v1.6.8

What's in v1.6.8

Single-bug patch release. Strictly additive — no schema changes, no breaking changes, no required user action.

The bug

Backups via Netmiko or SCP through an SSH jump-host failed with No authentication methods available whenever the proxy credential used SSH key auth. Sample log from a real deployment:

[INFO]  netmiko_engine: opening proxy jump 10.2.1.10:7006 → 172.22.30.9:22 (proxy user: oxidized)
[INFO]  paramiko.transport: Connected (version 2.0, client OpenSSH_9.2p1)
[ERROR] backup_service: Backup failed for mp-sw1: Netmiko error on mp-sw1: No authentication methods available

TCP connect to the jump host succeeded — auth failed because the proxy code path only ever passed password=... to paramiko, with look_for_keys=False and allow_agent=False. If the proxy credential had no password (only a key), paramiko had zero auth methods to try and gave up immediately. Same problem hit the SCP engine's device-level connect, where direct (non-proxy) SCP also couldn't authenticate with a key alone.

The fix

New shared module app/modules/engines/ssh_auth.py with four helpers:

Helper	What it does
require_ssh_auth(cred, purpose)	Validates the credential has at least one auth method (password OR key) and raises a clear ValueError if not
client_connect_kwargs(host, port, cred, purpose)	Returns the kwargs dict for paramiko.SSHClient.connect: sets key_filename when ssh_key_path is present, password when a password is present, both when both are. If both are configured, paramiko tries the key first and falls back to the password
connect_transport(transport, cred, purpose)	Same logic for the lower-level paramiko.Transport API used by SCP — auth_publickey first, password fallback
load_private_key(path, password)	Loads a private key, trying Ed25519 / RSA / ECDSA / DSA in order

Both engines now route through this helper:

• netmiko_engine._open_proxy() — proxy connect
• scp_engine._open_proxy() — proxy connect
• scp_engine._make_transport() — device-level transport (gains key support it never had before)

Verified

• 6 new unit tests in tests/test_ssh_auth.py covering password-only, key-only, both, neither (raises), and missing username (raises)
• Full suite: 56 passed, 1 skipped (was 50 + 1 before)
• Original repro environment (proxy user oxidized over key auth) now succeeds without changes to the Credential row

Upgrading

Pull and restart — that's it. Existing devices/proxies configured with passwords keep working unchanged. Users who had hit No authentication methods available on key-auth jump hosts will now succeed.

• Docker: docker compose pull && docker compose up -d
• Shell / systemd: rerun install.sh

Commits

• 8049dcc — v1.6.8: SSH proxy / SCP honor key-based auth

v1.6.7

What's in v1.6.7

Three commits, grouped by area below. All changes land on top of v1.6.6 — no breaking changes, no config migration required.

Backup destinations

• Manual backup trigger now honors the destination selection. The /backups/trigger form gained a destination checkbox group; the POST handler accepts destination_ids so runs write to the destinations you pick instead of silently falling back to "the first enabled local destination".
• Multi-destination recording in the Backup row. When a backup writes to more than one destination (e.g. local + SMB), all of them are now recorded and rendered as colored badges in the list / detail / history views. Previously only the last successful destination showed.
• Proxmox / binary-archive backups now ship to every selected destination, not only local. The binary backup handler used to hard-code destination_type = "local"; it now loops every selected destination and calls a new optional save_binary(hostname, data, extension, config) method on DestinationBackend. LocalDestination and SMBDestination implement it; git-family backends are skipped with a warning (archives in git are unusual). Fixes the long-standing "only Brocade backups hit SMB, Proxmox didn't" issue.

New UI

• Per-device backup history at /backups/device/<id>/history — full chronological timeline with First / Changed / Unchanged markers computed from the stored config hash (cheap, no diffing per row), and checkboxes to pick any two backups to compare.
• Compare view at /backups/compare?a=<id>&b=<id> — unified diff between any two backups of the same device. Normalises older→newer automatically, handles identical configs and archive bundles gracefully.
• Destination badges replacing the plain-text "Destination" column across the list / detail / history pages.
• Shortcut links: View all / Compare on the device detail page, History and Compare with previous on each backup detail page.

