OpenVox GUI Version 3.10.6
This guide explains how to update your existing OpenVox GUI installation to the latest version. Updates bring new features, bug fixes, and security improvements.
- Before You Update
- Quick Update (Recommended)
- Manual Update Process
- Update Scripts
- Rollback Process
- Troubleshooting Updates
- Version History
ovox is a first-class subsystem with its own ovox/VERSION file. When you run update_local.sh or deploy.sh, the CLI is refreshed along with the rest of the application.
After an update, verify with:
ovox --versionSee the full ovox documentation for details on its independent versioning.
Think of updating like changing the oil in your car - you want to prepare first:
-
Check Your Current Version
# Look at the bottom-left of the web interface # OR run this command: curl -k https://localhost:4567/health
-
Read the Release Notes
- Check what's new in the version you're updating to
- Look for any breaking changes or special instructions
- See the Changelog for details
-
Backup Your Data (Very Important!)
# Create a backup directory sudo mkdir -p /backup/openvox-gui # Backup your data and configuration sudo cp -r /opt/openvox-gui/data /backup/openvox-gui/data-$(date +%Y%m%d) sudo cp -r /opt/openvox-gui/config /backup/openvox-gui/config-$(date +%Y%m%d)
-
Schedule a Maintenance Window — Automatic via Scripts (3.7.3+)
- Updates usually take 5-10 minutes.
- The service will be briefly unavailable to web users.
- Notify your users if needed.
- Automatic behavior:
update_local.sh,update_remote.sh, anddeploy.shnow automatically raise the maintenance flag (/opt/openvox-gui/data/maintenance.flag+ richmaintenance.json) and ensure the branded static page is in place before any file overwrites or service restarts. A shelltrapguarantees the flag is removed on any exit (success, failure, or interrupt). Web users see the themed "Under Maintenance" page (Formal or Casual, with OpenVox fox SVG) via Apache instead of errors or raw JSON. Themaintenance/assets are also copied on every run. - Manual override/control remains available:
ovox maintenance enable -m "Applying GUI update $(cat VERSION)" -e "20 minutes" -y # ... perform the update ... ovox maintenance disable
- See
maintenance/README.mdfor the complete program (static pages,ovox maintenanceCLI commands + sub-group underinfra, backend 503 middleware, Apache config example, flag locations, workflows, and troubleshooting). The scripts also ensure proper permissions for the web server user.
3.6.0 introduces the OpenVox Agent Installer -- a local
package mirror under /opt/openvox-pkgs/ plus PE-style
curl ... | sudo bash agent install scripts served on port 8140 --
plus comprehensive security hardening (per-route role enforcement,
encrypted LDAP bind password, HMAC-verified deploy webhook, JWT
revocation on logout, tightened sudoers).
When you upgrade an existing installation to 3.6.0, update_local.sh
will:
- Drop the new
sync-openvox-repo.shscript and the agent installer templates into your install dir. - Render
install.bashandinstall.ps1with your puppetserver FQDN baked in. - Install the systemd timer + service (
openvox-repo-sync.{timer,service}) and enable the timer for nightly auto-sync at 02:30. - Drop the puppetserver static-content mount config into
/etc/puppetlabs/puppetserver/conf.d/(you'll be reminded to restart puppetserver to activate it on port 8140). - Offer an interactive "Sync now?" prompt -- because the local
mirror starts out empty on first upgrade. Answer
yto populate it immediately; answerN(or run with--auto/--force) to leave it empty until either the GUI's "Sync now" button or the 02:30 timer.
⚠️ The first sync downloads roughly 1-2 GB and can take 15-45 minutes on a typical broadband connection. Subsequent syncs are incremental. If you skip the initial sync prompt, the agent install one-liners will return install.bash correctly but agents will fail at the package-install step until the mirror is populated.
After the upgrade, visit Infrastructure -> Agent Install in the GUI. The page now consists of:
- One Install Commands card with five tabs: Linux, Windows, Direct URLs, Mirror Status, Sync Log -- "Sync now" button in the card header (always visible, no matter which tab is active).
