refactor: serve timeout static content using Go

refactor(adminmonitor): adjust the unit test
refactor(admintimeout): merge the admin monitor middleware into the admin monitor service
2022-03-31 13:42:41 +13:00 · 2022-03-30 17:10:32 +13:00 · 2022-03-30 15:08:06 +13:00 · 2022-03-29 23:11:57 +13:00 · 2022-03-28 12:27:55 +03:00 · 2022-03-26 12:17:55 +13:00
1195 changed files with 38235 additions and 26012 deletions
--- a/.env.defaults
+++ b/.env.defaults
@@ -0,0 +1 @@
+PORTAINER_EDITION=CE
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -9,6 +9,7 @@ globals:

 extends:
  - 'eslint:recommended'
+  - 'plugin:storybook/recommended'
  - prettier

 plugins:
@@ -60,6 +61,7 @@ overrides:
      - 'plugin:@typescript-eslint/recommended'
      - 'plugin:@typescript-eslint/eslint-recommended'
      - 'plugin:promise/recommended'
+      - 'plugin:storybook/recommended'
      - prettier # should be last
    settings:
      react:
@@ -77,12 +79,17 @@ overrides:
      react/forbid-prop-types: off
      react/require-default-props: off
      react/no-array-index-key: off
+      no-underscore-dangle: off
      react/jsx-filename-extension: [0]
      import/no-extraneous-dependencies: ['error', { devDependencies: true }]
      '@typescript-eslint/explicit-module-boundary-types': off
      '@typescript-eslint/no-unused-vars': 'error'
      '@typescript-eslint/no-explicit-any': 'error'
      'jsx-a11y/label-has-associated-control': ['error', { 'assert': 'either' }]
+      'react/function-component-definition': ['error', { 'namedComponents': 'function-declaration' }]
+      'react/jsx-no-bind': off
+      'no-await-in-loop': 'off'
+      'react/jsx-no-useless-fragment': ['error', { allowExpressions: true }]
  - files:
      - app/**/*.test.*
    extends:
@@ -90,3 +97,9 @@ overrides:
      - 'plugin:jest/style'
    env:
      'jest/globals': true
+    rules:
+      'react/jsx-no-constructed-context-values': off
+  - files:
+      - app/**/*.stories.*
+    rules:
+      'no-alert': off
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,5 @@
+# prettier
+cf5056d9c03b62d91a25c3b9127caac838695f98
+
+# prettier v2
+42e7db0ae7897d3cb72b0ea1ecf57ee2dd694169
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -2,7 +2,7 @@

 Thanks for opening an issue on Portainer !

-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.
+Do you need help or have a question? Come chat with us on Slack https://portainer.io/slack/ or gitter https://gitter.im/portainer/Lobby.

 If you are reporting a new issue, make sure that we do not have any duplicates
 already open. You can ensure this by searching the issue list for this
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -12,7 +12,7 @@ Thanks for reporting a bug for Portainer !

 You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/

-Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
+Do you need help or have a question? Come chat with us on Slack https://portainer.io/slack/

 Before opening a new issue, make sure that we do not have any duplicates
 already open. You can ensure this by searching the issue list for this
@@ -47,7 +47,7 @@ You can see how [here](https://documentation.portainer.io/r/portainer-logs)
 - Platform (windows/linux):
 - Command used to start Portainer (`docker run -p 9443:9443 portainer/portainer`):
 - Browser:
- Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
+- Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commercial setup.
 - Have you reviewed our technical documentation and knowledge base? Yes/No

 **Additional context**
--- a/.github/ISSUE_TEMPLATE/Custom.md
+++ b/.github/ISSUE_TEMPLATE/Custom.md
@@ -4,11 +4,11 @@ about: Ask us a question about Portainer usage or deployment
 title: ''
 labels: ''
 assignees: ''
-
 ---
+
 Before you start, we need a little bit more information from you:

-Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commerical setup.
+Use Case (delete as appropriate): Using Portainer at Home, Using Portainer in a Commercial setup.

 Have you reviewed our technical documentation and knowledge base? Yes/No

@@ -16,7 +16,7 @@ Have you reviewed our technical documentation and knowledge base? Yes/No

 You can find more information about Portainer support framework policy here: https://old.portainer.io/2019/04/portainer-support-policy/

-Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
+Do you need help or have a question? Come chat with us on Slack https://portainer.io/slack/

 Also, be sure to check our FAQ and documentation first: https://documentation.portainer.io/
 -->
--- a/.github/ISSUE_TEMPLATE/Feature_request.md
+++ b/.github/ISSUE_TEMPLATE/Feature_request.md
@@ -4,14 +4,13 @@ about: Suggest a feature/enhancement that should be added in Portainer
 title: ''
 labels: ''
 assignees: ''
-
 ---

 <!--

 Thanks for opening a feature request for Portainer !

-Do you need help or have a question? Come chat with us on Slack http://portainer.slack.com/
+Do you need help or have a question? Come chat with us on Slack https://portainer.io/slack/

 Before opening a new issue, make sure that we do not have any duplicates
 already open. You can ensure this by searching the issue list for this
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,4 @@
+closes #0 <!-- Github issue number (remove if unknown) -->
+closes [CE-0] <!-- Jira link number (remove if unknown). Please also add the same [CE-XXX] at the back of the PR title -->
+
+### Changes:
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,36 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - release/*
+  pull_request:
+    branches:
+      - master
+      - develop
+      - release/*
+
+jobs:
+  run-linters:
+    name: Run linters
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+          cache: 'yarn'
+      - run: yarn --frozen-lockfile
+
+      - name: Run linters
+        uses: wearerequired/lint-action@v1
+        with:
+          eslint: true
+          eslint_extensions: ts,tsx,js,jsx
+          prettier: true
+          prettier_dir: app/
+          gofmt: true
+          gofmt_dir: api/
--- a/.github/workflows/test-client.yaml
+++ b/.github/workflows/test-client.yaml
@@ -0,0 +1,15 @@
+name: Test Frontend
+on: push
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@v2
+        with:
+          node-version: '14'
+          cache: 'yarn'
+      - run: yarn install --frozen-lockfile
+
+      - name: Run tests
+        run: yarn test:client
--- a/.prettierrc
+++ b/.prettierrc
@@ -4,20 +4,16 @@
  "htmlWhitespaceSensitivity": "strict",
  "overrides": [
    {
-      "files": [
-        "*.html"
-      ],
+      "files": ["*.html"],
      "options": {
        "parser": "angular"
      }
    },
    {
-      "files": [
-        "*.{j,t}sx"
-      ],
+      "files": ["*.{j,t}sx", "*.ts"],
      "options": {
-        "printWidth": 80,
+        "printWidth": 80
      }
    }
  ]
-}
+}
--- a/.storybook/main.js
+++ b/.storybook/main.js
@@ -28,4 +28,8 @@ module.exports = {
    ];
    return config;
  },
+  core: {
+    builder: 'webpack5',
+  },
+  staticDirs: ['./public'],
 };
--- a/.storybook/preview.js
+++ b/.storybook/preview.js
@@ -1,5 +1,23 @@
 import '../app/assets/css';

+import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
+import { initialize as initMSW, mswDecorator } from 'msw-storybook-addon';
+import { handlers } from '@/setup-tests/server-handlers';
+
+// Initialize MSW
+initMSW({
+  onUnhandledRequest: ({ method, url }) => {
+    if (url.pathname.startsWith('/api')) {
+      console.error(`Unhandled ${method} request to ${url}.
+
+        This exception has been only logged in the console, however, it's strongly recommended to resolve this error as you don't want unmocked data in Storybook stories.
+
+        If you wish to mock an error response, please refer to this guide: https://mswjs.io/docs/recipes/mocking-error-responses
+      `);
+    }
+  },
+});
+
 export const parameters = {
  actions: { argTypesRegex: '^on[A-Z].*' },
  controls: {
@@ -8,4 +26,16 @@ export const parameters = {
      date: /Date$/,
    },
  },
+  msw: {
+    handlers,
+  },
 };
+
+export const decorators = [
+  (Story) => (
+    <UIRouter plugins={[pushStateLocationPlugin]}>
+      <Story />
+    </UIRouter>
+  ),
+  mswDecorator,
+];
--- a/.storybook/public/mockServiceWorker.js
+++ b/.storybook/public/mockServiceWorker.js
@@ -0,0 +1,328 @@
+/* eslint-disable */
+/* tslint:disable */
+
+/**
+ * Mock Service Worker (0.36.3).
+ * @see https://github.com/mswjs/msw
+ * - Please do NOT modify this file.
+ * - Please do NOT serve this file on production.
+ */
+
+const INTEGRITY_CHECKSUM = '02f4ad4a2797f85668baf196e553d929';
+const bypassHeaderName = 'x-msw-bypass';
+const activeClientIds = new Set();
+
+self.addEventListener('install', function () {
+  return self.skipWaiting();
+});
+
+self.addEventListener('activate', async function (event) {
+  return self.clients.claim();
+});
+
+self.addEventListener('message', async function (event) {
+  const clientId = event.source.id;
+
+  if (!clientId || !self.clients) {
+    return;
+  }
+
+  const client = await self.clients.get(clientId);
+
+  if (!client) {
+    return;
+  }
+
+  const allClients = await self.clients.matchAll();
+
+  switch (event.data) {
+    case 'KEEPALIVE_REQUEST': {
+      sendToClient(client, {
+        type: 'KEEPALIVE_RESPONSE',
+      });
+      break;
+    }
+
+    case 'INTEGRITY_CHECK_REQUEST': {
+      sendToClient(client, {
+        type: 'INTEGRITY_CHECK_RESPONSE',
+        payload: INTEGRITY_CHECKSUM,
+      });
+      break;
+    }
+
+    case 'MOCK_ACTIVATE': {
+      activeClientIds.add(clientId);
+
+      sendToClient(client, {
+        type: 'MOCKING_ENABLED',
+        payload: true,
+      });
+      break;
+    }
+
+    case 'MOCK_DEACTIVATE': {
+      activeClientIds.delete(clientId);
+      break;
+    }
+
+    case 'CLIENT_CLOSED': {
+      activeClientIds.delete(clientId);
+
+      const remainingClients = allClients.filter((client) => {
+        return client.id !== clientId;
+      });
+
+      // Unregister itself when there are no more clients
+      if (remainingClients.length === 0) {
+        self.registration.unregister();
+      }
+
+      break;
+    }
+  }
+});
+
+// Resolve the "main" client for the given event.
+// Client that issues a request doesn't necessarily equal the client
+// that registered the worker. It's with the latter the worker should
+// communicate with during the response resolving phase.
+async function resolveMainClient(event) {
+  const client = await self.clients.get(event.clientId);
+
+  if (client.frameType === 'top-level') {
+    return client;
+  }
+
+  const allClients = await self.clients.matchAll();
+
+  return allClients
+    .filter((client) => {
+      // Get only those clients that are currently visible.
+      return client.visibilityState === 'visible';
+    })
+    .find((client) => {
+      // Find the client ID that's recorded in the
+      // set of clients that have registered the worker.
+      return activeClientIds.has(client.id);
+    });
+}
+
+async function handleRequest(event, requestId) {
+  const client = await resolveMainClient(event);
+  const response = await getResponse(event, client, requestId);
+
+  // Send back the response clone for the "response:*" life-cycle events.
+  // Ensure MSW is active and ready to handle the message, otherwise
+  // this message will pend indefinitely.
+  if (client && activeClientIds.has(client.id)) {
+    (async function () {
+      const clonedResponse = response.clone();
+      sendToClient(client, {
+        type: 'RESPONSE',
+        payload: {
+          requestId,
+          type: clonedResponse.type,
+          ok: clonedResponse.ok,
+          status: clonedResponse.status,
+          statusText: clonedResponse.statusText,
+          body: clonedResponse.body === null ? null : await clonedResponse.text(),
+          headers: serializeHeaders(clonedResponse.headers),
+          redirected: clonedResponse.redirected,
+        },
+      });
+    })();
+  }
+
+  return response;
+}
+
+async function getResponse(event, client, requestId) {
+  const { request } = event;
+  const requestClone = request.clone();
+  const getOriginalResponse = () => fetch(requestClone);
+
+  // Bypass mocking when the request client is not active.
+  if (!client) {
+    return getOriginalResponse();
+  }
+
+  // Bypass initial page load requests (i.e. static assets).
+  // The absence of the immediate/parent client in the map of the active clients
+  // means that MSW hasn't dispatched the "MOCK_ACTIVATE" event yet
+  // and is not ready to handle requests.
+  if (!activeClientIds.has(client.id)) {
+    return await getOriginalResponse();
+  }
+
+  // Bypass requests with the explicit bypass header
+  if (requestClone.headers.get(bypassHeaderName) === 'true') {
+    const cleanRequestHeaders = serializeHeaders(requestClone.headers);
+
+    // Remove the bypass header to comply with the CORS preflight check.
+    delete cleanRequestHeaders[bypassHeaderName];
+
+    const originalRequest = new Request(requestClone, {
+      headers: new Headers(cleanRequestHeaders),
+    });
+
+    return fetch(originalRequest);
+  }
+
+  // Send the request to the client-side MSW.
+  const reqHeaders = serializeHeaders(request.headers);
+  const body = await request.text();
+
+  const clientMessage = await sendToClient(client, {
+    type: 'REQUEST',
+    payload: {
+      id: requestId,
+      url: request.url,
+      method: request.method,
+      headers: reqHeaders,
+      cache: request.cache,
+      mode: request.mode,
+      credentials: request.credentials,
+      destination: request.destination,
+      integrity: request.integrity,
+      redirect: request.redirect,
+      referrer: request.referrer,
+      referrerPolicy: request.referrerPolicy,
+      body,
+      bodyUsed: request.bodyUsed,
+      keepalive: request.keepalive,
+    },
+  });
+
+  switch (clientMessage.type) {
+    case 'MOCK_SUCCESS': {
+      return delayPromise(() => respondWithMock(clientMessage), clientMessage.payload.delay);
+    }
+
+    case 'MOCK_NOT_FOUND': {
+      return getOriginalResponse();
+    }
+
+    case 'NETWORK_ERROR': {
+      const { name, message } = clientMessage.payload;
+      const networkError = new Error(message);
+      networkError.name = name;
+
+      // Rejecting a request Promise emulates a network error.
+      throw networkError;
+    }
+
+    case 'INTERNAL_ERROR': {
+      const parsedBody = JSON.parse(clientMessage.payload.body);
+
+      console.error(
+        `\
+[MSW] Uncaught exception in the request handler for "%s %s":
+
+${parsedBody.location}
+
+This exception has been gracefully handled as a 500 response, however, it's strongly recommended to resolve this error, as it indicates a mistake in your code. If you wish to mock an error response, please see this guide: https://mswjs.io/docs/recipes/mocking-error-responses\
+`,
+        request.method,
+        request.url
+      );
+
+      return respondWithMock(clientMessage);
+    }
+  }
+
+  return getOriginalResponse();
+}
+
+self.addEventListener('fetch', function (event) {
+  const { request } = event;
+  const accept = request.headers.get('accept') || '';
+
+  // Bypass server-sent events.
+  if (accept.includes('text/event-stream')) {
+    return;
+  }
+
+  // Bypass navigation requests.
+  if (request.mode === 'navigate') {
+    return;
+  }
+
+  // Opening the DevTools triggers the "only-if-cached" request
+  // that cannot be handled by the worker. Bypass such requests.
+  if (request.cache === 'only-if-cached' && request.mode !== 'same-origin') {
+    return;
+  }
+
+  // Bypass all requests when there are no active clients.
+  // Prevents the self-unregistered worked from handling requests
+  // after it's been deleted (still remains active until the next reload).
+  if (activeClientIds.size === 0) {
+    return;
+  }
+
+  const requestId = uuidv4();
+
+  return event.respondWith(
+    handleRequest(event, requestId).catch((error) => {
+      if (error.name === 'NetworkError') {
+        console.warn('[MSW] Successfully emulated a network error for the "%s %s" request.', request.method, request.url);
+        return;
+      }
+
+      // At this point, any exception indicates an issue with the original request/response.
+      console.error(
+        `\
+[MSW] Caught an exception from the "%s %s" request (%s). This is probably not a problem with Mock Service Worker. There is likely an additional logging output above.`,
+        request.method,
+        request.url,
+        `${error.name}: ${error.message}`
+      );
+    })
+  );
+});
+
+function serializeHeaders(headers) {
+  const reqHeaders = {};
+  headers.forEach((value, name) => {
+    reqHeaders[name] = reqHeaders[name] ? [].concat(reqHeaders[name]).concat(value) : value;
+  });
+  return reqHeaders;
+}
+
+function sendToClient(client, message) {
+  return new Promise((resolve, reject) => {
+    const channel = new MessageChannel();
+
+    channel.port1.onmessage = (event) => {
+      if (event.data && event.data.error) {
+        return reject(event.data.error);
+      }
+
+      resolve(event.data);
+    };
+
+    client.postMessage(JSON.stringify(message), [channel.port2]);
+  });
+}
+
+function delayPromise(cb, duration) {
+  return new Promise((resolve) => {
+    setTimeout(() => resolve(cb()), duration);
+  });
+}
+
+function respondWithMock(clientMessage) {
+  return new Response(clientMessage.payload.body, {
+    ...clientMessage.payload,
+    headers: clientMessage.payload.headers,
+  });
+}
+
+function uuidv4() {
+  return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
+    const r = (Math.random() * 16) | 0;
+    const v = c == 'x' ? r : (r & 0x3) | 0x8;
+    return v.toString(16);
+  });
+}
--- a/.vscode.example/launch.json
+++ b/.vscode.example/launch.json
@@ -9,7 +9,7 @@
      "type": "go",
      "request": "launch",
      "mode": "debug",
-      "program": "${workspaceRoot}/api/cmd/portainer/main.go",
+      "program": "${workspaceRoot}/api/cmd/portainer",
      "cwd": "${workspaceRoot}",
      "env": {},
      "showLog": true,
--- a/.vscode.example/settings.json
+++ b/.vscode.example/settings.json
@@ -1,4 +1,8 @@
 {
  "go.lintTool": "golangci-lint",
-  "go.lintFlags": ["--fast", "-E", "exportloopref"]
+  "go.lintFlags": ["--fast", "-E", "exportloopref"],
+  "gopls": {
+    "build.expandWorkspaceToModule": false
+  },
+  "gitlens.advanced.blame.customArguments": ["--ignore-revs-file", ".git-blame-ignore-revs"]
 }
--- a/README.md
+++ b/README.md
@@ -42,10 +42,10 @@ View [this](https://www.portainer.io/products) table to see all of the Portainer

 Portainer CE is an open source project and is supported by the community. You can buy a supported version of Portainer at portainer.io

-Learn more about Portainers community support channels [here.](https://www.portainer.io/community_help)
+Learn more about Portainer's community support channels [here.](https://www.portainer.io/community_help)

 - Issues: https://github.com/portainer/portainer/issues
- Slack (chat): [https://portainer.slack.com/](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA)
+- Slack (chat): [https://portainer.io/slack](https://portainer.io/slack)

 You can join the Portainer Community by visiting community.portainer.io. This will give you advance notice of events, content and other related Portainer content.

--- a/api/adminmonitor/admin_monitor.go
+++ b/api/adminmonitor/admin_monitor.go
@@ -2,7 +2,12 @@ package adminmonitor

 import (
 	"context"
+	"embed"
+	"io/fs"
 	"log"
+	"net/http"
+	"strings"
+	"sync"
 	"time"

 	portainer "github.com/portainer/portainer/api"
@@ -11,24 +16,37 @@ import (

 var logFatalf = log.Fatalf

+const RedirectReasonAdminInitTimeout string = "AdminInitTimeout"
+
 type Monitor struct {
-	timeout          time.Duration
-	datastore        dataservices.DataStore
-	shutdownCtx      context.Context
-	cancellationFunc context.CancelFunc
+	timeout           time.Duration
+	datastore         dataservices.DataStore
+	shutdownCtx       context.Context
+	cancellationFunc  context.CancelFunc
+	mu                sync.Mutex
+	adminInitDisabled bool
 }

-// New creates a monitor that when started will wait for the timeout duration and then shutdown the application unless it has been initialized.
+// New creates a monitor that when started will wait for an admin account being created for timeout duration
+// if and admin account would still be missing, it'll disable the http traffic handling
 func New(timeout time.Duration, datastore dataservices.DataStore, shutdownCtx context.Context) *Monitor {
 	return &Monitor{
-		timeout:     timeout,
-		datastore:   datastore,
-		shutdownCtx: shutdownCtx,
+		timeout:           timeout,
+		datastore:         datastore,
+		shutdownCtx:       shutdownCtx,
+		adminInitDisabled: false,
 	}
 }

 // Starts starts the monitor. Active monitor could be stopped or shuttted down by cancelling the shutdown context.
 func (m *Monitor) Start() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.cancellationFunc != nil {
+		return
+	}
+
 	cancellationCtx, cancellationFunc := context.WithCancel(context.Background())
 	m.cancellationFunc = cancellationFunc

@@ -41,7 +59,11 @@ func (m *Monitor) Start() {
 				logFatalf("%s", err)
 			}
 			if !initialized {
-				logFatalf("[FATAL] [internal,init] No administrator account was created in %f mins. Shutting down the Portainer instance for security reasons", m.timeout.Minutes())
+				log.Println("[INFO] [internal,init] The Portainer instance timed out for security purposes. To re-enable your Portainer instance, you will need to restart Portainer")
+				m.mu.Lock()
+				defer m.mu.Unlock()
+				m.adminInitDisabled = true
+				return
 			}
 		case <-cancellationCtx.Done():
 			log.Println("[DEBUG] [internal,init] [message: canceling initialization monitor]")
@@ -53,6 +75,9 @@ func (m *Monitor) Start() {

 // Stop stops monitor. Safe to call even if monitor wasn't started.
 func (m *Monitor) Stop() {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
 	if m.cancellationFunc == nil {
 		return
 	}
@@ -68,3 +93,35 @@ func (m *Monitor) WasInitialized() (bool, error) {
 	}
 	return len(users) > 0, nil
 }
+
+func (m *Monitor) WasInstanceDisabled() bool {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.adminInitDisabled
+}
+
+//go:embed timeout
+var timeoutFiles embed.FS
+
+// WithRedirect checks whether administrator initialisation timeout. If so, it will return the error with redirect reason.
+// Otherwise, it will pass through the request to next
+func (m *Monitor) WithRedirect(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if m.WasInstanceDisabled() {
+			if r.RequestURI == `/` || strings.HasPrefix(r.RequestURI, "/api") {
+				w.Header().Set("redirect-reason", `Administrator initialization timeout`)
+				http.Redirect(w, r, `/timeout.html`, http.StatusSeeOther)
+				return
+			}
+
+			files, err := fs.Sub(timeoutFiles, "timeout")
+			if err != nil {
+				log.Printf("Error %s\n", err)
+			}
+			http.FileServer(http.FS(files)).ServeHTTP(w, r)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
--- a/api/adminmonitor/admin_monitor_test.go
+++ b/api/adminmonitor/admin_monitor_test.go
@@ -21,6 +21,18 @@ func Test_stopCouldBeCalledMultipleTimes(t *testing.T) {
 	monitor.Stop()
 }

+func Test_startOrStopCouldBeCalledMultipleTimesConcurrently(t *testing.T) {
+	monitor := New(1*time.Minute, nil, context.Background())
+
+	go monitor.Start()
+	monitor.Start()
+
+	go monitor.Stop()
+	monitor.Stop()
+
+	time.Sleep(2 * time.Second)
+}
+
 func Test_canStopStartedMonitor(t *testing.T) {
 	monitor := New(1*time.Minute, nil, context.Background())
 	monitor.Start()
@@ -30,21 +42,13 @@ func Test_canStopStartedMonitor(t *testing.T) {
 	assert.Nil(t, monitor.cancellationFunc, "cancellation function should absent in stopped monitor")
 }

-func Test_start_shouldFatalAfterTimeout_ifNotInitialized(t *testing.T) {
+func Test_start_shouldDisableInstanceAfterTimeout_ifNotInitialized(t *testing.T) {
 	timeout := 10 * time.Millisecond

 	datastore := i.NewDatastore(i.WithUsers([]portainer.User{}))
-
-	var fataled bool
-	origLogFatalf := logFatalf
-	logFatalf = func(s string, v ...interface{}) { fataled = true }
-	defer func() {
-		logFatalf = origLogFatalf
-	}()
-
 	monitor := New(timeout, datastore, context.Background())
 	monitor.Start()
-	<-time.After(2 * timeout)

