fix(api): api error message [EE-6818]

fix(csrf): disable csrf secure cookie EE-6787 (#11299 )
fix(app): views not loading when quickly navigating in app (#11279 )
2024-03-13 12:26:09 +13:00 · 2024-03-13 11:22:18 +13:00 · 2024-03-12 15:16:19 +01:00 · 2024-03-12 09:59:39 +02:00 · 2024-03-12 17:19:45 +13:00 · 2024-03-12 11:32:03 +13:00
1843 changed files with 20384 additions and 31324 deletions
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -87,7 +87,6 @@ overrides:
        version: 'detect'

    rules:
-      no-console: error
      import/order:
        [
          'error',
@@ -141,11 +140,9 @@ overrides:
      'react/jsx-no-constructed-context-values': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
-      'react/jsx-props-no-spreading': off
  - files:
      - app/**/*.stories.*
    rules:
      'no-alert': off
      '@typescript-eslint/no-restricted-imports': off
      no-restricted-imports: off
-      'react/jsx-props-no-spreading': off
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -93,11 +93,6 @@ body:
      description: We only provide support for the most recent version of Portainer and the previous 3 versions. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
      multiple: false
      options:
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
        - '2.19.4'
        - '2.19.3'
        - '2.19.2'
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -22,7 +22,7 @@ on:
 env:
  DOCKER_HUB_REPO: portainerci/portainer-ce
  EXTENSION_HUB_REPO: portainerci/portainer-docker-extension
-  GO_VERSION: 1.21.9
+  GO_VERSION: 1.21.6
  NODE_VERSION: 18.x

 jobs:
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -18,7 +18,7 @@ on:
      - ready_for_review

 env:
-  GO_VERSION: 1.21.9
+  GO_VERSION: 1.21.6
  NODE_VERSION: 18.x

 jobs:
--- a/.github/workflows/nightly-security-scan.yml
+++ b/.github/workflows/nightly-security-scan.yml
@@ -6,7 +6,7 @@ on:
  workflow_dispatch:

 env:
-  GO_VERSION: 1.21.9
+  GO_VERSION: 1.21.6

 jobs:
  client-dependencies:
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@@ -14,7 +14,7 @@ on:
      - '.github/workflows/pr-security.yml'

 env:
-  GO_VERSION: 1.21.9
+  GO_VERSION: 1.21.6
  NODE_VERSION: 18.x

 jobs:
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,7 +1,7 @@
 name: Test

 env:
-  GO_VERSION: 1.21.9
+  GO_VERSION: 1.21.6
  NODE_VERSION: 18.x

 on:
--- a/.github/workflows/validate-openapi-spec.yaml
+++ b/.github/workflows/validate-openapi-spec.yaml
@@ -13,7 +13,7 @@ on:
      - ready_for_review

 env:
-  GO_VERSION: 1.21.9
+  GO_VERSION: 1.21.6
  NODE_VERSION: 18.x

 jobs:
--- a/.storybook/preview.tsx
+++ b/.storybook/preview.tsx
@@ -3,11 +3,12 @@ import React from 'react';
 import { pushStateLocationPlugin, UIRouter } from '@uirouter/react';
 import { initialize as initMSW, mswLoader } from 'msw-storybook-addon';
 import { handlers } from '../app/setup-tests/server-handlers';
-import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { QueryClient, QueryClientProvider } from 'react-query';

 initMSW(
  {
    onUnhandledRequest: ({ method, url }) => {
+      console.log(method, url);
      if (url.startsWith('/api')) {
        console.error(`Unhandled ${method} request to ${url}.

--- a/api/apikey/cache_test.go
+++ b/api/apikey/cache_test.go
@@ -35,7 +35,7 @@ func Test_apiKeyCacheGet(t *testing.T) {
 	}

 	for _, test := range tests {
-		t.Run(test.digest, func(t *testing.T) {
+		t.Run(string(test.digest), func(t *testing.T) {
 			_, _, found := keyCache.Get(test.digest)
 			is.Equal(test.found, found)
 		})
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -82,8 +82,7 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 }

 func backupDb(backupDirPath string, datastore dataservices.DataStore) error {
-	dbFileName := datastore.Connection().GetDatabaseFileName()
-	_, err := datastore.Backup(filepath.Join(backupDirPath, dbFileName))
+	_, err := datastore.Backup(filepath.Join(backupDirPath, "portainer.db"))
 	return err
 }

--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -26,7 +26,7 @@ func RestoreArchive(archive io.Reader, password string, filestorePath string, ga
 	if password != "" {
 		archive, err = decrypt(archive, password)
 		if err != nil {
-			return errors.Wrap(err, "failed to decrypt the archive. Please ensure the password is correct and try again")
+			return errors.Wrap(err, "failed to decrypt the archive")
 		}
 	}

--- a/api/chisel/schedules.go
+++ b/api/chisel/schedules.go
@@ -5,17 +5,6 @@ import (
 	"github.com/portainer/portainer/api/internal/edge/cache"
 )

-// EdgeJobs retrieves the edge jobs for the given environment
-func (service *Service) EdgeJobs(endpointID portainer.EndpointID) []portainer.EdgeJob {
-	service.mu.RLock()
-	defer service.mu.RUnlock()
-
-	return append(
-		make([]portainer.EdgeJob, 0, len(service.edgeJobs[endpointID])),
-		service.edgeJobs[endpointID]...,
-	)
-}
-
 // AddEdgeJob register an EdgeJob inside the tunnel details associated to an environment(endpoint).
 func (service *Service) AddEdgeJob(endpoint *portainer.Endpoint, edgeJob *portainer.EdgeJob) {
 	if endpoint.Edge.AsyncMode {
@@ -23,10 +12,10 @@ func (service *Service) AddEdgeJob(endpoint *portainer.Endpoint, edgeJob *portai
 	}

 	service.mu.Lock()
-	defer service.mu.Unlock()
+	tunnel := service.getTunnelDetails(endpoint.ID)

 	existingJobIndex := -1
-	for idx, existingJob := range service.edgeJobs[endpoint.ID] {
+	for idx, existingJob := range tunnel.Jobs {
 		if existingJob.ID == edgeJob.ID {
 			existingJobIndex = idx

@@ -35,28 +24,30 @@ func (service *Service) AddEdgeJob(endpoint *portainer.Endpoint, edgeJob *portai
 	}

 	if existingJobIndex == -1 {
-		service.edgeJobs[endpoint.ID] = append(service.edgeJobs[endpoint.ID], *edgeJob)
+		tunnel.Jobs = append(tunnel.Jobs, *edgeJob)
 	} else {
-		service.edgeJobs[endpoint.ID][existingJobIndex] = *edgeJob
+		tunnel.Jobs[existingJobIndex] = *edgeJob
 	}

 	cache.Del(endpoint.ID)
+
+	service.mu.Unlock()
 }

 // RemoveEdgeJob will remove the specified Edge job from each tunnel it was registered with.
 func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {
 	service.mu.Lock()

-	for endpointID := range service.edgeJobs {
+	for endpointID, tunnel := range service.tunnelDetailsMap {
 		n := 0
-		for _, edgeJob := range service.edgeJobs[endpointID] {
+		for _, edgeJob := range tunnel.Jobs {
 			if edgeJob.ID != edgeJobID {
-				service.edgeJobs[endpointID][n] = edgeJob
+				tunnel.Jobs[n] = edgeJob
 				n++
 			}
 		}

-		service.edgeJobs[endpointID] = service.edgeJobs[endpointID][:n]
+		tunnel.Jobs = tunnel.Jobs[:n]

 		cache.Del(endpointID)
 	}
@@ -66,17 +57,19 @@ func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {

 func (service *Service) RemoveEdgeJobFromEndpoint(endpointID portainer.EndpointID, edgeJobID portainer.EdgeJobID) {
 	service.mu.Lock()
-	defer service.mu.Unlock()
+	tunnel := service.getTunnelDetails(endpointID)

 	n := 0
-	for _, edgeJob := range service.edgeJobs[endpointID] {
+	for _, edgeJob := range tunnel.Jobs {
 		if edgeJob.ID != edgeJobID {
-			service.edgeJobs[endpointID][n] = edgeJob
+			tunnel.Jobs[n] = edgeJob
 			n++
 		}
 	}

-	service.edgeJobs[endpointID] = service.edgeJobs[endpointID][:n]
+	tunnel.Jobs = tunnel.Jobs[:n]

 	cache.Del(endpointID)
+
+	service.mu.Unlock()
 }
--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -19,6 +19,7 @@ import (

 const (
 	tunnelCleanupInterval = 10 * time.Second
+	requiredTimeout       = 15 * time.Second
 	activeTimeout         = 4*time.Minute + 30*time.Second
 	pingTimeout           = 3 * time.Second
 )
@@ -27,54 +28,32 @@ const (
 // It is used to start a reverse tunnel server and to manage the connection status of each tunnel
 // connected to the tunnel server.
 type Service struct {
-	serverFingerprint      string
-	serverPort             string
-	activeTunnels          map[portainer.EndpointID]*portainer.TunnelDetails
-	edgeJobs               map[portainer.EndpointID][]portainer.EdgeJob
-	dataStore              dataservices.DataStore
-	snapshotService        portainer.SnapshotService
-	chiselServer           *chserver.Server
-	shutdownCtx            context.Context
-	ProxyManager           *proxy.Manager
-	mu                     sync.RWMutex
-	fileService            portainer.FileService
-	defaultCheckinInterval int
+	serverFingerprint string
+	serverPort        string
+	tunnelDetailsMap  map[portainer.EndpointID]*portainer.TunnelDetails
+	dataStore         dataservices.DataStore
+	snapshotService   portainer.SnapshotService
+	chiselServer      *chserver.Server
+	shutdownCtx       context.Context
+	ProxyManager      *proxy.Manager
+	mu                sync.Mutex
+	fileService       portainer.FileService
 }

 // NewService returns a pointer to a new instance of Service
 func NewService(dataStore dataservices.DataStore, shutdownCtx context.Context, fileService portainer.FileService) *Service {
-	defaultCheckinInterval := portainer.DefaultEdgeAgentCheckinIntervalInSeconds
-
-	settings, err := dataStore.Settings().Settings()
-	if err == nil {
-		defaultCheckinInterval = settings.EdgeAgentCheckinInterval
-	} else {
-		log.Error().Err(err).Msg("unable to retrieve the settings from the database")
-	}
-
 	return &Service{
-		activeTunnels:          make(map[portainer.EndpointID]*portainer.TunnelDetails),
-		edgeJobs:               make(map[portainer.EndpointID][]portainer.EdgeJob),
-		dataStore:              dataStore,
-		shutdownCtx:            shutdownCtx,
-		fileService:            fileService,
-		defaultCheckinInterval: defaultCheckinInterval,
+		tunnelDetailsMap: make(map[portainer.EndpointID]*portainer.TunnelDetails),
+		dataStore:        dataStore,
+		shutdownCtx:      shutdownCtx,
+		fileService:      fileService,
 	}
 }

 // pingAgent ping the given agent so that the agent can keep the tunnel alive
 func (service *Service) pingAgent(endpointID portainer.EndpointID) error {
-	endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
-	if err != nil {
-		return err
-	}
-
-	tunnelAddr, err := service.TunnelAddr(endpoint)
-	if err != nil {
-		return err
-	}
-
-	requestURL := fmt.Sprintf("http://%s/ping", tunnelAddr)
+	tunnel := service.GetTunnelDetails(endpointID)
+	requestURL := fmt.Sprintf("http://127.0.0.1:%d/ping", tunnel.Port)
 	req, err := http.NewRequest(http.MethodHead, requestURL, nil)
 	if err != nil {
 		return err
@@ -97,49 +76,47 @@ func (service *Service) pingAgent(endpointID portainer.EndpointID) error {

 // KeepTunnelAlive keeps the tunnel of the given environment for maxAlive duration, or until ctx is done
 func (service *Service) KeepTunnelAlive(endpointID portainer.EndpointID, ctx context.Context, maxAlive time.Duration) {
-	go service.keepTunnelAlive(endpointID, ctx, maxAlive)
-}
+	go func() {
+		log.Debug().
+			Int("endpoint_id", int(endpointID)).
+			Float64("max_alive_minutes", maxAlive.Minutes()).
+			Msg("KeepTunnelAlive: start")

-func (service *Service) keepTunnelAlive(endpointID portainer.EndpointID, ctx context.Context, maxAlive time.Duration) {
-	log.Debug().
-		Int("endpoint_id", int(endpointID)).
-		Float64("max_alive_minutes", maxAlive.Minutes()).
-		Msg("KeepTunnelAlive: start")
+		maxAliveTicker := time.NewTicker(maxAlive)
+		defer maxAliveTicker.Stop()

-	maxAliveTicker := time.NewTicker(maxAlive)
-	defer maxAliveTicker.Stop()
+		pingTicker := time.NewTicker(tunnelCleanupInterval)
+		defer pingTicker.Stop()

-	pingTicker := time.NewTicker(tunnelCleanupInterval)
-	defer pingTicker.Stop()
+		for {
+			select {
+			case <-pingTicker.C:
+				service.SetTunnelStatusToActive(endpointID)
+				err := service.pingAgent(endpointID)
+				if err != nil {
+					log.Debug().
+						Int("endpoint_id", int(endpointID)).
+						Err(err).
+						Msg("KeepTunnelAlive: ping agent")
+				}
+			case <-maxAliveTicker.C:
+				log.Debug().
+					Int("endpoint_id", int(endpointID)).
+					Float64("timeout_minutes", maxAlive.Minutes()).
+					Msg("KeepTunnelAlive: tunnel keep alive timeout")

-	for {
-		select {
-		case <-pingTicker.C:
-			service.UpdateLastActivity(endpointID)
-
-			if err := service.pingAgent(endpointID); err != nil {
+				return
+			case <-ctx.Done():
+				err := ctx.Err()
 				log.Debug().
 					Int("endpoint_id", int(endpointID)).
 					Err(err).
-					Msg("KeepTunnelAlive: ping agent")
+					Msg("KeepTunnelAlive: tunnel stop")
+
+				return
 			}
-		case <-maxAliveTicker.C:
-			log.Debug().
-				Int("endpoint_id", int(endpointID)).
-				Float64("timeout_minutes", maxAlive.Minutes()).
-				Msg("KeepTunnelAlive: tunnel keep alive timeout")
-
-			return
-		case <-ctx.Done():
-			err := ctx.Err()
-			log.Debug().
-				Int("endpoint_id", int(endpointID)).
-				Err(err).
-				Msg("KeepTunnelAlive: tunnel stop")
-
-			return
 		}
-	}
+	}()
 }