- One Pending Certificate Requests card with Sign and Reject buttons (so the whole agent bring-up workflow lives on one page -- paste the install one-liner, wait for the CSR to appear, click Sign).
The published Linux one-liner is now the bare PE-style form:
curl -k --noproxy <fqdn> https://<fqdn>:8140/packages/install.bash | sudo bashNo --server arg, no bash -s -- -- the script auto-discovers the
puppetserver FQDN from the kernel's TCP state, installs the puppet
CA into the agent's system trust store, sets no_proxy, and runs
the package install.
See docs/INSTALLER.md for the full feature guide.
MANDATORY ACTION (only if you use the GitHub deploy webhook): 3.6.0 hardened
/api/deploy/webhookto require HMAC-SHA256 signature verification. The endpoint is disabled by default after the upgrade and returns 503 until you opt in. If you have a GitHub webhook currently pointed at this endpoint, run once:SECRET=$(openssl rand -hex 32) echo "OPENVOX_GUI_DEPLOY_WEBHOOK_SECRET=${SECRET}" | sudo tee -a /opt/openvox-gui/config/.env sudo systemctl restart openvox-gui echo "Now paste this string into the GitHub webhook 'Secret' field:" echo "${SECRET}"If you don't use the deploy webhook, ignore -- leaving it disabled is the safer default.
This is the easiest and safest way to update. The update script handles everything for you.
Key concept: OpenVox GUI uses a clone-then-deploy architecture. Your git repository lives in a staging directory (e.g.
~/openvox-gui), and the running installation lives at/opt/openvox-gui. The install directory is not a git repo — it is a deployment target. Updates are pulled in the staging repo, then deployed to/opt.
# Go to wherever you originally cloned the repo
cd ~/openvox-gui# Get the latest version from GitHub
git pull origin main# Deploy the updated code to /opt/openvox-gui and restart
sudo ./scripts/update_local.shThe script automatically:
- ✅ Backs up your data and configuration from
/opt/openvox-gui - ✅ Deploys updated backend, frontend, and scripts from the source repo
- ✅ Preserves your configuration (
.env, data, certs) - ✅ Updates Python dependencies
- ✅ Rebuilds the frontend
- ✅ Restarts the service
- ✅ Verifies everything is working
# Check the new version
curl -k https://localhost:4567/health
# Should show something like:
# {"status":"ok","version":"3.10.6"}Open your browser and refresh the page. You might need to clear your browser cache:
- Windows/Linux: Ctrl + F5
- Mac: Cmd + Shift + R
If the automatic update doesn't work or you prefer to do it manually, follow these steps:
# Stop OpenVox GUI
sudo systemctl stop openvox-gui
# Verify it's stopped
sudo systemctl status openvox-gui# Create backup directory with timestamp
BACKUP_DIR="/backup/openvox-gui-$(date +%Y%m%d-%H%M%S)"
sudo mkdir -p $BACKUP_DIR
# Backup everything important
sudo cp -r /opt/openvox-gui/data $BACKUP_DIR/
sudo cp -r /opt/openvox-gui/config $BACKUP_DIR/
sudo cp -r /opt/openvox-gui/backend $BACKUP_DIR/
sudo cp -r /opt/openvox-gui/frontend $BACKUP_DIR/
echo "Backup created at: $BACKUP_DIR"# Go to your source repository (NOT /opt/openvox-gui)
cd ~/openvox-gui
# Fetch latest changes
git fetch origin
# Check what will change
git log HEAD..origin/main --oneline
# Pull the updates
git pull origin main
# Deploy updated files to /opt/openvox-gui
sudo rm -rf /opt/openvox-gui/backend
sudo cp -a backend /opt/openvox-gui/
sudo cp VERSION /opt/openvox-gui/
sudo rm -rf /opt/openvox-gui/frontend
sudo cp -a frontend /opt/openvox-gui/
sudo cp scripts/enc.py scripts/deploy.sh scripts/update_local.sh /opt/openvox-gui/scripts/# Update Python packages using the install dir's venv
sudo /opt/openvox-gui/venv/bin/pip install --upgrade -r /opt/openvox-gui/backend/requirements.txt# Check if frontend needs rebuilding
if [ -f "frontend/dist/.build-version" ]; then
OLD_VERSION=$(cat frontend/dist/.build-version)
NEW_VERSION=$(cat frontend/package.json | grep version | head -1 | awk -F'"' '{print $4}')
if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then
echo "Frontend needs updating..."
