SHIELD v8.0.16

New Features

  • We now have a BackBlaze B2 storage plugin!


  • Ordinals are now optional in monthly schedule specs (via the web UI), allowing front-end users to type '3' or '3rd', per their strongly-held personal preference.

  • The token field of the vault plugins is now marked as a password, so that autocompletion in the browser gets turned off. Otherwise, Chrome/FF keeps wanting to leak your Vault tokens to people.

  • The data directory and web UI root configurations are now properly validated by the SHIELD core. If they do not exist, core startup is halted. That way, you find out sooner if you've misconfigured something. Wheee.

  • shield import can now properly import fixed-key backup jobs. Just what the doctor ordered for BOSH and SHIELD backup and recovery.

Bug Fixes

  • Errors with hourly schedules are now properly handled and give a readable error message to the front-end.

  • The mysql plugin can now properly restore a single database.

  • Some silly typos (some copy-pasta, some bad whitespace, some we-don't-know-what-we-were-thinking) have been fixed in SHIELD CLI --help output.

Download v8.0.16 from Github

Build From Source

... we're still working on this one ...

Older SHIELD Releases

SHIELD v8.0.15


  • Credentials in task log output are now displayed as a blurred white block, revealed on hover to those with sufficiently high rights.

  • The task log is now closed by clicking the [X] button in the log pane instead of clicking the 'full task log' link again.

Download v8.0.15 from Github

SHIELD v8.0.14

New Features

  • Compression of archives is now optional, on a per-target basis. If you have really big databases and don't want to bother compressing them, you can now turn that off and get done with your data protection tasks sooner!

  • The Tasks API now has new time boundary range parameters, for retrieving tasks based on when they started and/or stopped.


  • The Systems and Storage views now have the ability to toggle between a card-based layout (the default), and a table layout.

  • Tags in the Systems View Timeline are now only shown for non-backup tasks, and only for successfully completed tasks. In practice, this means that restore operations get tags and no one else does.

  • The Retention Policy API / UI / CLI is better. Namely, the API matches the documation (it's a PATCH not a PUT), and we have proper bounds checking on expiry days and policy name lengths.

Bug Fixes

  • When restoring archives with the CLI, and targeting a different data system than the archive originally came from, everything works as expected.
Download v8.0.14 from Github

SHIELD v8.0.13


  • Move the vault.crypt file out from under the vault/ data directory sub-directory; that sub-directory is dedicated to the Vault instance, and we shouldn't be putting other things in there.

  • Threshold for storage now indicates the use of units in the form field, to prevent the accidental specification of 50 bytes when you meant 50 gigabytes.

  • Improved results of the /v2/info and /v2/heath API endpoints to match its documented behaviour.


  • Removed FQDN from /v2/info as it was populated using DNS reverse lookups that were less than useful.

Bug Fixes

  • Storage health correctly stated during creation of ad-hoc runs.

  • Scheduled jobs in timeline are not longer incorrectly as "Ad-hoc"

  • Admin/Sessions page no longer shows all IP Addresses as localhost and shows the session creation time in human-readable format.

  • Notes for targets are now displayed on the page for a given system.

  • Errors encountered when unlocking the vault now notify the user.

  • Release version correctly displayed on header instead of (development)

Download v8.0.13 from Github

SHIELD v8.0.12


  • New vault plugin for backing up Safe or Vault installations. You can optionally restrict the subtree that gets backed up and restored, in case you share the Vault with others.
Download v8.0.12 from Github

SHIELD v8.0.8


  • Global Storage Systems are available for selection during the backup configuration wizard in the web UI.

  • Storage systems now properly report their health to all front-end views, fixing a few fixmes along the way.

  • Agents can now be resynchronized, in an ad hoc fashion, via the admin backend on the web UI.

  • Jobs will have their 'next run' time re-calculated when their schedule is changed. Previously, the existing schedule was in force until the first run after a schedule change, at which point the new schedule kicked in. This was weird, so we changed it.

  • New Cloud Storage Solutions (global or tenant-based) are considered healthy until proven broken.

  • shield-agent now has better logging to help troubleshoot registration problems.

Bug Fixes

  • Fix an egregious bug in the scheduling logic that was only considering jobs scheduled in the future to be "overdue". Since all jobs start out with a next_run of 0, this caused NO JOBS to ever be scheduled. Thankfully, 8.x is still beta.

  • Fix a segfault when dereferencing a nil Task during a broadcast. Now, we log that we got a nil task, to assist in tracking down why / where its occurring, rather than just crashing on panic.

  • The shield restore-archive command now prints out the UUID of the task scheduled to run the restore, rather than the cryptic (and oh-so-unhelpful) string "%s!:bool=true"

  • Neither shield create-job, nor shield update-job will allow you to create (or modify) jobs to have invalid, unparseable schedules. This will keep the CLI from accidentally creating schedules that the web UI can't process.

  • When restoring through the new wizard, the web UI only shows archives for the selected target system, instead of all of the archives every made for the tenant. Turns out this was less than useful.

  • Fix up some edge cases where we weren't checking for the existence of a tenant in tenant-scope API calls, just the rights to that tenant -- since system users can affect all tenants, we found that we could create child objects on non-existent tenants.

Developer Stuff

  • bin/testdev now runs a WebDAV service on the nginx reverse proxy (on $PORT+1), since we can no longer use the fs plugin for storage operations.

    On MacOS, with homebrew, you'll want to reinstall nginx with WebDAV support: brew reinstall --with-webdav nginx

Download v8.0.8 from Github

SHIELD v8.0.7

Bug Fixes

  • shield-agent will now propagate HTTP proxy environment variables: http_proxy, https_proxy and no_proxy, which some plugins (i.e. s3) can make use of.