-	assert.True(t, fataled, "monitor should been timeout and fatal")
+	<-time.After(20 * timeout)
+	assert.True(t, monitor.WasInstanceDisabled(), "monitor should have been timeout and instance is disabled")
 }
--- a/api/adminmonitor/timeout/assets/ico/apple-touch-icon.png
+++ b/api/adminmonitor/timeout/assets/ico/apple-touch-icon.png
--- a/api/adminmonitor/timeout/assets/ico/favicon-16x16.png
+++ b/api/adminmonitor/timeout/assets/ico/favicon-16x16.png
--- a/api/adminmonitor/timeout/assets/ico/favicon-32x32.png
+++ b/api/adminmonitor/timeout/assets/ico/favicon-32x32.png
--- a/api/adminmonitor/timeout/assets/ico/favicon.ico
+++ b/api/adminmonitor/timeout/assets/ico/favicon.ico
--- a/api/adminmonitor/timeout/assets/ico/safari-pinned-tab.svg
+++ b/api/adminmonitor/timeout/assets/ico/safari-pinned-tab.svg
@@ -0,0 +1 @@
+<svg version="1" xmlns="http://www.w3.org/2000/svg" width="420" height="420" viewBox="0 0 315.000000 315.000000"><path d="M163 13.3v6.4l-38.3 22.1-38.2 22.1h-34c-2.8.1-3 .3-3.2 4.5-.2 3.4.1 4.5 1.5 4.8.9.2 16 .3 33.5.2 17.4 0 31.7.2 31.8.5.1.3.2 10.3.4 22.1.1 11.8.3 21.8.4 22.2 0 .5 5.5.8 12 .8h11.9l-.1-22.8-.1-22.7 11.2-.1H163V204l3.5.1c1.9.1 4.1.2 4.7.3 1 .1 1.3-13.7 1.3-65.3V73.7l3.3-.3 3.2-.2.1 66.6v66.7l4.8 3.1 4.7 3.2v-69c-.1-38 .1-69.3.4-69.7.3-.4 17.2-.7 37.5-.7h37l.3-4.6.3-4.6-8.3-.3-8.3-.4-37-21.4c-20.3-11.8-37.2-21.6-37.5-21.8-.3-.3-.5-2.8-.6-5.6-.1-2.9-.2-5.8-.3-6.5-.1-.7-1.7-1.2-4.6-1.2H163v6.3zm0 34.1v16.5h-28.2c-28 0-28.3 0-25.8-1.9 1.4-1 4.3-2.8 6.5-4 2.2-1.1 13.5-7.6 25-14.4 11.6-6.9 21.3-12.5 21.8-12.5.4-.1.7 7.3.7 16.3zm28.6-5.4c7.5 4.4 13.7 8 13.9 8 .1 0 4.5 2.5 9.6 5.7 5.2 3.1 10.5 6.2 11.9 6.9 2.1 1.1-2 1.3-26 1.1l-28.5-.2V47.3l-.1-16.1 2.8 1.4c1.5.8 8.9 5 16.4 9.4zm-55.4 40.5c0 4.9-.1 9.7-.1 10.5-.1 1.3-1.5 1.6-7.3 1.5l-7.3-.1-.5-10.5-.5-10.6 7.8.1 7.9.1v9zm-12.3 23.9c.1 6.6-.2 8.5-1.4 9-.8.3-1.5.2-1.6-.2-.4-3.4-.5-15-.1-16 .2-.6 1-1.2 1.7-1.2.9 0 1.3 2.3 1.4 8.4zm6.7.4c0 4.5-.3 8.2-.8 8.2-.4 0-1.1.1-1.5.2-.5.2-.8-3.7-.9-8.5 0-7.5.2-8.7 1.5-8.5 1.3.3 1.6 1.9 1.7 8.6zm6.9 0c.1 7.2-.1 8.2-1.6 8.2-1.6 0-1.8-1-1.7-8.5.1-7.3.3-8.5 1.7-8.3 1.3.3 1.6 1.8 1.6 8.6z"/><path d="M61.9 108c0 .3-.1 5.7-.2 12l-.1 11.5 12.2.3 12.2.3v-24.6H74c-6.6 0-12 .2-12.1.5zm7.1 11.4c0 8-1 11.1-2.6 8.5-.5-.9-.8-8.6-.5-15.2.1-.9.8-1.7 1.6-1.7 1.2 0 1.5 1.6 1.5 8.4zm7-.1c0 8.6-.3 9.9-2.3 9.1-.8-.3-1.1-3-1-7.7.2-10 .1-9.7 1.8-9.7 1.2 0 1.5 1.6 1.5 8.3zm6.8-.3c.3 8.4-.2 10.7-2.1 9.2-.9-.7-1.2-3.6-1.1-8.9.2-9.2.1-8.6 1.7-8.1.8.3 1.3 3 1.5 7.8zM89.4 107.9c-.2.2-.4 5.8-.4 12.3V132h24.5l-.1-11.3c-.1-6.1-.2-11.7-.3-12.2-.1-1-22.7-1.5-23.7-.6zm7.2 11.2c.1 8.6-.3 10-2.2 9.2-1-.4-1.4-2.5-1.4-8.2 0-4.3.3-8.1.7-8.5 1.8-1.8 2.8.7 2.9 7.5zm6.5-7.4c.4 3.9.3 15.7-.2 16.5-1.7 2.7-2.9-.9-2.9-8.8 0-6.8.3-8.4 1.5-8.4.8 0 1.5.3 1.6.7zm7 .5c.5 5.5.3 13.6-.4 15.1-1.6 3.6-2.7.4-2.7-7.9 0-6.8.3-8.4 1.5-8.4.8 0 1.5.6 1.6 1.2zM94.3 134.8l-5.3.3v12c0 8.8.3 11.9 1.3 12 1.7.1 15.5.1 19.7 0l3.5-.1-.1-10.8c-.1-5.9-.2-11.4-.3-12.2-.1-1.5-6.2-1.9-18.8-1.2zm2.2 12.3c0 6.8-.3 8.4-1.5 8.4s-1.6-1.6-1.8-7.3c-.4-8.1.1-10.6 2.1-9.9.8.2 1.2 2.9 1.2 8.8zm6.6-7.4c.5 5.9.3 14.6-.2 15.5-.4.6-1.2.7-1.8.4-1.2-.8-1.6-15.8-.4-16.9 1.2-1.2 2.3-.7 2.4 1zm7-1c0 .5.1 4.4.2 8.8 0 6.3-.2 8-1.4 8-1.1 0-1.5-1.9-1.7-8.8-.2-7.3 0-8.7 1.3-8.7.8 0 1.5.3 1.6.7zM120 134.8l-3.5.3-.1 11.9c0 7.6.4 12 1.1 12.1 4.6.3 21.5 0 22.3-.5.5-.3 1-5.7 1-12.1l.1-11.5-5.7-.1c-3.1 0-7-.1-8.7-.2-1.6-.1-4.6-.1-6.5.1zm3.4 4.8c1 2.7.7 15.2-.5 15.9-.6.4-1.3.4-1.6.1-.7-.7-1.2-15.7-.6-16.9.7-1.2 2.1-.8 2.7.9zm7.3 6c.2 7.9-.4 10.7-2 10.1-.8-.2-1.2-3.2-1.3-8.3-.1-8.5.1-9.7 1.9-9.1.7.2 1.3 3.1 1.4 7.3zm6.9 0c.2 8.5-.3 10.5-2.2 9.7-1.1-.4-1.4-2.2-1.3-8.2.2-8.3.5-9.4 2.2-8.8.8.2 1.2 3 1.3 7.3zM61.9 136.7c-.4 9-.3 21.6.3 21.9.7.4 13.9.7 21.1.5l2.7-.1v-24H74c-10.7 0-12 .2-12.1 1.7zM69 147c0 5-.4 9-.9 9-1.6 0-2.2-1.7-2.2-7.2-.2-9.6 0-10.8 1.6-10.8 1.2 0 1.5 1.7 1.5 9zm6.8-.5c.3 7.2-.7 10.9-2.4 9.2-.4-.4-.7-3.5-.7-6.9.1-10.2.2-11 1.6-10.6.8.3 1.3 3.1 1.5 8.3zm7 0c.2 4.7-.1 8.2-.8 8.9-1.8 1.8-2.6-.8-2.4-8.6.2-9.3.2-9 1.7-8.6.8.3 1.3 3.1 1.5 8.3zM59.4 166.7c-3.1 7.2-4.3 13.6-4 21.2.5 12.5 4.9 22.4 13.7 31.1 4.1 4.1 5.4 4.8 7.2 4.1 1.2-.4 3.9-.7 5.9-.6 3.6.1 3.8-.1 6.8-6.2 8.2-16.7 29.1-23.3 47.6-15.2 2.4 1.1 4.6 2.4 4.9 2.9 2.5 4.1 5.4-3.3 5.9-15.3.4-8-.6-14-3.5-20.7l-2.1-5H61l-1.6 3.7z"/><path d="M118.5 202.8c-6 .9-11 2.8-15.1 5.7-5.2 3.7-11 11.3-11.9 15.6-.6 2.4-1.2 2.9-3.8 3-9.6.2-17.3 3.5-23.7 10-6 6.2-8.4 12.1-8.6 20.9-.3 10.2 2.1 16.5 9.1 23.5 6.6 6.6 12.5 9 22 9 6.7 0 7.1.1 8.9 3 2.6 4.2 7.3 8.3 13.1 11.3 4.2 2.2 6.3 2.6 13 2.6 9.5 0 16.9-2.9 22.8-8.9l3.7-3.8 6.1 3.3c13 6.9 29.4 3.7 38.8-7.6 5.3-6.5 7.2-11.7 7.3-20.4.2-7-.2-8.6-2.8-13.7-2.6-5-2.9-6.4-2.1-9.3 2.3-8.9-1.7-22.2-8.9-29.4-9.8-9.8-22.8-11.7-38.1-5.5-3 1.2-3.4 1.1-5.8-1.4-5.1-5-17.1-9-24-7.9z"/></svg>
--- a/api/adminmonitor/timeout/assets/images/logo_alt.svg
+++ b/api/adminmonitor/timeout/assets/images/logo_alt.svg
@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 25.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 940 300" style="enable-background:new 0 0 940 300;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill-rule:evenodd;clip-rule:evenodd;fill:#13BEF9;}
+	.st1{fill:#13BEF9;}
+</style>
+<g>
+	<polygon class="st0" points="84.3,76.6 80.3,76.6 80.3,97.3 84.3,97.3 84.3,76.6 	"/>
+	<polygon class="st0" points="101.5,76.6 97.5,76.6 97.5,97.3 101.5,97.3 101.5,76.6 	"/>
+	<polygon class="st0" points="125,37.1 120.9,30 52.5,69.5 56.6,76.6 125,37.1 	"/>
+	<polygon class="st0" points="124.6,37.1 128.7,30 197.1,69.5 193,76.6 124.6,37.1 	"/>
+	<polygon class="st0" points="209.2,76.7 209.2,68.5 21.8,68.5 21.8,76.7 209.2,76.7 	"/>
+	<path class="st0" d="M135,192.5V71h8.2v127.4C141,195.9,138.2,194.1,135,192.5L135,192.5z"/>
+	<path class="st0" d="M121,190.4V19h8.2v172.4C126.9,190.3,121.3,190.4,121,190.4L121,190.4z"/>
+	<path class="st0" d="M43.3,207.5c-10-7.4-16.6-19.2-16.6-32.6c0-7.1,1.9-14.1,5.4-20.2h70c3.6,6.1,5.4,13.1,5.4,20.2
+		c0,6.2-0.8,12-3.3,17.2c-5.3-5.1-13.1-7.3-21-7.3c-14,0-26,8.7-29.1,21.7c-1.1-0.1-1.8-0.2-2.9-0.2
+		C48.5,206.4,45.9,206.8,43.3,207.5L43.3,207.5z"/>
+	<path class="st1" d="M219.8,115.5c-10.6,0-19.9,4.9-26.3,12.5v-11.4h-10.6v101.3h10.6v-42.7c6.3,7.8,15.7,12.8,26.3,12.8
+		c19.8,0,36.1-16.9,36.1-36.4C255.9,131.8,239.6,115.5,219.8,115.5L219.8,115.5z M220.1,177.5c-13.8,0-26-12.2-26-26
+		c0-14.1,12.2-25.6,26-25.6c14.1,0,24.7,11.5,24.7,25.6C244.8,165.3,234.2,177.5,220.1,177.5L220.1,177.5z"/>
+	<path class="st1" d="M302.3,187.9c19.8,0,36.1-16.9,36.1-36.4c0-19.8-16.3-36.1-36.1-36.1c-19.8,0-36.1,16.3-36.1,36.1
+		C266.2,171,282.5,187.9,302.3,187.9L302.3,187.9z M302.3,125.9c14.1,0,25,11.5,25,25.6c0,13.8-10.9,26-25,26c-14.1,0-25-12.2-25-26
+		C277.3,137.5,288.2,125.9,302.3,125.9L302.3,125.9z"/>
+	<path class="st1" d="M365.6,116.6H355v69.6h10.6v-38.5c0-14.2,11.2-21.8,23.6-21.8v-10.4c-9.6,0-17.9,4.1-23.6,10.6V116.6
+		L365.6,116.6z"/>
+	<polygon class="st1" points="433.8,126.2 433.8,116.6 418.1,116.6 418.1,89.2 407.5,89.2 407.5,116.6 397.1,116.6 397.1,126.2 
+		407.5,126.2 407.5,186.2 418.1,186.2 418.1,126.2 433.8,126.2 	"/>
+	<path class="st1" d="M478.6,187.9c10.6,0,19.9-5.1,26.3-12.8v11.4h10.6v-69.9h-10.6V128c-6.3-7.6-15.7-12.5-26.3-12.5
+		c-19.8,0-36.1,16.3-36.1,36.1C442.5,171,458.8,187.9,478.6,187.9L478.6,187.9z M478.2,177.5c-14.1,0-24.7-12.2-24.7-26
+		c0-14.1,10.6-25.6,24.7-25.6c13.8,0,26,11.5,26,25.6C504.2,165.3,492,177.5,478.2,177.5L478.2,177.5z"/>
+	<path class="st1" d="M543.6,102.5c4,0,7.4-3.3,7.4-7.6c0-3.8-3.5-7.3-7.4-7.3c-4.3,0-7.6,3.5-7.6,7.3
+		C536,99.2,539.3,102.5,543.6,102.5L543.6,102.5z M538.2,186.2h11.1v-69.6h-11.1V186.2L538.2,186.2z"/>
+	<path class="st1" d="M571.6,186.2h10.6v-37c0-15.7,8.7-23.6,22.8-23.3c11.6,0,17.9,6.8,17.9,20.6v39.7h10.6v-39.7
+		c0-22.2-8.5-31-28.5-31c-9.5,0-17.2,3.5-22.8,9.5v-8.4h-10.6V186.2L571.6,186.2z"/>
+	<path class="st1" d="M720.7,151.5c0-19.8-16.3-36.1-36.1-36.1c-19.8,0-36.1,16.3-36.1,36.1c0,19.5,16.3,36.4,36.1,36.4
+		c14.1,0,26.6-8.1,32.4-20.1h-13.1c-4.4,5.7-11.2,9.7-19.3,9.7c-12.3,0-22.3-9.5-24.5-21h60.6L720.7,151.5L720.7,151.5z
+		 M684.6,125.9c12.2,0,22.2,8.9,24.5,20.4h-49.1C662.4,134.8,672.3,125.9,684.6,125.9L684.6,125.9z"/>
+	<path class="st1" d="M747.9,116.6h-10.6v69.6h10.6v-38.5c0-14.2,11.2-21.8,23.6-21.8v-10.4c-9.7,0-17.9,4.1-23.6,10.6V116.6
+		L747.9,116.6z"/>
+	<path class="st1" d="M787.5,187c4.7,0,8.7-4,8.7-8.9c0-4.7-4-8.7-8.7-8.7c-4.9,0-8.9,4-8.9,8.7C778.6,183,782.6,187,787.5,187
+		L787.5,187z"/>
+	<path class="st1" d="M823.5,102.5c4,0,7.4-3.3,7.4-7.6c0-3.8-3.5-7.3-7.4-7.3c-4.3,0-7.6,3.5-7.6,7.3
+		C816,99.2,819.3,102.5,823.5,102.5L823.5,102.5z M818.2,186.2h11.1v-69.6h-11.1V186.2L818.2,186.2z"/>
+	<path class="st1" d="M882.1,187.9c19.8,0,36.1-16.9,36.1-36.4c0-19.8-16.3-36.1-36.1-36.1c-19.8,0-36.1,16.3-36.1,36.1
+		C846,171,862.3,187.9,882.1,187.9L882.1,187.9z M882.1,125.9c14.1,0,25,11.5,25,25.6c0,13.8-10.9,26-25,26c-14.1,0-25-12.2-25-26
+		C857.1,137.5,868,125.9,882.1,125.9L882.1,125.9z"/>
+	<polygon class="st0" points="77.7,106.5 56.5,106.5 56.5,127.8 77.7,127.8 77.7,106.5 	"/>
+	<polygon class="st0" points="53.8,106.5 32.6,106.5 32.6,127.8 53.8,127.8 53.8,106.5 	"/>
+	<polygon class="st0" points="53.8,130.2 32.6,130.2 32.6,151.5 53.8,151.5 53.8,130.2 	"/>
+	<polygon class="st0" points="77.7,130.2 56.5,130.2 56.5,151.5 77.7,151.5 77.7,130.2 	"/>
+	<polygon class="st0" points="101.5,130.2 80.3,130.2 80.3,151.5 101.5,151.5 101.5,130.2 	"/>
+	<polygon class="st0" points="101.5,95.1 80.3,95.1 80.3,116.4 101.5,116.4 101.5,95.1 	"/>
+	<path class="st0" d="M57.6,210.7c2.9-12.3,14-21.5,27.2-21.5c8.5,0,16.1,3.8,21.3,9.8c4.5-3.1,9.9-4.9,15.8-4.9
+		c15.4,0,27.9,12.5,27.9,27.9c0,3.2-0.5,6.2-1.5,9.1c3.4,4.6,5.5,10.4,5.5,16.6c0,15.4-12.5,27.9-27.9,27.9c-6.8,0-13-2.4-17.8-6.4
+		c-5.1,7.1-13.4,11.8-22.8,11.8c-10.8,0-20.2-6.2-24.9-15.2c-1.9,0.4-3.8,0.6-5.8,0.6c-15.4,0-28-12.5-28-27.9s12.5-27.9,28-27.9
+		C55.6,210.5,56.6,210.5,57.6,210.7L57.6,210.7z"/>
+</g>
+</svg>
--- a/api/adminmonitor/timeout/timeout.html
+++ b/api/adminmonitor/timeout/timeout.html
@@ -0,0 +1,59 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>Portainer</title>
+    <meta name="description" content="" />
+    <base id="base" />
+
+    <!-- Fav and touch icons -->
+    <link rel="apple-touch-icon" sizes="180x180" href="./assets/ico/apple-touch-icon.png" />
+    <link rel="icon" type="image/png" sizes="32x32" href="./assets/ico/favicon-32x32.png" />
+    <link rel="icon" type="image/png" sizes="16x16" href="./assets/ico/favicon-16x16.png" />
+    <link rel="mask-icon" href="./assets/ico/safari-pinned-tab.svg" color="#5b" />
+    <link rel="shortcut icon" href="./assets/ico/favicon.ico" />
+    <meta name="msapplication-config" content="./assets/ico/browserconfig.xml" />
+    <meta name="theme-color" content="#ffffff" />
+  </head>
+
+  <body>
+    <div class="page-wrapper">
+      <!-- timeout info box -->
+      <div class="container simple-box">
+        <div class="col-md-8 col-md-offset-2 col-sm-10 col-sm-offset-1">
+          <!-- simple box logo -->
+          <div class="row">
+            <img src="./assets/images/logo_alt.svg" class="simple-box-logo" alt="Portainer" />
+          </div>
+
+          <div class="panel panel-default">
+            <div class="panel-body">
+              <!-- toggle -->
+              <div style="padding-bottom: 24px">
+                <a>
+                  <span style="padding-left: 10px">New Portainer installation</span>
+                </a>
+              </div>
+
+              <!-- init admin init timeout notification -->
+              <div class="simple-box" style="padding-left: 30px">
+                <div class="col-sm-12">
+                  <span class="small text-muted" style="margin-left: 2px">
+                    Your Portainer instance timed out for security purposes. To re-enable your Portainer instance, you will need to restart Portainer.
+                  </span>
+                  <br /><br />
+                  <span class="text-muted small" style="margin-left: 2px">
+                    For further information, view our <a href="https://docs.portainer.io/v/ce-2.11/start/install" target="_blank">documentation</a>.
+                  </span>
+                </div>
+              </div>
+              <!-- !init admin init timeout notification -->
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <!-- !timeout info box -->
+    </div>
+  </body>
+</html>
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -10,6 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/api/archive"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
@@ -65,5 +66,20 @@ func restoreFiles(srcDir string, destinationDir string) error {
 			return err
 		}
 	}
-	return nil
+
+	// TODO:  This is very boltdb module specific once again due to the filename.  Move to bolt module? Refactor for another day
+
+	// Prevent the possibility of having both databases.  Remove any default new instance
+	os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName))
+	os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName))
+
+	// Now copy the database.  It'll be either portainer.db or portainer.edb
+
+	// Note: CopyPath does not return an error if the source file doesn't exist
+	err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir)
+	if err != nil {
+		return err
+	}
+
+	return filesystem.CopyPath(filepath.Join(srcDir, boltdb.DatabaseFileName), destinationDir)
 }
--- a/api/chisel/schedules.go
+++ b/api/chisel/schedules.go
@@ -1,14 +1,13 @@
 package chisel

 import (
-	"strconv"
-
 	portainer "github.com/portainer/portainer/api"
 )

 // AddEdgeJob register an EdgeJob inside the tunnel details associated to an environment(endpoint).
 func (service *Service) AddEdgeJob(endpointID portainer.EndpointID, edgeJob *portainer.EdgeJob) {
-	tunnel := service.GetTunnelDetails(endpointID)
+	service.mu.Lock()
+	tunnel := service.getTunnelDetails(endpointID)

 	existingJobIndex := -1
 	for idx, existingJob := range tunnel.Jobs {
@@ -24,24 +23,25 @@ func (service *Service) AddEdgeJob(endpointID portainer.EndpointID, edgeJob *por
 		tunnel.Jobs[existingJobIndex] = *edgeJob
 	}

-	key := strconv.Itoa(int(endpointID))
-	service.tunnelDetailsMap.Set(key, tunnel)
+	service.mu.Unlock()
 }

 // RemoveEdgeJob will remove the specified Edge job from each tunnel it was registered with.
 func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {
-	for item := range service.tunnelDetailsMap.IterBuffered() {
-		tunnelDetails := item.Val.(*portainer.TunnelDetails)
+	service.mu.Lock()

-		updatedJobs := make([]portainer.EdgeJob, 0)
-		for _, edgeJob := range tunnelDetails.Jobs {
-			if edgeJob.ID == edgeJobID {
-				continue
+	for _, tunnel := range service.tunnelDetailsMap {
+		// Filter in-place
+		n := 0
+		for _, edgeJob := range tunnel.Jobs {
+			if edgeJob.ID != edgeJobID {
+				tunnel.Jobs[n] = edgeJob
+				n++
 			}
-			updatedJobs = append(updatedJobs, edgeJob)
 		}

-		tunnelDetails.Jobs = updatedJobs
-		service.tunnelDetailsMap.Set(item.Key, tunnelDetails)
+		tunnel.Jobs = tunnel.Jobs[:n]
 	}
+
+	service.mu.Unlock()
 }
--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -3,17 +3,16 @@ package chisel
 import (
 	"context"
 	"fmt"
-	"github.com/portainer/portainer/api/http/proxy"
 	"log"
 	"net/http"
-	"strconv"
+	"sync"
 	"time"

+	chserver "github.com/andres-portainer/chisel/server"
 	"github.com/dchest/uniuri"
-	chserver "github.com/jpillora/chisel/server"
-	cmap "github.com/orcaman/concurrent-map"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/proxy"
 )

 const (
@@ -28,18 +27,19 @@ const (
 type Service struct {
 	serverFingerprint string
 	serverPort        string
-	tunnelDetailsMap  cmap.ConcurrentMap
+	tunnelDetailsMap  map[portainer.EndpointID]*portainer.TunnelDetails
 	dataStore         dataservices.DataStore
 	snapshotService   portainer.SnapshotService
 	chiselServer      *chserver.Server
 	shutdownCtx       context.Context
 	ProxyManager      *proxy.Manager
+	mu                sync.Mutex
 }

 // NewService returns a pointer to a new instance of Service
 func NewService(dataStore dataservices.DataStore, shutdownCtx context.Context) *Service {
 	return &Service{
-		tunnelDetailsMap: cmap.New(),
+		tunnelDetailsMap: make(map[portainer.EndpointID]*portainer.TunnelDetails),
 		dataStore:        dataStore,
 		shutdownCtx:      shutdownCtx,
 	}
@@ -58,11 +58,7 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
 		Timeout: 3 * time.Second,
 	}
 	_, err = httpClient.Do(req)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return err
 }

 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
@@ -185,42 +181,37 @@ func (service *Service) startTunnelVerificationLoop() {
 }

 func (service *Service) checkTunnels() {
-	for item := range service.tunnelDetailsMap.IterBuffered() {
-		tunnel := item.Val.(*portainer.TunnelDetails)
+	tunnels := make(map[portainer.EndpointID]portainer.TunnelDetails)

+	service.mu.Lock()
+	for key, tunnel := range service.tunnelDetailsMap {
+		tunnels[key] = *tunnel
+	}
+	service.mu.Unlock()
+
+	for endpointID, tunnel := range tunnels {
 		if tunnel.LastActivity.IsZero() || tunnel.Status == portainer.EdgeAgentIdle {
 			continue
 		}

 		elapsed := time.Since(tunnel.LastActivity)
-		log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [message: environment tunnel monitoring]", item.Key, tunnel.Status, elapsed.Seconds())
+		log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %d] [status: %s] [status_time_seconds: %f] [message: environment tunnel monitoring]", endpointID, tunnel.Status, elapsed.Seconds())

 		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed.Seconds() < requiredTimeout.Seconds() {
 			continue
 		} else if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed.Seconds() > requiredTimeout.Seconds() {
-			log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [timeout_seconds: %f] [message: REQUIRED state timeout exceeded]", item.Key, tunnel.Status, elapsed.Seconds(), requiredTimeout.Seconds())
+			log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %d] [status: %s] [status_time_seconds: %f] [timeout_seconds: %f] [message: REQUIRED state timeout exceeded]", endpointID, tunnel.Status, elapsed.Seconds(), requiredTimeout.Seconds())
 		}

 		if tunnel.Status == portainer.EdgeAgentActive && elapsed.Seconds() < activeTimeout.Seconds() {
 			continue
 		} else if tunnel.Status == portainer.EdgeAgentActive && elapsed.Seconds() > activeTimeout.Seconds() {
-			log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %s] [status: %s] [status_time_seconds: %f] [timeout_seconds: %f] [message: ACTIVE state timeout exceeded]", item.Key, tunnel.Status, elapsed.Seconds(), activeTimeout.Seconds())
+			log.Printf("[DEBUG] [chisel,monitoring] [endpoint_id: %d] [status: %s] [status_time_seconds: %f] [timeout_seconds: %f] [message: ACTIVE state timeout exceeded]", endpointID, tunnel.Status, elapsed.Seconds(), activeTimeout.Seconds())

-			endpointID, err := strconv.Atoi(item.Key)
+			err := service.snapshotEnvironment(endpointID, tunnel.Port)
 			if err != nil {
-				log.Printf("[ERROR] [chisel,snapshot,conversion] Invalid environment identifier (id: %s): %s", item.Key, err)
+				log.Printf("[ERROR] [snapshot] Unable to snapshot Edge environment (id: %d): %s", endpointID, err)
 			}
-
-			err = service.snapshotEnvironment(portainer.EndpointID(endpointID), tunnel.Port)
-			if err != nil {
-				log.Printf("[ERROR] [snapshot] Unable to snapshot Edge environment (id: %s): %s", item.Key, err)
-			}
-		}
-
-		endpointID, err := strconv.Atoi(item.Key)
-		if err != nil {
-			log.Printf("[ERROR] [chisel,conversion] Invalid environment identifier (id: %s): %s", item.Key, err)
-			continue
 		}

 		service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -4,13 +4,11 @@ import (
 	"encoding/base64"
 	"fmt"
 	"math/rand"
-	"strconv"
 	"strings"
 	"time"

-	"github.com/portainer/libcrypto"
-
 	"github.com/dchest/uniuri"
+	"github.com/portainer/libcrypto"
 	portainer "github.com/portainer/portainer/api"
 )

@@ -19,13 +17,13 @@ const (
 	maxAvailablePort = 65535
 )

+// NOTE: it needs to be called with the lock acquired
 // getUnusedPort is used to generate an unused random port in the dynamic port range.
 // Dynamic ports (also called private ports) are 49152 to 65535.
 func (service *Service) getUnusedPort() int {
 	port := randomInt(minAvailablePort, maxAvailablePort)

-	for item := range service.tunnelDetailsMap.IterBuffered() {
-		tunnel := item.Val.(*portainer.TunnelDetails)
+	for _, tunnel := range service.tunnelDetailsMap {
 		if tunnel.Port == port {
 			return service.getUnusedPort()
 		}
@@ -38,26 +36,32 @@ func randomInt(min, max int) int {
 	return min + rand.Intn(max-min)
 }

+// NOTE: it needs to be called with the lock acquired
+func (service *Service) getTunnelDetails(endpointID portainer.EndpointID) *portainer.TunnelDetails {
+
+	if tunnel, ok := service.tunnelDetailsMap[endpointID]; ok {
+		return tunnel
+	}
+
+	tunnel := &portainer.TunnelDetails{
+		Status: portainer.EdgeAgentIdle,
+	}
+
+	service.tunnelDetailsMap[endpointID] = tunnel
+
+	return tunnel
+}
+
 // GetTunnelDetails returns information about the tunnel associated to an environment(endpoint).
-func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *portainer.TunnelDetails {
-	key := strconv.Itoa(int(endpointID))
+func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) portainer.TunnelDetails {
+	service.mu.Lock()
+	defer service.mu.Unlock()

-	if item, ok := service.tunnelDetailsMap.Get(key); ok {
-		tunnelDetails := item.(*portainer.TunnelDetails)
-		return tunnelDetails
-	}
-
-	jobs := make([]portainer.EdgeJob, 0)
-	return &portainer.TunnelDetails{
-		Status:      portainer.EdgeAgentIdle,
-		Port:        0,
-		Jobs:        jobs,
-		Credentials: "",
-	}
+	return *service.getTunnelDetails(endpointID)
 }

 // GetActiveTunnel retrieves an active tunnel which allows communicating with edge agent
-func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (*portainer.TunnelDetails, error) {
+func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (portainer.TunnelDetails, error) {
 	tunnel := service.GetTunnelDetails(endpoint.ID)

 	if tunnel.Status == portainer.EdgeAgentActive {
@@ -68,13 +72,13 @@ func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (*portaine
 	if tunnel.Status == portainer.EdgeAgentIdle || tunnel.Status == portainer.EdgeAgentManagementRequired {
 		err := service.SetTunnelStatusToRequired(endpoint.ID)
 		if err != nil {
-			return nil, fmt.Errorf("failed opening tunnel to endpoint: %w", err)
+			return portainer.TunnelDetails{}, fmt.Errorf("failed opening tunnel to endpoint: %w", err)
 		}

 		if endpoint.EdgeCheckinInterval == 0 {
 			settings, err := service.dataStore.Settings().Settings()
 			if err != nil {
-				return nil, fmt.Errorf("failed fetching settings from db: %w", err)
+				return portainer.TunnelDetails{}, fmt.Errorf("failed fetching settings from db: %w", err)
 			}

 			endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
@@ -83,29 +87,27 @@ func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (*portaine
 		time.Sleep(2 * time.Duration(endpoint.EdgeCheckinInterval) * time.Second)
 	}

-	tunnel = service.GetTunnelDetails(endpoint.ID)
-
-	return tunnel, nil
+	return service.GetTunnelDetails(endpoint.ID), nil
 }

 // SetTunnelStatusToActive update the status of the tunnel associated to the specified environment(endpoint).
 // It sets the status to ACTIVE.
 func (service *Service) SetTunnelStatusToActive(endpointID portainer.EndpointID) {
-	tunnel := service.GetTunnelDetails(endpointID)
+	service.mu.Lock()
+	tunnel := service.getTunnelDetails(endpointID)
 	tunnel.Status = portainer.EdgeAgentActive
 	tunnel.Credentials = ""
 	tunnel.LastActivity = time.Now()
-
-	key := strconv.Itoa(int(endpointID))
-	service.tunnelDetailsMap.Set(key, tunnel)
+	service.mu.Unlock()
 }

 // SetTunnelStatusToIdle update the status of the tunnel associated to the specified environment(endpoint).
 // It sets the status to IDLE.
 // It removes any existing credentials associated to the tunnel.
 func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
-	tunnel := service.GetTunnelDetails(endpointID)
+	service.mu.Lock()

+	tunnel := service.getTunnelDetails(endpointID)
 	tunnel.Status = portainer.EdgeAgentIdle
 	tunnel.Port = 0
 	tunnel.LastActivity = time.Now()
@@ -116,10 +118,9 @@ func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
 		service.chiselServer.DeleteUser(strings.Split(credentials, ":")[0])
 	}

-	key := strconv.Itoa(int(endpointID))
-	service.tunnelDetailsMap.Set(key, tunnel)
-
 	service.ProxyManager.DeleteEndpointProxy(endpointID)
+
+	service.mu.Unlock()
 }

 // SetTunnelStatusToRequired update the status of the tunnel associated to the specified environment(endpoint).
@@ -128,7 +129,10 @@ func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
 // and generate temporary credentials that can be used to establish a reverse tunnel on that port.
 // Credentials are encrypted using the Edge ID associated to the environment(endpoint).
 func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointID) error {
-	tunnel := service.GetTunnelDetails(endpointID)
+	tunnel := service.getTunnelDetails(endpointID)
+
+	service.mu.Lock()
+	defer service.mu.Unlock()

 	if tunnel.Port == 0 {
 		endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
@@ -152,9 +156,6 @@ func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointI
 			return err
 		}
 		tunnel.Credentials = credentials
-
-		key := strconv.Itoa(int(endpointID))
-		service.tunnelDetailsMap.Set(key, tunnel)
 	}

 	return nil
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -45,17 +45,21 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		TLSCert:                   kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
 		TLSKey:                    kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
 		HTTPDisabled:              kingpin.Flag("http-disabled", "Serve portainer only on https").Default(defaultHTTPDisabled).Bool(),
+		HTTPEnabled:               kingpin.Flag("http-enabled", "Serve portainer on http").Default(defaultHTTPEnabled).Bool(),
 		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL (deprecated)").Default(defaultSSL).Bool(),
 		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").String(),
 		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").String(),
 		Rollback:                  kingpin.Flag("rollback", "Rollback the database store to the previous version").Bool(),
-		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").Default(defaultSnapshotInterval).String(),
+		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").String(),
 		AdminPassword:             kingpin.Flag("admin-password", "Hashed admin password").String(),
 		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
 		Labels:                    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:                      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
 		Templates:                 kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
 		BaseURL:                   kingpin.Flag("base-url", "Base URL parameter such as portainer if running portainer as http://yourdomain.com/portainer/.").Short('b').Default(defaultBaseURL).String(),
+		InitialMmapSize:           kingpin.Flag("initial-mmap-size", "Initial mmap size of the database in bytes").Int(),
+		MaxBatchSize:              kingpin.Flag("max-batch-size", "Maximum size of a batch").Int(),
+		MaxBatchDelay:             kingpin.Flag("max-batch-delay", "Maximum delay before a batch starts").Duration(),
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 	}

@@ -125,7 +129,7 @@ func validateEndpointURL(endpointURL string) error {
 }

 func validateSnapshotInterval(snapshotInterval string) error {
-	if snapshotInterval != defaultSnapshotInterval {
+	if snapshotInterval != "" {
 		_, err := time.ParseDuration(snapshotInterval)
 		if err != nil {
 			return errInvalidSnapshotInterval
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -16,10 +16,10 @@ const (
 	defaultTLSCertPath         = "/certs/cert.pem"
 	defaultTLSKeyPath          = "/certs/key.pem"
 	defaultHTTPDisabled        = "false"
+	defaultHTTPEnabled         = "false"
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "/certs/portainer.crt"
 	defaultSSLKeyPath          = "/certs/portainer.key"
-	defaultSnapshotInterval    = "5m"
 	defaultBaseURL             = "/"
 	defaultSecretKeyName       = "portainer"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -13,6 +13,7 @@ const (
 	defaultTLSCertPath         = "C:\\certs\\cert.pem"
 	defaultTLSKeyPath          = "C:\\certs\\key.pem"
 	defaultHTTPDisabled        = "false"
+	defaultHTTPEnabled         = "false"
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "C:\\certs\\portainer.crt"
 	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
--- a/api/cmd/portainer/import.go
+++ b/api/cmd/portainer/import.go
@@ -13,7 +13,7 @@ func importFromJson(fileService portainer.FileService, store *datastore.Store) {
 	importFile := "/data/import.json"
 	if exists, _ := fileService.FileExists(importFile); exists {
 		if err := store.Import(importFile); err != nil {
-			logrus.WithError(err).Debugf("import %s failed", importFile)
+			logrus.WithError(err).Debugf("Import %s failed", importFile)

 			// TODO: should really rollback on failure, but then we have nothing.
 		} else {
@@ -23,7 +23,7 @@ func importFromJson(fileService portainer.FileService, store *datastore.Store) {
 		// I also suspect that everything from "Init to Init" is potentially a migration
 		err := store.Init()
 		if err != nil {
-			log.Fatalf("failed initializing data store: %v", err)
+			log.Fatalf("Failed initializing data store: %v", err)
 		}
 	}
 }
--- a/api/cmd/portainer/log.go
+++ b/api/cmd/portainer/log.go
@@ -1,18 +1,41 @@
 package main

 import (
+	"fmt"
 	"log"
+	"strings"

