📌⚠️ Possible retrocompatibility breaking changes announcements (SUBSCRIBE if you use Doodba)

[yajo]

This project is currently in a production-ready but evolving status, so some not-retrocompatible changes might come in.

This issue will be a retrocompatibility breakage tracker. Please subscribe here if you use this project in production, because you will care of these changes.

Any announcement will include instructions on how to pin the image versions that supported old behaviour, and upgrade instructions.

[yajo]

New backup system

We will soon start defaulting to use https://github.com/Tecnativa/docker-duplicity project to generate backups.

https://github.com/Tecnativa/docker-server-backup will start being unmaintained.

When will this happen?

When #68 gets merged. Subscribe there for updates.

Why will this happen?

Duplicity is better docummented, supported, efficient, supports many backends (although default will be S3 as usual)...

What does it break?

New backup system is not compatible with old one. It uses different configuration, different storage, different everything.

Last non-breaking image/scaffolding version

• Scaffolding: Tecnativa/doodba-scaffolding@fc87679
• Image not affected by this change.

How to update?

Configure your S3 backend to move objects prefixed with archive- into glacier after 1 month, and to expire everything after 3 months.

If you need to restore an old backup, you will have to roll back your project to the last commit before updating the scaffolding, and use the old restore process.

[yajo]

Removing support for /opt/odoo/custom/src/requirements.txt file

Support was deprecated after #33. Now it's going to be removed.

When will this happen?

When #28 #71 gets merged. Subscribe there for updates.

Why will this happen?

Deprecated since 2 months ago, it's time to remove it... We have a better location for it now.

What does it break?

Builds using that file will not get pip dependencies installed.

Last non-breaking image/scaffolding version

• Scaffolding: Tecnativa/doodba-scaffolding@1b0d4a6
• Images:
  • 8.0: tecnativa/odoo-base@sha256:736196b6048bfba231092e5d4ddbb6edcf0838b1daaa4c6b6a5b3b17f47ad270
  • 9.0: tecnativa/odoo-base@sha256:13e9cf5a259eba70d559013a854a3cceb40d36c95ff3f50a83670385b71b078a
  • 10.0: tecnativa/odoo-base@sha256:3fb04373e16b25081d8d571b1faf58ae57902611b8a740004ae489356f9c924b

How to update?

Move /opt/odoo/custom/src/requirements.txt to /opt/odoo/custom/dependencies/pip.txt.

[yajo]

No volume versions in base scaffolding

When will this happen?

When #82 gets merged. Subscribe there for updates.

Why will this happen?

Motivation explained in #82 (comment).

What does it break?

Previous projects based on our scaffolding that get updated (by git pull scaffolding scaffolding) will get changed volumes.

This means that Docker will create a new volume and leave the older one dangling, meaning you could get the surprise of having an empty Odoo database.

More dangerous is that if you execute docker system prune or docker volume prune, your Odoo data could get lost!

Last non-breaking image/scaffolding version

• Scaffolding: https://github.com/Tecnativa/doodba-scaffolding/tree/50ff6b26d1f13f7f36448f308f4c3539187f4f92
• Images: not affected

How to update?

When you git pull from the updated scaffolding, choose one of:

• Make sure you keep your old versioned volume names, at least in prod.yaml file (others should get broken too, but it's not that important usually).
• Make sure you move data from the old volume to the new one (with Odoo shut down) before running the next docker-compose up -d command.

It's recommended that the next time you migrate your Odoo instance (i.e. from 8.0 to 9.0) you remove the version from the new filestore, to stop worrying about this in the future.

[yajo]

Changing addons-install script for just addons

The script gets renamed and its CLI arguments get changed.

When will this happen?

When #89 gets merged. Subscribe there for updates.

Why will this happen?

addons-install was introduced in #84 last week, so not much chance it's widely used out there.

New CLI provides a saner experience by avoiding failures on incompatible flag combinations.

What does it break?

The script will not exist and thus provide errors wherever used.

Last non-breaking image/scaffolding version

• Scaffolding: Not affected.
• Images:
  • 8.0: tecnativa/odoo-base@sha256:c9cbf7936a607307668404561d6cd0e70551f615159a8eb1a4c9e8aad5abb3b8
  • 9.0: tecnativa/odoo-base@sha256:fb4f8a0715686b73b22410a057e907db0e199d75c2abea79f72fe8e13a8628e5
  • 10.0: tecnativa/odoo-base@sha256:2aa7dca7a0ca21f71ed52803e2c52941ad34e21892694ab505f1e3b48aed7e86
  • 11.0: tecnativa/odoo-base@sha256:32a4e5b0fab14905cdbad799e17f662f3377daa70be8eebe182b78747096f558

How to update?

Replace your calls from addons-install to addons, using the new CLI.

[yajo]

Removing inbox container from the stack

The inbox containers (which came in flavors inboxfake and inboxreal) are being dropped from the scaffolding.

When will this happen?

When #117 gets merged. Subscribe there for updates.

Why will this happen?

Those containers were a workaround back in old times where Docker did not support network isolation by default, or when the scaffolding designer (younger me) did not know that feature.

Network isolation is by far more powerful that the proxies, and reduces maintenance and inflexibility burden in projects.

Besides, configuring Odoo to fetch mail from real host names reduces the diff between a Odoo deployment from the 90's and a modern Doodba-based one. 😋

What does it break?

Existing environments that were using inbox as the hostname for incoming mails will not be able to read emails anymore.

Existing deployments where the inverseproxy_shared network wasn't --internal will not benefit from a real isolation in their test.yaml environments until they set it, by following the recommendation published in da740db and a02fe37.

Isolation in devel.yaml environments will work out of the box after upgrading the scafolding.

Last non-breaking image/scaffolding version

• Scaffolding: https://github.com/Tecnativa/doodba-scaffolding/tree/327561634c5d6e4951f30822cf4085fe64eb934d
• Images: not affected.

How to update?

