknowledgement has been set/cleared
@@ -1046,8 +1044,8 @@ Configuration Attributes:
 
   Name                      | Type                  | Description
   --------------------------|-----------------------|----------------------------------
-  host\_name                | Object name           | **Required.** The name of the host this comment belongs to.
-  service\_name             | Object name           | **Optional.** The short name of the service this comment belongs to. If omitted, this comment object is treated as host comment.
+  host\_name                | Object name           | **Required.** The name of the host this downtime belongs to.
+  service\_name             | Object name           | **Optional.** The short name of the service this downtime belongs to. If omitted, this downtime object is treated as host downtime.
   author                    | String                | **Required.** The author's name.
   comment                   | String                | **Required.** The comment text.
   start\_time               | Timestamp             | **Required.** The start time as UNIX timestamp.
@@ -1389,7 +1387,9 @@ Configuration Attributes:
   host                      | String                | **Optional.** Redis host. Defaults to `127.0.0.1`.
   port                      | Number                | **Optional.** Redis port. Defaults to `6380` since the Redis server provided by the `icingadb-redis` package listens on that port.
   path                      | String                | **Optional.** Redis unix socket path. Can be used instead of `host` and `port` attributes.
+  username                  | String                | **Optional.** Redis auth username. Only possible if Redis ACLs are used. Requires `password` to be set as well.
   password                  | String                | **Optional.** Redis auth password.
+  db\_index                 | Number                | **Optional.** Redis logical database by its number. Defaults to `0`.
   enable\_tls               | Boolean               | **Optional.** Whether to use TLS.
   cert\_path                | String                | **Optional.** Path to the certificate.
   key\_path                 | String                | **Optional.** Path to the private key.

doc/10-icinga-template-library.md

@@ -75,8 +75,10 @@ plugin scripts.
 
 ### icinga <a id="itl-icinga"></a>
 
-Check command for the built-in `icinga` check. This check returns performance
-data for the current Icinga instance, reports as warning if the last reload failed and optionally allows for minimum version checks.
+Check command for the built-in `icinga` check. This check returns performance data for the current Icinga instance,
+reports as warning if the last reload or config sync failed and optionally allows for minimum version checks.
+
+For the config sync check to work, it must be run on the satellite or agent.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
@@ -215,7 +217,7 @@ Optional custom variables passed as [command parameters](03-monitoring-basics.md
 | ifw\_api\_cert          | null (Icinga PKI) | TLS client certificate path.                                                                                |
 | ifw\_api\_key           | null (Icinga PKI) | TLS client private key path.                                                                                |
 | ifw\_api\_ca            | null (Icinga PKI) | Peer TLS CA certificate path.                                                                               |
-| ifw\_api\_crl           | null (Icinga PKI) | Path to TLS CRL to check peer against.                                                                      |
+| ifw\_api\_crl           | null (none)       | Path to TLS CRL to check peer against.                                                                      |
 | ifw\_api\_username      | null (none)       | Basic auth username.                                                                                        |
 | ifw\_api\_password      | null (none)       | Basic auth password.                                                                                        |
 
@@ -268,7 +270,6 @@ Custom variables passed as [command parameters](03-monitoring-basics.md#command-
 
 Name                    | Description
 ------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-apt_extra_opts          | **Optional.** Read options from an ini file.
 apt_upgrade             | **Optional.** [Default] Perform an upgrade. If an optional OPTS argument is provided, apt-get will be run with these command line options instead of the default.
 apt_dist_upgrade        | **Optional.** Perform a dist-upgrade instead of normal upgrade. Like with -U OPTS can be provided to override the default options.
 apt_include             | **Optional.** Include only packages matching REGEXP. Can be specified multiple times the values will be combined together.
@@ -277,6 +278,7 @@ apt_critical            | **Optional.** If the full package information of any o
 apt_timeout             | **Optional.** Seconds before plugin times out (default: 10).
 apt_only_critical       | **Optional.** Only warn about critical upgrades.
 apt_list                | **Optional.** List packages available for upgrade.
+apt_extra_opts          | **Optional.** Read extra plugin options from an ini file.
 
 
 ### breeze <a id="plugin-check-command-breeze"></a>
@@ -317,6 +319,7 @@ by_ssh_options     | **Optional.** Call ssh with '-o OPTION' (multiple options m
 by_ssh_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 by_ssh_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
 by_ssh_skip_stderr | **Optional.** Ignore all or (if specified) first n lines on STDERR.
+by_ssh_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### clamd <a id="plugin-check-command-clamd"></a>
@@ -348,6 +351,7 @@ clamd_ctime          | **Optional.** Response time to result in critical status
 clamd_timeout        | **Optional.** Seconds before connection times out. Defaults to 10.
 clamd_ipv4           | **Optional.** Use IPv4 connection. Defaults to false.
 clamd_ipv6           | **Optional.** Use IPv6 connection. Defaults to false.
+clamd_extra_opts     | **Optional.** Read extra plugin options from an ini file.
 
 
 ### dhcp <a id="plugin-check-command-dhcp"></a>
@@ -365,6 +369,7 @@ dhcp_timeout    | **Optional.** The timeout in seconds.
 dhcp_interface  | **Optional.** The interface to use.
 dhcp_mac        | **Optional.** The MAC address to use in the DHCP request.
 dhcp_unicast    | **Optional.** Whether to use unicast requests. Defaults to false.
+dhcp_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### dig <a id="plugin-check-command-dig"></a>
@@ -388,6 +393,7 @@ dig_critical         | **Optional.** Response time to result in critical status
 dig_timeout          | **Optional.** Seconds before connection times out (default: 10).
 dig_ipv4             | **Optional.** Force dig to only use IPv4 query transport. Defaults to false.
 dig_ipv6             | **Optional.** Force dig to only use IPv6 query transport. Defaults to false.
+dig_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 ### disk <a id="plugin-check-command-disk"></a>
@@ -425,9 +431,11 @@ disk\_ignore\_eregi\_path | **Optional.** Regular expression to ignore selected
 disk\_ignore\_ereg\_path  | **Optional.** Regular expression to ignore selected path or partition. Multiple regular expression strings must be defined as array.
 disk\_timeout             | **Optional.** Seconds before connection times out (default: 10).
 disk\_units               | **Optional.** Choose bytes, kB, MB, GB, TB.
-disk\_exclude\_type       | **Optional.** Ignore all filesystems of indicated type. Multiple regular expression strings must be defined as array. Defaults to "none", "tmpfs", "sysfs", "proc", "configfs", "devtmpfs", "devfs", "mtmfs", "tracefs", "cgroup", "fuse.gvfsd-fuse", "fuse.gvfs-fuse-daemon", "fdescfs", "overlay", "nsfs", "squashfs".
+disk\_exclude\_type       | **Optional.** Ignore all filesystems of indicated type. Multiple regular expression strings must be defined as array. Defaults to "none", "tmpfs", "sysfs", "proc", "configfs", "devtmpfs", "devfs", "mtmfs", "tracefs", "cgroup", "fuse.\*" (only Monitoring Plugins support this so far), "fuse.gvfsd-fuse", "fuse.gvfs-fuse-daemon", "fuse.sshfs", "fdescfs", "overlay", "nsfs", "squashfs".
 disk\_include\_type       | **Optional.** Check only filesystems of indicated type. Multiple regular expression strings must be defined as array.
 disk\_inode\_perfdata     | **Optional.** Display inode usage in perfdata
+disk\_np\_inode\_perfdata | **Optional.** Enable performance data for inode-based statistics (Requires: nagios-plugins >= 2.3.0)
+disk\_extra\_opts         | **Optional.** Read extra plugin options from an ini file.
 
 ### disk_smb <a id="plugin-check-command-disk-smb"></a>
 
@@ -469,6 +477,7 @@ dns_accept_cname     | **Optional.** Accept cname responses as a valid result to
 dns_wtime            | **Optional.** Return warning if elapsed time exceeds value.
 dns_ctime            | **Optional.** Return critical if elapsed time exceeds value.
 dns_timeout          | **Optional.** Seconds before connection times out. Defaults to 10.
+dns_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 
@@ -525,6 +534,7 @@ fping_bytes	| **Optional.** The size of ICMP packet.
 fping_target_timeout | **Optional.** The target timeout in milli-seconds.
 fping_source_ip | **Optional.** The name or ip address of the source ip.
 fping_source_interface | **Optional.** The source interface name.
+fping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### fping6 <a id="plugin-check-command-fping6"></a>
@@ -550,6 +560,7 @@ fping_bytes	| **Optional.** The size of ICMP packet.
 fping_target_timeout | **Optional.** The target timeout in milli-seconds.
 fping_source_ip | **Optional.** The name or ip address of the source ip.
 fping_source_interface | **Optional.** The source interface name.
+fping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ftp <a id="plugin-check-command-ftp"></a>
@@ -581,6 +592,7 @@ ftp_ctime          | **Optional.** Response time to result in critical status (s
 ftp_timeout        | **Optional.** Seconds before connection times out. Defaults to 10.
 ftp_ipv4           | **Optional.** Use IPv4 connection. Defaults to false.
 ftp_ipv6           | **Optional.** Use IPv6 connection. Defaults to false.
+ftp_extra_opts     | **Optional.** Read extra plugin options from an ini file.
 
 
 ### game <a id="plugin-check-command-game"></a>
@@ -604,6 +616,7 @@ game_mapfield      | **Optional.** Field number in raw qstat output that contain
 game_pingfield     | **Optional.** Field number in raw qstat output that contains ping time.
 game_gametime      | **Optional.** Field number in raw qstat output that contains game time.
 game_hostname      | **Optional.** Name of the host running the game.
+game_extra_opts    | **Optional.** Read extra plugin options from an ini file.
 
 
 ### hostalive <a id="plugin-check-command-hostalive"></a>
@@ -622,7 +635,8 @@ ping_wpl        | **Optional.** The packet loss warning threshold in %. Defaults
 ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defaults to 5000.
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 100.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
-ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
+ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 10.
+ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### hostalive4 <a id="plugin-check-command-hostalive4"></a>
@@ -641,6 +655,7 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 100.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
+ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### hostalive6 <a id="plugin-check-command-hostalive6"></a>
@@ -659,6 +674,7 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 100.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
+ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### hpjd <a id="plugin-check-command-hpjd"></a>
@@ -674,6 +690,7 @@ Name            | Description
 hpjd_address    | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
 hpjd_port       | **Optional.** The host's SNMP port. Defaults to 161.
 hpjd_community  | **Optional.** The SNMP community. Defaults  to "public".
+hpjd_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### http <a id="plugin-check-command-http"></a>
@@ -716,6 +733,7 @@ http_warn_time                   | **Optional.** The warning threshold.
 http_critical_time               | **Optional.** The critical threshold.
 http_expect                      | **Optional.** Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response. Default: HTTP/1.
 http_certificate                 | **Optional.** Minimum number of days a certificate has to be valid. Port defaults to 443. When this option is used the URL is not checked. The first parameter defines the warning threshold (in days), the second parameter the critical threshold (in days). (Example `http_certificate = "30,20"`).
+http_certificate_continue        | **Optional.** Allows the HTTP check to continue after performing the certificate check. Does nothing unless http_certificate is used.
 http_clientcert                  | **Optional.** Name of file contains the client certificate (PEM format).
 http_privatekey                  | **Optional.** Name of file contains the private key (PEM format).
 http_headerstring                | **Optional.** String to expect in the response headers.
@@ -735,6 +753,68 @@ http_ipv6                        | **Optional.** Use IPv6 connection. Defaults t
 http_link                        | **Optional.** Wrap output in HTML link. Defaults to false.
 http_verbose                     | **Optional.** Show details for command-line debugging. Defaults to false.
 http_verify_host                 | **Optional.** Verify SSL certificate is for the -H hostname (with --sni and -S). Defaults to false. **Only supported by the Nagios plugins version of check\_http, not by the monitoring plugins one.**
+http_extra_opts                  | **Optional.** Read extra plugin options from an ini file.
+
+### curl <a id="plugin-check-command-curl"></a>
+
+The [check_curl](https://www.monitoring-plugins.org/doc/man/check_curl.html) plugin
+tests the HTTP service on the specified host. It can test normal (http) and secure
+(https) servers, follow redirects, search for strings and regular expressions,
+check connection times, and report on certificate expiration times.
+
+The plugin can either test the HTTP response of a server, or if `curl_certificate_valid_days_min_warning`/`curl_certificate_valid_days_min_critical` is set to a non-empty value, the TLS certificate age for a HTTPS host.
+
+Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
+
+Name                             | Description
+---------------------------------|---------------------------------
+curl_vhost                       | **Optional.** The virtual host that should be sent in the "Host" header.
+curl_ip							 | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
+curl_port                        | **Optional.** The TCP port. Defaults to 80 when not using SSL, 443 otherwise.
+curl_ipv4                        | **Optional.** Use IPv4 connection. Defaults to false.
+curl_ipv6                        | **Optional.** Use IPv6 connection. Defaults to false.
+curl_tls						 | **Optional.** Whether to use SSL. Defaults to false.
+curl_tls_version	             | **Optional.** Connect via SSL. Port defaults to 443. VERSION is optional, and prevents auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1, 1.2 = TLSv1.2, 1.3 = TLSv1.3). With a '+' suffix, newer versions are also accepted. Note: SSLv2 and SSLv3 are deprecated and are usually disabled in libcurl.
+curl_sni                         | **Optional.** Whether to use SNI. This is the  default of `check_curl` in *most* cases and this option will not change this behaviour then. For obscure and old setup it might be necessary to manually activate it. The variable itself defaults to false.
+curl_certificate_valid_days_min_warning  | **Optional.** Minimum number of days a certificate has to be valid. Port defaults to 443. When this option is used, the URL is not checked (by default). This defines the warning threshold (in days).
+curl_certificate_valid_days_min_critical  | **Optional.** Minimum number of days a certificate has to be valid. This parameter defines the critical threshold (in days). See also `curl_certificate_valid_days_min_warning` above for more information.
+curl_continue_after_certificate  | **Optional.** Allows the HTTP check to continue after performing the certificate check. Does nothing unless tls certificate check mode is used (`curl_certificate_valid_days_min_warning`/`curl_certificate_valid_days_min_critical`). (available since Monitoring Plugins v2.3.2)
+curl_client_certificate_file     | **Optional.** Name of file contains the client certificate (PEM format).
+curl_client_certificate_key_file | **Optional.** Name of file contains the private key (PEM format).
+curl_ca_cert_file                | **Optional.** CA certificate file to verify peer against.
+curl_verify_peer_cert            | **Optional.** Verify that the peers certificate matches against the hostname
+curl_expect_string               | **Optional.** Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response. Default: HTTP/1.
+curl_expect_header_string        | **Optional.** String to expect in the response headers.
+curl_expect_content_string		 | **Optional.** String to expect in the content.
+curl_url                         | **Optional.** The request URL for GET or POST. Defaults to `/`.
+curl_post_data                   | **Optional.** URL encoded curl POST data.
+curl_http_method                 | **Optional.** Set curl method (for example: HEAD, OPTIONS, TRACE, PUT, DELETE).
+curl_no_body                     | **Optional.** Don't wait for document body: stop reading after headers. (Note that this stilldoes an HTTP GET or POST, not a HEAD.).
+curl_max_age                      | **Optional.** Warn if document is more than seconds old.
+curl_content_type                 | **Optional.** Specify Content-Type header when POSTing.
+curl_linespan                    | **Optional.** Allow regex to span newline.
+curl_ereg			             | **Optional.** A regular expression which the body must match against. Incompatible with curl_no-body.
+curl_eregi 				         | **Optional.** A case-insensitive expression which the body must match against. Incompatible with curl_no-body.
+curl_invert_regex                | **Optional.** Changes behavior of curl_ereg and curl_eregi to return CRITICAL if found, OK if not.
+curl_state_regex                 | **Optional.** Return STATE if regex is found, OK if not. STATE can be one of "critical","warning"
+curl_authorization               | **Optional.** Add 'username:password' authorization pair.
+curl_proxy_authorization         | **Optional.** Add 'username:password' authorization pair for proxy.
+curl_user_agent                   | **Optional.** String to be sent in curl header as User Agent.
+curl_header                      | **Optional.** Any other tags to be sent in curl header. Can be an array if multiple headers should be passed to `check_curl`.
+curl_extended_perfdata            | **Optional.** Print additional perfdata. Defaults to false.
+curl_show_body                   | **Optional.** Print body content below status line
+curl_link                        | **Optional.** Wrap output in HTML link. Defaults to false.
+curl_onredirect                  | **Optional.** How to handle redirect pages. Possible values: "ok" (default), "warning", "critical", "follow", "sticky" (like follow but stick to address), "stickyport" (like sticky but also to port)
+curl_max_redirs                   | **Optional.** Maximum number of redirects
+curl_pagesize                    | **Optional.** Minimum page size required:Maximum page size required.
+curl_http_version                | **Optional.** Connect via specific HTTP protocol. 1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)
+curl_enable_automatic_decompression |  **Optional.** Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING).
+curl_haproxy_protocol            | **Optional.** Send HAProxy proxy protocol v1 header (CURLOPT_HAPROXYPROTOCOL) (available since Monitoring Plugins v2.4.0)
+curl_cookie_jar_file             | **Optional.** Path to a cookie jar file. Store cookies in the cookie jar and send them out when requested. (available since Monitoring Plugins v2.3.4)
+curl_warning                     | **Optional.** The warning threshold.
+curl_critical 	                 | **Optional.** The critical threshold.
+curl_timeout                     | **Optional.** Seconds before connection times out.
+curl_extra_opts                  | **Optional.** Read options from an ini file.
 
 
 ### icmp <a id="plugin-check-command-icmp"></a>
@@ -762,6 +842,7 @@ icmp_hosts_alive | **Optional.** The number of hosts which have to be alive for
 icmp_data_bytes | **Optional.** Payload size for each ICMP request. Defaults to 8.
 icmp_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 10 (seconds).
 icmp_ttl        | **Optional.** The TTL on outgoing packets.
+icmp_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### imap <a id="plugin-check-command-imap"></a>
@@ -792,6 +873,7 @@ imap_critical         | **Optional.** Response time to result in critical status
 imap_timeout          | **Optional.** Seconds before connection times out (default: 10).
 imap_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 imap_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
+imap_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ldap <a id="plugin-check-command-ldap"></a>
@@ -822,6 +904,7 @@ ldap_warning_entries	| **Optional.** Number of found entries to result in warnin
 ldap_critical_entries	| **Optional.** Number of found entries to result in critical status.
 ldap_timeout		| **Optional.** Seconds before connection times out (default: 10).
 ldap_verbose		| **Optional.** Show details for command-line debugging (disabled by default)
+ldap_extra_opts 	| **Optional.** Read extra plugin options from an ini file.
 
 ### load <a id="plugin-check-command-load"></a>
 
@@ -839,6 +922,7 @@ load_cload1     | **Optional.** The 1-minute critical threshold. Defaults to 10.
 load_cload5     | **Optional.** The 5-minute critical threshold. Defaults to 6.
 load_cload15    | **Optional.** The 15-minute critical threshold. Defaults to 4.
 load_percpu     | **Optional.** Divide the load averages by the number of CPUs (when possible). Defaults to false.
+load_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 ### mailq <a id="plugin-check-command-mailq"></a>
 
@@ -885,6 +969,7 @@ mysql_cert		| **Optional.** Path to SSL certificate.
 mysql_key		| **Optional.** Path to private SSL key.
 mysql_cadir		| **Optional.** Path to CA directory.
 mysql_ciphers		| **Optional.** List of valid SSL ciphers.
+mysql_extra_opts	| **Optional.** Read extra plugin options from an ini file.
 
 
 ### mysql_query <a id="plugin-check-command-mysql-query"></a>
@@ -910,6 +995,7 @@ mysql_query_password    | **Optional.** Use the indicated password to authentica
 mysql_query_execute     | **Required.** SQL Query to run on the MySQL Server.
 mysql_query_warning     | **Optional.** Exit with WARNING status if query is outside of the range (format: start:end).
 mysql_query_critical    | **Optional.** Exit with CRITICAL status if query is outside of the range.
+mysql_query_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### negate <a id="plugin-check-command-negate"></a>
@@ -981,6 +1067,7 @@ nscp_warn       | **Optional.** The warning threshold.
 nscp_crit       | **Optional.** The critical threshold.
 nscp_timeout    | **Optional.** The query timeout in seconds.
 nscp_showall    | **Optional.** Use with SERVICESTATE to see working services or PROCSTATE for running processes. Defaults to false.
+nscp_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ntp_time <a id="plugin-check-command-ntp-time"></a>
@@ -1003,6 +1090,7 @@ ntp_timeoffset  | **Optional.** Expected offset of the ntp server relative to lo
 ntp_timeout     | **Optional.** Seconds before connection times out (default: 10).
 ntp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 ntp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
+ntp_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ntp_peer <a id="plugin-check-command-ntp-peer"></a>
@@ -1030,6 +1118,7 @@ ntp_csource     | **Optional.** Critical threshold for number of usable time sou
 ntp_timeout     | **Optional.** Seconds before connection times out (default: 10).
 ntp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 ntp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
+ntp_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### pgsql <a id="plugin-check-command-pgsql"></a>
@@ -1057,6 +1146,7 @@ pgsql_timeout		| **Optional.** Seconds before connection times out (default: 10)
 pgsql_query		| **Optional.** SQL query to run. Only first column in first row will be read.
 pgsql_query_warning	| **Optional.** SQL query value to result in warning status (double).
 pgsql_query_critical	| **Optional.** SQL query value to result in critical status (double).
+pgsql_extra_opts	| **Optional.** Read extra plugin options from an ini file.
 
