chore(4.0.x): release 4.0.0

[mender-test-bot]

---

4.0.0 - 2025-02-10

Bug Fixes

• (deployments) Deprecate v1 endpoint for listing deployments
  (MEN-7543) (879b589) by @kjaskiewiczz

  We deprecated GET v1 /deployments/deployments endpoint because of an
  issue with "search" query parameter behavior. As a replacement we
  introduce v2 version of the endpoint, where we replaced "search"
  parameter with "id" and "name" parameters.

• (deviceconfig) Enable multiplatform build
  (QA-673) (fbbe646) by @oldgiova

  The required TARGETOS and TARGETARCH variables were missing from the
  Dockerfile.

• (gui) Fixed an issue that could prevent browsers from following programmatically triggered downloads
  (f2b6189) by @mzedel

  • relative download addresses seem not to be followed, switched to absolute instead

• (gui) Fixed an issue that would sometimes prevent users from switching between tenants
  (MEN-7774) (ce777fd) by @mzedel

  can't rely on the user list data as it doesn't contain all the user details

• (gui) Fixed an issue that prevented deployment sizes from being shown
  (d2bbb8d) by @mzedel

• (gui) Fixed an issue that caused number comparisons in device filters to not work
  (MEN-7717) (84e2398) by @mzedel

• (gui) Added readable name for ltne device filter
  (MEN-7717) (a741011) by @mzedel

• (gui) Fixed an issue that could lead to unexpected locations in the UI when accessing unauthorized sections while authorized
  (MEN-7842) (7938291) by @mzedel

• (gui) Enable device configuration for non enterprise users
  (67170c5) by @thall

  Currently it's not possible to see device configuration if you host
  Mender self and have environment variable HAVE_DEVICECONFIG=true.

  Changes the predicate to be the same as for hasDeviceConnect.

• (gui) Added missing link to rbac docs in the cooresponding section
  (MEN-7826) (1d8c4ff) by @mzedel

• (gui) Prevented disabled form inputs from showing validation errors
  (2e7215a) by @mzedel

• (gui) Aligned quick actions in release details with actually possibile actions
  (365f564) by @mzedel

• (gui) Fixed an issue that would prevent showing deployment reports for phased deployments
  (132d6b2) by @mzedel

• (gui) Fixed an issue that would prevent upgrading a running session to a different plan
  (MEN-7898) (7668b29) by @mzedel

• (gui) Fixed an issue that would crash the site when showing release details with multiple artifacts
  (fd06f66) by @mzedel

• (gui) Made addon availability rely more on addons where possible to prevent erroneous device config retrieval
  (MEN-7895) (62d6516) by @mzedel

• (gui) Aligned webhook details behaviour w/ rest of UI
  (MEN-7955) (7860b5b) by @mzedel

• (gui) Prevented sso config retrieval on plans that don't support this
  (fe6da5d) by @mzedel

• (gui) Fixed an issue that would prevent deleting & tagging releases in the release overview
  (MEN-7960) (16b2628) by @mzedel

• (gui) Let on-prem installations refer to the docs to prevent server-url misconfiguration following monorepo transition
  (MEN-7948) (e0dae51) by @mzedel

• (gui) Fixed end date filters out today's entries in the Audit log, Deployments and Devices
  (3ee84f2) by @aleksandrychev

• (gui) Ensured target directory is nonempty on artifact generation
  (MEN-8010) (5616722) by @mzedel

• (gui) Fixed an issue that could prevent listing devices with their custom identity in a deployment report
  (f1fcf26) by @mzedel

• (gui) Fixed an issue that would prevent navigating to devices from a software distribution chart
  (MEN-8038) (6516986) by @mzedel

• (gui) Made user list tracking rely only on backend data instead of local store to prevent duplicate users listed
  (MEN-8049) (7d1b060) by @mzedel

• (gui) Fixed an issue that would cause the ui to crash when creating phased deployments
  (9827ba9) by @mzedel

• (gui) Fixed remaining device percentage not being displayed correctly on phased deployment creation
  (5600913) by @mzedel

• (iot-core) Incosistent serialization format for device private key
  (MEN-7478) (6deadef) by @alfrunes

  The generated key is serialized using SEC 1 (RFC5915) ASN.1 encoding,
  but encoded to PEM using PKCS8 (RFC5208) block header/trailer.

