I’ve just rolled out the Virtualmin virtual-server module version 5.99 for CentOS/RHEL and Debian/Ubuntu repositories. This includes many of the new features that will appear in Virtualmin 6.0 (a number of additional new features are in the installer, which has an alpha release announced a few days ago that you can try on non-critical systems, and several other features are in Authentic Theme, which is available for testing from the Authentic github, and most of which will appear in the next Webmin release, as well).
Changes since 5.07:
- Updates the Node.JS installer to version 7.7.4, DokuWiki to 2017-02-19b, Roundcube to 1.2.4, Mantis to 2.2.0, Moodle to 3.2.2 and 2.7.19, Rainloop to 126.96.36.199, Mantis to 2.2.1 and 1.3.7, Drupal to 8.2.7, phpBB to 3.2, and Wordpress to 4.7.3.
- The SSL certificate for all virtual servers will now be configured for use in the Virtualmin UI on port 10000, so that URLs like https://admin.domain.com:10000/ work without cert errors.
- Chroot jails for virtual server domain owners can now be setup at domain creation time or afterwards. This limits the files visible to SSH sessions and PHP apps run via FPM to the jail directory.
- SSL certificates can now be copied to Dovecot even for virtual servers that don’t have their own private IP address.
- SSL certificates that are expired or close to it are displayed on the System Information page.
The biggest new feature is chroot jails. If you want to use this feature, you’ll need the jailkit package that I have also released for some of our repos (i386 debian/ubuntu is not done, as I’m still busy setting up a new i386 build host…older distros are not supported at all, yet). Mail jailkit packages will come in the next couple of days as my time for building them and testing them allows.
Another big feature for Virtualmin GPL users is the inclusion of the WordPress Install Script. This has always been the most popular Install Script in Virtualmin, and we’re now giving it away with Virtualmin GPL! That’s pretty cool, right? Please consider supporting us economically by buying a license (even if you don’t need every Pro feature or much additional support), so we can keep pushing more Pro features into GPL.
We’re also beginning a deprecation process, so we can begin to remove things from Virtualmin in a predictable way. The 6.0 release cycle will see removal of a handful of things.
Deprecated in this release (for removal in the next release):
- Qmail+LDAP support. This is an old, creaky, poorly maintained fork of Qmail. We couldn’t find anyone using it in a few weeks of searching, and the last time anyone mentioned it in our ticket tracker or website was several years ago. So, it is dead to us, and will be removed.
- Website Editor. The website editor, while still occasionally used, has never been very popular or very useful. This one is just being removed from the default menu for domain owners, but will remain as an option until we have completed a better replacement (likely will mean adding a WYSIWYG page editor to File Manager).
- mod_php execution mode. This still exists in 5.99, but will be hidden in 6.0. It will be removed at some point during the 6.0 development cycle. The recommended execution mode (both according to us and according the PHP developers) is php-fpm. There is no reason to use mod_php for any new deployment, so it’s going away. mod_php is also incompatible with chroot jails, and has always represented a pretty big security risk, so there’s many reasons to deprecate it.
As always, let us know about any problems you run into. Despite the short-seeming changelog, this is a huge bunch of new code. New code is bound to be quirky, especially when it comes to config file locations and defaults across distros and versions. Jailkit has been very lightly tested (in the grand scheme of things…there’s so many variables, and we’re just a couple of humans). So, again, don’t trust the chroot jail feature for critical systems until you’ve tried out your use case on a non-critical system. Our jailkit packages use capabilities, so there is presumably no risk of privilege escalation, but there may be usability bugs that are uncomfortable for your domain owner users, if the configuration is weird and we didn’t notice.
Edit (after a couple of months of discussion and feedback from users): mod_php is not being deprecated in the foreseeable future. Too many people still rely on it. But, we strongly encourage you to move to a faster, more memory efficient, more secure, execution environment. mod_fcgid is still the most flexible, and PHP-FPM may be faster and more memory efficient for some workloads.