 ### ping <a id="plugin-check-command-ping"></a>
 
@@ -1078,6 +1168,7 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 15.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
+ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ping4 <a id="plugin-check-command-ping4"></a>
@@ -1100,6 +1191,7 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 15.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
+ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 ### ping6 <a id="plugin-check-command-ping6"></a>
 
@@ -1121,6 +1213,7 @@ ping_crta       | **Optional.** The RTA critical threshold in milliseconds. Defa
 ping_cpl        | **Optional.** The packet loss critical threshold in %. Defaults to 15.
 ping_packets    | **Optional.** The number of packets to send. Defaults to 5.
 ping_timeout    | **Optional.** The plugin timeout in seconds. Defaults to 0 (no timeout).
+ping_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### pop <a id="plugin-check-command-pop"></a>
@@ -1151,6 +1244,7 @@ pop_critical         | **Optional.** Response time to result in critical status
 pop_timeout          | **Optional.** Seconds before connection times out (default: 10).
 pop_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 pop_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
+pop_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 ### procs <a id="plugin-check-command-processes"></a>
@@ -1162,23 +1256,25 @@ of processes. Search filters can be applied to limit the processes to check.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name                 | Description
----------------------|--------------
-procs_warning        | **Optional.** The process count warning threshold. Defaults to 250.
-procs_critical       | **Optional.** The process count critical threshold. Defaults to 400.
-procs_metric         | **Optional.** Check thresholds against metric.
-procs_timeout        | **Optional.** Seconds before plugin times out.
-procs_traditional    | **Optional.** Filter own process the traditional way by PID instead of /proc/pid/exe. Defaults to false.
-procs_state          | **Optional.** Only scan for processes that have one or more of the status flags you specify.
-procs_ppid           | **Optional.** Only scan for children of the parent process ID indicated.
-procs_vsz            | **Optional.** Only scan for processes with VSZ higher than indicated.
-procs_rss            | **Optional.** Only scan for processes with RSS higher than indicated.
-procs_pcpu           | **Optional.** Only scan for processes with PCPU higher than indicated.
-procs_user           | **Optional.** Only scan for processes with user name or ID indicated.
-procs_argument       | **Optional.** Only scan for processes with args that contain STRING.
-procs_argument_regex | **Optional.** Only scan for processes with args that contain the regex STRING.
-procs_command        | **Optional.** Only scan for exact matches of COMMAND (without path).
-procs_nokthreads     | **Optional.** Only scan for non kernel threads. Defaults to false.
+Name                  | Description
+----------------------|--------------
+procs_warning         | **Optional.** The process count warning threshold. Defaults to 250.
+procs_critical        | **Optional.** The process count critical threshold. Defaults to 400.
+procs_metric          | **Optional.** Check thresholds against metric.
+procs_timeout         | **Optional.** Seconds before plugin times out.
+procs_traditional     | **Optional.** Filter own process the traditional way by PID instead of /proc/pid/exe. Defaults to false.
+procs_state           | **Optional.** Only scan for processes that have one or more of the status flags you specify.
+procs_ppid            | **Optional.** Only scan for children of the parent process ID indicated.
+procs_vsz             | **Optional.** Only scan for processes with VSZ higher than indicated.
+procs_rss             | **Optional.** Only scan for processes with RSS higher than indicated.
+procs_pcpu            | **Optional.** Only scan for processes with PCPU higher than indicated.
+procs_user            | **Optional.** Only scan for processes with user name or ID indicated.
+procs_argument        | **Optional.** Only scan for processes with args that contain STRING.
+procs_argument_regex  | **Optional.** Only scan for processes with args that contain the regex STRING.
+procs_command         | **Optional.** Only scan for exact matches of COMMAND (without path).
+procs_exclude_process | **Optional.** Exclude processes which match this comma separated list.
+procs_nokthreads      | **Optional.** Only scan for non kernel threads. Defaults to false.
+procs_extra_opts      | **Optional.** Read extra plugin options from an ini file.
 
 
 ### radius <a id="plugin-check-command-radius"></a>
@@ -1208,6 +1304,7 @@ radius_nas_address | **Optional.** The NAS IP address.
 radius_expect      | **Optional.** The response string to expect from the server.
 radius_retries     | **Optional.** The number of times to retry a failed connection.
 radius_timeout     | **Optional.** The number of seconds before connection times out (default: 10).
+radius_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 ### rpc <a id="plugin-check-command-rpc"></a>
 
@@ -1254,6 +1351,7 @@ simap_critical         | **Optional.** Response time to result in critical statu
 simap_timeout          | **Optional.** Seconds before connection times out (default: 10).
 simap_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 simap_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
+simap_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 ### smart <a id="plugin-check-command-smart"></a>
 
@@ -1262,9 +1360,10 @@ checks a local hard drive with the (Linux specific) SMART interface. Requires in
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name            | Description
-----------------|--------------
-smart_device    | **Required.** The name of a local hard drive to monitor.
+Name             | Description
+-----------------|--------------
+smart_device     | **Required.** The name of a local hard drive to monitor.
+smart_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### smtp <a id="plugin-check-command-smtp"></a>
@@ -1294,6 +1393,7 @@ smtp_critical         | **Optional.** Response time to result in critical status
 smtp_timeout          | **Optional.** Seconds before connection times out (default: 10).
 smtp_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 smtp_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
+smtp_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 ### snmp <a id="plugin-check-command-snmp"></a>
@@ -1322,6 +1422,7 @@ snmp_invert_search  | **Optional.** Invert search result and return CRITICAL sta
 snmp_units          | **Optional.** Units label(s) for output value (e.g., 'sec.').
 snmp_version        | **Optional.** Version to use. E.g. 1, 2, 2c or 3.
 snmp_miblist        | **Optional.** MIB's to use, comma separated. Defaults to "ALL".
+snmp_multiplier     |**Optional.** Multiplies current value, 0 < n < 1 works as divider, defaults to 1
 snmp_rate_multiplier | **Optional.** Converts rate per second. For example, set to 60 to convert to per minute.
 snmp_rate           | **Optional.** Boolean. Enable rate calculation.
 snmp_getnext        | **Optional.** Boolean. Use SNMP GETNEXT. Defaults to false.
@@ -1329,6 +1430,7 @@ snmp_timeout        | **Optional.** The command timeout in seconds. Defaults to
 snmp_offset         | **Optional.** Add/subtract the specified OFFSET to numeric sensor data.
 snmp_output_delimiter | **Optional.** Separates output on multiple OID requests.
 snmp_perf_oids      | **Optional.** Label performance data with OIDs instead of --label's.
+snmp_extra_opts     | **Optional.** Read extra plugin options from an ini file.
 
 ### snmpv3 <a id="plugin-check-command-snmpv3"></a>
 
@@ -1357,9 +1459,11 @@ snmpv3_eregi         | **Optional.** Return OK state (for that OID) if case-inse
 snmpv3_invert_search | **Optional.** Invert search result and return CRITICAL if found
 snmpv3_label         | **Optional.** Prefix label for output value.
 snmpv3_units         | **Optional.** Units label(s) for output value (e.g., 'sec.').
+snmp3_multiplier     |**Optional.** Multiplies current value, 0 < n < 1 works as divider, defaults to 1
 snmpv3_rate_multiplier | **Optional.** Converts rate per second. For example, set to 60 to convert to per minute.
 snmpv3_rate          | **Optional.** Boolean. Enable rate calculation.
 snmpv3_timeout       | **Optional.** The command timeout in seconds. Defaults to 10 seconds.
+snmpv3_extra_opts    | **Optional.** Read extra plugin options from an ini file.
 
 ### snmp-uptime <a id="plugin-check-command-snmp-uptime"></a>
 
@@ -1373,6 +1477,7 @@ Name            | Description
 snmp_address    | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
 snmp_oid        | **Optional.** The SNMP OID. Defaults to "1.3.6.1.2.1.1.3.0".
 snmp_community  | **Optional.** The SNMP community. Defaults to "public".
+snmp_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### spop <a id="plugin-check-command-spop"></a>
@@ -1403,6 +1508,7 @@ spop_critical         | **Optional.** Response time to result in critical status
 spop_timeout          | **Optional.** Seconds before connection times out (default: 10).
 spop_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 spop_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
+spop_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ssh <a id="plugin-check-command-ssh"></a>
@@ -1412,13 +1518,16 @@ connects to an SSH server at a specified host and port.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name            | Description
-----------------|--------------
-ssh_address     | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
-ssh_port        | **Optional.** The port that should be checked. Defaults to 22.
-ssh_timeout     | **Optional.** Seconds before connection times out. Defaults to 10.
-ssh_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
-ssh_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
+Name                | Description
+--------------------|--------------
+ssh_address         | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
+ssh_port            | **Optional.** The port that should be checked. Defaults to 22.
+ssh_timeout         | **Optional.** Seconds before connection times out. Defaults to 10.
+ssh_ipv4            | **Optional.** Use IPv4 connection. Defaults to false.
+ssh_ipv6            | **Optional.** Use IPv6 connection. Defaults to false.
+ssh_remote_version  | **Optional.** Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1).
+ssh_remote_protocol | **Optional.** Alert if protocol doesn't match expected protocol version (ex: 2.0).
+ssh_extra_opts      | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ssl <a id="plugin-check-command-ssl"></a>
@@ -1436,6 +1545,7 @@ ssl_timeout                   | **Optional.** Timeout in seconds for the connect
 ssl_cert_valid_days_warn      | **Optional.** Warning threshold for days before the certificate will expire. When used, the default for ssl_cert_valid_days_critical is 0.
 ssl_cert_valid_days_critical  | **Optional.** Critical threshold for days before the certificate will expire. When used, ssl_cert_valid_days_warn must also be set.
 ssl_sni                       | **Optional.** The `server_name` that is sent to select the SSL certificate to check. Important if SNI is used.
+ssl_extra_opts                | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ssmtp <a id="plugin-check-command-ssmtp"></a>
@@ -1466,6 +1576,7 @@ ssmtp_critical         | **Optional.** Response time to result in critical statu
 ssmtp_timeout          | **Optional.** Seconds before connection times out (default: 10).
 ssmtp_ipv4             | **Optional.** Use IPv4 connection. Defaults to false.
 ssmtp_ipv6             | **Optional.** Use IPv6 connection. Defaults to false.
+ssmtp_extra_opts       | **Optional.** Read extra plugin options from an ini file.
 
 
 ### swap <a id="plugin-check-command-swap"></a>
@@ -1482,6 +1593,7 @@ swap_cfree      | **Optional.** The free swap space critical threshold in % (ena
 swap_integer    | **Optional.** Specifies whether the thresholds are passed as number or percent value. Defaults to false (percent values).
 swap_allswaps   | **Optional.** Conduct comparisons for all swap partitions, one by one. Defaults to false.
 swap_noswap     | **Optional.** Resulting state when there is no swap regardless of thresholds. Possible values are "ok", "warning", "critical", "unknown". Defaults to "critical".
+swap_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### tcp <a id="plugin-check-command-tcp"></a>
@@ -1514,6 +1626,7 @@ tcp_ctime       | **Optional.** Response time to result in critical status (seco
 tcp_timeout     | **Optional.** Seconds before connection times out. Defaults to 10.
 tcp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 tcp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
+tcp_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### udp <a id="plugin-check-command-udp"></a>
@@ -1532,6 +1645,7 @@ udp_expect      | **Required.** The payload to expect in the response datagram.
 udp_quit        | **Optional.** The payload to send to 'close' the session.
 udp_ipv4        | **Optional.** Use IPv4 connection. Defaults to false.
 udp_ipv6        | **Optional.** Use IPv6 connection. Defaults to false.
+udp_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### ups <a id="plugin-check-command-ups"></a>
@@ -1552,6 +1666,7 @@ ups_warning     | **Optional.** The warning threshold for the selected variable.
 ups_critical    | **Optional.** The critical threshold for the selected variable.
 ups_celsius     | **Optional.** Display the temperature in degrees Celsius instead of Fahrenheit. Defaults to `false`.
 ups_timeout     | **Optional.** The number of seconds before the connection times out. Defaults to 10.
+ups_extra_opts  | **Optional.** Read extra plugin options from an ini file.
 
 
 ### users <a id="plugin-check-command-users"></a>
@@ -1562,10 +1677,11 @@ error if the number exceeds the thresholds specified.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name            | Description
-----------------|--------------
-users_wgreater  | **Optional.** The user count warning threshold. Defaults to 20.
-users_cgreater  | **Optional.** The user count critical threshold. Defaults to 50.
+Name             | Description
+-----------------|--------------
+users_wgreater   | **Optional.** The user count warning threshold. Defaults to 20.
+users_cgreater   | **Optional.** The user count critical threshold. Defaults to 50.
+users_extra_opts | **Optional.** Read extra plugin options from an ini file.
 
 
 ### uptime <a id="plugin-check-command-uptime"></a>
@@ -3447,7 +3563,7 @@ thola_identify_discover_timeouts   | **Optional.** The number of discover timeou
 
 > **Note**:
 >
-> One of the variables `thola_identify_model`, `thola_identify_os_version`, 
+> One of the variables `thola_identify_model`, `thola_identify_os_version`,
 > `thola_identify_vendor` or `thola_identify_serial_number` must be set
 
 ##### thola-memory-usage <a id="plugin-contrib-command-thola-memory-usage"></a>
@@ -3652,22 +3768,33 @@ iostat\_cwrite | **Required.** Critical threshold for KB/s writes (default: 200)
 
 #### systemd <a id="plugin-contrib-command-systemd"></a>
 
-The [check_systemd.py](https://github.com/Josef-Friedrich/check_systemd) plugin
-will report a degraded system to your monitoring solution. It requires only the [nagiosplugin](https://nagiosplugin.readthedocs.io/en/stable) library.
+The [check_systemd](https://github.com/Josef-Friedrich/check_systemd) plugin
+will report a degraded system to your monitoring solution.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name                            | Description
---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------
-systemd\_unit                   | **Optional.** Name of the systemd unit that is being tested.
-systemd\_exclude\_unit          | **Optional.** Exclude a systemd unit from the checks. This option can be applied multiple times. Also supports regular expressions.
-systemd\_no\_startup\_time      | **Optional.** Don’t check the startup time. Using this option the options `systemd_warning` and `systemd_critical` have no effect. (Default: `false`)
-systemd\_warning                | **Optional.** Startup time in seconds to result in a warning status. (Default: `60s`)
-systemd\_critical               | **Optional.** Startup time in seconds to result in a critical status. (Default: `120s`)
-systemd\_dead\_timers           | **Optional.** Detect dead / inactive timers. (Default: `false`)
-systemd\_dead\_timers\_warning  | **Optional.** Time ago in seconds for dead / inactive timers to trigger a warning state (by default 6 days).
-systemd\_dead\_timers\_critical | **Optional.** Time ago in seconds for dead / inactive timers to trigger a critical state (by default 7 days).
-systemd\_verbose\_level         | **Optional.** Increase verbosity level (Accepted values: `1`, `2` or `3`). (Defaults to none)
+Name                             | Description
+---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------
+systemd\_verbose\_level          | **Optional.** Increase verbosity level (Accepted values: `1`, `2` or `3`). (Defaults to none)
+systemd\_ignore\_inactive\_state | **Optional.** Ignore an inactive state on a specific unit. Only affective if used with `systemd_unit`.
+systemd\_include                 | **Optional.** Include systemd units to the checks, regular expressions are supported. This option can be applied multiple times.
+systemd\_unit                    | **Optional.** Name of the systemd unit that is being tested.
+systemd\_include\_type           | **Optional.** Unit types to be tested (for example: `service`, `timer`). This option can be applied multiple times.
+systemd\_exclude\_unit           | **Optional.** Exclude a systemd unit from the checks, regular expressions are supported. This option can be applied multiple times.
+systemd\_exclude\_unit\_name     | **Optional.** Exclude a systemd unit from the checks. This option can be applied multiple times.
+systemd\_exclude\_type           | **Optional.** Exclude a systemd unit type (for example: `service`, `timer`)
+systemd\_state                   | **Optional.** Specify the active state that the systemd unit must have (for example: `active`, `inactive`)
+systemd\_dead\_timers            | **Optional.** Detect dead / inactive timers, see `systemd_dead_timers_{warning,critical}`. (Default `false`)
+systemd\_dead\_timers\_warning   | **Optional.** Time ago in seconds for dead / inactive timers to trigger a warning state. (Default 6 days)
+systemd\_dead\_timers\_critical  | **Optional.** Time ago in seconds for dead / inactive timers to trigger a critical state. (Default 7 days)
+systemd\_no\_startup\_time       | **Optional.** Don't check the startup time. Using this option, the options `systemd_{warning,critical}` have no effect. (Default `false`)
+systemd\_warning                 | **Optional.** Startup time in seconds to result in a warning status. (Default 60 seconds)
+systemd\_critical                | **Optional.** Startup time in seconds to result in a critical status. (Default 120 seconds)
+systemd\_dbus                    | **Optional.** Use systemd's D-Bus API instead of parsing command output. Only partially implemented!
+systemd\_cli                     | **Optional.** Use text output from parsing command output. (Default)
+systemd\_user                    | **Optional.** Also show user (systemctl --user) units.
+
+
 
 #### yum <a id="plugin-contrib-command-yum"></a>
 
@@ -4314,23 +4441,24 @@ Check command object for the `check_vmware_esx` plugin. Shows net info.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name                    | Description
-------------------------|--------------
-vmware_host             | **Required.** ESX or ESXi hostname.
-vmware_datacenter       | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
-vmware_sslport          | **Optional.** SSL port connection. Defaults to "443".
-vmware_ignoreunknown    | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
-vmware_ignorewarning    | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
-vmware_timeout          | **Optional.** Seconds before plugin times out. Defaults to "90".
-vmware_trace            | **Optional.** Set verbosity level of vSphere API request/respond trace.
-vmware_sessionfile      | **Optional.** Session file name enhancement.
-vmware_sessionfiledir   | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
-vmware_nosession        | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
-vmware_username         | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
-vmware_password         | **Optional.** The username's password. No value defined as default.
-vmware_authfile         | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
-vmware_exclude          | **Optional.** Blacklist NICs. No value defined as default.
-vmware_isregexp         | **Optional.** Treat blacklist expression as regexp.
+Name                        | Description
+----------------------------|--------------
+vmware_host                 | **Required.** ESX or ESXi hostname.
+vmware_datacenter           | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
+vmware_sslport              | **Optional.** SSL port connection. Defaults to "443".
+vmware_ignoreunknown        | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
+vmware_ignorewarning        | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
+vmware_timeout              | **Optional.** Seconds before plugin times out. Defaults to "90".
+vmware_trace                | **Optional.** Set verbosity level of vSphere API request/respond trace.
+vmware_sessionfile          | **Optional.** Session file name enhancement.
+vmware_sessionfiledir       | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
+vmware_nosession            | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
+vmware_username             | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
+vmware_password             | **Optional.** The username's password. No value defined as default.
+vmware_authfile             | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
+vmware_exclude              | **Optional.** Blacklist NICs. No value defined as default.
+vmware_isregexp             | **Optional.** Treat blacklist expression as regexp.
+vmware_unplugged_nics_state | **Optional.** Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)
 
 
 **vmware-esx-soap-host-net-usage**
@@ -4414,23 +4542,24 @@ Check command object for the `check_vmware_esx` plugin. Check all active NICs.
 
 Custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):
 
-Name                    | Description
-------------------------|--------------
-vmware_host             | **Required.** ESX or ESXi hostname.
-vmware_datacenter       | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
-vmware_sslport          | **Optional.** SSL port connection. Defaults to "443".
-vmware_ignoreunknown    | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
-vmware_ignorewarning    | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
-vmware_timeout          | **Optional.** Seconds before plugin times out. Defaults to "90".
-vmware_trace            | **Optional.** Set verbosity level of vSphere API request/respond trace.
-vmware_sessionfile      | **Optional.** Session file name enhancement.
-vmware_sessionfiledir   | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
-vmware_nosession        | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
-vmware_username         | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
-vmware_password         | **Optional.** The username's password. No value defined as default.
-vmware_authfile         | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
-vmware_exclude          | **Optional.** Blacklist NICs. No value defined as default.
-vmware_isregexp         | **Optional.** Treat blacklist expression as regexp.
+Name                        | Description
+----------------------------|--------------
+vmware_host                 | **Required.** ESX or ESXi hostname.
+vmware_datacenter           | **Optional.** Datacenter/vCenter hostname. In case the check is done through a Datacenter/vCenter host.
+vmware_sslport              | **Optional.** SSL port connection. Defaults to "443".
+vmware_ignoreunknown        | **Optional.** Sometimes 3 (unknown) is returned from a component. But the check itself is ok. With this option the plugin will return OK (0) instead of UNKNOWN (3). Defaults to "false".
+vmware_ignorewarning        | **Optional.** Sometimes 2 (warning) is returned from a component. But the check itself is ok (from an operator view). With this option the plugin will return OK (0) instead of WARNING (1). Defaults to "false".
+vmware_timeout              | **Optional.** Seconds before plugin times out. Defaults to "90".
+vmware_trace                | **Optional.** Set verbosity level of vSphere API request/respond trace.
+vmware_sessionfile          | **Optional.** Session file name enhancement.
+vmware_sessionfiledir       | **Optional.** Path to store the **vmware_sessionfile** file. Defaults to "/var/spool/icinga2/tmp".
+vmware_nosession            | **Optional.** No auth session -- IT SHOULD BE USED FOR TESTING PURPOSES ONLY!. Defaults to "false".
+vmware_username             | **Optional.** The username to connect to Host or vCenter server. No value defined as default.
+vmware_password             | **Optional.** The username's password. No value defined as default.
+vmware_authfile             | **Optional.** Use auth file instead username/password to session connect. No effect if **vmware_username** and **vmware_password** are defined <br> **Authentication file content:** <br>  username=vmuser <br> password=p@ssw0rd
+vmware_exclude              | **Optional.** Blacklist NICs. No value defined as default.
+vmware_isregexp             | **Optional.** Treat blacklist expression as regexp.
+vmware_unplugged_nics_state | **Optional.** Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)
 
 
 **vmware-esx-soap-host-volumes**
@@ -5828,40 +5957,43 @@ Custom variables passed as [command parameters](03-monitoring-basics.md#command-
 