cd frontend
npm install
npm run build
cd ..
fi
else
# No version file, rebuild to be safe
cd frontend
npm install
npm run build
cd ..
fi# Ensure correct ownership
sudo chown -R puppet:puppet /opt/openvox-gui# Start OpenVox GUI
sudo systemctl start openvox-gui
# Check it's running
sudo systemctl status openvox-gui
# View logs to ensure no errors
sudo journalctl -u openvox-gui -n 50OpenVox GUI includes several update scripts for different scenarios:
Run from your source repo to deploy updates to /opt/openvox-gui:
cd ~/openvox-gui
git pull origin main
sudo ./scripts/update_local.shDuring update, if SSL is not yet enabled, the script will prompt:
SSL is not enabled on port 4567.
Enable SSL using Puppet certs? [y/N]:
Answering y enables HTTPS via Puppet certificates and restarts the service.
Options:
--skip-backup- Don't create a backup (not recommended)--force- Update even if versions match
Updates OpenVox GUI on a remote server via SSH:
# Specify the target server
./scripts/update_remote.sh --host server.example.com --user jsheets --yes
# Or set defaults via environment variables
export OPENVOX_DEPLOY_HOST=server.example.com
export OPENVOX_DEPLOY_USER=admin
./scripts/update_remote.sh --yesThis is useful for updating installations from a development machine or CI pipeline. SSH key-based authentication must be configured for the target server.
Set up automatic updates (use with caution). Since the update script must run from the source repo, create a small wrapper:
# Create an update wrapper script
cat > /usr/local/bin/openvox-gui-update.sh << 'EOF'
#!/bin/bash
cd /root/openvox-gui && git pull origin main && ./scripts/update_local.sh --auto
EOF
chmod +x /usr/local/bin/openvox-gui-update.sh
# Edit crontab
sudo crontab -e
# Add this line to update weekly on Sunday at 2 AM
0 2 * * 0 /usr/local/bin/openvox-gui-update.sh >> /var/log/openvox-update.log 2>&1OpenVox GUI supports clean switching between stable and beta branches. The update script handles everything — file deployment, Python dependencies, database migrations, frontend rebuild, service file, sudoers, and restart.
cd ~/openvox-gui
git checkout feature/bolt-dynamic-inventory
sudo ./scripts/update_local.sh --forcecd ~/openvox-gui
git checkout main
sudo ./scripts/update_local.sh --forceThe --force flag ensures the deploy runs even if version numbers match between
branches. The script displays a warning when it detects a branch switch:
⚠ Branch switch: main → feature/bolt-dynamic-inventory
| Component | Action |
|---|---|
| Backend code | Completely replaced from the new branch |
| Frontend | Completely replaced and rebuilt |
| Python dependencies | Reinstalled from the branch's requirements.txt |
| Database migrations | Applied (upgrade head) or reverted as needed |
| Branch-specific files | Deployed if present, removed if absent (e.g., bolt-plugin/) |
| Data and config | Preserved — your .env, database, and logs are never touched |
| Service file + sudoers | Updated and reloaded automatically |
- Data is safe: Your database,
.envconfig, and logs are never deleted during a branch switch. The switch only replaces application code. - Database schema: If a beta branch adds new database columns, they are applied via Alembic migrations. Reverting to stable leaves the extra columns in place (SQLAlchemy ignores columns it doesn't know about). For a truly clean revert, run
alembic downgrade 001_baselinebefore switching branches. - Use
--force: Always use the--forceflag when switching branches. Without it, the script may skip the deploy if the version numbers happen to match.
