What's coming in 5.1

First off, I hope all you guys are staying safe in these tough times! Our team is split in Santa Clara and Berlin and we are doing well!

5.1 will be a quick release. There are a bunch of security related fixes but the main feature is the integration of turn addon/service into the platform. This will help us get the video conference apps in asap since it's the need of the hour.

https://vikunja.io/
https://code.vikunja.io/

We are continuing to work on getting many more of the apps published, see the WIP tag. Thanks to the community for really helping us out here!

CHANGE IN PLANS: As mentioned in the 5.4 post, we decided to release some of the features listed here in an intermediary release. I have marked the features below as such.

UPDATE 2: There is now a 5.5

UPDATE 3: There is now a 5.6

6.0 will be a feature rich release:

• Focal support
• Mailbox sharing - we tried IMAP based mailbox sharing but this doesn't work well for the apps we have. We will instead make it such that a single mailbox can have multiple owners.
• Optimize WP and Nextcloud installations. This is not directly related to box code but we want to speeden things up and optimize the configs since we have a large number of installs with these 2 apps. @MooCloud_Matt has given us a lot of ideas to work with here.
• Unified dashboard for multiple cloudron setups - This will provide a unified auth across cloudron setups plus a single dashboard to control multiple cloudrons. Details are still being worked on and I will post it once I have more info.
• Fix access control for service provider setups - There's a few small issues. Service providers wants admin flag per app, better control of SFTP user management and also to unify PHPMyAdmin across apps. We will see what we can do.
• Mail - Full text search via IMAP (solr integration)

Already released

• (5.4) Dark mode for dashboard
• (5.4) File manager UI to edit the files inside apps. For the initial version, one can only view and edit the files under /app/data (i.e one cannot view the files in the read-only parts of the file system. this is because of some technical reasons)
• (5.5) Backup upload/download speed - Currently, backups can be quite slow but we have some ideas to speed it up
• (5.4) Allow admin to lock email and display name globally. This essentially makes the LDAP directory non-editable by normal users.
• (5.5) Allow backup and update time to be set. Currently, this is all hard coded and it's causing problems for people working in the night
• (5.6) Mail: Configurable mail server settings - whitelist/blacklist, max message size, tls configuration. In the next release after 6.0, we will make spam settings configurable.

For the coming weeks, we are going to focus on getting some new apps packaged. The list is:

• OnlyOffice
• Bitwarden - @Felix and @iamthefij have done much of the heavy lifting, we just have to get it across the line.
• OpenVPN - We will add an admin interface that let's the admins configure some popular vpn settings.
• BigBlueButton or Jitsi (we will evaluate which works well for conferencing. We have used both and they both work well but BBB might win). If you have any thoughts here, please leave a comment.
• Development apps - basically provide a git push workflow for hosting custom nodejs/php apps (and make it work so that they can be mixed with various caches and databases).

If we should prioritize something else, please let us know! But the above should keep us occupied this month.

What we initially planned as Cloudron 4.5 is now Cloudron 5. We decided to bump the major version since it got a lot of changes to justify the bump.

New installations will already get Cloudron 5. Existing installations will get an update in a week or two. We roll out updates conservatively as always, if you want it immediately, please just send a mail to support@cloudron.io and we will make it available.

I am preparing the blog post which will have the screenshots for the features.

Changes:

• Add user roles - owner, admin, user manager and user

• Show backup disk usage in graphs

• Mail server event log and mailbox usage information

• Spam auto-learning - the spam solution is now per mailbox. The mail server will now periodically auto learn spam and ham from the mailbox with no user intervention.

• CPU resource allocation - We have implemented CPU Shared

• Whitelabel the footer/404

• App specific passwords

• Import backups UI - this lets you easily move apps across Cloudrons

• Display timestamps in browser timezone in the UI

• linode: add object storage backend

• Enhancements in the built-in LDAP to better support SOGo (more on this in a separate post).

There's a lot of other bug fixes as well. You can read through the commits for that

I have added a new category called Apps - https://forum.cloudron.io/category/9/apps . I am slowly adding all the apps we have into it as subcategories. It seems this might work better than tags (people are mistyping tags) and also provides a better direction/place for people to post.

Ideally, we keep the current Support category to Cloudron platform related issues. I am moving existing Apps related posts this new category.

Finally, we will start posting app updates in these new categories. Basically, https://cloudron.io/appstatus.html with a changelog. But since now apps are a separate category we can post it a bit more freely without being concerned about polluting the main support category.

Hi All,
Small change in plans for the Cloudron releases. Previously, we had announced that next release will be Cloudron 6. It turns out some of the features are in good shape already and we just want to get it out instead of waiting for everything to get done.