 Name                      | Description
 --------------------------|--------------
-ssl_cert_address              | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
-ssl_cert_port                 | **Optional.** TCP port number (default: 443).
-ssl_cert_proxy                | **Optional.** Proxy server to use for connecting to the host. Sets http_proxy and the s_client -proxy option.
-ssl_cert_file                 | **Optional.** Local file path. Works only if `ssl_cert_address` is set to "localhost".
-ssl_cert_warn                 | **Optional.** Minimum number of days a certificate has to be valid.
-ssl_cert_critical             | **Optional.** Minimum number of days a certificate has to be valid to issue a critical status.
-ssl_cert_cn                   | **Optional.** Pattern to match the CN of the certificate.
-ssl_cert_altnames             | **Optional.** Matches the pattern specified in -n with alternate
-ssl_cert_issuer               | **Optional.** Pattern to match the issuer of the certificate.
-ssl_cert_org                  | **Optional.** Pattern to match the organization of the certificate.
-ssl_cert_email                | **Optional.** Pattern to match the email address contained in the certificate.
-ssl_cert_serial               | **Optional.** Pattern to match the serial number.
-ssl_cert_noauth               | **Optional.** Ignore authority warnings (expiration only)
-ssl_cert_match_host           | **Optional.** Match CN with the host name.
-ssl_cert_selfsigned           | **Optional.** Allow self-signed certificate.
-ssl_cert_sni                  | **Optional.** Sets the TLS SNI (Server Name Indication) extension.
-ssl_cert_timeout              | **Optional.** Seconds before connection times out (default: 15)
-ssl_cert_protocol             | **Optional.** Use the specific protocol {http,smtp,pop3,imap,ftp,xmpp,irc,ldap} (default: http).
-ssl_cert_clientcert           | **Optional.** Use client certificate to authenticate.
-ssl_cert_clientpass           | **Optional.** Set passphrase for client certificate.
-ssl_cert_ssllabs              | **Optional.** SSL Labs assessment
-ssl_cert_ssllabs_nocache      | **Optional.** Forces a new check by SSL Labs
-ssl_cert_rootcert             | **Optional.** Root certificate or directory to be used for certificate validation.
-ssl_cert_ignore_signature     | **Optional.** Do not check if the certificate was signed with SHA1 od MD5.
-ssl_cert_ssl_version          | **Optional.** Force specific SSL version out of {ssl2,ssl3,tls1,tls1_1,tls1_2}.
-ssl_cert_disable_ssl_versions | **Optional.** Disable specific SSL versions out of {ssl2,ssl3,tls1,tls1_1,tls1_2}. Multiple versions can be given as array.
-ssl_cert_cipher               | **Optional.** Cipher selection: force {ecdsa,rsa} authentication.
-ssl_cert_ignore_expiration    | **Optional.** Ignore expiration date.
-ssl_cert_ignore_host_cn       | **Optional.** Do not complain if the CN does not match.
-ssl_cert_ignore_ocsp          | **Optional.** Do not check revocation with OCSP.
-ssl_cert_ignore_ocsp_errors   | **Optional.** Continue if the OCSP status cannot be checked.
-ssl_cert_ignore_ocsp_timeout  | **Optional.** Ignore OCSP result when timeout occurs while checking.
-ssl_cert_ignore_sct           | **Optional.** Do not check for signed certificate timestamps.
-ssl_cert_ignore_tls_renegotiation  | **Optional.** Do not check for renegotiation.
+ssl_cert_address                        | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
+ssl_cert_port                           | **Optional.** TCP port number (default: 443).
+ssl_cert_proxy                          | **Optional.** Proxy server to use for connecting to the host. Sets http_proxy and the s_client -proxy option.
+ssl_cert_file                           | **Optional.** Local file path. Works only if `ssl_cert_address` is set to "localhost".
+ssl_cert_warn                           | **Optional.** Minimum number of days a certificate has to be valid.
+ssl_cert_critical                       | **Optional.** Minimum number of days a certificate has to be valid to issue a critical status.
+ssl_cert_maximum_validity               | **Optional.** Maximum number of days a certificate is allowed to be valid (default: 397)
+ssl_cert_ignore_maximum_validity        | **Optional.** Ignore the certificate maximum validity
+ssl_cert_cn                             | **Optional.** Pattern to match the CN or AltName of the certificate.
+ssl_cert_issuer                         | **Optional.** Pattern to match the issuer of the certificate.
+ssl_cert_org                            | **Optional.** Pattern to match the organization of the certificate.
+ssl_cert_email                          | **Optional.** Pattern to match the email address contained in the certificate.
+ssl_cert_serial                         | **Optional.** Pattern to match the serial number.
+ssl_cert_noauth                         | **Optional.** Ignore authority warnings (expiration only)
+ssl_cert_match_host                     | **Optional.** Match CN with the host name.
+ssl_cert_selfsigned                     | **Optional.** Allow self-signed certificate.
+ssl_cert_sni                            | **Optional.** Sets the TLS SNI (Server Name Indication) extension.
+ssl_cert_timeout                        | **Optional.** Seconds before connection times out (default: 15)
+ssl_cert_protocol                       | **Optional.** Use the specific protocol {http,smtp,pop3,imap,ftp,xmpp,irc,ldap} (default: http).
+ssl_cert_http_url                       | **Optional.** HTTP Request URL (default: /)
+ssl_cert_clientcert                     | **Optional.** Use client certificate to authenticate.
+ssl_cert_clientpass                     | **Optional.** Set passphrase for client certificate.
+ssl_cert_ssllabs                        | **Optional.** SSL Labs assessment
+ssl_cert_ssllabs_nocache                | **Optional.** Forces a new check by SSL Labs
+ssl_cert_rootcert                       | **Optional.** Root certificate or directory to be used for certificate validation.
+ssl_cert_ignore_signature               | **Optional.** Do not check if the certificate was signed with SHA1 od MD5.
+ssl_cert_ssl_version                    | **Optional.** Force specific SSL version out of {ssl2,ssl3,tls1,tls1_1,tls1_2}.
+ssl_cert_disable_ssl_versions           | **Optional.** Disable specific SSL versions out of {ssl2,ssl3,tls1,tls1_1,tls1_2}. Multiple versions can be given as array.
+ssl_cert_cipher                         | **Optional.** Cipher selection: force {ecdsa,rsa} authentication.
+ssl_cert_ignore_expiration              | **Optional.** Ignore expiration date.
+ssl_cert_ignore_host_cn                 | **Optional.** Do not complain if the CN does not match.
+ssl_cert_ignore_ocsp                    | **Optional.** Do not check revocation with OCSP.
+ssl_cert_ignore_ocsp_errors             | **Optional.** Continue if the OCSP status cannot be checked.
+ssl_cert_ignore_ocsp_timeout            | **Optional.** Ignore OCSP result when timeout occurs while checking.
+ssl_cert_ignore_sct                     | **Optional.** Do not check for signed certificate timestamps.
+ssl_cert_ignore_tls_renegotiation       | **Optional.** Do not check for renegotiation.
+ssl_cert_dane                           | **Optional.** Verify that valid DANE records exist ({211,301,302,311,312} or empty string).
 
 
 #### jmx4perl <a id="plugin-contrib-command-jmx4perl"></a>

doc/11-cli-commands.md

@@ -22,7 +22,7 @@ Supported commands:
   * api setup (setup for API)
   * ca list (lists all certificate signing requests)
   * ca restore (restores a removed certificate request)
-  * ca remove (removes an outstanding certificate request)  
+  * ca remove (removes an outstanding certificate request)
   * ca sign (signs an outstanding certificate request)
   * console (Icinga debug console)
   * daemon (starts Icinga 2)
@@ -73,7 +73,7 @@ RPM and Debian packages install the bash completion files into
 
 You need to install the `bash-completion` package if not already installed.
 
-RHEL/CentOS/Fedora:
+RHEL/Fedora:
 
 ```bash
 yum install bash-completion

doc/12-icinga2-api.md

@@ -115,7 +115,7 @@ You can also use [jq](https://stedolan.github.io/jq/) or `python -m json.tool`
 in combination with curl on the CLI.
 
 ```bash
-curl ... | jq 
+curl ... | jq
 curl ... | python -m json.tool
 ```
 
@@ -288,6 +288,7 @@ Available permissions for specific URL endpoints:
   config/query                  | /v1/config    | No                | 1
   config/modify                 | /v1/config    | No                | 512
   console                       | /v1/console   | No                | 1
+  debug                         | /v1/debug     | No                | 1
   events/<type>           | /v1/events    | No                | 1
   objects/query/<type>    | /v1/objects   | Yes               | 1
   objects/create/<type>   | /v1/objects   | No                | 1
@@ -565,7 +566,7 @@ created by the API.
 ### Querying Objects <a id="icinga2-api-config-objects-query"></a>
 
 You can request information about configuration objects by sending
-a `GET` query to the `/v1/objects/<type>` URL endpoint. `<type` has
+a `GET` query to the `/v1/objects/<type>` URL endpoint. `<type>` has
 to be replaced with the plural name of the object type you are interested
 in:
 
@@ -813,7 +814,7 @@ parameters need to be passed inside the JSON body:
 
   Parameters        | Type         | Description
   ------------------|--------------|--------------------------
-  templates         | Array        | **Optional.** Import existing configuration templates for this object type. Note: These templates must either be statically configured or provided in [config packages](12-icinga2-api.md#icinga2-api-config-management)-
+  templates         | Array        | **Optional.** Import existing configuration templates for this object type. Note: These templates must either be statically configured or provided in [config packages](12-icinga2-api.md#icinga2-api-config-management).
   attrs             | Dictionary   | **Required.** Set specific object attributes for this [object type](09-object-types.md#object-types).
   ignore\_on\_error | Boolean      | **Optional.** Ignore object creation errors and return an HTTP 200 status instead.
 
@@ -950,7 +951,7 @@ list the latter in the `restore_attrs` parameter. E.g.:
 ```bash
 curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
  -X POST 'https://localhost:5665/v1/objects/hosts/example.localdomain' \
- -d '{ "restore_attrs": [ "address", "vars.os" ] }, "pretty": true }'
+ -d '{ "restore_attrs": [ "address", "vars.os" ], "pretty": true }'
 ```
 
 ```json
@@ -1008,7 +1009,7 @@ curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
 There are several actions available for Icinga 2 provided by the `/v1/actions`
 URL endpoint. You can run actions by sending a `POST` request.
 
-The following actions are also used by [Icinga Web 2](https://icinga.com/products/icinga-web-2/):
+The following actions are also used by [Icinga Web 2](https://icinga.com/docs/icinga-web/latest/):
 
 * sending check results to Icinga from scripts, remote agents, etc.
 * scheduling downtimes from external scripts or cronjobs
@@ -1657,14 +1658,14 @@ Send a `POST` request to the URL endpoint `/v1/actions/execute-command`.
   --------------|------------|--------------
   ttl           | Number     | **Required.** The time to live of the execution expressed in seconds.
   command_type  | String     | **Optional.** The command type: `CheckCommand` or `EventCommand` or `NotificationCommand`. Default: `EventCommand`
-  command       | String     | **Optional.** The command to execute. Its type must the same as `command_type`. It can be a macro string. Default: depending on the `command_type` it's either `$check_command$`, `$event_command$` or `$notification_command$`   
+  command       | String     | **Optional.** The command to execute. Its type must the same as `command_type`. It can be a macro string. Default: depending on the `command_type` it's either `$check_command$`, `$event_command$` or `$notification_command$`
   endpoint      | String     | **Optional.** The endpoint to execute the command on. It can be a macro string. Default: `$command_endpoint$`.
   macros        | Dictionary | **Optional.** Macro overrides. Default: `{}`
-  user          | String     | **Optional.** The user used for the notification command. 
+  user          | String     | **Optional.** The user used for the notification command.
   notification  | String     | **Optional.** The notification used for the notification command.
-  
+
 Example:
-  
+
 ```bash
 curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
  -X POST 'https://localhost:5665/v1/actions/execute-command' \
@@ -1850,7 +1851,7 @@ Example for all object events:
   --------------|---------------|--------------------------
   type 	        | String        | Event type `DowntimeAdded`.
   timestamp     | Timestamp     | Unix timestamp when the event happened.
-  downtime      | Dictionary    | Serialized [Comment](09-object-types.md#objecttype-downtime) object.
+  downtime      | Dictionary    | Serialized [Downtime](09-object-types.md#objecttype-downtime) object.
 
 #### <a id="icinga2-api-event-streams-type-downtimeremoved"></a> Event Stream Type: DowntimeRemoved
 
@@ -1858,7 +1859,7 @@ Example for all object events:
   --------------|---------------|--------------------------
   type 	        | String        | Event type `DowntimeRemoved`.
   timestamp     | Timestamp     | Unix timestamp when the event happened.
-  downtime      | Dictionary    | Serialized [Comment](09-object-types.md#objecttype-downtime) object.
+  downtime      | Dictionary    | Serialized [Downtime](09-object-types.md#objecttype-downtime) object.
 
 
 #### <a id="icinga2-api-event-streams-type-downtimestarted"></a> Event Stream Type: DowntimeStarted
@@ -1867,7 +1868,7 @@ Example for all object events:
   --------------|---------------|--------------------------
   type 	        | String        | Event type `DowntimeStarted`.
   timestamp     | Timestamp     | Unix timestamp when the event happened.
-  downtime      | Dictionary    | Serialized [Comment](09-object-types.md#objecttype-downtime) object.
+  downtime      | Dictionary    | Serialized [Downtime](09-object-types.md#objecttype-downtime) object.
 
 
 #### <a id="icinga2-api-event-streams-type-downtimetriggered"></a> Event Stream Type: DowntimeTriggered
@@ -1876,8 +1877,34 @@ Example for all object events:
   --------------|---------------|--------------------------
   type 	        | String        | Event type `DowntimeTriggered`.
   timestamp     | Timestamp     | Unix timestamp when the event happened.
-  downtime      | Dictionary    | Serialized [Comment](09-object-types.md#objecttype-downtime) object.
+  downtime      | Dictionary    | Serialized [Downtime](09-object-types.md#objecttype-downtime) object.
 
+#### <a id="icinga2-api-event-streams-type-objectcreated"></a> Event Stream Type: ObjectCreated
+
+| Name         | Type      | Description                                                    |
+|--------------|-----------|----------------------------------------------------------------|
+| type         | String    | Event type `ObjectCreated`.                                    |
+| timestamp    | Timestamp | Unix timestamp when the event happened.                        |
+| object\_type | String    | Type of the newly created object, such as `Host` or `Service`. |
+| object\_name | String    | The full name of the object.                                   |
+
+#### <a id="icinga2-api-event-streams-type-objectmodified"></a> Event Stream Type: ObjectModified
+
+| Name         | Type      | Description                                               |
+|--------------|-----------|-----------------------------------------------------------|
+| type         | String    | Event type `ObjectModified`.                              |
+| timestamp    | Timestamp | Unix timestamp when the event happened.                   |
+| object\_type | String    | Type of the modified object, such as `Host` or `Service`. |
+| object\_name | String    | The full name of the object.                              |
+
+#### <a id="icinga2-api-event-streams-type-objectdeleted"></a> Event Stream Type: ObjectDeleted
+
+| Name         | Type      | Description                                              |
+|--------------|-----------|----------------------------------------------------------|
+| type         | String    | Event type `ObjectDeleted`.                              |
+| timestamp    | Timestamp | Unix timestamp when the event happened.                  |
+| object\_type | String    | Type of the deleted object, such as `Host` or `Service`. |
+| object\_name | String    | The full name of the object.                             |
 
 ### Event Stream Filter <a id="icinga2-api-event-streams-filter"></a>
 
@@ -2347,7 +2374,7 @@ Creation, modification and deletion of templates at runtime is not supported.
 ### Querying Templates <a id="icinga2-api-config-templates-query"></a>
 
 You can request information about configuration templates by sending
-a `GET` query to the `/v1/templates/<type>` URL endpoint. `<type` has
+a `GET` query to the `/v1/templates/<type>` URL endpoint. `<type>` has
 to be replaced with the plural name of the object type you are interested
 in:
 
@@ -2502,6 +2529,72 @@ curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
 }
 ```
 
+## Memory Usage Analysis <a id="icinga2-api-memory"></a>
+
+The GNU libc function `malloc_info(3)` provides memory allocation and usage
+statistics of Icinga 2 itself. You can call it directly by sending a `GET`
+request to the URL endpoint `/v1/debug/malloc_info`.
+
+The [API permission](12-icinga2-api.md#icinga2-api-permissions) `debug` is required.
+
+Example:
+
+```bash
+curl -k -s -S -i -u root:icinga https://localhost:5665/v1/debug/malloc_info
+```
+
+In contrast to other API endpoints, the response is not JSON,
+but the raw XML output from `malloc_info(3)`. See also the
+[glibc malloc(3) internals](https://sourceware.org/glibc/wiki/MallocInternals).
+
+```xml
+<malloc version="1">
+  <heap nr="0">
+    <sizes>
+      <size from="33" to="48" total="96" count="2"/>
+      <size from="49" to="64" total="192" count="3"/>
+      <size from="65" to="80" total="80" count="1"/>
+      <unsorted from="84817" to="84817" total="84817" count="1"/>
+    </sizes>
+    <total type="fast" count="6" size="368"/>
+    <total type="rest" count="2" size="859217"/>
+    <system type="current" size="7409664"/>
+    <system type="max" size="7409664"/>
+    <aspace type="total" size="7409664"/>
+    <aspace type="mprotect" size="7409664"/>
+  </heap>
+  <!-- ... -->
+  <heap nr="30">
+    <sizes>
+      <size from="17" to="32" total="96" count="3"/>
+      <size from="33" to="48" total="576" count="12"/>
+      <size from="49" to="64" total="64" count="1"/>
+      <size from="97" to="112" total="3584" count="32"/>
+      <size from="49" to="49" total="98" count="2"/>
+      <size from="81" to="81" total="810" count="10"/>
+      <size from="257" to="257" total="2827" count="11"/>
+      <size from="689" to="689" total="689" count="1"/>
+      <size from="705" to="705" total="705" count="1"/>
+      <unsorted from="81" to="81" total="81" count="1"/>
+    </sizes>
+    <total type="fast" count="48" size="4320"/>
+    <total type="rest" count="27" size="118618"/>
+    <system type="current" size="135168"/>
+    <system type="max" size="135168"/>
+    <aspace type="total" size="135168"/>
+    <aspace type="mprotect" size="135168"/>
+    <aspace type="subheaps" size="1"/>
+  </heap>
+  <total type="fast" count="938" size="79392"/>
+  <total type="rest" count="700" size="4409469"/>
+  <total type="mmap" count="0" size="0"/>
+  <system type="current" size="15114240"/>
+  <system type="max" size="15114240"/>
+  <aspace type="total" size="15114240"/>
+  <aspace type="mprotect" size="15114240"/>
+</malloc>
+```
+
 ## API Clients <a id="icinga2-api-clients"></a>
 
 After its initial release in 2015, community members
@@ -2545,7 +2638,7 @@ Name												| Language	| Description
 [BitBar for OSX](https://getbitbar.com/plugins/Dev/Icinga2/icinga2.24m.py)			| Python	| macOS tray app for highlighting the host/service status
 [Icinga 2 Multistatus](https://chrome.google.com/webstore/detail/icinga-multi-status/khabbhcojgkibdeipanmiphceeoiijal/related)	| - 	| Chrome Extension
 [Naglite4](https://github.com/wftech/icinga2-naglite4)						| Python	| Naglite3 rewrite using the Icinga 2 REST API.
-[icinga-telegram-bot](https://github.com/joni1993/icinga-telegram-bot)				| Python	| Telegram Bot using the Icinga 2 REST API 
+[icinga-telegram-bot](https://github.com/joni1993/icinga-telegram-bot)				| Python	| Telegram Bot using the Icinga 2 REST API
 
 ### Manage Objects <a id="icinga2-api-clients-management"></a>
 
@@ -2606,7 +2699,7 @@ The following languages are covered:
 * [Golang](12-icinga2-api.md#icinga2-api-clients-programmatic-examples-golang)
 * [Powershell](12-icinga2-api.md#icinga2-api-clients-programmatic-examples-powershell)
 
-The [request method](icinga2-api-requests) is `POST` using [X-HTTP-Method-Override: GET](12-icinga2-api.md#icinga2-api-requests-method-override)
+The [request method](#icinga2-api-requests) is `POST` using [X-HTTP-Method-Override: GET](12-icinga2-api.md#icinga2-api-requests-method-override)
 which allows you to send a JSON request body. The examples request specific service
 attributes joined with host attributes. `attrs` and `joins` are therefore specified
 as array.

doc/13-addons.md

@@ -32,7 +32,7 @@ vim /etc/icinga2/conf.d/templates.conf
 
 Install the package `nano-icinga2` with your distribution's package manager.
 
-**Note:** On Debian, Ubuntu and Raspbian, the syntax files are installed with the `icinga2-common` package already.
+**Note:** On Debian, Ubuntu and Raspberry Pi OS, the syntax files are installed with the `icinga2-common` package already.
 
 Copy the `/etc/nanorc` sample file to your home directory.
 
@@ -71,9 +71,6 @@ via email.
 
 ![Icinga Reporting](images/addons/icinga_reporting.png)
 
-Follow along in this [hands-on blog post](https://icinga.com/2019/06/17/icinga-reporting-hands-on/).
-
-
 ## Graphs and Metrics <a id="addons-graphs-metrics"></a>
 
 ### Graphite <a id="addons-graphing-graphite"></a>
@@ -185,7 +182,7 @@ in a tree or list overview and can be added to any dashboard.
 
 ![Icinga Web 2 Business Process](images/addons/icingaweb2_businessprocess.png)
 
-Read more [here](https://icinga.com/products/icinga-business-process-modelling/).
+Read more [here](https://icinga.com/docs/icinga-business-process-modeling/latest/).
 
 ### Certificate Monitoring <a id="addons-visualization-certificate-monitoring"></a>
 
@@ -194,8 +191,7 @@ actions and view all details at a glance.
 
 ![Icinga Certificate Monitoring](images/addons/icinga_certificate_monitoring.png)
 
-Read more [here](https://icinga.com/products/icinga-certificate-monitoring/)
-and [here](https://icinga.com/2019/06/03/monitoring-automation-with-icinga-certificate-monitoring/).
+Read more [here](https://icinga.com/products/icinga-certificate-monitoring/).
 
 ### Dashing Dashboard <a id="addons-visualization-dashing-dashboard"></a>
 
@@ -204,7 +200,7 @@ on top of Dashing and uses the [REST API](12-icinga2-api.md#icinga2-api) to visu
 on with your monitoring. It combines several popular widgets and provides development
 instructions for your own implementation.
 
-The dashboard also allows to embed the [Icinga Web 2](https://icinga.com/products/icinga-web-2/)
+The dashboard also allows to embed the [Icinga Web 2](https://icinga.com/docs/icinga-web/latest/)
 host and service problem lists as Iframe.
 
 ![Dashing dashboard](images/addons/dashing_icinga2.png)
@@ -234,10 +230,6 @@ There's a variety of resources available, for example different notification scr
 * Ticket systems
 * etc.
 
-Blog posts and howtos:
-
-* [Environmental Monitoring and Alerting](https://icinga.com/2019/09/02/environmental-monitoring-and-alerting-via-text-message/)
-
 Additionally external services can be [integrated with Icinga 2](https://icinga.com/products/integrations/):
 
 * [Pagerduty](https://icinga.com/products/integrations/pagerduty/)

doc/14-features.md

@@ -52,7 +52,7 @@ Icinga DB is a set of components for publishing, synchronizing and
 visualizing monitoring data in the Icinga ecosystem, consisting of:
 
 * Icinga 2 with its `icingadb` feature enabled,
-  responsible for publishing monitoring data to a Redis server, i.e. configuration and its runtime updates,  
+  responsible for publishing monitoring data to a Redis server, i.e. configuration and its runtime updates,
   check results, state changes, downtimes, acknowledgements, notifications, and other events such as flapping
 * The [Icinga DB daemon](https://icinga.com/docs/icinga-db),
   which synchronizes the data between the Redis server and a database
@@ -106,7 +106,7 @@ The current naming schema is defined as follows. The [Icinga Web 2 Graphite modu
 depends on this schema.
 
 The default prefix for hosts and services is configured using
-[runtime macros](03-monitoring-basics.md#runtime-macros)like this:
+[runtime macros](03-monitoring-basics.md#runtime-macros) like this:
 
 ```
 icinga2.$host.name$.host.$host.check_command$
@@ -815,16 +815,6 @@ apt-get install icinga2-ido-mysql
     default. You can skip the automated setup and install/upgrade the
     database manually if you prefer.
 
-###### CentOS 7
-
-!!! info
-
-    Note that installing `icinga2-ido-mysql` is only supported on CentOS 7 as CentOS 8 is EOL.
-
-```bash
-yum install icinga2-ido-mysql
-```
-
 ###### RHEL 8
 
 ```bash
@@ -843,7 +833,7 @@ yum install icinga2-ido-mysql
 zypper install icinga2-ido-mysql
 ```
 
-###### Amazon Linux 2
+###### Amazon Linux
 
 ```bash
 yum install icinga2-ido-mysql
@@ -914,16 +904,6 @@ apt-get install icinga2-ido-pgsql
     You can skip the automated setup and install/upgrade the database manually
     if you prefer that.
 