If something goes wrong after an update, you can rollback to the previous version:
If you just updated and need to rollback immediately:
# Stop the service
sudo systemctl stop openvox-gui
# Restore your backup (created automatically by update_local.sh)
# Find the latest backup:
ls /backup/openvox-gui/
# Restore data and config from the backup
sudo cp -r /backup/openvox-gui/TIMESTAMP/data/* /opt/openvox-gui/data/
sudo cp -r /backup/openvox-gui/TIMESTAMP/config/* /opt/openvox-gui/config/
# Restart the service
sudo systemctl start openvox-guiTo rollback to a specific version, revert the source repo and redeploy:
# Go to your source repo
cd ~/openvox-gui
# List available versions (tags)
git tag -l
# Checkout a specific version
git checkout v1.3.0
# Redeploy that version
sudo ./scripts/update_local.sh --forceIf you have a full backup:
# Stop the service
sudo systemctl stop openvox-gui
# Move current installation aside
sudo mv /opt/openvox-gui /opt/openvox-gui.broken
# Restore from backup
sudo cp -r /backup/openvox-gui-20240115 /opt/openvox-gui
# Fix permissions
sudo chown -R puppet:puppet /opt/openvox-gui
# Start the service
sudo systemctl start openvox-guiSolution: You have local changes in your git repo that conflict with updates:
# Go to your source repo
cd ~/openvox-gui
# See what files are changed
git status
# To keep the official version (recommended):
git reset --hard origin/main
# OR to keep your changes:
git stash
git pull
git stash pop
# Then manually resolve conflictsSolution: Check the logs for errors:
# Check service status
sudo systemctl status openvox-gui
# View detailed logs
sudo journalctl -u openvox-gui -n 100 --no-pager
# Common fixes:
# 1. Fix permissions
sudo chown -R puppet:puppet /opt/openvox-gui
# 2. Reinstall Python dependencies
cd /opt/openvox-gui
source venv/bin/activate
pip install -r backend/requirements.txt
deactivate
# 3. Check configuration file
sudo nano /opt/openvox-gui/config/.envSolution: Clear your browser cache:
-
Force refresh the page:
- Windows/Linux:
Ctrl + F5 - Mac:
Cmd + Shift + R
- Windows/Linux:
-
Clear browser data:
- Chrome: Settings → Privacy → Clear browsing data
- Firefox: Settings → Privacy → Clear Data
- Safari: Develop → Empty Caches
-
Try incognito/private mode to verify it's a cache issue
Solution: Python dependencies need updating:
cd /opt/openvox-gui
source venv/bin/activate
pip install --upgrade -r backend/requirements.txt
deactivate
sudo systemctl restart openvox-guiSolution: Run database migrations:
cd /opt/openvox-gui/backend
source ../venv/bin/activate
python -m alembic upgrade head
deactivate
sudo systemctl restart openvox-guiIf you're stuck:
-
Check the update log:
sudo journalctl -u openvox-gui --since "10 minutes ago" -
Verify file permissions:
ls -la /opt/openvox-gui/ # Should be owned by puppet:puppet -
Test the configuration:
cd /opt/openvox-gui source venv/bin/activate python -c "from backend.app.config import settings; print('Config OK')" deactivate
-
Ask for help:
- Check GitHub Issues
- Include your version, error messages, and what you tried
OpenVox GUI uses Semantic Versioning (SemVer 2.0.0) plus optional pre-releases:
- Stable:
MAJOR.MINOR.PATCH(example: 3.10.6 — current stable onmain) - Pre-release / beta trains: e.g.