 // StartTunnelServer starts a tunnel server on the specified addr and port.
@@ -149,6 +126,7 @@ func (service *Service) keepTunnelAlive(endpointID portainer.EndpointID, ctx con
 // The snapshotter is used in the tunnel status verification process.
 func (service *Service) StartTunnelServer(addr, port string, snapshotService portainer.SnapshotService) error {
 	privateKeyFile, err := service.retrievePrivateKeyFile()
+
 	if err != nil {
 		return err
 	}
@@ -166,21 +144,21 @@ func (service *Service) StartTunnelServer(addr, port string, snapshotService por
 	service.serverFingerprint = chiselServer.GetFingerprint()
 	service.serverPort = port

-	if err := chiselServer.Start(addr, port); err != nil {
+	err = chiselServer.Start(addr, port)
+	if err != nil {
 		return err
 	}
-
 	service.chiselServer = chiselServer

 	// TODO: work-around Chisel default behavior.
 	// By default, Chisel will allow anyone to connect if no user exists.
 	username, password := generateRandomCredentials()
-	if err = service.chiselServer.AddUser(username, password, "127.0.0.1"); err != nil {
+	err = service.chiselServer.AddUser(username, password, "127.0.0.1")
+	if err != nil {
 		return err
 	}

 	service.snapshotService = snapshotService
-
 	go service.startTunnelVerificationLoop()

 	return nil
@@ -194,39 +172,37 @@ func (service *Service) StopTunnelServer() error {
 func (service *Service) retrievePrivateKeyFile() (string, error) {
 	privateKeyFile := service.fileService.GetDefaultChiselPrivateKeyPath()

-	if exists, _ := service.fileService.FileExists(privateKeyFile); exists {
+	exist, _ := service.fileService.FileExists(privateKeyFile)
+	if !exist {
+		log.Debug().
+			Str("private-key", privateKeyFile).
+			Msg("Chisel private key file does not exist")
+
+		privateKey, err := ccrypto.GenerateKey("")
+		if err != nil {
+			log.Error().
+				Err(err).
+				Msg("Failed to generate chisel private key")
+			return "", err
+		}
+
+		err = service.fileService.StoreChiselPrivateKey(privateKey)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Msg("Failed to save Chisel private key to disk")
+			return "", err
+		} else {
+			log.Info().
+				Str("private-key", privateKeyFile).
+				Msg("Generated a new Chisel private key file")
+		}
+	} else {
 		log.Info().
 			Str("private-key", privateKeyFile).
-			Msg("found Chisel private key file on disk")
-
-		return privateKeyFile, nil
+			Msg("Found Chisel private key file on disk")
 	}

-	log.Debug().
-		Str("private-key", privateKeyFile).
-		Msg("chisel private key file does not exist")
-
-	privateKey, err := ccrypto.GenerateKey("")
-	if err != nil {
-		log.Error().
-			Err(err).
-			Msg("failed to generate chisel private key")
-
-		return "", err
-	}
-
-	if err = service.fileService.StoreChiselPrivateKey(privateKey); err != nil {
-		log.Error().
-			Err(err).
-			Msg("failed to save Chisel private key to disk")
-
-		return "", err
-	}
-
-	log.Info().
-		Str("private-key", privateKeyFile).
-		Msg("generated a new Chisel private key file")
-
 	return privateKeyFile, nil
 }

@@ -254,45 +230,63 @@ func (service *Service) startTunnelVerificationLoop() {
 	}
 }

-// checkTunnels finds the first tunnel that has not had any activity recently
-// and attempts to take a snapshot, then closes it and returns
 func (service *Service) checkTunnels() {
-	service.mu.RLock()
+	tunnels := make(map[portainer.EndpointID]portainer.TunnelDetails)

-	for endpointID, tunnel := range service.activeTunnels {
-		elapsed := time.Since(tunnel.LastActivity)
-		log.Debug().
-			Int("endpoint_id", int(endpointID)).
-			Float64("last_activity_seconds", elapsed.Seconds()).
-			Msg("environment tunnel monitoring")
-
-		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed < activeTimeout {
+	service.mu.Lock()
+	for key, tunnel := range service.tunnelDetailsMap {
+		if tunnel.LastActivity.IsZero() || tunnel.Status == portainer.EdgeAgentIdle {
 			continue
 		}

-		tunnelPort := tunnel.Port
-
-		service.mu.RUnlock()
-
-		log.Debug().
-			Int("endpoint_id", int(endpointID)).
-			Float64("last_activity_seconds", elapsed.Seconds()).
-			Float64("timeout_seconds", activeTimeout.Seconds()).
-			Msg("last activity timeout exceeded")
-
-		if err := service.snapshotEnvironment(endpointID, tunnelPort); err != nil {
-			log.Error().
-				Int("endpoint_id", int(endpointID)).
-				Err(err).
-				Msg("unable to snapshot Edge environment")
+		if tunnel.Status == portainer.EdgeAgentManagementRequired && time.Since(tunnel.LastActivity) < requiredTimeout {
+			continue
 		}

-		service.close(endpointID)
+		if tunnel.Status == portainer.EdgeAgentActive && time.Since(tunnel.LastActivity) < activeTimeout {
+			continue
+		}

-		return
+		tunnels[key] = *tunnel
 	}
+	service.mu.Unlock()

-	service.mu.RUnlock()
+	for endpointID, tunnel := range tunnels {
+		elapsed := time.Since(tunnel.LastActivity)
+		log.Debug().
+			Int("endpoint_id", int(endpointID)).
+			Str("status", tunnel.Status).
+			Float64("status_time_seconds", elapsed.Seconds()).
+			Msg("environment tunnel monitoring")
+
+		if tunnel.Status == portainer.EdgeAgentManagementRequired && elapsed > requiredTimeout {
+			log.Debug().
+				Int("endpoint_id", int(endpointID)).
+				Str("status", tunnel.Status).
+				Float64("status_time_seconds", elapsed.Seconds()).
+				Float64("timeout_seconds", requiredTimeout.Seconds()).
+				Msg("REQUIRED state timeout exceeded")
+		}
+
+		if tunnel.Status == portainer.EdgeAgentActive && elapsed > activeTimeout {
+			log.Debug().
+				Int("endpoint_id", int(endpointID)).
+				Str("status", tunnel.Status).
+				Float64("status_time_seconds", elapsed.Seconds()).
+				Float64("timeout_seconds", activeTimeout.Seconds()).
+				Msg("ACTIVE state timeout exceeded")
+
+			err := service.snapshotEnvironment(endpointID, tunnel.Port)
+			if err != nil {
+				log.Error().
+					Int("endpoint_id", int(endpointID)).
+					Err(err).
+					Msg("unable to snapshot Edge environment")
+			}
+		}
+
+		service.SetTunnelStatusToIdle(portainer.EndpointID(endpointID))
+	}
 }

 func (service *Service) snapshotEnvironment(endpointID portainer.EndpointID, tunnelPort int) error {
--- a/api/chisel/service_test.go
+++ b/api/chisel/service_test.go
@@ -1,27 +1,20 @@
 package chisel

 import (
-	"context"
 	"net"
 	"net/http"
 	"testing"
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/datastore"

 	"github.com/stretchr/testify/require"
 )

 func TestPingAgentPanic(t *testing.T) {
-	endpoint := &portainer.Endpoint{
-		ID:   1,
-		Type: portainer.EdgeAgentOnDockerEnvironment,
-	}
+	endpointID := portainer.EndpointID(1)

-	_, store := datastore.MustNewTestStore(t, true, true)
-
-	s := NewService(store, nil, nil)
+	s := NewService(nil, nil, nil)

 	defer func() {
 		require.Nil(t, recover())
@@ -35,17 +28,12 @@ func TestPingAgentPanic(t *testing.T) {
 	ln, err := net.ListenTCP("tcp", &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0})
 	require.NoError(t, err)

-	srv := &http.Server{Handler: mux}
-
-	errCh := make(chan error)
 	go func() {
-		errCh <- srv.Serve(ln)
+		require.NoError(t, http.Serve(ln, mux))
 	}()

-	s.Open(endpoint)
-	s.activeTunnels[endpoint.ID].Port = ln.Addr().(*net.TCPAddr).Port
+	s.getTunnelDetails(endpointID)
+	s.tunnelDetailsMap[endpointID].Port = ln.Addr().(*net.TCPAddr).Port

-	require.Error(t, s.pingAgent(endpoint.ID))
-	require.NoError(t, srv.Shutdown(context.Background()))
-	require.ErrorIs(t, <-errCh, http.ErrServerClosed)
+	require.Error(t, s.pingAgent(endpointID))
 }
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -5,18 +5,14 @@ import (
 	"errors"
 	"fmt"
 	"math/rand"
-	"net"
 	"strings"
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/edge/cache"
-	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/pkg/libcrypto"

 	"github.com/dchest/uniuri"
-	"github.com/rs/zerolog/log"
 )

 const (
@@ -24,181 +20,18 @@ const (
 	maxAvailablePort = 65535
 )

-// Open will mark the tunnel as REQUIRED so the agent opens it
-func (s *Service) Open(endpoint *portainer.Endpoint) error {
-	if !endpointutils.IsEdgeEndpoint(endpoint) {
-		return errors.New("cannot open a tunnel for non-edge environments")
-	}
-
-	if endpoint.Edge.AsyncMode {
-		return errors.New("cannot open a tunnel for async edge environments")
-	}
-
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if _, ok := s.activeTunnels[endpoint.ID]; ok {
-		return nil
-	}
-
-	defer cache.Del(endpoint.ID)
-
-	tun := &portainer.TunnelDetails{
-		Status:       portainer.EdgeAgentManagementRequired,
-		Port:         s.getUnusedPort(),
-		LastActivity: time.Now(),
-	}
-
-	username, password := generateRandomCredentials()
-
-	if s.chiselServer != nil {
-		authorizedRemote := fmt.Sprintf("^R:0.0.0.0:%d$", tun.Port)
-
-		if err := s.chiselServer.AddUser(username, password, authorizedRemote); err != nil {
-			return err
-		}
-	}
-
-	credentials, err := encryptCredentials(username, password, endpoint.EdgeID)
-	if err != nil {
-		return err
-	}
-
-	tun.Credentials = credentials
-
-	s.activeTunnels[endpoint.ID] = tun
-
-	return nil
-}
-
-// close removes the tunnel from the map so the agent will close it
-func (s *Service) close(endpointID portainer.EndpointID) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	tun, ok := s.activeTunnels[endpointID]
-	if !ok {
-		return
-	}
-
-	if len(tun.Credentials) > 0 && s.chiselServer != nil {
-		user, _, _ := strings.Cut(tun.Credentials, ":")
-		s.chiselServer.DeleteUser(user)
-	}
-
-	if s.ProxyManager != nil {
-		s.ProxyManager.DeleteEndpointProxy(endpointID)
-	}
-
-	delete(s.activeTunnels, endpointID)
-
-	cache.Del(endpointID)
-}
-
-// Config returns the tunnel details needed for the agent to connect
-func (s *Service) Config(endpointID portainer.EndpointID) portainer.TunnelDetails {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-
-	if tun, ok := s.activeTunnels[endpointID]; ok {
-		return *tun
-	}
-
-	return portainer.TunnelDetails{Status: portainer.EdgeAgentIdle}
-}
-
-// TunnelAddr returns the address of the local tunnel, including the port, it
-// will block until the tunnel is ready
-func (s *Service) TunnelAddr(endpoint *portainer.Endpoint) (string, error) {
-	if err := s.Open(endpoint); err != nil {
-		return "", err
-	}
-
-	tun := s.Config(endpoint.ID)
-	checkinInterval := time.Duration(s.tryEffectiveCheckinInterval(endpoint)) * time.Second
-
-	for t0 := time.Now(); ; {
-		if time.Since(t0) > 2*checkinInterval {
-			s.close(endpoint.ID)
-
-			return "", errors.New("unable to open the tunnel")
-		}
-
-		// Check if the tunnel is established
-		conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: tun.Port})
-		if err != nil {
-			time.Sleep(checkinInterval / 100)
-
-			continue
-		}
-
-		conn.Close()
-
-		break
-	}
-
-	s.UpdateLastActivity(endpoint.ID)
-
-	return fmt.Sprintf("127.0.0.1:%d", tun.Port), nil
-}
-
-// tryEffectiveCheckinInterval avoids a potential deadlock by returning a
-// previous known value after a timeout
-func (s *Service) tryEffectiveCheckinInterval(endpoint *portainer.Endpoint) int {
-	ch := make(chan int, 1)
-
-	go func() {
-		ch <- edge.EffectiveCheckinInterval(s.dataStore, endpoint)
-	}()
-
-	select {
-	case <-time.After(50 * time.Millisecond):
-		s.mu.RLock()
-		defer s.mu.RUnlock()
-
-		return s.defaultCheckinInterval
-	case i := <-ch:
-		s.mu.Lock()
-		s.defaultCheckinInterval = i
-		s.mu.Unlock()
-
-		return i
-	}
-}
-
-// UpdateLastActivity sets the current timestamp to avoid the tunnel timeout
-func (s *Service) UpdateLastActivity(endpointID portainer.EndpointID) {
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	if tun, ok := s.activeTunnels[endpointID]; ok {
-		tun.LastActivity = time.Now()
-	}
-}
-
 // NOTE: it needs to be called with the lock acquired
 // getUnusedPort is used to generate an unused random port in the dynamic port range.
 // Dynamic ports (also called private ports) are 49152 to 65535.
 func (service *Service) getUnusedPort() int {
 	port := randomInt(minAvailablePort, maxAvailablePort)

-	for _, tunnel := range service.activeTunnels {
+	for _, tunnel := range service.tunnelDetailsMap {
 		if tunnel.Port == port {
 			return service.getUnusedPort()
 		}
 	}

-	conn, err := net.DialTCP("tcp", nil, &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: port})
-	if err == nil {
-		conn.Close()
-
-		log.Debug().
-			Int("port", port).
-			Msg("selected port is in use, trying a different one")
-
-		return service.getUnusedPort()
-	}
-
 	return port
 }

@@ -206,10 +39,152 @@ func randomInt(min, max int) int {
 	return min + rand.Intn(max-min)
 }