-###### CentOS 7
-
-!!! info
-
-    Note that installing `icinga2-ido-pgsql` is only supported on CentOS 7 as CentOS 8 is EOL.
-
-```bash
-yum install icinga2-ido-pgsql
-```
-
 ###### RHEL 8
 
 ```bash
@@ -942,7 +922,7 @@ yum install icinga2-ido-pgsql
 zypper install icinga2-ido-pgsql
 ```
 
-###### Amazon Linux 2
+###### Amazon Linux
 
 ```bash
 yum install icinga2-ido-pgsql

doc/15-troubleshooting.md

@@ -19,8 +19,8 @@ findings and details please.
 	* `icinga2 --version`
 	* `icinga2 feature list`
 	* `icinga2 daemon -C`
-	* [Icinga Web 2](https://icinga.com/products/icinga-web-2/) version (screenshot from System - About)
-	* [Icinga Web 2 modules](https://icinga.com/products/icinga-web-2-modules/) e.g. the Icinga Director (optional)
+	* [Icinga Web 2](https://icinga.com/docs/icinga-web/latest/) version (screenshot from System - About)
+	* Icinga Web 2 modules e.g. the Icinga Director (optional)
 * Configuration insights:
 	* Provide complete configuration snippets explaining your problem in detail
 	* Your [icinga2.conf](04-configuration.md#icinga2-conf) file
@@ -176,6 +176,64 @@ C:\> cd C:\ProgramData\icinga2\var\log\icinga2
 C:\ProgramData\icinga2\var\log\icinga2> Get-Content .\debug.log -tail 10 -wait
 ```
 
+### Enable/Disable Debug Output on the fly <a id="troubleshooting-enable-disable-debug-output-api"></a>
+
+The `debuglog` feature can also be created and deleted at runtime without having to restart Icinga 2.
+Technically, this is possible because this feature is a [FileLogger](09-object-types.md#objecttype-filelogger)
+that can be managed through the [API](12-icinga2-api.md#icinga2-api-config-objects).
+
+This is a good alternative to `icinga2 feature enable debuglog` as object
+creation/deletion via API happens immediately and requires no restart.
+
+The above matters in setups large enough for the reload to take a while.
+Especially these produce a lot of debug log output until disabled again.
+
+!!! info
+
+    In case of [an HA zone](06-distributed-monitoring.md#distributed-monitoring-scenarios-ha-master-agents),
+    the following API examples toggle the feature on both nodes.
+
+#### Enable Debug Output on the fly <a id="troubleshooting-enable-debug-output-api"></a>
+
+```bash
+curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
+ -X PUT 'https://localhost:5665/v1/objects/fileloggers/on-the-fly-debug-file' \
+ -d '{ "attrs": { "severity": "debug", "path": "/var/log/icinga2/on-the-fly-debug.log" }, "pretty": true }'
+```
+
+```json
+{
+    "results": [
+        {
+            "code": 200.0,
+            "status": "Object was created."
+        }
+    ]
+}
+```
+
+#### Disable Debug Output on the fly <a id="troubleshooting-disable-debug-output-api"></a>
+
+This works only for debug loggers enabled on the fly as above!
+
+```bash
+curl -k -s -S -i -u root:icinga -H 'Accept: application/json' \
+ -X DELETE 'https://localhost:5665/v1/objects/fileloggers/on-the-fly-debug-file?pretty=1'
+```
+
+```json
+{
+    "results": [
+        {
+            "code": 200.0,
+            "name": "on-the-fly-debug-file",
+            "status": "Object was deleted.",
+            "type": "FileLogger"
+        }
+    ]
+}
+```
+
 ## Icinga starts/restarts/reloads very slowly
 
 ### Try swapping out the allocator
@@ -814,7 +872,7 @@ trying because you probably have a problem that requires manual intervention.
 
 ### Late Check Results <a id="late-check-results"></a>
 
-[Icinga Web 2](https://icinga.com/products/icinga-web-2/) provides
+[Icinga Web 2](https://icinga.com/docs/icinga-web/latest/) provides
 a dashboard overview for `overdue checks`.
 
 The REST API provides the [status](12-icinga2-api.md#icinga2-api-status) URL endpoint with some generic metrics
@@ -829,8 +887,7 @@ You can also calculate late check results via the REST API:
 * Fetch the `last_check` timestamp from each object
 * Compare the timestamp with the current time and add `check_interval` multiple times (change it to see which results are really late, like five times check_interval)
 
-You can use the [icinga2 console](11-cli-commands.md#cli-command-console) to connect to the instance, fetch all data
-and calculate the differences. More infos can be found in [this blogpost](https://icinga.com/2016/08/11/analyse-icinga-2-problems-using-the-console-api/).
+You can use the [icinga2 console](11-cli-commands.md#cli-command-console) to connect to the instance, fetch all data and calculate the differences.
 
 ```
 # ICINGA2_API_USERNAME=root ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://localhost:5665/'
@@ -878,7 +935,7 @@ actively attempts to schedule and execute checks. Otherwise the node does not fe
 }
 ```
 
-You may ask why this analysis is important? Fair enough - if the numbers are not inverted in a HA zone
+You may ask why this analysis is important? Fair enough - if the numbers are not inverted in an HA zone
 with two members, this may give a hint that the cluster nodes are in a split-brain scenario, or you've
 found a bug in the cluster.
 
@@ -950,95 +1007,6 @@ curl -k -s -u root:icinga -H 'Accept: application/json' -X POST 'https://localho
 ```
 
 
-### Analyze Notification Result <a id="troubleshooting-notifications-result"></a>
-
-> **Note**
->
-> This feature is available since v2.11 and requires all endpoints
-> being updated.
-
-Notifications inside a HA enabled zone are balanced between the endpoints,
-just like checks.
-
-Sometimes notifications may fail, and with looking into the (debug) logs
-for both masters, you cannot correlate this correctly.
-
-The `last_notification_result` runtime attribute is stored and synced for Notification
-objects and can be queried via REST API.
-
-Example for retrieving the notification object and result from all `disk` services using a
-[regex match](18-library-reference.md#global-functions-regex) on the name:
-
-```
-$ curl -k -s -u root:icinga -H 'Accept: application/json' -H 'X-HTTP-Method-Override: GET' -X POST 'https://localhost:5665/v1/objects/notifications' \
--d '{ "filter": "regex(pattern, service.name)", "filter_vars": { "pattern": "^disk" }, "attrs": [ "__name", "last_notification_result" ], "pretty": true }'
-{
-    "results": [
-
-        {
-            "attrs": {
-                "last_notification_result": {
-                    "active": true,
-                    "command": [
-                        "/etc/icinga2/scripts/mail-service-notification.sh",
-                        "-4",
-                        "",
-                        "-6",
-                        "",
-                        "-b",
-                        "",
-                        "-c",
-                        "",
-                        "-d",
-                        "2019-08-02 10:54:16 +0200",
-                        "-e",
-                        "disk",
-                        "-l",
-                        "icinga2-agent1.localdomain",
-                        "-n",
-                        "icinga2-agent1.localdomain",
-                        "-o",
-                        "DISK OK - free space: / 38108 MB (90.84% inode=100%);",
-                        "-r",
-                        "user@localdomain",
-                        "-s",
-                        "OK",
-                        "-t",
-                        "RECOVERY",
-                        "-u",
-                        "disk"
-                    ],
-                    "execution_end": 1564736056.186217,
-                    "execution_endpoint": "icinga2-master1.localdomain",
-                    "execution_start": 1564736056.132323,
-                    "exit_status": 0.0,
-                    "output": "",
-                    "type": "NotificationResult"
-                }
-            },
-            "joins": {},
-            "meta": {},
-            "name": "icinga2-agent1.localdomain!disk!mail-service-notification",
-            "type": "Notification"
-        }
-
-...
-
-    ]
-}
-```
-
-Example with the debug console:
-
-```
-$ ICINGA2_API_PASSWORD=icinga icinga2 console --connect 'https://root@localhost:5665/' --eval 'get_object(Notification, "icinga2-agent1.localdomain!disk!mail-service-notification").last_notification_result.execution_endpoint' | jq
-
-"icinga2-agent1.localdomain"
-```
-
-Whenever a notification command failed to execute, you can fetch the output as well.
-
-
 ## Feature Troubleshooting <a id="troubleshooting-features"></a>
 
 ### Feature is not working <a id="feature-not-working"></a>
@@ -1729,6 +1697,9 @@ Typical errors are:
 * The api feature doesn't [accept config](06-distributed-monitoring.md#distributed-monitoring-top-down-config-sync). This is logged into `/var/lib/icinga2/icinga2.log`.
 * The received configuration zone is not configured in [zones.conf](04-configuration.md#zones-conf) and Icinga denies it. This is logged into `/var/lib/icinga2/icinga2.log`.
 * The satellite/agent has local configuration in `/etc/icinga2/zones.d` and thinks it is authoritive for this zone. It then denies the received update. Purge the content from `/etc/icinga2/zones.d`, `/var/lib/icinga2/api/zones/*` and restart Icinga to fix this.
+* Configuration parts stored outside of `/etc/icinga2/zones.d` on the master, for example a constant in `/etc/icinga2/constants.conf`, are then missing on the satellite/agent.
+
+Note that if set up, the [built-in icinga CheckCommand](10-icinga-template-library.md#icinga) will notify you in case the config sync wasn't successful.
 
 #### New configuration does not trigger a reload <a id="troubleshooting-cluster-config-sync-no-reload"></a>
 

doc/17-language-reference.md

@@ -97,6 +97,7 @@ Character                 | Escape sequence
 --------------------------|------------------------------------
 "                         | \\"
 \\                        | \\\\
+$                         | $$
 <TAB>               | \\t
 <CARRIAGE-RETURN>   | \\r
 <LINE-FEED>         | \\n
@@ -107,6 +108,10 @@ In addition to these pre-defined escape sequences you can specify
 arbitrary ASCII characters using the backslash character (\\) followed
 by an ASCII character in octal encoding.
 
+In Icinga 2, the `$` character is reserved for resolving [runtime macros](03-monitoring-basics.md#runtime-macros).
+However, in situations where a string that isn't intended to be used as a runtime macro contains the `$` character,
+it is necessary to escape it with another `$` character.
+
 ### Multi-line String Literals <a id="multiline-string-literals"></a>
 
 Strings spanning multiple lines can be specified by enclosing them in

doc/18-library-reference.md

@@ -1648,9 +1648,9 @@ Example:
 function set_x(val) {
   this.x = val
 }
-	
+
 dict = {}
-	
+
 set_x.call(dict, 7) /* Invokes set_x using `dict` as `this` */
 ```
 
@@ -1671,7 +1671,7 @@ Example:
 function set_x(val) {
   this.x = val
 }
-	
+
 var dict = {}
 
 var args = [ 7 ]

doc/19-technical-concepts.md

@@ -651,7 +651,7 @@ authority = endpoints[Utility::SDBM(object->GetName()) % endpoints.size()] == my
 that by querying the `paused` attribute for all objects via REST API
 or debug console on both endpoints.
 
-Endpoints inside a HA zone calculate the object authority independent from each other.
+Endpoints inside an HA zone calculate the object authority independent from each other.
 This object authority is important for selected features explained below.
 
 Since features are configuration objects too, you must ensure that all nodes
@@ -1514,6 +1514,76 @@ Message updates will be dropped when:
 * Notification does not exist.
 * Origin endpoint's zone is not allowed to access this checkable.
 
+#### event::UpdateLastNotifiedStatePerUser <a id="technical-concepts-json-rpc-messages-event-updatelastnotifiedstateperuser"></a>
+
+> Location: `clusterevents.cpp`
+
+##### Message Body
+
+Key       | Value
+----------|---------
+jsonrpc   | 2.0
+method    | event::UpdateLastNotifiedStatePerUser
+params    | Dictionary
+
+##### Params
+
+Key          | Type   | Description
+-------------|--------|------------------
+notification | String | Notification name
+user         | String | User name
+state        | Number | Checkable state the user just got a problem notification for
+
+Used to sync the state of a notification object within the same HA zone.
+
+##### Functions
+
+Event Sender: `Notification::OnLastNotifiedStatePerUserUpdated`
+Event Receiver: `LastNotifiedStatePerUserUpdatedAPIHandler`
+
+##### Permissions
+
+The receiver will not process messages from not configured endpoints.
+
+Message updates will be dropped when:
+
+* Notification does not exist.
+* Origin endpoint is not within the local zone.
+
+#### event::ClearLastNotifiedStatePerUser <a id="technical-concepts-json-rpc-messages-event-clearlastnotifiedstateperuser"></a>
+
+> Location: `clusterevents.cpp`
+
+##### Message Body
+
+Key       | Value
+----------|---------
+jsonrpc   | 2.0
+method    | event::ClearLastNotifiedStatePerUser
+params    | Dictionary
+
+##### Params
+
+Key          | Type   | Description
+-------------|--------|------------------
+notification | String | Notification name
+
+Used to sync the state of a notification object within the same HA zone.
+
+##### Functions
+
+Event Sender: `Notification::OnLastNotifiedStatePerUserCleared`
+Event Receiver: `LastNotifiedStatePerUserClearedAPIHandler`
+
+##### Permissions
+
+The receiver will not process messages from not configured endpoints.
+
+Message updates will be dropped when:
+
+* Notification does not exist.
+* Origin endpoint is not within the local zone.
+
 #### event::SetForceNextCheck <a id="technical-concepts-json-rpc-messages-event-setforcenextcheck"></a>
 
 > Location: `clusterevents.cpp`
@@ -1817,7 +1887,7 @@ source         | String        | The execution UUID
 
 Special handling, calls `ClusterEvents::EnqueueCheck()` for command endpoint checks.
 This function enqueues check tasks into a queue which is controlled in `RemoteCheckThreadProc()`.
-If the `endpoint` parameter is specified and is not equal to the local endpoint then the message is forwarded to the correct endpoint zone. 
+If the `endpoint` parameter is specified and is not equal to the local endpoint then the message is forwarded to the correct endpoint zone.
 
 ##### Permissions
 
@@ -1862,7 +1932,7 @@ executions     | Dictionary    | Executions to be updated
 ##### Functions
 
 **Event Sender:** `ClusterEvents::ExecutedCommandAPIHandler`, `ClusterEvents::UpdateExecutionsAPIHandler`, `ApiActions::ExecuteCommand`
-**Event Receiver:** `ClusterEvents::UpdateExecutionsAPIHandler` 
+**Event Receiver:** `ClusterEvents::UpdateExecutionsAPIHandler`
 
 ##### Permissions
 
@@ -1892,7 +1962,7 @@ Key            | Type          | Description
 host           | String        | Host name.
 service        | String        | Service name.
 execution      | String        | The execution ID executed.
-exitStatus     | Number        | The command exit status. 
+exitStatus     | Number        | The command exit status.
 output         | String        | The command output.
 start          | Number        | The unix timestamp at the start of the command execution
 end            | Number        | The unix timestamp at the end of the command execution
@@ -1900,7 +1970,7 @@ end            | Number        | The unix timestamp at the end of the command ex
 ##### Functions
 
 **Event Sender:** `ClusterEvents::ExecuteCheckFromQueue`, `ClusterEvents::ExecuteCommandAPIHandler`
-**Event Receiver:** `ClusterEvents::ExecutedCommandAPIHandler` 
+**Event Receiver:** `ClusterEvents::ExecutedCommandAPIHandler`
 
 ##### Permissions
 

doc/21-development.md

@@ -48,7 +48,7 @@ or `icinga2-ido-mysql`.
 Distribution       | Command
 -------------------|------------------------------------------
 Debian/Ubuntu      | `apt-get install icinga2-dbg`
-RHEL/CentOS        | `yum install icinga2-debuginfo`
+RHEL               | `yum install icinga2-debuginfo`
 Fedora             | `dnf install icinga2-debuginfo icinga2-bin-debuginfo icinga2-ido-mysql-debuginfo`
 SLES/openSUSE      | `zypper install icinga2-bin-debuginfo icinga2-ido-mysql-debuginfo`
 
@@ -65,7 +65,7 @@ Install GDB in your development environment.
 Distribution       | Command
 -------------------|------------------------------------------
 Debian/Ubuntu      | `apt-get install gdb`
-RHEL/CentOS        | `yum install gdb`
+RHEL               | `yum install gdb`
 Fedora             | `dnf install gdb`
 SLES/openSUSE      | `zypper install gdb`
 
@@ -477,18 +477,18 @@ File Type: EXECUTABLE IMAGE
 
   Image has the following dependencies:
 
-    boost_coroutine-vc142-mt-gd-x64-1_82.dll
-    boost_date_time-vc142-mt-gd-x64-1_82.dll
-    boost_filesystem-vc142-mt-gd-x64-1_82.dll
-    boost_thread-vc142-mt-gd-x64-1_82.dll
-    boost_regex-vc142-mt-gd-x64-1_82.dll
+    boost_coroutine-vc142-mt-gd-x64-1_85.dll
+    boost_date_time-vc142-mt-gd-x64-1_85.dll
+    boost_filesystem-vc142-mt-gd-x64-1_85.dll
+    boost_thread-vc142-mt-gd-x64-1_85.dll
+    boost_regex-vc142-mt-gd-x64-1_85.dll
     libssl-3_0-x64.dll
     libcrypto-3_0-x64.dll
     WS2_32.dll
     dbghelp.dll
     SHLWAPI.dll
     msi.dll
-    boost_unit_test_framework-vc142-mt-gd-x64-1_82.dll
+    boost_unit_test_framework-vc142-mt-gd-x64-1_85.dll
     KERNEL32.dll
     SHELL32.dll
     ADVAPI32.dll
@@ -537,7 +537,7 @@ packages.
 If you encounter a problem, please [open a new issue](https://github.com/Icinga/icinga2/issues/new/choose)
 on GitHub and mention that you're testing the snapshot packages.
 
-#### RHEL/CentOS <a id="development-tests-snapshot-packages-rhel"></a>
+#### RHEL <a id="development-tests-snapshot-packages-rhel"></a>
 
 2.11+ requires the EPEL repository for Boost 1.66+.
 
@@ -1332,9 +1332,6 @@ autocmd BufWinLeave * call clearmatches()
 
 ### Linux Dev Environment <a id="development-linux-dev-env"></a>
 
-Based on CentOS 7, we have an early draft available inside the Icinga Vagrant boxes:
-[centos7-dev](https://github.com/Icinga/icinga-vagrant/tree/master/centos7-dev).
-
 If you're compiling Icinga 2 natively without any virtualization layer in between,
 this usually is faster. This is also the reason why developers on macOS prefer native builds
 over Linux or Windows VMs. Don't forget to test the actual code on Linux later! Socket specific
@@ -1357,21 +1354,20 @@ mkdir -p release debug
 Proceed with the specific distribution examples below. Keep in mind that these instructions
 are best effort and sometimes out-of-date. Git Master may contain updates.
 
-* [CentOS 7](21-development.md#development-linux-dev-env-centos)
+* [Fedora 40](21-development.md#development-linux-dev-env-fedora)
 * [Debian 10 Buster](21-development.md#development-linux-dev-env-debian)
 * [Ubuntu 18 Bionic](21-development.md#development-linux-dev-env-ubuntu)
 
-
-#### CentOS 7 <a id="development-linux-dev-env-centos"></a>
+#### Fedora 40 <a id="development-linux-dev-env-fedora"></a>
 
 ```bash
-yum -y install gdb vim git bash-completion htop centos-release-scl
+yum -y install gdb vim git bash-completion htop
 
 yum -y install rpmdevtools ccache \
- cmake make devtoolset-11-gcc-c++ flex bison \
- openssl-devel boost169-devel systemd-devel \
+ cmake make gcc-c++ flex bison \
+ openssl-devel boost-devel systemd-devel \
  mysql-devel postgresql-devel libedit-devel \
- devtoolset-11-libstdc++-devel
+ libstdc++-devel
 
 groupadd icinga
 groupadd icingacmd
@@ -1389,47 +1385,42 @@ slower but allows for better debugging insights.
 For benchmarks, change `CMAKE_BUILD_TYPE` to `RelWithDebInfo` and
 build inside the `release` directory.
 
-First, off export some generics for Boost.
+First, override the default prefix path.
 
 ```bash
-export I2_BOOST="-DBoost_NO_BOOST_CMAKE=TRUE -DBoost_NO_SYSTEM_PATHS=TRUE -DBOOST_LIBRARYDIR=/usr/lib64/boost169 -DBOOST_INCLUDEDIR=/usr/include/boost169 -DBoost_ADDITIONAL_VERSIONS='1.69;1.69.0'"
+export I2_GENERIC="-DCMAKE_INSTALL_PREFIX=/usr/local/icinga2"
 ```
 
-Second, add the prefix path to it.
-
-```bash
-export I2_GENERIC="$I2_BOOST -DCMAKE_INSTALL_PREFIX=/usr/local/icinga2"
-```
-
-Third, define the two build types with their specific CMake variables.
+Second, define the two build types with their specific CMake variables.
 
 ```bash
 export I2_DEBUG="-DCMAKE_BUILD_TYPE=Debug -DICINGA2_UNITY_BUILD=OFF $I2_GENERIC"
 export I2_RELEASE="-DCMAKE_BUILD_TYPE=RelWithDebInfo -DICINGA2_WITH_TESTS=ON -DICINGA2_UNITY_BUILD=ON $I2_GENERIC"
 ```
 
-Fourth, depending on your likings, you may add a bash alias for building,
+Third, depending on your likings, you may use a bash alias for building,
 or invoke the commands inside:
 
 ```bash
-alias i2_debug="cd /root/icinga2; mkdir -p debug; cd debug; scl enable devtoolset-11 -- cmake $I2_DEBUG ..; make -j2; sudo make -j2 install; cd .."
-alias i2_release="cd /root/icinga2; mkdir -p release; cd release; scl enable devtoolset-11 -- cmake $I2_RELEASE ..; make -j2; sudo make -j2 install; cd .."
+alias i2_debug="cd /root/icinga2; mkdir -p debug; cd debug; cmake $I2_DEBUG ..; make -j2; sudo make -j2 install; cd .."
+alias i2_release="cd /root/icinga2; mkdir -p release; cd release; cmake $I2_RELEASE ..; make -j2; sudo make -j2 install; cd .."
 ```
 
-This is taken from the [centos7-dev](https://github.com/Icinga/icinga-vagrant/tree/master/centos7-dev) Vagrant box.
-
+```bash
+i2_debug
+```
 
 The source installation doesn't set proper permissions, this is
 handled in the package builds which are officially supported.
 