• Aligned identity attribute usage with scoped inventory data to prevent overriding custom naming attributes with name tags
  (MEN-7218) (9d82ea1) by @mzedel

• Document the 409 return for creating deployment to a group
  (MEN-7414) (5327dac) by @kjaskiewiczz

• Prevented commercial client components are only selected when plan/ addon accessible
  (MEN-7458) (81e0b73) by @mzedel

• Fixed an issue that prevented retrieving group devices & related reports
  (MEN-7461) (95ea85f) by @mzedel

• Fixed an issue that prevented showing PATs on page refresh
  (bde80fe) by @mzedel

• Fixed an issue that prevented onboarding tips from showing
  (c2ecfcf) by @mzedel

• Fixed an issue that prevented the UI from showing deeply nested software installations
  (MEN-7640) (13496f3) by @mzedel

• Stop user from having similar email and password
  (MEN-6462) (3fa4a43) by @bahaa-ghazal

• Implement signal handler for server commands
  (QA-782) (6e17ada) by @bahaa-ghazal

• Deviceauth healthcheck panics malformed inventory address
  (70d493a) by @alfrunes

• Use internal URLs for storage backend when generating artifacts
  (MEN-7939) (3d72d5e) by @alfrunes

  • BREAKING: Generate artifacts API ignores storage.proxy_uri and
    aws.external_url configuration values and instead access the API using
    the same URL as deployments service.

  When generating artifacts, the backend will use the direct access URL
  instead of rewriting the URL using the configured storage.proxy_uri or
  aws.external_url.

• Deployment device count should not exceed max devices
  (MEN-7847) (15e5fee) by @alfrunes

  Added a condition to skip deployments when the device count reaches max
  devices.

• Update outdated api endpoints in the inventory service
  (MEN-7017) (73c7149) by @bahaa-ghazal

• Limiting the size of metadata when uploading and generating artifacts
  (MEN-7166) (9e80728) by @bahaa-ghazal

• (create-artifact-worker) do not install openssl1.1-compat

  Changes:

  • use mender-artifact which does not depend on openssl1.1-compat
  • do not install openssl1.1-compat

• (deployments) Accesslog catches panic traces and remove "dev" middleware (MC-7155)

• (deployments) Improve error message when uploading too large artifacts (MEN-7175)

• (deployments) fix release filtering and RBAC for releases

• (deployments)* With the old implementation, when using more than one tag in the filter, or when using role which grants access to releases with given tag (and more than one tag was specified), deployments will present only releases containg ALL the tags each. With the new behavior, deployments will retrun all the releases containg ANY of the tags. (MEN-7272)

• (deployments) Compatibility with MongoDB > 5.0 (MEN-6956)

• (deviceauth) Handling preauthorized auth set when device is accepted

• (deviceauth) The previous behavior was putting the device in a conflicting state and returning 500 errors on auth requests. With this commit, the preauthorized auth set will take precedence and take over as the accepted auth set. (ALV-213)

• (deviceauth) Wrong Content-Type header on successful authentication

• (deviceauth) On success, the Content-Type header is set to application/jwt instead of invalid application/json on 200 responses to POST /api/devices/v1/authentication/auth_requests (MEN-6912)

• (deviceauth) Preauthorize force behavior applies to existing auth sets

• (deviceauth) Updates the behavior of the Preauthorize endpoint if "force" paremeter is set:

  • If an authset already exist, the status will be forced to "preauthorized".
  • If the auth set does not exist, a new one will be created. (MEN-7241)

• (deviceauth) Inconsistent device check_in_time when listing devices

  The lookup for check_in_time from the cache does not work when running Redis in cluster mode because of the MGET command requires keys to hash to the same slot. This commit replaces MGET with multiple batched GET commands when running Redis in cluster mode. (MEN-7337)

• (gui) fixed missing theme global variables (MEN-7044)

• (gui) fixed terminal closure made by exit command (MEN-7081)

• (gui) Devices tab not showing in the UI with Deployments manager (MEN-7111)

• (gui) fixed Software distribution widget displayed wrong other devices count

• (gui) ensured release is retrieved on deployment recreation (MEN-7228)