+// NOTE: it needs to be called with the lock acquired
+func (service *Service) getTunnelDetails(endpointID portainer.EndpointID) *portainer.TunnelDetails {
+
+	if tunnel, ok := service.tunnelDetailsMap[endpointID]; ok {
+		return tunnel
+	}
+
+	tunnel := &portainer.TunnelDetails{
+		Status: portainer.EdgeAgentIdle,
+	}
+
+	service.tunnelDetailsMap[endpointID] = tunnel
+
+	cache.Del(endpointID)
+
+	return tunnel
+}
+
+// GetTunnelDetails returns information about the tunnel associated to an environment(endpoint).
+func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) portainer.TunnelDetails {
+	service.mu.Lock()
+	defer service.mu.Unlock()
+
+	return *service.getTunnelDetails(endpointID)
+}
+
+// GetActiveTunnel retrieves an active tunnel which allows communicating with edge agent
+func (service *Service) GetActiveTunnel(endpoint *portainer.Endpoint) (portainer.TunnelDetails, error) {
+	if endpoint.Edge.AsyncMode {
+		return portainer.TunnelDetails{}, errors.New("cannot open tunnel on async endpoint")
+	}
+
+	tunnel := service.GetTunnelDetails(endpoint.ID)
+
+	if tunnel.Status == portainer.EdgeAgentActive {
+		// update the LastActivity
+		service.SetTunnelStatusToActive(endpoint.ID)
+	}
+
+	if tunnel.Status == portainer.EdgeAgentIdle || tunnel.Status == portainer.EdgeAgentManagementRequired {
+		err := service.SetTunnelStatusToRequired(endpoint.ID)
+		if err != nil {
+			return portainer.TunnelDetails{}, fmt.Errorf("failed opening tunnel to endpoint: %w", err)
+		}
+
+		if endpoint.EdgeCheckinInterval == 0 {
+			settings, err := service.dataStore.Settings().Settings()
+			if err != nil {
+				return portainer.TunnelDetails{}, fmt.Errorf("failed fetching settings from db: %w", err)
+			}
+
+			endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
+		}
+
+		time.Sleep(2 * time.Duration(endpoint.EdgeCheckinInterval) * time.Second)
+	}
+
+	return service.GetTunnelDetails(endpoint.ID), nil
+}
+
+// SetTunnelStatusToActive update the status of the tunnel associated to the specified environment(endpoint).
+// It sets the status to ACTIVE.
+func (service *Service) SetTunnelStatusToActive(endpointID portainer.EndpointID) {
+	service.mu.Lock()
+	tunnel := service.getTunnelDetails(endpointID)
+	tunnel.Status = portainer.EdgeAgentActive
+	tunnel.Credentials = ""
+	tunnel.LastActivity = time.Now()
+	service.mu.Unlock()
+
+	cache.Del(endpointID)
+}
+
+// SetTunnelStatusToIdle update the status of the tunnel associated to the specified environment(endpoint).
+// It sets the status to IDLE.
+// It removes any existing credentials associated to the tunnel.
+func (service *Service) SetTunnelStatusToIdle(endpointID portainer.EndpointID) {
+	service.mu.Lock()
+
+	tunnel := service.getTunnelDetails(endpointID)
+	tunnel.Status = portainer.EdgeAgentIdle
+	tunnel.Port = 0
+	tunnel.LastActivity = time.Now()
+
+	credentials := tunnel.Credentials
+	if credentials != "" {
+		tunnel.Credentials = ""
+
+		if service.chiselServer != nil {
+			service.chiselServer.DeleteUser(strings.Split(credentials, ":")[0])
+		}
+	}
+
+	service.ProxyManager.DeleteEndpointProxy(endpointID)
+
+	service.mu.Unlock()
+
+	cache.Del(endpointID)
+}
+
+// SetTunnelStatusToRequired update the status of the tunnel associated to the specified environment(endpoint).
+// It sets the status to REQUIRED.
+// If no port is currently associated to the tunnel, it will associate a random unused port to the tunnel
+// and generate temporary credentials that can be used to establish a reverse tunnel on that port.
+// Credentials are encrypted using the Edge ID associated to the environment(endpoint).
+func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointID) error {
+	defer cache.Del(endpointID)
+
+	tunnel := service.getTunnelDetails(endpointID)
+
+	service.mu.Lock()
+	defer service.mu.Unlock()
+
+	if tunnel.Port == 0 {
+		endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+		if err != nil {
+			return err
+		}
+
+		tunnel.Status = portainer.EdgeAgentManagementRequired
+		tunnel.Port = service.getUnusedPort()
+		tunnel.LastActivity = time.Now()
+
+		username, password := generateRandomCredentials()
+		authorizedRemote := fmt.Sprintf("^R:0.0.0.0:%d$", tunnel.Port)
+
+		if service.chiselServer != nil {
+			err = service.chiselServer.AddUser(username, password, authorizedRemote)
+			if err != nil {
+				return err
+			}
+		}
+
+		credentials, err := encryptCredentials(username, password, endpoint.EdgeID)
+		if err != nil {
+			return err
+		}
+		tunnel.Credentials = credentials
+	}
+
+	return nil
+}
+
 func generateRandomCredentials() (string, string) {
 	username := uniuri.NewLen(8)
 	password := uniuri.NewLen(8)
-
 	return username, password
 }

--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -34,6 +34,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		TunnelPort:                kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
 		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
+		DemoEnvironment:           kingpin.Flag("demo", "Demo environment").Bool(),
 		EndpointURL:               kingpin.Flag("host", "Environment URL").Short('H').String(),
 		FeatureFlags:              kingpin.Flag("feat", "List of feature flags").Strings(),
 		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
@@ -61,7 +62,7 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		MaxBatchDelay:             kingpin.Flag("max-batch-delay", "Maximum delay before a batch starts").Duration(),
 		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
-		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
+		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("PRETTY", "JSON"),
 	}

 	kingpin.Parse()
--- a/api/cmd/portainer/log.go
+++ b/api/cmd/portainer/log.go
@@ -42,13 +42,6 @@ func setLoggingMode(mode string) {
 			TimeFormat:    "2006/01/02 03:04PM",
 			FormatMessage: formatMessage,
 		})
-	case "NOCOLOR":
-		log.Logger = log.Output(zerolog.ConsoleWriter{
-			Out:           os.Stderr,
-			TimeFormat:    "2006/01/02 03:04PM",
-			FormatMessage: formatMessage,
-			NoColor:       true,
-		})
 	case "JSON":
 		log.Logger = log.Output(os.Stderr)
 	}
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -19,7 +19,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/datastore/migrator"
-	"github.com/portainer/portainer/api/datastore/postinit"
+	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/docker"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/exec"
@@ -42,8 +42,6 @@ import (
 	"github.com/portainer/portainer/api/ldap"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
-	"github.com/portainer/portainer/api/pendingactions/actions"
-	"github.com/portainer/portainer/api/pendingactions/handlers"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
 	"github.com/portainer/portainer/pkg/featureflags"
@@ -459,11 +457,19 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	authorizationService := authorization.NewService(dataStore)
 	authorizationService.K8sClientFactory = kubernetesClientFactory

+	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory, authorizationService, shutdownCtx)
+
+	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx, pendingActionsService)
+	if err != nil {
+		log.Fatal().Err(err).Msg("failed initializing snapshot service")
+	}
+	snapshotService.Start()
+
 	kubernetesTokenCacheManager := kubeproxy.NewTokenCacheManager()

 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService(*flags.BaseURL, *flags.AddrHTTPS, sslSettings.CertPath)

-	proxyManager := proxy.NewManager(kubernetesClientFactory)
+	proxyManager := proxy.NewManager(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService)

 	reverseTunnelService.ProxyManager = proxyManager

@@ -483,19 +489,6 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, proxyManager, *flags.Assets)

-	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory)
-	pendingActionsService.RegisterHandler(actions.CleanNAPWithOverridePolicies, handlers.NewHandlerCleanNAPWithOverridePolicies(authorizationService, dataStore))
-	pendingActionsService.RegisterHandler(actions.DeletePortainerK8sRegistrySecrets, handlers.NewHandlerDeleteRegistrySecrets(authorizationService, dataStore, kubernetesClientFactory))
-	pendingActionsService.RegisterHandler(actions.PostInitMigrateEnvironment, handlers.NewHandlerPostInitMigrateEnvironment(authorizationService, dataStore, kubernetesClientFactory, dockerClientFactory, *flags.Assets, kubernetesDeployer))
-
-	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx, pendingActionsService)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed initializing snapshot service")
-	}
-	snapshotService.Start()
-
-	proxyManager.NewProxyFactory(dataStore, digitalSignatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
-
 	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
@@ -508,6 +501,14 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	applicationStatus := initStatus(instanceID)

+	demoService := demo.NewService()
+	if *flags.DemoEnvironment {
+		err := demoService.Init(dataStore, cryptoService)
+		if err != nil {
+			log.Fatal().Err(err).Msg("failed initializing demo environment")
+		}
+	}
+
 	// channel to control when the admin user is created
 	adminCreationDone := make(chan struct{}, 1)

@@ -577,12 +578,10 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	// but some more complex migrations require access to a kubernetes or docker
 	// client. Therefore we run a separate migration process just before
 	// starting the server.
-	postInitMigrator := postinit.NewPostInitMigrator(
+	postInitMigrator := datastore.NewPostInitMigrator(
 		kubernetesClientFactory,
 		dockerClientFactory,
 		dataStore,
-		*flags.Assets,
-		kubernetesDeployer,
 	)
 	if err := postInitMigrator.PostInitMigrate(); err != nil {
 		log.Fatal().Err(err).Msg("failure during post init migrations")
@@ -622,6 +621,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		ShutdownCtx:                 shutdownCtx,
 		ShutdownTrigger:             shutdownTrigger,
 		StackDeployer:               stackDeployer,
+		DemoService:                 demoService,
 		UpgradeService:              upgradeService,
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
@@ -650,7 +650,6 @@ func main() {
 			Msg("starting Portainer")

 		err := server.Start()
-
 		log.Info().Err(err).Msg("HTTP server exited")
 	}
 }
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -1,216 +1,52 @@
 package crypto

 import (
-	"bufio"
-	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/rand"
-	"errors"
-	"fmt"
 	"io"

-	"golang.org/x/crypto/argon2"
 	"golang.org/x/crypto/scrypt"
 )

-const (
-	// AES GCM settings
-	aesGcmHeader    = "AES256-GCM" // The encrypted file header
-	aesGcmBlockSize = 1024 * 1024  // 1MB block for aes gcm
+// NOTE: has to go with what is considered to be a simplistic in that it omits any
+// authentication of the encrypted data.
+// Person with better knowledge is welcomed to improve it.
+// sourced from https://golang.org/src/crypto/cipher/example_test.go

-	// Argon2 settings
-	// Recommded settings lower memory hardware according to current OWASP recommendations
-	// Considering some people run portainer on a NAS I think it's prudent not to assume we're on server grade hardware
-	// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
-	argon2MemoryCost = 12 * 1024
-	argon2TimeCost   = 3
-	argon2Threads    = 1
-	argon2KeyLength  = 32
-)
+var emptySalt []byte = make([]byte, 0)

-// AesEncrypt reads from input, encrypts with AES-256 and writes to output. passphrase is used to generate an encryption key
-func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
-	err := aesEncryptGCM(input, output, passphrase)
-	if err != nil {
-		return fmt.Errorf("error encrypting file: %w", err)
-	}
-
-	return nil
-}
-
-// AesDecrypt reads from input, decrypts with AES-256 and returns the reader to read the decrypted content from
-func AesDecrypt(input io.Reader, passphrase []byte) (io.Reader, error) {
-	// Read file header to determine how it was encrypted
-	inputReader := bufio.NewReader(input)
-	header, err := inputReader.Peek(len(aesGcmHeader))
-	if err != nil {
-		return nil, fmt.Errorf("error reading encrypted backup file header: %w", err)
-	}
-
-	if string(header) == aesGcmHeader {
-		reader, err := aesDecryptGCM(inputReader, passphrase)
-		if err != nil {
-			return nil, fmt.Errorf("error decrypting file: %w", err)
-		}
-
-		return reader, nil
-	}
-
-	// Use the previous decryption routine which has no header (to support older archives)
-	reader, err := aesDecryptOFB(inputReader, passphrase)
-	if err != nil {
-		return nil, fmt.Errorf("error decrypting legacy file backup: %w", err)
-	}
-
-	return reader, nil
-}
-
-// aesEncryptGCM reads from input, encrypts with AES-256 and writes to output. passphrase is used to generate an encryption key.
-func aesEncryptGCM(input io.Reader, output io.Writer, passphrase []byte) error {
-	// Derive key using argon2 with a random salt
-	salt := make([]byte, 16) // 16 bytes salt
-	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
-		return err
-	}
-
-	key := argon2.IDKey(passphrase, salt, argon2TimeCost, argon2MemoryCost, argon2Threads, 32)
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return err
-	}
-
-	aesgcm, err := cipher.NewGCM(block)
-	if err != nil {
-		return err
-	}
-
-	// Generate nonce
-	nonce, err := NewRandomNonce(aesgcm.NonceSize())
-	if err != nil {
-		return err
-	}
-
-	// write the header
-	if _, err := output.Write([]byte(aesGcmHeader)); err != nil {
-		return err
-	}
-
-	// Write nonce and salt to the output file
-	if _, err := output.Write(salt); err != nil {
-		return err
-	}
-	if _, err := output.Write(nonce.Value()); err != nil {
-		return err
-	}
-
-	// Buffer for reading plaintext blocks
-	buf := make([]byte, aesGcmBlockSize) // Adjust buffer size as needed
-	ciphertext := make([]byte, len(buf)+aesgcm.Overhead())
-
-	// Encrypt plaintext in blocks
-	for {
-		n, err := io.ReadFull(input, buf)
-		if n == 0 {
-			break // end of plaintext input
-		}
-
-		if err != nil && !(errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)) {
-			return err
-		}
-
-		// Seal encrypts the plaintext using the nonce returning the updated slice.
-		ciphertext = aesgcm.Seal(ciphertext[:0], nonce.Value(), buf[:n], nil)
-
-		_, err = output.Write(ciphertext)
-		if err != nil {
-			return err
-		}
-
-		nonce.Increment()
-	}
-
-	return nil
-}
-
-// aesDecryptGCM reads from input, decrypts with AES-256 and returns the reader to read the decrypted content from.
-func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
-	// Reader & verify header
-	header := make([]byte, len(aesGcmHeader))
-	if _, err := io.ReadFull(input, header); err != nil {
-		return nil, err
-	}
-
-	if string(header) != aesGcmHeader {
-		return nil, fmt.Errorf("invalid header")
-	}
-
-	// Read salt
-	salt := make([]byte, 16) // Salt size
-	if _, err := io.ReadFull(input, salt); err != nil {
-		return nil, err
-	}
-
-	key := argon2.IDKey(passphrase, salt, argon2TimeCost, argon2MemoryCost, argon2Threads, 32)
-
-	// Initialize AES cipher block
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// Create GCM mode with the cipher block
-	aesgcm, err := cipher.NewGCM(block)
-	if err != nil {
-		return nil, err
-	}
-
-	// Read nonce from the input reader
-	nonce := NewNonce(aesgcm.NonceSize())
-	if err := nonce.Read(input); err != nil {
-		return nil, err
-	}
-
-	// Initialize a buffer to store decrypted data
-	buf := bytes.Buffer{}
-	plaintext := make([]byte, aesGcmBlockSize)
-
-	// Decrypt the ciphertext in blocks
-	for {
-		// Read a block of ciphertext from the input reader
-		ciphertextBlock := make([]byte, aesGcmBlockSize+aesgcm.Overhead()) // Adjust block size as needed
-		n, err := io.ReadFull(input, ciphertextBlock)
-		if n == 0 {
-			break // end of ciphertext
-		}
-
-		if err != nil && !(errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)) {
-			return nil, err
-		}
-
-		// Decrypt the block of ciphertext
-		plaintext, err = aesgcm.Open(plaintext[:0], nonce.Value(), ciphertextBlock[:n], nil)
-		if err != nil {
-			return nil, err
-		}
-
-		_, err = buf.Write(plaintext)
-		if err != nil {
-			return nil, err
-		}
-
-		nonce.Increment()
-	}
-
-	return &buf, nil
-}
-
-// aesDecryptOFB reads from input, decrypts with AES-256 and returns the reader to a read decrypted content from.
+// AesEncrypt reads from input, encrypts with AES-256 and writes to the output.
 // passphrase is used to generate an encryption key.
-// note: This function used to decrypt files that were encrypted without a header i.e. old archives
-func aesDecryptOFB(input io.Reader, passphrase []byte) (io.Reader, error) {
-	var emptySalt []byte = make([]byte, 0)
+func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
+	// making a 32 bytes key that would correspond to AES-256
+	// don't necessarily need a salt, so just kept in empty
+	key, err := scrypt.Key(passphrase, emptySalt, 32768, 8, 1, 32)
+	if err != nil {
+		return err
+	}