 ```bash
-chown -R icinga:icinga /usr/local/icinga2/var/
+chown -R icinga:icinga /usr/local/icinga2/{etc,var}/
 
 /usr/local/icinga2/lib/icinga2/prepare-dirs /usr/local/icinga2/etc/sysconfig/icinga2
 /usr/local/icinga2/sbin/icinga2 api setup
 vim /usr/local/icinga2/etc/icinga2/conf.d/api-users.conf
 
-/usr/local/icinga2/lib/icinga2/sbin/icinga2 daemon
+/usr/local/icinga2/lib64/icinga2/sbin/icinga2 daemon
 ```
 
 #### Debian 10 <a id="development-linux-dev-env-debian"></a>
@@ -1476,7 +1467,7 @@ The source installation doesn't set proper permissions, this is
 handled in the package builds which are officially supported.
 
 ```bash
-chown -R icinga:icinga /usr/local/icinga2/var/
+chown -R icinga:icinga /usr/local/icinga2/{etc,var}/
 
 /usr/local/icinga2/lib/icinga2/prepare-dirs /usr/local/icinga2/etc/sysconfig/icinga2
 /usr/local/icinga2/sbin/icinga2 api setup
@@ -1540,7 +1531,7 @@ The source installation doesn't set proper permissions, this is
 handled in the package builds which are officially supported.
 
 ```bash
-chown -R icinga:icinga /usr/local/icinga2/var/
+chown -R icinga:icinga /usr/local/icinga2/{etc,var}/
 
 /usr/local/icinga2/lib/icinga2/prepare-dirs /usr/local/icinga2/etc/sysconfig/icinga2
 /usr/local/icinga2/sbin/icinga2 api setup
@@ -1745,10 +1736,12 @@ and don't care for the details,
 
 1. ensure there are 35 GB free space on C:
 2. run the following in an administrative Powershell:
-  1. `Enable-WindowsOptionalFeature -FeatureName "NetFx3" -Online`
-     (reboot when asked!)
-  2. `powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Icinga/icinga2/master/doc/win-dev.ps1')"`
-    (will take some time)
+    1. Windows Server only:
+       `Enable-WindowsOptionalFeature -FeatureName NetFx3ServerFeatures -Online`
+    2. `Enable-WindowsOptionalFeature -FeatureName NetFx3 -Online`
+       (reboot when asked!)
+    3. `powershell -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Icinga/icinga2/master/doc/win-dev.ps1')"`
+       (will take some time)
 
 This installs everything needed for cloning and building Icinga 2
 on the command line (Powershell) as follows:
@@ -1763,7 +1756,7 @@ mkdir build
 cd .\build\
 
 & "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe" `
-  -DICINGA2_UNITY_BUILD=OFF -DBoost_INCLUDE_DIR=C:\local\boost_1_82_0-Win64 `
+  -DICINGA2_UNITY_BUILD=OFF -DBoost_INCLUDE_DIR=C:\local\boost_1_85_0-Win64 `
   -DBISON_EXECUTABLE=C:\ProgramData\chocolatey\lib\winflexbison3\tools\win_bison.exe `
   -DFLEX_EXECUTABLE=C:\ProgramData\chocolatey\lib\winflexbison3\tools\win_flex.exe ..
 
@@ -1935,16 +1928,16 @@ Download the [boost-binaries](https://sourceforge.net/projects/boost/files/boost
 - 64 for 64 bit builds
 
 ```
-https://sourceforge.net/projects/boost/files/boost-binaries/1.82.0/boost_1_82_0-msvc-14.2-64.exe/download
+https://sourceforge.net/projects/boost/files/boost-binaries/1.85.0/boost_1_85_0-msvc-14.2-64.exe/download
 ```
 
-Run the installer and leave the default installation path in `C:\local\boost_1_82_0`.
+Run the installer and leave the default installation path in `C:\local\boost_1_85_0`.
 
 
 ##### Source & Compile
 
 In order to use the boost development header and library files you need to [download](https://www.boost.org/users/download/)
-Boost and then extract it to e.g. `C:\local\boost_1_82_0`.
+Boost and then extract it to e.g. `C:\local\boost_1_85_0`.
 
 > **Note**
 >
@@ -1952,12 +1945,12 @@ Boost and then extract it to e.g. `C:\local\boost_1_82_0`.
 > the archive contains more than 70k files.
 
 In order to integrate Boost into Visual Studio, open the `Developer Command Prompt` from the start menu,
-and navigate to `C:\local\boost_1_82_0`.
+and navigate to `C:\local\boost_1_85_0`.
 
 Execute `bootstrap.bat` first.
 
 ```
-cd C:\local\boost_1_82_0
+cd C:\local\boost_1_85_0
 bootstrap.bat
 ```
 
@@ -2040,8 +2033,8 @@ You need to specify the previously installed component paths.
 
 Variable              | Value                                                                | Description
 ----------------------|----------------------------------------------------------------------|-------------------------------------------------------
-`BOOST_ROOT`          | `C:\local\boost_1_82_0`                                                    | Root path where you've extracted and compiled Boost.
-`BOOST_LIBRARYDIR`    | Binary: `C:\local\boost_1_82_0\lib64-msvc-14.2`, Source: `C:\local\boost_1_82_0\stage` | Path to the static compiled Boost libraries, directory must contain `lib`.
+`BOOST_ROOT`          | `C:\local\boost_1_85_0`                                                    | Root path where you've extracted and compiled Boost.
+`BOOST_LIBRARYDIR`    | Binary: `C:\local\boost_1_85_0\lib64-msvc-14.2`, Source: `C:\local\boost_1_85_0\stage` | Path to the static compiled Boost libraries, directory must contain `lib`.
 `BISON_EXECUTABLE`    | `C:\ProgramData\chocolatey\lib\winflexbison\tools\win_bison.exe`     | Path to the Bison executable.
 `FLEX_EXECUTABLE`     | `C:\ProgramData\chocolatey\lib\winflexbison\tools\win_flex.exe`      | Path to the Flex executable.
 `ICINGA2_UNITY_BUILD` | OFF                                                                  | Disable unity builds for development environments.
@@ -2076,8 +2069,8 @@ $env:ICINGA2_INSTALLPATH = 'C:\Program Files\Icinga2-debug'
 $env:ICINGA2_BUILDPATH='debug'
 $env:CMAKE_BUILD_TYPE='Debug'
 $env:OPENSSL_ROOT_DIR='C:\OpenSSL-Win64'
-$env:BOOST_ROOT='C:\local\boost_1_82_0'
-$env:BOOST_LIBRARYDIR='C:\local\boost_1_82_0\lib64-msvc-14.2'
+$env:BOOST_ROOT='C:\local\boost_1_85_0'
+$env:BOOST_LIBRARYDIR='C:\local\boost_1_85_0\lib64-msvc-14.2'
 ```
 
 #### Icinga 2 in Visual Studio
@@ -2203,7 +2196,7 @@ Icinga application using a dist tarball (including notes for distributions):
     * Debian/Ubuntu: libpq-dev
     * postgresql-dev on Alpine
 * libedit (CLI console)
-    * RHEL/Fedora: libedit-devel on CentOS (RHEL requires rhel-7-server-optional-rpms)
+    * RHEL/Fedora: libedit-devel (RHEL requires rhel-7-server-optional-rpms)
     * Debian/Ubuntu/Alpine: libedit-dev
 * Termcap (only required if libedit doesn't already link against termcap/ncurses)
     * RHEL/Fedora: libtermcap-devel
@@ -2343,7 +2336,7 @@ for implementation details.
 
 CMake determines the Icinga 2 version number using `git describe` if the
 source directory is contained in a Git repository. Otherwise the version number
-is extracted from the [ICINGA2_VERSION](ICINGA2_VERSION) file. This behavior can be
+is extracted from the `ICINGA2_VERSION` file. This behavior can be
 overridden by creating a file called `icinga-version.h.force` in the source
 directory. Alternatively the `-DICINGA2_GIT_VERSION_INFO=OFF` option for CMake
 can be used to disable the usage of `git describe`.
@@ -2351,7 +2344,7 @@ can be used to disable the usage of `git describe`.
 
 ### Building RPMs <a id="development-package-builds-rpms"></a>
 
-#### Build Environment on RHEL, CentOS, Fedora, Amazon Linux
+#### Build Environment on RHEL, Fedora, Amazon Linux
 
 Setup your build environment:
 
@@ -2407,7 +2400,7 @@ spectool -g ../SPECS/icinga2.spec
 cd $HOME/rpmbuild
 ```
 
-Install the build dependencies. Example for CentOS 7:
+Install the build dependencies:
 
 ```bash
 yum -y install libedit-devel ncurses-devel gcc-c++ libstdc++-devel openssl-devel \
@@ -2436,21 +2429,9 @@ rpmbuild -ba SPECS/icinga2.spec
 The following packages are required to build the SELinux policy module:
 
 * checkpolicy
-* selinux-policy (selinux-policy on CentOS 6, selinux-policy-devel on CentOS 7)
+* selinux-policy-devel
 * selinux-policy-doc
 
-##### RHEL/CentOS 7
-
-The RedHat Developer Toolset is required for building Icinga 2 beforehand.
-This contains a C++ compiler which supports C++17 features.
-
-```bash
-yum install centos-release-scl
-```
-
-Dependencies to devtools-11 are used in the RPM SPEC, so the correct tools
-should be used for building.
-
 ##### Amazon Linux
 
 If you prefer to build packages offline, a suitable Vagrant box is located
@@ -2541,7 +2522,7 @@ chmod +x /etc/init.d/icinga2
 
 Icinga 2 reads a single configuration file which is used to specify all
 configuration settings (global settings, hosts, services, etc.). The
-configuration format is explained in detail in the [doc/](doc/) directory.
+configuration format is explained in detail in the `doc/` directory.
 
 By default `make install` installs example configuration files in
 `/usr/local/etc/icinga2` unless you have specified a different prefix or

doc/22-selinux.md

@@ -116,19 +116,19 @@ The policy provides a role `icinga2adm_r` for confining an user which enables an
 
 SELinux is based on the least level of access required for a service to run. Using booleans you can grant more access in a defined way. The Icinga 2 policy package provides the following booleans.
 
-**icinga2_can_connect_all** 
+**icinga2_can_connect_all**
 
 Having this boolean enabled allows icinga2 to connect to all ports. This can be necessary if you use features which connect to unconfined services, for example the [influxdb writer](14-features.md#influxdb-writer).
 
-**icinga2_run_sudo** 
+**icinga2_run_sudo**
 
 To allow Icinga 2 executing plugins via sudo you can toogle this boolean. It is disabled by default, resulting in error messages like `execvpe(sudo) failed: Permission denied`.
 
-**httpd_can_write_icinga2_command** 
+**httpd_can_write_icinga2_command**
 
 To allow httpd to write to the command pipe of icinga2 this boolean has to be enabled. This is enabled by default, if not needed you can disable it for more security.
 
-**httpd_can_connect_icinga2_api** 
+**httpd_can_connect_icinga2_api**
 
 Enabling this boolean allows httpd to connect to the API of icinga2 (Ports labeled `icinga2_port_t`). This is enabled by default, if not needed you can disable it for more security.
 

doc/23-migrating-from-icinga-1x.md

@@ -1,4 +1,8 @@
-# Migration from Icinga 1.x <a id="migration"></a>
+# Migration from Icinga 1.x or Nagios <a id="migration"></a>
+
+!!! note
+
+    Icinga 1.x was originally a fork of Nagios. The information provided here also applies to Nagios.
 