• (gui) ensured an attempt to show fresh device information is made in every device related auditlog entry (MEN-7034)

• (gui) fixed an issue that sometimes prevented reopening paginated auditlog links

• (gui) fixed an issue that could prevent SSO logins depending on the type of SSO

• (gui) fixed SSO information not being adjusted depending on the type of SSO configured (MEN-7277)

• (gui) fixed an issue that prevented accessing releases with routing relevant symbols in their name (MEN-7209)

• (gui) ensured browser generated reports are refreshed on every full device data retrieval to prevent partly initialized report data to show misleading software distributions (MEN-7123)

• (gui) fixed an issue that would prevent promoting a device to a gateway device (MEN-7334)

• (gui) limited global settings saving for less privileged users (MEN-6970)

• (inventory) Accesslog middleware log panic traces and remove "dev" middleware (MC-7155)

• (inventory) Bound the number of devices considered when aggregating filter attributes to maximum 5,000. (MEN-6917)

• (inventory) do not return updated_ts as zero time if updated_ts is not set

• (inventory) store "check_in_time" attribute as ISODate instead of string (MEN-7259)

• (inventory) attribute modification in the range loop

• (iot-manager) Event APIs return OK if event is saved to database (MEN-6898)

• (iot-manager) Create TTL index for removing expired logs (MEN-7101)

• (iot-manager) Incosistent serialization format for device private key

  The generated key is serialized using (RFC5915) ASN.1 encoding, but encoded to PEM using PKCS8 (RFC5208) block header/trailer. (MEN-7478, [SEC 1](https://northerntech.atlassian.net/browse/SEC 1))

• (useradm) Update accesslog middleware to catch panic traces and remove dev mode (MC-7155)

Documentation

• (README) Add step to clone repository
  (f9d3bbd) by @alfrunes

• (README) Consistently add syntax highlighting to code blocks
  (8583102) by @alfrunes

• (deployments) Clarifications for the GET /deployments version 2 endpoint.
  (MEN-8053) (ea9fda0)

• Update README.md with instructions on using the docker composition
  (c9aa7dc) by @alfrunes

• Add section about testing build artifacts
  (5c7eaaa) by @alfrunes

• Add snippet for starting a mender client to README
  (a322b2d) by @alfrunes

• Update README.md
  (f7a1b09) by @alfrunes

  Adjusted styling (note color, added 1st level indentation, taxonomy i.e., Mender Server, Mender Enterprise) to make it easy to follow and read.

• Document how to bring up the Virtual Device for enterprise setup
  (c674566) by @lluiscampos

• Fix typo in snippet for creating tenant
  (a346d33) by @alfrunes

• Docmentation on backend integration tests running separately
  (QA-683) (a8f8d54) by @merlin-northern

Features

• (deployments) Add filter field to deployment object
  (MEN-7416) (fec5b91) by @kjaskiewiczz

  The filter field contains information about devices targeted by the
  deployment.

• (deployments) New endpoint for getting release by name
  (MEN-7575) (3a18e88) by @kjaskiewiczz

• (gui) Enabled webhook scope selection
  (MEN-7455) (cec277d) by @mzedel

• (gui) Extended webhook event details
  (MEN-7574) (0bfda40) by @mzedel

• (gui) Aligned webhook listing with updated design
  (MEN-7573) (80e55d1) by @mzedel

• (gui) Added the possibility to create service provider administering roles
  (MEN-7570) (92d7e50) by @mzedel

• (gui) Aligned role removal dialog with other parts of the UI
  (8661704) by @mzedel

• (gui) Added support for Personal Access Token auditlog entries
  (MEN-7622) (9a9a6c3) by @mzedel

• (gui) Added possibility to trigger deployment & inventory data updates when troubleshooting
  (MEN-7657) (11a9b7a) by @mzedel

• (gui) Made deployment targets rely on filter information in the deployment to more reliably display target devices etc.
  (MEN-7647) (47c92d4) by @mzedel

• (gui) Aligned notions of "latest device activity" in listing & details
  (40ee57d) by @mzedel

• (gui) Limited onboarding to hosted Mender to ensure a streamlined experience
  (MEN-7896) (cee60f8) by @mzedel