 	"github.com/sirupsen/logrus"
 )

+type portainerFormatter struct {
+	logrus.TextFormatter
+}
+
+func (f *portainerFormatter) Format(entry *logrus.Entry) ([]byte, error) {
+	var levelColor int
+	switch entry.Level {
+	case logrus.DebugLevel, logrus.TraceLevel:
+		levelColor = 31 // gray
+	case logrus.WarnLevel:
+		levelColor = 33 // yellow
+	case logrus.ErrorLevel, logrus.FatalLevel, logrus.PanicLevel:
+		levelColor = 31 // red
+	default:
+		levelColor = 36 // blue
+	}
+	return []byte(fmt.Sprintf("\x1b[%dm%s\x1b[0m %s %s\n", levelColor, strings.ToUpper(entry.Level.String()), entry.Time.Format(f.TimestampFormat), entry.Message)), nil
+}
+
 func configureLogger() {
 	logger := logrus.New() // logger is to implicitly substitute stdlib's log
 	log.SetOutput(logger.Writer())

 	formatter := &logrus.TextFormatter{DisableTimestamp: true, DisableLevelTruncation: true}
+	formatterLogrus := &portainerFormatter{logrus.TextFormatter{DisableTimestamp: false, DisableLevelTruncation: true, TimestampFormat: "2006/01/02 15:04:05", FullTimestamp: true}}
+
 	logger.SetFormatter(formatter)
-	logrus.SetFormatter(formatter)
+	logrus.SetFormatter(formatterLogrus)

 	logger.SetLevel(logrus.DebugLevel)
 	logrus.SetLevel(logrus.DebugLevel)
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -2,6 +2,7 @@ package main

 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
 	"log"
 	"os"
@@ -19,6 +20,7 @@ import (
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/database"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/docker"
@@ -47,12 +49,12 @@ func initCLI() *portainer.CLIFlags {
 	var cliService portainer.CLIService = &cli.Service{}
 	flags, err := cliService.ParseFlags(portainer.APIVersion)
 	if err != nil {
-		log.Fatalf("failed parsing flags: %v", err)
+		logrus.Fatalf("Failed parsing flags: %v", err)
 	}

 	err = cliService.ValidateFlags(flags)
 	if err != nil {
-		log.Fatalf("failed validating flags:%v", err)
+		logrus.Fatalf("Failed validating flags:%v", err)
 	}
 	return flags
 }
@@ -60,46 +62,84 @@ func initCLI() *portainer.CLIFlags {
 func initFileService(dataStorePath string) portainer.FileService {
 	fileService, err := filesystem.NewService(dataStorePath, "")
 	if err != nil {
-		log.Fatalf("failed creating file service: %v", err)
+		logrus.Fatalf("Failed creating file service: %v", err)
 	}
 	return fileService
 }

-func initDataStore(storePath string, rollback bool, secretKey string, fileService portainer.FileService, shutdownCtx context.Context) dataservices.DataStore {
-	connection, err := database.NewDatabase("boltdb", storePath, secretKey)
+func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService portainer.FileService, shutdownCtx context.Context) dataservices.DataStore {
+	connection, err := database.NewDatabase("boltdb", *flags.Data, secretKey)
 	if err != nil {
-		panic(err)
+		logrus.Fatalf("failed creating database connection: %s", err)
 	}

-	store := datastore.NewStore(storePath, fileService, connection)
-	_, err = store.Open()
-	if err != nil {
-		log.Fatalf("failed opening store: %s", err.Error())
+	if bconn, ok := connection.(*boltdb.DbConnection); ok {
+		bconn.MaxBatchSize = *flags.MaxBatchSize
+		bconn.MaxBatchDelay = *flags.MaxBatchDelay
+		bconn.InitialMmapSize = *flags.InitialMmapSize
+	} else {
+		logrus.Fatalf("failed creating database connection: expecting a boltdb database type but a different one was received")
 	}

-	if rollback {
+	store := datastore.NewStore(*flags.Data, fileService, connection)
+	isNew, err := store.Open()
+	if err != nil {
+		logrus.Fatalf("Failed opening store: %v", err)
+	}
+
+	if *flags.Rollback {
 		err := store.Rollback(false)
 		if err != nil {
-			log.Fatalf("failed rolling back: %s", err.Error())
+			logrus.Fatalf("Failed rolling back: %v", err)
 		}

-		log.Println("Exiting rollback")
+		logrus.Println("Exiting rollback")
 		os.Exit(0)
 		return nil
 	}

+	// Init sets some defaults - it's basically a migration
 	err = store.Init()
 	if err != nil {
-		log.Fatalf("failed initializing data store: %v", err)
+		logrus.Fatalf("Failed initializing data store: %v", err)
 	}

+	if isNew {
+		// from MigrateData
+		store.VersionService.StoreDBVersion(portainer.DBVersion)
+
+		err := updateSettingsFromFlags(store, flags)
+		if err != nil {
+			logrus.Fatalf("Failed updating settings from flags: %v", err)
+		}
+	} else {
+		storedVersion, err := store.VersionService.DBVersion()
+		if err != nil {
+			logrus.Fatalf("Something Failed during creation of new database: %v", err)
+		}
+		if storedVersion != portainer.DBVersion {
+			err = store.MigrateData()
+			if err != nil {
+				logrus.Fatalf("Failed migration: %v", err)
+			}
+		}
+	}
+
+	err = updateSettingsFromFlags(store, flags)
+	if err != nil {
+		log.Fatalf("Failed updating settings from flags: %v", err)
+	}
+
+	// this is for the db restore functionality - needs more tests.
 	go func() {
 		<-shutdownCtx.Done()
-		exportFilename := path.Join(storePath, fmt.Sprintf("export-%d.json", time.Now().Unix()))
+		defer connection.Close()
+
+		exportFilename := path.Join(*flags.Data, fmt.Sprintf("export-%d.json", time.Now().Unix()))

 		err := store.Export(exportFilename)
 		if err != nil {
-			logrus.WithError(err).Debugf("failed to export to %s", exportFilename)
+			logrus.WithError(err).Debugf("Failed to export to %s", exportFilename)
 		} else {
 			logrus.Debugf("exported to %s", exportFilename)
 		}
@@ -111,7 +151,7 @@ func initDataStore(storePath string, rollback bool, secretKey string, fileServic
 func initComposeStackManager(assetsPath string, configPath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
 	composeWrapper, err := exec.NewComposeStackManager(assetsPath, configPath, proxyManager)
 	if err != nil {
-		log.Fatalf("failed creating compose manager: %s", err)
+		logrus.Fatalf("Failed creating compose manager: %v", err)
 	}

 	return composeWrapper
@@ -193,11 +233,11 @@ func initKubernetesClientFactory(signatureService portainer.DigitalSignatureServ
 	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID, dataStore)
 }

-func initSnapshotService(snapshotInterval string, dataStore dataservices.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory, shutdownCtx context.Context) (portainer.SnapshotService, error) {
+func initSnapshotService(snapshotIntervalFromFlag string, dataStore dataservices.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory, shutdownCtx context.Context) (portainer.SnapshotService, error) {
 	dockerSnapshotter := docker.NewSnapshotter(dockerClientFactory)
 	kubernetesSnapshotter := kubernetes.NewSnapshotter(kubernetesClientFactory)

-	snapshotService, err := snapshot.NewService(snapshotInterval, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx)
+	snapshotService, err := snapshot.NewService(snapshotIntervalFromFlag, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx)
 	if err != nil {
 		return nil, err
 	}
@@ -217,13 +257,18 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 	if err != nil {
 		return err
 	}
-	logrus.WithField("settings", settings).Infof("see AuthenticationMethod ")

-	settings.LogoURL = *flags.Logo
-	settings.SnapshotInterval = *flags.SnapshotInterval
-	settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
-	settings.EnableTelemetry = true
-	settings.OAuthSettings.SSO = true
+	if *flags.SnapshotInterval != "" {
+		settings.SnapshotInterval = *flags.SnapshotInterval
+	}
+
+	if *flags.Logo != "" {
+		settings.LogoURL = *flags.Logo
+	}
+
+	if *flags.EnableEdgeComputeFeatures {
+		settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
+	}

 	if *flags.Templates != "" {
 		settings.TemplatesURL = *flags.Templates
@@ -238,14 +283,16 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}

-	httpEnabled := !*flags.HTTPDisabled
-
 	sslSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
 		return err
 	}

-	sslSettings.HTTPEnabled = httpEnabled
+	if *flags.HTTPDisabled {
+		sslSettings.HTTPEnabled = false
+	} else if *flags.HTTPEnabled {
+		sslSettings.HTTPEnabled = true
+	}

 	err = dataStore.SSLSettings().UpdateSettings(sslSettings)
 	if err != nil {
@@ -287,9 +334,9 @@ func enableFeaturesFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		}

 		if featureState {
-			log.Printf("Feature %v : on", *correspondingFeature)
+			logrus.Printf("Feature %v : on", *correspondingFeature)
 		} else {
-			log.Printf("Feature %v : off", *correspondingFeature)
+			logrus.Printf("Feature %v : off", *correspondingFeature)
 		}

 		settings.FeatureFlagSettings[*correspondingFeature] = featureState
@@ -318,7 +365,7 @@ func generateAndStoreKeyPair(fileService portainer.FileService, signatureService
 func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
 	existingKeyPair, err := fileService.KeyPairFilesExist()
 	if err != nil {
-		log.Fatalf("failed checking for existing key pair: %v", err)
+		logrus.Fatalf("Failed checking for existing key pair: %v", err)
 	}

 	if existingKeyPair {
@@ -351,7 +398,6 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.
 		TLSConfig:          tlsConfiguration,
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             []portainer.TagID{},
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
@@ -389,7 +435,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.

 	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
-		log.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+		logrus.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

 	return dataStore.Endpoint().Create(endpoint)
@@ -413,7 +459,6 @@ func createUnsecuredEndpoint(endpointURL string, dataStore dataservices.DataStor
 		TLSConfig:          portainer.TLSConfiguration{},
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             []portainer.TagID{},
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
@@ -435,7 +480,7 @@ func createUnsecuredEndpoint(endpointURL string, dataStore dataservices.DataStor

 	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
-		log.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+		logrus.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

 	return dataStore.Endpoint().Create(endpoint)
@@ -452,7 +497,7 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore dataservices.DataStore, s
 	}

 	if len(endpoints) > 0 {
-		log.Println("Instance already has defined environments. Skipping the environment defined via CLI.")
+		logrus.Println("Instance already has defined environments. Skipping the environment defined via CLI.")
 		return nil
 	}

@@ -462,99 +507,90 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore dataservices.DataStore, s
 	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotService)
 }

-func initSecretKey(fileName string) string {
-	ok, _ := filesystem.FileExists("/run/secrets/" + fileName)
-	if !ok {
-		log.Println(fmt.Sprintf("encryption secret file `%s` does not exists", fileName))
-		return ""
-	}
-
-	content, err := os.ReadFile("/run/secrets/" + fileName)
+func loadEncryptionSecretKey(keyfilename string) []byte {
+	content, err := os.ReadFile(path.Join("/run/secrets", keyfilename))
 	if err != nil {
-		log.Println(fmt.Sprintf("error reading encryption key file: %s", err.Error()))
-		return ""
+		if os.IsNotExist(err) {
+			logrus.Printf("Encryption key file `%s` not present", keyfilename)
+		} else {
+			logrus.Printf("Error reading encryption key file: %v", err)
+		}
+
+		return nil
 	}

-	return strings.TrimSuffix(string(content), "\n")
+	// return a 32 byte hash of the secret (required for AES)
+	hash := sha256.Sum256(content)
+	return hash[:]
 }

 func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	shutdownCtx, shutdownTrigger := context.WithCancel(context.Background())

 	fileService := initFileService(*flags.Data)
-	encryptionKey := initSecretKey(*flags.SecretKeyName)
-	if encryptionKey == "" {
-		log.Println("proceeding without encryption key")
+	encryptionKey := loadEncryptionSecretKey(*flags.SecretKeyName)
+	if encryptionKey == nil {
+		logrus.Println("Proceeding without encryption key")
 	}

-	dataStore := initDataStore(*flags.Data, *flags.Rollback, encryptionKey, fileService, shutdownCtx)
+	dataStore := initDataStore(flags, encryptionKey, fileService, shutdownCtx)

 	if err := dataStore.CheckCurrentEdition(); err != nil {
-		log.Fatal(err)
+		logrus.Fatal(err)
 	}
 	instanceID, err := dataStore.Version().InstanceID()
 	if err != nil {
-		log.Fatalf("failed getting instance id: %v", err)
+		logrus.Fatalf("Failed getting instance id: %v", err)
 	}

 	apiKeyService := initAPIKeyService(dataStore)

 	settings, err := dataStore.Settings().Settings()
 	if err != nil {
-		log.Fatal(err)
+		logrus.Fatal(err)
 	}
 	jwtService, err := initJWTService(settings.UserSessionTimeout, dataStore)
 	if err != nil {
-		log.Fatalf("failed initializing JWT service: %v", err)
+		logrus.Fatalf("Failed initializing JWT service: %v", err)
 	}

 	err = enableFeaturesFromFlags(dataStore, flags)
 	if err != nil {
-		log.Fatalf("failed enabling feature flag: %v", err)
+		logrus.Fatalf("Failed enabling feature flag: %v", err)
 	}

 	ldapService := initLDAPService()
 	oauthService := initOAuthService()
 	gitService := initGitService()

-	openAMTService := openamt.NewService(dataStore)
+	openAMTService := openamt.NewService()

 	cryptoService := initCryptoService()
 	digitalSignatureService := initDigitalSignatureService()

 	sslService, err := initSSLService(*flags.AddrHTTPS, *flags.Data, *flags.SSLCert, *flags.SSLKey, fileService, dataStore, shutdownTrigger)
 	if err != nil {
-		log.Fatal(err)
+		logrus.Fatal(err)
 	}

 	sslSettings, err := sslService.GetSSLSettings()
 	if err != nil {
-		log.Fatalf("failed to get ssl settings: %s", err)
+		logrus.Fatalf("Failed to get ssl settings: %s", err)
 	}

 	err = initKeyPair(fileService, digitalSignatureService)
 	if err != nil {
-		log.Fatalf("failed initializing key pair: %v", err)
+		logrus.Fatalf("Failed initializing key pair: %v", err)
 	}

 	reverseTunnelService := chisel.NewService(dataStore, shutdownCtx)

-	instanceID, err = dataStore.Version().InstanceID()
-	if err != nil {
-		log.Fatalf("failed getting instance id: %v", err)
-	}
-	dbVersion, err := dataStore.Version().DBVersion()
-	if err != nil {
-		log.Fatalf("failed getting db version: %v", err)
-	}
-	logrus.WithField("instanceID", instanceID).WithField("dbVersion", dbVersion).Infof("started with valid store")
-
 	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
 	kubernetesClientFactory := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, instanceID, dataStore)

 	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx)
 	if err != nil {
-		log.Fatalf("failed initializing snapshot service: %v", err)
+		logrus.Fatalf("Failed initializing snapshot service: %v", err)
 	}
 	snapshotService.Start()

@@ -563,7 +599,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	kubernetesTokenCacheManager := kubeproxy.NewTokenCacheManager()

-	kubeConfigService := kubernetes.NewKubeConfigCAService(*flags.AddrHTTPS, sslSettings.CertPath)
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService(*flags.BaseURL, *flags.AddrHTTPS, sslSettings.CertPath)

 	proxyManager := proxy.NewManager(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager)

@@ -575,37 +611,37 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
-		log.Fatalf("failed initializing swarm stack manager: %s", err)
+		logrus.Fatalf("Failed initializing swarm stack manager: %v", err)
 	}

 	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, proxyManager, *flags.Assets)

 	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
 	if err != nil {
-		log.Fatalf("failed initializing helm package manager: %s", err)
+		logrus.Fatalf("Failed initializing helm package manager: %v", err)
 	}

 	err = edge.LoadEdgeJobs(dataStore, reverseTunnelService)
 	if err != nil {
-		log.Fatalf("failed loading edge jobs from database: %v", err)
+		logrus.Fatalf("Failed loading edge jobs from database: %v", err)
 	}

 	applicationStatus := initStatus(instanceID)

 	err = initEndpoint(flags, dataStore, snapshotService)
 	if err != nil {
-		log.Fatalf("failed initializing environment: %v", err)
+		logrus.Fatalf("Failed initializing environment: %v", err)
 	}

 	adminPasswordHash := ""
 	if *flags.AdminPasswordFile != "" {
 		content, err := fileService.GetFileContent(*flags.AdminPasswordFile, "")
 		if err != nil {
-			log.Fatalf("failed getting admin password file: %v", err)
+			logrus.Fatalf("Failed getting admin password file: %v", err)
 		}
 		adminPasswordHash, err = cryptoService.Hash(strings.TrimSuffix(string(content), "\n"))
 		if err != nil {
-			log.Fatalf("failed hashing admin password: %v", err)
+			logrus.Fatalf("Failed hashing admin password: %v", err)
 		}
 	} else if *flags.AdminPassword != "" {
 		adminPasswordHash = *flags.AdminPassword
@@ -614,11 +650,11 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	if adminPasswordHash != "" {
 		users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
 		if err != nil {
-			log.Fatalf("failed getting admin user: %v", err)
+			logrus.Fatalf("Failed getting admin user: %v", err)
 		}

 		if len(users) == 0 {
-			log.Println("Created admin user with the given password.")
+			logrus.Println("Created admin user with the given password.")
 			user := &portainer.User{
 				Username: "admin",
 				Role:     portainer.AdministratorRole,
@@ -626,21 +662,21 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 			}
 			err := dataStore.User().Create(user)
 			if err != nil {
-				log.Fatalf("failed creating admin user: %v", err)
+				logrus.Fatalf("Failed creating admin user: %v", err)
 			}
 		} else {
-			log.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
+			logrus.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
 		}
 	}

 	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
 	if err != nil {
-		log.Fatalf("failed starting tunnel server: %s", err)
+		logrus.Fatalf("Failed starting tunnel server: %v", err)
 	}

 	sslDBSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
-		log.Fatalf("failed to fetch ssl settings from DB")
+		logrus.Fatalf("Failed to fetch ssl settings from DB")
 	}

 	scheduler := scheduler.NewScheduler(shutdownCtx)
@@ -670,7 +706,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		OpenAMTService:              openAMTService,
 		ProxyManager:                proxyManager,
 		KubernetesTokenCacheManager: kubernetesTokenCacheManager,
-		KubeConfigService:           kubeConfigService,
+		KubeClusterAccessService:    kubeClusterAccessService,
 		SignatureService:            digitalSignatureService,
 		SnapshotService:             snapshotService,
 		SSLService:                  sslService,
@@ -680,7 +716,6 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		ShutdownCtx:                 shutdownCtx,
 		ShutdownTrigger:             shutdownTrigger,
 		StackDeployer:               stackDeployer,
-		BaseURL:                     *flags.BaseURL,
 	}
 }

@@ -691,8 +726,8 @@ func main() {

 	for {
 		server := buildServer(flags)
-		log.Printf("[INFO] [cmd,main] Starting Portainer version %s\n", portainer.APIVersion)
+		logrus.Printf("[INFO] [cmd,main] Starting Portainer version %s\n", portainer.APIVersion)
 		err := server.Start()
-		log.Printf("[INFO] [cmd,main] Http server exited: %s\n", err)
+		logrus.Printf("[INFO] [cmd,main] Http server exited: %v\n", err)
 	}
 }
--- a/api/cmd/portainer/main_test.go
+++ b/api/cmd/portainer/main_test.go
@@ -29,11 +29,6 @@ func Test_enableFeaturesFromFlags(t *testing.T) {
 		isSupported bool
 	}{
 		{"test", false},
-		{"openamt", false},
-		{"open-amt", true},
-		{"oPeN-amT", true},
-		{"fdo", true},
-		{"FDO", true},
 	}
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s succeeds:%v", test.featureFlag, test.isSupported), func(t *testing.T) {
--- a/api/connection.go
+++ b/api/connection.go
@@ -11,14 +11,16 @@ type Connection interface {
 	// write the db contents to filename as json (the schema needs defining)
 	ExportRaw(filename string) error

-	//Rollback(force bool) error
-	//MigrateData(migratorParams *database.MigratorParameters, force bool) error
-
 	// TODO: this one is very database specific atm
 	BackupTo(w io.Writer) error
-	GetDatabaseFilename() string
+	GetDatabaseFileName() string
+	GetDatabaseFilePath() string
 	GetStorePath() string

+	IsEncryptedStore() bool
+	NeedsEncryptionMigration() (bool, error)
+	SetEncrypted(encrypted bool)
+
 	SetServiceName(bucketName string) error
 	GetObject(bucketName string, key []byte, object interface{}) error
 	UpdateObject(bucketName string, key []byte, object interface{}) error
@@ -27,11 +29,12 @@ type Connection interface {
 	GetNextIdentifier(bucketName string) int
 	CreateObject(bucketName string, fn func(uint64) (int, interface{})) error
 	CreateObjectWithId(bucketName string, id int, obj interface{}) error
+	CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error
 	CreateObjectWithSetSequence(bucketName string, id int, obj interface{}) error
 	GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error
 	GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error
 	ConvertToKey(v int) []byte

-	IsEncryptionRequired() (bool, error)
-	SetIsDBEncryptedFlag(bool)
+	BackupMetadata() (map[string]interface{}, error)
+	RestoreMetadata(s map[string]interface{}) error
 }
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -6,84 +6,133 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"log"
 	"os"
 	"path"
 	"time"

-	"github.com/boltdb/bolt"
-	portainerErrors "github.com/portainer/portainer/api/dataservices/errors"
-	"github.com/portainer/portainer/api/dataservices/version"
+	dserrors "github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/sirupsen/logrus"
+	bolt "go.etcd.io/bbolt"
+)
+
+const (
+	DatabaseFileName          = "portainer.db"
+	EncryptedDatabaseFileName = "portainer.edb"
+)
+
+var (
+	ErrHaveEncryptedAndUnencrypted = errors.New("Portainer has detected both an encrypted and un-encrypted database and cannot start.  Only one database should exist")
+	ErrHaveEncryptedWithNoKey      = errors.New("The portainer database is encrypted, but no secret was loaded")
 )

 type DbConnection struct {
-	Path          string
-	EncryptionKey string
-	IsDBEncrypted bool
+	Path            string
+	MaxBatchSize    int
+	MaxBatchDelay   time.Duration
+	InitialMmapSize int
+	EncryptionKey   []byte
+	isEncrypted     bool

 	*bolt.DB
 }

-func (connection *DbConnection) GetDatabaseFilename() string {
-	return "portainer.db"
+// GetDatabaseFileName get the database filename
+func (connection *DbConnection) GetDatabaseFileName() string {
+	if connection.IsEncryptedStore() {
+		return EncryptedDatabaseFileName
+	}
+
+	return DatabaseFileName
 }

+// GetDataseFilePath get the path + filename for the database file
+func (connection *DbConnection) GetDatabaseFilePath() string {
+	if connection.IsEncryptedStore() {
+		return path.Join(connection.Path, EncryptedDatabaseFileName)
+	}
+
+	return path.Join(connection.Path, DatabaseFileName)
+}
+
+// GetStorePath get the filename and path for the database file
 func (connection *DbConnection) GetStorePath() string {
 	return connection.Path
 }

-func (connection *DbConnection) SetIsDBEncryptedFlag(flag bool) {
-	connection.IsDBEncrypted = flag
+func (connection *DbConnection) SetEncrypted(flag bool) {
+	connection.isEncrypted = flag
 }

-func (connection *DbConnection) IsEncryptionRequired() (bool, error) {
-	if connection.EncryptionKey != "" {
-		// set it back to true as encryption key exists
-		defer connection.SetIsDBEncryptedFlag(true)
+// Return true if the database is encrypted
+func (connection *DbConnection) IsEncryptedStore() bool {
+	return connection.getEncryptionKey() != nil
+}

-		// set IsDBEncrypted to false and get the version
-		connection.IsDBEncrypted = false
-		version, err := version.NewService(connection)
-		if err != nil {
-			return false, err
-		}
+// NeedsEncryptionMigration returns true if database encryption is enabled and
+// we have an un-encrypted DB that requires migration to an encrypted DB
+func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {

-		// 0: if encrypted or new
-		// > 0 if unencrypted
-		v, err := version.DBVersion()
-		logrus.Infof("DB version %d", v)
-		if err != nil || v == 0 {
-			if errors.Is(err, portainerErrors.ErrObjectNotFound) {
-				logrus.Info("it is new database")
-			} else {
-				logrus.Info("it is encrypted database")
-			}
-			return false, err
-		}
+	// Cases:  Note, we need to check both portainer.db and portainer.edb
+	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5

+	// 1) portainer.edb + key     => False
+	// 2) portainer.edb + no key  => ERROR Fatal!
+	// 3) portainer.db  + key     => True  (needs migration)
+	// 4) portainer.db  + no key  => False
+	// 5) NoDB (new)    + key     => False
+	// 6) NoDB (new)    + no key  => False
+	// 7) portainer.db & portainer.edb => ERROR Fatal!
+
+	// If we have a loaded encryption key, always set encrypted
+	if connection.EncryptionKey != nil {
+		connection.SetEncrypted(true)
+	}
+
+	// Check for portainer.db
+	dbFile := path.Join(connection.Path, DatabaseFileName)
+	_, err := os.Stat(dbFile)
+	haveDbFile := err == nil
+
+	// Check for portainer.edb
+	edbFile := path.Join(connection.Path, EncryptedDatabaseFileName)
+	_, err = os.Stat(edbFile)
+	haveEdbFile := err == nil
+
+	if haveDbFile && haveEdbFile {
+		// 7 - encrypted and unencrypted db?
+		return false, ErrHaveEncryptedAndUnencrypted
+	}
+
+	if haveDbFile && connection.EncryptionKey != nil {
+		// 3 - needs migration
 		return true, nil
 	}
+
+	if haveEdbFile && connection.EncryptionKey == nil {
+		// 2 - encrypted db, but no key?
+		return false, ErrHaveEncryptedWithNoKey
+	}
+
+	// 1, 4, 5, 6
 	return false, nil
 }

-// Opens the BoltDB database.
+// Open opens and initializes the BoltDB database.
 func (connection *DbConnection) Open() error {
-	databaseExportPath := path.Join(connection.Path, fmt.Sprintf("raw-%s-%d.json", connection.GetDatabaseFilename(), time.Now().Unix()))
-	if err := connection.ExportRaw(databaseExportPath); err != nil {
-		log.Printf("raw export to %s error: %s", databaseExportPath, err)
-	} else {
-		log.Printf("raw export to %s success", databaseExportPath)
-	}

-	databasePath := path.Join(connection.Path, connection.GetDatabaseFilename())
+	logrus.Infof("Loading PortainerDB: %s", connection.GetDatabaseFileName())

-	logrus.WithField("dbPath", databasePath).WithField("try Passphrase", connection.EncryptionKey != "").Debugf("opening database")
-
-	db, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
+	// Now we open the db
+	databasePath := connection.GetDatabaseFilePath()
+	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
+		Timeout:         1 * time.Second,
+		InitialMmapSize: connection.InitialMmapSize,
+	})
 	if err != nil {
 		return err
 	}
+	db.MaxBatchSize = connection.MaxBatchSize
+	db.MaxBatchDelay = connection.MaxBatchDelay
 	connection.DB = db
 	return nil
 }
@@ -107,12 +156,11 @@ func (connection *DbConnection) BackupTo(w io.Writer) error {
 }

 func (connection *DbConnection) ExportRaw(filename string) error {
-	databasePath := path.Join(connection.Path, connection.GetDatabaseFilename())
+	databasePath := connection.GetDatabaseFilePath()
 	if _, err := os.Stat(databasePath); err != nil {
 		return fmt.Errorf("stat on %s failed: %s", databasePath, err)
 	}

-	// TODO: Put it behind a debug feature flag
 	b, err := connection.exportJson(databasePath)
 	if err != nil {
 		return err
@@ -131,18 +179,14 @@ func (connection *DbConnection) ConvertToKey(v int) []byte {

 // CreateBucket is a generic function used to create a bucket inside a database database.
 func (connection *DbConnection) SetServiceName(bucketName string) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		_, err := tx.CreateBucketIfNotExists([]byte(bucketName))
-		if err != nil {
-			return err
-		}
-		return nil
+		return err
 	})
 }

 // GetObject is a generic function used to retrieve an unmarshalled object from a database database.
 func (connection *DbConnection) GetObject(bucketName string, key []byte, object interface{}) error {
-	logrus.WithField("bucket", bucketName).WithField("key", string(key)).Infof("GetObject")
 	var data []byte

 	err := connection.View(func(tx *bolt.Tx) error {
@@ -150,7 +194,7 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object

 		value := bucket.Get(key)
 		if value == nil {
-			return portainerErrors.ErrObjectNotFound
+			return dserrors.ErrObjectNotFound
 		}

 		data = make([]byte, len(value))
@@ -162,43 +206,33 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 		return err
 	}

-	return connection.UnmarshalObject(data, object)
+	return connection.UnmarshalObjectWithJsoniter(data, object)
 }

-func (connection *DbConnection) getEncryptionKey() string {
-	logrus.Infof("With EncryptionKey=%t & IsDBEncrypted=%t", connection.EncryptionKey != "", connection.IsDBEncrypted)
-	if !connection.IsDBEncrypted {
-		return ""
+func (connection *DbConnection) getEncryptionKey() []byte {
+	if !connection.isEncrypted {
+		return nil
 	}
+
 	return connection.EncryptionKey
 }

 // UpdateObject is a generic function used to update an object inside a database database.
 func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object interface{}) error {
-	logrus.WithField("bucket", bucketName).WithField("key", string(key)).Infof("UpdateObject")
+	data, err := connection.MarshalObject(object)
+	if err != nil {
+		return err
+	}

-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-
-		data, err := connection.MarshalObject(object)
-		if err != nil {
-			return err
-		}
-
-		err = bucket.Put(key, data)
-		if err != nil {
-			return err
-		}
-
-		return nil
+		return bucket.Put(key, data)
 	})
 }

 // DeleteObject is a generic function used to delete an object inside a database database.
 func (connection *DbConnection) DeleteObject(bucketName string, key []byte) error {
-	logrus.WithField("bucket", bucketName).WithField("key", string(key)).Infof("DeleteObject")
-
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 		return bucket.Delete(key)
 	})
@@ -207,9 +241,7 @@ func (connection *DbConnection) DeleteObject(bucketName string, key []byte) erro
 // DeleteAllObjects delete all objects where matching() returns (id, ok).
 // TODO: think about how to return the error inside (maybe change ok to type err, and use "notfound"?
 func (connection *DbConnection) DeleteAllObjects(bucketName string, matching func(o interface{}) (id int, ok bool)) error {
-	logrus.WithField("bucket", bucketName).Infof("DeleteAllObjects")
-
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

 		cursor := bucket.Cursor()
@@ -236,7 +268,7 @@ func (connection *DbConnection) DeleteAllObjects(bucketName string, matching fun
 func (connection *DbConnection) GetNextIdentifier(bucketName string) int {
 	var identifier int