 ## Configuration Migration <a id="configuration-migration"></a>
 
@@ -804,7 +808,7 @@ define service {
 }
 ```
 
-Icinga 2 supports objects and (global) variables, but does not make a difference 
+Icinga 2 supports objects and (global) variables, but does not make a difference
 between the main configuration file or any other included file.
 
 icinga2.conf:

doc/24-appendix.md

@@ -692,4 +692,3 @@ the [servicegroups](24-appendix.md#schema-livestatus-servicegroups-table-attribu
 
 All [services](24-appendix.md#schema-livestatus-services-table-attributes) table attributes grouped with
 the [hostgroups](24-appendix.md#schema-livestatus-hostgroups-table-attributes) table prefixed with `hostgroup_`.
-

doc/win-dev.ps1

@@ -13,8 +13,8 @@ function ThrowOnNativeFailure {
 
 $VsVersion = 2019
 $MsvcVersion = '14.2'
-$BoostVersion = @(1, 82, 0)
-$OpensslVersion = '3_0_9'
+$BoostVersion = @(1, 86, 0)
+$OpensslVersion = '3_0_15'
 
 switch ($Env:BITS) {
 	32 { }
@@ -91,6 +91,8 @@ if (-not $Env:GITHUB_ACTIONS) {
     ThrowOnNativeFailure
 }
 
+# Disable the progress bar for downloads from the Web, which will speed up the entire download process
+$Global:ProgressPreference = 'SilentlyContinue';
 
 Install-Exe -Url "https://packages.icinga.com/windows/dependencies/boost_$($BoostVersion -join '_')-msvc-${MsvcVersion}-${Env:BITS}.exe" -Dir "C:\local\boost_$($BoostVersion -join '_')-Win${Env:BITS}"
 

etc/icinga2/scripts/mail-host-notification.sh

@@ -165,13 +165,15 @@ if [ -n "$MAILFROM" ] ; then
 
   ## Debian/Ubuntu use mailutils which requires `-a` to append the header
   if [ -f /etc/debian_version ]; then
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
+    | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
   ## Other distributions (RHEL/SUSE/etc.) prefer mailx which sets a sender address with `-r`
   else
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
+    | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
   fi
 
 else
-  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" \
+  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
   | $MAILBIN -s "$SUBJECT" $USEREMAIL
 fi

etc/icinga2/scripts/mail-service-notification.sh

@@ -178,13 +178,15 @@ if [ -n "$MAILFROM" ] ; then
 
   ## Debian/Ubuntu use mailutils which requires `-a` to append the header
   if [ -f /etc/debian_version ]; then
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
+    | $MAILBIN -a "From: $MAILFROM" -s "$SUBJECT" $USEREMAIL
   ## Other distributions (RHEL/SUSE/etc.) prefer mailx which sets a sender address with `-r`
   else
-    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
+    /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
+    | $MAILBIN -r "$MAILFROM" -s "$SUBJECT" $USEREMAIL
   fi
 
 else
-  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" \
+  /usr/bin/printf "%b" "$NOTIFICATION_MESSAGE" | tr -d '\015' \
   | $MAILBIN -s "$SUBJECT" $USEREMAIL
 fi

icinga-app/CMakeLists.txt

@@ -19,7 +19,7 @@ set_target_properties (
   FOLDER Lib
 )
 
-include_directories(${Boost_INCLUDE_DIRS})
+include_directories(SYSTEM ${Boost_INCLUDE_DIRS})
 
 if(ICINGA2_WITH_CHECKER)
   list(APPEND icinga_app_SOURCES $<TARGET_OBJECTS:checker>)
@@ -95,6 +95,8 @@ install(
   RUNTIME DESTINATION ${InstallPath}
 )
 
-install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}\")")
-install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_DATADIR}\")")
-install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_INITRUNDIR}\")")
+if(NOT WIN32)
+  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}\")")
+  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_DATADIR}\")")
+  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_INITRUNDIR}\")")
+endif()

itl/command-plugins.conf

@@ -24,6 +24,10 @@ template CheckCommand "ping-common" {
 			value = "$ping_address$"
 			description = "host to ping"
 		}
+		"--extra-opts" = {
+			value = "$ping_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$ping_wrta$,$ping_wpl$%"
 			description = "warning threshold pair"
@@ -101,6 +105,10 @@ template CheckCommand "fping-common" {
 	]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$fping_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$fping_wrta$,$fping_wpl$%"
 			description = "warning threshold pair"
@@ -169,6 +177,10 @@ object CheckCommand "tcp" {
 			value =  "$tcp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)."
 		}
+		"--extra-opts" = {
+			value = "$tcp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value =  "$tcp_port$"
 			description = "The TCP port number."
@@ -276,6 +288,10 @@ object CheckCommand "ssl" {
 			value = "$ssl_address$"
 			description = "Host address"
 		}
+		"--extra-opts" = {
+			value = "$ssl_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ssl_port$"
 			description ="TCP port (default: 443)"
@@ -321,6 +337,10 @@ object CheckCommand "udp" {
 	]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$udp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-s" = {
 			value = "$udp_send$"
 			required = true
@@ -360,6 +380,11 @@ object CheckCommand "http" {
 			value = "$http_vhost$"
 			description = "Host name argument for servers using host headers (virtual host)"
 		}
+		"--extra-opts" = {
+			set_if = {{ string(macro("$http_extra_opts$")) != "" }}
+			value = "$http_extra_opts$"
+			description = "Read extra plugin options from an ini file"
+		}
 		"-I" = {
 			set_if = {{ string(macro("$http_address$")) != "" }}
 			value = "$http_address$"
@@ -419,12 +444,16 @@ object CheckCommand "http" {
 		}
 		"--sni" = {
 			set_if = "$http_sni$"
-			description = "Enable SSL/TLS hostname extension support (SNI)"
+			description = "Enable SSL/TLS hostname extension support (SNI). This is (normally) the default in modern setups"
 		}
 		"-C" = {
 			value = "$http_certificate$"
 			description = "Minimum number of days a certificate has to be valid. This parameter explicitely sets the port to 443 and ignores the URL if passed."
 		}
+		"--continue-after-certificate" = {
+			set_if = "$http_certificate_continue$"
+			description = "Allows the HTTP check to continue after performing the certificate check. Does nothing unless -C is used"
+		}
 		"-J" = {
 			value = "$http_clientcert$"
 			description = "Name of file contains the client certificate (PEM format)"
@@ -557,6 +586,212 @@ object CheckCommand "http" {
 	vars.http_verbose = false
 }
 
+object CheckCommand "curl" {
+	import "ipv4-or-ipv6"
+
+	command = [ PluginDir + "/check_curl" ]
+
+	arguments += {
+		"--extra-opts" = {
+			value = "$curl_extra_opts$"
+			description = "Read options from an ini file"
+		}
+		"-H" = {
+			value = "$curl_vhost$"
+			description = "Host name argument for servers using host headers (virtual host). Append a port to include it in the header (eg: example.com:5000)"
+		}
+		"-I" = {
+			value = "$curl_ip$"
+			set_if = {{ string(macro("$curl_ip$")) != "" }}
+			description = "IP address or name (use numeric address if possible to bypass DNS lookup)."
+		}
+		"-p" = {
+			value = "$curl_port$"
+			description = "Port number (default: 80)"
+		}
+		"-4" = {
+			set_if = "$curl_ipv4$"
+			description = "Force `check_curl` to use IPv4 instead of choosing automatically"
+		}
+		"-6" = {
+			set_if = "$curl_ipv6$"
+			description = "Force `check_curl` to use IPv6 instead of choosing automatically"
+		}
+		"(-S w/ value)" = {
+			set_if = {{ macro("$curl_tls$") && string(macro("$curl_tls_version$")) != "" }}
+			key = "-S"
+			value = "$curl_tls_version$"
+			description = "Connect via SSL. Port defaults to 443. VERSION is optional, and prevents auto-negotiation"
+		}
+		"(-S w/o value)" = {
+			set_if = {{ macro("$curl_tls$") && string(macro("$curl_tls_version$")) == "" }}
+			key = "-S"
+			description = "Connect via SSL. Port defaults to 443. VERSION is optional, and prevents auto-negotiation"
+		}
+		"--sni" = {
+			set_if = "$curl_sni$"
+			description = "Enable SSL/TLS hostname extension support (SNI). Default if TLS version > 1.0"
+		}
+		"-C" = {
+			value = "$curl_certificate_valid_days_min_warning$,$curl_certificate_valid_days_min_critical$"
+			description = "Minimum number of days a certificate has to be valid."
+		}
+		"--continue-after-certificate" = {
+			value = "$curl_continue_after_certificate$"
+			description = "Allows the HTTP check to continue after performing the certificate check. Does nothing unless -C is used."
+		}
+		"-J" = {
+			value = "$curl_client_certificate_file$"
+			description = "Name of file that contains the client certificate (PEM format) to be used in establishing the SSL session"
+		}
+		"-K" = {
+			value = "$curl_client_certificate_key_file$"
+			description = "Name of file containing the private key (PEM format) matching the client certificate"
+		}
+		"--ca-cert" = {
+			value = "$curl_ca_cert_file$"
+			description = "CA certificate file to verify peer against"
+		}
+		"-D" = {
+			set_if = "$curl_verify_peer_cert$"
+			description = "Verify the peer's SSL certificate and hostname"
+		}
+		"-e" = {
+			value = "$curl_expect_string$"
+			description = "Comma-delimited list of strings, at least one of them is expected in the first (status) line of the server response (default: HTTP/), If specified skips all other status line logic (ex: 3xx, 4xx, 5xx processing)"
+		}
+		"-d" = {
+			value = "$curl_expect_header_string$"
+			description = "String to expect in the response headers"
+		}
+		"-s" = {
+			value = "$curl_expect_content_string$"
+			description = "String to expect in the content"
+		}
+		"-u" = {
+			value = "$curl_url$"
+			description = "URL to GET or POST (default: /)"
+		}
+		"-P" = {
+			value = "$curl_post_data$"
+			description = "URL encoded http POST data"
+		}
+		"-j" = {
+			value = "$curl_http_method$"
+			description = "Set HTTP method (for example: HEAD, OPTIONS, TRACE, PUT, DELETE, CONNECT)"
+		}
+		"-N" = {
+			value = "$curl_no_body$"
+			description = "Don't wait for document body: stop reading after headers. (Note that this still does an HTTP GET or POST, not a HEAD.)"
+		}
+		"-M" = {
+			value = "$curl_max_age$"
+			description = "Warn if document is more than SECONDS old. the number can also be of the form '10m' for minutes, '10h' for hours, or '10d' for days."
+		}
+		"-T" = {
+			value = "$curl_content_type$"
+			description = "specify Content-Type header media type when POSTing"
+		}
+		"-l" = {
+			value = "$curl_linespan$"
+			description = "Allow regex to span newlines (must precede -r or -R)"
+		}
+		"-r" = {
+			value = "$curl_ereg$"
+			description = "Search page for regex STRING"
+		}
+		"-R" = {
+			value = "$curl_eregi$"
+			description = "Search page for case-insensitive regex STRING"
+		}
+		"--invert-regex" = {
+			set_if = "$curl_invert_regex$"
+			description = "When using regex, return CRITICAL if found, OK if not"
+		}
+		"--state-regex" = {
+			value = "$curl_state_regex$"
+			description = "Return STATE if regex is found, OK if not"
+		}
+		"-a" = {
+			value = "$curl_authorization$"
+			description = "Username:password on sites with basic authentication"
+		}
+		"-b" = {
+			value = "$curl_proxy_authorization$"
+			description = "Username:password on proxy-servers with basic authentication"
+		}
+		"-A" = {
+			value = "$curl_user_agent$"
+			description = "String to be sent in http header as 'User Agent'"
+		}
+		"-k" = {
+			value = "$curl_header$"
+			repeat_key = true
+			description = "Any other tags to be sent in http header. Use multiple times for additional headers"
+		}
+		"-E" = {
+			set_if = "$curl_extended_perfdata$"
+			description = "Print additional performance data"
+		}
+		"-B" = {
+			set_if = "$curl_show_body$"
+			description = "Print body content below status line"
+		}
+		"-L" = {
+			set_if = "$curl_link$"
+			description = "Wrap output in HTML link (obsoleted by urlize)"
+		}
+		"-f" = {
+			value = "$curl_onredirect$"
+			description = "Options: <ok|warning|critical|follow|sticky|stickyport|curl> How to handle redirected pages."
+		}
+		"--max-redirs" = {
+			value = "$curl_max_redirs$"
+			description = "Maximal number of redirects (default: 15)"
+		}
+		"-m" = {
+			value = "$curl_pagesize$"
+			description = "Minimum page size required (bytes) : Maximum page size required (bytes)"
+		}
+		"--http-version" = {
+			value = "$curl_http_version$"
+			description = "Connect via specific HTTP protocol. 1.0 = HTTP/1.0, 1.1 = HTTP/1.1, 2.0 = HTTP/2 (HTTP/2 will fail without -S)"
+		}
+		"--enable-automatic-decompression" = {
+			set_if = "$curl_enable_automatic_decompression$"
+			description = "Enable automatic decompression of body (CURLOPT_ACCEPT_ENCODING)."
+		}
+		"--haproxy-protocol" = {
+			set_if = "$curl_haproxy_protocol$"
+			description = "Send HAProxy proxy protocol v1 header (CURLOPT_HAPROXYPROTOCOL)"
+		}
+		"--cookie-jar" = {
+			value = "$curl_cookie_jar_file$"
+			description = "Store cookies in the cookie jar file and send them out when requested."
+		}
+		"-w" = {
+			value = "$curl_warning$"
+			description = "Response time to result in warning status (seconds)"
+		}
+		"-c" = {
+			value = "$curl_critical$"
+			description = "Response time to result in critical status (seconds)"
+		}
+		"-t" = {
+			value = "$curl_timeout$"
+			description = "Seconds before connection times out (default: 10)"
+		}
+	}
+
+	vars.curl_ip = "$check_address$"
+	vars.curl_link = false
+	vars.curl_invert_regex = false
+	vars.curl_show_body = false
+	vars.curl_extended_perfdata = false
+	vars.check_ipv4 = "$curl_ipv4$"
+	vars.check_ipv6 = "$curl_ipv6$"
+}
+
 object CheckCommand "ftp" {
 	import "ipv4-or-ipv6"
 
@@ -567,6 +802,10 @@ object CheckCommand "ftp" {
 			value = "$ftp_address$"
 			description = "The host's address. Defaults to $address$ or $address6$ if the address attribute is not set."
 		}
+		"--extra-opts" = {
+			value = "$ftp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ftp_port$"
 			description = "The FTP port number. Defaults to none"
@@ -670,6 +909,10 @@ object CheckCommand "smtp" {
 			value = "$smtp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$smtp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$smtp_port$"
 			description = "Port number (default: 25)"
@@ -755,6 +998,10 @@ object CheckCommand "ssmtp" {
 			value = "$ssmtp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$ssmtp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ssmtp_port$"
 			description = "Port number (default: none)"
@@ -844,6 +1091,10 @@ object CheckCommand "imap" {
 			value = "$imap_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$imap_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$imap_port$"
 			description = "Port number (default: none)"
@@ -933,6 +1184,10 @@ object CheckCommand "simap" {
 			value = "$simap_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$simap_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$simap_port$"
 			description = "Port number (default: none)"
@@ -1022,6 +1277,10 @@ object CheckCommand "pop" {
 			value = "$pop_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$pop_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$pop_port$"
 			description = "Port number (default: none)"
@@ -1111,6 +1370,10 @@ object CheckCommand "spop" {
 			value = "$spop_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$spop_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$spop_port$"
 			description = "Port number (default: none)"
@@ -1200,6 +1463,10 @@ object CheckCommand "ntp_time" {
 			value = "$ntp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$ntp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ntp_port$"
 			description = "Port number (default: 123)"
@@ -1249,6 +1516,10 @@ object CheckCommand "ntp_peer" {
 			value = "$ntp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$ntp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ntp_port$"
 			description = "Port number (default: 123)"
@@ -1314,6 +1585,10 @@ object CheckCommand "ssh" {
 	command = [ PluginDir + "/check_ssh" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$ssh_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ssh_port$"
 			description = "Port number (default: 22)"
@@ -1335,6 +1610,14 @@ object CheckCommand "ssh" {
 			set_if = "$ssh_ipv6$"
 			description = "Use IPv6 connection"
 		}
+		"-r" = {
+			value = "$ssh_remote_version$"
+			description = "Alert if string doesn't match expected server version (ex: OpenSSH_3.9p1)"
+		}
+		"-P" = {
+			value = "$ssh_remote_protocol$"
+			description = "Alert if protocol doesn't match expected protocol version (ex: 2.0)"
+		}
 	}
 
 	vars.ssh_address = "$check_address$"
@@ -1346,6 +1629,10 @@ object CheckCommand "disk" {
 	command = [ PluginDir + "/check_disk" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$disk_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$disk_wfree$"
 			description = "Exit with WARNING status if less than INTEGER units of disk are free or Exit with WARNING status if less than PERCENT of disk space is free"
@@ -1372,6 +1659,10 @@ object CheckCommand "disk" {
 			description = "Display inode usage in perfdata"
 			set_if = "$disk_inode_perfdata$"
 		}
+		"--inode-perfdata" = {
+			description = "Enable performance data for inode-based statistics (nagios-plugins)"
+			set_if = "$disk_np_inode_perfdata$"
+		}
 		"-p" = {
 			value = "$disk_partitions$"
 			description = "Path or partition (may be repeated)"
@@ -1491,9 +1782,11 @@ object CheckCommand "disk" {
 		"mtmfs",
 		"tracefs",
 		"cgroup",
+		"fuse.*", // only Monitoring Plugins support this so far
 		"fuse.gvfsd-fuse",
 		"fuse.gvfs-fuse-daemon",
 		"fuse.portal",
+		"fuse.sshfs",
 		"fdescfs",
 		"overlay",
 		"nsfs",
@@ -1551,6 +1844,10 @@ object CheckCommand "users" {
 	command = [ PluginDir + "/check_users" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$users_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$users_wgreater$"
 			description = "Set WARNING status if more than INTEGER users are logged in"
@@ -1569,6 +1866,10 @@ object CheckCommand "procs" {
 	command = [ PluginDir + "/check_procs" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$procs_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$procs_warning$"
 			description = "Generate warning state if metric is outside this range"
@@ -1625,6 +1926,10 @@ object CheckCommand "procs" {
 			value = "$procs_command$"
 			description = "Only scan for exact matches of COMMAND (without path)"
 		}
+		"-X" = {
+			value = "$procs_exclude_process$"
+			description = "Exclude processes which match this comma separated list"
+		}
 		"-k" = {
 			set_if = "$procs_nokthreads$"
 			description = "Only scan for non kernel threads"
@@ -1641,6 +1946,10 @@ object CheckCommand "swap" {
 	command = [ PluginDir + "/check_swap" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$swap_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {{
 			if (macro("$swap_integer$")) {
 				return macro("$swap_wfree$")
@@ -1675,6 +1984,10 @@ object CheckCommand "load" {
 	command = [ PluginDir + "/check_load" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$load_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$load_wload1$,$load_wload5$,$load_wload15$"
 			description = "Exit with WARNING status if load average exceeds WLOADn"
@@ -1708,6 +2021,10 @@ object CheckCommand "snmp" {
 			value = "$snmp_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$snmp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-o" = {
 			value = "$snmp_oid$"
 			description = "Object identifier(s) or SNMP variables whose value you wish to query"
@@ -1768,6 +2085,10 @@ object CheckCommand "snmp" {
 			value = "$snmp_miblist$"
 			description = "List of MIBS to be loaded (default = none if using numeric OIDs or 'ALL' for symbolic OIDs.)"
 		}
+		"-M" = {
+			value = "$snmp_multiplier$"
+			description = "Multiplies current value, 0 < n < 1 works as divider, defaults to 1"
+		}
 		"--rate-multiplier" = {
 			value = "$snmp_rate_multiplier$"
 			description = "Converts rate per second. For example, set to 60 to convert to per minute"
@@ -1820,6 +2141,10 @@ object CheckCommand "snmpv3" {
 			value = "$snmpv3_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$snmpv3_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$snmpv3_port$"
 			description = "Port number"
@@ -1896,6 +2221,10 @@ object CheckCommand "snmpv3" {
 			value = "$snmpv3_miblist$"
 			description = "List of SNMP MIBs for translating OIDs between numeric and textual representation"
 		}
+		"-M" = {
+			value = "$snmpv3_multiplier$"
+			description = "Multiplies current value, 0 < n < 1 works as divider, defaults to 1"
+		}
 		"-u" = {
 			value = "$snmpv3_units$"
 			description = "Units label(s) for output data (e.g., 'sec.')"
@@ -2001,6 +2330,10 @@ object CheckCommand "dhcp" {
 	command = [ PluginDir + "/check_dhcp" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$dhcp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-s" = {
 			value = "$dhcp_serverip$"
 			description = "IP address of DHCP server that we must hear from"
@@ -2040,6 +2373,10 @@ object CheckCommand "dns" {
 			value = "$dns_lookup$"
 			description = "The name or address you want to query."
 		}
+		"--extra-opts" = {
+			value = "$dns_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-s" = {
 			value = "$dns_server$"
 			description = "Optional DNS server you want to use for the lookup."
@@ -2092,6 +2429,10 @@ object CheckCommand "dig" {
 			value = "$dig_server$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$dig_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$dig_port$"
 			description = "Port number (default: 53)"
@@ -2150,6 +2491,10 @@ object CheckCommand "nscp" {
 			value = "$nscp_address$"
 			description = "Name of the host to check"
 		}
+		"--extra-opts" = {
+			value = "$nscp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$nscp_port$"
 			description = "Optional port number (default: 1248)"
@@ -2201,6 +2546,10 @@ object CheckCommand "by_ssh" {
 			value = "$by_ssh_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$by_ssh_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$by_ssh_port$"
 			description = "Port number (default: none)"
@@ -2278,6 +2627,10 @@ object CheckCommand "ups" {
 			description = "Address of the upsd server"
 			required = true
 		}
+		"--extra-opts" = {
+			value = "$ups_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-u" = {
 			value = "$ups_name$"
 			description = "Name of the UPS to monitor"
@@ -2415,6 +2768,10 @@ object CheckCommand "hpjd" {
 			value = "$hpjd_address$"
 			description = "Host address"
 		}
+		"--extra-opts" = {
+			value = "$hpjd_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-C" = {
 			value = "$hpjd_community$"
 			description = "The SNMP community name (default=public)"
@@ -2438,6 +2795,10 @@ object CheckCommand "icmp" {
 			order = 1
 			description = "Host address"
 		}
+		"--extra-opts" = {
+			value = "$icmp_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-w" = {
 			value = "$icmp_wrta$,$icmp_wpl$%"
 			description = "warning threshold (currently 200.000ms,10%)"
@@ -2497,6 +2858,10 @@ object CheckCommand "ldap" {
 			value = "$ldap_address$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$ldap_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$ldap_port$"
 			description = "Port number (default: 389)"
@@ -2576,6 +2941,10 @@ object CheckCommand "clamd" {
 			description = "The host's address or unix socket (must be an absolute path)."
 			required = true
 		}
+		"--extra-opts" = {
+			value = "$clamd_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-p" = {
 			value = "$clamd_port$"
 			description = "Port number (default: none)."
@@ -2720,6 +3089,10 @@ object CheckCommand "pgsql" {
 			value = "$pgsql_hostname$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$pgsql_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-P" = {
 			value = "$pgsql_port$"
 			description = "Port number (default: 5432)"
@@ -2784,6 +3157,10 @@ object CheckCommand "mysql" {
 			value = "$mysql_hostname$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$mysql_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-P" = {
 			value = "$mysql_port$"
 			description = "Port number (default: 3306)"
@@ -2945,6 +3322,10 @@ object CheckCommand "smart" {
 	command = [ PluginDir + "/check_ide_smart" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$smart_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-d" = {