• (gui) Added feedback on file size limits to artifact upload dialog
  (MEN-7858) (d612334) by @mzedel

• (gui) Aligned text input appearance with MUI updated guidelines
  (MEN-7838) (e5d5672) by @mzedel

• (gui) Added explanation about integration number limitation
  (MEN-7899) (dbdfa67) by @mzedel

• (gui) Clarified user creation capabilities for non-enterprise users
  (MEN-7883) (d2fd192) by @mzedel

• (gui) Added automatic refresh to get webhook events
  (MEN-8045) (502e06a) by @mzedel

• (inventory) Add support for "$in" operator in the device search API
  (MEN-7667) (fd4eaf0) by @kjaskiewiczz

• Added option to limit deployments to a maximum number of devices in a dynamic group
  (MEN-7403) (c04d736) by @mzedel

• Made search results reopen whenever the search field is clicked again and has a search term
  (MEN-6894) (c36eb96) by @mzedel

• Added feedback dialog
  (MEN-7355) (8c0a3ba) by @mzedel

• New endpoint for listing deployments
  (MEN-7541) (afb1566) by @kjaskiewiczz

• Add version command to all Go binaries
  (ff439c9) by @alfrunes

  The version command will display the app version (linked at build
  time) as well as runtime version and commit SHA1.

• (deployments) Add configuration for max data size when generating artifacts

• (deployments) Adds a new configuration option for setting the max data section size when generating an image with a default of 512MiB. The configuraiton path is storage.max_generate_data_size or environment variable DEPLOYMENTS_STORAGE_MAX_GENERATE_DATA_SIZE. (MEN-7134)

• (deployments) prevent the creation of deployments if there is already an active deployment with the same constructor parameters (MEN-6622)

• (deviceauth) accept and support preauth at any time (MEN-6961)

• (deviceauth) sync check_in_time with inventory if reporting is disabled (MEN-7202)

• (deviceconfig) internal endpoint to delete all records related to a tenant (MEN-7312)

• (deviceconnect) Forward filetransfer statuscode from client (ALV-209)

• (deviceconnect) internal endpoint to delete all records related to a tenant (MEN-7317)

• (devicemonitor) internal endpoint to delete all records related to a tenant (MEN-7318)

• (gui) treat devices which didn't contact server after being accepted as offline (MEN-6880)

• (gui) treat devices without update_ts as offline

• *(gui) The new "$ltne" filter operator allows to get list of device where the update_ts is lower than given value or update_ts doesn't exist. (MEN-6880)

• (gui) Added UI interface to save the Open ID connect Single sign-on (MEN-6922)

• (gui) allow to save SAML Single Sign-On without config providing

• (gui) allow personal access tokens generation for the SSO users (MEN-6824)

• (gui) Added releases quick actions support (MEN-6859)

• (gui) added two-step login for enterprise users (MEN-6823)

• (gui) enabled password reset during user creation (MEN-7192)

• (gui) use inventory's check_in_time to extract and list offline devices (MEN-7251)

• (gui) gave device deployment log files more descriptive file names (MEN-7221)

• (gui) made log viewer wider to ease going through deployment logs (MEN-7220)

• (gui) added copyable userid to user information (MEN-7277)

• (gui) allowed adding users by user id in user creation dialog (MEN-7277)

• (gui) restructured account menu & added option to switch tenant in supporting setups (MEN-6906)

• (gui) let device details remain open when adding the device to a group (MEN-7336)

• (gui) added notification about changes to the device offline threshold (MEN-7288)

• (inventory) do not set updated_ts field when inserting the device (MEN-6878)

• (iot-manager) process webhook requests asynchronously, returing 202 Accepted instead of 204 No Content or 200 OK (MEN-7227)

• (iot-manager) add a timeout for webhook requests, defaults to 10 seconds; you can modify it using the webhooks_timeout_seconds configuration setting (MEN-7227)

• (iot-manager) internal endpoint to delete all records related to a tenant (MEN-7319)

• (workflows) Add encoding option "html" for html-escaping string parameters (MEN-7003)

Build

• (gui) BREAKING: Changed container image to unprivileged port 8090 and unprivileged user (13b2268) by @alfrunes

• (docker) BREAKING: Changed container image tag scheme from mender-x.y.z to vX.Y.Z

  The new versioning scheme uses the Mender Server version which is decoupled from the other components in the Mender ecosystem.