1. Upgrade your traefik deployment to set the inverseproxy_shared network as --internal. Doing this change should break nothing.
2. Upgrade scaffoldings from your projects. Projects with old scaffolding should work as usual.
3. Re-launch the projects behind that given Traefik instance with docker-compose up -d --remove-orphans
4. Access Odoo production instances and replace the inbox host name in the fetchmail.server records by the real host name.

[yajo]

Including master openupgradelib by default

When will this happen?

It already happened: 9878a49

Why will this happen?

Standard, pip-released, openupgradelib is included in the Docker image by default. Most times it's not enough and you need the master version from git directly.

It's now included in pip.txt file from the default scaffolding. The official released version from the Dockerfile didn't change though.

What does it break?

If you follow the standard scaffolding update system of git pull and get no conflicts, this change might get unnoticed and land into your deployment.

If you rely on the pip-released version of openupgradelib, you could get unknown results. TBH, most times it should just work equally, or even better.

Last non-breaking image/scaffolding version

• Scaffolding: Tecnativa/doodba-scaffolding@2666763
• Images: not affected.

How to update?

Just make sure you review git diff before updating the scaffolding, and know what you're doing.

[yajo]

Moving default scaffolding to v11

The default scaffolding image will be 11.0

When will this happen?

Sadly this has happened before it was noticed, in 88a9334

Why will this happen?

Just we're moving forward.

What does it break?

If you update any Odoo 10.0 scaffolding through the standard method of git pull scaffolding scaffolding and you don't get git conflicts, you might be upgrading to Odoo 11.0 without noticing.

Last non-breaking image/scaffolding version

• Scaffolding: Tecnativa/doodba-scaffolding@9878a49
• Images: not affected.

How to update?

Just make sure to review the update diff before merging it into your 10.0 branch.

If you were using another supported version, this will not affect you since you'll get a merge conflict and notice the change.

[yajo]

Upgrading wkhtmltox to 0.12.5

When will this happen?

When #147 gets merged. Subscribe there for updates.

Why will this happen?

This release fixes the infamous bug wkhtmltopdf/wkhtmltopdf#2711, and according to odoo/odoo#21255 (comment) it should be mostly safe to upgrade from current 0.12.4 version.

That bug has hit many customers in production, so it seems safer to upgrade to this small bugfix release by default.

What does it break?

There's a chance that upgrading the PDF rendering engine breaks some specific reports on some corner cases.

Last non-breaking image/scaffolding version

• Scaffolding: Not affected.
• Images:
  • 8.0: tecnativa/odoo-base@sha256:a59d52b1130dc4e348f0e9b8bcba492f37750b6e81c3953ec063830998be95f4
  • 9.0: tecnativa/odoo-base@sha256:45f88ed2777c75d57f2903098da2e541c2b72c70a7a62d4ed18bc357b01375cf
  • 10.0: tecnativa/odoo-base@sha256:e939a9c2b9963feae46bcaf180e266c9fbe40e0cedefaa1f7d341cf3587a7ba6
  • 11.0: tecnativa/odoo-base@sha256:b4ece2c40255b90978103608c839aab87cee15c69aea862912adbbbfa15cea28
  • latest: tecnativa/odoo-base@sha256:6638b49b19ff3a80a711cde5d9c9f2d6f6ae4b0e774d72a4bf3ce5d6e5f2e7cd

How to update?

Just rebuild with --pull as usual.

If you find incompatibilities, you can uninstall the package and install the old version (you can use the script as it was before, check the aforementioned pull request) in a build.d script for that specific project. For most projects, that shouldn't be a problem.

[yajo]

Repository reorganization

When will this happen?

When #157 gets fixed. Subscribe there for updates.

Why will this happen?

Many people is starting to build their own docker images for their own development/deployment workflows, and many discard using Doodba as a base because it enforces an opinionated workflow.

This opinionated workflow is mostly due to the fact of having many ONBUILD triggers in the dockerfiles, such as these: https://github.com/Tecnativa/docker-odoo-base/blob/11bef1a4e6797d781fd051bc322cea1cef01464a/11.0.Dockerfile#L11-L61

Those do the magic of Doodba, but we can safely split them into 2: onbuild and not onbuild.

We'll use this chance to enhace project branding by renaming it and the Docker Hub images.

What does it break?

Scaffolding will be found in a new place, images too.

However, deprecated images will continue to be available in the same place (just not updated anymore), and current scaffolding-based deployments will continue to work, as their code is local and doesn't depend on public official scaffolding.

Last non-breaking image/scaffolding version

• Scaffolding: Not affected.
• Images:
  • 8.0: tecnativa/odoo-base@sha256:dec50eaea1b1b37a2bb669d8675ca608708c9cb6d9591e0e8f69ba28d9221522
  • 9.0: tecnativa/odoo-base@sha256:e8d422d9ec51914b62728c2a56e2c0d471abcb65845523ffb894efcd90da53f4
  • 10.0: tecnativa/odoo-base@sha256:eaf88d7f3e0b6df547e21ced5d73e695ccaadcc1f5d90f3e0fc940b9e23cf882
  • 11.0: tecnativa/odoo-base@sha256:3348fae5529a0439bfe0f1770921551ede2d9dac76699569e6249850e38f67c3
  • latest: tecnativa/odoo-base@sha256:df6ca3b4dc30077b6e7c0e3125ea6355c33cfe3da6d4baac7dad2b9a6a378872

How to update?

Just update some URLs on your deployments and you're done. More details on #157.

[yajo]

Moving default scaffolding to Postgres 10

The default scaffolding image will use Postgres 10.

When will this happen?

When Tecnativa/doodba-scaffolding#3 is merged. Subscribe there for updates.

Why will this happen?

Just we're moving forward.

What does it break?

If you update any scaffolding through the standard method of git pull scaffolding master and you don't get git conflicts, you might be upgrading to Postgres 10 without noticing.

Last non-breaking image/scaffolding version

• Scaffolding: Tecnativa/doodba-scaffolding@3f6ef4f
• Images: not affected.

How to update?

Just make sure to review the update diff before upating your local scaffolding.

If you want to use this chance for actually upgrading to Postgres 10, then follow their update instructions.