 			value = "$smart_device$"
 			description = "Name of a local hard drive to monitor"
@@ -3007,6 +3388,10 @@ object CheckCommand "game" {
 	command = [ PluginDir + "/check_game" ]
 
 	arguments = {
+		"--extra-opts" = {
+			value = "$game_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-P" = {
 			value = "$game_port$"
 			description = "Port to connect to"
@@ -3060,6 +3445,10 @@ object CheckCommand "mysql_query" {
 			value = "$mysql_query_hostname$"
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$mysql_query_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-P" = {
 			value = "$mysql_query_port$"
 			description = "Port number (default: 3306)"
@@ -3113,6 +3502,10 @@ object CheckCommand "radius" {
 			value = "$radius_address$",
 			description = "Host name, IP Address, or unix socket (must be an absolute path)"
 		}
+		"--extra-opts" = {
+			value = "$radius_extra_opts$"
+			description = "Read extra plugin options from an ini file."
+		}
 		"-F" = {
 			value = "$radius_config_file$",
 			description = "Configuration file"

itl/plugins-contrib.d/systemd.conf

@@ -1,42 +1,10 @@
 /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
 
 object CheckCommand "systemd" {
-	command = [ PluginContribDir + "/check_systemd.py" ]
+	command = [ PluginContribDir + "/check_systemd" ]
 
 	arguments = {
-		"--unit" = {
-			value = "$systemd_unit$"
-			description = "Name of the systemd unit that is being tested."
-		}
-		"--exclude" = {
-			value = "$systemd_exclude_unit$"
-			description = "Exclude a systemd unit from the checks. This option can be applied multiple times. Also supports regular expressions."
-			repeat_key = true
-		}
-		"--no-startup-time" = {
-			set_if = "$systemd_no_startup_time$"
-			description = "Don’t check the startup time. Using this option the options `systemd_warning` and `systemd_critical` have no effect. (Default: `false`)"
-		}
-		"--warning" = {
-			value = "$systemd_warning$"
-			description = "Startup time in seconds to result in a warning status. (Default: `60s`)"
-		}
-		"--critical" = {
-			value = "$systemd_critical$"
-			description = "Startup time in seconds to result in a critical status. (Default: `120s`)"
-		}
-		"--dead-timers" = {
-			set_if = "$systemd_dead_timers$"
-			description = "Detect dead / inactive timers. (Default: `false`)"
-		}
-		"--dead-timers-warning" = {
-			value = "$systemd_dead_timers_warning$"
-			description = "Time ago in seconds for dead / inactive timers to trigger a warning state (by default 6 days)."
-		}
-		"--dead-timers-critical" = {
-			value = "$systemd_dead_timers_critical$"
-			description = "Time ago in seconds for dead / inactive timers to trigger a critical state (by default 7 days)."
-		}
+		/* General options */
 		"-v" = {
 			set_if = {{ macro("$systemd_verbose_level$") == 1 }}
 			description = "Increase verbosity level (Accepted values: `1`, `2` or `3`). Defaults to none."
@@ -47,5 +15,85 @@ object CheckCommand "systemd" {
 		"-vvv" = {
 			set_if = {{ macro("$systemd_verbose_level$") == 3 }}
 		}
+
+		/* Options related to unit selection */
+		"--ignore-inactive-state" = {
+			set_if = "$systemd_ignore_inactive_state$"
+			description = "Ignore an inactive state on a specific unit. Only affective if used with `systemd_unit`."
+		}
+		"--include" = {
+			value = "$systemd_include$"
+			description = "Include systemd units to the checks, regular expressions are supported. This option can be applied multiple times."
+			repeat_key = true
+		}
+		"--unit" = {
+			value = "$systemd_unit$"
+			description = "Name of the systemd unit that is being tested."
+		}
+		"--include-type" = {
+			value = "$systemd_include_type$"
+			description = "Unit types to be tested (for example: `service`, `timer`). This option can be applied multiple times."
+			repeat_key = true
+		}
+		"--exclude" = {
+			value = "$systemd_exclude_unit$"
+			description = "Exclude a systemd unit from the checks, regular expressions are supported. This option can be applied multiple times."
+			repeat_key = true
+		}
+		"--exclude-unit" = {
+			value = "$systemd_exclude_unit_name$"
+			description = "Exclude a systemd unit from the checks. This option can be applied multiple times."
+			repeat_key = true
+		}
+		"--exclude-type" = {
+			value = "$systemd_exclude_type$"
+			description = "Exclude a systemd unit type (for example: `service`, `timer`)"
+		}
+		"--state" = {
+			value = "$systemd_state$"
+			description = "Specify the active state that the systemd unit must have (for example: `active`, `inactive`)"
+		}
+
+		/* Timers related options */
+		"--dead-timers" = {
+			set_if = "$systemd_dead_timers$"
+			description = "Detect dead / inactive timers, see `systemd_dead_timers_{warning,critical}`. (Default `false`)"
+		}
+		"--dead-timers-warning" = {
+			value = "$systemd_dead_timers_warning$"
+			description = "Time ago in seconds for dead / inactive timers to trigger a warning state. (Default 6 days)"
+		}
+		"--dead-timers-critical" = {
+			value = "$systemd_dead_timers_critical$"
+			description = "Time ago in seconds for dead / inactive timers to trigger a critical state. (Default 7 days)"
+		}
+
+		/* Startup time related options */
+		"--no-startup-time" = {
+			set_if = "$systemd_no_startup_time$"
+			description = "Don't check the startup time. Using this option, the options `systemd_{warning,critical}` have no effect. (Default `false`)"
+		}
+		"--warning" = {
+			value = "$systemd_warning$"
+			description = "Startup time in seconds to result in a warning status. (Default 60 seconds)"
+		}
+		"--critical" = {
+			value = "$systemd_critical$"
+			description = "Startup time in seconds to result in a critical status. (Default 120 seconds)"
+		}
+
+		/* Monitoring data acquisition */
+		"--dbus" = {
+			set_if = "$systemd_dbus$"
+			description = "Use systemd's D-Bus API instead of parsing command output. Only partially implemented!"
+		}
+		"--cli" = {
+			set_if = "$systemd_cli$"
+			description = "Use text output from parsing command output. (Default)"
+		}
+		"--user" = {
+			set_if = "$systemd_user$"
+			description = "Also show user (systemctl --user) units."
+		}
 	}
 }

itl/plugins-contrib.d/vmware.conf

@@ -421,6 +421,10 @@ object CheckCommand "vmware-esx-soap-host-net" {
 		"--isregexp" = {
 			set_if = "$vmware_isregexp$"
 		}
+		"--unplugged_nics_state" = {
+			value = "$vmware_unplugged_nics_state$"
+			description = "Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)"
+		}
 	}
 }
 
@@ -467,6 +471,10 @@ object CheckCommand "vmware-esx-soap-host-net-nic" {
 		"--isregexp" = {
 			set_if = "$vmware_isregexp$"
 		}
+		"--unplugged_nics_state" = {
+			value = "$vmware_unplugged_nics_state$"
+			description = "Sets status for unplugged nics (Possible values are: [OK | ok] or [CRITICAL | critical | CRIT | crit] or [WARNING | warning | WARN | warn]. Default is WARNING. Values are case insensitive.)"
+		}
 	}
 }
 

itl/plugins-contrib.d/web.conf

@@ -396,13 +396,9 @@ object CheckCommand "ssl_cert" {
 			value = "$ssl_cert_critical$"
 			description = "Minimum number of days a certificate has to be valid to issue a critical status"
 		}
-		"-n" = {
+		"--match" = {
 			value = "$ssl_cert_cn$"
-			description = "Pattern to match the CN of the certificate"
-		}
-		"--altnames" = {
-			set_if = "$ssl_cert_altnames$"
-			description = "Matches the pattern specified in -n with alternate"
+			description = "Pattern to match the CN or AltNames of the certificate"
 		}
 		"-i" = {
 			value = "$ssl_cert_issuer$"
@@ -444,6 +440,10 @@ object CheckCommand "ssl_cert" {
 			value = "$ssl_cert_protocol$"
 			description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
 		}
+		"--url" = {
+				value = "$ssl_cert_http_url$"
+				description = "HTTP request URL (default: /)"
+		}
 		"-C" = {
 			value = "$ssl_cert_clientssl_cert$"
 			description = "Use client certificate to authenticate"
@@ -578,11 +578,25 @@ object CheckCommand "ssl_cert" {
 			set_if = "$ssl_cert_ignore_tls_renegotiation$"
 			description = "Do not check for renegotiation"
 		}
+		"--maximum-validity" = {
+			value = "$ssl_cert_maximum_validity$"
+			description = "The maximum validity of the certificate in days (default: 397)"
+		}
+		"--dane" = {
+			value = "$ssl_cert_dane$"
+			description = "verify that valid DANE records exist (since OpenSSL 1.1.0)"
+			repeat_key = false
+		}
+		"--ignore-maximum-validity" = {
+			description = "Ignore the certificate maximum validity"
+			set_if = "$ssl_cert_ignore_maximum_validity$"
+                }
 
 	}
 
 	vars.ssl_cert_address = "$check_address$"
 	vars.ssl_cert_port = 443
+	vars.ssl_cert_cn = "$ssl_cert_altnames$"
 }
 
 object CheckCommand "varnish" {

lib/base/CMakeLists.txt

@@ -38,6 +38,7 @@ set(base_SOURCES
   filelogger.cpp filelogger.hpp filelogger-ti.hpp
   function.cpp function.hpp function-ti.hpp function-script.cpp functionwrapper.hpp
   initialize.cpp initialize.hpp
+  intrusive-ptr.hpp
   io-engine.cpp io-engine.hpp
   journaldlogger.cpp journaldlogger.hpp journaldlogger-ti.hpp
   json.cpp json.hpp json-script.cpp
@@ -130,7 +131,7 @@ if(HAVE_SYSTEMD)
   find_path(SYSTEMD_INCLUDE_DIR
     NAMES systemd/sd-daemon.h
     HINTS ${SYSTEMD_ROOT_DIR})
-  include_directories(${SYSTEMD_INCLUDE_DIR})
+  include_directories(SYSTEM ${SYSTEMD_INCLUDE_DIR})
   set_property(
     SOURCE ${CMAKE_CURRENT_SOURCE_DIR}/journaldlogger.cpp
     APPEND PROPERTY COMPILE_DEFINITIONS
@@ -140,13 +141,13 @@ endif()
 
 add_library(base OBJECT ${base_SOURCES})
 
-include_directories(${icinga2_SOURCE_DIR}/third-party/execvpe)
+include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/execvpe)
 link_directories(${icinga2_BINARY_DIR}/third-party/execvpe)
 
-include_directories(${icinga2_SOURCE_DIR}/third-party/mmatch)
+include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/mmatch)
 link_directories(${icinga2_BINARY_DIR}/third-party/mmatch)
 
-include_directories(${icinga2_SOURCE_DIR}/third-party/socketpair)
+include_directories(SYSTEM ${icinga2_SOURCE_DIR}/third-party/socketpair)
 link_directories(${icinga2_BINARY_DIR}/third-party/socketpair)
 
 set_target_properties (
@@ -154,7 +155,9 @@ set_target_properties (
   FOLDER Lib
 )
 
-install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_CACHEDIR}\")")
-install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}/crash\")")
+if(NOT WIN32)
+  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_CACHEDIR}\")")
+  install(CODE "file(MAKE_DIRECTORY \"\$ENV{DESTDIR}${ICINGA2_FULL_LOGDIR}/crash\")")
+endif()
 
 set(CPACK_NSIS_EXTRA_INSTALL_COMMANDS "${CPACK_NSIS_EXTRA_INSTALL_COMMANDS}" PARENT_SCOPE)

lib/base/atomic.hpp

@@ -12,7 +12,12 @@ namespace icinga
 {
 
 /**
- * Extends std::atomic with an atomic constructor.
+ * Like std::atomic, but enforces usage of its only safe constructor.
+ *
+ * "The default-initialized std::atomic<T> does not contain a T object,
+ * and its only valid uses are destruction and
+ * initialization by std::atomic_init, see LWG issue 2334."
+ *  -- https://en.cppreference.com/w/cpp/atomic/atomic/atomic
  *
  * @ingroup base
  */
@@ -20,24 +25,12 @@ template<class T>
 class Atomic : public std::atomic<T> {
 public:
 	/**
-	 * Like std::atomic#atomic, but operates atomically
+	 * The only safe constructor of std::atomic#atomic
 	 *
 	 * @param desired Initial value
 	 */
-	inline Atomic(T desired)
+	inline Atomic(T desired) : std::atomic<T>(desired)
 	{
-		this->store(desired);
-	}
-
-	/**
-	 * Like std::atomic#atomic, but operates atomically
-	 *
-	 * @param desired Initial value
-	 * @param order Initial store operation's memory order
-	 */
-	inline Atomic(T desired, std::memory_order order)
-	{
-		this->store(desired, order);
 	}
 };
 

lib/base/boolean-script.cpp

@@ -23,4 +23,3 @@ Object::Ptr Boolean::GetPrototype()
 
 	return prototype;
 }
-

lib/base/boolean.cpp

@@ -6,4 +6,3 @@
 using namespace icinga;
 
 REGISTER_BUILTIN_TYPE(Boolean, Boolean::GetPrototype());
-

lib/base/configobject-script.cpp

@@ -33,4 +33,3 @@ Object::Ptr ConfigObject::GetPrototype()
 
 	return prototype;
 }
-

lib/base/configtype.hpp

@@ -9,11 +9,13 @@
 #include "base/dictionary.hpp"
 #include <shared_mutex>
 #include <unordered_map>
+#include <boost/signals2.hpp>
 
 namespace icinga
 {
 
 class ConfigObject;
+class ConfigItems;
 
 class ConfigType
 {
@@ -48,6 +50,13 @@ for (const auto& object : objects) {
 
 	int GetObjectCount() const;
 
+	/**
+	 * Signal that allows hooking into the config loading process just before ConfigObject::OnAllConfigLoaded() is
+	 * called for a bunch of objects. A vector of pointers to these objects is passed as an argument. All elements
+	 * are of the object type the signal is called on.
+	 */
+	boost::signals2::signal<void (const ConfigItems&)> BeforeOnAllConfigLoaded;
+
 private:
 	typedef std::unordered_map<String, intrusive_ptr<ConfigObject> > ObjectMap;
 	typedef std::vector<intrusive_ptr<ConfigObject> > ObjectVector;

lib/base/datetime-script.cpp

@@ -25,4 +25,3 @@ Object::Ptr DateTime::GetPrototype()
 
 	return prototype;
 }
-

lib/base/debuginfo.cpp

@@ -95,4 +95,3 @@ void icinga::ShowCodeLocation(std::ostream& out, const DebugInfo& di, bool verbo
 		}
 	}
 }
-

lib/base/defer.hpp

@@ -22,6 +22,8 @@ public:
 	{
 	}
 
+	Defer() = default;
+
 	Defer(const Defer&) = delete;
 	Defer(Defer&&) = delete;
 	Defer& operator=(const Defer&) = delete;
@@ -39,6 +41,11 @@ public:
 		}
 	}
 
+	inline void SetFunc(std::function<void()> func)
+	{
+		m_Func = std::move(func);
+	}
+
 	inline
 	void Cancel()
 	{

lib/base/dependencygraph.cpp

@@ -5,46 +5,68 @@
 using namespace icinga;
 
 std::mutex DependencyGraph::m_Mutex;
-std::map<Object *, std::map<Object *, int> > DependencyGraph::m_Dependencies;
+DependencyGraph::DependencyMap DependencyGraph::m_Dependencies;
 
-void DependencyGraph::AddDependency(Object *parent, Object *child)
+void DependencyGraph::AddDependency(ConfigObject* child, ConfigObject* parent)
 {
 	std::unique_lock<std::mutex> lock(m_Mutex);
-	m_Dependencies[child][parent]++;
+	if (auto [it, inserted] = m_Dependencies.insert(Edge(parent, child)); !inserted) {
+		m_Dependencies.modify(it, [](Edge& e) { e.count++; });
+	}
 }
 
-void DependencyGraph::RemoveDependency(Object *parent, Object *child)
+void DependencyGraph::RemoveDependency(ConfigObject* child, ConfigObject* parent)
 {
 	std::unique_lock<std::mutex> lock(m_Mutex);
 
-	auto& refs = m_Dependencies[child];
-	auto it = refs.find(parent);
-
-	if (it == refs.end())
-		return;
-
-	it->second--;
-
-	if (it->second == 0)
-		refs.erase(it);
-
-	if (refs.empty())
-		m_Dependencies.erase(child);
-}
-
-std::vector<Object::Ptr> DependencyGraph::GetParents(const Object::Ptr& child)
-{
-	std::vector<Object::Ptr> objects;
-
-	std::unique_lock<std::mutex> lock(m_Mutex);
-	auto it = m_Dependencies.find(child.get());
-
-	if (it != m_Dependencies.end()) {
-		typedef std::pair<Object *, int> kv_pair;
-		for (const kv_pair& kv : it->second) {
-			objects.emplace_back(kv.first);
+	if (auto it(m_Dependencies.find(Edge(parent, child))); it != m_Dependencies.end()) {
+		if (it->count > 1) {
+			// Remove a duplicate edge from child to node, i.e. decrement the corresponding counter.
+			m_Dependencies.modify(it, [](Edge& e) { e.count--; });
+		} else {
+			// Remove the last edge from child to node (decrementing the counter would set it to 0),
+			// thus remove that connection from the data structure completely.
+			m_Dependencies.erase(it);
 		}
 	}
+}
+
+/**
+ * Returns all the parent objects of the given child object.
+ *
+ * @param child The child object.
+ *
+ * @returns A list of the parent objects.
+ */
+std::vector<ConfigObject::Ptr> DependencyGraph::GetParents(const ConfigObject::Ptr& child)
+{
+	std::vector<ConfigObject::Ptr> objects;
+
+	std::unique_lock lock(m_Mutex);
+	auto [begin, end] = m_Dependencies.get<2>().equal_range(child.get());
+	std::transform(begin, end, std::back_inserter(objects), [](const Edge& edge) {
+		return edge.parent;
+	});
+
+	return objects;
+}
+
+/**
+ * Returns all the dependent objects of the given parent object.
+ *
+ * @param parent The parent object.
+ *
+ * @returns A list of the dependent objects.
+ */
+std::vector<ConfigObject::Ptr> DependencyGraph::GetChildren(const ConfigObject::Ptr& parent)
+{
+	std::vector<ConfigObject::Ptr> objects;
+
+	std::unique_lock lock(m_Mutex);
+	auto [begin, end] = m_Dependencies.get<1>().equal_range(parent.get());
+	std::transform(begin, end, std::back_inserter(objects), [](const Edge& edge) {
+		return edge.child;
+	});
 
 	return objects;
 }

lib/base/dependencygraph.hpp

@@ -4,8 +4,10 @@
 #define DEPENDENCYGRAPH_H
 
 #include "base/i2-base.hpp"
-#include "base/object.hpp"
-#include <map>
+#include "base/configobject.hpp"
+#include <boost/multi_index_container.hpp>
+#include <boost/multi_index/hashed_index.hpp>
+#include <boost/multi_index/member.hpp>
 #include <mutex>
 
 namespace icinga {
@@ -18,15 +20,84 @@ namespace icinga {
 class DependencyGraph
 {
 public:
-	static void AddDependency(Object *parent, Object *child);
-	static void RemoveDependency(Object *parent, Object *child);
-	static std::vector<Object::Ptr> GetParents(const Object::Ptr& child);
+	static void AddDependency(ConfigObject* child, ConfigObject* parent);
+	static void RemoveDependency(ConfigObject* child, ConfigObject* parent);
+	static std::vector<ConfigObject::Ptr> GetParents(const ConfigObject::Ptr& child);
+	static std::vector<ConfigObject::Ptr> GetChildren(const ConfigObject::Ptr& parent);
 
 private:
 	DependencyGraph();
 
+	/**
+	 * Represents an undirected dependency edge between two objects.
+	 *
+	 * It allows to traverse the graph in both directions, i.e. from parent to child and vice versa.
+	 */
+	struct Edge
+	{
+		ConfigObject* parent; // The parent object of the child one.
+		ConfigObject* child; // The dependent object of the parent.
+		// Counter for the number of parent <-> child edges to allow duplicates.
+		int count;
+
+		Edge(ConfigObject* parent, ConfigObject* child, int count = 1): parent(parent), child(child), count(count)
+		{
+		}
+
+		struct Hash
+		{
+			/**
+			 * Generates a unique hash of the given Edge object.
+			 *
+			 * Note, the hash value is generated only by combining the hash values of the parent and child pointers.
+			 *
+			 * @param edge The Edge object to be hashed.
+			 *
+			 * @return size_t The resulting hash value of the given object.
+			 */
+			size_t operator()(const Edge& edge) const
+			{
+				size_t seed = 0;
+				boost::hash_combine(seed, edge.parent);
+				boost::hash_combine(seed, edge.child);
+
+				return seed;
+			}
+		};
+
+		struct Equal
+		{
+			/**
+			 * Compares whether the two Edge objects contain the same parent and child pointers.
+			 *
+			 * Note, the member property count is not taken into account for equality checks.
+			 *
+			 * @param a The first Edge object to compare.
+			 * @param b The second Edge object to compare.
+			 *
+			 * @return bool Returns true if the two objects are equal, false otherwise.
+			 */
+			bool operator()(const Edge& a, const Edge& b) const
+			{
+				return a.parent == b.parent && a.child == b.child;
+			}
+		};
+	};
+
+	using DependencyMap = boost::multi_index_container<
+		Edge, // The value type we want to sore in the container.
+		boost::multi_index::indexed_by<
+			// The first indexer is used for lookups by the Edge from child to parent, thus it
+			// needs its own hash function and comparison predicate.
+			boost::multi_index::hashed_unique<boost::multi_index::identity<Edge>, Edge::Hash, Edge::Equal>,
+			// These two indexers are used for lookups by the parent and child pointers.
+			boost::multi_index::hashed_non_unique<boost::multi_index::member<Edge, ConfigObject*, &Edge::parent>>,
+			boost::multi_index::hashed_non_unique<boost::multi_index::member<Edge, ConfigObject*, &Edge::child>>
+		>
+	>;
+
 	static std::mutex m_Mutex;
-	static std::map<Object *, std::map<Object *, int> > m_Dependencies;
+	static DependencyMap m_Dependencies;
 };
 
 }

lib/base/dictionary-script.cpp

@@ -116,4 +116,3 @@ Object::Ptr Dictionary::GetPrototype()
 
 	return prototype;
 }
-

lib/base/dictionary.cpp

@@ -67,6 +67,20 @@ bool Dictionary::Get(const String& key, Value *result) const
 	return true;
 }
 
+/**
+ * Retrieves a value's address from a dictionary.
+ *
+ * @param key The key whose value's address should be retrieved.
+ * @returns nullptr if the key was not found.
+ */
+const Value * Dictionary::GetRef(const String& key) const
+{
+	std::shared_lock<std::shared_timed_mutex> lock (m_DataMutex);
+	auto it (m_Data.find(key));
+
+	return it == m_Data.end() ? nullptr : &it->second;
+}
+
 /**
  * Sets a value in the dictionary.
  *
@@ -300,4 +314,3 @@ Dictionary::Iterator icinga::end(const Dictionary::Ptr& x)
 {
 	return x->End();
 }
-

lib/base/dictionary.hpp

@@ -42,6 +42,7 @@ public:
 
 	Value Get(const String& key) const;
 	bool Get(const String& key, Value *result) const;
+	const Value * GetRef(const String& key) const;
 	void Set(const String& key, Value value, bool overrideFrozen = false);
 	bool Contains(const String& key) const;
 

lib/base/fifo.cpp

@@ -54,26 +54,11 @@ void FIFO::Optimize()
 	}
 }
 
-size_t FIFO::Peek(void *buffer, size_t count, bool allow_partial)
-{
-	ASSERT(allow_partial);
-
-	if (count > m_DataSize)
-		count = m_DataSize;
-
-	if (buffer)
-		std::memcpy(buffer, m_Buffer + m_Offset, count);
-
-	return count;
-}
-
 /**
  * Implements IOQueue::Read.
  */
-size_t FIFO::Read(void *buffer, size_t count, bool allow_partial)
+size_t FIFO::Read(void *buffer, size_t count)
 {
-	ASSERT(allow_partial);
-
 	if (count > m_DataSize)
 		count = m_DataSize;
 

lib/base/fifo.hpp

@@ -23,8 +23,7 @@ public:
 
 	~FIFO() override;
 
-	size_t Peek(void *buffer, size_t count, bool allow_partial = false) override;
-	size_t Read(void *buffer, size_t count, bool allow_partial = false) override;
+	size_t Read(void *buffer, size_t count) override;
 	void Write(const void *buffer, size_t count) override;
 	void Close() override;
 	bool IsEof() const override;

lib/base/function-script.cpp

@@ -47,4 +47,3 @@ Object::Ptr Function::GetPrototype()
 
 	return prototype;
 }
-

lib/base/initialize.cpp

@@ -10,4 +10,3 @@ bool icinga::InitializeOnceHelper(const std::function<void()>& func, InitializeP
 	Loader::AddDeferredInitializer(func, priority);
 	return true;
 }
-

lib/base/initialize.hpp

@@ -23,6 +23,7 @@ enum class InitializePriority {
 	RegisterBuiltinTypes,
 	RegisterFunctions,
 	RegisterTypes,
+	SortTypes,
 	EvaluateConfigFragments,
 	Default,
 	FreezeNamespaces,

lib/base/intrusive-ptr.hpp

@@ -0,0 +1,22 @@
+/* Icinga 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+#pragma once
+
+#include "base/i2-base.hpp"
+#include <memory>
+#include <boost/smart_ptr/intrusive_ptr.hpp>
+#include <boost/version.hpp>
+
+// std::hash is only implemented starting from Boost 1.74. Implement it ourselves for older version to allow using
+// boost::intrusive_ptr inside std::unordered_set<> or as the key of std::unordered_map<>.
+// https://github.com/boostorg/smart_ptr/commit/5a18ffdc5609a0e64b63e47cb81c4f0847e0c087
+#if BOOST_VERSION < 107400
+template<class T>
+struct std::hash<boost::intrusive_ptr<T>>
+{
+	std::size_t operator()(const boost::intrusive_ptr<T>& ptr) const noexcept
+	{
+		return std::hash<T*>{}(ptr.get());
+	}
+};
+#endif /* BOOST_VERSION < 107400 */

lib/base/io-engine.cpp

@@ -146,9 +146,14 @@ void AsioConditionVariable::Wait(boost::asio::yield_context yc)
 	m_Timer.async_wait(yc[ec]);
 }
 
+/**
+ * Cancels any pending timeout callback.
+ *
+ * Must be called in the strand in which the callback was scheduled!
+ */
 void Timeout::Cancel()
 {
-	m_Cancelled.store(true);
+	m_Cancelled->store(true);
 
 	boost::system::error_code ec;
 	m_Timer.cancel(ec);

lib/base/io-engine.hpp

@@ -3,10 +3,12 @@
 #ifndef IO_ENGINE_H
 #define IO_ENGINE_H
 
+#include "base/atomic.hpp"
+#include "base/debug.hpp"
 #include "base/exception.hpp"
 #include "base/lazy-init.hpp"
 #include "base/logger.hpp"
-#include "base/shared-object.hpp"
+#include "base/shared.hpp"
 #include <atomic>
 #include <exception>
 #include <memory>
@@ -109,8 +111,7 @@ public:
 					// https://github.com/boostorg/coroutine/issues/39
 					throw;
 				} catch (const std::exception& ex) {
-					Log(LogCritical, "IoEngine", "Exception in coroutine!");
-					Log(LogDebug, "IoEngine") << "Exception in coroutine: " << DiagnosticInformation(ex);