+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return err
+	}
+
+	// If the key is unique for each ciphertext, then it's ok to use a zero
+	// IV.
+	var iv [aes.BlockSize]byte
+	stream := cipher.NewOFB(block, iv[:])
+
+	writer := &cipher.StreamWriter{S: stream, W: output}
+	// Copy the input to the output, encrypting as we go.
+	if _, err := io.Copy(writer, input); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// AesDecrypt reads from input, decrypts with AES-256 and returns the reader to a read decrypted content from.
+// passphrase is used to generate an encryption key.
+func AesDecrypt(input io.Reader, passphrase []byte) (io.Reader, error) {
 	// making a 32 bytes key that would correspond to AES-256
 	// don't necessarily need a salt, so just kept in empty
 	key, err := scrypt.Key(passphrase, emptySalt, 32768, 8, 1, 32)
@@ -223,9 +59,11 @@ func aesDecryptOFB(input io.Reader, passphrase []byte) (io.Reader, error) {
 		return nil, err
 	}

-	// If the key is unique for each ciphertext, then it's ok to use a zero IV.
+	// If the key is unique for each ciphertext, then it's ok to use a zero
+	// IV.
 	var iv [aes.BlockSize]byte
 	stream := cipher.NewOFB(block, iv[:])
+
 	reader := &cipher.StreamReader{S: stream, R: input}

 	return reader, nil
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@@ -2,7 +2,6 @@ package crypto

 import (
 	"io"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"testing"
@@ -10,19 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-
-func randBytes(n int) []byte {
-	b := make([]byte, n)
-	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
-	}
-	return b
-}
-
 func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
-	const passphrase = "passphrase"
-
 	tmpdir := t.TempDir()

 	var (
@@ -31,99 +18,17 @@ func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
 	)

-	content := randBytes(1024*1024*100 + 523)
-	os.WriteFile(originFilePath, content, 0600)
-
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
-
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
-
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte(passphrase))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedFileWriter.Close()
-
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
-
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
-
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
-
-	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(passphrase))
-	assert.Nil(t, err, "Failed to decrypt file")
-
-	io.Copy(decryptedFileWriter, decryptedReader)
-
-	decryptedContent, _ := os.ReadFile(decryptedFilePath)
-	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
-}
-
-func Test_encryptAndDecrypt_withStrongPassphrase(t *testing.T) {
-	const passphrase = "A strong passphrase with special characters: !@#$%^&*()_+"
-	tmpdir := t.TempDir()
-
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin2")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted2")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted2")
-	)
-
-	content := randBytes(500)
-	os.WriteFile(originFilePath, content, 0600)
-
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
-
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
-
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte(passphrase))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedFileWriter.Close()
-
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
-
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
-
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
-
-	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(passphrase))
-	assert.Nil(t, err, "Failed to decrypt file")
-
-	io.Copy(decryptedFileWriter, decryptedReader)
-
-	decryptedContent, _ := os.ReadFile(decryptedFilePath)
-	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
-}
-
-func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {
-	tmpdir := t.TempDir()
-
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin2")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted2")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted2")
-	)
-
-	content := randBytes(500)
+	content := []byte("content")
 	os.WriteFile(originFilePath, content, 0600)

 	originFile, _ := os.Open(originFilePath)
 	defer originFile.Close()

 	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+	defer encryptedFileWriter.Close()

 	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
 	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedFileWriter.Close()
-
 	encryptedContent, err := os.ReadFile(encryptedFilePath)
 	assert.Nil(t, err, "Couldn't read encrypted file")
 	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
@@ -152,7 +57,7 @@ func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
 		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
 	)

-	content := randBytes(1024 * 50)
+	content := []byte("content")
 	os.WriteFile(originFilePath, content, 0600)

 	originFile, _ := os.Open(originFilePath)
@@ -191,7 +96,7 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
 	)

-	content := randBytes(1034)
+	content := []byte("content")
 	os.WriteFile(originFilePath, content, 0600)

 	originFile, _ := os.Open(originFilePath)
@@ -212,6 +117,11 @@ func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T)
 	decryptedFileWriter, _ := os.Create(decryptedFilePath)
 	defer decryptedFileWriter.Close()

-	_, err = AesDecrypt(encryptedFileReader, []byte("garbage"))
-	assert.NotNil(t, err, "Should not allow decrypt with wrong passphrase")
+	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte("garbage"))
+	assert.Nil(t, err, "Should allow to decrypt with wrong passphrase")
+
+	io.Copy(decryptedFileWriter, decryptedReader)
+
+	decryptedContent, _ := os.ReadFile(decryptedFilePath)
+	assert.NotEqual(t, content, decryptedContent, "Original and decrypted content should NOT match")
 }
--- a/api/crypto/nonce.go
+++ b/api/crypto/nonce.go
@@ -1,61 +0,0 @@
-package crypto
-
-import (
-	"crypto/rand"
-	"errors"
-	"io"
-)
-
-type Nonce struct {
-	val []byte
-}
-
-func NewNonce(size int) *Nonce {
-	return &Nonce{val: make([]byte, size)}
-}
-
-// NewRandomNonce generates a new initial nonce with the lower byte set to a random value
-// This ensures there are plenty of nonce values availble before rolling over
-// Based on ideas from the Secure Programming Cookbook for C and C++ by John Viega, Matt Messier
-// https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html
-func NewRandomNonce(size int) (*Nonce, error) {
-	randomBytes := 1
-	if size <= randomBytes {
-		return nil, errors.New("nonce size must be greater than the number of random bytes")
-	}
-
-	randomPart := make([]byte, randomBytes)
-	if _, err := rand.Read(randomPart); err != nil {
-		return nil, err
-	}
-
-	zeroPart := make([]byte, size-randomBytes)
-	nonceVal := append(randomPart, zeroPart...)
-	return &Nonce{val: nonceVal}, nil
-}
-
-func (n *Nonce) Read(stream io.Reader) error {
-	_, err := io.ReadFull(stream, n.val)
-	return err
-}
-
-func (n *Nonce) Value() []byte {
-	return n.val
-}
-
-func (n *Nonce) Increment() error {
-	// Start incrementing from the least significant byte
-	for i := len(n.val) - 1; i >= 0; i-- {
-		// Increment the current byte
-		n.val[i]++
-
-		// Check for overflow
-		if n.val[i] != 0 {
-			// No overflow, nonce is successfully incremented
-			return nil
-		}
-	}
-
-	// If we reach here, it means the nonce has overflowed
-	return errors.New("nonce overflow")
-}
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -22,12 +22,6 @@ func CreateTLSConfiguration() *tls.Config {
 			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
 			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
-			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 		},
 	}
 }
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -8,7 +8,6 @@ import (
 	"math"
 	"os"
 	"path"
-	"strconv"
 	"time"

 	portainer "github.com/portainer/portainer/api"
@@ -74,6 +73,7 @@ func (connection *DbConnection) IsEncryptedStore() bool {
 // NeedsEncryptionMigration returns true if database encryption is enabled and
 // we have an un-encrypted DB that requires migration to an encrypted DB
 func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
+
 	// Cases:  Note, we need to check both portainer.db and portainer.edb
 	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5

@@ -121,11 +121,11 @@ func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {

 // Open opens and initializes the BoltDB database.
 func (connection *DbConnection) Open() error {
+
 	log.Info().Str("filename", connection.GetDatabaseFileName()).Msg("loading PortainerDB")

 	// Now we open the db
 	databasePath := connection.GetDatabaseFilePath()
-
 	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
@@ -178,7 +178,6 @@ func (connection *DbConnection) ViewTx(fn func(portainer.Transaction) error) err
 func (connection *DbConnection) BackupTo(w io.Writer) error {
 	return connection.View(func(tx *bolt.Tx) error {
 		_, err := tx.WriteTo(w)
-
 		return err
 	})
 }
@@ -193,7 +192,6 @@ func (connection *DbConnection) ExportRaw(filename string) error {
 	if err != nil {
 		return err
 	}
-
 	return os.WriteFile(filename, b, 0600)
 }

@@ -214,7 +212,7 @@ func keyToString(b []byte) string {

 	v := binary.BigEndian.Uint64(b)
 	if v <= math.MaxInt32 {
-		return strconv.FormatUint(v, 10)
+		return fmt.Sprintf("%d", v)
 	}

 	return string(b)
@@ -323,22 +321,22 @@ func (connection *DbConnection) CreateObjectWithStringId(bucketName string, id [
 	})
 }

-func (connection *DbConnection) GetAll(bucketName string, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
+func (connection *DbConnection) GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAll(bucketName, obj, appendFn)
+		return tx.GetAll(bucketName, obj, append)
 	})
 }

 // TODO: decide which Unmarshal to use, and use one...
-func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
+func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAllWithJsoniter(bucketName, obj, appendFn)
+		return tx.GetAllWithJsoniter(bucketName, obj, append)
 	})
 }

-func (connection *DbConnection) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, appendFn func(o interface{}) (interface{}, error)) error {
+func (connection *DbConnection) GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj interface{}, append func(o interface{}) (interface{}, error)) error {
 	return connection.ViewTx(func(tx portainer.Transaction) error {
-		return tx.GetAllWithKeyPrefix(bucketName, keyPrefix, obj, appendFn)
+		return tx.GetAllWithKeyPrefix(bucketName, keyPrefix, obj, append)
 	})
 }

@@ -347,13 +345,14 @@ func (connection *DbConnection) BackupMetadata() (map[string]interface{}, error)
 	buckets := map[string]interface{}{}

 	err := connection.View(func(tx *bolt.Tx) error {
-		return tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
+		err := tx.ForEach(func(name []byte, bucket *bolt.Bucket) error {
 			bucketName := string(name)
 			seqId := bucket.Sequence()
 			buckets[bucketName] = int(seqId)
-
 			return nil
 		})
+
+		return err
 	})

 	return buckets, err
@@ -367,7 +366,6 @@ func (connection *DbConnection) RestoreMetadata(s map[string]interface{}) error
 		id, ok := v.(float64) // JSON ints are unmarshalled to interface as float64. See: https://pkg.go.dev/encoding/json#Decoder.Decode
 		if !ok {
 			log.Error().Str("bucket", bucketName).Msg("failed to restore metadata to bucket, skipped")
-
 			continue
 		}

--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -5,13 +5,14 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"fmt"
 	"io"

 	"github.com/pkg/errors"
 	"github.com/segmentio/encoding/json"
 )

-var errEncryptedStringTooShort = errors.New("encrypted string too short")
+var errEncryptedStringTooShort = fmt.Errorf("encrypted string too short")

 // MarshalObject encodes an object to binary format
 func (connection *DbConnection) MarshalObject(object interface{}) ([]byte, error) {
@@ -69,20 +70,22 @@ func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error)
 	if err != nil {
 		return encrypted, err
 	}
-
 	nonce := make([]byte, gcm.NonceSize())
 	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
 		return encrypted, err
 	}
-
-	return gcm.Seal(nonce, nonce, plaintext, nil), nil
+	ciphertextByte := gcm.Seal(
+		nonce,
+		nonce,
+		plaintext,
+		nil)
+	return ciphertextByte, nil
 }

 func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
 	if string(encrypted) == "false" {
 		return []byte("false"), nil
 	}
-
 	block, err := aes.NewCipher(passphrase)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error creating cypher block")
@@ -99,8 +102,11 @@ func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err err
 	}

 	nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
-
-	plaintextByte, err = gcm.Open(nil, nonce, ciphertextByteClean, nil)
+	plaintextByte, err = gcm.Open(
+		nil,
+		nonce,
+		ciphertextByteClean,
+		nil)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error decrypting text")
 	}
--- a/api/database/boltdb/tx.go
+++ b/api/database/boltdb/tx.go
@@ -74,10 +74,9 @@ func (tx *DbTransaction) DeleteAllObjects(bucketName string, obj interface{}, ma

 func (tx *DbTransaction) GetNextIdentifier(bucketName string) int {
 	bucket := tx.tx.Bucket([]byte(bucketName))
-
 	id, err := bucket.NextSequence()
 	if err != nil {
-		log.Error().Err(err).Str("bucket", bucketName).Msg("failed to get the next identifier")
+		log.Error().Err(err).Str("bucket", bucketName).Msg("failed to get the next identifer")
 		return 0
 	}