[yajo]

Removing whitelist proxies from test environments

The default scaffolding will have no more whitelist proxies.

When will this happen?

When #165 and Tecnativa/doodba-scaffolding#5 get merged.

Why will this happen?

The testing environments already have the requirement to run in a server that declares an inverseproxy_shared network (which has its official deployment recommendation too), so asking sysadmins to add another network with a well docummented docker-compose.yaml example does not seem like adding much difficulty to the current status.

OTOH, this will reduce the amount of containers to be booted up by 5 for each testing deployment. Since that's the default recommended environment to use for running our QA suite, this can mean quicly hundreds of containers.

Besides adding some CPU consumption (not much, honestly), these containers also exhaust easily the available IPv4 address pool since they require creating one extra network per project to perform the isolation correctly.

What does it break?

When you update the scaffolding, you won't be able to deploy test environments if your servers are not ready for the change.

Last non-breaking image/scaffolding version

• Scaffolding: Tecnativa/doodba-scaffolding@67b7270
• Images: not affected.

How to update?

Follow the new instructions from #165 before your next scaffolding update.

[yajo]

Drop support for $AUTO_REQUIREMENTS feature

When will this happen?

When #175 gets fixed. Subscribe there for updates.

Why will this happen?

• It had bugs.
• It wasn't being used anymore by main contributors.
• It was blocking other actually useful features, such as Fix removal of wanted files #174.

See #175 for more details.

What does it break?

If you were relying on this feature, you will see that your test/prod builds are missing the requirements that they were getting automatically from the linked repositories.

Since the feature was buggy by design, there is a very low chance that you were using it.

Last non-breaking image/scaffolding version

• Scaffolding: Not affected.
• Images:
  • 8.0-onbuild: tecnativa/doodba@sha256:c1648485522ba760b5bc1238306fe541777a94b46e6144562a9aece912a390e3
  • 9.0-onbuild: tecnativa/doodba@sha256:0c0784911b6ca0205fec1c54892b7f027904a4a782e5ca5040ebb8d0193796ec
  • 10.0-onbuild: tecnativa/doodba@sha256:0e05025edc94229c1abc66670fa6c04e11f81e8fd3950e22764339915336af9e
  • 11.0-onbuild: tecnativa/doodba@sha256:4aac3b00b4f14e7cef4d2c7dcd3864868f072fedd6289a536a0f997563bee578
  • 12.0-onbuild: tecnativa/doodba@sha256:19bbdcec6e161553b4d4f19810470e72e54162b9069460284e177cf7987e24dd
  • latest-onbuild: tecnativa/odoo-base@sha256:03557e5b226f0a0296920d934ad9a576a883d30fc53a7ec67c7bc1c2f038d157

How to update?

Instead of that, include the remote requirement files from your main odoo/src/requirements/pip.txt file:

# Assuming you are installing all from server-tools
-r https://raw.githubusercontent.com/OCA/server-tools/11.0/requirements.txt

More details on #175.

[yajo]

Change base image of Doodba 11.0

When will this happen?

When #178 gets fixed. Subscribe there for updates.

Why will this happen?

Current Debian 9 release ships with python 3.5.3. This version contains some bugs that are fixed in 3.5.6, which is the latest python 3.5 bugfix release. We need a newer version.

What does it break?

The base image is also a Debian 9 base, but it includes many build dependencies, since it is based on buildpack-deps:stretch. This means that some pip packages are now installed perfectly without adding build dependencies to the apt_build.txt file.

Well, that's not actually breaking anything. The thing is that, before this patch, it was almost always required to add the python-dev package to apt_build.txt when installing any pip dependency with C extensions. However, now that package is no longer needed. In fact, if you install it, you'd have the included-and-locally-built python 3.5.6 headers, and the apt-installed python 3.5.3 headers, which could cause confusion and could cause some packages to appear to be installed at image build time, but not be executable later at container execution time.

In case you were installing python packages through apt, the problem is the same. For instance, the package python3-sqlalchemy depends on python3 and, thus, installs it. It should produce confusions among which packages belong to which python. Install all python packages from pip now.

Another side effect is that the resulting image is significantly bigger, although that is not exactly bad nor backwards-incompatible.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images:

Tag	Hash
8.0	tecnativa/doodba@sha256:d557f217ee2494a212830a407b9d2041934e8acd791dc1054d6fadeab0e6a150
8.0-onbuild	tecnativa/doodba@sha256:7f0a71a73c8e58ac129e90e15680078220c8df615b33fba9f9652743bdb3be36
9.0	tecnativa/doodba@sha256:c64d61c703d34f46536d489e904fa7aca8e83126a0c72f93aa6dfdfc64aab34a
9.0-onbuild	tecnativa/doodba@sha256:f66dab3513f3abe4d608e7ee794deeb9560b60513a85e42a50c56149e05b740b
10.0	tecnativa/doodba@sha256:cd326b7f0114f92bcc222fe30eb0134fb3d1dfe668c159bee9f7ac30aecf03b2
10.0-onbuild	tecnativa/doodba@sha256:036d8c5ea055d2135135e4e91d812c4e8e82a806c59843a284c72be313634a9b
11.0	tecnativa/doodba@sha256:e4f0e48db0d33549c32214d71b6a76b9ac22ecb100070ce535fd3e61d5e5bd64
11.0-onbuild	tecnativa/doodba@sha256:637f94efe1ffa4db5ffc4174fc58ade6a7a1b90170e910e76bb2bc4b6e9a22f6
12.0	tecnativa/doodba@sha256:556296810406f97aafa332d72af810ab41e4e89d1f78a71b17cb828777b8a685
12.0-onbuild	tecnativa/doodba@sha256:b99edc2b741fc9d5630f99ce1d8e73a923689ba8944a4d36b27c51a9f327643f
latest	tecnativa/doodba@sha256:0bb7317337d89ff80ef5ccf9a8aa6497ca11c130b84b78b9b1c17b8fcc173c07
latest-onbuild	tecnativa/doodba@sha256:aef27893f7d105487addf5f06a19f7262f2862f6b2c7397749b3310a1eb99292

How to update?