-	connection.Update(func(tx *bolt.Tx) error {
+	connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 		id, err := bucket.NextSequence()
 		if err != nil {
@@ -251,9 +283,7 @@ func (connection *DbConnection) GetNextIdentifier(bucketName string) int {

 // CreateObject creates a new object in the bucket, using the next bucket sequence id
 func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64) (int, interface{})) error {
-	logrus.WithField("bucket", bucketName).Infof("CreateObject")
-
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

 		seqId, _ := bucket.NextSequence()
@@ -270,24 +300,34 @@ func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64)

 // CreateObjectWithId creates a new object in the bucket, using the specified id
 func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, obj interface{}) error {
-	logrus.WithField("bucket", bucketName).WithField("id", id).Infof("CreateObjectWithId")
-
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-
 		data, err := connection.MarshalObject(obj)
 		if err != nil {
 			return err
 		}

-		return bucket.Put(connection.ConvertToKey(int(id)), data)
+		return bucket.Put(connection.ConvertToKey(id), data)
+	})
+}
+
+// CreateObjectWithStringId creates a new object in the bucket, using the specified id
+func (connection *DbConnection) CreateObjectWithStringId(bucketName string, id []byte, obj interface{}) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(bucketName))
+		data, err := connection.MarshalObject(obj)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(id, data)
 	})
 }

 // CreateObjectWithSetSequence creates a new object in the bucket, using the specified id, and sets the bucket sequence
 // avoid this :)
 func (connection *DbConnection) CreateObjectWithSetSequence(bucketName string, id int, obj interface{}) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

 		// We manually manage sequences for schedules
@@ -301,16 +341,13 @@ func (connection *DbConnection) CreateObjectWithSetSequence(bucketName string, i
 			return err
 		}

-		return bucket.Put(connection.ConvertToKey(int(id)), data)
+		return bucket.Put(connection.ConvertToKey(id), data)
 	})
 }

 func (connection *DbConnection) GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
-	logrus.WithField("bucket", bucketName).Infof("GetAll")
-
 	err := connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-
 		cursor := bucket.Cursor()
 		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
 			err := connection.UnmarshalObject(v, obj)
@@ -330,8 +367,6 @@ func (connection *DbConnection) GetAll(bucketName string, obj interface{}, appen

 // TODO: decide which Unmarshal to use, and use one...
 func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
-	logrus.WithField("bucket", bucketName).Infof("GetAllWithJsoniter")
-
 	err := connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

@@ -351,3 +386,43 @@ func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interf
 	})
 	return err
 }
+
+func (connection *DbConnection) BackupMetadata() (map[string]interface{}, error) {
+	buckets := map[string]interface{}{}
+
+	err := connection.View(func(tx *bolt.Tx) error {
+		err := tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
+			bucketName := string(name)
+			bucket = tx.Bucket([]byte(bucketName))
+			seqId := bucket.Sequence()
+			buckets[bucketName] = int(seqId)
+			return nil
+		})
+
+		return err
+	})
+
+	return buckets, err
+}
+
+func (connection *DbConnection) RestoreMetadata(s map[string]interface{}) error {
+	var err error
+
+	for bucketName, v := range s {
+		id, ok := v.(float64) // JSON ints are unmarshalled to interface as float64. See: https://pkg.go.dev/encoding/json#Decoder.Decode
+		if !ok {
+			logrus.Errorf("Failed to restore metadata to bucket %s, skipped", bucketName)
+			continue
+		}
+
+		err = connection.Batch(func(tx *bolt.Tx) error {
+			bucket, err := tx.CreateBucketIfNotExists([]byte(bucketName))
+			if err != nil {
+				return err
+			}
+			return bucket.SetSequence(uint64(id))
+		})
+	}
+
+	return err
+}
--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -0,0 +1,124 @@
+package boltdb
+
+import (
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_NeedsEncryptionMigration(t *testing.T) {
+	// Test the specific scenarios mentioned in NeedsEncryptionMigration
+
+	// i.e.
+	// Cases:  Note, we need to check both portainer.db and portainer.edb
+	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5
+
+	// 1) portainer.edb + key     => False
+	// 2) portainer.edb + no key  => ERROR Fatal!
+	// 3) portainer.db  + key     => True  (needs migration)
+	// 4) portainer.db  + no key  => False
+	// 5) NoDB (new)    + key     => False
+	// 6) NoDB (new)    + no key  => False
+	// 7) portainer.db & portainer.edb (key not important) => ERROR Fatal!
+
+	is := assert.New(t)
+	dir := t.TempDir()
+
+	cases := []struct {
+		name         string
+		dbname       string
+		key          bool
+		expectError  error
+		expectResult bool
+	}{
+		{
+			name:         "portainer.edb + key",
+			dbname:       EncryptedDatabaseFileName,
+			key:          true,
+			expectError:  nil,
+			expectResult: false,
+		},
+		{
+			name:         "portainer.db + key (migration needed)",
+			dbname:       DatabaseFileName,
+			key:          true,
+			expectError:  nil,
+			expectResult: true,
+		},
+		{
+			name:         "portainer.db + no key",
+			dbname:       DatabaseFileName,
+			key:          false,
+			expectError:  nil,
+			expectResult: false,
+		},
+		{
+			name:         "NoDB (new) + key",
+			dbname:       "",
+			key:          false,
+			expectError:  nil,
+			expectResult: false,
+		},
+		{
+			name:         "NoDB (new) + no key",
+			dbname:       "",
+			key:          false,
+			expectError:  nil,
+			expectResult: false,
+		},
+
+		// error tests
+		{
+			name:         "portainer.edb + no key",
+			dbname:       EncryptedDatabaseFileName,
+			key:          false,
+			expectError:  ErrHaveEncryptedWithNoKey,
+			expectResult: false,
+		},
+		{
+			name:         "portainer.db & portainer.edb",
+			dbname:       "both",
+			key:          true,
+			expectError:  ErrHaveEncryptedAndUnencrypted,
+			expectResult: false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+
+			connection := DbConnection{Path: dir}
+
+			if tc.dbname == "both" {
+				// Special case.  If portainer.db and portainer.edb exist.
+				dbFile1 := path.Join(connection.Path, DatabaseFileName)
+				f, _ := os.Create(dbFile1)
+				f.Close()
+				defer os.Remove(dbFile1)
+
+				dbFile2 := path.Join(connection.Path, EncryptedDatabaseFileName)
+				f, _ = os.Create(dbFile2)
+				f.Close()
+				defer os.Remove(dbFile2)
+			} else if tc.dbname != "" {
+				dbFile := path.Join(connection.Path, tc.dbname)
+				f, _ := os.Create(dbFile)
+				f.Close()
+				defer os.Remove(dbFile)
+			}
+
+			if tc.key {
+				connection.EncryptionKey = []byte("secret")
+			}
+
+			result, err := connection.NeedsEncryptionMigration()
+
+			is.Equal(tc.expectError, err, "Fatal Error failure. Test: %s", tc.name)
+			is.Equal(result, tc.expectResult, "Failed test: %s", tc.name)
+		})
+	}
+}
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -2,16 +2,14 @@ package boltdb

 import (
 	"encoding/json"
-	"fmt"
 	"time"

-	"github.com/boltdb/bolt"
 	"github.com/sirupsen/logrus"
+	bolt "go.etcd.io/bbolt"
 )

 // inspired by github.com/konoui/boltdb-exporter (which has no license)
 // but very much simplified, based on how we use boltdb
-
 func (c *DbConnection) exportJson(databasePath string) ([]byte, error) {
 	logrus.WithField("databasePath", databasePath).Infof("exportJson")

@@ -40,20 +38,7 @@ func (c *DbConnection) exportJson(databasePath string) ([]byte, error) {
 					obj = v
 				}
 				if bucketName == "version" {
-					if string(k) == "DB_UPDATING" {
-						continue
-					}
-					v, ok := obj.(string)
-					if ok {
-						version[string(k)] = v
-					} else {
-						if string(k) == "DB_VERSION" {
-							if v, ok := obj.(int); ok {
-								version[string(k)] = fmt.Sprintf("%s", v)
-							}
-						}
-						logrus.WithError(err).Errorf("unknown type for (bucket version): key=%s value=%v", string(k), string(v))
-					}
+					version[string(k)] = string(v)
 				} else {
 					list = append(list, obj)
 				}
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -10,20 +10,22 @@ import (

 	jsoniter "github.com/json-iterator/go"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )

-var encryptedStringTooShort = fmt.Errorf("encrypted string too short")
+var errEncryptedStringTooShort = fmt.Errorf("encrypted string too short")

 // MarshalObject encodes an object to binary format
-func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error) {
-	data, err := json.Marshal(object)
-	if err != nil {
-		logrus.WithError(err).Errorf("failed marshaling object")
-		return data, err
+func (connection *DbConnection) MarshalObject(object interface{}) (data []byte, err error) {
+	// Special case for the VERSION bucket. Here we're not using json
+	if v, ok := object.(string); ok {
+		data = []byte(v)
+	} else {
+		data, err = json.Marshal(object)
+		if err != nil {
+			return data, err
+		}
 	}
-	if connection.getEncryptionKey() == "" {
-		logrus.Infof("no encryption passphrase")
+	if connection.getEncryptionKey() == nil {
 		return data, nil
 	}
 	return encrypt(data, connection.getEncryptionKey())
@@ -32,17 +34,22 @@ func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error
 // UnmarshalObject decodes an object from binary data
 func (connection *DbConnection) UnmarshalObject(data []byte, object interface{}) error {
 	var err error
-	if connection.getEncryptionKey() == "" {
-		logrus.Infof("no encryption passphrase")
-	} else {
+	if connection.getEncryptionKey() != nil {
 		data, err = decrypt(data, connection.getEncryptionKey())
 		if err != nil {
-			logrus.WithError(err).Errorf("failed decrypting object")
+			return errors.Wrap(err, "Failed decrypting object")
 		}
 	}
 	e := json.Unmarshal(data, object)
 	if e != nil {
-		return errors.Wrap(err, e.Error())
+		// Special case for the VERSION bucket. Here we're not using json
+		// So we need to return it as a string
+		s, ok := object.(*string)
+		if !ok {
+			return errors.Wrap(err, e.Error())
+		}
+
+		*s = string(data)
 	}
 	return err
 }
@@ -51,26 +58,32 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object interface{})
 // using the jsoniter library. It is mainly used to accelerate environment(endpoint)
 // decoding at the moment.
 func (connection *DbConnection) UnmarshalObjectWithJsoniter(data []byte, object interface{}) error {
-	if connection.getEncryptionKey() == "" {
-		logrus.Infof("no encryption passphrase")
-	} else {
+	if connection.getEncryptionKey() != nil {
 		var err error
 		data, err = decrypt(data, connection.getEncryptionKey())
 		if err != nil {
-			logrus.WithError(err).Errorf("failed decrypting object")
 			return err
 		}
 	}
 	var jsoni = jsoniter.ConfigCompatibleWithStandardLibrary
-	return jsoni.Unmarshal(data, &object)
+	err := jsoni.Unmarshal(data, &object)
+	if err != nil {
+		if s, ok := object.(*string); ok {
+			*s = string(data)
+			return nil
+		}
+
+		return err
+	}
+
+	return nil
 }

 // mmm, don't have a KMS .... aes GCM seems the most likely from
 // https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a#symmetric-encryption

-func encrypt(plaintext []byte, passphrase string) (encrypted []byte, err error) {
-	logrus.Infof("encrypt")
-	block, _ := aes.NewCipher([]byte(passphrase))
+func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error) {
+	block, _ := aes.NewCipher(passphrase)
 	gcm, err := cipher.NewGCM(block)
 	if err != nil {
 		return encrypted, err
@@ -87,27 +100,23 @@ func encrypt(plaintext []byte, passphrase string) (encrypted []byte, err error)
 	return ciphertextByte, nil
 }

-// On error, return the original byte array - it might be unencrypted...
-func decrypt(encrypted []byte, passphrase string) (plaintextByte []byte, err error) {
+func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
 	if string(encrypted) == "false" {
 		return []byte("false"), nil
 	}
-	passphraseByte := []byte(passphrase)
-	block, err := aes.NewCipher(passphraseByte)
+	block, err := aes.NewCipher(passphrase)
 	if err != nil {
-		logrus.Infof("Error creating cypher block: %s", err.Error())
-		return encrypted, err
+		return encrypted, errors.Wrap(err, "Error creating cypher block")
 	}

 	gcm, err := cipher.NewGCM(block)
 	if err != nil {
-		logrus.Infof("Error creating GCM: %s", err.Error())
-		return encrypted, err
+		return encrypted, errors.Wrap(err, "Error creating GCM")
 	}

 	nonceSize := gcm.NonceSize()
 	if len(encrypted) < nonceSize {
-		return encrypted, encryptedStringTooShort
+		return encrypted, errEncryptedStringTooShort
 	}

 	nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
@@ -117,10 +126,8 @@ func decrypt(encrypted []byte, passphrase string) (plaintextByte []byte, err err
 		ciphertextByteClean,
 		nil)
 	if err != nil {
-		logrus.Infof("Error decrypting text: %s", err.Error())
-		return encrypted, err
+		return encrypted, errors.Wrap(err, "Error decrypting text")
 	}
-	
-	logrus.Infof("decrypted successfully")
+
 	return plaintextByte, err
 }
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -0,0 +1,177 @@
+package boltdb
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"testing"
+
+	"github.com/gofrs/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	passphrase = "my secret key"
+)
+
+func secretToEncryptionKey(passphrase string) []byte {
+	hash := sha256.Sum256([]byte(passphrase))
+	return hash[:]
+}
+
+func Test_MarshalObjectUnencrypted(t *testing.T) {
+	is := assert.New(t)
+
+	uuid := uuid.Must(uuid.NewV4())
+
+	tests := []struct {
+		object   interface{}
+		expected string
+	}{
+		{
+			object:   nil,
+			expected: `null`,
+		},
+		{
+			object:   true,
+			expected: `true`,
+		},
+		{
+			object:   false,
+			expected: `false`,
+		},
+		{
+			object:   123,
+			expected: `123`,
+		},
+		{
+			object:   "456",
+			expected: "456",
+		},
+		{
+			object:   uuid,
+			expected: "\"" + uuid.String() + "\"",
+		},
+		{
+			object:   uuid.String(),
+			expected: uuid.String(),
+		},
+		{
+			object:   map[string]interface{}{"key": "value"},
+			expected: `{"key":"value"}`,
+		},
+		{
+			object:   []bool{true, false},
+			expected: `[true,false]`,
+		},
+		{
+			object:   []int{1, 2, 3},
+			expected: `[1,2,3]`,
+		},
+		{
+			object:   []string{"1", "2", "3"},
+			expected: `["1","2","3"]`,
+		},
+		{
+			object:   []map[string]interface{}{{"key1": "value1"}, {"key2": "value2"}},
+			expected: `[{"key1":"value1"},{"key2":"value2"}]`,
+		},
+		{
+			object:   []interface{}{1, "2", false, map[string]interface{}{"key1": "value1"}},
+			expected: `[1,"2",false,{"key1":"value1"}]`,
+		},
+	}
+
+	conn := DbConnection{}
+
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
+			data, err := conn.MarshalObject(test.object)
+			is.NoError(err)
+			is.Equal(test.expected, string(data))
+		})
+	}
+}
+
+func Test_UnMarshalObjectUnencrypted(t *testing.T) {
+	is := assert.New(t)
+
+	// Based on actual data entering and what we expect out of the function
+
+	tests := []struct {
+		object   []byte
+		expected string
+	}{
+		{
+			object:   []byte(""),
+			expected: "",
+		},
+		{
+			object:   []byte("35"),
+			expected: "35",
+		},
+		{
+			// An unmarshalled byte string should return the same without error
+			object:   []byte("9ca4a1dd-a439-4593-b386-a7dfdc2e9fc6"),
+			expected: "9ca4a1dd-a439-4593-b386-a7dfdc2e9fc6",
+		},
+		{
+			// An un-marshalled json object string should return the same as a string without error also
+			object:   []byte(jsonobject),
+			expected: jsonobject,
+		},
+	}
+
+	conn := DbConnection{}
+
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
+			var object string
+			err := conn.UnmarshalObject(test.object, &object)
+			is.NoError(err)
+			is.Equal(test.expected, string(object))
+		})
+	}
+}
+
+func Test_ObjectMarshallingEncrypted(t *testing.T) {
+	is := assert.New(t)
+
+	// Based on actual data entering and what we expect out of the function
+
+	tests := []struct {
+		object   []byte
+		expected string
+	}{
+		{
+			object: []byte(""),
+		},
+		{
+			object: []byte("35"),
+		},
+		{
+			// An unmarshalled byte string should return the same without error
+			object: []byte("9ca4a1dd-a439-4593-b386-a7dfdc2e9fc6"),
+		},
+		{
+			// An un-marshalled json object string should return the same as a string without error also
+			object: []byte(jsonobject),
+		},
+	}
+
+	key := secretToEncryptionKey(passphrase)
+	conn := DbConnection{EncryptionKey: key}
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
+
+			data, err := conn.MarshalObject(test.object)
+			is.NoError(err)
+
+			var object []byte
+			err = conn.UnmarshalObject(data, &object)
+
+			is.NoError(err)
+			is.Equal(test.object, object)
+		})
+	}
+}
--- a/api/database/database.go
+++ b/api/database/database.go
@@ -8,14 +8,12 @@ import (
 )

 // NewDatabase should use config options to return a connection to the requested database
-func NewDatabase(storeType, storePath, encryptionKey string) (connection portainer.Connection, err error) {
+func NewDatabase(storeType, storePath string, encryptionKey []byte) (connection portainer.Connection, err error) {
 	switch storeType {
 	case "boltdb":
-		isDBEncrypted := encryptionKey != ""
 		return &boltdb.DbConnection{
 			Path:          storePath,
 			EncryptionKey: encryptionKey,
-			IsDBEncrypted: isDBEncrypted,
 		}, nil
 	}
 	return nil, fmt.Errorf("unknown storage database: %s", storeType)
--- a/api/dataservices/edgestack/edgestack.go
+++ b/api/dataservices/edgestack/edgestack.go
@@ -67,14 +67,15 @@ func (service *Service) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeStac
 	return &stack, nil
 }

-// CreateEdgeStack assign an ID to a new Edge stack and saves it.
-func (service *Service) Create(edgeStack *portainer.EdgeStack) error {
-	return service.connection.CreateObject(
+// CreateEdgeStack saves an Edge stack object to db.
+func (service *Service) Create(id portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error {
+
+	edgeStack.ID = id
+
+	return service.connection.CreateObjectWithId(
 		BucketName,
-		func(id uint64) (int, interface{}) {
-			edgeStack.ID = portainer.EdgeStackID(id)
-			return int(edgeStack.ID), edgeStack
-		},
+		int(edgeStack.ID),
+		edgeStack,
 	)
 }

--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -69,7 +69,7 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 			endpoint, ok := obj.(*portainer.Endpoint)
 			if !ok {
 				logrus.WithField("obj", obj).Errorf("Failed to convert to Endpoint object")
-				return nil, fmt.Errorf("Failed to convert to Endpoint object: %s", obj)
+				return nil, fmt.Errorf("failed to convert to Endpoint object: %s", obj)
 			}
 			endpoints = append(endpoints, *endpoint)
 			return &portainer.Endpoint{}, nil
--- a/api/dataservices/errors/errors.go
+++ b/api/dataservices/errors/errors.go
@@ -4,7 +4,7 @@ import "errors"

 var (
 	// TODO: i'm pretty sure this needs wrapping at several levels
-	ErrObjectNotFound = errors.New("Object not found inside the database")
-	ErrWrongDBEdition = errors.New("The Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrObjectNotFound = errors.New("object not found inside the database")
+	ErrWrongDBEdition = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
 	ErrDBImportFailed = errors.New("importing backup failed")
 )
--- a/api/dataservices/fdoprofile/fdoprofile.go
+++ b/api/dataservices/fdoprofile/fdoprofile.go
@@ -0,0 +1,93 @@
+package fdoprofile
+
+import (
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "fdo_profiles"
+)
+
+// Service represents a service for managingFDO Profiles data.
+type Service struct {
+	connection portainer.Connection
+}
+
+func (service *Service) BucketName() string {
+	return BucketName
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		connection: connection,
+	}, nil
+}
+
+// FDOProfiles return an array containing all the FDO Profiles.
+func (service *Service) FDOProfiles() ([]portainer.FDOProfile, error) {
+	var fdoProfiles = make([]portainer.FDOProfile, 0)
+
+	err := service.connection.GetAll(
+		BucketName,
+		&portainer.FDOProfile{},
+		func(obj interface{}) (interface{}, error) {
+			fdoProfile, ok := obj.(*portainer.FDOProfile)
+			if !ok {
+				logrus.WithField("obj", obj).Errorf("Failed to convert to FDOProfile object")
+				return nil, fmt.Errorf("failed to convert to FDOProfile object: %s", obj)
+			}
+			fdoProfiles = append(fdoProfiles, *fdoProfile)
+			return &portainer.FDOProfile{}, nil
+		})
+
+	return fdoProfiles, err
+}
+
+// FDOProfile returns an FDO Profile by ID.
+func (service *Service) FDOProfile(ID portainer.FDOProfileID) (*portainer.FDOProfile, error) {
+	var FDOProfile portainer.FDOProfile
+	identifier := service.connection.ConvertToKey(int(ID))
+
+	err := service.connection.GetObject(BucketName, identifier, &FDOProfile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &FDOProfile, nil
+}
+
+// Create assign an ID to a new FDO Profile and saves it.
+func (service *Service) Create(FDOProfile *portainer.FDOProfile) error {
+	return service.connection.CreateObjectWithId(
+		BucketName,
+		int(FDOProfile.ID),
+		FDOProfile,
+	)
+}
+
+// Update updates an FDO Profile.
+func (service *Service) Update(ID portainer.FDOProfileID, FDOProfile *portainer.FDOProfile) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.UpdateObject(BucketName, identifier, FDOProfile)
+}
+
+// Delete deletes an FDO Profile.
+func (service *Service) Delete(ID portainer.FDOProfileID) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.DeleteObject(BucketName, identifier)
+}
+
+// GetNextIdentifier returns the next identifier for a FDO Profile.
+func (service *Service) GetNextIdentifier() int {
+	return service.connection.GetNextIdentifier(BucketName)
+}
--- a/api/dataservices/helmuserrepository/helmuserrepository.go
+++ b/api/dataservices/helmuserrepository/helmuserrepository.go
@@ -34,7 +34,7 @@ func NewService(connection portainer.Connection) (*Service, error) {
 }

 //HelmUserRepository returns an array of all HelmUserRepository
-func (service *Service) HelmUserRepositorys() ([]portainer.HelmUserRepository, error) {
+func (service *Service) HelmUserRepositories() ([]portainer.HelmUserRepository, error) {
 	var repos = make([]portainer.HelmUserRepository, 0)

 	err := service.connection.GetAll(
@@ -85,3 +85,15 @@ func (service *Service) Create(record *portainer.HelmUserRepository) error {
 		},
 	)
 }
+
+// UpdateHelmUserRepostory updates an registry.
+func (service *Service) UpdateHelmUserRepository(ID portainer.HelmUserRepositoryID, registry *portainer.HelmUserRepository) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.UpdateObject(BucketName, identifier, registry)
+}
+
+// DeleteHelmUserRepository deletes an registry.
+func (service *Service) DeleteHelmUserRepository(ID portainer.HelmUserRepositoryID) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.DeleteObject(BucketName, identifier)
+}
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -14,7 +14,7 @@ import (
 type (
 	// DataStore defines the interface to manage the data
 	DataStore interface {
-		Open() (bool, error)
+		Open() (newStore bool, err error)
 		Init() error
 		Close() error
 		MigrateData() error
@@ -31,6 +31,7 @@ type (
 		Endpoint() EndpointService
 		EndpointGroup() EndpointGroupService
 		EndpointRelation() EndpointRelationService
+		FDOProfile() FDOProfileService
 		HelmUserRepository() HelmUserRepositoryService
 		Registry() RegistryService
 		ResourceControl() ResourceControlService
@@ -84,7 +85,7 @@ type (
 	EdgeStackService interface {
 		EdgeStacks() ([]portainer.EdgeStack, error)
 		EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeStack, error)
-		Create(edgeStack *portainer.EdgeStack) error
+		Create(id portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error
 		UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error
 		DeleteEdgeStack(ID portainer.EdgeStackID) error
 		GetNextIdentifier() int
@@ -122,11 +123,24 @@ type (
 		BucketName() string
 	}

+	// FDOProfileService represents a service to manage FDO Profiles
+	FDOProfileService interface {
+		FDOProfiles() ([]portainer.FDOProfile, error)
+		FDOProfile(ID portainer.FDOProfileID) (*portainer.FDOProfile, error)
+		Create(FDOProfile *portainer.FDOProfile) error
+		Update(ID portainer.FDOProfileID, FDOProfile *portainer.FDOProfile) error
+		Delete(ID portainer.FDOProfileID) error
+		GetNextIdentifier() int
+		BucketName() string
+	}
+
 	// HelmUserRepositoryService represents a service to manage HelmUserRepositories
 	HelmUserRepositoryService interface {
-		HelmUserRepositorys() ([]portainer.HelmUserRepository, error)
+		HelmUserRepositories() ([]portainer.HelmUserRepository, error)
 		HelmUserRepositoryByUserID(userID portainer.UserID) ([]portainer.HelmUserRepository, error)
 		Create(record *portainer.HelmUserRepository) error
+		UpdateHelmUserRepository(ID portainer.HelmUserRepositoryID, repository *portainer.HelmUserRepository) error
+		DeleteHelmUserRepository(ID portainer.HelmUserRepositoryID) error
 		BucketName() string
 	}

@@ -278,9 +292,10 @@ type (
 		Webhooks() ([]portainer.Webhook, error)
 		Webhook(ID portainer.WebhookID) (*portainer.Webhook, error)
 		Create(portainer *portainer.Webhook) error
+		UpdateWebhook(ID portainer.WebhookID, webhook *portainer.Webhook) error
 		WebhookByResourceID(resourceID string) (*portainer.Webhook, error)
 		WebhookByToken(token string) (*portainer.Webhook, error)
-		DeleteWebhook(serviceID portainer.WebhookID) error
+		DeleteWebhook(ID portainer.WebhookID) error
 		BucketName() string
 	}
 )
--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -4,7 +4,6 @@ import (
 	"fmt"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -79,9 +78,6 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 	if err == stop {
 		return resourceControl, nil
 	}
-	if err == nil {
-		return nil, errors.ErrObjectNotFound
-	}

 	return nil, err
 }
--- a/api/dataservices/team/team.go
+++ b/api/dataservices/team/team.go
@@ -63,7 +63,7 @@ func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 				logrus.WithField("obj", obj).Errorf("Failed to convert to Team object")
 				return nil, fmt.Errorf("Failed to convert to Team object: %s", obj)
 			}
-			if strings.EqualFold(t.Name, name) {
+			if strings.EqualFold(team.Name, name) {
 				t = team
 				return nil, stop
 			}
--- a/api/dataservices/team/tests/team_test.go
+++ b/api/dataservices/team/tests/team_test.go
@@ -0,0 +1,53 @@
+package tests
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_teamByName(t *testing.T) {
+	t.Run("When store is empty should return ErrObjectNotFound", func(t *testing.T) {
+		_, store, teardown := datastore.MustNewTestStore(true)
+		defer teardown()
+
+		_, err := store.Team().TeamByName("name")
+		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
+
+	})
+
+	t.Run("When there is no object with the same name should return ErrObjectNotFound", func(t *testing.T) {
+		_, store, teardown := datastore.MustNewTestStore(true)
+		defer teardown()
+
+		teamBuilder := teamBuilder{
+			t:     t,
+			store: store,
+			count: 0,
+		}
+
+		teamBuilder.createNew("name1")
+
+		_, err := store.Team().TeamByName("name")
+		assert.ErrorIs(t, err, errors.ErrObjectNotFound)
+	})
+
+	t.Run("When there is an object with the same name should return the object", func(t *testing.T) {
+		_, store, teardown := datastore.MustNewTestStore(true)
+		defer teardown()
+
+		teamBuilder := teamBuilder{
+			t:     t,
+			store: store,
+			count: 0,
+		}
+
+		expectedTeam := teamBuilder.createNew("name1")
+
+		team, err := store.Team().TeamByName("name1")
+		assert.NoError(t, err, "TeamByName should succeed")
+		assert.Equal(t, expectedTeam, team)
+	})
+}
--- a/api/dataservices/team/tests/utils.go
+++ b/api/dataservices/team/tests/utils.go
@@ -0,0 +1,28 @@
+package tests
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/stretchr/testify/assert"
+)
+
+type teamBuilder struct {
+	t     *testing.T
+	count int
+	store *datastore.Store
+}
+
+func (b *teamBuilder) createNew(name string) *portainer.Team {
+	b.count++
+	team := &portainer.Team{
+		ID:   portainer.TeamID(b.count),
+		Name: name,
+	}
+
+	err := b.store.Team().Create(team)
+	assert.NoError(b.t, err)
+
+	return team
+}
--- a/api/dataservices/version/version.go
+++ b/api/dataservices/version/version.go
@@ -1,11 +1,9 @@
 package version

 import (
-	"fmt"
 	"strconv"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/sirupsen/logrus"
 )

 const (
@@ -40,22 +38,12 @@ func NewService(connection portainer.Connection) (*Service, error) {

 // DBVersion retrieves the stored database version.
 func (service *Service) DBVersion() (int, error) {
-	var version interface{}
+	var version string
 	err := service.connection.GetObject(BucketName, []byte(versionKey), &version)
 	if err != nil {
 		return 0, err
 	}
-	vs, ok := version.(string)
-	if ok {
-		return strconv.Atoi(vs)
-	}
-	// bolt is treating numbers as float64
-	vi, ok := version.(float64)
-	if !ok {
-		logrus.Errorf("db version type unknown %T", version)
-		return 0, fmt.Errorf("db version type unknown %T", version)
-	}
-	return int(vi), nil
+	return strconv.Atoi(version)
 }

 // Edition retrieves the stored portainer edition.
--- a/api/dataservices/webhook/webhook.go
+++ b/api/dataservices/webhook/webhook.go
@@ -141,3 +141,9 @@ func (service *Service) Create(webhook *portainer.Webhook) error {
 		},
 	)
 }
+
+// UpdateWebhook update a webhook.
+func (service *Service) UpdateWebhook(ID portainer.WebhookID, webhook *portainer.Webhook) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.UpdateObject(BucketName, identifier, webhook)
+}
--- a/api/datastore/backup.go
+++ b/api/datastore/backup.go
@@ -35,7 +35,7 @@ func (store *Store) createBackupFolders() {
 }

 func (store *Store) databasePath() string {
-	return path.Join(store.connection.GetStorePath(), store.connection.GetDatabaseFilename())
+	return store.connection.GetDatabaseFilePath()
 }

 func (store *Store) commonBackupDir() string {
@@ -84,7 +84,7 @@ func (store *Store) setupOptions(options *BackupOptions) *BackupOptions {
 		options.BackupDir = store.commonBackupDir()
 	}
 	if options.BackupFileName == "" {
-		options.BackupFileName = fmt.Sprintf("%s.%s.%s", store.connection.GetDatabaseFilename(), fmt.Sprintf("%03d", options.Version), time.Now().Format("20060102150405"))
+		options.BackupFileName = fmt.Sprintf("%s.%s.%s", store.connection.GetDatabaseFileName(), fmt.Sprintf("%03d", options.Version), time.Now().Format("20060102150405"))
 	}
 	if options.BackupPath == "" {
 		options.BackupPath = path.Join(options.BackupDir, options.BackupFileName)
--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -48,7 +48,7 @@ func TestBackup(t *testing.T) {
 		store.VersionService.StoreDBVersion(portainer.DBVersion)
 		store.backupWithOptions(nil)