--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -36,7 +36,6 @@ type (
 	}

 	DataStore interface {
-		Connection() portainer.Connection
 		Open() (newStore bool, err error)
 		Init() error
 		Close() error
@@ -72,9 +71,8 @@ type (
 	}

 	PendingActionsService interface {
-		BaseCRUD[portainer.PendingAction, portainer.PendingActionID]
+		BaseCRUD[portainer.PendingActions, portainer.PendingActionsID]
 		GetNextIdentifier() int
-		DeleteByEndpointID(ID portainer.EndpointID) error
 	}

 	// EdgeStackService represents a service to manage Edge stacks
--- a/api/dataservices/pendingactions/pendingactions.go
+++ b/api/dataservices/pendingactions/pendingactions.go
@@ -1,12 +1,10 @@
 package pendingactions

 import (
-	"fmt"
 	"time"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/rs/zerolog/log"
 )

 const (
@@ -14,11 +12,11 @@ const (
 )

 type Service struct {
-	dataservices.BaseDataService[portainer.PendingAction, portainer.PendingActionID]
+	dataservices.BaseDataService[portainer.PendingActions, portainer.PendingActionsID]
 }

 type ServiceTx struct {
-	dataservices.BaseDataServiceTx[portainer.PendingAction, portainer.PendingActionID]
+	dataservices.BaseDataServiceTx[portainer.PendingActions, portainer.PendingActionsID]
 }

 func NewService(connection portainer.Connection) (*Service, error) {
@@ -28,34 +26,28 @@ func NewService(connection portainer.Connection) (*Service, error) {
 	}

 	return &Service{
-		BaseDataService: dataservices.BaseDataService[portainer.PendingAction, portainer.PendingActionID]{
+		BaseDataService: dataservices.BaseDataService[portainer.PendingActions, portainer.PendingActionsID]{
 			Bucket:     BucketName,
 			Connection: connection,
 		},
 	}, nil
 }

-func (s Service) Create(config *portainer.PendingAction) error {
+func (s Service) Create(config *portainer.PendingActions) error {
 	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
 		return s.Tx(tx).Create(config)
 	})
 }

-func (s Service) Update(ID portainer.PendingActionID, config *portainer.PendingAction) error {
+func (s Service) Update(ID portainer.PendingActionsID, config *portainer.PendingActions) error {
 	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
 		return s.Tx(tx).Update(ID, config)
 	})
 }

-func (s Service) DeleteByEndpointID(ID portainer.EndpointID) error {
-	return s.Connection.UpdateTx(func(tx portainer.Transaction) error {
-		return s.Tx(tx).DeleteByEndpointID(ID)
-	})
-}
-
 func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 	return ServiceTx{
-		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.PendingAction, portainer.PendingActionID]{
+		BaseDataServiceTx: dataservices.BaseDataServiceTx[portainer.PendingActions, portainer.PendingActionsID]{
 			Bucket:     BucketName,
 			Connection: service.Connection,
 			Tx:         tx,
@@ -63,42 +55,19 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 	}
 }

-func (s ServiceTx) Create(config *portainer.PendingAction) error {
+func (s ServiceTx) Create(config *portainer.PendingActions) error {
 	return s.Tx.CreateObject(BucketName, func(id uint64) (int, interface{}) {
-		config.ID = portainer.PendingActionID(id)
+		config.ID = portainer.PendingActionsID(id)
 		config.CreatedAt = time.Now().Unix()

 		return int(config.ID), config
 	})
 }

-func (s ServiceTx) Update(ID portainer.PendingActionID, config *portainer.PendingAction) error {
+func (s ServiceTx) Update(ID portainer.PendingActionsID, config *portainer.PendingActions) error {
 	return s.BaseDataServiceTx.Update(ID, config)
 }

-func (s ServiceTx) DeleteByEndpointID(ID portainer.EndpointID) error {
-	log.Debug().Int("endpointId", int(ID)).Msg("deleting pending actions for endpoint")
-	pendingActions, err := s.BaseDataServiceTx.ReadAll()
-	if err != nil {
-		return fmt.Errorf("failed to retrieve pending-actions for endpoint (%d): %w", ID, err)
-	}
-
-	for _, pendingAction := range pendingActions {
-		if pendingAction.EndpointID == ID {
-			err := s.BaseDataServiceTx.Delete(pendingAction.ID)
-			if err != nil {
-				log.Debug().Int("endpointId", int(ID)).Msgf("failed to delete pending action: %v", err)
-			}
-		}
-	}
-	return nil
-}
-
-// GetNextIdentifier returns the next identifier for a custom template.
-func (service ServiceTx) GetNextIdentifier() int {
-	return service.Tx.GetNextIdentifier(BucketName)
-}
-
 // GetNextIdentifier returns the next identifier for a custom template.
 func (service *Service) GetNextIdentifier() int {
 	return service.Connection.GetNextIdentifier(BucketName)
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -86,7 +86,6 @@ func (store *Store) newMigratorParameters(version *models.Version) *migrator.Mig
 		EdgeStackService:        store.EdgeStackService,
 		EdgeJobService:          store.EdgeJobService,
 		TunnelServerService:     store.TunnelServerService,
-		PendingActionsService:   store.PendingActionsService,
 	}
 }

--- a/api/datastore/migrate_legacyversion.go
+++ b/api/datastore/migrate_legacyversion.go
@@ -99,7 +99,7 @@ func (store *Store) getOrMigrateLegacyVersion() (*models.Version, error) {
 	return &models.Version{
 		SchemaVersion: dbVersionToSemanticVersion(dbVersion),
 		Edition:       edition,
-		InstanceID:    instanceId,
+		InstanceID:    string(instanceId),
 	}, nil
 }

--- a/api/datastore/migrate_post_init.go
+++ b/api/datastore/migrate_post_init.go
@@ -0,0 +1,117 @@
+package datastore
+
+import (
+	"context"
+
+	"github.com/docker/docker/api/types"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	dockerclient "github.com/portainer/portainer/api/docker/client"
+	"github.com/portainer/portainer/api/kubernetes/cli"
+
+	"github.com/rs/zerolog/log"
+)
+
+type PostInitMigrator struct {
+	kubeFactory   *cli.ClientFactory
+	dockerFactory *dockerclient.ClientFactory
+	dataStore     dataservices.DataStore
+}
+
+func NewPostInitMigrator(kubeFactory *cli.ClientFactory, dockerFactory *dockerclient.ClientFactory, dataStore dataservices.DataStore) *PostInitMigrator {
+	return &PostInitMigrator{
+		kubeFactory:   kubeFactory,
+		dockerFactory: dockerFactory,
+		dataStore:     dataStore,
+	}
+}
+
+func (migrator *PostInitMigrator) PostInitMigrate() error {
+	if err := migrator.PostInitMigrateIngresses(); err != nil {
+		return err
+	}
+
+	migrator.PostInitMigrateGPUs()
+
+	return nil
+}
+
+func (migrator *PostInitMigrator) PostInitMigrateIngresses() error {
+	endpoints, err := migrator.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for i := range endpoints {
+		// Early exit if we do not need to migrate!
+		if !endpoints[i].PostInitMigrations.MigrateIngresses {
+			return nil
+		}
+
+		err := migrator.kubeFactory.MigrateEndpointIngresses(&endpoints[i])
+		if err != nil {
+			log.Debug().Err(err).Msg("failure migrating endpoint ingresses")
+		}
+	}
+
+	return nil
+}
+
+// PostInitMigrateGPUs will check all docker endpoints for containers with GPUs and set EnableGPUManagement to true if any are found
+// If there's an error getting the containers, we'll log it and move on
+func (migrator *PostInitMigrator) PostInitMigrateGPUs() {
+	environments, err := migrator.dataStore.Endpoint().Endpoints()
+	if err != nil {
+		log.Err(err).Msg("failure getting endpoints")
+		return
+	}
+
+	for i := range environments {
+		if environments[i].Type == portainer.DockerEnvironment {
+			// // Early exit if we do not need to migrate!
+			if !environments[i].PostInitMigrations.MigrateGPUs {
+				return
+			}
+
+			// set the MigrateGPUs flag to false so we don't run this again
+			environments[i].PostInitMigrations.MigrateGPUs = false
+			migrator.dataStore.Endpoint().UpdateEndpoint(environments[i].ID, &environments[i])
+
+			// create a docker client
+			dockerClient, err := migrator.dockerFactory.CreateClient(&environments[i], "", nil)
+			if err != nil {
+				log.Err(err).Msg("failure creating docker client for environment: " + environments[i].Name)
+				return
+			}
+			defer dockerClient.Close()
+
+			// get all containers
+			containers, err := dockerClient.ContainerList(context.Background(), types.ContainerListOptions{All: true})
+			if err != nil {
+				log.Err(err).Msg("failed to list containers")
+				return
+			}
+
+			// check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole endpoint
+		containersLoop:
+			for _, container := range containers {
+				// https://www.sobyte.net/post/2022-10/go-docker/ has nice documentation on the docker client with GPUs
+				containerDetails, err := dockerClient.ContainerInspect(context.Background(), container.ID)
+				if err != nil {
+					log.Err(err).Msg("failed to inspect container")
+					return
+				}
+
+				deviceRequests := containerDetails.HostConfig.Resources.DeviceRequests
+				for _, deviceRequest := range deviceRequests {
+					if deviceRequest.Driver == "nvidia" {
+						environments[i].EnableGPUManagement = true
+						migrator.dataStore.Endpoint().UpdateEndpoint(environments[i].ID, &environments[i])
+
+						break containersLoop
+					}
+				}
+			}
+		}
+	}
+}
--- a/api/datastore/migrator/migrate_dbversion111.go
+++ b/api/datastore/migrator/migrate_dbversion111.go
@@ -1,32 +0,0 @@
-package migrator
-
-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/rs/zerolog/log"
-)
-
-func (migrator *Migrator) cleanPendingActionsForDeletedEndpointsForDB111() error {
-	log.Info().Msg("cleaning up pending actions for deleted endpoints")
-
-	pendingActions, err := migrator.pendingActionsService.ReadAll()
-	if err != nil {
-		return err
-	}
-
-	endpoints := make(map[portainer.EndpointID]struct{})
-	for _, action := range pendingActions {
-		endpoints[action.EndpointID] = struct{}{}
-	}
-
-	for endpointId := range endpoints {
-		_, err := migrator.endpointService.Endpoint(endpointId)
-		if dataservices.IsErrObjectNotFound(err) {
-			err := migrator.pendingActionsService.DeleteByEndpointID(endpointId)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
--- a/api/datastore/migrator/migrate_dbversion130.go
+++ b/api/datastore/migrator/migrate_dbversion130.go
@@ -1,33 +0,0 @@
-package migrator
-
-import (
-	"github.com/segmentio/encoding/json"
-
-	"github.com/rs/zerolog/log"
-)
-
-func (migrator *Migrator) migratePendingActionsDataForDB130() error {
-	log.Info().Msg("Migrating pending actions data")
-
-	pendingActions, err := migrator.pendingActionsService.ReadAll()
-	if err != nil {
-		return err
-	}
-
-	for _, pa := range pendingActions {
-		actionData, err := json.Marshal(pa.ActionData)
-		if err != nil {
-			return err
-		}
-
-		pa.ActionData = string(actionData)
-
-		// Update the pending action
-		err = migrator.pendingActionsService.Update(pa.ID, &pa)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
--- a/api/datastore/migrator/migrate_dbversion31.go
+++ b/api/datastore/migrator/migrate_dbversion31.go
@@ -123,7 +123,7 @@ func (m *Migrator) updateDockerhubToDB32() error {
 				migrated = true
 			} else {
 				// delete subsequent duplicates
-				m.registryService.Delete(r.ID)
+				m.registryService.Delete(portainer.RegistryID(r.ID))
 			}
 		}
 	}
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -14,7 +14,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
 	"github.com/portainer/portainer/api/dataservices/fdoprofile"
-	"github.com/portainer/portainer/api/dataservices/pendingactions"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
 	"github.com/portainer/portainer/api/dataservices/role"
@@ -59,7 +58,6 @@ type (
 		edgeStackService        *edgestack.Service
 		edgeJobService          *edgejob.Service
 		TunnelServerService     *tunnelserver.Service
-		pendingActionsService   *pendingactions.Service
 	}

 	// MigratorParameters represents the required parameters to create a new Migrator instance.
@@ -87,7 +85,6 @@ type (
 		EdgeStackService        *edgestack.Service
 		EdgeJobService          *edgejob.Service
 		TunnelServerService     *tunnelserver.Service
-		PendingActionsService   *pendingactions.Service
 	}
 )

@@ -117,7 +114,6 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		edgeStackService:        parameters.EdgeStackService,
 		edgeJobService:          parameters.EdgeJobService,
 		TunnelServerService:     parameters.TunnelServerService,
-		pendingActionsService:   parameters.PendingActionsService,
 	}

 	migrator.initMigrations()
@@ -236,14 +232,8 @@ func (m *Migrator) initMigrations() {
 		m.updateAppTemplatesVersionForDB110,
 		m.updateResourceOverCommitToDB110,
 	)
-	m.addMigrations("2.20.2",
-		m.cleanPendingActionsForDeletedEndpointsForDB111,
-	)
-	m.addMigrations("2.22.0",
-		m.migratePendingActionsDataForDB130,
-	)

-	// Add new migrations above...
+	// Add new migrations below...
 	// One function per migration, each versions migration funcs in the same file.
 }