On your scaffoldings, if you have python-dev in the apt_build.txt file, remove that line. Possibly you can remove also build-essential if it is there too.

[yajo]

Switch to Liberation fonts by default

When will this happen?

When #181 gets merged. Subscribe there for updates.

Why will this happen?

Current fonts shipped by Debian do not render fine in Adobe PDF on Windows and Mac OS.

What does it break?

Your report fonts will change.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images:

Tag	Hash
8.0	tecnativa/doodba@sha256:c2ccdb76d93f9d855980f0d6791fb6612f7092db49251fb9657a43a237a4cf14
8.0-onbuild	tecnativa/doodba@sha256:f1b0b30421ac27ffd9fafa1f7f5a3a0e48772b3c57443b61be6b3b65a495dc7a
9.0	tecnativa/doodba@sha256:86f2088326ea8816d2de0f1ad1c3140171ecf67804b09a4ffef6b1f7de6f2347
9.0-onbuild	tecnativa/doodba@sha256:044273694b1f3cfb8b7be22ccd89332b4aa788fd209972d659bca25ebbc67cc7
10.0	tecnativa/doodba@sha256:f7211e4ad0ccbeabc8b047537a2269e764bd471ade054e39693d4eb891f253c7
10.0-onbuild	tecnativa/doodba@sha256:dbf24f0aadd4e3c84ed510a9108b5573671952d651d564e50d470bce90160c3c
11.0	tecnativa/doodba@sha256:0f7a46370af718f7bd267478e8c343a1993f534d435935db404a8eff17f21ce3
11.0-onbuild	tecnativa/doodba@sha256:86892ffd829955b4c9a520dc633937a15e8bfe4452010a05c4cb7e517ba05ada
12.0	tecnativa/doodba@sha256:f81ba5dcb05ce2b88937ec7b2b4c488bc7d72e5430e7b22b1672c4a9a9e1a328
12.0-onbuild	tecnativa/doodba@sha256:993be3593733057569020f58305c7e76c527d3aab15a701ad459c4a332a01702
latest	tecnativa/doodba@sha256:52c3161f5a807d591b40a9673c886c4f1d25c796e60643c6e61bfa0a296a8905
latest-onbuild	tecnativa/doodba@sha256:7bde409c3a99a5ca3e2c1539cc44d90b677688fd38d0ed0f5da89d67b52b8b96

How to update?

Usually nobody will notice about the change, but if you still need the old font, just remove this package from a build.d script, or make your font decision more explicit via css in your reports.

[yajo]

Database name for test.yaml environments will be changed to prod by default

When will this happen?

When Tecnativa/doodba-scaffolding#20 gets merged. Subscribe there for updates.

Why will this happen?

Transferring data from prod to test environments turned out to be quite common in practice. Examples:

• Using test.yaml to execute openupgrade scripts to migrate a copy of the current prod.yaml deployment.
• Using test.yaml as a staging environment.

The fact of the default postgres database name being named after the environment (a.k.a. devel, test or prod) hardens that data transfer.

However, changing prod database names massively can potentially bring half the world down, so we're only changing the default name for test environments, which never had data persistence guarantees.

What does it break?

When updating scaffolding of current deployments of any of those test environments and re-deploying, you'll probably see a new "prod" database being created.

Last non-breaking image/scaffolding version

Scaffolding: Tecnativa/doodba-scaffolding@61e46fd

Images: Not affected.

How to update?

If you want the change

On your next deployment after the change lands, do something similar to this:

# Update your scaffolding to latest version
git pull scaffolding master
# Stop current Odoo container
docker-compose stop odoo
# Spin up a temporary container to fix db name and filestore path
docker-compose run --rm odoo bash -c 'psql -c "ALTER DATABASE test RENAME TO prod" && mv /var/lib/odoo/filestore/test /var/lib/odoo/filestore/prod'
# Redeploy
docker-compose up -d

If you don't want the change

Alternatively, you can undo the patch in your local scaffoldings.

In any case, it will only affect you when you manually update your scaffolding.

[yajo]

Switch to Python 3.5 runtime in Doodba 12.0

When will this happen?

When #199 gets merged. Subscribe there for updates.

Why will this happen?

Python 3.5 is the version that Odoo SA uses in their deployments, so the project leader, @pedrobaeza, considers this version is more safe to use in Doodba than the currently latest stable version of Python: 3.7.

What does it break?

Since all the code you write for Odoo 12.0 should be Python 3.5+ compatible, as Odoo itself, nothing should break.

However, if you wrote using some Python 3.6/3.7-only features, your code might break on the next deployment.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images:

Tag	Hash
8.0	Not affected
8.0-onbuild	Not affected
9.0	Not affected
9.0-onbuild	Not affected
10.0	Not affected
10.0-onbuild	Not affected
11.0	Not affected
11.0-onbuild	Not affected
12.0	tecnativa/doodba@sha256:719187a783a74e2b3b98992307d4de387bd58734640daad52dbe69163e626754
12.0-onbuild	tecnativa/doodba@sha256:64acdd791ae8ea186110ce841f5df493499067ec1364b0f2f709838cdc555a3f
latest	tecnativa/doodba@sha256:c8bf996993cd91615206a654814a2cc696402c03870d79caf4bee4ea22e7721d
latest-onbuild	tecnativa/doodba@sha256:96e7e0c400899a303f4781e2fec4dfd917cc589a9d3a56c073768b873febad63

How to update?

Generally you have to do nothing special, or, in the case this affects your code, you'll have to either pin the base image version or fix your code to make it backwards-compatible to python 3.5.

[yajo]

test.yaml will not include demo data by default

When will this happen?

When Tecnativa/doodba-scaffolding#22 gets merged. Subscribe there for updates.

Why will this happen?

The test.yaml file can be used for CI, yes, but it can be used also for migrations and staging instances. In those environments, having demo data can lead to wrong data and user confusion, so it's better to disable it.

What does it break?

• You could install addons in preexisting demos that are updated, and expect demo data but not find it.

• Your CI environment could fail if you don't add DOODBA_WITHOUT_DEMO=false to it because most tests use demo data.