3.10.6,3.10.3b14,3.9.0-dev.42, historical alpha labels such as3.10.04.a8on feature branches - ovox CLI version always matches the GUI (root
VERSIONfile) as of 3.7.3
Rules of thumb:
- MAJOR — big changes that might break compatibility
- MINOR — new features that are backwards compatible
- PATCH — bug fixes and small improvements
- Prefer the latest stable GitHub Release for production; use betas only on lab/test unless you mean to
Examples:
3.10.4→3.10.6: GUI performance (Dashboard lean PDB extract, multi-worker uvicorn, graph-page SWR)3.10.2→3.10.4: Live fleet consistency + 3.10.3 beta train (Log Viewer, ENC, Inventory, export, Executive Summary)3.10.3b14→3.10.4: Beta train promoted to stable (same code family)3.9.7→3.10.2: Feature line promotion (Insights NOC, ops UI, Orchestration #38)1.4.8→2.0.0: Major new feature (LDAP authentication) — see CHANGELOG for historical detail
Version 3.10.6 (Current stable — July 2026)
- Promotes 3.10.5-dev.1–dev.5 on
main(GitHub Release) - Performance: Dashboard lean PuppetDB trend extract; multi-worker uvicorn (
OPENVOX_GUI_UVICORN_WORKERS); API TTL caches; GZip; graph-page session SWR — see docs/PERFORMANCE.md - After upgrade: hard-refresh browsers once; confirm
systemctl cat openvox-guishows--workers N - Default git branch remains
main(nostagingbranch)
Version 3.10.4 (stable — July 2026, superseded by 3.10.6 for new installs)
- Promotes 3.10.3b1–b14 on
main(GitHub Release) - Live fleet = active PuppetDB ∩ signed CA (
get_live_nodes) for Nodes, Inventory, ENC, Dashboard, Node Health; ENC prunes SQLite ghosts - Nodes All Nodes export (CSV / JSON / text, column picker, respects filters)
- Log Viewer Agent journal-first + identifier / host-journal fallbacks; sudoers
-trules - Purge / Bolt config / Executive Summary reliability fixes (see CHANGELOG)
- After upgrade: open Classification (ENC) once so reconciliation runs; review sudoers backup if you used local overrides
Version 3.10.2 (stable — June 2026, superseded by 3.10.6 for new installs)
- Promotes the 3.10 line on
mainafter the3.10.a_r_alpha.6merge and 3.10.1.b1 / 3.10.1.b2 betas (GitHub Release) - Monitoring NOC multi-graph wallboard with shared UTC timeline; live JMX series timestamp fix
- Ops UI — OpsTable, FilterBar, Insights hub (
/insights,/insights/all) - Orchestration: one Bolt run per click (fixes triple execution — GitHub #38)
Version 3.10.1.b2 (beta, superseded by 3.10.2 / 3.10.4 / 3.10.6)
- Orchestration single-run fix only (#38); prefer upgrading to 3.10.6
Version 3.7.0
- Metrics / Insights section — visualization pages: Run Performance (JMX), Fleet Compliance, Fleet Fact Overview, Catalog Graph (React Flow), PuppetDB Health, Change Timeline, Environment Comparison, Node Heatmap, Classification Tree, Class Coverage
- Certificate Audit tool for finding/cleaning orphaned CA certs
- Navigation and chart polish; server-side caching (30s TTL) for expensive PuppetDB queries
- Maintenance program foundations (
ovox maintenance, branded maintenance pages)
Version 3.6.6
- SSL Certificate Wizard — guided web certificate and Puppet CA intermediate workflows
- Unclassified Nodes pane on Classification page now always visible
- Security & maintenance: dependency updates, sqlite3 crash fix, sudoers hardening
Version 3.6.5
- Node Scope filter on Fact Explorer (ENC group chip bar with multi-select)
- "All Nodes" chip for clearing group filters
Version 3.6.4
- Unclassified Nodes panel on the Nodes page
- Purge Node button on Node Detail (PuppetDB + ENC + CA removal)
- PuppetDB certname validation for ENC operations
- Fact Explorer sorting, operator filtering, and row limiting
Version 3.6.0
- OpenVox Agent Installer with local package mirror
- Webhook HMAC security hardening
- Per-subcommand sudoers rules replacing CA wildcards
- Fernet-encrypted LDAP bind password at rest
Version 3.3.0