--- a/api/datastore/pendingactions_test.go
+++ b/api/datastore/pendingactions_test.go
@@ -1,98 +0,0 @@
-package datastore
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/pendingactions/actions"
-	"github.com/portainer/portainer/api/pendingactions/handlers"
-)
-
-type cleanNAPWithOverridePolicies struct {
-	EndpointGroupID portainer.EndpointGroupID
-}
-
-func Test_ConvertCleanNAPWithOverridePoliciesPayload(t *testing.T) {
-	t.Run("test ConvertCleanNAPWithOverridePoliciesPayload", func(t *testing.T) {
-
-		_, store := MustNewTestStore(t, true, false)
-		defer store.Close()
-
-		gid := portainer.EndpointGroupID(1)
-
-		testData := []struct {
-			Name          string
-			PendingAction portainer.PendingAction
-			Expected      any
-			Err           bool
-		}{
-			{
-				Name: "test actiondata with EndpointGroupID 1",
-				PendingAction: handlers.NewCleanNAPWithOverridePolicies(
-					1,
-					&gid,
-				),
-				Expected: portainer.EndpointGroupID(1),
-			},
-			{
-				Name: "test actionData nil",
-				PendingAction: handlers.NewCleanNAPWithOverridePolicies(
-					2,
-					nil,
-				),
-				Expected: nil,
-			},
-			{
-				Name: "test actionData empty and expected error",
-				PendingAction: portainer.PendingAction{
-					EndpointID: 2,
-					Action:     actions.CleanNAPWithOverridePolicies,
-					ActionData: "",
-				},
-				Expected: nil,
-				Err:      true,
-			},
-		}
-
-		for _, d := range testData {
-			err := store.PendingActions().Create(&d.PendingAction)
-			if err != nil {
-				t.Error(err)
-				return
-			}
-
-			pendingActions, err := store.PendingActions().ReadAll()
-			if err != nil {
-				t.Error(err)
-				return
-			}
-
-			for _, endpointPendingAction := range pendingActions {
-				t.Run(d.Name, func(t *testing.T) {
-					if endpointPendingAction.Action == actions.CleanNAPWithOverridePolicies {
-						var payload cleanNAPWithOverridePolicies
-
-						err := endpointPendingAction.UnmarshallActionData(&payload)
-
-						if d.Err && err == nil {
-							t.Error(err)
-						}
-
-						if d.Expected == nil && payload.EndpointGroupID != 0 {
-							t.Errorf("expected nil, got %d", payload.EndpointGroupID)
-						}
-
-						if d.Expected != nil {
-							expected := d.Expected.(portainer.EndpointGroupID)
-							if d.Expected != nil && expected != payload.EndpointGroupID {
-								t.Errorf("expected EndpointGroupID %d, got %d", expected, payload.EndpointGroupID)
-							}
-						}
-					}
-				})
-			}
-
-			store.PendingActions().Delete(d.PendingAction.ID)
-		}
-	})
-}
--- a/api/datastore/postinit/migrate_post_init.go
+++ b/api/datastore/postinit/migrate_post_init.go
@@ -1,184 +0,0 @@
-package postinit
-
-import (
-	"context"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/client"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	dockerClient "github.com/portainer/portainer/api/docker/client"
-	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/kubernetes/cli"
-	"github.com/portainer/portainer/api/pendingactions/actions"
-
-	"github.com/rs/zerolog/log"
-)
-
-type PostInitMigrator struct {
-	kubeFactory        *cli.ClientFactory
-	dockerFactory      *dockerClient.ClientFactory
-	dataStore          dataservices.DataStore
-	assetsPath         string
-	kubernetesDeployer portainer.KubernetesDeployer
-}
-
-func NewPostInitMigrator(
-	kubeFactory *cli.ClientFactory,
-	dockerFactory *dockerClient.ClientFactory,
-	dataStore dataservices.DataStore,
-	assetsPath string,
-	kubernetesDeployer portainer.KubernetesDeployer,
-) *PostInitMigrator {
-	return &PostInitMigrator{
-		kubeFactory:        kubeFactory,
-		dockerFactory:      dockerFactory,
-		dataStore:          dataStore,
-		assetsPath:         assetsPath,
-		kubernetesDeployer: kubernetesDeployer,
-	}
-}
-
-// PostInitMigrate will run all post-init migrations, which require docker/kube clients for all edge or non-edge environments
-func (postInitMigrator *PostInitMigrator) PostInitMigrate() error {
-	environments, err := postInitMigrator.dataStore.Endpoint().Endpoints()
-	if err != nil {
-		log.Error().Err(err).Msg("Error getting environments")
-		return err
-	}
-
-	for _, environment := range environments {
-		// edge environments will run after the server starts, in pending actions
-		if endpointutils.IsEdgeEndpoint(&environment) {
-			log.Info().Msgf("Adding pending action 'PostInitMigrateEnvironment' for environment %d", environment.ID)
-			err = postInitMigrator.createPostInitMigrationPendingAction(environment.ID)
-			if err != nil {
-				log.Error().Err(err).Msgf("Error creating pending action for environment %d", environment.ID)
-			}
-		} else {
-			// non-edge environments will run before the server starts.
-			err = postInitMigrator.MigrateEnvironment(&environment)
-			if err != nil {
-				log.Error().Err(err).Msgf("Error running post-init migrations for non-edge environment %d", environment.ID)
-			}
-		}
-
-	}
-
-	return nil
-}
-
-// try to create a post init migration pending action. If it already exists, do nothing
-// this function exists for readability, not reusability
-// TODO: This should be moved into pending actions as part of the pending action migration
-func (postInitMigrator *PostInitMigrator) createPostInitMigrationPendingAction(environmentID portainer.EndpointID) error {
-	// If there are no pending actions for the given endpoint, create one
-	err := postInitMigrator.dataStore.PendingActions().Create(&portainer.PendingAction{
-		EndpointID: environmentID,
-		Action:     actions.PostInitMigrateEnvironment,
-	})
-	if err != nil {
-		log.Error().Err(err).Msgf("Error creating pending action for environment %d", environmentID)
-	}
-	return nil
-}
-
-// MigrateEnvironment runs migrations on a single environment
-func (migrator *PostInitMigrator) MigrateEnvironment(environment *portainer.Endpoint) error {
-	log.Info().Msgf("Executing post init migration for environment %d", environment.ID)
-
-	switch {
-	case endpointutils.IsKubernetesEndpoint(environment):
-		// get the kubeclient for the environment, and skip all kube migrations if there's an error
-		kubeclient, err := migrator.kubeFactory.GetKubeClient(environment)
-		if err != nil {
-			log.Error().Err(err).Msgf("Error creating kubeclient for environment: %d", environment.ID)
-			return err
-		}
-		// if one environment fails, it is logged and the next migration runs. The error is returned at the end and handled by pending actions
-		err = migrator.MigrateIngresses(*environment, kubeclient)
-		if err != nil {
-			return err
-		}
-		return nil
-	case endpointutils.IsDockerEndpoint(environment):
-		// get the docker client for the environment, and skip all docker migrations if there's an error
-		dockerClient, err := migrator.dockerFactory.CreateClient(environment, "", nil)
-		if err != nil {
-			log.Error().Err(err).Msgf("Error creating docker client for environment: %d", environment.ID)
-			return err
-		}
-		defer dockerClient.Close()
-		migrator.MigrateGPUs(*environment, dockerClient)
-	}
-
-	return nil
-}
-
-func (migrator *PostInitMigrator) MigrateIngresses(environment portainer.Endpoint, kubeclient *cli.KubeClient) error {
-	// Early exit if we do not need to migrate!
-	if !environment.PostInitMigrations.MigrateIngresses {
-		return nil
-	}
-	log.Debug().Msgf("Migrating ingresses for environment %d", environment.ID)
-
-	err := migrator.kubeFactory.MigrateEndpointIngresses(&environment, migrator.dataStore, kubeclient)
-	if err != nil {
-		log.Error().Err(err).Msgf("Error migrating ingresses for environment %d", environment.ID)
-		return err
-	}
-	return nil
-}
-
-// MigrateGPUs will check all docker endpoints for containers with GPUs and set EnableGPUManagement to true if any are found
-// If there's an error getting the containers, we'll log it and move on
-func (migrator *PostInitMigrator) MigrateGPUs(e portainer.Endpoint, dockerClient *client.Client) error {
-	return migrator.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		environment, err := tx.Endpoint().Endpoint(e.ID)
-		if err != nil {
-			log.Error().Err(err).Msgf("Error getting environment %d", environment.ID)
-			return err
-		}
-		// Early exit if we do not need to migrate!
-		if !environment.PostInitMigrations.MigrateGPUs {
-			return nil
-		}
-		log.Debug().Msgf("Migrating GPUs for environment %d", e.ID)
-
-		// get all containers
-		containers, err := dockerClient.ContainerList(context.Background(), container.ListOptions{All: true})
-		if err != nil {
-			log.Error().Err(err).Msgf("failed to list containers for environment %d", environment.ID)
-			return err
-		}
-
-		// check for a gpu on each container. If even one GPU is found, set EnableGPUManagement to true for the whole environment
-	containersLoop:
-		for _, container := range containers {
-			// https://www.sobyte.net/post/2022-10/go-docker/ has nice documentation on the docker client with GPUs
-			containerDetails, err := dockerClient.ContainerInspect(context.Background(), container.ID)
-			if err != nil {
-				log.Error().Err(err).Msg("failed to inspect container")
-				continue
-			}
-
-			deviceRequests := containerDetails.HostConfig.Resources.DeviceRequests
-			for _, deviceRequest := range deviceRequests {
-				if deviceRequest.Driver == "nvidia" {
-					environment.EnableGPUManagement = true
-					break containersLoop
-				}
-			}
-		}
-
-		// set the MigrateGPUs flag to false so we don't run this again
-		environment.PostInitMigrations.MigrateGPUs = false
-		err = tx.Endpoint().UpdateEndpoint(environment.ID, environment)
-		if err != nil {
-			log.Error().Err(err).Msgf("Error updating EnableGPUManagement flag for environment %d", environment.ID)
-			return err
-		}
-
-		return nil
-	})
-}
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -616,7 +616,7 @@ func (store *Store) Import(filename string) (err error) {
 	if err != nil {
 		return err
 	}
-	err = json.Unmarshal(s, &backup)
+	err = json.Unmarshal([]byte(s), &backup)
 	if err != nil {
 		return err
 	}
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -16,9 +16,7 @@ func (tx *StoreTx) IsErrObjectNotFound(err error) bool {

 func (tx *StoreTx) CustomTemplate() dataservices.CustomTemplateService { return nil }

-func (tx *StoreTx) PendingActions() dataservices.PendingActionsService {
-	return tx.store.PendingActionsService.Tx(tx.tx)
-}
+func (tx *StoreTx) PendingActions() dataservices.PendingActionsService { return nil }

 func (tx *StoreTx) EdgeGroup() dataservices.EdgeGroupService {
 	return tx.store.EdgeGroupService.Tx(tx.tx)
@@ -70,10 +68,7 @@ func (tx *StoreTx) Snapshot() dataservices.SnapshotService {
 }

 func (tx *StoreTx) SSLSettings() dataservices.SSLSettingsService { return nil }
-
-func (tx *StoreTx) Stack() dataservices.StackService {
-	return tx.store.StackService.Tx(tx.tx)
-}
+func (tx *StoreTx) Stack() dataservices.StackService             { return nil }

 func (tx *StoreTx) Tag() dataservices.TagService {
 	return tx.store.TagService.Tx(tx.tx)
@@ -83,8 +78,7 @@ func (tx *StoreTx) TeamMembership() dataservices.TeamMembershipService {
 	return tx.store.TeamMembershipService.Tx(tx.tx)
 }

-func (tx *StoreTx) Team() dataservices.TeamService { return nil }
-
+func (tx *StoreTx) Team() dataservices.TeamService                 { return nil }
 func (tx *StoreTx) TunnelServer() dataservices.TunnelServerService { return nil }

 func (tx *StoreTx) User() dataservices.UserService {
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -631,7 +631,6 @@
    "LogoURL": "",
    "OAuthSettings": {
      "AccessTokenURI": "",
-      "AuthStyle": 0,
      "AuthorizationURI": "",
      "ClientID": "",
      "DefaultTeamID": 0,
@@ -678,7 +677,6 @@
            "Architecture": "",
            "BridgeNfIp6tables": false,
            "BridgeNfIptables": false,
-            "CDISpecDirs": null,
            "CPUSet": false,
            "CPUShares": false,
            "CgroupDriver": "",
@@ -941,6 +939,6 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.22.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.20.0\",\"MigratorCount\":2,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  }
 }
--- a/api/demo/demo.go
+++ b/api/demo/demo.go
@@ -0,0 +1,118 @@
+package demo
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+)
+
+type EnvironmentDetails struct {
+	Enabled      bool                   `json:"enabled"`
+	Users        []portainer.UserID     `json:"users"`
+	Environments []portainer.EndpointID `json:"environments"`
+}
+
+type Service struct {
+	details EnvironmentDetails
+}
+
+func NewService() *Service {
+	return &Service{}
+}
+
+func (service *Service) Details() EnvironmentDetails {
+	return service.details
+}
+
+func (service *Service) Init(store dataservices.DataStore, cryptoService portainer.CryptoService) error {
+	log.Info().Msg("starting demo environment")
+
+	isClean, err := isCleanStore(store)
+	if err != nil {
+		return errors.WithMessage(err, "failed checking if store is clean")
+	}
+
+	if !isClean {
+		return errors.New(" Demo environment can only be initialized on a clean database")
+	}
+
+	id, err := initDemoUser(store, cryptoService)
+	if err != nil {
+		return errors.WithMessage(err, "failed creating demo user")
+	}
+
+	endpointIds, err := initDemoEndpoints(store)
+	if err != nil {
+		return errors.WithMessage(err, "failed creating demo endpoint")
+	}
+
+	err = initDemoSettings(store)
+	if err != nil {
+		return errors.WithMessage(err, "failed updating demo settings")
+	}
+
+	service.details = EnvironmentDetails{
+		Enabled: true,
+		Users:   []portainer.UserID{id},
+		// endpoints 2,3 are created after deployment of portainer
+		Environments: endpointIds,
+	}
+
+	return nil
+}
+
+func isCleanStore(store dataservices.DataStore) (bool, error) {
+	endpoints, err := store.Endpoint().Endpoints()
+	if err != nil {
+		return false, err
+	}
+
+	if len(endpoints) > 0 {
+		return false, nil
+	}
+
+	users, err := store.User().ReadAll()
+	if err != nil {
+		return false, err
+	}
+
+	if len(users) > 0 {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func (service *Service) IsDemo() bool {
+	return service.details.Enabled
+}
+
+func (service *Service) IsDemoEnvironment(environmentID portainer.EndpointID) bool {
+	if !service.IsDemo() {
+		return false
+	}
+
+	for _, demoEndpointID := range service.details.Environments {
+		if environmentID == demoEndpointID {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (service *Service) IsDemoUser(userID portainer.UserID) bool {
+	if !service.IsDemo() {
+		return false
+	}
+
+	for _, demoUserID := range service.details.Users {
+		if userID == demoUserID {
+			return true
+		}
+	}
+
+	return false
+}
--- a/api/demo/init.go
+++ b/api/demo/init.go
@@ -0,0 +1,88 @@
+package demo
+
+import (
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+func initDemoUser(
+	store dataservices.DataStore,
+	cryptoService portainer.CryptoService,
+) (portainer.UserID, error) {
+
+	password, err := cryptoService.Hash("tryportainer")
+	if err != nil {
+		return 0, errors.WithMessage(err, "failed creating password hash")
+	}
+
+	admin := &portainer.User{
+		Username: "admin",
+		Password: password,
+		Role:     portainer.AdministratorRole,
+	}
+
+	err = store.User().Create(admin)
+	return admin.ID, errors.WithMessage(err, "failed creating user")
+}
+
+func initDemoEndpoints(store dataservices.DataStore) ([]portainer.EndpointID, error) {
+	localEndpointId, err := initDemoLocalEndpoint(store)
+	if err != nil {
+		return nil, err
+	}
+
+	// second and third endpoints are going to be created with docker-compose as a part of the demo environment set up.
+	// ref: https://github.com/portainer/portainer-demo/blob/master/docker-compose.yml
+	return []portainer.EndpointID{localEndpointId, localEndpointId + 1, localEndpointId + 2}, nil
+}
+
+func initDemoLocalEndpoint(store dataservices.DataStore) (portainer.EndpointID, error) {
+	id := portainer.EndpointID(store.Endpoint().GetNextIdentifier())
+	localEndpoint := &portainer.Endpoint{
+		ID:        id,
+		Name:      "local",
+		URL:       "unix:///var/run/docker.sock",
+		PublicURL: "demo.portainer.io",
+		Type:      portainer.DockerEnvironment,
+		GroupID:   portainer.EndpointGroupID(1),
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		AuthorizedUsers:    []portainer.UserID{},
+		AuthorizedTeams:    []portainer.TeamID{},
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		TagIDs:             []portainer.TagID{},
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.DockerSnapshot{},
+		Kubernetes:         portainer.KubernetesDefault(),
+	}
+
+	err := store.Endpoint().Create(localEndpoint)
+	if err != nil {
+		return id, errors.WithMessage(err, "failed creating local endpoint")
+	}
+
+	err = store.Snapshot().Create(&portainer.Snapshot{EndpointID: id})
+	if err != nil {
+		return id, errors.WithMessage(err, "failed creating snapshot")
+	}
+
+	return id, errors.WithMessage(err, "failed creating local endpoint")
+}
+
+func initDemoSettings(
+	store dataservices.DataStore,
+) error {
+	settings, err := store.Settings().Settings()
+	if err != nil {
+		return errors.WithMessage(err, "failed fetching settings")
+	}
+
+	settings.EnableTelemetry = false
+	settings.LogoURL = ""
+
+	err = store.Settings().UpdateSettings(settings)
+	return errors.WithMessage(err, "failed updating settings")
+}
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -3,6 +3,7 @@ package client
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"maps"
 	"net/http"
@@ -12,7 +13,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"