Last non-breaking image/scaffolding version

Scaffolding: https://github.com/Tecnativa/doodba-scaffolding/tree/b2d7ff09ca1917638d9763cf6d919e02d0180a70

Images: Not affected.

How to update?

If you use CI, add DOODBA_WITHOUT_DEMO=false to it before updating the scaffoldings. If you use test.yaml for migration or staging instances, you'll be saving some errors that you maybe didn't know you had!

[yajo]

Secrets and built-in proxy protection removal from official scaffolding

When will this happen?

When Tecnativa/doodba-scaffolding#24 is merged. Subscribe there for updates.

Why will this happen?

Secrets

Git was never a good place to store secrets in plain text. With the aim of having a simple project setup and bootstrap, this has been the official way of doing so since the project beginning, but it's no longer needed.

Today, automated deployment solutions are everywhere and docker compose files format have evolved enough to let us drop support for this.

So this will improve good practices when deploying staging and production environments. The situation is still not perfect, but much better than before.

Built-in Traefik proxy protection

Until today, /web/database/manager (and similiar) and /website/info controllers were blocked out of the box by the officially supported proxy (Traefik) through some bulit-in labels.

However, due to the secret removal decision, it became much harder to have this protection atomized by project and still easy to plug & play. Also, since #203 was merged, we have a way to specify that we don't want the database manager tools, and a simple shell/click-odoo deployment script like this can just disable the /website/info:

try:
  views = env["ir.ui.view"].search([
    ('key', '=', 'website.show_website_info')
  ])
# TODO Remove this except handler when we say farewell to Odoo 8
except ValueError:
  views = env.ref("website.show_website_info", False)
if views and True in views.mapped("active"):
  print("Hiding /website/info")
  views.write({"active": False})
  env.cr.commit()

The combination of both things would leave us in the same situation regarding security and sensation of security, while removing the need for the proxy protection, so it's being disabled by default from now on.

What does it break?

• You could lose security or sensation of security if you don't update your deployment system to do what was stated above about the proxy protection removal.

• Updated scaffoldings will not be able to boot in test.yaml and prod.yaml unless the new requirements are met (which are creating the secrets in separate untracked files). See the new instructions that will land in Document outsourcing of secrets #205 to know what you will have to do.

• CI environments that use test.yaml will break unless you start using the new script being developed at Add secrets-setup script doodba-qa#13, or something equivalent.

Last non-breaking image/scaffolding version

Scaffolding: https://github.com/Tecnativa/doodba-scaffolding/tree/ef59a34d90242fe93f47ef8946cc900309b6ce6c

Images: Not affected.

How to update?

• CI: Include the new script from Add secrets-setup script doodba-qa#13 in your pipelines.
• staging/prod environments: create the new required files documented in Document outsourcing of secrets #205 before you update your scaffolding, to make sure it keeps on working out of the box.
• scaffoldings: chances to have git conflicts when updating the scaffolding are ~100%. Be sure you strip secrets out of git. That's a good thing!

[yajo]

Remove openupgradelib from base images

When will this happen?

When #214 gets merged. Subscribe there for updates.

Why will this happen?

openupgradelib is not frequently published to Pypi. This causes that most of the time you have to update it from its git master.

This image bundled the latest pypi version of that library, but actually the official scaffolding always updated it from git. This produced an absurd situation where we pushed a default dependency that was never actually used.

Since #213 was merged, one side effect was that the git version didn't get installed. The pypi version proved useless in most cases, so the easiest way to fix this situation is to remove it from the base image.

What does it break?

If your scaffolding didn't include openupgradelib as a pip dependency, and your project was using it, you could get an error when migrating.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images:

Tag	Hash
8.0	docker.io/tecnativa/doodba@sha256:506094a255d3d18b75aa8ddf69a47b591168735512996eeb9533530cb84a5553
8.0-onbuild	docker.io/tecnativa/doodba@sha256:9f5ed2b0811654a8b2152d92d9ba82e4a75cadfc598eebd8ee8ee06ee8650d3b
9.0	docker.io/tecnativa/doodba@sha256:a6e8a23099e8c907c52917f33597ddbebc199c13638083e63eca877c8fa21441
9.0-onbuild	docker.io/tecnativa/doodba@sha256:c34e3cdce1f464cab0f7598d65dd876ca9d03f40e971c706aa5899e364e436bb
10.0	docker.io/tecnativa/doodba@sha256:0d0c62aad20a6b4eb98ab90d97879169e2569cfe8b622c98bcc43b739ca77a7c
10.0-onbuild	docker.io/tecnativa/doodba@sha256:9d09fb95921da8ddbab93b9486944bcfe0b0ec39ba6eb4abcb5a720dcd6ce5f1
11.0	docker.io/tecnativa/doodba@sha256:ca4b4548d4c2a538f343f7a94dc5ce129f1ad16c13b38d3d458de0addb2bf0ec
11.0-onbuild	docker.io/tecnativa/doodba@sha256:def237fd3646707c8519c31cd403b8ca9476c7705489c449a0151023d86dc0f0
12.0	docker.io/tecnativa/doodba@sha256:f6917a29f43adf63e456e96905ba6001ed52e51c30e49880228fb5f690059f95
12.0-onbuild	docker.io/tecnativa/doodba@sha256:b797f56ac65bd95882717929c362c2d9e99628e3d0bd610ea4fea9bf85213888
latest	docker.io/tecnativa/doodba@sha256:7c6c8d1ea4d4cf398d4ac8fd08242c755191734af41254e87c00eeda1aba858c
latest-onbuild	docker.io/tecnativa/doodba@sha256:a5a5c5b9c4c0b5869feec98cff81b859645607b7839d598398d31546cf09e2ba

How to update?

Make sure openupgradelib is included in some form in your scaffolding as a pip dependency, if you needed it.

[yajo]

Require [options] when declaring configurations

When will this happen?

Sadly it already happened after merging #227. I wasn't expecting this breakage, but it happens to be better to have it than to fix it.

Why will this happen?