-		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", fmt.Sprintf("portainer.db.%03d.*", portainer.DBVersion))
+		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", fmt.Sprintf("portainer.edb.%03d.*", portainer.DBVersion))
 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
 		}
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -3,11 +3,12 @@ package datastore
 import (
 	"fmt"
 	"io"
+	"os"
 	"path"
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices/errors"
+	portainerErrors "github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -36,31 +37,26 @@ func NewStore(storePath string, fileService portainer.FileService, connection po
 }

 // Open opens and initializes the BoltDB database.
-func (store *Store) Open() (bool, error) {
-	newStore := true
-	err := store.connection.Open()
+func (store *Store) Open() (newStore bool, err error) {
+	newStore = true
+
+	encryptionReq, err := store.connection.NeedsEncryptionMigration()
+	if err != nil {
+		return false, err
+	}
+
+	if encryptionReq {
+		err = store.encryptDB()
+		if err != nil {
+			return false, err
+		}
+	}
+
+	err = store.connection.Open()
 	if err != nil {
 		return newStore, err
 	}

-	// Check if DB is encrypted
-	ok, err := store.connection.IsEncryptionRequired()
-	if err != nil {
-		logrus.Warnf("Error calling IsEncryptionRequired: %s", err.Error())
-	}
-	logrus.Infof("Is migration required?: %t", ok)
-	if ok {
-		// unencrypted database
-		err := store.encryptDB()
-		if err != nil {
-			// In case of an error set DB to unencrypted
-			// and continue without encryption
-			logrus.Errorf("error encrypting database: %s", err.Error())
-			store.connection.SetIsDBEncryptedFlag(false)
-		}
-	}
-
-	// This creates the accessor structures, and should not mutate the data in any way
 	err = store.initServices()
 	if err != nil {
 		return newStore, err
@@ -68,24 +64,19 @@ func (store *Store) Open() (bool, error) {

 	// if we have DBVersion in the database then ensure we flag this as NOT a new store
 	version, err := store.VersionService.DBVersion()
-	logrus.Infof("database version: %d", version)
-
-	if err == nil {
-		newStore = true
-		logrus.WithField("version", version).Infof("Opened existing store")
-	} else {
-		if err.Error() == "encrypted string too short" {
-			logrus.WithError(err).Debugf("open db failed - wrong encryption key")
-		}
+	if err != nil {
 		if store.IsErrObjectNotFound(err) {
-			logrus.WithError(err).Debugf("open db failed - object not found")
 			return newStore, nil
-		} else {
-			logrus.WithError(err).Debugf("open db failed - other")
 		}
+
 		return newStore, err
 	}

+	if version > 0 {
+		logrus.WithField("version", version).Infof("Opened existing store")
+		return false, nil
+	}
+
 	return newStore, nil
 }

@@ -93,64 +84,6 @@ func (store *Store) Close() error {
 	return store.connection.Close()
 }

-func (store *Store) encryptDB() error {
-	// Since database is not encrypted so
-	// settings this flag to false will not
-	// allow connection to use encryption key
-	store.connection.SetIsDBEncryptedFlag(false)
-	err := store.initServices()
-	if err != nil {
-		logrus.Fatal("init services failed")
-	}
-
-	dbBackup := store.databasePath() + fmt.Sprintf(".backup-%d.db", time.Now().Unix())
-
-	err = store.fileService.Copy(store.databasePath(), dbBackup, false)
-	if err != nil {
-		logrus.WithError(err).Warnf("failed to create backup copy of db")
-		return err
-	}
-
-	// export file path for backup
-	exportFilename := path.Join(store.databasePath() + "." + fmt.Sprintf("backup-%d.json", time.Now().Unix()))
-
-	logrus.Infof("exporting database backup to %s", exportFilename)
-	err = store.Export(exportFilename)
-	if err != nil {
-		logrus.WithError(err).Warnf("failed to export to %s", exportFilename)
-		return err
-	}
-
-	logrus.Infof("database backup exported")
-
-	// Set isDBEncryptedFlag to true to import JSON in the encrypted format
-	store.connection.SetIsDBEncryptedFlag(true)
-	err = store.Import(exportFilename)
-	if err != nil {
-		
-		logrus.Warnf(errors.ErrDBImportFailed.Error())
-		
-		// Close the connection so that db file can be restored
-		store.connection.Close()
-	
-		// Restore the backup
-		err = store.fileService.Copy(dbBackup, store.databasePath(), true)
-		if err != nil {
-			logrus.WithError(err).Fatalf("failed to restore database backup copy. Rename %s to %s to continue and disbale encryption key. Please report the error.", dbBackup, store.databasePath())
-			return err
-		}
-
-		// Open the connection
-		store.connection.Open()
-	}
-
-	// Remove the backup file
-	store.fileService.Delete(dbBackup)
-	logrus.Info("database successfully encrypted")
-
-	return nil
-}
-
 // BackupTo backs up db to a provided writer.
 // It does hot backup and doesn't block other database reads and writes
 func (store *Store) BackupTo(w io.Writer) error {
@@ -160,16 +93,81 @@ func (store *Store) BackupTo(w io.Writer) error {
 // CheckCurrentEdition checks if current edition is community edition
 func (store *Store) CheckCurrentEdition() error {
 	if store.edition() != portainer.PortainerCE {
-		return errors.ErrWrongDBEdition
+		return portainerErrors.ErrWrongDBEdition
 	}
 	return nil
 }

 // TODO: move the use of this to dataservices.IsErrObjectNotFound()?
 func (store *Store) IsErrObjectNotFound(e error) bool {
-	return e == errors.ErrObjectNotFound
+	return e == portainerErrors.ErrObjectNotFound
 }

 func (store *Store) Rollback(force bool) error {
 	return store.connectionRollback(force)
 }
+
+func (store *Store) encryptDB() error {
+	store.connection.SetEncrypted(false)
+	err := store.connection.Open()
+	if err != nil {
+		return err
+	}
+
+	err = store.initServices()
+	if err != nil {
+		return err
+	}
+
+	// The DB is not currently encrypted.  First save the encrypted db filename
+	oldFilename := store.connection.GetDatabaseFilePath()
+	logrus.Infof("Encrypting database")
+
+	// export file path for backup
+	exportFilename := path.Join(store.databasePath() + "." + fmt.Sprintf("backup-%d.json", time.Now().Unix()))
+
+	logrus.Infof("Exporting database backup to %s", exportFilename)
+	err = store.Export(exportFilename)
+	if err != nil {
+		logrus.WithError(err).Debugf("Failed to export to %s", exportFilename)
+		return err
+	}
+
+	logrus.Infof("Database backup exported")
+
+	// Close existing un-encrypted db so that we can delete the file later
+	store.connection.Close()
+
+	// Tell the db layer to create an encrypted db when opened
+	store.connection.SetEncrypted(true)
+	store.connection.Open()
+
+	// We have to init services before import
+	err = store.initServices()
+	if err != nil {
+		return err
+	}
+
+	err = store.Import(exportFilename)
+	if err != nil {
+		// Remove the new encrypted file that we failed to import
+		os.Remove(store.connection.GetDatabaseFilePath())
+		logrus.Fatal(portainerErrors.ErrDBImportFailed.Error())
+	}
+
+	err = os.Remove(oldFilename)
+	if err != nil {
+		logrus.Errorf("Failed to remove the un-encrypted db file")
+	}
+
+	err = os.Remove(exportFilename)
+	if err != nil {
+		logrus.Errorf("Failed to remove the json backup file")
+	}
+
+	// Close db connection
+	store.connection.Close()
+
+	logrus.Info("Database successfully encrypted")
+	return nil
+}
--- a/api/datastore/datastore_test.go
+++ b/api/datastore/datastore_test.go
@@ -0,0 +1,417 @@
+package datastore
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/dchest/uniuri"
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/chisel"
+	"github.com/portainer/portainer/api/crypto"
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	adminUsername                       = "admin"
+	adminPassword                       = "password"
+	standardUsername                    = "standard"
+	standardPassword                    = "password"
+	agentOnDockerEnvironmentUrl         = "tcp://192.168.167.207:30775"
+	edgeAgentOnKubernetesEnvironmentUrl = "tcp://192.168.167.207"
+	kubernetesLocalEnvironmentUrl       = "https://kubernetes.default.svc"
+)
+
+// TestStoreFull an eventually comprehensive set of tests for the Store.
+// The idea is what we write to the store, we should read back.
+func TestStoreFull(t *testing.T) {
+	_, store, teardown := MustNewTestStore(true)
+	defer teardown()
+
+	testCases := map[string]func(t *testing.T){
+		"User Accounts": func(t *testing.T) {
+			store.testUserAccounts(t)
+		},
+		"Environments": func(t *testing.T) {
+			store.testEnvironments(t)
+		},
+		"Settings": func(t *testing.T) {
+			store.testSettings(t)
+		},
+		"SSL Settings": func(t *testing.T) {
+			store.testSSLSettings(t)
+		},
+		"Tunnel Server": func(t *testing.T) {
+			store.testTunnelServer(t)
+		},
+		"Custom Templates": func(t *testing.T) {
+			store.testCustomTemplates(t)
+		},
+		"Registries": func(t *testing.T) {
+			store.testRegistries(t)
+		},
+		"Resource Control": func(t *testing.T) {
+			store.testResourceControl(t)
+		},
+		"Schedules": func(t *testing.T) {
+			store.testSchedules(t)
+		},
+		"Tags": func(t *testing.T) {
+			store.testTags(t)
+		},
+
+		// "Test Title": func(t *testing.T) {
+		// },
+	}
+
+	for name, test := range testCases {
+		t.Run(name, test)
+	}
+
+}
+
+func (store *Store) testEnvironments(t *testing.T) {
+	id := store.CreateEndpoint(t, "local", portainer.KubernetesLocalEnvironment, "", true)
+	store.CreateEndpointRelation(id)
+
+	id = store.CreateEndpoint(t, "agent", portainer.AgentOnDockerEnvironment, agentOnDockerEnvironmentUrl, true)
+	store.CreateEndpointRelation(id)
+
+	id = store.CreateEndpoint(t, "edge", portainer.EdgeAgentOnKubernetesEnvironment, edgeAgentOnKubernetesEnvironmentUrl, true)
+	store.CreateEndpointRelation(id)
+}
+
+func newEndpoint(endpointType portainer.EndpointType, id portainer.EndpointID, name, URL string, TLS bool) *portainer.Endpoint {
+	endpoint := &portainer.Endpoint{
+		ID:        id,
+		Name:      name,
+		URL:       URL,
+		Type:      endpointType,
+		GroupID:   portainer.EndpointGroupID(1),
+		PublicURL: "",
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		TagIDs:             []portainer.TagID{},
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.DockerSnapshot{},
+		Kubernetes:         portainer.KubernetesDefault(),
+	}
+
+	if TLS {
+		endpoint.TLSConfig = portainer.TLSConfiguration{
+			TLS:           true,
+			TLSSkipVerify: true,
+		}
+	}
+
+	return endpoint
+}
+
+func setEndpointAuthorizations(endpoint *portainer.Endpoint) {
+	endpoint.SecuritySettings = portainer.EndpointSecuritySettings{
+		AllowVolumeBrowserForRegularUsers: false,
+		EnableHostManagementFeatures:      false,
+
+		AllowSysctlSettingForRegularUsers:         true,
+		AllowBindMountsForRegularUsers:            true,
+		AllowPrivilegedModeForRegularUsers:        true,
+		AllowHostNamespaceForRegularUsers:         true,
+		AllowContainerCapabilitiesForRegularUsers: true,
+		AllowDeviceMappingForRegularUsers:         true,
+		AllowStackManagementForRegularUsers:       true,
+	}
+}
+
+func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType portainer.EndpointType, URL string, tls bool) portainer.EndpointID {
+	is := assert.New(t)
+
+	var expectedEndpoint *portainer.Endpoint
+	id := portainer.EndpointID(store.Endpoint().GetNextIdentifier())
+
+	switch endpointType {
+	case portainer.DockerEnvironment:
+		if URL == "" {
+			URL = "unix:///var/run/docker.sock"
+			if runtime.GOOS == "windows" {
+				URL = "npipe:////./pipe/docker_engine"
+			}
+		}
+		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)
+
+	case portainer.AgentOnDockerEnvironment:
+		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)
+
+	case portainer.AgentOnKubernetesEnvironment:
+		URL = strings.TrimPrefix(URL, "tcp://")
+		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)
+
+	case portainer.EdgeAgentOnKubernetesEnvironment:
+		cs := chisel.NewService(store, nil)
+		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)
+		edgeKey := cs.GenerateEdgeKey(URL, "", int(id))
+		expectedEndpoint.EdgeKey = edgeKey
+		store.testTunnelServer(t)
+
+	case portainer.KubernetesLocalEnvironment:
+		if URL == "" {
+			URL = kubernetesLocalEnvironmentUrl
+		}
+		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)
+	}
+
+	setEndpointAuthorizations(expectedEndpoint)
+	store.Endpoint().Create(expectedEndpoint)
+
+	endpoint, err := store.Endpoint().Endpoint(id)
+	is.NoError(err, "Endpoint() should not return an error")
+	is.Equal(expectedEndpoint, endpoint, "endpoint should be the same")
+
+	return endpoint.ID
+}
+
+func (store *Store) CreateEndpointRelation(id portainer.EndpointID) {
+	relation := &portainer.EndpointRelation{
+		EndpointID: id,
+		EdgeStacks: map[portainer.EdgeStackID]bool{},
+	}
+
+	store.EndpointRelation().Create(relation)
+}
+
+func (store *Store) testSSLSettings(t *testing.T) {
+	is := assert.New(t)
+	ssl := &portainer.SSLSettings{
+		CertPath:    "/data/certs/cert.pem",
+		HTTPEnabled: true,
+		KeyPath:     "/data/certs/key.pem",
+		SelfSigned:  true,
+	}
+
+	store.SSLSettings().UpdateSettings(ssl)
+
+	settings, err := store.SSLSettings().Settings()
+	is.NoError(err, "Get sslsettings should succeed")
+	is.Equal(ssl, settings, "Stored SSLSettings should be the same as what is read out")
+}
+
+func (store *Store) testTunnelServer(t *testing.T) {
+	is := assert.New(t)
+	expectPrivateKeySeed := uniuri.NewLen(16)
+
+	err := store.TunnelServer().UpdateInfo(&portainer.TunnelServerInfo{PrivateKeySeed: expectPrivateKeySeed})
+	is.NoError(err, "UpdateInfo should have succeeded")
+
+	serverInfo, err := store.TunnelServer().Info()
+	is.NoError(err, "Info should have succeeded")
+
+	is.Equal(expectPrivateKeySeed, serverInfo.PrivateKeySeed, "hashed passwords should not differ")
+}
+
+// add users, read them back and check the details are unchanged
+func (store *Store) testUserAccounts(t *testing.T) {
+	is := assert.New(t)
+
+	err := store.createAccount(adminUsername, adminPassword, portainer.AdministratorRole)
+	is.NoError(err, "CreateAccount should succeed")
+	store.checkAccount(adminUsername, adminPassword, portainer.AdministratorRole)
+	is.NoError(err, "Account failure")
+
+	err = store.createAccount(standardUsername, standardPassword, portainer.StandardUserRole)
+	is.NoError(err, "CreateAccount should succeed")
+	store.checkAccount(standardUsername, standardPassword, portainer.StandardUserRole)
+	is.NoError(err, "Account failure")
+}
+
+// create an account with the provided details
+func (store *Store) createAccount(username, password string, role portainer.UserRole) error {
+	var err error
+	user := &portainer.User{Username: username, Role: role}
+
+	// encrypt the password
+	cs := &crypto.Service{}
+	user.Password, err = cs.Hash(password)
+	if err != nil {
+		return err
+	}
+
+	err = store.User().Create(user)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *Store) checkAccount(username, expectPassword string, expectRole portainer.UserRole) error {
+	// Read the account for username.  Check password and role is what we expect
+
+	user, err := store.User().UserByUsername(username)
+	if err != nil {
+		return errors.Wrap(err, "failed to find user")
+	}
+
+	if user.Username != username || user.Role != expectRole {
+		return fmt.Errorf("%s user details do not match", user.Username)
+	}
+
+	// Check the password
+	cs := &crypto.Service{}
+	expectPasswordHash, err := cs.Hash(expectPassword)
+	if err != nil {
+		return errors.Wrap(err, "hash failed")
+	}
+
+	if user.Password != expectPasswordHash {
+		return fmt.Errorf("%s user password hash failure", user.Username)
+	}
+
+	return nil
+}
+
+func (store *Store) testSettings(t *testing.T) {
+	is := assert.New(t)
+
+	// since many settings are default and basically nil, I'm going to update some and read them back
+	expectedSettings, err := store.Settings().Settings()
+	is.NoError(err, "Settings() should not return an error")
+	expectedSettings.TemplatesURL = "http://portainer.io/application-templates"
+	expectedSettings.HelmRepositoryURL = "http://portainer.io/helm-repository"
+	expectedSettings.EdgeAgentCheckinInterval = 60
+	expectedSettings.AuthenticationMethod = portainer.AuthenticationLDAP
+	expectedSettings.LDAPSettings = portainer.LDAPSettings{
+		AnonymousMode:   true,
+		StartTLS:        true,
+		AutoCreateUsers: true,
+		Password:        "random",
+	}
+	expectedSettings.SnapshotInterval = "10m"
+
+	err = store.Settings().UpdateSettings(expectedSettings)
+	is.NoError(err, "UpdateSettings() should succeed")
+
+	settings, err := store.Settings().Settings()
+	is.NoError(err, "Settings() should not return an error")
+	is.Equal(expectedSettings, settings, "stored settings should match")
+}
+
+func (store *Store) testCustomTemplates(t *testing.T) {
+	is := assert.New(t)
+
+	customTemplate := store.CustomTemplate()
+	is.NotNil(customTemplate, "customTemplate Service shouldn't be nil")
+
+	expectedTemplate := &portainer.CustomTemplate{
+		ID:              portainer.CustomTemplateID(customTemplate.GetNextIdentifier()),
+		Title:           "Custom Title",
+		Description:     "Custom Template Description",
+		ProjectPath:     "/data/custom_template/1",
+		Note:            "A note about this custom template",
+		EntryPoint:      "docker-compose.yaml",
+		CreatedByUserID: 10,
+	}
+
+	customTemplate.Create(expectedTemplate)
+
+	actualTemplate, err := customTemplate.CustomTemplate(expectedTemplate.ID)
+	is.NoError(err, "CustomTemplate should not return an error")
+	is.Equal(expectedTemplate, actualTemplate, "expected and actual template do not match")
+}
+
+func (store *Store) testRegistries(t *testing.T) {
+	is := assert.New(t)
+
+	regService := store.RegistryService
+	is.NotNil(regService, "RegistryService shouldn't be nil")
+
+	reg1 := &portainer.Registry{
+		ID:   1,
+		Type: portainer.DockerHubRegistry,
+		Name: "Dockerhub Registry Test",
+	}
+
+	reg2 := &portainer.Registry{
+		ID:   2,
+		Type: portainer.GitlabRegistry,
+		Name: "Gitlab Registry Test",
+		Gitlab: portainer.GitlabRegistryData{
+			ProjectID:   12345,
+			InstanceURL: "http://gitlab.com/12345",
+			ProjectPath: "mytestproject",
+		},
+	}
+
+	err := regService.Create(reg1)
+	is.NoError(err)
+
+	err = regService.Create(reg2)
+	is.NoError(err)
+
+	actualReg1, err := regService.Registry(reg1.ID)
+	is.NoError(err)
+	is.Equal(reg1, actualReg1, "registries differ")
+
+	actualReg2, err := regService.Registry(reg2.ID)
+	is.NoError(err)
+	is.Equal(reg2, actualReg2, "registries differ")
+}
+
+func (store *Store) testResourceControl(t *testing.T) {
+	// is := assert.New(t)
+	// resControl := store.ResourceControl()
+	// ctrl := &portainer.ResourceControl{
+	// }
+	// resControl().Create()
+}
+
+func (store *Store) testSchedules(t *testing.T) {
+	is := assert.New(t)
+
+	schedule := store.ScheduleService
+	s := &portainer.Schedule{
+		ID:             portainer.ScheduleID(schedule.GetNextIdentifier()),
+		Name:           "My Custom Schedule 1",
+		CronExpression: "*/5 * * * * portainer /bin/sh -c echo 'hello world'",
+	}
+
+	err := schedule.CreateSchedule(s)
+	is.NoError(err, "CreateSchedule should succeed")
+
+	actual, err := schedule.Schedule(s.ID)
+	is.NoError(err, "schedule should be found")
+	is.Equal(s, actual, "schedules differ")
+}
+
+func (store *Store) testTags(t *testing.T) {
+	is := assert.New(t)
+
+	tags := store.TagService
+
+	tag1 := &portainer.Tag{
+		ID:   1,
+		Name: "Tag 1",
+	}
+
+	tag2 := &portainer.Tag{
+		ID:   2,
+		Name: "Tag 1",
+	}
+
+	err := tags.Create(tag1)
+	is.NoError(err, "Tags.Create should succeed")
+
+	err = tags.Create(tag2)
+	is.NoError(err, "Tags.Create should succeed")
+
+	actual, err := tags.Tag(tag1.ID)
+	is.NoError(err, "tag1 should be found")
+	is.Equal(tag1, actual, "tags differ")
+
+	actual, err = tags.Tag(tag2.ID)
+	is.NoError(err, "tag2 should be found")
+	is.Equal(tag2, actual, "tags differ")
+}
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -7,26 +7,44 @@ import (

 // Init creates the default data set.
 func (store *Store) Init() error {
-	instanceID, err := store.VersionService.InstanceID()
+	err := store.checkOrCreateInstanceID()
+	if err != nil {
+		return err
+	}
+
+	err = store.checkOrCreateDefaultSettings()
+	if err != nil {
+		return err
+	}
+
+	err = store.checkOrCreateDefaultSSLSettings()
+	if err != nil {
+		return err
+	}
+
+	return store.checkOrCreateDefaultData()
+}
+
+func (store *Store) checkOrCreateInstanceID() error {
+	_, err := store.VersionService.InstanceID()
 	if store.IsErrObjectNotFound(err) {
 		uid, err := uuid.NewV4()
 		if err != nil {
 			return err
 		}

-		instanceID = uid.String()
-		err = store.VersionService.StoreInstanceID(instanceID)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
+		instanceID := uid.String()
+		return store.VersionService.StoreInstanceID(instanceID)
 	}
+	return err
+}

+func (store *Store) checkOrCreateDefaultSettings() error {
 	// TODO: these need to also be applied when importing
 	settings, err := store.SettingsService.Settings()
 	if store.IsErrObjectNotFound(err) {
 		defaultSettings := &portainer.Settings{
+			EnableTelemetry:      true,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
 			LDAPSettings: portainer.LDAPSettings{
@@ -34,14 +52,16 @@ func (store *Store) Init() error {
 				AutoCreateUsers: true,
 				TLSConfig:       portainer.TLSConfiguration{},
 				SearchSettings: []portainer.LDAPSearchSettings{
-					portainer.LDAPSearchSettings{},
+					{},
 				},
 				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
-					portainer.LDAPGroupSearchSettings{},
+					{},
 				},
 			},
-			OAuthSettings: portainer.OAuthSettings{},
-
+			OAuthSettings: portainer.OAuthSettings{
+				SSO: true,
+			},
+			SnapshotInterval:         portainer.DefaultSnapshotInterval,
 			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
 			TemplatesURL:             portainer.DefaultTemplatesURL,
 			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
@@ -50,35 +70,33 @@ func (store *Store) Init() error {
 			KubectlShellImage:        portainer.DefaultKubectlShellImage,
 		}

-		err = store.SettingsService.UpdateSettings(defaultSettings)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
+		return store.SettingsService.UpdateSettings(defaultSettings)
+	}
+	if err != nil {
 		return err
-	} else if err == nil {
-		if settings.UserSessionTimeout == "" {
-			settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
-			store.Settings().UpdateSettings(settings)
-		}
 	}

-	_, err = store.SSLSettings().Settings()
-	if err != nil {
-		if !store.IsErrObjectNotFound(err) {
-			return err
-		}
+	if settings.UserSessionTimeout == "" {
+		settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
+		return store.Settings().UpdateSettings(settings)
+	}
+	return nil
+}

+func (store *Store) checkOrCreateDefaultSSLSettings() error {
+	_, err := store.SSLSettings().Settings()
+
+	if store.IsErrObjectNotFound(err) {
 		defaultSSLSettings := &portainer.SSLSettings{
 			HTTPEnabled: true,
 		}

-		err = store.SSLSettings().UpdateSettings(defaultSSLSettings)
-		if err != nil {
-			return err
-		}
+		return store.SSLSettings().UpdateSettings(defaultSSLSettings)
 	}
+	return err
+}

+func (store *Store) checkOrCreateDefaultData() error {
 	groups, err := store.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return err
@@ -99,6 +117,5 @@ func (store *Store) Init() error {
 			return err
 		}
 	}
-
 	return nil
 }
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -19,7 +19,6 @@ const beforePortainerVersionUpgradeBackup = "portainer.db.bak"
 var migrateLog = plog.NewScopedLog("database, migrate")

 func (store *Store) MigrateData() error {
-
 	version, err := store.version()
 	if err != nil {
 		return err
@@ -31,6 +30,7 @@ func (store *Store) MigrateData() error {
 		EndpointService:         store.EndpointService,
 		EndpointRelationService: store.EndpointRelationService,
 		ExtensionService:        store.ExtensionService,
+		FDOProfilesService:      store.FDOProfilesService,
 		RegistryService:         store.RegistryService,
 		ResourceControlService:  store.ResourceControlService,
 		RoleService:             store.RoleService,
--- a/api/datastore/migrate_data_test.go
+++ b/api/datastore/migrate_data_test.go
@@ -36,8 +36,8 @@ func TestMigrateData(t *testing.T) {
 		testVersion(store, portainer.DBVersion, t)
 		store.Close()

-		isNew, _ := store.Open()
-		if isNew {
+		newStore, _ = store.Open()
+		if newStore {
 			t.Error("Expect store to NOT be new DB")
 		}
 	})
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
+	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
 	"github.com/portainer/portainer/api/dataservices/role"
@@ -26,12 +27,12 @@ var migrateLog = plog.NewScopedLog("database, migrate")
 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
-		currentDBVersion int
-
+		currentDBVersion        int
 		endpointGroupService    *endpointgroup.Service
 		endpointService         *endpoint.Service
 		endpointRelationService *endpointrelation.Service
 		extensionService        *extension.Service
+		fdoProfilesService      *fdoprofile.Service
 		registryService         *registry.Service
 		resourceControlService  *resourcecontrol.Service
 		roleService             *role.Service
@@ -48,7 +49,27 @@ type (
 	}

 	// MigratorParameters represents the required parameters to create a new Migrator instance.
-
+	MigratorParameters struct {
+		DatabaseVersion         int
+		EndpointGroupService    *endpointgroup.Service
+		EndpointService         *endpoint.Service
+		EndpointRelationService *endpointrelation.Service
+		ExtensionService        *extension.Service
+		FDOProfilesService      *fdoprofile.Service
+		RegistryService         *registry.Service
+		ResourceControlService  *resourcecontrol.Service
+		RoleService             *role.Service
+		ScheduleService         *schedule.Service
+		SettingsService         *settings.Service
+		StackService            *stack.Service
+		TagService              *tag.Service
+		TeamMembershipService   *teammembership.Service
+		UserService             *user.Service
+		VersionService          *version.Service
+		FileService             portainer.FileService
+		AuthorizationService    *authorization.Service
+		DockerhubService        *dockerhub.Service
+	}
 )

 // NewMigrator creates a new Migrator.
@@ -59,6 +80,7 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		endpointService:         parameters.EndpointService,
 		endpointRelationService: parameters.EndpointRelationService,
 		extensionService:        parameters.ExtensionService,
+		fdoProfilesService:      parameters.FDOProfilesService,
 		registryService:         parameters.RegistryService,
 		resourceControlService:  parameters.ResourceControlService,
 		roleService:             parameters.RoleService,
@@ -79,24 +101,3 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 func (migrator *Migrator) Version() int {
 	return migrator.currentDBVersion
 }
-
-type MigratorParameters struct {
-	DatabaseVersion         int
-	EndpointGroupService    *endpointgroup.Service
-	EndpointService         *endpoint.Service
-	EndpointRelationService *endpointrelation.Service
-	ExtensionService        *extension.Service
-	RegistryService         *registry.Service
-	ResourceControlService  *resourcecontrol.Service
-	RoleService             *role.Service
-	ScheduleService         *schedule.Service
-	SettingsService         *settings.Service
-	StackService            *stack.Service
-	TagService              *tag.Service
-	TeamMembershipService   *teammembership.Service
-	UserService             *user.Service
-	VersionService          *version.Service
-	FileService             portainer.FileService
-	AuthorizationService    *authorization.Service
-	DockerhubService        *dockerhub.Service
-}
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
+	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/helmuserrepository"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
@@ -39,7 +40,7 @@ import (
 // BoltDB as the storage system.
 type Store struct {
 	connection portainer.Connection
-	
+
 	fileService               portainer.FileService
 	CustomTemplateService     *customtemplate.Service
 	DockerHubService          *dockerhub.Service
@@ -50,6 +51,7 @@ type Store struct {
 	EndpointService           *endpoint.Service
 	EndpointRelationService   *endpointrelation.Service
 	ExtensionService          *extension.Service
+	FDOProfilesService        *fdoprofile.Service
 	HelmUserRepositoryService *helmuserrepository.Service
 	RegistryService           *registry.Service
 	ResourceControlService    *resourcecontrol.Service
@@ -129,6 +131,12 @@ func (store *Store) initServices() error {
 	}
 	store.ExtensionService = extensionService

+	fdoProfilesService, err := fdoprofile.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.FDOProfilesService = fdoProfilesService
+
 	helmUserRepositoryService, err := helmuserrepository.NewService(store.connection)
 	if err != nil {
 		return err
@@ -257,6 +265,11 @@ func (store *Store) EndpointRelation() dataservices.EndpointRelationService {
 	return store.EndpointRelationService
 }