• (docker) Add build stage to Dockerfiles
  (ba3692e) by @alfrunes

  The Dockerfiles are now self-contained by moving the build stage into
  the Dockerfile.

• (docker) Build images on BUILDPLATFORM
  (44e5b7f) by @alfrunes

• (docker) Use make(1) when building inside docker images
  (153269e) by @alfrunes

  For consistent builds.

• (make) Update docker targets to use updated Dockerfiles
  (11f26d6) by @alfrunes

  Refactored common parts to parent directory.

• (make) Change default target to docker and add variable TAGS
  (92ac12a) by @alfrunes

  Containers are the primary build artifacts for this repo so it makes
  sense to build them by default.

• (make) Fix acceptance test targets after refactor
  (70919bd) by @alfrunes

  Put common acceptance test targets in Makefile.common and made
  exceptions for create-artifact-worker and reporting.

• (make) Do not expand go shell commands unconditionally
  (1c68b83) by @alfrunes

• (make) Run acceptance tests without rebuilding the containers
  (ce241cc) by @alfrunes

  Removed the dependency on docker-acceptance for the
  test-acceptance-run.

• (make) test-unit target runs in same environment as build
  (141ea40) by @alfrunes

• (make) Change TAGS behavior to always include required build tags
  (5bae608) by @alfrunes

• (make) Rename DOCKER_ARGS to DOCKER_BUILDARGS, TAGS to BUILDTAGS
  (1a97891) by @alfrunes

  It seems like Gitlab has a built in TAGS env variable which conflicts
  with the Make environment.

• (make) Add docker-pull target for pulling images
  (37f4391) by @alfrunes

• (make) Define DOCKER_PLATFORM template as multiline variable
  (0db0c9a) by @alfrunes

• (make) Fix tag override for docker-acceptance
  (7f0b260) by @alfrunes

  MENDER_IMAGE_TAG_TEST should set the tag when building the target.

• (make) Remove make 4.4 function let
  (75f980e) by @alfrunes

• (make) Added target docker-publish for publishing images
  (c400b04) by @alfrunes

• (make) Split MENDER_PUBLISH_REGISTRY into registry and repository
  (e27c770) by @alfrunes

• (test) Force serialize unit tests for deviceauth
  (a0ab55e) by @alfrunes

Check

• Make sed(1) Linux compatible again
  (1271396) by @alfrunes

  Replace flag -i='' with -i.bak and removing the files.

Refac

• (compose) Refactor SeaweedFS topology and optimize startup/shutdown time
  (fe7ee2e) by @alfrunes

  Instead of running SeaweedFS as a monolith using the server command,
  we explicitly launch all services in different containers. It appears
  that the server command has some issues when initializing the master
  and sometimes enter a deadlock the healthcheck interval is too low at
  startup. Moreover, running the services in different containers makes it
  easier to debug and interpret the logs.

• (iotcore) Break on errors instead of falling through
  (733f8ab) by @alfrunes

  Using long chains of fallthrough error conditions makes it very
  difficult to read and error prone to extend. Refactoring to use common
  coding patterns instead.

• Use an overlay directory to create Makefiles and Dockerfiles
  (85e93e0) by @alfrunes

  Allows for easier individual customization required for accepatnce
  tests.

• Move compat tests to dedicated test suite
  (059f437) by @alfrunes

Revert

• (docker) Revert generate-delta-worker dockerfile
  (d205b3e) by @alfrunes

  Reverts the dockerfile to the upstream docker file with the two
  exceptions of copying the binaries from this repositories rather than
  relying on master docker images.

• Change docker entrypoint to launch workflows worker
  (0d39c96) by @alfrunes

  This was done by mistake when updating the Dockerfile for the monorepo.

[kjaskiewiczz]

except for the deprecation, which landed up in the bug fixes section, it's looking good to me (didn't read it line by line though)

[alfrunes]

I'm missing a changelog entry for the following breaking changes:

• gui docker image port number changed from 80 to 8090 and run as non-root
• docker image tag format changed from mender-X.Y.Z to vX.Y.Z

[mender-test-bot]

🤖 Created releases:

• v4.0.0

🌻