We needed a way to define defaults in odoo config files which doesn't conflict with the problem of odoo v11 and v12 not allowing duplicate sections or keys, so we ended up creating a smarter config merger that allowed that.

What does it break?

Before this patch, in images odoo 11 and 12, you had to remove the duplicated [options] section if you had more than 1 config file with options for that section. Now, if there are options without section, you'll get an error similar to:

doodba INFO: Merging found configuration files in /opt/odoo/auto/odoo.conf
Traceback (most recent call last):
  File "/usr/local/bin/config-generate", line 36, in <module>
    parser.read(os.path.join(dir_, file_))
  File "/usr/local/lib/python3.5/configparser.py", line 696, in read
    self._read(fp, filename)
  File "/usr/local/lib/python3.5/configparser.py", line 1077, in _read
    raise MissingSectionHeaderError(fpname, lineno, line)
configparser.MissingSectionHeaderError: File contains no section headers.
file: '/opt/odoo/custom/conf.d/10-custom.conf', line: 2
'limit_memory_hard = 34359738368\n'
Traceback (most recent call last):
  File "/opt/odoo/common/entrypoint", line 32, in <module>
    subprocess.check_call(command)
  File "/usr/local/lib/python3.5/subprocess.py", line 271, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '/opt/odoo/common/entrypoint.d/50-config-generate' returned non-zero exit status 1
Traceback (most recent call last):
  File "/usr/local/bin/build", line 39, in <module>
    "odoo", "--version",
  File "/usr/local/lib/python3.7/subprocess.py", line 347, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['docker-compose', 'run', '--rm', 'odoo', '--version']' returned non-zero exit status 1.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images:

Tag	Hash
8.0	Unknown
8.0-onbuild	docker.io/tecnativa/doodba@sha256:be5b1f9c931c068259146d532b05843c69eeef808443db5159b48a1e6f1746d5
9.0	Unknown
9.0-onbuild	docker.io/tecnativa/doodba@sha256:99b723fc1559b5cd2df59b49572ea84cdef5839983ba818ff4f19625192dbb63
10.0	Unknown
10.0-onbuild	docker.io/tecnativa/doodba@sha256:744cd18e3a342d97ebb11b761c8def30fc568152defc3acf5ef02cede721f8b5
11.0	Unknown
11.0-onbuild	docker.io/tecnativa/doodba@sha256:aa3d45aad3868f3a9848a3c4ff19bd93abd0a57e9e1ef2da56a01542adeba5b4
12.0	Unknown
12.0-onbuild	docker.io/tecnativa/doodba@sha256:58811244e59a77ac99edb54a4d36182daf45509661b6e31d7f56aead1c89ecf1
latest	Unknown
latest-onbuild	docker.io/tecnativa/doodba@sha256:a287e2037344acdc7800b3b7e725b7ec0c29006feea2246c22c77c9cb349e5cb

How to update?

All your files into odoo/custom/conf.d in your scaffoldings must start with [options] (or the corresponding section). No option should be left without section.

[yajo]

Some helper scripts deprecated in old versions, and removed in v13+

When will this happen?

The deprecation already happened in #237, and the removal in v13 already happened in #238.

Why will this happen?

All the deprecated scripts have newer and better alternatives:

• autoupdate 👉 click-odoo-update. The new alternative doesn't rely on an addon being installed in the database, and is supported by the community at https://github.com/acsone/click-odoo-contrib. Besides, it supports updating in parallel reducing downtime, thanks to update: Parallel DB locks watcher acsone/click-odoo-contrib#38.
• install.sh was used to merge some installation instructions that were similar-but-different for versions 7.0-10.0. Since then, we have a separate Dockerfile per version, so that script is deprecated. You probably never used this script actually.
• python-odoo-shell can be safely replaced with click-odoo, which is better supported, better documented, more predictable and allows for simple python scripts that have no linter warnings nor injected magical variables. Really, much better. Try it.
• unittest script can be replaced by the addons script. The latter is used intensively in Doodba QA so it's more stable. uittest module1,module2 is equal to addons update -tw module1,module2, with the difference that you can run also addons init -tw module1,module2 in case you need to test them in init mode. This way you also get more used to the addons script, which features many useful things to use in doodba development.

What does it break?

Actually nothing. In v12- they are still there but emit a deprecation warning. In v13+ they no longer exist, but that's a new version so we're not really breaking anything.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images: Not really broken. Just v13, which is new and has no old unaffected version.

How to update?

Just get used to the new alternatives, before you update to v13 and find them missing.

[yajo]

Replacing SMTP relay container to use tvial/docker-mailserver

When will this happen?

When Tecnativa/doodba-scaffolding#56 is merged. Subscribe there for updates.

Why will this happen?

It's probably easier to understand Klingon than Postfix.

The image we ship by default nowadays, https://github.com/Tecnativa/docker-postfix-relay, depends basically on me to make it work. Some bugs appeared and I miss the lack of a strong community behind it. That's what https://github.com/tomav/docker-mailserver provides (because the bugs are almost the same).

OTOH, docker-mailserver can act as a relay or as a real mail server, with SMTP, IMAP, POP3, SPAM/Virus filters, fail2ban, etc.. We will ship it with all of that disabled, but now our included batteries are just more powerful.

What does it break?

• It uses new volumes, so the old smtp volume, which holded the outgoing queue until today, will no longer be used.

• Until today, the .docker/smtp.env file had to define a MAIL_RELAY_PASS variable. From now on, this variable must be RELAY_PASSWORD, and otherwise your relay won't contact the outer world SMTP server. This change is documented in Document new RELAY_PASSWORD variable #272.

• tecnativa/postfix-relay included an option to wrap unauthorized domains into a format like noreply+original_sender-unauthorized_domain-com@authorized_domain.com. That will change to the actual standard of doing such things, which is called SRS and included out of the box in tvial/docker-mailserver.

Last non-breaking image/scaffolding version

Scaffolding: https://github.com/Tecnativa/doodba-scaffolding/tree/1bf8a8f0d5e9af713a11ed89ea3cdabfb097da3a

Images: Not affected.