Safety / upgrade ergonomics

• SECRET_KEY self-test at startup. init_db() now probe-decrypts one credential + one notification channel. If the current SECRET_KEY can't decrypt existing ciphertext (data volume wiped, .env regenerated, migration without copying the key, etc.), a clear WARNING is logged with recovery steps instead of silent empty-error backup failures at runtime. Catches the single biggest upgrade footgun.
• Device edit form: SSH proxy fields stay visible when values are saved. The "SSH Proxy / Jump Host" section was being hidden whenever the engine was not Netmiko or SCP, which also hid any saved proxy data after an engine switch (no way to see or clear it). The section now stays visible whenever the device has saved proxy values, and a caption clarifies that the fields apply to Netmiko / SCP engines only.

Housekeeping

• .dockerignore added — keeps .env, *.db, ssh_keys/, backups/, staging-backups/, venv/, .git/, and test caches out of the Docker build context (previous builds baked all of these into the image).
• .gitignore covers staging-backups/* except .gitkeep so local test artifacts don't show up as untracked.

Commits

• 1e9a9c1 — multi-destination fixes + backup compare/history UI
• 2bd52ca — SECRET_KEY self-test at startup
• 088b5cb — keep device edit form's SSH-proxy section visible when values saved

Upgrading

• Docker: docker compose pull && docker compose up -d — SECRET_KEY persists in the data volume; encrypted credentials continue to decrypt.
• Shell / systemd: rerun install.sh; it preserves .env (and therefore SECRET_KEY).

No schema migration beyond what v1.6.x already applied.

VIBENetBackup v1.5.7

What's New

SSH Proxy / Jump Host

Netmiko and SCP engines can now connect through a bastion/jump host before reaching the target device. Useful for remote sites where devices are only reachable via an intermediate SSH server (e.g. autossh tunnels).

• Configure per device: Proxy Host, Proxy Port, and optionally a separate Proxy Credential when the jump host uses different credentials than the device
• Device list shows a jump-host indicator icon with tooltip
• Works the same way as Oxidized's SSH proxy feature — two-hop SSH connection

Oxidized Engine

• Fetches configs by device hostname instead of IP address — required for jump-host setups where multiple devices share the same jump-host IP
• Import from Oxidized now captures port from node data; non-22 ports highlighted in import table

Docker / Upgrades

• Schema migrations now run automatically on container startup — docker compose pull && docker compose up -d is all you need
• Alembic migration reads DATABASE_URL from environment correctly

Docker

docker compose pull && docker compose up -d

Image: ghcr.io/kulunkilabs/vibenetbackup:1.5.7

Full Changelog

See README.md for the complete changelog.

VIBENetBackup v1.5

What's New

• Batch edit for devices — select multiple devices and change credential or group in bulk
• Nokia 7250 IXR support — added to device type labels and documentation

Bug Fixes

• Fix 500 Internal Server Error — updated all TemplateResponse calls for Starlette 1.0 compatibility
• Fix Nokia SR OS MD-CLI backups — map nokia_sros_md to nokia_sros netmiko driver (netmiko has no separate MD-CLI driver)
• Fix netmiko requirement — bumped to >=4.4.0
• Protect credentials across upgrades — SECRET_KEY is now always persisted and guarded against accidental changes

Upgrade

docker compose build --no-cache && docker compose up -d

VIBENetBackup v1.4

What's New

• Batch edit for devices — select multiple devices and change credential or group in bulk
• Nokia 7250 IXR support — added to device type labels and documentation
• Fix netmiko requirement — bumped to >=4.4.0 for nokia_sros_md support

Bug Fixes

• Fix 500 Internal Server Error — updated all TemplateResponse calls for Starlette 1.0 compatibility (affects all pages)

Upgrade

Rebuild your Docker image to pick up fixes:

docker compose build --no-cache && docker compose up -d

VIBENetBackup v1.3

What's New

• Nokia 7250 IXR support — added to device type labels and documentation
• Fix Nokia SR OS MD-CLI backups — bumped netmiko requirement to >=4.4.0 (adds nokia_sros_md device type support)

Upgrade

Rebuild your Docker image to pick up the new netmiko version:

docker compose build --no-cache && docker compose up -d

VIBENetBackup v1.2

VIBENetBackup v1.2

What's New

• Run Now button — Manually trigger any scheduled backup from the Schedules page
• Persistent SECRET_KEY — Credentials now survive updates on both systemd and Docker installs
• Docker entrypoint — Auto-generates and persists SECRET_KEY to data volume if not set
• Safer installer — Preserves .env, database, backups, and SSH keys in temp dir before any changes

Docker

docker pull ghcr.io/kulunkilabs/vibenetbackup:latest

Install / Update

curl -fsSL https://raw.githubusercontent.com/kulunkilabs/vibenetbackup/main/install.sh | sudo bash