-	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
 	"github.com/segmentio/encoding/json"
 )
@@ -49,12 +50,12 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 	case portainer.AgentOnDockerEnvironment:
 		return createAgentClient(endpoint, endpoint.URL, factory.signatureService, nodeName, timeout)
 	case portainer.EdgeAgentOnDockerEnvironment:
-		tunnelAddr, err := factory.reverseTunnelService.TunnelAddr(endpoint)
+		tunnel, err := factory.reverseTunnelService.GetActiveTunnel(endpoint)
 		if err != nil {
 			return nil, err
 		}

-		endpointURL := "http://" + tunnelAddr
+		endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)

 		return createAgentClient(endpoint, endpointURL, factory.signatureService, nodeName, timeout)
 	}
@@ -92,17 +93,11 @@ func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*cli
 		return nil, err
 	}

-	opts := []client.Opt{
+	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
 		client.WithAPIVersionNegotiation(),
 		client.WithHTTPClient(httpCli),
-	}
-
-	if nnTransport, ok := httpCli.Transport.(*NodeNameTransport); ok && nnTransport.TLSClientConfig != nil {
-		opts = append(opts, client.WithScheme("https"))
-	}
-
-	return client.NewClientWithOpts(opts...)
+	)
 }

 func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatureService portainer.DigitalSignatureService, nodeName string, timeout *time.Duration) (*client.Client, error) {
@@ -164,7 +159,7 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)
 	resp.Body = io.NopCloser(bytes.NewReader(body))

 	var rs []struct {
-		image.Summary
+		types.ImageSummary
 		Portainer struct {
 			Agent struct {
 				NodeName string
--- a/api/docker/consts/labels.go
+++ b/api/docker/consts/labels.go
@@ -3,7 +3,6 @@ package consts
 const (
 	ComposeStackNameLabel = "com.docker.compose.project"
 	SwarmStackNameLabel   = "com.docker.stack.namespace"
-	SwarmServiceIDLabel   = "com.docker.swarm.service.id"
-	SwarmNodeIDLabel      = "com.docker.swarm.node.id"
-	HideStackLabel        = "io.portainer.hideStack"
+	SwarmServiceIdLabel   = "com.docker.swarm.service.id"
+	SwarmNodeIdLabel      = "com.docker.swarm.node.id"
 )
--- a/api/docker/container.go
+++ b/api/docker/container.go
@@ -7,12 +7,12 @@ import (
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
+	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/images"
-
-	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )

@@ -37,7 +37,9 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 		return nil, errors.Wrap(err, "create client error")
 	}

-	defer cli.Close()
+	defer func(cli *client.Client) {
+		cli.Close()
+	}(cli)

 	log.Debug().Str("container_id", containerId).Msg("starting to fetch container information")

@@ -117,7 +119,7 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 		for _, network := range container.NetworkSettings.Networks {
 			cli.NetworkConnect(ctx, network.NetworkID, containerId, network)
 		}
-		cli.ContainerStart(ctx, containerId, dockercontainer.StartOptions{})
+		cli.ContainerStart(ctx, containerId, types.ContainerStartOptions{})
 	})

 	log.Debug().Str("container", strings.Split(container.Name, "/")[1]).Msg("starting to create a new container")
@@ -133,7 +135,7 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End
 	c.sr.push(func() {
 		log.Debug().Str("container_id", create.ID).Msg("removing the new container")
 		cli.ContainerStop(ctx, create.ID, dockercontainer.StopOptions{})
-		cli.ContainerRemove(ctx, create.ID, dockercontainer.RemoveOptions{})
+		cli.ContainerRemove(ctx, create.ID, types.ContainerRemoveOptions{})
 	})

 	if err != nil {
@@ -162,14 +164,14 @@ func (c *ContainerService) Recreate(ctx context.Context, endpoint *portainer.End

 	// 8. start the new container
 	log.Debug().Str("container_id", newContainerId).Msg("starting the new container")
-	err = cli.ContainerStart(ctx, newContainerId, dockercontainer.StartOptions{})
+	err = cli.ContainerStart(ctx, newContainerId, types.ContainerStartOptions{})
 	if err != nil {
 		return nil, errors.Wrap(err, "start container error")
 	}

 	// 9. delete the old container
 	log.Debug().Str("container_id", containerId).Msg("starting to remove the old container")
-	_ = cli.ContainerRemove(ctx, containerId, dockercontainer.RemoveOptions{})
+	_ = cli.ContainerRemove(ctx, containerId, types.ContainerRemoveOptions{})

 	c.sr.disable()

--- a/api/docker/container_stats.go
+++ b/api/docker/container_stats.go
@@ -1,37 +0,0 @@
-package docker
-
-import "github.com/docker/docker/api/types"
-
-type ContainerStats struct {
-	Running   int `json:"running"`
-	Stopped   int `json:"stopped"`
-	Healthy   int `json:"healthy"`
-	Unhealthy int `json:"unhealthy"`
-	Total     int `json:"total"`
-}
-
-func CalculateContainerStats(containers []types.Container) ContainerStats {
-	var running, stopped, healthy, unhealthy int
-	for _, container := range containers {
-		switch container.State {
-		case "running":
-			running++
-		case "healthy":
-			running++
-			healthy++
-		case "unhealthy":
-			running++
-			unhealthy++
-		case "exited", "stopped":
-			stopped++
-		}
-	}
-
-	return ContainerStats{
-		Running:   running,
-		Stopped:   stopped,
-		Healthy:   healthy,
-		Unhealthy: unhealthy,
-		Total:     len(containers),
-	}
-}
--- a/api/docker/container_stats_test.go
+++ b/api/docker/container_stats_test.go
@@ -1,27 +0,0 @@
-package docker
-
-import (
-	"testing"
-
-	"github.com/docker/docker/api/types"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCalculateContainerStats(t *testing.T) {
-	containers := []types.Container{
-		{State: "running"},
-		{State: "running"},
-		{State: "exited"},
-		{State: "stopped"},
-		{State: "healthy"},
-		{State: "unhealthy"},
-	}
-
-	stats := CalculateContainerStats(containers)
-
-	assert.Equal(t, 4, stats.Running)
-	assert.Equal(t, 2, stats.Stopped)
-	assert.Equal(t, 1, stats.Healthy)
-	assert.Equal(t, 1, stats.Unhealthy)
-	assert.Equal(t, 6, stats.Total)
-}
--- a/api/docker/images/status.go
+++ b/api/docker/images/status.go
@@ -7,7 +7,6 @@ import (
 	"time"

 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	portainer "github.com/portainer/portainer/api"
 	consts "github.com/portainer/portainer/api/docker/consts"
@@ -48,11 +47,11 @@ func (c *DigestClient) ContainersImageStatus(ctx context.Context, containers []t
 	statuses := make([]Status, len(containers))
 	for i, ct := range containers {
 		var nodeName string
-		if swarmNodeId := ct.Labels[consts.SwarmNodeIDLabel]; swarmNodeId != "" {
+		if swarmNodeId := ct.Labels[consts.SwarmNodeIdLabel]; swarmNodeId != "" {
 			if swarmNodeName, ok := swarmID2NameCache.Get(swarmNodeId); ok {
 				nodeName, _ = swarmNodeName.(string)
 			} else {
-				node, _, err := cli.NodeInspectWithRaw(ctx, ct.Labels[consts.SwarmNodeIDLabel])
+				node, _, err := cli.NodeInspectWithRaw(ctx, ct.Labels[consts.SwarmNodeIdLabel])
 				if err != nil {
 					return Error
 				}
@@ -158,9 +157,9 @@ func (c *DigestClient) ServiceImageStatus(ctx context.Context, serviceID string,
 		return Error, nil
 	}

-	containers, err := cli.ContainerList(ctx, container.ListOptions{
+	containers, err := cli.ContainerList(ctx, types.ContainerListOptions{
 		All:     true,
-		Filters: filters.NewArgs(filters.Arg("label", consts.SwarmServiceIDLabel+"="+serviceID)),
+		Filters: filters.NewArgs(filters.Arg("label", consts.SwarmServiceIdLabel+"="+serviceID)),
 	})
 	if err != nil {
 		log.Warn().Err(err).Str("serviceID", serviceID).Msg("cannot list container for the service")
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -6,7 +6,6 @@ import (
 	"time"

 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
 	_container "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/docker/client"
@@ -148,16 +147,24 @@ func snapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client.Clien
 }

 func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	containers, err := cli.ContainerList(context.Background(), container.ListOptions{All: true})
+	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{All: true})
 	if err != nil {
 		return err
 	}

+	runningContainers := 0
+	stoppedContainers := 0
+	healthyContainers := 0
+	unhealthyContainers := 0
 	stacks := make(map[string]struct{})
 	gpuUseSet := make(map[string]struct{})
 	gpuUseAll := false
 	for _, container := range containers {
-		if container.State == "running" {
+		if container.State == "exited" || container.State == "stopped" {
+			stoppedContainers++
+		} else if container.State == "running" {
+			runningContainers++
+
 			// snapshot GPUs
 			response, err := cli.ContainerInspect(context.Background(), container.ID)
 			if err != nil {
@@ -194,6 +201,15 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 			}
 		}

+		if container.State == "healthy" {
+			runningContainers++
+			healthyContainers++
+		}
+
+		if container.State == "unhealthy" {
+			unhealthyContainers++
+		}
+
 		for k, v := range container.Labels {
 			if k == consts.ComposeStackNameLabel {
 				stacks[v] = struct{}{}
@@ -209,13 +225,11 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	snapshot.GpuUseAll = gpuUseAll
 	snapshot.GpuUseList = gpuUseList

-	stats := CalculateContainerStats(containers)
-
-	snapshot.ContainerCount = stats.Total
-	snapshot.RunningContainerCount = stats.Running
-	snapshot.StoppedContainerCount = stats.Stopped
-	snapshot.HealthyContainerCount = stats.Healthy
-	snapshot.UnhealthyContainerCount = stats.Unhealthy
+	snapshot.ContainerCount = len(containers)
+	snapshot.RunningContainerCount = runningContainers
+	snapshot.StoppedContainerCount = stoppedContainers
+	snapshot.HealthyContainerCount = healthyContainers
+	snapshot.UnhealthyContainerCount = unhealthyContainers
 	snapshot.StackCount += len(stacks)
 	for _, container := range containers {
 		snapshot.SnapshotRaw.Containers = append(snapshot.SnapshotRaw.Containers, portainer.DockerContainerSnapshot{Container: container})
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -76,9 +76,15 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 		defer proxy.Close()
 	}

+	envFilePath, err := createEnvFile(stack)
+	if err != nil {
+		return errors.Wrap(err, "failed to create env file")
+	}
+
 	err = manager.deployer.Remove(ctx, stack.Name, nil, libstack.Options{
-		WorkingDir: "",
-		Host:       url,
+		WorkingDir:  stack.ProjectPath,
+		EnvFilePath: envFilePath,
+		Host:        url,
 	})

 	return errors.Wrap(err, "failed to remove a stack")
@@ -142,46 +148,28 @@ func createEnvFile(stack *portainer.Stack) (string, error) {
 	}
 	defer envfile.Close()

-	// Copy from default .env file
-	defaultEnvPath := path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint), ".env")
-	if err = copyDefaultEnvFile(envfile, defaultEnvPath); err != nil {
-		return "", err
-	}
+	copyDefaultEnvFile(stack, envfile)