How to update?

• You'll be safe as long as you don't update the scaffolding.
• When you update it, make sure you change the contents of the .docker/smtp.env file.
• Before you run docker-compose up -d next time, be sure the current smtp container has an empty queue (a.k.a. it's logging nothing ATM).

[yajo]

Switch to Python 3.7 runtime in Doodba 11.0 and 12.0

When will this happen?

When #290 gets merged. Subscribe there for updates.

Why will this happen?

Python 3.5 is flawed with https://bugs.python.org/issue24291, which affects Odoo as explained in odoo/odoo#20158. Odoo included odoo/odoo@d9b721c as a workaround, but it doesn't actually work. We still see the bug.

The only way to fix the bug is to update to Python 3.6+, where it's fixed. We decide to use version 3.7 to have a bigger support window from upstream.

Doodba 11.0 and 12.0 need to be updated.

What does it break?

The base debian distro remains the same, so most apt dependencies will keep working.

Previously it was already unsupported to install python3 packages from debian repos, and your dependencies in pip.txt file will be now installed in python 3.7 automatically, so it shouldn't be a problem also.

However, some cases could happen:

1. Your code could be incompatible with python 3.7.
2. ... or some of your dependences.
3. ... or some of your build.d scripts.
4. ... or anything that is hardcoded for 3.5.

So if your build fails, fix it wherever needed to make it compatible with python 3.7.

Last non-breaking image/scaffolding version

Scaffolding: Not affected.

Images:

Tag	Hash
7.0	Not affected
7.0-onbuild	Not affected
8.0	Not affected
8.0-onbuild	Not affected
9.0	Not affected
9.0-onbuild	Not affected
10.0	Not affected
10.0-onbuild	Not affected
11.0	tecnativa/doodba@sha256:6a3c060de5cfe9bd0220986ce718092057566cc9a496d517f4cef33cd1f93b68
11.0-onbuild	tecnativa/doodba@sha256:4221f89b68a6d27b59fda329002086812087ab7dda9d30021c00153a2a87d470
12.0	tecnativa/doodba@sha256:ce6ce69899a81bdaeeca2053ccad4f807a5062b0dcf9c9a3931ad145a80e363c
12.0-onbuild	tecnativa/doodba@sha256:c1c189fd65e8436c9a3d2dfb8855f22fbde35830aada0baac1b729eb4552ffdb
13.0	Not affected
13.0-onbuild	Not affected
latest	Not affected
latest-onbuild	Not affected

How to update?

Generally you have to do nothing special, or, in the case this affects your code, you'll have to either pin the base image version or fix your code to make it forwards-compatible to python 3.7.

[yajo]

Deprecation of Doodba Scaffolding

When will this happen?

When Tecnativa/doodba-scaffolding#69 is merged. Subscribe there for updates.

Why will this happen?

Because of many reasons.

What does it break?

Your workflow to update your child projects will change.

Now, you will have to replace git pull scaffolding master with copier update.

More details in the transition docs.

Last non-breaking image/scaffolding version

Scaffolding: Tecnativa/doodba-scaffolding@d23bf43

Images: Not affected.

How to update?

Read the transition docs.

And head to our new project in the doodba family: https://github.com/Tecnativa/doodba-copier-template.

[yajo]

Switch to Python 3.5 runtime in Doodba 11.0 and 12.0, and 3.6 in 13.0

When will this happen?

When #310 gets merged. Subscribe there for updates.

Why will this happen?

#67 (comment) was false.

Actually the problem was quite different, and python 3.5 has a workaround in Odoo code for that bug. The real fix to the problem explained there is odoo/odoo#51824.

The version of gevent that is pinned in Odoo requirements files don't seem to work fine with python 3.7, which was too new when they got released.

Thus, we will do our best to stick to the oldest python version supported by each Odoo release, as this one is the one actually used by upstream in production. As such, we're going back to those versions.

What does it break?

The base debian distro remains the same, so most apt dependencies will keep working.

Previously it was already unsupported to install python3 packages from debian repos, and your dependencies in pip.txt file will be now installed in python 3.5/3.6 automatically, so it shouldn't be a problem also.

However, some cases could happen:

1. Your code could be incompatible with python 3.5/3.6.
2. ... or some of your dependences.
3. ... or some of your build.d scripts.
4. ... or anything that is hardcoded for 3.7.

So if your build fails, fix it wherever needed to make it compatible with python 3.5/3.6.

Last non-breaking image/template version

Template: Not affected.

Images: Obtain SHA of images from CI logs in 4401ddd

How to update?

Generally you have to do nothing special, or, in the case this affects your code, you'll have to either pin the base image version or fix your code to make it backwards-compatible to python 3.5/3.6.

[yajo]

Forbidding incompatible pip dependencies

When will this happen?

When #313 gets merged. Subscribe there for updates.

Why will this happen?

Pip doesn't ensure yet your dependencies are not broken, so you could be having false positive buillds with broken dependencies.

It seems like it will do so soon, but in the mean time there's a simple workaround for us that is being applied everywhere in doodba.

What does it break?

Your builds, if they were broken but accidentally susccessful.

Last non-breaking image/template version

Template: Not affected.

Images: Obtain SHA of images from CI logs in https://github.com/Tecnativa/doodba/actions/runs/122313069

How to update?

Generally you have to do nothing special, or, in the case some of your builds is broken, you will see in the logs which dependencies conflict. Then, fix them properly and rebuild.

[joao-p-marques]

Switch to Python 3.8 runtime in Doodba 14.0

When will this happen?

When #332 is merged. Subscribe there for updates.

Why will this happen?

Seems like Odoo is using Python 3.8 for Runbots and Odoo.sh in v14: odoo/runbot#414 (comment)

We want to coincide with their environment.

What does it break?

The base debian distro remains the same, so most apt dependencies will keep working.

Previously it was already unsupported to install python3 packages from debian repos, and your dependencies in pip.txt file will be now installed in python 3.8 automatically, so it shouldn't be a problem also.