- Orchestration targets resolved from PuppetDB in real-time instead of static inventory
- Deploy health checks use HTTPS when SSL is enabled (fixes false "not healthy" errors)
- Native SSL support on port 4567 with Puppet certs; SSL Configuration tab
- Reports grouped by ENC node groups; broader navigation foundations
Version 2.3.x
- Zero CVEs — all dependencies audited and upgraded (FastAPI 0.135.1, PyJWT 2.12.1)
- python-jose replaced with PyJWT (eliminates unfixable ecdsa CVE)
- Run OpenVox output panel on Node Detail page
- ENC groups in Orchestration target selector
- r10k deploy wrapper for proper environment reconstruction
- Clone-then-deploy update architecture (scripts + documentation)
- SUDOERS.md configuration guide
Version 2.0.x–2.2.x
- LDAP / Active Directory split authentication
- Per-user authentication source selection (local or LDAP)
- Auto-provisioning of LDAP users on first login
- Installer proxy support for corporate environments
- Node.js auto-installation from system repos
- Comprehensive security headers and rate limiting
Version 1.4.x
- Fixed "Run OpenVox" button (uses bolt command run instead of missing task)
- All Dependabot security alerts resolved
- Python upgraded from 3.9 to 3.11 on production servers
- Ghost user prevention (username whitespace stripping)
- Centralized version management (single VERSION file)
- User deletion bug fix; comprehensive security headers and rate limiting
Version 1.4.0 (First Production Release)
- Production-ready release with comprehensive documentation
- Graceful handling of application updates during deployments
- Enhanced Fact Explorer with nested fact support
- Comprehensive CA information panel
- Many bug fixes and stability improvements
Version 0.3.x
- Certificate Authority management (sign/revoke/clean)
- Fact Explorer, Resource Explorer, PQL Console
- Theme system (Casual dark mode / Formal light mode)
- Orchestration with Bolt integration
- Hierarchical Node Classifier (4-layer deep merge)
See the full Changelog for complete version history.
- Always backup first - It takes 1 minute and can save hours
- Read release notes - Know what's changing
- Update regularly - Small frequent updates are easier than big jumps
- Test after updating - Click through main features to verify
- Keep update logs - Note when and what you updated
- Don't skip major versions - Update incrementally (1.2 → 1.3 → 1.4)
- Don't update during peak hours - Users might be affected
- Don't ignore errors - Fix problems before they get worse
- Don't modify core files - Your changes will be lost on update
- Don't forget to clear browser cache - Causes confusion
OpenVox GUI can notify you when updates are available:
-
In the Web Interface:
- A banner appears when a new version is available
- Click "View Update" to see what's new
-
Email Notifications (coming soon):
- Get emailed when updates are released
- Configure in Settings → Notifications
-
Check Manually:
cd ~/openvox-gui git fetch git log HEAD..origin/main --oneline # Shows commits available to pull
Security updates are released as needed and should be applied immediately:
-
Identify security updates:
- Version numbers ending in
.1,.2, etc. often indicate patches - Check release notes for "Security" labels
- Subscribe to security announcements
- Version numbers ending in
-
Apply security updates immediately:
cd ~/openvox-gui git pull origin main sudo ./scripts/update_local.sh --security
-
Verify the update:
# Check version curl -k https://localhost:4567/health # Check logs for any issues sudo journalctl -u openvox-gui -n 100
Remember: Regular updates keep your system secure and running smoothly. When in doubt, backup first and update during a maintenance window!
Need help? Check the Troubleshooting Guide or visit our GitHub page.
This document was created with the assistance of AI (Grok, xAI). All technical content has been reviewed and verified by human contributors.