+// FDOProfile gives access to the FDOProfile data management layer
+func (store *Store) FDOProfile() dataservices.FDOProfileService {
+	return store.FDOProfilesService
+}
+
 // HelmUserRepository access the helm user repository settings
 func (store *Store) HelmUserRepository() dataservices.HelmUserRepositoryService {
 	return store.HelmUserRepositoryService
@@ -356,6 +369,7 @@ type storeExport struct {
 	User               []portainer.User               `json:"users,omitempty"`
 	Version            map[string]string              `json:"version,omitempty"`
 	Webhook            []portainer.Webhook            `json:"webhooks,omitempty"`
+	Metadata           map[string]interface{}         `json:"metadata,omitempty"`
 }

 func (store *Store) Export(filename string) (err error) {
@@ -363,125 +377,195 @@ func (store *Store) Export(filename string) (err error) {
 	backup := storeExport{}

 	if c, err := store.CustomTemplate().CustomTemplates(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Custom Templates")
+		}
 	} else {
 		backup.CustomTemplate = c
 	}
+
 	if e, err := store.EdgeGroup().EdgeGroups(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Edge Groups")
+		}
 	} else {
 		backup.EdgeGroup = e
 	}
+
 	if e, err := store.EdgeJob().EdgeJobs(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Edge Jobs")
+		}
 	} else {
 		backup.EdgeJob = e
 	}
+
 	if e, err := store.EdgeStack().EdgeStacks(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Edge Stacks")
+		}
 	} else {
 		backup.EdgeStack = e
 	}
+
 	if e, err := store.Endpoint().Endpoints(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Endpoints")
+		}
 	} else {
 		backup.Endpoint = e
 	}
+
 	if e, err := store.EndpointGroup().EndpointGroups(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Endpoint Groups")
+		}
 	} else {
 		backup.EndpointGroup = e
 	}
+
 	if r, err := store.EndpointRelation().EndpointRelations(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Endpoint Relations")
+		}
 	} else {
 		backup.EndpointRelation = r
 	}
+
 	if r, err := store.ExtensionService.Extensions(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Extensions")
+		}
 	} else {
 		backup.Extensions = r
 	}
-	if r, err := store.HelmUserRepository().HelmUserRepositorys(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+
+	if r, err := store.HelmUserRepository().HelmUserRepositories(); err != nil {
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Helm User Repositories")
+		}
 	} else {
 		backup.HelmUserRepository = r
 	}
+
 	if r, err := store.Registry().Registries(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Registries")
+		}
 	} else {
 		backup.Registry = r
 	}
+
 	if c, err := store.ResourceControl().ResourceControls(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Resource Controls")
+		}
 	} else {
 		backup.ResourceControl = c
 	}
+
 	if role, err := store.Role().Roles(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Roles")
+		}
 	} else {
 		backup.Role = role
 	}
+
 	if r, err := store.ScheduleService.Schedules(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Schedules")
+		}
 	} else {
 		backup.Schedules = r
 	}
+
 	if settings, err := store.Settings().Settings(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Settings")
+		}
 	} else {
 		backup.Settings = *settings
 	}
+
 	if settings, err := store.SSLSettings().Settings(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting SSL Settings")
+		}
 	} else {
 		backup.SSLSettings = *settings
 	}
+
 	if t, err := store.Stack().Stacks(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Stacks")
+		}
 	} else {
 		backup.Stack = t
 	}
+
 	if t, err := store.Tag().Tags(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Tags")
+		}
 	} else {
 		backup.Tag = t
 	}
+
 	if t, err := store.TeamMembership().TeamMemberships(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Team Memberships")
+		}
 	} else {
 		backup.TeamMembership = t
 	}
+
 	if t, err := store.Team().Teams(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Teams")
+		}
 	} else {
 		backup.Team = t
 	}
+
 	if info, err := store.TunnelServer().Info(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Tunnel Server")
+		}
 	} else {
 		backup.TunnelServer = *info
 	}
+
 	if users, err := store.User().Users(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Users")
+		}
 	} else {
 		backup.User = users
 	}
+
+	if webhooks, err := store.Webhook().Webhooks(); err != nil {
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Webhooks")
+		}
+	} else {
+		backup.Webhook = webhooks
+	}
+
 	v, err := store.Version().DBVersion()
-	if err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+	if err != nil && !store.IsErrObjectNotFound(err) {
+		logrus.WithError(err).Errorf("Exporting DB version")
 	}
 	instance, _ := store.Version().InstanceID()
-	//edition, _ := store.Version().Edition()
 	backup.Version = map[string]string{
 		"DB_VERSION":  strconv.Itoa(v),
 		"INSTANCE_ID": instance,
 	}

-	// backup[store.Webhook().BucketName()], err = store.Webhook().Webhooks()
-	// if err != nil {
-	// 	logrus.WithError(err).Debugf("Export boom")
-	// }
+	backup.Metadata, err = store.connection.BackupMetadata()
+	if err != nil {
+		logrus.WithError(err).Errorf("Exporting Metadata")
+	}

 	b, err := json.MarshalIndent(backup, "", "  ")
 	if err != nil {
@@ -491,6 +575,7 @@ func (store *Store) Export(filename string) (err error) {
 }

 func (store *Store) Import(filename string) (err error) {
+
 	backup := storeExport{}

 	s, err := ioutil.ReadFile(filename)
@@ -519,51 +604,66 @@ func (store *Store) Import(filename string) (err error) {
 	for _, v := range backup.CustomTemplate {
 		store.CustomTemplate().UpdateCustomTemplate(v.ID, &v)
 	}
+
 	for _, v := range backup.EdgeGroup {
 		store.EdgeGroup().UpdateEdgeGroup(v.ID, &v)
 	}
+
 	for _, v := range backup.EdgeJob {
 		store.EdgeJob().UpdateEdgeJob(v.ID, &v)
 	}
+
 	for _, v := range backup.EdgeStack {
 		store.EdgeStack().UpdateEdgeStack(v.ID, &v)
 	}
+
 	for _, v := range backup.Endpoint {
 		store.Endpoint().UpdateEndpoint(v.ID, &v)
 	}
+
 	for _, v := range backup.EndpointGroup {
 		store.EndpointGroup().UpdateEndpointGroup(v.ID, &v)
 	}
+
 	for _, v := range backup.EndpointRelation {
 		store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v)
 	}
-	// backup[store.HelmUserRepository().BucketName()], err = store.HelmUserRepository().HelmUserRepositorys()
-	// for _, v := range backup.HelmUserRepository {
-	// 	store.HelmUserRepository().UpdateHelmUserRepository(v.ID, &v)
-	// }
+
+	for _, v := range backup.HelmUserRepository {
+		store.HelmUserRepository().UpdateHelmUserRepository(v.ID, &v)
+	}
+
 	for _, v := range backup.Registry {
 		store.Registry().UpdateRegistry(v.ID, &v)
 	}
+
 	for _, v := range backup.ResourceControl {
 		store.ResourceControl().UpdateResourceControl(v.ID, &v)
 	}
+
 	for _, v := range backup.Role {
 		store.Role().UpdateRole(v.ID, &v)
 	}
+
 	store.Settings().UpdateSettings(&backup.Settings)
 	store.SSLSettings().UpdateSettings(&backup.SSLSettings)
+
 	for _, v := range backup.Stack {
 		store.Stack().UpdateStack(v.ID, &v)
 	}
+
 	for _, v := range backup.Tag {
 		store.Tag().UpdateTag(v.ID, &v)
 	}
+
 	for _, v := range backup.TeamMembership {
 		store.TeamMembership().UpdateTeamMembership(v.ID, &v)
 	}
+
 	for _, v := range backup.Team {
 		store.Team().UpdateTeam(v.ID, &v)
 	}
+
 	store.TunnelServer().UpdateInfo(&backup.TunnelServer)

 	for _, user := range backup.User {
@@ -572,10 +672,9 @@ func (store *Store) Import(filename string) (err error) {
 		}
 	}

-	// backup[store.Webhook().BucketName()], err = store.Webhook().Webhooks()
-	// if err != nil {
-	// 	logrus.WithError(err).Debugf("Export boom")
-	// }
+	for _, v := range backup.Webhook {
+		store.Webhook().UpdateWebhook(v.ID, &v)
+	}

-	return nil
+	return store.connection.RestoreMetadata(backup.Metadata)
 }
--- a/api/datastore/teststore.go
+++ b/api/datastore/teststore.go
@@ -42,29 +42,28 @@ func NewTestStore(init bool) (bool, *Store, func(), error) {
 		return false, nil, nil, err
 	}

-	// TODO: add the UX to get the key from somewhere we consider "safe"
-	connection, err := database.NewDatabase("boltdb", storePath, "apassphrasewhichneedstobe32bytes")
+	connection, err := database.NewDatabase("boltdb", storePath, []byte("apassphrasewhichneedstobe32bytes"))
 	if err != nil {
 		panic(err)
 	}
 	store := NewStore(storePath, fileService, connection)
-	isNewStore, err := store.Open()
+	newStore, err := store.Open()
 	if err != nil {
-		return isNewStore, nil, nil, err
+		return newStore, nil, nil, err
 	}

 	if init {
 		err = store.Init()
 		if err != nil {
-			return isNewStore, nil, nil, err
+			return newStore, nil, nil, err
 		}
 	}

-	if isNewStore {
+	if newStore {
 		// from MigrateData
 		store.VersionService.StoreDBVersion(portainer.DBVersion)
 		if err != nil {
-			return isNewStore, nil, nil, err
+			return newStore, nil, nil, err
 		}
 	}

@@ -72,7 +71,7 @@ func NewTestStore(init bool) (bool, *Store, func(), error) {
 		teardown(store, storePath)
 	}

-	return isNewStore, store, teardown, nil
+	return newStore, store, teardown, nil
 }

 func teardown(store *Store, storePath string) {
--- a/api/docker/client.go
+++ b/api/docker/client.go
@@ -15,7 +15,7 @@ import (
 var errUnsupportedEnvironmentType = errors.New("Environment not supported")

 const (
-	defaultDockerRequestTimeout = 60
+	defaultDockerRequestTimeout = 60 * time.Second
 	dockerClientVersion         = "1.37"
 )

@@ -33,22 +33,23 @@ func NewClientFactory(signatureService portainer.DigitalSignatureService, revers
 	}
 }

-// createClient is a generic function to create a Docker client based on
+// CreateClient is a generic function to create a Docker client based on
 // a specific environment(endpoint) configuration. The nodeName parameter can be used
 // with an agent enabled environment(endpoint) to target a specific node in an agent cluster.
-func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeName string) (*client.Client, error) {
+// The underlying http client timeout may be specified, a default value is used otherwise.
+func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeName string, timeout *time.Duration) (*client.Client, error) {
 	if endpoint.Type == portainer.AzureEnvironment {
 		return nil, errUnsupportedEnvironmentType
 	} else if endpoint.Type == portainer.AgentOnDockerEnvironment {
-		return createAgentClient(endpoint, factory.signatureService, nodeName)
+		return createAgentClient(endpoint, factory.signatureService, nodeName, timeout)
 	} else if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
-		return createEdgeClient(endpoint, factory.signatureService, factory.reverseTunnelService, nodeName)
+		return createEdgeClient(endpoint, factory.signatureService, factory.reverseTunnelService, nodeName, timeout)
 	}

 	if strings.HasPrefix(endpoint.URL, "unix://") || strings.HasPrefix(endpoint.URL, "npipe://") {
 		return createLocalClient(endpoint)
 	}
-	return createTCPClient(endpoint)
+	return createTCPClient(endpoint, timeout)
 }

 func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
@@ -58,8 +59,8 @@ func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	)
 }

-func createTCPClient(endpoint *portainer.Endpoint) (*client.Client, error) {
-	httpCli, err := httpClient(endpoint)
+func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*client.Client, error) {
+	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
 		return nil, err
 	}
@@ -71,8 +72,8 @@ func createTCPClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	)
 }

-func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, nodeName string) (*client.Client, error) {
-	httpCli, err := httpClient(endpoint)
+func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
 		return nil, err
 	}
@@ -95,7 +96,7 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D
 	if err != nil {
 		return nil, err
 	}
-	
+
 	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)

 	return client.NewClientWithOpts(
@@ -106,8 +107,8 @@ func createEdgeClient(endpoint *portainer.Endpoint, signatureService portainer.D
 	)
 }

-func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string) (*client.Client, error) {
-	httpCli, err := httpClient(endpoint)
+func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
+	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
 		return nil, err
 	}
@@ -134,7 +135,7 @@ func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.
 	)
 }

-func httpClient(endpoint *portainer.Endpoint) (*http.Client, error) {
+func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
 	transport := &http.Transport{}

 	if endpoint.TLSConfig.TLS {
@@ -145,8 +146,13 @@ func httpClient(endpoint *portainer.Endpoint) (*http.Client, error) {
 		transport.TLSClientConfig = tlsConfig
 	}

+	clientTimeout := defaultDockerRequestTimeout
+	if timeout != nil {
+		clientTimeout = *timeout
+	}
+
 	return &http.Client{
 		Transport: transport,
-		Timeout:   defaultDockerRequestTimeout * time.Second,
+		Timeout:   clientTimeout,
 	}, nil
 }
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -26,7 +26,7 @@ func NewSnapshotter(clientFactory *ClientFactory) *Snapshotter {

 // CreateSnapshot creates a snapshot of a specific Docker environment(endpoint)
 func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
-	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "")
+	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "", nil)
 	if err != nil {
 		return nil, err
 	}
--- a/api/exec/common.go
+++ b/api/exec/common.go
@@ -3,3 +3,48 @@ package exec
 import "regexp"

 var stackNameNormalizeRegex = regexp.MustCompile("[^-_a-z0-9]+")
+
+type StringSet map[string]bool
+
+func NewStringSet() StringSet {
+	return make(StringSet)
+}
+
+func (s StringSet) Add(x string) {
+	s[x] = true
+}
+
+func (s StringSet) Remove(x string) {
+	if s.Contains(x) {
+		delete(s, x)
+	}
+}
+
+func (s StringSet) Contains(x string) bool {
+	_, ok := s[x]
+	return ok
+}
+
+func (s StringSet) Len() int {
+	return len(s)
+}
+
+func (s StringSet) List() []string {
+	list := make([]string, s.Len())
+
+	i := 0
+	for k := range s {
+		list[i] = k
+		i++
+	}
+
+	return list
+}
+
+func (s StringSet) Union(x StringSet) {
+	if x.Len() != 0 {
+		for k := range x {
+			s.Add(k)
+		}
+	}
+}
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -3,8 +3,10 @@ package exec
 import (
 	"context"
 	"fmt"
+	"io"
 	"os"
 	"path"
+	"regexp"
 	"strings"

 	"github.com/pkg/errors"
@@ -12,6 +14,7 @@ import (
 	libstack "github.com/portainer/docker-compose-wrapper"
 	"github.com/portainer/docker-compose-wrapper/compose"

+	"github.com/docker/cli/cli/compose/loader"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory"
@@ -43,7 +46,7 @@ func (manager *ComposeStackManager) ComposeSyntaxMaxVersion() string {
 }

 // Up builds, (re)creates and starts containers in the background. Wraps `docker-compose up -d` command
-func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint, forceRereate bool) error {
 	url, proxy, err := manager.fetchEndpointProxy(endpoint)
 	if err != nil {
 		return errors.Wrap(err, "failed to fetch environment proxy")
@@ -59,7 +62,7 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 	}

 	filePaths := stackutils.GetStackFilePaths(stack)
-	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFilePath)
+	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFilePath, forceRereate)
 	return errors.Wrap(err, "failed to deploy a stack")
 }

@@ -73,6 +76,10 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 		defer proxy.Close()
 	}

+	if err := updateNetworkEnvFile(stack); err != nil {
+		return err
+	}
+
 	filePaths := stackutils.GetStackFilePaths(stack)
 	err = manager.deployer.Remove(ctx, stack.ProjectPath, url, stack.Name, filePaths)
 	return errors.Wrap(err, "failed to remove a stack")
@@ -97,6 +104,12 @@ func (manager *ComposeStackManager) fetchEndpointProxy(endpoint *portainer.Endpo
 }

 func createEnvFile(stack *portainer.Stack) (string, error) {
+	// workaround for EE-1862. It will have to be removed when
+	// docker/compose upgraded to v2.x.
+	if err := createNetworkEnvFile(stack); err != nil {
+		return "", errors.Wrap(err, "failed to create network env file")
+	}
+
 	if stack.Env == nil || len(stack.Env) == 0 {
 		return "", nil
 	}
@@ -115,3 +128,175 @@ func createEnvFile(stack *portainer.Stack) (string, error) {

 	return "stack.env", nil
 }
+
+func fileNotExist(filePath string) bool {
+	if _, err := os.Stat(filePath); errors.Is(err, os.ErrNotExist) {
+		return true
+	}
+
+	return false
+}
+
+func updateNetworkEnvFile(stack *portainer.Stack) error {
+	envFilePath := path.Join(stack.ProjectPath, ".env")
+	stackFilePath := path.Join(stack.ProjectPath, "stack.env")
+	if fileNotExist(envFilePath) {
+		if fileNotExist(stackFilePath) {
+			return nil
+		}
+
+		flags := os.O_WRONLY | os.O_SYNC | os.O_CREATE
+		envFile, err := os.OpenFile(envFilePath, flags, 0666)
+		if err != nil {
+			return err
+		}
+
+		defer envFile.Close()
+
+		stackFile, err := os.Open(stackFilePath)
+		if err != nil {
+			return err
+		}
+
+		defer stackFile.Close()
+
+		_, err = io.Copy(envFile, stackFile)
+		return err
+	}
+
+	return nil
+}
+
+func createNetworkEnvFile(stack *portainer.Stack) error {
+	networkNameSet := NewStringSet()
+
+	for _, filePath := range stackutils.GetStackFilePaths(stack) {
+		networkNames, err := extractNetworkNames(filePath)
+		if err != nil {
+			return errors.Wrap(err, "failed to extract network name")
+		}
+
+		if networkNames == nil || networkNames.Len() == 0 {
+			continue
+		}
+
+		networkNameSet.Union(networkNames)
+	}
+
+	for _, s := range networkNameSet.List() {
+		if _, ok := os.LookupEnv(s); ok {
+			networkNameSet.Remove(s)
+		}
+	}
+
+	if networkNameSet.Len() == 0 && stack.Env == nil {
+		return nil
+	}
+
+	envfile, err := os.OpenFile(path.Join(stack.ProjectPath, ".env"),
+		os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return errors.Wrap(err, "failed to open env file")
+	}
+
+	defer envfile.Close()
+
+	var scanEnvSettingFunc = func(name string) (string, bool) {
+		if stack.Env != nil {
+			for _, v := range stack.Env {
+				if name == v.Name {
+					return v.Value, true
+				}
+			}
+		}
+
+		return "", false
+	}
+
+	for _, s := range networkNameSet.List() {
+		if _, ok := scanEnvSettingFunc(s); !ok {
+			stack.Env = append(stack.Env, portainer.Pair{
+				Name:  s,
+				Value: "None",
+			})
+		}
+	}
+
+	if stack.Env != nil {
+		for _, v := range stack.Env {
+			envfile.WriteString(
+				fmt.Sprintf("%s=%s\n", v.Name, v.Value))
+		}
+	}
+
+	return nil
+}
+
+func extractNetworkNames(filePath string) (StringSet, error) {
+	if info, err := os.Stat(filePath); errors.Is(err,
+		os.ErrNotExist) || info.IsDir() {
+		return nil, nil
+	}
+
+	stackFileContent, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open yaml file")
+	}
+
+	config, err := loader.ParseYAML(stackFileContent)
+	if err != nil {
+		// invalid stack file
+		return nil, errors.Wrap(err, "invalid stack file")
+	}
+
+	var version string
+	if _, ok := config["version"]; ok {
+		version, _ = config["version"].(string)
+	}
+
+	var networks map[string]interface{}
+	if value, ok := config["networks"]; ok {
+		if value == nil {
+			return nil, nil
+		}
+
+		if networks, ok = value.(map[string]interface{}); !ok {
+			return nil, nil
+		}
+	} else {
+		return nil, nil
+	}
+
+	networkContent, err := loader.LoadNetworks(networks, version)
+	if err != nil {
+		return nil, nil // skip the error
+	}
+
+	re := regexp.MustCompile(`^\$\{?([^\}]+)\}?$`)
+	networkNames := NewStringSet()
+
+	for _, v := range networkContent {
+		matched := re.FindAllStringSubmatch(v.Name, -1)
+		if matched != nil && matched[0] != nil {
+			if strings.Contains(matched[0][1], ":-") {
+				continue
+			}
+
+			if strings.Contains(matched[0][1], "?") {
+				continue
+			}
+
+			if strings.Contains(matched[0][1], "-") {
+				continue
+			}
+
+			networkNames.Add(matched[0][1])
+		}
+	}
+
+	if networkNames.Len() == 0 {
+		return nil, nil
+	}
+
+	return networkNames, nil
+}
--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -50,7 +50,7 @@ func Test_UpAndDown(t *testing.T) {

 	ctx := context.TODO()

-	err = w.Up(ctx, stack, endpoint)
+	err = w.Up(ctx, stack, endpoint, false)
 	if err != nil {
 		t.Fatalf("Error calling docker-compose up: %s", err)
 	}
--- a/api/exec/compose_stack_test.go
+++ b/api/exec/compose_stack_test.go
@@ -64,3 +64,57 @@ func Test_createEnvFile(t *testing.T) {
 		})
 	}
 }
+
+func Test_createNetworkEnvFile(t *testing.T) {
+	dir := t.TempDir()
+	buf := []byte(`
+version: '3.6'
+services:
+  nginx-example:
+    image: nginx:latest
+networks:
+  default:
+    name: ${test}
+    driver: bridge
+`)
+	if err := ioutil.WriteFile(path.Join(dir,
+		"docker-compose.yml"), buf, 0644); err != nil {
+		t.Fatalf("Failed to create yaml file: %s", err)
+	}
+
+	stackWithoutEnv := &portainer.Stack{
+		ProjectPath: dir,
+		EntryPoint:  "docker-compose.yml",
+		Env:         []portainer.Pair{},
+	}
+
+	if err := createNetworkEnvFile(stackWithoutEnv); err != nil {
+		t.Fatalf("Failed to create network env file: %s", err)
+	}
+
+	content, err := ioutil.ReadFile(path.Join(dir, ".env"))
+	if err != nil {
+		t.Fatalf("Failed to read network env file: %s", err)
+	}
+
+	assert.Equal(t, "test=None\n", string(content))
+
+	stackWithEnv := &portainer.Stack{
+		ProjectPath: dir,
+		EntryPoint:  "docker-compose.yml",
+		Env: []portainer.Pair{
+			{Name: "test", Value: "test-value"},
+		},
+	}
+
+	if err := createNetworkEnvFile(stackWithEnv); err != nil {
+		t.Fatalf("Failed to create network env file: %s", err)
+	}
+
+	content, err = ioutil.ReadFile(path.Join(dir, ".env"))
+	if err != nil {
+		t.Fatalf("Failed to read network env file: %s", err)
+	}
+
+	assert.Equal(t, "test=test-value\n", string(content))
+}
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -35,6 +35,8 @@ const (
 	ManifestFileDefaultName = "k8s-deployment.yml"
 	// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
 	EdgeStackStorePath = "edge_stacks"
+	// FDOProfileStorePath represents the subfolder where FDO profiles files are stored in the file store folder.
+	FDOProfileStorePath = "fdo_profiles"
 	// PrivateKeyFile represents the name on disk of the file containing the private key.
 	PrivateKeyFile = "portainer.key"
 	// PublicKeyFile represents the name on disk of the file containing the public key.
@@ -612,12 +614,12 @@ func (service *Service) StoreSSLCertPair(cert, key []byte) (string, string, erro
 func (service *Service) CopySSLCertPair(certPath, keyPath string) (string, string, error) {
 	defCertPath, defKeyPath := service.GetDefaultSSLCertsPath()

-	err := service.Copy(certPath, defCertPath, false)
+	err := service.Copy(certPath, defCertPath, true)
 	if err != nil {
 		return "", "", err
 	}

-	err = service.Copy(keyPath, defKeyPath, false)
+	err = service.Copy(keyPath, defKeyPath, true)
 	if err != nil {
 		return "", "", err
 	}
@@ -653,7 +655,19 @@ func MoveDirectory(originalPath, newPath string) error {
 	return os.Rename(originalPath, newPath)
 }

-// Deleet the file
-func (service *Service) Delete(filePath string) error {
-	return os.Remove(filePath)
+// StoreFDOProfileFileFromBytes creates a subfolder in the FDOProfileStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreFDOProfileFileFromBytes(fdoProfileIdentifier string, data []byte) (string, error) {
+	err := service.createDirectoryInStore(FDOProfileStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	filePath := JoinPaths(FDOProfileStorePath, fdoProfileIdentifier)
+	err = service.createFileInStore(filePath, bytes.NewReader(data))
+	if err != nil {
+		return "", err
+	}
+
+	return service.wrapFileStore(filePath), nil
 }
--- a/api/filesystem/filesystem_move_test.go
+++ b/api/filesystem/filesystem_move_test.go
@@ -1,7 +1,6 @@
 package filesystem

 import (
-	"fmt"
 	"os"
 	"path"
 	"testing"
@@ -9,41 +8,65 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-// temporary function until upgrade to 1.16
-func tempDir(t *testing.T) string {
-	tmpDir, err := os.MkdirTemp("", "dir")
-	assert.NoError(t, err, "MkdirTemp should not fail")
+func Test_movePath_shouldFailIfSourceDirDoesNotExist(t *testing.T) {
+	sourceDir := "missing"
+	destinationDir := t.TempDir()
+	file1 := addFile(destinationDir, "dir", "file")
+	file2 := addFile(destinationDir, "file")

-	return tmpDir
+	err := MoveDirectory(sourceDir, destinationDir)
+	assert.Error(t, err, "move directory should fail when source path is missing")
+	assert.FileExists(t, file1, "destination dir contents should remain")
+	assert.FileExists(t, file2, "destination dir contents should remain")
 }

-func Test_movePath_shouldFailIfOriginalPathDoesntExist(t *testing.T) {
-	tmpDir := tempDir(t)
-	missingPath := path.Join(tmpDir, "missing")
-	targetPath := path.Join(tmpDir, "target")
+func Test_movePath_shouldFailIfDestinationDirExists(t *testing.T) {
+	sourceDir := t.TempDir()
+	file1 := addFile(sourceDir, "dir", "file")
+	file2 := addFile(sourceDir, "file")
+	destinationDir := t.TempDir()
+	file3 := addFile(destinationDir, "dir", "file")
+	file4 := addFile(destinationDir, "file")

-	defer os.RemoveAll(tmpDir)
-
-	err := MoveDirectory(missingPath, targetPath)
-	assert.Error(t, err, "move directory should fail when target path exists")
+	err := MoveDirectory(sourceDir, destinationDir)
+	assert.Error(t, err, "move directory should fail when destination directory already exists")
+	assert.FileExists(t, file1, "source dir contents should remain")
+	assert.FileExists(t, file2, "source dir contents should remain")
+	assert.FileExists(t, file3, "destination dir contents should remain")
+	assert.FileExists(t, file4, "destination dir contents should remain")
 }

-func Test_movePath_shouldFailIfTargetPathDoesExist(t *testing.T) {
-	originalPath := tempDir(t)
-	missingPath := tempDir(t)
+func Test_movePath_successWhenSourceExistsAndDestinationIsMissing(t *testing.T) {
+	tmp := t.TempDir()
+	sourceDir := path.Join(tmp, "source")
+	os.Mkdir(sourceDir, 0766)
+	file1 := addFile(sourceDir, "dir", "file")
+	file2 := addFile(sourceDir, "file")
+	destinationDir := path.Join(tmp, "destination")

-	defer os.RemoveAll(originalPath)
-	defer os.RemoveAll(missingPath)
-
-	err := MoveDirectory(originalPath, missingPath)
-	assert.Error(t, err, "move directory should fail when target path exists")
-}
-
-func Test_movePath_success(t *testing.T) {
-	originalPath := tempDir(t)
-
-	defer os.RemoveAll(originalPath)
-
-	err := MoveDirectory(originalPath, fmt.Sprintf("%s-old", originalPath))
+	err := MoveDirectory(sourceDir, destinationDir)
 	assert.NoError(t, err)
+	assert.NoFileExists(t, file1, "source dir contents should be moved")
+	assert.NoFileExists(t, file2, "source dir contents should be moved")
+	assertFileContent(t, path.Join(destinationDir, "file"))
+	assertFileContent(t, path.Join(destinationDir, "dir", "file"))
+}
+
+var content []byte = []byte("content")
+
+func addFile(fileParts ...string) (filepath string) {
+	if len(fileParts) > 2 {
+		dir := path.Join(fileParts[:len(fileParts)-1]...)
+		os.MkdirAll(dir, 0766)
+	}
+
+	p := path.Join(fileParts...)
+	os.WriteFile(p, content, 0766)
+	return p
+}
+
+func assertFileContent(t *testing.T, filePath string) {
+	actualContent, err := os.ReadFile(filePath)
+	assert.NoErrorf(t, err, "failed to read file %s", filePath)
+	assert.Equal(t, content, actualContent, "file %s content doesn't match", filePath)
 }
--- a/api/go.mod
+++ b/api/go.mod
@@ -1,48 +1,45 @@
 module github.com/portainer/portainer/api