However, some cases could happen:

1. Your code could be incompatible with python 3.8.
2. ... or some of your dependences.
3. ... or some of your build.d scripts.
4. ... or anything that is hardcoded for 3.6.

So if your build fails, fix it wherever needed to make it compatible with python 3.8.

Last non-breaking image/template version

Template: Not affected.

Images: Obtain SHA of images from CI logs in https://github.com/Tecnativa/doodba/actions/runs/303904322

How to update?

Generally you have to do nothing special, or, in the case some of your builds is broken, you will see in the logs which dependencies conflict. Then, fix them properly and rebuild.

[joao-p-marques]

Always regenerating /opt/odoo/auto/odoo.conf

This file was only regenerated if no previous one existed. Now, it will be always regenerated.

When will this happen?

When #338 gets merged. Subscribe there for updates.

Why will this happen?

This is a dynamic file, as it take several information from, for example, environment variables. As of the current version, it wouldn't be regenerated, even if you changed environment variables that needed to be referenced by it.

What does it break?

If you have a custom odoo.conf file under odoo/auto, it will get regenerated.

Last non-breaking image/scaffolding version

Template: Not affected.

Images: Obtain SHA of images from CI logs in https://github.com/Tecnativa/doodba/actions/runs/339622888

How to update?

In most cases, you won't have to do anything. If you have custom configurations in your /opt/odoo/auto/odoo.conf file, move them to separate files under conf.d/ in your project root dir (will be copied to /opt/odoo/common/conf.d/ and used to regenerate the new conf file) or move your /opt/odoo/auto/odoo.conf to another file that is mounted on the container, and change the OPENERP_SERVER environment variable to point to it.

[joao-p-marques]

Deprecation of Doodba images before v11

When will this happen?

Once #408 is merged, we will only be supporting Doodba from versions >= 11.

Furthermore, from now on, we will only actively maintain the latest 4 official Odoo versions, although all the resources will remain available in our repositories for the older versions (in Git history), and the latest successfully built image will remain in the Docker Hub and GHCR registries.

Since the latest automated builds were being unsuccessful, the image available for up to version 10 is from 2 weeks ago. The image hasn't received updates ever since, including the ones that arrived in the most recent ones in the meantime.

Why will this happen?

The base image and some important resources associated with those older version's images are reaching their EOL and not receiving support, so maintaining the images will tend to be impossible.

What does it break?

As the images will remain built in the registries, it should not break anything. It is even possible to keep using those as a base for other images, installing other packages on top.

However, those will not receive patches and security updates neither from us nor from the maintainers of any package present in the latest build.

Last non-breaking image/template version

Template: Not affected.

Images:

• v7: Package doodba · GitHub
• v8: Package doodba · GitHub
• v9: Package doodba · GitHub
• v10: Package doodba · GitHub

[yajo]

Change of UMASK integer format to use common octal integers

When will this happen?

Once #413 is merged, UMASK needs to be given as an octal integer.

Why will this happen?

Umasks in linux usually are given as an octal integer when in integer form. Also all documentation mentioned a UMASK that pointed to octal integer form. But during autoaggregate the string given as UMASK was read a decimal integer which would give unexpected results.

What does it break?

Users specifying a UMASK as decimal integer may get the wrong permissions after this change. Users following the documentation and specifying the umask as octal integer (e.g. UMASK=$(umask), UMASK=27 or using https://github.com/Tecnativa/doodba-copier-template/blob/main/tasks_downstream.py) should get the correct permissions with this change.

Previously linux umask 0027 (permit nothing for others, do not permit write for group) needed to be given as UMASK=23. Whereas UMASK=27 would have been linux umask 0033 (do not permit read and write for group and other (but allow execute for group and others))

Last non-breaking image/template version

Template: not affected.

Images

Tag	Digest
latest-onbuild	sha256:1ab011d7a1e9b517e82178b4aa45d999b5f02525905d2fff87e4c76e2391a11f
latest	sha256:57080aaae70952a3bbba36eb0cb53f19929ff79582cd0b02c0acab03d8fa41ca
14.0-onbuild	sha256:1ab011d7a1e9b517e82178b4aa45d999b5f02525905d2fff87e4c76e2391a11f
14.0	sha256:57080aaae70952a3bbba36eb0cb53f19929ff79582cd0b02c0acab03d8fa41ca
13.0-onbuild	sha256:472797aa64f669d19f4acd09242182b3efca9ea2eee74848e4843ab7ba08b9fe
13.0	sha256:9f8e76f82b872c6999e78443d380e2c5b48f057a101abbdc912bb109e7634ed8
12.0-onbuild	sha256:3d114db5aa8ef3cfd69ccb1ae7c9218e1be8e6889b8b165656495d1f0bc89854
12.0	sha256:e91cafb03c3d72d7206774403cef5df52d7da4c5eaf37979c07dc48efe666b5b
11.0-onbuild	sha256:a9fe43e907dbd950a3bcd1102e4a87985368106b75cc0e294a63b05d68ae01e7
11.0	sha256:15d86baaca32e843c4fa7cd9378a1c151c34f11c513f86ff4f9eb09c5611ff92
10.0-onbuild	sha256:9a8ff14897991b37465ae00ed86f629ee190f7161250ed066e109365e0fe6308
10.0	sha256:4dbcc757892acec5a5ee6b06944a8163e17a2dab8369021bd296e65635f9254c
9.0-onbuild	sha256:49d1430aae54aa3e7d8b538dec27e00d7be26af637467a4ecaa79d2051d735e5
9.0	sha256:33e2af13582a70a9b8c81468feba6df9767496a2c2d0855cfc82d44d12d78107
8.0-onbuild	sha256:016a5e553eba4804c728afe300d61b4669dca835164cc4b1217a3b71d6bf77d1
8.0	sha256:2012782cfb7f0c8d381618ac769cf47bf342a82c6d95bb8847ff9321bc0e5b44
7.0-onbuild	sha256:edecde0b85653f91e75290689bfd27f4e873173d36501e7e5bba82126af56c63
7.0	sha256:f022d5e7051883153f4bb53794012fcf02936806d131b7d19cbc1734fe900fb2