So, there will be a 5.4 release, hopefully later this week, with the following features:

• Dark mode for dashboard
• File manager UI to edit the files inside apps. For the initial version, one can only view and edit the files under /app/data (i.e one cannot view the files in the read-only parts of the file system. this is because of some technical reasons)
• Allow admin to lock email and display name globally. This essentially makes the LDAP directory non-editable by normal users.
• Mandatory 2FA - this is new feature that wasn't announced as part of 5.4! This will require users to setup 2FA before accessing the dashboard.
• We are moving nginx to latest upstream packages instead of ubuntu ones since they are lagging behind a lot.
• Backblaze b2 provider - also new

@jdaviescoates For pricing, as mentioned, we just offer discounted pricing on a case by case basis. Given we are a small company ourselves, we don't want Cloudron pricing to be a blocker for another business relying on us. We have a dozen or so re-sellers and they are generally IT admins, sysadmins who host for co ops, non-profits and schools.

As for Cloudron the company itself, we are profitable and pay ourselves a salary, and I can say we are not going away anytime soon. We are completely bootstrapped and haven't tried to ever raise money nor do we plan to. Future wise, one thing we really want to happen it is to grow to a size where we can start supporting upstream opensource apps - either by contributing with people or funding them.

I recorded a quick video showing host the tests run. The browser on the left is my Firefox that just shows the Cloudron dashboard. The browser that appears on the right is Chrome and it is where the automated testing happens.

Youtube Video

EDIT: OK, this is funny. @nebulon was wondering why I had some dark music in the video. I thought I had recorded a silent video and did not even know there was some background music Investigating, I found out that my youtube at some point has started auto-playing "3 HOURS Most EPIC POWERFUL BATTLE MUSIC"! and OBS was happily recording that. Since, I don't have a headset connected to this setup, I had no idea. Funnily, when I uploaded this video, it immediately told me there is a "copyright claim" and I thought "yeah, right". Now I know why.

Wanted to give some progress on the release here. Both @nebulon and I are taking a bit of break for Jitsi We will revisit once we finish some more enjoyable tasks.

• Update base image - this is done! Apps are slowly getting updated one by one.

• Add support for member-only mailing lists - done!
  

• Default to ECC certs from Let's Encrypt - done!
  

• Redis status - Under services, you can now tune redis instance of each app
  

App firewall will not make it this release since the changes are stacking up.

Some more updates.

• Clicking the update button now will always give you an update, if it's available. No more required to ask us to whitelist an update.

• Encrypted backups - there were security flaws with the current encryption. It's been fixed (more info when we do the actual release). thanks to @mehdi who has patiently worked with us through this.

• App graphs! Currently, just RAM and Disk. CPU and Network will come later.
  

• System graphs
  

• Backup listing UI for the platform
  

• New backup retention policy (this is same as keep daily/weekly/monthly in borg/restic).
  

• Finally, there is a way import and export the backup configuration easily. You see this in the right of the backups. You get a config file that can then be put in another Cloudron instance for restore or import.

We hope to get this out next week. Just doing a lot testing now.

As others pointed, Cloudron uses PBKDF2-HMAC-SHA1 with a per-user salt. This is totally different from just using SHA1.

As we are not cryptographers ourselves, the best approach is to not try to re-implement crypto ourselves and just follow NIST guidelines - NIST 800-63 Specs.

It recommends PBKDF2 and atleast 10k iterations. We also follow most of it's other password guidelines including following including 8 character minimum, support at least 64 characters maximum length, all ASCII characters (including space) should be supported, no password hints/expiry, non-SMS 2FA etc.

There is a good article summarizing the NIST guidelines at the Sophos website and also an article how to store passwords safely.

Hi all,
We released Cloudron 4 now. The blog has more details about the release.

Changes:

• SFTP access is built into the platform. As of this release, WordPress, Surfer and LAMP apps support SFTP access. You can get the SFTP credentials from the i button in the app grid. Note that the username for each app is different!
• App tags and labels - this lets you easily categorize and search app. The current UI is very basic, we hope to iterate on this. Feedback welcome.
• Scaleway Object Storage backend for backups
• Easier email import. There is some basic docs on how to use imapsync here
• Unmanaged WordPress app - this app allows you to edit WordPress code unlike the existing WordPress app. Since, we let you edit the code, we won't deal with updates either. You can to use the WPs built-in updater for that. Docs for this app are here. Currently, this app is marked as unstable. So, you have to enable the unstable flag in settings before you can install it/see it in your Cloudron.
• Immediate App Update notifications
• Backups created right before an app update are retained for upto 3 weeks. This lets admins roll back in case they notice some breakage late.
• Community/Unstable apps. There's been a lot of app packaging going on and we can't keep up with testing of all the apps. So, we will get them all listed in the coming weeks, so others can easily test them out.
• Upstream app version is now listed in the app info dialog
• Support for email relays that do not require authentication and self-signed certificates
• Cloudron updates can now be applied without taking a full backup. This was added for situations where there might a bug in the backup logic and an upcoming Cloudron update fixes the backup issue.
• Add a way to disable outbound mail for a domain. Email -> Outbound -> Select Disabled

I changed the title of this post to be less flame-baity

For the coming weeks, our focus is simply to get more of the apps out. bitwardern/jitsi/matrix etc are in various states and we want to get those out asap.