-go 1.16
+go 1.17

 require (
 	github.com/Microsoft/go-winio v0.4.17
-	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
+	github.com/andres-portainer/chisel v1.7.8-0.20220314202502-97e2b32f6bd8
 	github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535
 	github.com/aws/aws-sdk-go-v2 v1.11.1
 	github.com/aws/aws-sdk-go-v2/credentials v1.6.2
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.10.1
-	github.com/boltdb/bolt v1.3.1
-	github.com/containerd/containerd v1.5.7 // indirect
 	github.com/coreos/go-semver v0.3.0
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/docker/cli v20.10.9+incompatible
 	github.com/docker/docker v20.10.9+incompatible
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.3.0
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
 	github.com/go-git/go-git/v5 v5.3.0
 	github.com/go-ldap/ldap/v3 v3.1.8
 	github.com/gofrs/uuid v4.0.0+incompatible
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/gorilla/handlers v1.5.1
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/websocket v1.4.2
+	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/joho/godotenv v1.3.0
-	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
 	github.com/json-iterator/go v1.1.11
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
 	github.com/pkg/errors v0.9.1
-	github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19
+	github.com/portainer/docker-compose-wrapper v0.0.0-20220225003350-cec58db3549e
 	github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a
 	github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108
-	github.com/portainer/libhttp v0.0.0-20211021135806-13e6c55c5fbc
+	github.com/portainer/libhttp v0.0.0-20211208103139-07a5f798eb3f
+	github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.0
-	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
+	github.com/viney-shih/go-lock v1.1.1
+	go.etcd.io/bbolt v1.3.6
+	golang.org/x/crypto v0.0.0-20220307211146-efcb8507fb70
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
@@ -52,3 +49,74 @@ require (
 	k8s.io/client-go v0.22.2
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
+
+require (
+	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
+	github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 // indirect
+	github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 // indirect
+	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.1 // indirect
+	github.com/aws/smithy-go v1.9.0 // indirect
+	github.com/containerd/containerd v1.5.7 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-units v0.4.0 // indirect
+	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
+	github.com/felixge/httpsnoop v1.0.1 // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.3.1 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.1.0 // indirect
+	github.com/go-logr/logr v0.4.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jpillora/ansi v1.0.2 // indirect
+	github.com/jpillora/requestlog v1.0.0 // indirect
+	github.com/jpillora/sizestr v1.0.0 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.1.2 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
+	golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5 // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	google.golang.org/appengine v1.6.5 // indirect
+	google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
+	google.golang.org/grpc v1.33.2 // indirect
+	google.golang.org/protobuf v1.26.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.9.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e // indirect
+	k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.1.2 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)
--- a/api/go.sum
+++ b/api/go.sum
@@ -75,6 +75,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15 h1:AUNCr9CiJuwrRYS3XieqF+Z9B9gNxo/eANAJCF2eiN4=
 github.com/alecthomas/units v0.0.0-20210208195552-ff826a37aa15/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
 github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0=
+github.com/andres-portainer/chisel v1.7.8-0.20220314202502-97e2b32f6bd8 h1:jyKZnBKYNRl6TmNokn7Rp5YGr5f/NnabahCcAZ5NoSY=
+github.com/andres-portainer/chisel v1.7.8-0.20220314202502-97e2b32f6bd8/go.mod h1:KmC2waRLjHvJCPI2QPlzWcuretdka631DNOFLNx7PR4=
 github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 h1:axBiC50cNZOs7ygH5BgQp4N+aYrZ2DNpWZ1KG3VOSOM=
 github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2/go.mod h1:jnzFpU88PccN/tPPhCpnNU8mZphvKxYM9lLNkd8e+os=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
@@ -112,8 +114,6 @@ github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edY
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
-github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
 github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
 github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
@@ -290,14 +290,19 @@ github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs=
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
+github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA=
+github.com/fxamacker/cbor/v2 v2.3.0 h1:aM45YGMctNakddNNAezPxDUpv38j44Abh+hifNuqXik=
+github.com/fxamacker/cbor/v2 v2.3.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
 github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY=
@@ -394,7 +399,6 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
@@ -422,6 +426,8 @@ github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
+github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
+github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
@@ -429,8 +435,9 @@ github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyC
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
@@ -463,19 +470,18 @@ github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/jpillora/ansi v0.0.0-20170202005112-f496b27cd669 h1:l5rH/CnVVu+HPxjtxjM90nHrm4nov3j3RF9/62UjgLs=
-github.com/jpillora/ansi v0.0.0-20170202005112-f496b27cd669/go.mod h1:kOeLNvjNBGSV3uYtFjvb72+fnZCMFJF1XDvRIjdom0g=
-github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
-github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389 h1:K3JsoRqX6C4gmTvY4jqtFGCfK8uToj9DMahciJaoWwE=
-github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389/go.mod h1:wHQUFFnFySoqdAOzjHkTvb4DsVM1h/73PS9l2vnioRM=
-github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82 h1:7ufdyC3aMxFcCv+ABZy/dmIVGKFoGNBCqOgLYPIckD8=
-github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82/go.mod h1:w8buj+yNfmLEP0ENlbG/FRnK6bVmuhqXnukYCs9sDvY=
-github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9 h1:0c9jcgBtHRtDU//jTrcCgWG6UHjMZytiq/3WhraNgUM=
-github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9/go.mod h1:1ffp+CRe0eAwwRb0/BownUAjMBsmTLwgAvRbfj9dRwE=
+github.com/jpillora/ansi v1.0.2 h1:+Ei5HCAH0xsrQRCT2PDr4mq9r4Gm4tg+arNdXRkB22s=
+github.com/jpillora/ansi v1.0.2/go.mod h1:D2tT+6uzJvN1nBVQILYWkIdq7zG+b5gcFN5WI/VyjMY=
+github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
+github.com/jpillora/requestlog v1.0.0 h1:bg++eJ74T7DYL3DlIpiwknrtfdUA9oP/M4fL+PpqnyA=
+github.com/jpillora/requestlog v1.0.0/go.mod h1:HTWQb7QfDc2jtHnWe2XEIEeJB7gJPnVdpNn52HXPvy8=
+github.com/jpillora/sizestr v1.0.0 h1:4tr0FLxs1Mtq3TnsLDV+GYUWG7Q26a6s+tV5Zfw2ygw=
+github.com/jpillora/sizestr v1.0.0/go.mod h1:bUhLv4ctkknatr6gR42qPxirmd5+ds1u7mzD+MZ33f0=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -607,16 +613,14 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19 h1:tG2gU4mkm5yElj35XpU3lgllOYQxN3kaM1Jab7AqTDs=
-github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19/go.mod h1:WxDlJWZxCnicdLCPnLNEv7/gRhjeIVuCGmsv+iOPH3c=
+github.com/portainer/docker-compose-wrapper v0.0.0-20220225003350-cec58db3549e h1:wLnlzAXeVkjkZxuc81nEVUukl52fSEPUlOsUItrTK10=
+github.com/portainer/docker-compose-wrapper v0.0.0-20220225003350-cec58db3549e/go.mod h1:WxDlJWZxCnicdLCPnLNEv7/gRhjeIVuCGmsv+iOPH3c=
 github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a h1:qY8TbocN75n5PDl16o0uVr5MevtM5IhdwSelXEd4nFM=
 github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a/go.mod h1:n54EEIq+MM0NNtqLeCby8ljL+l275VpolXO0ibHegLE=
 github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108 h1:5e8KAnDa2G3cEHK7aV/ue8lOaoQwBZUzoALslwWkR04=
 github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108/go.mod h1:YvYAk7krKTzB+rFwDr0jQ3sQu2BtiXK1AR0sZH7nhJA=
-github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33 h1:H8HR2dHdBf8HANSkUyVw4o8+4tegGcd+zyKZ3e599II=
-github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33/go.mod h1:Y2TfgviWI4rT2qaOTHr+hq6MdKIE5YjgQAu7qwptTV0=
-github.com/portainer/libhttp v0.0.0-20211021135806-13e6c55c5fbc h1:vxVN9srGND+iA9oBmyFgtbtOvnmOCLmxw20ncYCJ5HA=
-github.com/portainer/libhttp v0.0.0-20211021135806-13e6c55c5fbc/go.mod h1:nyQA6IahOruIvENCcBk54aaUvV2WHFdXkvBjIutg+SY=
+github.com/portainer/libhttp v0.0.0-20211208103139-07a5f798eb3f h1:GMIjRVV2LADpJprPG2+8MdRH6XvrFgC7wHm7dFUdOpc=
+github.com/portainer/libhttp v0.0.0-20211208103139-07a5f798eb3f/go.mod h1:nyQA6IahOruIvENCcBk54aaUvV2WHFdXkvBjIutg+SY=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -647,6 +651,8 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777 h1:rDj3WeO+TiWyxfcydUnKegWAZoR5kQsnW0wzhggdOrw=
+github.com/rkl-/digest v0.0.0-20180419075440-8316caa4a777/go.mod h1:xRVvTK+cS/dJSvrOufGUQFWfgvE7yXExeng96n8377o=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
@@ -712,6 +718,8 @@ github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/viney-shih/go-lock v1.1.1 h1:SwzDPPAiHpcwGCr5k8xD15d2gQSo8d4roRYd7TDV2eI=
+github.com/viney-shih/go-lock v1.1.1/go.mod h1:Yijm78Ljteb3kRiJrbLAxVntkUukGu5uzSxq/xV7OO8=
 github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
@@ -720,6 +728,8 @@ github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
 github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/ssh-agent v0.3.0 h1:wUMzuKtKilRgBAD1sUb8gOwwRr2FGoBVumcjoOACClI=
 github.com/xanzy/ssh-agent v0.3.0/go.mod h1:3s9xbODqPuuhK9JV1R321M/FlMZSBvE5aY6eAcqrDh0=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
@@ -739,6 +749,8 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
+go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -752,7 +764,6 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -764,8 +775,10 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220307211146-efcb8507fb70 h1:syTAU9FwmvzEoIYMqcPHOcVm4H3U5u90WsvuYgwpETU=
+golang.org/x/crypto v0.0.0-20220307211146-efcb8507fb70/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -800,7 +813,6 @@ golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -833,8 +845,11 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k=
-golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE=
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f h1:oA4XRj0qtSt8Yo1Zms0CUlsT3KG69V2UGQWPBxujDmc=
+golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -847,6 +862,7 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -855,7 +871,6 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181019160139-8e24a49d80f8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -905,6 +920,7 @@ golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -916,20 +932,27 @@ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5 h1:y/woIyUBFbpQGKS0u1aHF/40WUDnek3fPOyD08H5Vng=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/api/hostmanagement/fdo/owner_client.go
+++ b/api/hostmanagement/fdo/owner_client.go
@@ -0,0 +1,235 @@
+package fdo
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/rkl-/digest"
+)
+
+type FDOOwnerClient struct {
+	OwnerURL string
+	Username string
+	Password string
+	Timeout  time.Duration
+}
+
+type ServiceInfo struct {
+	Module   string
+	Var      string
+	Filename string
+	Bytes    []byte
+	GUID     string
+	Device   string
+	Priority int
+	OS       string
+	Version  string
+	Arch     string
+	CRID     int
+	Hash     string
+}
+
+func (c FDOOwnerClient) doDigestAuthReq(method, endpoint, contentType string, body io.Reader) (*http.Response, error) {
+	transport := digest.NewTransport(c.Username, c.Password)
+
+	client, err := transport.Client()
+	if err != nil {
+		return nil, err
+	}
+	client.Timeout = c.Timeout
+
+	e, err := url.Parse(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	u, err := url.Parse(c.OwnerURL)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(method, u.ResolveReference(e).String(), body)
+	if err != nil {
+		return nil, err
+	}
+
+	if contentType != "" {
+		req.Header.Set("Content-Type", contentType)
+	}
+
+	return client.Do(req)
+}
+
+func (c FDOOwnerClient) PostVoucher(ov []byte) (string, error) {
+	resp, err := c.doDigestAuthReq(
+		http.MethodPost,
+		"api/v1/owner/vouchers",
+		"application/cbor",
+		bytes.NewReader(ov),
+	)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return string(body), nil
+}
+
+func (c FDOOwnerClient) PutDeviceSVI(info ServiceInfo) error {
+	values := url.Values{}
+	values.Set("module", info.Module)
+	values.Set("var", info.Var)
+	values.Set("filename", info.Filename)
+	values.Set("guid", info.GUID)
+	values.Set("device", info.Device)
+	values.Set("priority", strconv.Itoa(info.Priority))
+	values.Set("os", info.OS)
+	values.Set("version", info.Version)
+	values.Set("arch", info.Arch)
+	values.Set("crid", strconv.Itoa(info.CRID))
+	values.Set("hash", info.Hash)
+
+	resp, err := c.doDigestAuthReq(
+		http.MethodPut,
+		"api/v1/device/svi?"+values.Encode(),
+		"application/octet-stream",
+		strings.NewReader(string(info.Bytes)),
+	)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func (c FDOOwnerClient) PutDeviceSVIRaw(info url.Values, body []byte) error {
+	resp, err := c.doDigestAuthReq(
+		http.MethodPut,
+		"api/v1/device/svi?"+info.Encode(),
+		"application/octet-stream",
+		strings.NewReader(string(body)),
+	)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func (c FDOOwnerClient) GetVouchers() ([]string, error) {
+	resp, err := c.doDigestAuthReq(
+		http.MethodGet,
+		"api/v1/owner/vouchers",
+		"",
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	contents, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	guids := strings.FieldsFunc(
+		strings.TrimSpace(string(contents)),
+		func(c rune) bool {
+			return c == ','
+		},
+	)
+
+	return guids, nil
+}
+
+func (c FDOOwnerClient) DeleteVoucher(guid string) error {
+	resp, err := c.doDigestAuthReq(
+		http.MethodDelete,
+		"api/v1/owner/vouchers?id="+guid,
+		"",
+		nil,
+	)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
+
+func (c FDOOwnerClient) GetDeviceSVI(guid string) (string, error) {
+	resp, err := c.doDigestAuthReq(
+		http.MethodGet,
+		"api/v1/device/svi?guid="+guid,
+		"",
+		nil,
+	)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return string(body), nil
+}
+
+func (c FDOOwnerClient) DeleteDeviceSVI(id string) error {
+	resp, err := c.doDigestAuthReq(
+		http.MethodDelete,
+		"api/v1/device/svi?id="+id,
+		"",
+		nil,
+	)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return errors.New(http.StatusText(resp.StatusCode))
+	}
+
+	return nil
+}
--- a/api/hostmanagement/openamt/authorization.go
+++ b/api/hostmanagement/openamt/authorization.go
@@ -14,39 +14,39 @@ type authenticationResponse struct {
 	Token string `json:"token"`
 }

-func (service *Service) executeAuthenticationRequest(configuration portainer.OpenAMTConfiguration) (*authenticationResponse, error) {
+func (service *Service) Authorization(configuration portainer.OpenAMTConfiguration) (string, error) {
 	loginURL := fmt.Sprintf("https://%s/mps/login/api/v1/authorize", configuration.MPSServer)

 	payload := map[string]string{
-		"username": configuration.Credentials.MPSUser,
-		"password": configuration.Credentials.MPSPassword,
+		"username": configuration.MPSUser,
+		"password": configuration.MPSPassword,
 	}
 	jsonValue, _ := json.Marshal(payload)

 	req, err := http.NewRequest(http.MethodPost, loginURL, bytes.NewBuffer(jsonValue))
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	req.Header.Set("Content-Type", "application/json")

 	response, err := service.httpsClient.Do(req)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	responseBody, readErr := ioutil.ReadAll(response.Body)
 	if readErr != nil {
-		return nil, readErr
+		return "", readErr
 	}
 	errorResponse := parseError(responseBody)
 	if errorResponse != nil {
-		return nil, errorResponse
+		return "", errorResponse
 	}

 	var token authenticationResponse
 	err = json.Unmarshal(responseBody, &token)
 	if err != nil {
-		return nil, err
+		return "", err
 	}

-	return &token, nil
+	return token.Token, nil
 }
--- a/api/hostmanagement/openamt/configCIRA.go
+++ b/api/hostmanagement/openamt/configCIRA.go
@@ -4,7 +4,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -47,7 +46,7 @@ func (service *Service) createOrUpdateCIRAConfig(configuration portainer.OpenAMT
 func (service *Service) getCIRAConfig(configuration portainer.OpenAMTConfiguration, configName string) (*CIRAConfig, error) {
 	url := fmt.Sprintf("https://%s/rps/api/v1/admin/ciraconfigs/%s", configuration.MPSServer, configName)

-	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	responseBody, err := service.executeGetRequest(url, configuration.MPSToken)
 	if err != nil {
 		return nil, err
 	}
@@ -89,7 +88,7 @@ func (service *Service) saveCIRAConfig(method string, configuration portainer.Op
 	}
 	payload, _ := json.Marshal(config)

-	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	responseBody, err := service.executeSaveRequest(method, url, configuration.MPSToken, payload)
 	if err != nil {
 		return nil, err
 	}
@@ -123,7 +122,7 @@ func (service *Service) getCIRACertificate(configuration portainer.OpenAMTConfig
 	if err != nil {
 		return "", err
 	}
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", configuration.Credentials.MPSToken))
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", configuration.MPSToken))

 	response, err := service.httpsClient.Do(req)
 	if err != nil {
@@ -131,7 +130,7 @@ func (service *Service) getCIRACertificate(configuration portainer.OpenAMTConfig
 	}

 	if response.StatusCode != http.StatusOK {
-		return "", errors.New(fmt.Sprintf("unexpected status code %s", response.Status))
+		return "", fmt.Errorf("unexpected status code %s", response.Status)
 	}

 	certificate, err := io.ReadAll(response.Body)
--- a/api/hostmanagement/openamt/configDevice.go
+++ b/api/hostmanagement/openamt/configDevice.go
@@ -0,0 +1,87 @@
+package openamt
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type Device struct {
+	GUID             string `json:"guid"`
+	HostName         string `json:"hostname"`
+	ConnectionStatus bool   `json:"connectionStatus"`
+}
+
+type DevicePowerState struct {
+	State portainer.PowerState `json:"powerstate"`
+}
+
+type DeviceEnabledFeatures struct {
+	Redirection bool   `json:"redirection"`
+	KVM         bool   `json:"KVM"`
+	SOL         bool   `json:"SOL"`
+	IDER        bool   `json:"IDER"`
+	UserConsent string `json:"userConsent"`
+}
+
+func (service *Service) getDevice(configuration portainer.OpenAMTConfiguration, deviceGUID string) (*Device, error) {
+	url := fmt.Sprintf("https://%s/mps/api/v1/devices/%s", configuration.MPSServer, deviceGUID)
+
+	responseBody, err := service.executeGetRequest(url, configuration.MPSToken)
+	if err != nil {
+		if strings.EqualFold(err.Error(), "invalid value") {
+			return nil, nil
+		}
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result Device
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func (service *Service) getDevicePowerState(configuration portainer.OpenAMTConfiguration, deviceGUID string) (*DevicePowerState, error) {
+	url := fmt.Sprintf("https://%s/mps/api/v1/amt/power/state/%s", configuration.MPSServer, deviceGUID)
+
+	responseBody, err := service.executeGetRequest(url, configuration.MPSToken)
+	if err != nil {
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result DevicePowerState
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
+
+func (service *Service) getDeviceEnabledFeatures(configuration portainer.OpenAMTConfiguration, deviceGUID string) (*DeviceEnabledFeatures, error) {
+	url := fmt.Sprintf("https://%s/mps/api/v1/amt/features/%s", configuration.MPSServer, deviceGUID)
+
+	responseBody, err := service.executeGetRequest(url, configuration.MPSToken)
+	if err != nil {
+		return nil, err
+	}
+	if responseBody == nil {
+		return nil, nil
+	}
+
+	var result DeviceEnabledFeatures
+	err = json.Unmarshal(responseBody, &result)
+	if err != nil {
+		return nil, err
+	}
+	return &result, nil
+}
--- a/api/hostmanagement/openamt/configDomain.go
+++ b/api/hostmanagement/openamt/configDomain.go
@@ -37,9 +37,9 @@ func (service *Service) createOrUpdateDomain(configuration portainer.OpenAMTConf
 }

 func (service *Service) getDomain(configuration portainer.OpenAMTConfiguration) (*Domain, error) {
-	url := fmt.Sprintf("https://%s/rps/api/v1/admin/domains/%s", configuration.MPSServer, configuration.DomainConfiguration.DomainName)
+	url := fmt.Sprintf("https://%s/rps/api/v1/admin/domains/%s", configuration.MPSServer, configuration.DomainName)

-	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	responseBody, err := service.executeGetRequest(url, configuration.MPSToken)
 	if err != nil {
 		return nil, err
 	}
@@ -59,15 +59,15 @@ func (service *Service) saveDomain(method string, configuration portainer.OpenAM
 	url := fmt.Sprintf("https://%s/rps/api/v1/admin/domains", configuration.MPSServer)

 	profile := Domain{
-		DomainName:                    configuration.DomainConfiguration.DomainName,
-		DomainSuffix:                  configuration.DomainConfiguration.DomainName,
-		ProvisioningCert:              configuration.DomainConfiguration.CertFileText,
-		ProvisioningCertPassword:      configuration.DomainConfiguration.CertPassword,
+		DomainName:                    configuration.DomainName,
+		DomainSuffix:                  configuration.DomainName,
+		ProvisioningCert:              configuration.CertFileContent,
+		ProvisioningCertPassword:      configuration.CertFilePassword,
 		ProvisioningCertStorageFormat: "string",
 	}
 	payload, _ := json.Marshal(profile)

-	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	responseBody, err := service.executeSaveRequest(method, url, configuration.MPSToken, payload)
 	if err != nil {
 		return nil, err
 	}
--- a/api/hostmanagement/openamt/configProfile.go
+++ b/api/hostmanagement/openamt/configProfile.go
@@ -29,7 +29,7 @@ type (
 	}
 )

-func (service *Service) createOrUpdateAMTProfile(configuration portainer.OpenAMTConfiguration, profileName string, ciraConfigName string, wirelessConfig string) (*Profile, error) {
+func (service *Service) createOrUpdateAMTProfile(configuration portainer.OpenAMTConfiguration, profileName string, ciraConfigName string) (*Profile, error) {
 	profile, err := service.getAMTProfile(configuration, profileName)
 	if err != nil {
 		return nil, err
@@ -40,7 +40,7 @@ func (service *Service) createOrUpdateAMTProfile(configuration portainer.OpenAMT
 		method = http.MethodPatch
 	}

-	profile, err = service.saveAMTProfile(method, configuration, profileName, ciraConfigName, wirelessConfig)
+	profile, err = service.saveAMTProfile(method, configuration, profileName, ciraConfigName)
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +50,7 @@ func (service *Service) createOrUpdateAMTProfile(configuration portainer.OpenAMT
 func (service *Service) getAMTProfile(configuration portainer.OpenAMTConfiguration, profileName string) (*Profile, error) {
 	url := fmt.Sprintf("https://%s/rps/api/v1/admin/profiles/%s", configuration.MPSServer, profileName)

-	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
+	responseBody, err := service.executeGetRequest(url, configuration.MPSToken)
 	if err != nil {
 		return nil, err
 	}
@@ -66,7 +66,7 @@ func (service *Service) getAMTProfile(configuration portainer.OpenAMTConfigurati
 	return &result, nil
 }

-func (service *Service) saveAMTProfile(method string, configuration portainer.OpenAMTConfiguration, profileName string, ciraConfigName string, wirelessConfig string) (*Profile, error) {
+func (service *Service) saveAMTProfile(method string, configuration portainer.OpenAMTConfiguration, profileName string, ciraConfigName string) (*Profile, error) {
 	url := fmt.Sprintf("https://%s/rps/api/v1/admin/profiles", configuration.MPSServer)

 	profile := Profile{
@@ -74,23 +74,15 @@ func (service *Service) saveAMTProfile(method string, configuration portainer.Op
 		Activation:                 "acmactivate",
 		GenerateRandomAMTPassword:  false,
 		GenerateRandomMEBxPassword: false,
-		AMTPassword:                configuration.Credentials.MPSPassword,
-		MEBXPassword:               configuration.Credentials.MPSPassword,
+		AMTPassword:                configuration.MPSPassword,
+		MEBXPassword:               configuration.MPSPassword,
 		CIRAConfigName:             &ciraConfigName,
 		Tags:                       []string{},
 		DHCPEnabled:                true,
 	}
-	if wirelessConfig != "" {
-		profile.WIFIConfigs = []ProfileWifiConfig{
-			{
-				Priority:    1,
-				ProfileName: DefaultWirelessConfigName,
-			},
-		}
-	}
 	payload, _ := json.Marshal(profile)

-	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
+	responseBody, err := service.executeSaveRequest(method, url, configuration.MPSToken, payload)
 	if err != nil {
 		return nil, err
 	}
--- a/api/hostmanagement/openamt/configWireless.go
+++ b/api/hostmanagement/openamt/configWireless.go
@@ -1,91 +0,0 @@
-package openamt
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"strconv"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-type (
-	WirelessProfile struct {
-		ProfileName          string `json:"profileName"`
-		AuthenticationMethod int    `json:"authenticationMethod"`
-		EncryptionMethod     int    `json:"encryptionMethod"`
-		SSID                 string `json:"ssid"`
-		PSKPassphrase        string `json:"pskPassphrase"`
-	}
-)
-
-func (service *Service) createOrUpdateWirelessConfig(configuration portainer.OpenAMTConfiguration, wirelessConfigName string) (*WirelessProfile, error) {
-	wirelessConfig, err := service.getWirelessConfig(configuration, wirelessConfigName)
-	if err != nil {
-		return nil, err
-	}
-
-	method := http.MethodPost
-	if wirelessConfig != nil {
-		method = http.MethodPatch
-	}
-
-	wirelessConfig, err = service.saveWirelessConfig(method, configuration, wirelessConfigName)
-	if err != nil {
-		return nil, err
-	}
-	return wirelessConfig, nil
-}
-
-func (service *Service) getWirelessConfig(configuration portainer.OpenAMTConfiguration, configName string) (*WirelessProfile, error) {
-	url := fmt.Sprintf("https://%s/rps/api/v1/admin/wirelessconfigs/%s", configuration.MPSServer, configName)
-
-	responseBody, err := service.executeGetRequest(url, configuration.Credentials.MPSToken)
-	if err != nil {
-		return nil, err
-	}
-	if responseBody == nil {
-		return nil, nil
-	}
-
-	var result WirelessProfile
-	err = json.Unmarshal(responseBody, &result)
-	if err != nil {
-		return nil, err
-	}
-	return &result, nil
-}
-
-func (service *Service) saveWirelessConfig(method string, configuration portainer.OpenAMTConfiguration, configName string) (*WirelessProfile, error) {
-	parsedAuthenticationMethod, err := strconv.Atoi(configuration.WirelessConfiguration.AuthenticationMethod)
-	if err != nil {
-		return nil, fmt.Errorf("error parsing wireless authentication method: %s", err.Error())
-	}
-	parsedEncryptionMethod, err := strconv.Atoi(configuration.WirelessConfiguration.EncryptionMethod)
-	if err != nil {
-		return nil, fmt.Errorf("error parsing wireless encryption method: %s", err.Error())
-	}
-
-	url := fmt.Sprintf("https://%s/rps/api/v1/admin/wirelessconfigs", configuration.MPSServer)
-
-	config := WirelessProfile{
-		ProfileName:          configName,
-		AuthenticationMethod: parsedAuthenticationMethod,
-		EncryptionMethod:     parsedEncryptionMethod,
-		SSID:                 configuration.WirelessConfiguration.SSID,
-		PSKPassphrase:        configuration.WirelessConfiguration.PskPass,
-	}
-	payload, _ := json.Marshal(config)
-
-	responseBody, err := service.executeSaveRequest(method, url, configuration.Credentials.MPSToken, payload)
-	if err != nil {
-		return nil, err
-	}
-
-	var result WirelessProfile
-	err = json.Unmarshal(responseBody, &result)
-	if err != nil {
-		return nil, err
-	}
-	return &result, nil
-}
--- a/api/hostmanagement/openamt/deviceActions.go
+++ b/api/hostmanagement/openamt/deviceActions.go
@@ -0,0 +1,55 @@
+package openamt
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+type ActionResponse struct {
+	Body struct {
+		ReturnValue    int    `json:"ReturnValue"`
+		ReturnValueStr string `json:"ReturnValueStr"`
+	} `json:"Body"`
+}
+
+func (service *Service) executeDeviceAction(configuration portainer.OpenAMTConfiguration, deviceGUID string, action int) error {
+	url := fmt.Sprintf("https://%s/mps/api/v1/amt/power/action/%s", configuration.MPSServer, deviceGUID)
+
+	payload := map[string]int{
+		"action": action,
+	}
+	jsonValue, _ := json.Marshal(payload)
+
+	responseBody, err := service.executeSaveRequest(http.MethodPost, url, configuration.MPSToken, jsonValue)
+	if err != nil {
+		return err
+	}
+
+	var response ActionResponse
+	err = json.Unmarshal(responseBody, &response)
+	if err != nil {
+		return err
+	}
+
+	if response.Body.ReturnValue != 0 {
+		return fmt.Errorf("failed to execute action, error status %v: %s", response.Body.ReturnValue, response.Body.ReturnValueStr)
+	}
+
+	return nil
+}
+
+func parseAction(actionRaw string) (portainer.PowerState, error) {
+	switch strings.ToLower(actionRaw) {
+	case "power on":
+		return powerOnState, nil
+	case "power off":
+		return powerOffState, nil
+	case "restart":
+		return restartState, nil
+	}
+	return 0, fmt.Errorf("unsupported device action %s", actionRaw)
+}
--- a/api/hostmanagement/openamt/deviceFeatures.go
+++ b/api/hostmanagement/openamt/deviceFeatures.go
@@ -0,0 +1,29 @@
+package openamt
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+)
+
+func (service *Service) enableDeviceFeatures(configuration portainer.OpenAMTConfiguration, deviceGUID string, features portainer.OpenAMTDeviceEnabledFeatures) error {
+	url := fmt.Sprintf("https://%s/mps/api/v1/amt/features/%s", configuration.MPSServer, deviceGUID)
+
+	payload := map[string]interface{}{
+		"enableSOL":   features.SOL,
+		"enableIDER":  features.IDER,
+		"enableKVM":   features.KVM,
+		"redirection": features.Redirection,
+		"userConsent": features.UserConsent,
+	}
+	jsonValue, _ := json.Marshal(payload)
+
+	_, err := service.executeSaveRequest(http.MethodPost, url, configuration.MPSToken, jsonValue)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@@ -11,13 +11,18 @@ import (
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
+	"golang.org/x/sync/errgroup"
 )

 const (
-	DefaultCIRAConfigName     = "ciraConfigDefault"
-	DefaultWirelessConfigName = "wirelessProfileDefault"
-	DefaultProfileName        = "profileAMTDefault"
+	DefaultCIRAConfigName = "ciraConfigDefault"
+	DefaultProfileName    = "profileAMTDefault"
+
+	httpClientTimeout = 5 * time.Minute
+
+	powerOnState  portainer.PowerState = 2
+	powerOffState portainer.PowerState = 8
+	restartState  portainer.PowerState = 5
 )

 // Service represents a service for managing an OpenAMT server.
@@ -26,13 +31,10 @@ type Service struct {
 }

 // NewService initializes a new service.
-func NewService(dataStore dataservices.DataStore) *Service {
-	if !dataStore.Settings().IsFeatureFlagEnabled(portainer.FeatOpenAMT) {
-		return nil
-	}
+func NewService() *Service {
 	return &Service{
 		httpsClient: &http.Client{
-			Timeout: time.Second * time.Duration(5),
+			Timeout: httpClientTimeout,
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
@@ -63,28 +65,19 @@ func parseError(responseBody []byte) error {
 	return nil
 }

-func (service *Service) ConfigureDefault(configuration portainer.OpenAMTConfiguration) error {
-	token, err := service.executeAuthenticationRequest(configuration)
+func (service *Service) Configure(configuration portainer.OpenAMTConfiguration) error {
+	token, err := service.Authorization(configuration)
 	if err != nil {
 		return err
 	}
-	configuration.Credentials.MPSToken = token.Token
+	configuration.MPSToken = token

 	ciraConfig, err := service.createOrUpdateCIRAConfig(configuration, DefaultCIRAConfigName)
 	if err != nil {
 		return err
 	}