+					Log(LogCritical, "IoEngine") << "Exception in coroutine: " << DiagnosticInformation(ex);
 				} catch (...) {
 					Log(LogCritical, "IoEngine", "Exception in coroutine!");
 				}
@@ -164,51 +165,80 @@ private:
 /**
  * I/O timeout emulator
  *
+ * This class provides a workaround for Boost.ASIO's lack of built-in timeout support.
+ * While Boost.ASIO handles asynchronous operations, it does not natively support timeouts for these operations.
+ * This class uses a boost::asio::deadline_timer to emulate a timeout by scheduling a callback to be triggered
+ * after a specified duration, effectively adding timeout behavior where none exists.
+ * The callback is executed within the provided strand, ensuring thread-safety.
+ *
+ * The constructor returns immediately after scheduling the timeout callback.
+ * The callback itself is invoked asynchronously when the timeout occurs.
+ * This allows the caller to continue execution while the timeout is running in the background.
+ *
+ * The class provides a Cancel() method to unschedule any pending callback. If the callback has already been run,
+ * calling Cancel() has no effect. This method can be used to abort the timeout early if the monitored operation
+ * completes before the callback has been run. The Timeout destructor also automatically cancels any pending callback.
+ * A callback is considered pending even if the timeout has already expired,
+ * but the callback has not been executed yet due to a busy strand.
+ *
  * @ingroup base
  */
-class Timeout : public SharedObject
+class Timeout
 {
 public:
-	DECLARE_PTR_TYPEDEFS(Timeout);
+	using Timer = boost::asio::deadline_timer;
 
-	template<class Executor, class TimeoutFromNow, class OnTimeout>
-	Timeout(boost::asio::io_context& io, Executor& executor, TimeoutFromNow timeoutFromNow, OnTimeout onTimeout)
-		: m_Timer(io)
+	/**
+	 * Schedules onTimeout to be triggered after timeoutFromNow on strand.
+	 *
+	 * @param strand The strand in which the callback will be executed.
+	 *				 The caller must also run in this strand, as well as Cancel() and the destructor!
+	 * @param timeoutFromNow The duration after which the timeout callback will be triggered.
+	 * @param onTimeout The callback to invoke when the timeout occurs.
+	 */
+	template<class OnTimeout>
+	Timeout(boost::asio::io_context::strand& strand, const Timer::duration_type& timeoutFromNow, OnTimeout onTimeout)
+		: m_Timer(strand.context(), timeoutFromNow), m_Cancelled(Shared<Atomic<bool>>::Make(false))
 	{
-		Ptr keepAlive (this);
+		VERIFY(strand.running_in_this_thread());
 
-		m_Cancelled.store(false);
-		m_Timer.expires_from_now(std::move(timeoutFromNow));
-
-		IoEngine::SpawnCoroutine(executor, [this, keepAlive, onTimeout](boost::asio::yield_context yc) {
-			if (m_Cancelled.load()) {
-				return;
-			}
-
-			{
-				boost::system::error_code ec;
-
-				m_Timer.async_wait(yc[ec]);
-
-				if (ec) {
-					return;
+		m_Timer.async_wait(boost::asio::bind_executor(
+			strand, [cancelled = m_Cancelled, onTimeout = std::move(onTimeout)](boost::system::error_code ec) {
+				if (!ec && !cancelled->load()) {
+					onTimeout();
 				}
 			}
+		));
+	}
 
-			if (m_Cancelled.load()) {
-				return;
-			}
+	Timeout(const Timeout&) = delete;
+	Timeout(Timeout&&) = delete;
+	Timeout& operator=(const Timeout&) = delete;
+	Timeout& operator=(Timeout&&) = delete;
 
-			auto f (onTimeout);
-			f(std::move(yc));
-		});
+	/**
+	 * Cancels any pending timeout callback.
+	 *
+	 * Must be called in the strand in which the callback was scheduled!
+	 */
+	~Timeout()
+	{
+		Cancel();
 	}
 
 	void Cancel();
 
 private:
-	boost::asio::deadline_timer m_Timer;
-	std::atomic<bool> m_Cancelled;
+	Timer m_Timer;
+
+	/**
+	 * Indicates whether the Timeout has been cancelled.
+	 *
+	 * This must be Shared<> between the lambda in the constructor and Cancel() for the case
+	 * the destructor calls Cancel() while the lambda is already queued in the strand.
+	 * The whole Timeout instance can't be kept alive by the lambda because this would delay the destructor.
+	 */
+	Shared<Atomic<bool>>::Ptr m_Cancelled;
 };
 
 }

lib/base/loader.cpp

@@ -35,4 +35,3 @@ void Loader::AddDeferredInitializer(const std::function<void()>& callback, Initi
 
 	initializers->push(DeferredInitializer(callback, priority));
 }
-

lib/base/logger.hpp

@@ -121,7 +121,10 @@ public:
 	template<typename T>
 	Log& operator<<(const T& val)
 	{
-		m_Buffer << val;
+		if (!m_IsNoOp) {
+			m_Buffer << val;
+		}
+
 		return *this;
 	}
 

lib/base/logger.ti

@@ -9,7 +9,7 @@ namespace icinga
 
 abstract class Logger : ConfigObject
 {
-	[config, virtual] String severity {
+	[config, set_virtual] String severity {
 		default {{{ return "information"; }}}
 	};
 };

lib/base/namespace-script.cpp

@@ -81,4 +81,3 @@ Object::Ptr Namespace::GetPrototype()
 
 	return prototype;
 }
-

lib/base/namespace.cpp

@@ -186,4 +186,3 @@ Namespace::Iterator icinga::end(const Namespace::Ptr& x)
 {
 	return x->End();
 }
-

lib/base/networkstream.cpp

@@ -23,12 +23,10 @@ void NetworkStream::Close()
  * @param count The number of bytes to read from the queue.
  * @returns The number of bytes actually read.
  */
-size_t NetworkStream::Read(void *buffer, size_t count, bool allow_partial)
+size_t NetworkStream::Read(void *buffer, size_t count)
 {
 	size_t rc;
 
-	ASSERT(allow_partial);
-
 	if (m_Eof)
 		BOOST_THROW_EXCEPTION(std::invalid_argument("Tried to read from closed socket."));
 

lib/base/networkstream.hpp

@@ -22,7 +22,7 @@ public:
 
 	NetworkStream(Socket::Ptr socket);
 
-	size_t Read(void *buffer, size_t count, bool allow_partial = false) override;
+	size_t Read(void *buffer, size_t count) override;
 	void Write(const void *buffer, size_t count) override;
 
 	void Close() override;

lib/base/number-script.cpp

@@ -22,4 +22,3 @@ Object::Ptr Number::GetPrototype()
 
 	return prototype;
 }
-

lib/base/number.cpp

@@ -6,4 +6,3 @@
 using namespace icinga;
 
 REGISTER_BUILTIN_TYPE(Number, Number::GetPrototype());
-

lib/base/object-script.cpp

@@ -42,4 +42,3 @@ Object::Ptr Object::GetPrototype()
 
 	return prototype;
 }
-

lib/base/object.hpp

@@ -5,6 +5,7 @@
 
 #include "base/i2-base.hpp"
 #include "base/debug.hpp"
+#include "base/intrusive-ptr.hpp"
 #include <boost/smart_ptr/intrusive_ptr.hpp>
 #include <atomic>
 #include <cstddef>
@@ -27,7 +28,7 @@ class String;
 struct DebugInfo;
 class ValidationUtils;
 
-extern Value Empty;
+extern const Value Empty;
 
 #define DECLARE_PTR_TYPEDEFS(klass) \
 	typedef intrusive_ptr<klass> Ptr

lib/base/objecttype.cpp

@@ -54,4 +54,3 @@ ObjectFactory ObjectType::GetFactory() const
 {
 	return DefaultObjectFactory<Object>;
 }
-

lib/base/perfdatavalue.cpp

@@ -259,6 +259,10 @@ PerfdataValue::Ptr PerfdataValue::Parse(const String& perfdata)
 
 	double value = Convert::ToDouble(tokens[0].SubStr(0, pos));
 
+	if (!std::isfinite(value)) {
+		BOOST_THROW_EXCEPTION(std::invalid_argument("Invalid performance data value: " + perfdata + " is outside of any reasonable range"));
+	}
+
 	bool counter = false;
 	String unit;
 	Value warn, crit, min, max;
@@ -363,20 +367,27 @@ String PerfdataValue::Format() const
 
 	result << unit;
 
+	std::string interm(";");
 	if (!GetWarn().IsEmpty()) {
-		result << ";" << Convert::ToString(GetWarn());
+		result << interm << Convert::ToString(GetWarn());
+		interm.clear();
+	}
 
-		if (!GetCrit().IsEmpty()) {
-			result << ";" << Convert::ToString(GetCrit());
+	interm += ";";
+	if (!GetCrit().IsEmpty()) {
+		result << interm << Convert::ToString(GetCrit());
+		interm.clear();
+	}
 
-			if (!GetMin().IsEmpty()) {
-				result << ";" << Convert::ToString(GetMin());
+	interm += ";";
+	if (!GetMin().IsEmpty()) {
+		result << interm << Convert::ToString(GetMin());
+		interm.clear();
+	}
 
-				if (!GetMax().IsEmpty()) {
-					result << ";" << Convert::ToString(GetMax());
-				}
-			}
-		}
+	interm += ";";
+	if (!GetMax().IsEmpty()) {
+		result << interm << Convert::ToString(GetMax());
 	}
 
 	return result.str();

lib/base/primitivetype.cpp

@@ -61,4 +61,3 @@ ObjectFactory PrimitiveType::GetFactory() const
 {
 	return m_Factory;
 }
-

lib/base/process.cpp

@@ -19,6 +19,7 @@
 #ifndef _WIN32
 #	include <execvpe.h>
 #	include <poll.h>
+#	include <signal.h>
 #	include <string.h>
 
 #	ifndef __APPLE__
@@ -170,6 +171,17 @@ static Value ProcessSpawnImpl(struct msghdr *msgh, const Dictionary::Ptr& reques
 		}
 #endif /* HAVE_NICE */
 
+		{
+			struct sigaction sa;
+			memset(&sa, 0, sizeof(sa));
+
+			sa.sa_handler = SIG_DFL;
+
+			for (int sig = 1; sig <= 31; ++sig) {
+				(void)sigaction(sig, &sa, nullptr);
+			}
+		}
+
 		sigset_t mask;
 		sigemptyset(&mask);
 		sigprocmask(SIG_SETMASK, &mask, nullptr);
@@ -1075,7 +1087,9 @@ bool Process::DoEvents()
 				Log(LogWarning, "Process")
 					<< "Couldn't kill the process group " << m_PID << " (" << PrettyPrintArguments(m_Arguments)
 					<< "): [errno " << error << "] " << strerror(error);
-				could_not_kill = true;
+				if (error != ESRCH) {
+					could_not_kill = true;
+				}
 			}
 #endif /* _WIN32 */
 

lib/base/process.hpp

@@ -5,6 +5,7 @@
 
 #include "base/i2-base.hpp"
 #include "base/dictionary.hpp"
+#include <cstdint>
 #include <iosfwd>
 #include <deque>
 #include <vector>
@@ -25,7 +26,7 @@ struct ProcessResult
 	pid_t PID;
 	double ExecutionStart;
 	double ExecutionEnd;
-	long ExitStatus;
+	int_fast64_t ExitStatus;
 	String Output;
 };
 

lib/base/registry.hpp

@@ -23,16 +23,6 @@ class Registry
 public:
 	typedef std::map<String, T> ItemMap;
 
-	void RegisterIfNew(const String& name, const T& item)
-	{
-		std::unique_lock<std::mutex> lock(m_Mutex);
-
-		if (m_Items.find(name) != m_Items.end())
-			return;
-
-		RegisterInternal(name, item, lock);
-	}
-
 	void Register(const String& name, const T& item)
 	{
 		std::unique_lock<std::mutex> lock(m_Mutex);
@@ -40,38 +30,6 @@ public:
 		RegisterInternal(name, item, lock);
 	}
 
-	void Unregister(const String& name)
-	{
-		size_t erased;
-
-		{
-			std::unique_lock<std::mutex> lock(m_Mutex);
-			erased = m_Items.erase(name);
-		}
-
-		if (erased > 0)
-			OnUnregistered(name);
-	}
-
-	void Clear()
-	{
-		typename Registry<U, T>::ItemMap items;
-
-		{
-			std::unique_lock<std::mutex> lock(m_Mutex);
-			items = m_Items;
-		}
-
-		for (const auto& kv : items) {
-			OnUnregistered(kv.first);
-		}
-
-		{
-			std::unique_lock<std::mutex> lock(m_Mutex);
-			m_Items.clear();
-		}
-	}
-
 	T GetItem(const String& name) const
 	{
 		std::unique_lock<std::mutex> lock(m_Mutex);

lib/base/scriptglobal.cpp

@@ -107,4 +107,3 @@ void ScriptGlobal::WriteToFile(const String& filename)
 	sfp->Close();
 	fp.Commit();
 }
-

lib/base/scriptutils.cpp

@@ -520,7 +520,7 @@ String ScriptUtils::MsiGetComponentPathShim(const String& component)
 
 Array::Ptr ScriptUtils::TrackParents(const Object::Ptr& child)
 {
-	return Array::FromVector(DependencyGraph::GetParents(child));
+	return Array::FromVector(DependencyGraph::GetChildren(dynamic_pointer_cast<ConfigObject>(child)));
 }
 
 double ScriptUtils::Ptr(const Object::Ptr& object)

lib/base/shared.hpp

@@ -4,6 +4,7 @@
 #define SHARED_H
 
 #include "base/atomic.hpp"
+#include "base/intrusive-ptr.hpp"
 #include <boost/smart_ptr/intrusive_ptr.hpp>
 #include <cstdint>
 #include <utility>

lib/base/stdiostream.cpp

@@ -21,7 +21,7 @@ StdioStream::~StdioStream()
 	Close();
 }
 
-size_t StdioStream::Read(void *buffer, size_t size, bool allow_partial)
+size_t StdioStream::Read(void *buffer, size_t size)
 {
 	ObjectLock olock(this);
 

lib/base/stdiostream.hpp

@@ -18,7 +18,7 @@ public:
 	StdioStream(std::iostream *innerStream, bool ownsStream);
 	~StdioStream() override;
 
-	size_t Read(void *buffer, size_t size, bool allow_partial = false) override;
+	size_t Read(void *buffer, size_t size) override;
 	void Write(const void *buffer, size_t size) override;
 
 	void Close() override;

lib/base/stream.cpp

@@ -29,11 +29,6 @@ void Stream::Shutdown()
 	BOOST_THROW_EXCEPTION(std::runtime_error("Stream does not support Shutdown()."));
 }
 
-size_t Stream::Peek(void *buffer, size_t count, bool allow_partial)
-{
-	BOOST_THROW_EXCEPTION(std::runtime_error("Stream does not support Peek()."));
-}
-
 void Stream::SignalDataAvailable()
 {
 	OnDataAvailable(this);
@@ -129,7 +124,7 @@ bool StreamReadContext::FillFromStream(const Stream::Ptr& stream, bool may_wait)
 		if (stream->IsEof())
 			break;
 
-		size_t rc = stream->Read(Buffer + Size, 4096, true);
+		size_t rc = stream->Read(Buffer + Size, 4096);
 
 		Size += rc;
 		count += rc;

lib/base/stream.hpp

@@ -54,27 +54,15 @@ class Stream : public Object
 public:
 	DECLARE_PTR_TYPEDEFS(Stream);
 
-	/**
-	 * Reads data from the stream without removing it from the stream buffer.
-	 *
-	 * @param buffer The buffer where data should be stored. May be nullptr if you're
-	 *		 not actually interested in the data.
-	 * @param count The number of bytes to read from the queue.
-	 * @param allow_partial Whether to allow partial reads.
-	 * @returns The number of bytes actually read.
-	 */
-	virtual size_t Peek(void *buffer, size_t count, bool allow_partial = false);
-
 	/**
 	 * Reads data from the stream.
 	 *
 	 * @param buffer The buffer where data should be stored. May be nullptr if you're
 	 *		 not actually interested in the data.
 	 * @param count The number of bytes to read from the queue.
-	 * @param allow_partial Whether to allow partial reads.
 	 * @returns The number of bytes actually read.
 	 */
-	virtual size_t Read(void *buffer, size_t count, bool allow_partial = false) = 0;
+	virtual size_t Read(void *buffer, size_t count) = 0;
 
 	/**
 	 * Writes data to the stream.

lib/base/string-script.cpp

@@ -135,4 +135,3 @@ Object::Ptr String::GetPrototype()
 
 	return prototype;
 }
-

lib/base/string.cpp

@@ -33,7 +33,7 @@ String::String(const String& other)
 	: m_Data(other)
 { }
 
-String::String(String&& other)
+String::String(String&& other) noexcept
 	: m_Data(std::move(other.m_Data))
 { }
 
@@ -47,7 +47,7 @@ String::String(Value&& other)
 String& String::operator=(Value&& other)
 {
 	if (other.IsString())
-		m_Data = std::move(other.Get<String>());
+		*this = std::move(other.Get<String>()); // Will atomically bind to the move assignment operator below.
 	else
 		*this = static_cast<String>(other);
 
@@ -66,7 +66,7 @@ String& String::operator=(const String& rhs)
 	return *this;
 }
 
-String& String::operator=(String&& rhs)
+String& String::operator=(String&& rhs) noexcept
 {
 	m_Data = std::move(rhs.m_Data);
 	return *this;

lib/base/string.hpp

@@ -44,7 +44,7 @@ public:
 	String(std::string data);
 	String(String::SizeType n, char c);
 	String(const String& other);
-	String(String&& other);
+	String(String&& other) noexcept;
 
 #ifndef _MSC_VER
 	String(Value&& other);
@@ -56,7 +56,7 @@ public:
 	{ }
 
 	String& operator=(const String& rhs);
-	String& operator=(String&& rhs);
+	String& operator=(String&& rhs) noexcept;
 	String& operator=(Value&& rhs);
 	String& operator=(const std::string& rhs);
 	String& operator=(const char *rhs);

lib/base/tlsstream.cpp

@@ -7,6 +7,8 @@
 #include "base/logger.hpp"
 #include "base/configuration.hpp"
 #include "base/convert.hpp"
+#include "base/defer.hpp"
+#include "base/io-engine.hpp"
 #include <boost/asio/ssl/context.hpp>
 #include <boost/asio/ssl/verify_context.hpp>
 #include <boost/asio/ssl/verify_mode.hpp>
@@ -18,14 +20,48 @@
 
 using namespace icinga;
 
-bool UnbufferedAsioTlsStream::IsVerifyOK() const
+/**
+ * Checks whether the TLS handshake was completed with a valid peer certificate.
+ *
+ * @return true if the peer presented a valid certificate, false otherwise
+ */
+bool UnbufferedAsioTlsStream::IsVerifyOK()
 {
-	return m_VerifyOK;
+	if (!SSL_is_init_finished(native_handle())) {
+		// handshake was not completed
+		return false;
+	}
+
+	if (GetPeerCertificate() == nullptr) {
+		// no peer certificate was sent
+		return false;
+	}
+
+	return SSL_get_verify_result(native_handle()) == X509_V_OK;
 }
 
-String UnbufferedAsioTlsStream::GetVerifyError() const
+/**
+ * Returns a human-readable error string for situations where IsVerifyOK() returns false.
+ *
+ * If the handshake was completed and a peer certificate was provided,
+ * the string additionally contains the OpenSSL verification error code.
+ *
+ * @return string containing the error message
+ */
+String UnbufferedAsioTlsStream::GetVerifyError()
 {
-	return m_VerifyError;
+	if (!SSL_is_init_finished(native_handle())) {
+		return "handshake not completed";
+	}
+
+	if (GetPeerCertificate() == nullptr) {
+		return "no peer certificate provided";
+	}
+
+	std::ostringstream buf;
+	long err = SSL_get_verify_result(native_handle());
+	buf << "code " << err << ": " << X509_verify_cert_error_string(err);
+	return buf.str();
 }
 
 std::shared_ptr<X509> UnbufferedAsioTlsStream::GetPeerCertificate()
@@ -43,17 +79,17 @@ void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
 
 	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
 
-	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {
-		if (!preverified) {
-			m_VerifyOK = false;
-
-			std::ostringstream msgbuf;
-			int err = X509_STORE_CTX_get_error(ctx.native_handle());
-
-			msgbuf << "code " << err << ": " << X509_verify_cert_error_string(err);
-			m_VerifyError = msgbuf.str();
-		}
+	set_verify_callback([](bool preverified, ssl::verify_context& ctx) {
+		(void) preverified;
+		(void) ctx;
 
+		/* Continue the handshake even if an invalid peer certificate was presented. The verification result has to be
+		 * checked using the IsVerifyOK() method.
+		 *
+		 * Such connections are used for the initial enrollment of nodes where they use a self-signed certificate to
+		 * send a certificate request and receive their valid certificate after approval (manually by the administrator
+		 * or using a certificate ticket).
+		 */
 		return true;
 	});
 
@@ -69,3 +105,62 @@ void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
 	}
 #endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */
 }
+
+/**
+ * Forcefully close the connection, typically (details are up to the operating system) using a TCP RST.
+ */
+void AsioTlsStream::ForceDisconnect()
+{
+	if (!lowest_layer().is_open()) {
+		// Already disconnected, nothing to do.
+		return;
+	}
+
+	boost::system::error_code ec;
+
+	// Close the socket. In case the connection wasn't shut down cleanly by GracefulDisconnect(), the operating system
+	// will typically terminate the connection with a TCP RST. Otherwise, this just releases the file descriptor.
+	lowest_layer().close(ec);
+}
+
+/**
+ * Try to cleanly shut down the connection. This involves sending a TLS close_notify shutdown alert and terminating the
+ * underlying TCP connection. Sending these additional messages can block, hence the method takes a yield context and
+ * internally implements a timeout of 10 seconds for the operation after which the connection is forcefully terminated
+ * using ForceDisconnect().
+ *
+ * @param strand Asio strand used for other operations on this connection.
+ * @param yc Yield context for Asio coroutines
+ */
+void AsioTlsStream::GracefulDisconnect(boost::asio::io_context::strand& strand, boost::asio::yield_context& yc)
+{
+	if (!lowest_layer().is_open()) {
+		// Already disconnected, nothing to do.
+		return;
+	}
+
+	{
+		Timeout shutdownTimeout (strand, boost::posix_time::seconds(10),
+			[this] {
+				// Forcefully terminate the connection if async_shutdown() blocked more than 10 seconds.
+				ForceDisconnect();
+			}
+		);
+
+		// Close the TLS connection, effectively uses SSL_shutdown() to send a close_notify shutdown alert to the peer.
+		boost::system::error_code ec;
+		next_layer().async_shutdown(yc[ec]);
+	}
+
+	if (!lowest_layer().is_open()) {
+		// Connection got closed in the meantime, most likely by the timeout, so nothing more to do.
+		return;
+	}
+
+	// Shut down the TCP connection.
+	boost::system::error_code ec;
+	lowest_layer().shutdown(lowest_layer_type::shutdown_both, ec);
+
+	// Clean up the connection (closes the file descriptor).
+	ForceDisconnect();
+}

lib/base/tlsstream.hpp

@@ -70,12 +70,12 @@ class UnbufferedAsioTlsStream : public AsioTcpTlsStream
 public:
 	inline
 	UnbufferedAsioTlsStream(UnbufferedAsioTlsStreamParams& init)
-		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_VerifyOK(true), m_Hostname(init.Hostname)
+		: AsioTcpTlsStream(init.IoContext, init.SslContext), m_Hostname(init.Hostname)
 	{
 	}
 
-	bool IsVerifyOK() const;
-	String GetVerifyError() const;
+	bool IsVerifyOK();
+	String GetVerifyError();
 	std::shared_ptr<X509> GetPeerCertificate();
 
 	template<class... Args>
@@ -97,8 +97,6 @@ public:
 	}
 
 private:
-	bool m_VerifyOK;
-	String m_VerifyError;
 	String m_Hostname;
 
 	void BeforeHandshake(handshake_type type);
@@ -113,6 +111,9 @@ public:
 	{
 	}
 
+	void ForceDisconnect();
+	void GracefulDisconnect(boost::asio::io_context::strand& strand, boost::asio::yield_context& yc);
+
 private:
 	inline
 	AsioTlsStream(UnbufferedAsioTlsStreamParams init)

lib/base/tlsutility.cpp

@@ -11,6 +11,8 @@
 #include <boost/asio/ssl/context.hpp>
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
+#include <openssl/ssl.h>
+#include <openssl/ssl3.h>
 #include <fstream>
 
 namespace icinga
@@ -91,6 +93,18 @@ static void InitSslContext(const Shared<boost::asio::ssl::context>::Ptr& context
 
 	flags |= SSL_OP_CIPHER_SERVER_PREFERENCE;
 
+#ifdef LIBRESSL_VERSION_NUMBER
+	flags |= SSL_OP_NO_CLIENT_RENEGOTIATION;
+#elif OPENSSL_VERSION_NUMBER < 0x10100000L
+	SSL_CTX_set_info_callback(sslContext, [](const SSL* ssl, int where, int) {
+		if (where & SSL_CB_HANDSHAKE_DONE) {
+			ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+		}
+	});
+#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+	flags |= SSL_OP_NO_RENEGOTIATION;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
 	SSL_CTX_set_options(sslContext, flags);
 
 	SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
@@ -714,7 +728,7 @@ String GetIcingaCADir()
 	return Configuration::DataDir + "/ca";
 }
 
-std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject)
+std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, bool ca)
 {
 	char errbuf[256];
 
@@ -751,7 +765,7 @@ std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject)
 	EVP_PKEY *privkey = EVP_PKEY_new();
 	EVP_PKEY_assign_RSA(privkey, rsa);
 
-	return CreateCert(pubkey, subject, X509_get_subject_name(cacert.get()), privkey, false);
+	return CreateCert(pubkey, subject, X509_get_subject_name(cacert.get()), privkey, ca);
 }
 
 std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert)
@@ -760,24 +774,37 @@ std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert)
 	return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()));
 }
 
+static inline
+bool CertExpiresWithin(X509* cert, int seconds)
+{
+	time_t renewalStart = time(nullptr) + seconds;
+
+	return X509_cmp_time(X509_get_notAfter(cert), &renewalStart) < 0;
+}
+
 bool IsCertUptodate(const std::shared_ptr<X509>& cert)
 {
-	time_t now;
-	time(&now);
+	if (CertExpiresWithin(cert.get(), RENEW_THRESHOLD)) {
+		return false;
+	}
 
 	/* auto-renew all certificates which were created before 2017 to force an update of the CA,
 	 * because Icinga versions older than 2.4 sometimes create certificates with an invalid
 	 * serial number. */
 	time_t forceRenewalEnd = 1483228800; /* January 1st, 2017 */
-	time_t renewalStart = now + RENEW_THRESHOLD;
 
-	return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) != -1 && X509_cmp_time(X509_get_notAfter(cert.get()), &renewalStart) != -1;
+	return X509_cmp_time(X509_get_notBefore(cert.get()), &forceRenewalEnd) >= 0;
 }
 
-String CertificateToString(const std::shared_ptr<X509>& cert)
+bool IsCaUptodate(X509* cert)
+{
+	return !CertExpiresWithin(cert, LEAF_VALID_FOR);
+}
+
+String CertificateToString(X509* cert)
 {
 	BIO *mem = BIO_new(BIO_s_mem());
-	PEM_write_bio_X509(mem, cert.get());
+	PEM_write_bio_X509(mem, cert);
 
 	char *data;
 	long len = BIO_get_mem_data(mem, &data);
@@ -1012,16 +1039,7 @@ int GetCertificateVersion(const std::shared_ptr<X509>& cert)
 
 String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert)
 {
-	int alg;
 	int sign_alg;
-	X509_PUBKEY *key;
-	X509_ALGOR *algor;
-
-	key = X509_get_X509_PUBKEY(cert.get());
-
-	X509_PUBKEY_get0_param(nullptr, nullptr, 0, &algor, key); //TODO: Error handling
-
-	alg = OBJ_obj2nid (algor->algorithm);
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	sign_alg = OBJ_obj2nid((cert.get())->sig_alg->algorithm);