  • The postgres plugin no longer requires a host address. If not specified, a local loopback (usually UNIX domain socket) will be attempted.

  • The postgres plugin no longer requires a password. If not specified, no authentication credentials will be sent. This is usually paired with an empty (or missing) pg_host, to gain superuser access over loopback (given a 'trust' entry in HBA)

Download v8.0.7 from Github

SHIELD v8.0.6

Bug Fixes

  • Fix non-deterministic short-circuit bug in Github OAuth role assignment logic that lead to different behaviors depending on how Github returned org/team memberships.
Download v8.0.6 from Github

SHIELD v8.0.5


  • The Github OAuth provider now properly handles Github Enterprise for API work (user lookups, org lookups, etc.)

  • The Github OAuth provider can now handle assignment across multiple tenants (including SYSTEM) from a single Github Org.

  • Shield CLI has been renamed from buckler back to shield similar to previous versions.

  • Added Cassandra target plugin.

Bug Fixes

  • Fix a missing slash in the Github Authentication Provider display, in the administrative backend.

  • The Web UI now propagates the job name from the configuration wizard to the API, replacing 'a random name?' with something just a bit less ... random.

Download v8.0.5 from Github

SHIELD v8.0.4

Bug Fixes

  • The v8 Web UI now properly renders target plugin forms, based on the metadata provided by the plugins themselves. Previously, only the fs plugin was working, due to the next bug we fixed.

  • The fs plugin was mistakenly reporting a store field, something that got missed when we removed its ability to act as a store plugin.

  • The swift plugin now features field metadata.

Download v8.0.4 from Github

SHIELD v8.0.3

SHIELD 8.x is still beta software; not recommended for production deployment

New Features

  • SHIELD now supports Fixed Key encryption for disaster recovery of backups for SHIELD itself.


  • The s3 plugin now uses pathd buckets, so it should work better with S3-workalikes that don't support DNS-style buckets.

  • The fs plugin strips the base director from the files as they are archived, allowing archives to be portably replayed to different base directors on restore.

  • The mysql and xtrabackup plugins are better now.

  • buckler import works better now, no longer requiring a SHIELD core (via either --core or $SHIELD_CORE). It also now supports skipping TLS verification of the SHIELD Core.

Bug Fixes

  • Plugins now accept boolish strings and numbers in place of actual booleans.

  • Handle symlinks in the fs plugin

  • The S3 plugin now properly sets a multipart upload chunk size of 5 MEGABYTES, not 5 GIGABYTES, so we don't OOM on VMs. Oops.

  • The WebUI can now display OAuth provider configuration (again).

  • buckler create-policy now properly validates the expiry value as a number.

  • SHIELD Core no longer leaks file descriptors when talking to the sealed Vaults.

Download v8.0.3 from Github

SHIELD v8.0.1

SHIELD 8.x is still beta software; not recommended for production deployment

New Features

  • The azure plugin now features a path_prefix setting to allow sharing of a single Azure Blobstore container amongst several jobs and/or SHIELDs.


  • The fs plugin no longer relies on the bsdtar executable to function; instead, all tarball creation / extraction is handled directly by the plugin code, making it easier to deploy.

  • The test-store and purge tasks that are scheduled in the slow loop are now skipped if the Vault is sealed. This keeps the task list from growing with lots of tasks that will not be scheduled until later. For purge tasks this wasn't a huge deal, but for test-store it meant that cloud storage would get slammed with test after test after test after test as soon as the SHIELD was unlocked.

Breaking Changes

  • The fs plugin no longer functions as a store plugin. This configuration was deemed to dangerous in the wild, given the locality constraints. If you need local-ish filesystem-backed storage, check out the webdav plugin.

Bug Fixes

  • WebSocket broadcast receivers are only registered after a successful upgrade from plain HTTP to WebSockets, to avoid stalling out the core on badly-behaved clients.

  • The CLI now honors -k everywhere it appears.

  • It is now possible to update a target / store that was created without any configuration (no --data on create-*).

  • CLI update-* commands now properly display the updated object attributes, instead of an empty report.

  • The create-auth-token CLI command now honors --json.

  • Fix javascript event handler stacking bugs in the web UI. In short, form submissions would "remember" their previous onsubmit handlers, leading to some very interesting errors on both client- and server-side.

Download v8.0.1 from Github

SHIELD v8.0.0

SHIELD v8 is a marked improvement over previous version of SHIELD.

New Features

  • Multi-Tenancy - SHIELD now supports the notion of tenants, which allow site operators to group their users logically, and sequester teams from one another. Each tenant has its own set of jobs, tasks, archives, etc., and members of one tenant cannot interact with the resources of another. Users can be assigned to multiple tenants, concurrently.

  • Archive Encryption - SHIELD now leverages AES-256 encryption when storing backup archives in cloud storage, making sure that your data is secure, even at-rest.

  • Agent Registration - SHIELD Agents now register with the SHIELD Core, and provide metadata to assist operators in the configuration of backup targets, and cloud storage systems.

  • Improved Web UI - SHIELD's web-based user interface got a massive overhaul in this release, with a concerted focus on efficiency and ease-of-use for operators, and their immediate concerns.

  • New CLI - The SHIELD CLI has been rewritten from the ground-up to interface more cleanly with the SHIELD v8 API. It handles plugin configuration more naturally, without forcing you to write proper JSON. Yay. It also supports a new import function that makes it easy to ensure that your target and storage systems, jobs, retention policies, etc. are always correct.

  • Improved Scheduling - Backup Jobs can now be run every X hours, much to the delight of SHIELD users everywhere.

Download v8.0.0 from Github