-	wirelessConfigName := ""
-	if configuration.WirelessConfiguration != nil {
-		wirelessConfig, err := service.createOrUpdateWirelessConfig(configuration, DefaultWirelessConfigName)
-		if err != nil {
-			return err
-		}
-		wirelessConfigName = wirelessConfig.ProfileName
-	}
-
-	_, err = service.createOrUpdateAMTProfile(configuration, DefaultProfileName, ciraConfig.ConfigName, wirelessConfigName)
+	_, err = service.createOrUpdateAMTProfile(configuration, DefaultProfileName, ciraConfig.ConfigName)
 	if err != nil {
 		return err
 	}
@@ -119,7 +112,7 @@ func (service *Service) executeSaveRequest(method string, url string, token stri
 		if errorResponse != nil {
 			return nil, errorResponse
 		}
-		return nil, errors.New(fmt.Sprintf("unexpected status code %s", response.Status))
+		return nil, fmt.Errorf("unexpected status code %s", response.Status)
 	}

 	return responseBody, nil
@@ -151,8 +144,110 @@ func (service *Service) executeGetRequest(url string, token string) ([]byte, err
 		if errorResponse != nil {
 			return nil, errorResponse
 		}
-		return nil, errors.New(fmt.Sprintf("unexpected status code %s", response.Status))
+		return nil, fmt.Errorf("unexpected status code %s", response.Status)
 	}

 	return responseBody, nil
 }
+
+func (service *Service) DeviceInformation(configuration portainer.OpenAMTConfiguration, deviceGUID string) (*portainer.OpenAMTDeviceInformation, error) {
+	token, err := service.Authorization(configuration)
+	if err != nil {
+		return nil, err
+	}
+	configuration.MPSToken = token
+
+	var g errgroup.Group
+	var resultDevice *Device
+	var resultPowerState *DevicePowerState
+	var resultEnabledFeatures *DeviceEnabledFeatures
+
+	g.Go(func() error {
+		device, err := service.getDevice(configuration, deviceGUID)
+		if err != nil {
+			return err
+		}
+		if device == nil {
+			return fmt.Errorf("device %s not found", deviceGUID)
+		}
+		resultDevice = device
+		return nil
+	})
+
+	g.Go(func() error {
+		powerState, err := service.getDevicePowerState(configuration, deviceGUID)
+		if err != nil {
+			return err
+		}
+		resultPowerState = powerState
+		return nil
+	})
+
+	g.Go(func() error {
+		enabledFeatures, err := service.getDeviceEnabledFeatures(configuration, deviceGUID)
+		if err != nil {
+			return err
+		}
+		resultEnabledFeatures = enabledFeatures
+		return nil
+	})
+
+	if err := g.Wait(); err != nil {
+		return nil, err
+	}
+
+	deviceInformation := &portainer.OpenAMTDeviceInformation{
+		GUID:             resultDevice.GUID,
+		HostName:         resultDevice.HostName,
+		ConnectionStatus: resultDevice.ConnectionStatus,
+	}
+	if resultPowerState != nil {
+		deviceInformation.PowerState = resultPowerState.State
+	}
+	if resultEnabledFeatures != nil {
+		deviceInformation.EnabledFeatures = &portainer.OpenAMTDeviceEnabledFeatures{
+			Redirection: resultEnabledFeatures.Redirection,
+			KVM:         resultEnabledFeatures.KVM,
+			SOL:         resultEnabledFeatures.SOL,
+			IDER:        resultEnabledFeatures.IDER,
+			UserConsent: resultEnabledFeatures.UserConsent,
+		}
+	}
+
+	return deviceInformation, nil
+}
+
+func (service *Service) ExecuteDeviceAction(configuration portainer.OpenAMTConfiguration, deviceGUID string, action string) error {
+	parsedAction, err := parseAction(action)
+	if err != nil {
+		return err
+	}
+
+	token, err := service.Authorization(configuration)
+	if err != nil {
+		return err
+	}
+	configuration.MPSToken = token
+
+	err = service.executeDeviceAction(configuration, deviceGUID, int(parsedAction))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (service *Service) EnableDeviceFeatures(configuration portainer.OpenAMTConfiguration, deviceGUID string, features portainer.OpenAMTDeviceEnabledFeatures) (string, error) {
+	token, err := service.Authorization(configuration)
+	if err != nil {
+		return "", err
+	}
+	configuration.MPSToken = token
+
+	err = service.enableDeviceFeatures(configuration, deviceGUID, features)
+	if err != nil {
+		return "", err
+	}
+
+	return token, nil
+}
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -12,6 +12,7 @@ import (
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/internal/authorization"
 )

 type authenticatePayload struct {
@@ -49,7 +50,7 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 // @failure 422 "Invalid Credentials"
 // @failure 500 "Server error"
 // @router /auth [post]
-func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload authenticatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
@@ -61,39 +62,36 @@ func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

-	u, err := handler.DataStore.User().UserByUsername(payload.Username)
-	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	user, err := handler.DataStore.User().UserByUsername(payload.Username)
+	if err != nil {
+		if !handler.DataStore.IsErrObjectNotFound(err) {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+		}
+
+		if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
+			settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
+			(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
+			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+		}
 	}

-	if handler.DataStore.IsErrObjectNotFound(err) && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+	if user != nil && isUserInitialAdmin(user) || settings.AuthenticationMethod == portainer.AuthenticationInternal {
+		return handler.authenticateInternal(rw, user, payload.Password)
+	}
+
+	if settings.AuthenticationMethod == portainer.AuthenticationOAuth {
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Only initial admin is allowed to login without oauth", httperrors.ErrUnauthorized}
 	}

 	if settings.AuthenticationMethod == portainer.AuthenticationLDAP {
-		if u == nil && settings.LDAPSettings.AutoCreateUsers {
-			return handler.authenticateLDAPAndCreateUser(w, payload.Username, payload.Password, &settings.LDAPSettings)
-		} else if u == nil && !settings.LDAPSettings.AutoCreateUsers {
-			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
-		}
-		return handler.authenticateLDAP(w, u, payload.Password, &settings.LDAPSettings)
+		return handler.authenticateLDAP(rw, user, payload.Username, payload.Password, &settings.LDAPSettings)
 	}

-	return handler.authenticateInternal(w, u, payload.Password)
+	return &httperror.HandlerError{http.StatusUnprocessableEntity, "Login method is not supported", httperrors.ErrUnauthorized}
 }

-func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
-	err := handler.LDAPService.AuthenticateUser(user.Username, password, ldapSettings)
-	if err != nil {
-		return handler.authenticateInternal(w, user, password)
-	}
-
-	err = handler.addUserIntoTeams(user, ldapSettings)
-	if err != nil {
-		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
-	}
-
-	return handler.writeToken(w, user)
+func isUserInitialAdmin(user *portainer.User) bool {
+	return int(user.ID) == 1
 }

 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
@@ -105,20 +103,27 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
 	return handler.writeToken(w, user)
 }

-func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
+func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
 	err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", err}
+		return &httperror.HandlerError{
+			StatusCode: http.StatusForbidden,
+			Message:    "Only initial admin is allowed to login without oauth",
+			Err:        err,
+		}
 	}

-	user := &portainer.User{
-		Username: username,
-		Role:     portainer.StandardUserRole,
-	}
+	if user == nil {
+		user = &portainer.User{
+			Username:                username,
+			Role:                    portainer.StandardUserRole,
+			PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
+		}

-	err = handler.DataStore.User().Create(user)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		err = handler.DataStore.User().Create(user)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		}
 	}

 	err = handler.addUserIntoTeams(user, ldapSettings)
@@ -130,7 +135,9 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 }

 func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
-	return handler.persistAndWriteToken(w, composeTokenData(user))
+	tokenData := composeTokenData(user)
+
+	return handler.persistAndWriteToken(w, tokenData)
 }

 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"log"
 	"net/http"
+	"os"
 	"regexp"
 	"strconv"

@@ -271,14 +272,19 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 	if err != nil {
 		return nil, err
 	}
+	isValidProject := true
+	defer func() {
+		if !isValidProject {
+			if err := handler.FileService.RemoveDirectory(projectPath); err != nil {
+				log.Printf("[WARN] [http,customtemplate,git] [error: %s] [message: unable to remove git repository directory]", err)
+			}
+		}
+	}()

 	entryPath := filesystem.JoinPaths(projectPath, customTemplate.EntryPoint)
-
 	exists, err := handler.FileService.FileExists(entryPath)
 	if err != nil || !exists {
-		if err := handler.FileService.RemoveDirectory(projectPath); err != nil {
-			log.Printf("[WARN] [http,customtemplate,git] [error: %s] [message: unable to remove git repository directory]", err)
-		}
+		isValidProject = false
 	}

 	if err != nil {
@@ -289,6 +295,16 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 		return nil, errors.New("Invalid Compose file, ensure that the Compose file path is correct")
 	}

+	info, err := os.Lstat(entryPath)
+	if err != nil {
+		isValidProject = false
+		return nil, err
+	}
+	if info.Mode()&os.ModeSymlink != 0 { // entry is a symlink
+		isValidProject = false
+		return nil, errors.New("Invalid Compose file, ensure that the Compose file is not a symbolic link")
+	}
+
 	return customTemplate, nil
 }

--- a/api/http/handler/edgestacks/edgestack_create.go
+++ b/api/http/handler/edgestacks/edgestack_create.go
@@ -159,7 +159,7 @@ func (handler *Handler) createSwarmStackFromFileContent(r *http.Request) (*porta
 		return nil, fmt.Errorf("Unable to update endpoint relations: %w", err)
 	}

-	err = handler.DataStore.EdgeStack().Create(stack)
+	err = handler.DataStore.EdgeStack().Create(stack.ID, stack)
 	if err != nil {
 		return nil, err
 	}
@@ -274,7 +274,7 @@ func (handler *Handler) createSwarmStackFromGitRepository(r *http.Request) (*por
 		return nil, fmt.Errorf("Unable to update endpoint relations: %w", err)
 	}

-	err = handler.DataStore.EdgeStack().Create(stack)
+	err = handler.DataStore.EdgeStack().Create(stack.ID, stack)
 	if err != nil {
 		return nil, err
 	}
@@ -381,7 +381,7 @@ func (handler *Handler) createSwarmStackFromFileUpload(r *http.Request) (*portai
 		return nil, fmt.Errorf("Unable to update endpoint relations: %w", err)
 	}

-	err = handler.DataStore.EdgeStack().Create(stack)
+	err = handler.DataStore.EdgeStack().Create(stack.ID, stack)
 	if err != nil {
 		return nil, err
 	}
--- a/api/http/handler/endpointproxy/handler.go
+++ b/api/http/handler/endpointproxy/handler.go
@@ -34,7 +34,5 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
 	h.PathPrefix("/{id}/agent/kubernetes").Handler(
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToKubernetesAPI)))
-	h.PathPrefix("/{id}/storidge").Handler(
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToStoridgeAPI)))
 	return h
 }
--- a/api/http/handler/endpointproxy/proxy_docker.go
+++ b/api/http/handler/endpointproxy/proxy_docker.go
@@ -4,9 +4,9 @@ import (
 	"errors"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
+	portainer "github.com/portainer/portainer/api"
 	"strconv"
 	"strings"
-	portainer "github.com/portainer/portainer/api"

 	"net/http"
 )
--- a/api/http/handler/endpointproxy/proxy_storidge.go
+++ b/api/http/handler/endpointproxy/proxy_storidge.go
@@ -1,59 +0,0 @@
-package endpointproxy
-
-// TODO: legacy extension management
-
-import (
-	"errors"
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	portainer "github.com/portainer/portainer/api"
-
-	"net/http"
-)
-
-func (handler *Handler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid environment identifier route variable", err}
-	}
-
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
-	if handler.DataStore.IsErrObjectNotFound(err) {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an environment with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an environment with the specified identifier inside the database", err}
-	}
-
-	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access environment", err}
-	}
-
-	var storidgeExtension *portainer.EndpointExtension
-	for _, extension := range endpoint.Extensions {
-		if extension.Type == portainer.StoridgeEndpointExtension {
-			storidgeExtension = &extension
-		}
-	}
-
-	if storidgeExtension == nil {
-		return &httperror.HandlerError{http.StatusServiceUnavailable, "Storidge extension not supported on this environment", errors.New("This extension is not supported")}
-	}
-
-	proxyExtensionKey := strconv.Itoa(endpointID) + "_" + strconv.Itoa(int(portainer.StoridgeEndpointExtension)) + "_" + storidgeExtension.URL
-
-	var proxy http.Handler
-	proxy = handler.ProxyManager.GetLegacyExtensionProxy(proxyExtensionKey)
-	if proxy == nil {
-		proxy, err = handler.ProxyManager.CreateLegacyExtensionProxy(proxyExtensionKey, storidgeExtension.URL)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create extension proxy", err}
-		}
-	}
-
-	id := strconv.Itoa(endpointID)
-	http.StripPrefix("/"+id+"/storidge", proxy).ServeHTTP(w, r)
-	return nil
-}
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/gofrs/uuid"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@@ -37,6 +38,7 @@ type endpointCreatePayload struct {
 	AzureAuthenticationKey string
 	TagIDs                 []portainer.TagID
 	EdgeCheckinInterval    int
+	IsEdgeDevice           bool
 }

 type endpointCreationEnum int
@@ -144,6 +146,9 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 	checkinInterval, _ := request.RetrieveNumericMultiPartFormValue(r, "CheckinInterval", true)
 	payload.EdgeCheckinInterval = checkinInterval

+	isEdgeDevice, _ := request.RetrieveBooleanMultiPartFormValue(r, "IsEdgeDevice", true)
+	payload.IsEdgeDevice = isEdgeDevice
+
 	return nil
 }

@@ -279,7 +284,6 @@ func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*po
 		PublicURL:          payload.PublicURL,
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
 		AzureCredentials:   credentials,
 		TagIDs:             payload.TagIDs,
 		Status:             portainer.EndpointStatusUp,
@@ -325,13 +329,27 @@ func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload)
 		},
 		UserAccessPolicies:  portainer.UserAccessPolicies{},
 		TeamAccessPolicies:  portainer.TeamAccessPolicies{},
-		Extensions:          []portainer.EndpointExtension{},
 		TagIDs:              payload.TagIDs,
 		Status:              portainer.EndpointStatusUp,
 		Snapshots:           []portainer.DockerSnapshot{},
 		EdgeKey:             edgeKey,
 		EdgeCheckinInterval: payload.EdgeCheckinInterval,
 		Kubernetes:          portainer.KubernetesDefault(),
+		IsEdgeDevice:        payload.IsEdgeDevice,
+	}
+
+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve the settings from the database", err}
+	}
+
+	if settings.EnforceEdgeID {
+		edgeID, err := uuid.NewV4()
+		if err != nil {
+			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Cannot generate the Edge ID", err}
+		}
+
+		endpoint.EdgeID = edgeID.String()
 	}

 	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)
@@ -365,11 +383,11 @@ func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload)
 		},
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             payload.TagIDs,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
 		Kubernetes:         portainer.KubernetesDefault(),
+		IsEdgeDevice:       payload.IsEdgeDevice,
 	}

 	err := handler.snapshotAndPersistEndpoint(endpoint)
@@ -400,7 +418,6 @@ func (handler *Handler) createKubernetesEndpoint(payload *endpointCreatePayload)
 		},
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             payload.TagIDs,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
@@ -430,11 +447,11 @@ func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload,
 		},
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             payload.TagIDs,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.DockerSnapshot{},
 		Kubernetes:         portainer.KubernetesDefault(),
+		IsEdgeDevice:       payload.IsEdgeDevice,
 	}

 	err := handler.storeTLSFiles(endpoint, payload)
--- a/api/http/handler/endpoints/endpoint_extension_add.go
+++ b/api/http/handler/endpoints/endpoint_extension_add.go
@@ -1,81 +0,0 @@
-package endpoints
-
-// TODO: legacy extension management
-
-import (
-	"errors"
-	"net/http"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-)
-
-type endpointExtensionAddPayload struct {
-	Type int
-	URL  string
-}
-
-func (payload *endpointExtensionAddPayload) Validate(r *http.Request) error {
-	if payload.Type != 1 {
-		return errors.New("Invalid type value. Value must be one of: 1 (Storidge)")
-	}
-	if payload.Type == 1 && govalidator.IsNull(payload.URL) {
-		return errors.New("Invalid extension URL")
-	}
-	return nil
-}
-
-// @id endpointExtensionAdd
-// @tags endpoints
-// @deprecated
-// @param id path int true "Environment(Endpoint) identifier"
-// @success 204 "Success"
-// @router /endpoints/{id}/extensions [post]
-func (handler *Handler) endpointExtensionAdd(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid environment identifier route variable", err}
-	}
-
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
-	if handler.DataStore.IsErrObjectNotFound(err) {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an environment with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an environment with the specified identifier inside the database", err}
-	}
-
-	var payload endpointExtensionAddPayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	extensionType := portainer.EndpointExtensionType(payload.Type)
-
-	var extension *portainer.EndpointExtension
-	for idx := range endpoint.Extensions {
-		if endpoint.Extensions[idx].Type == extensionType {
-			extension = &endpoint.Extensions[idx]
-		}
-	}
-
-	if extension != nil {
-		extension.URL = payload.URL
-	} else {
-		extension = &portainer.EndpointExtension{
-			Type: extensionType,
-			URL:  payload.URL,
-		}
-		endpoint.Extensions = append(endpoint.Extensions, *extension)
-	}
-
-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist environment changes inside the database", err}
-	}
-
-	return response.JSON(w, extension)
-}
--- a/api/http/handler/endpoints/endpoint_extension_remove.go
+++ b/api/http/handler/endpoints/endpoint_extension_remove.go
@@ -1,51 +0,0 @@
-package endpoints
-
-// TODO: legacy extension management
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-)
-
-// @id endpointExtensionRemove
-// @tags endpoints
-// @deprecated
-// @param id path int true "Environment(Endpoint) identifier"
-// @param extensionType path string true "Extension Type"
-// @success 204 "Success"
-// @router /endpoints/{id}/extensions/{extensionType} [delete]
-func (handler *Handler) endpointExtensionRemove(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid environment identifier route variable", err}
-	}
-
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
-	if handler.DataStore.IsErrObjectNotFound(err) {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an environment with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an environment with the specified identifier inside the database", err}
-	}
-
-	extensionType, err := request.RetrieveNumericRouteVariableValue(r, "extensionType")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid extension type route variable", err}
-	}
-
-	for idx, ext := range endpoint.Extensions {
-		if ext.Type == portainer.EndpointExtensionType(extensionType) {
-			endpoint.Extensions = append(endpoint.Extensions[:idx], endpoint.Extensions[idx+1:]...)
-		}
-	}
-
-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist environment changes inside the database", err}
-	}
-
-	return response.Empty(w)
-}
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/portainer/libhttp/request"

@@ -80,6 +81,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 	}

 	filteredEndpoints := security.FilterEndpoints(endpoints, endpointGroups, securityContext)
+	totalAvailableEndpoints := len(filteredEndpoints)

 	if endpointIDs != nil {
 		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, endpointIDs)
@@ -89,6 +91,11 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		filteredEndpoints = filterEndpointsByGroupID(filteredEndpoints, portainer.EndpointGroupID(groupID))
 	}

+	edgeDeviceFilter, edgeDeviceFilterErr := request.RetrieveBooleanQueryParameter(r, "edgeDeviceFilter", false)
+	if edgeDeviceFilterErr == nil {
+		filteredEndpoints = filterEndpointsByEdgeDevice(filteredEndpoints, edgeDeviceFilter)
+	}
+
 	if search != "" {
 		tags, err := handler.DataStore.Tag().Tags()
 		if err != nil {
@@ -119,9 +126,11 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		if paginatedEndpoints[idx].EdgeCheckinInterval == 0 {
 			paginatedEndpoints[idx].EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
+		paginatedEndpoints[idx].QueryDate = time.Now().Unix()
 	}

 	w.Header().Set("X-Total-Count", strconv.Itoa(filteredEndpointCount))
+	w.Header().Set("X-Total-Available", strconv.Itoa(totalAvailableEndpoints))
 	return response.JSON(w, paginatedEndpoints)
 }

@@ -231,6 +240,17 @@ func filterEndpointsByTypes(endpoints []portainer.Endpoint, endpointTypes []int)
 	return filteredEndpoints
 }

+func filterEndpointsByEdgeDevice(endpoints []portainer.Endpoint, edgeDeviceFilter bool) []portainer.Endpoint {
+	filteredEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, endpoint := range endpoints {
+		if edgeDeviceFilter == endpoint.IsEdgeDevice {
+			filteredEndpoints = append(filteredEndpoints, endpoint)
+		}
+	}
+	return filteredEndpoints
+}
+
 func convertTagIDsToTags(tagsMap map[portainer.TagID]string, tagIDs []portainer.TagID) []string {
 	tags := make([]string, 0)
 	for _, tagID := range tagIDs {
--- a/api/http/handler/endpoints/endpoint_snapshot.go
+++ b/api/http/handler/endpoints/endpoint_snapshot.go
@@ -1,6 +1,7 @@
 package endpoints

 import (
+	"errors"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@@ -37,7 +38,7 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 	}

 	if !snapshot.SupportDirectSnapshot(endpoint) {
-		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for this environment", err}
+		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for this environment", errors.New("Snapshots not supported for this environment")}
 	}

 	snapshotError := handler.SnapshotService.SnapshotEndpoint(endpoint)
--- a/api/http/handler/endpoints/endpoint_status_inspect.go
+++ b/api/http/handler/endpoints/endpoint_status_inspect.go
@@ -103,6 +103,15 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		}
 	}

+	if endpoint.EdgeCheckinInterval == 0 {
+		settings, err := handler.DataStore.Settings().Settings()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+		}
+
+		endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
+	}
+
 	endpoint.LastCheckInDate = time.Now().Unix()

 	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
@@ -110,18 +119,8 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to Unable to persist environment changes inside the database", err}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
-	}
-
 	tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)

-	checkinInterval := settings.EdgeAgentCheckinInterval
-	if endpoint.EdgeCheckinInterval != 0 {
-		checkinInterval = endpoint.EdgeCheckinInterval
-	}
-
 	schedules := []edgeJobResponse{}
 	for _, job := range tunnel.Jobs {
 		schedule := edgeJobResponse{
@@ -146,7 +145,7 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		Status:          tunnel.Status,
 		Port:            tunnel.Port,
 		Schedules:       schedules,
-		CheckinInterval: checkinInterval,
+		CheckinInterval: endpoint.EdgeCheckinInterval,
 		Credentials:     tunnel.Credentials,
 	}

--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@@ -46,6 +46,8 @@ type endpointUpdatePayload struct {
 	EdgeCheckinInterval *int `example:"5"`
 	// Associated Kubernetes data
 	Kubernetes *portainer.KubernetesData
+	// Whether the device has been trusted or not by the user
+	UserTrusted *bool
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@@ -270,6 +272,10 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

+	if payload.UserTrusted != nil {
+		endpoint.UserTrusted = *payload.UserTrusted
+	}
+
 	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist environment changes inside the database", err}
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@@ -62,10 +62,6 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
 	h.Handle("/endpoints/{id}/dockerhub/{registryId}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointDockerhubStatus))).Methods(http.MethodGet)
-	h.Handle("/endpoints/{id}/extensions",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.endpointExtensionAdd))).Methods(http.MethodPost)
-	h.Handle("/endpoints/{id}/extensions/{extensionType}",
-		bouncer.RestrictedAccess(httperror.LoggerHandler(h.endpointExtensionRemove))).Methods(http.MethodDelete)
 	h.Handle("/endpoints/{id}/snapshot",
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointSnapshot))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/status",
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				<svg version="1" xmlns="http://www.w3.org/2000/svg" width="420" height="420" viewBox="0 0 315.000000 315.000000"><path d="M163 13.3v6.4l-38.3 22.1-38.2 22.1h-34c-2.8.1-3 .3-3.2 4.5-.2 3.4.1 4.5 1.5 4.8.9.2 16 .3 33.5.2 17.4 0 31.7.2 31.8.5.1.3.2 10.3.4 22.1.1 11.8.3 21.8.4 22.2 0 .5 5.5.8 12 .8h11.9l-.1-22.8-.1-22.7 11.2-.1H163V204l3.5.1c1.9.1 4.1.2 4.7.3 1 .1 1.3-13.7 1.3-65.3V73.7l3.3-.3 3.2-.2.1 66.6v66.7l4.8 3.1 4.7 3.2v-69c-.1-38 .1-69.3.4-69.7.3-.4 17.2-.7 37.5-.7h37l.3-4.6.3-4.6-8.3-.3-8.3-.4-37-21.4c-20.3-11.8-37.2-21.6-37.5-21.8-.3-.3-.5-2.8-.6-5.6-.1-2.9-.2-5.8-.3-6.5-.1-.7-1.7-1.2-4.6-1.2H163v6.3zm0 34.1v16.5h-28.2c-28 0-28.3 0-25.8-1.9 1.4-1 4.3-2.8 6.5-4 2.2-1.1 13.5-7.6 25-14.4 11.6-6.9 21.3-12.5 21.8-12.5.4-.1.7 7.3.7 16.3zm28.6-5.4c7.5 4.4 13.7 8 13.9 8 .1 0 4.5 2.5 9.6 5.7 5.2 3.1 10.5 6.2 11.9 6.9 2.1 1.1-2 1.3-26 1.1l-28.5-.2V47.3l-.1-16.1 2.8 1.4c1.5.8 8.9 5 16.4 9.4zm-55.4 40.5c0 4.9-.1 9.7-.1 10.5-.1 1.3-1.5 1.6-7.3 1.5l-7.3-.1-.5-10.5-.5-10.6 7.8.1 7.9.1v9zm-12.3 23.9c.1 6.6-.2 8.5-1.4 9-.8.3-1.5.2-1.6-.2-.4-3.4-.5-15-.1-16 .2-.6 1-1.2 1.7-1.2.9 0 1.3 2.3 1.4 8.4zm6.7.4c0 4.5-.3 8.2-.8 8.2-.4 0-1.1.1-1.5.2-.5.2-.8-3.7-.9-8.5 0-7.5.2-8.7 1.5-8.5 1.3.3 1.6 1.9 1.7 8.6zm6.9 0c.1 7.2-.1 8.2-1.6 8.2-1.6 0-1.8-1-1.7-8.5.1-7.3.3-8.5 1.7-8.3 1.3.3 1.6 1.8 1.6 8.6z"/><path d="M61.9 108c0 .3-.1 5.7-.2 12l-.1 11.5 12.2.3 12.2.3v-24.6H74c-6.6 0-12 .2-12.1.5zm7.1 11.4c0 8-1 11.1-2.6 8.5-.5-.9-.8-8.6-.5-15.2.1-.9.8-1.7 1.6-1.7 1.2 0 1.5 1.6 1.5 8.4zm7-.1c0 8.6-.3 9.9-2.3 9.1-.8-.3-1.1-3-1-7.7.2-10 .1-9.7 1.8-9.7 1.2 0 1.5 1.6 1.5 8.3zm6.8-.3c.3 8.4-.2 10.7-2.1 9.2-.9-.7-1.2-3.6-1.1-8.9.2-9.2.1-8.6 1.7-8.1.8.3 1.3 3 1.5 7.8zM89.4 107.9c-.2.2-.4 5.8-.4 12.3V132h24.5l-.1-11.3c-.1-6.1-.2-11.7-.3-12.2-.1-1-22.7-1.5-23.7-.6zm7.2 11.2c.1 8.6-.3 10-2.2 9.2-1-.4-1.4-2.5-1.4-8.2 0-4.3.3-8.1.7-8.5 1.8-1.8 2.8.7 2.9 7.5zm6.5-7.4c.4 3.9.3 15.7-.2 16.5-1.7 2.7-2.9-.9-2.9-8.8 0-6.8.3-8.4 1.5-8.4.8 0 1.5.3 1.6.7zm7 .5c.5 5.5.3 13.6-.4 15.1-1.6 3.6-2.7.4-2.7-7.9 0-6.8.3-8.4 1.5-8.4.8 0 1.5.6 1.6 1.2zM94.3 134.8l-5.3.3v12c0 8.8.3 11.9 1.3 12 1.7.1 15.5.1 19.7 0l3.5-.1-.1-10.8c-.1-5.9-.2-11.4-.3-12.2-.1-1.5-6.2-1.9-18.8-1.2zm2.2 12.3c0 6.8-.3 8.4-1.5 8.4s-1.6-1.6-1.8-7.3c-.4-8.1.1-10.6 2.1-9.9.8.2 1.2 2.9 1.2 8.8zm6.6-7.4c.5 5.9.3 14.6-.2 15.5-.4.6-1.2.7-1.8.4-1.2-.8-1.6-15.8-.4-16.9 1.2-1.2 2.3-.7 2.4 1zm7-1c0 .5.1 4.4.2 8.8 0 6.3-.2 8-1.4 8-1.1 0-1.5-1.9-1.7-8.8-.2-7.3 0-8.7 1.3-8.7.8 0 1.5.3 1.6.7zM120 134.8l-3.5.3-.1 11.9c0 7.6.4 12 1.1 12.1 4.6.3 21.5 0 22.3-.5.5-.3 1-5.7 1-12.1l.1-11.5-5.7-.1c-3.1 0-7-.1-8.7-.2-1.6-.1-4.6-.1-6.5.1zm3.4 4.8c1 2.7.7 15.2-.5 15.9-.6.4-1.3.4-1.6.1-.7-.7-1.2-15.7-.6-16.9.7-1.2 2.1-.8 2.7.9zm7.3 6c.2 7.9-.4 10.7-2 10.1-.8-.2-1.2-3.2-1.3-8.3-.1-8.5.1-9.7 1.9-9.1.7.2 1.3 3.1 1.4 7.3zm6.9 0c.2 8.5-.3 10.5-2.2 9.7-1.1-.4-1.4-2.2-1.3-8.2.2-8.3.5-9.4 2.2-8.8.8.2 1.2 3 1.3 7.3zM61.9 136.7c-.4 9-.3 21.6.3 21.9.7.4 13.9.7 21.1.5l2.7-.1v-24H74c-10.7 0-12 .2-12.1 1.7zM69 147c0 5-.4 9-.9 9-1.6 0-2.2-1.7-2.2-7.2-.2-9.6 0-10.8 1.6-10.8 1.2 0 1.5 1.7 1.5 9zm6.8-.5c.3 7.2-.7 10.9-2.4 9.2-.4-.4-.7-3.5-.7-6.9.1-10.2.2-11 1.6-10.6.8.3 1.3 3.1 1.5 8.3zm7 0c.2 4.7-.1 8.2-.8 8.9-1.8 1.8-2.6-.8-2.4-8.6.2-9.3.2-9 1.7-8.6.8.3 1.3 3.1 1.5 8.3zM59.4 166.7c-3.1 7.2-4.3 13.6-4 21.2.5 12.5 4.9 22.4 13.7 31.1 4.1 4.1 5.4 4.8 7.2 4.1 1.2-.4 3.9-.7 5.9-.6 3.6.1 3.8-.1 6.8-6.2 8.2-16.7 29.1-23.3 47.6-15.2 2.4 1.1 4.6 2.4 4.9 2.9 2.5 4.1 5.4-3.3 5.9-15.3.4-8-.6-14-3.5-20.7l-2.1-5H61l-1.6 3.7z"/><path d="M118.5 202.8c-6 .9-11 2.8-15.1 5.7-5.2 3.7-11 11.3-11.9 15.6-.6 2.4-1.2 2.9-3.8 3-9.6.2-17.3 3.5-23.7 10-6 6.2-8.4 12.1-8.6 20.9-.3 10.2 2.1 16.5 9.1 23.5 6.6 6.6 12.5 9 22 9 6.7 0 7.1.1 8.9 3 2.6 4.2 7.3 8.3 13.1 11.3 4.2 2.2 6.3 2.6 13 2.6 9.5 0 16.9-2.9 22.8-8.9l3.7-3.8 6.1 3.3c13 6.9 29.4 3.7 38.8-7.6 5.3-6.5 7.2-11.7 7.3-20.4.2-7-.2-8.6-2.8-13.7-2.6-5-2.9-6.4-2.1-9.3 2.3-8.9-1.7-22.2-8.9-29.4-9.8-9.8-22.8-11.7-38.1-5.5-3 1.2-3.4 1.1-5.8-1.4-5.1-5-17.1-9-24-7.9z"/></svg>