We are working on some ideas on the Cloudron side:

• Mail fts search - This will be optional since the dovecot+solr integration takes a lot of memory.
• Mail server queue and reports - This is just a UI to get an insight into what emails are incoming and outgoing on the mail server
• Mail spam controls - This will tackle the popular "Spams are still getting through" reports
• CPU resource allocation - Currently, you can control memory per app. This will allow you to control the CPU allocation as well.
• Firewall API
  • This will allow setting up basic application firewall rules. This is not clear yet but we will build on top of modsecurity/fail2ban potentially.
  • For email, this will have whitelist/blacklist
• Backup - listing, download and remove API and UI (for box and the apps).
• Per-app backup format.
• Group admins - The idea here is to create "sub admins" who can invite users but cannot control server level settings like backups.
• Whitelabel the footer/404
• App specific passwords

BTW, if you have comments/suggestions, feel free to open a thread in the Discuss section or comment here for any clarification

We released Cloudron 5.1 for all now. See the blog for screenshots and more info.

• TURN Service - This allows completely private P2P voice/video and data transfer. We have updated Kopano Meet, Nextcloud Talk, Matrix Synapse and FilePizza to use this built-in turn server. No configuration needed from your side, just make sure you are running Cloudron 5.1!
• We have released Mastodon. For supporting federated apps like Mastodon and Matrix, we have added support for .well-known URIs (docs)
• Mail eventlog now has search and filter options
• Disk graphs are now sorted by usage (thanks to @d19dotca for the suggestion)
• Apps that have automatic backups disabled are now listed in the Backups view (thanks to @d19dotca for the suggestion)
• Dropped support for TLSv1 and TLSv1.1 (thanks to @zerononcense)
• Support for ECC certs (thanks to @zerononcense for helping us test)
• Docker addon is now more secure (thanks to @iamthefij for reporting)
• fix bug with listing of >25 mailboxes and aliases
• branding: make the login page title show cloudron name
• mail fix incorrect eventlog db perms

There's a few minor bugs/annoyances in 5.4. So, we though we will do a quick 5.5 with a couple of features before 6.0. We also have to update all the app packages to have correct screenshots links since they use the old s3 path style links (they have to be changed to vhost style links).

• Contrast issues in dark mode
• File manager does not work when a custom data directory is set
• Fix sticky notifications
• Backup upload/download speed - Currently, backups can be quite slow but we have some ideas to speed it up
• Allow backup and update schedule to be set. Currently, this is all hard coded
• Mailbox sharing

Just one more sprint before 6.0. Mostly, it's mail related. Just trying to address some immediate needs in this release:

• Mail
  • Make some of the existing settings configurable via the UI. Whitelist/blacklist, max message size, tls configuration etc.
  • Make mail server name configurable. Instead of my.domain.com as email server, you can setup the name as mail.domain.com, for example.
  • Autodiscover/Autoconfig support for email - https://git.cloudron.io/cloudron/box/-/issues/556 . I am not sure how easy/hard this is, but worth trying.
  • Server side signature - If haraka allows this easily, we will add it.
  • Keep mail backups separate from box backups. This will make it easy to backup/restore emails separately. EDIT: decided it's a lot of work, postponed to some future release.
• Add a way to whitelist inbound ports. This will help apps like netdata, snmp monitors and other monitoring "agents".
• Add flag in manifest for reverse proxying to a port (for the OLS app).
• Update MongoDB to 4.2 - EDIT: this was not needed. The index length problem is solved by having smaller mongodb database names.
• Hardware transcoding for emby/jellyfin (and in the future plex)
• Do not auto-update to pre-release version
• Allow configuring schedule of platform updates
• Network usage graphs (See issue)
• Optimize WP and Nextcloud installations

Anything small/obvious I left out?

Before everyone jumps to conclusions So far, @nebulon has been trying to make coturn to be part of the app itself. This is indeed quite hard.

So, I think what this means is that we have to integrate the turn server into the platform code base itself. So, it would become an addon/service just like the databases and other things. And then nextcloud, jitsi, kopano meet etc can just use this coturn service. Integrating coturn into cloudron is not very hard but will require a new release of Cloudron.

Here's what you can expect from 5.2. We are still working actively on a few more apps and the apps have more priority. Specifically @nebulon is working on Bitwarden and I am trying to get Jitsi/BBB.

• Update base image - this should update many packages, the vim/bash history configuration etc.
• Some user onboarding flow - don't have concrete plans here. But sometimes new users are confused by all the automation we do - like db, email, user management. Feels very magical, so we have to put in some videos/images to re-assure them/explain what's happening.
• Add support for member-only mailing lists.
• Support for external volumes for apps
• Default to ECC certs from Let's Encrypt.
• App firewall (protect login screens and login routes of apps)

Any more suggestions?