-	// Copy from stack env vars
-	if err = copyConfigEnvVars(envfile, stack.Env); err != nil {
-		return "", err
+	for _, v := range stack.Env {
+		envfile.WriteString(fmt.Sprintf("%s=%s\n", v.Name, v.Value))
 	}

 	return "stack.env", nil
 }

 // copyDefaultEnvFile copies the default .env file if it exists to the provided writer
-func copyDefaultEnvFile(w io.Writer, defaultEnvFilePath string) error {
-	defaultEnvFile, err := os.Open(defaultEnvFilePath)
+func copyDefaultEnvFile(stack *portainer.Stack, w io.Writer) {
+	defaultEnvFile, err := os.Open(path.Join(path.Join(stack.ProjectPath, path.Dir(stack.EntryPoint)), ".env"))
 	if err != nil {
 		// If cannot open a default file, then don't need to copy it.
 		// We could as well stat it and check if it exists, but this is more efficient.
-		return nil
+		return
 	}

 	defer defaultEnvFile.Close()

 	if _, err = io.Copy(w, defaultEnvFile); err == nil {
-		if _, err = fmt.Fprintf(w, "\n"); err != nil {
-			return fmt.Errorf("failed to copy default env file: %w", err)
-		}
+		io.WriteString(w, "\n")
 	}
-	return nil
 	// If couldn't copy the .env file, then ignore the error and try to continue
 }
-
-// copyConfigEnvVars write the environment variables from stack configuration to the writer
-func copyConfigEnvVars(w io.Writer, envs []portainer.Pair) error {
-	for _, v := range envs {
-		if _, err := fmt.Fprintf(w, "%s=%s\n", v.Name, v.Value); err != nil {
-			return fmt.Errorf("failed to copy config env vars: %w", err)
-		}
-	}
-	return nil
-}
--- a/api/exec/compose_stack_test.go
+++ b/api/exec/compose_stack_test.go
@@ -23,7 +23,6 @@ func Test_createEnvFile(t *testing.T) {
 			name: "should not add env file option if stack doesn't have env variables",
 			stack: &portainer.Stack{
 				ProjectPath: dir,
-				Env:         nil,
 			},
 			expected: "",
 		},
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -3,6 +3,7 @@ package exec
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"os"
 	"os/exec"
 	"path"
@@ -157,10 +158,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor
 	var stderr bytes.Buffer
 	cmd := exec.Command(command, args...)
 	cmd.Stderr = &stderr
-
-	if workingDir != "" {
-		cmd.Dir = workingDir
-	}
+	cmd.Dir = workingDir

 	if env != nil {
 		cmd.Env = os.Environ()
@@ -188,11 +186,11 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, config

 	endpointURL := endpoint.URL
 	if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
-		tunnelAddr, err := manager.reverseTunnelService.TunnelAddr(endpoint)
+		tunnel, err := manager.reverseTunnelService.GetActiveTunnel(endpoint)
 		if err != nil {
 			return "", nil, err
 		}
-		endpointURL = "tcp://" + tunnelAddr
+		endpointURL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnel.Port)
 	}

 	args = append(args, "-H", endpointURL)
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -934,7 +934,7 @@ func FileExists(filePath string) (bool, error) {
 func (service *Service) SafeMoveDirectory(originalPath, newPath string) error {
 	// 1. Backup the source directory to a different folder
 	backupDir := fmt.Sprintf("%s-%s", filepath.Dir(originalPath), "backup")
-	err := MoveDirectory(originalPath, backupDir, false)
+	err := MoveDirectory(originalPath, backupDir)
 	if err != nil {
 		return fmt.Errorf("failed to backup source directory: %w", err)
 	}
@@ -973,14 +973,14 @@ func restoreBackup(src, backupDir string) error {
 		return fmt.Errorf("failed to delete destination directory: %w", err)
 	}

-	err = MoveDirectory(backupDir, src, false)
+	err = MoveDirectory(backupDir, src)
 	if err != nil {
 		return fmt.Errorf("failed to restore backup directory: %w", err)
 	}
 	return nil
 }

-func MoveDirectory(originalPath, newPath string, overwriteTargetPath bool) error {
+func MoveDirectory(originalPath, newPath string) error {
 	if _, err := os.Stat(originalPath); err != nil {
 		return err
 	}
@@ -991,13 +991,7 @@ func MoveDirectory(originalPath, newPath string, overwriteTargetPath bool) error
 	}

 	if alreadyExists {
-		if !overwriteTargetPath {
-			return fmt.Errorf("Target path already exists")
-		}
-
-		if err = os.RemoveAll(newPath); err != nil {
-			return fmt.Errorf("failed to overwrite path %s: %s", newPath, err.Error())
-		}
+		return errors.New("Target path already exists")
 	}

 	return os.Rename(originalPath, newPath)
--- a/api/filesystem/filesystem_move_test.go
+++ b/api/filesystem/filesystem_move_test.go
@@ -16,7 +16,7 @@ func Test_movePath_shouldFailIfSourceDirDoesNotExist(t *testing.T) {
 	file1 := addFile(destinationDir, "dir", "file")
 	file2 := addFile(destinationDir, "file")

-	err := MoveDirectory(sourceDir, destinationDir, false)
+	err := MoveDirectory(sourceDir, destinationDir)
 	assert.Error(t, err, "move directory should fail when source path is missing")
 	assert.FileExists(t, file1, "destination dir contents should remain")
 	assert.FileExists(t, file2, "destination dir contents should remain")
@@ -30,7 +30,7 @@ func Test_movePath_shouldFailIfDestinationDirExists(t *testing.T) {
 	file3 := addFile(destinationDir, "dir", "file")
 	file4 := addFile(destinationDir, "file")

-	err := MoveDirectory(sourceDir, destinationDir, false)
+	err := MoveDirectory(sourceDir, destinationDir)
 	assert.Error(t, err, "move directory should fail when destination directory already exists")
 	assert.FileExists(t, file1, "source dir contents should remain")
 	assert.FileExists(t, file2, "source dir contents should remain")
@@ -38,22 +38,6 @@ func Test_movePath_shouldFailIfDestinationDirExists(t *testing.T) {
 	assert.FileExists(t, file4, "destination dir contents should remain")
 }

-func Test_movePath_succesIfOverwriteSetWhenDestinationDirExists(t *testing.T) {
-	sourceDir := t.TempDir()
-	file1 := addFile(sourceDir, "dir", "file")
-	file2 := addFile(sourceDir, "file")
-	destinationDir := t.TempDir()
-	file3 := addFile(destinationDir, "dir", "file")
-	file4 := addFile(destinationDir, "file")
-
-	err := MoveDirectory(sourceDir, destinationDir, true)
-	assert.NoError(t, err)
-	assert.NoFileExists(t, file1, "source dir contents should be moved")
-	assert.NoFileExists(t, file2, "source dir contents should be moved")
-	assert.FileExists(t, file3, "destination dir contents should remain")
-	assert.FileExists(t, file4, "destination dir contents should remain")
-}
-
 func Test_movePath_successWhenSourceExistsAndDestinationIsMissing(t *testing.T) {
 	tmp := t.TempDir()
 	sourceDir := path.Join(tmp, "source")
@@ -62,7 +46,7 @@ func Test_movePath_successWhenSourceExistsAndDestinationIsMissing(t *testing.T)
 	file2 := addFile(sourceDir, "file")
 	destinationDir := path.Join(tmp, "destination")

-	err := MoveDirectory(sourceDir, destinationDir, false)
+	err := MoveDirectory(sourceDir, destinationDir)
 	assert.NoError(t, err)
 	assert.NoFileExists(t, file1, "source dir contents should be moved")
 	assert.NoFileExists(t, file2, "source dir contents should be moved")
--- a/api/git/backup.go
+++ b/api/git/backup.go
@@ -38,7 +38,7 @@ func CloneWithBackup(gitService portainer.GitService, fileService portainer.File
 		}
 	}

-	err = filesystem.MoveDirectory(options.ProjectPath, backupProjectPath, true)
+	err = filesystem.MoveDirectory(options.ProjectPath, backupProjectPath)
 	if err != nil {
 		return cleanFn, errors.WithMessage(err, "Unable to move git repository directory")
 	}
@@ -48,7 +48,7 @@ func CloneWithBackup(gitService portainer.GitService, fileService portainer.File
 	err = gitService.CloneRepository(options.ProjectPath, options.URL, options.ReferenceName, options.Username, options.Password, options.TLSSkipVerify)
 	if err != nil {
 		cleanUp = false
-		restoreError := filesystem.MoveDirectory(backupProjectPath, options.ProjectPath, false)
+		restoreError := filesystem.MoveDirectory(backupProjectPath, options.ProjectPath)
 		if restoreError != nil {
 			log.Warn().Err(restoreError).Msg("failed restoring backup folder")
 		}
--- a/api/http/csrf/csrf.go
+++ b/api/http/csrf/csrf.go
@@ -22,7 +22,7 @@ func WithProtect(handler http.Handler) (http.Handler, error) {
 	}

 	handler = gorillacsrf.Protect(
-		token,
+		[]byte(token),
 		gorillacsrf.Path("/"),
 		gorillacsrf.Secure(false),
 	)(handler)
--- a/api/http/errors/errors.go
+++ b/api/http/errors/errors.go
@@ -9,4 +9,6 @@ var (
 	ErrUnauthorized = errors.New("Unauthorized")
 	// ErrResourceAccessDenied Access denied to resource error
 	ErrResourceAccessDenied = errors.New("Access denied to resource")
+	// ErrNotAvailableInDemo feature is not allowed in demo
+	ErrNotAvailableInDemo = errors.New("This feature is not available in the demo version of Portainer")
 )
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -75,12 +75,7 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 		if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
 			settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
 			(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
-			// avoid username enumeration timing attack by creating a fake user
-			// https://en.wikipedia.org/wiki/Timing_attack
-			user = &portainer.User{
-				Username: "portainer-fake-username",
-				Password: "$2a$10$abcdefghijklmnopqrstuvwx..ABCDEFGHIJKLMNOPQRSTUVWXYZ12", // fake but valid format bcrypt hash
-			}
+			return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
 		}
 	}

@@ -117,11 +112,7 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
 func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
 	err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
 	if err != nil {
-		if errors.Is(err, httperrors.ErrUnauthorized) {
-			return httperror.NewError(http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized)
-		}
-
-		return httperror.InternalServerError("Unable to authenticate user against LDAP", err)
+		return httperror.Forbidden("Only initial admin is allowed to login without oauth", err)
 	}

 	if user == nil {
--- a/api/http/handler/backup/backup_test.go
+++ b/api/http/handler/backup/backup_test.go
@@ -16,6 +16,7 @@ import (

 	"github.com/portainer/portainer/api/adminmonitor"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/offlinegate"
 	"github.com/portainer/portainer/api/internal/testhelpers"

@@ -54,7 +55,8 @@ func Test_backupHandlerWithoutPassword_shouldCreateATarballArchive(t *testing.T)
 		gate,
 		"./test_assets/handler_test",
 		func() {},
-		adminMonitor).backup(w, r)
+		adminMonitor,
+		&demo.Service{}).backup(w, r)
 	assert.Nil(t, handlerErr, "Handler should not fail")

 	response := w.Result()
@@ -97,7 +99,8 @@ func Test_backupHandlerWithPassword_shouldCreateEncryptedATarballArchive(t *test
 		gate,
 		"./test_assets/handler_test",
 		func() {},
-		adminMonitor).backup(w, r)
+		adminMonitor,
+		&demo.Service{}).backup(w, r)
 	assert.Nil(t, handlerErr, "Handler should not fail")

 	response := w.Result()
--- a/api/http/handler/backup/handler.go
+++ b/api/http/handler/backup/handler.go
@@ -6,6 +6,8 @@ import (

 	"github.com/portainer/portainer/api/adminmonitor"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/demo"
+	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/offlinegate"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -32,7 +34,10 @@ func NewHandler(
 	filestorePath string,
 	shutdownTrigger context.CancelFunc,
 	adminMonitor *adminmonitor.Monitor,
+	demoService *demo.Service,
+
 ) *Handler {
+
 	h := &Handler{
 		Router:          mux.NewRouter(),
 		bouncer:         bouncer,
@@ -43,8 +48,11 @@ func NewHandler(
 		adminMonitor:    adminMonitor,
 	}

-	h.Handle("/backup", bouncer.RestrictedAccess(adminAccess(httperror.LoggerHandler(h.backup)))).Methods(http.MethodPost)
-	h.Handle("/restore", bouncer.PublicAccess(httperror.LoggerHandler(h.restore))).Methods(http.MethodPost)
+	demoRestrictedRouter := h.NewRoute().Subrouter()
+	demoRestrictedRouter.Use(middlewares.RestrictDemoEnv(demoService.IsDemo))
+
+	demoRestrictedRouter.Handle("/backup", bouncer.RestrictedAccess(adminAccess(httperror.LoggerHandler(h.backup)))).Methods(http.MethodPost)
+	demoRestrictedRouter.Handle("/restore", bouncer.PublicAccess(httperror.LoggerHandler(h.restore))).Methods(http.MethodPost)

 	return h
 }
--- a/api/http/handler/backup/restore_test.go
+++ b/api/http/handler/backup/restore_test.go
@@ -14,6 +14,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/adminmonitor"
+	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/offlinegate"
 	"github.com/portainer/portainer/api/internal/testhelpers"

@@ -62,6 +63,7 @@ func Test_restoreArchive_usingCombinationOfPasswords(t *testing.T) {
 				"./test_assets/handler_test",
 				func() {},
 				adminMonitor,
+				&demo.Service{},
 			)

 			//backup
@@ -94,6 +96,7 @@ func Test_restoreArchive_shouldFailIfSystemWasAlreadyInitialized(t *testing.T) {
 		"./test_assets/handler_test",
 		func() {},
 		adminMonitor,
+		&demo.Service{},
 	)

 	//backup
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -482,7 +482,7 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po
 	}

 	templateFolder := strconv.Itoa(customTemplateID)
-	projectPath, err := handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, payload.FileContent)
+	projectPath, err := handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, []byte(payload.FileContent))
 	if err != nil {
 		return nil, err
 	}
--- a/api/http/handler/customtemplates/customtemplate_git_fetch.go
+++ b/api/http/handler/customtemplates/customtemplate_git_fetch.go
@@ -70,7 +70,8 @@ func (handler *Handler) customTemplateGitFetch(w http.ResponseWriter, r *http.Re
 	if err != nil {
 		log.Warn().Err(err).Msg("failed to download git repository")

-		if rbErr := rollbackCustomTemplate(backupPath, customTemplate.ProjectPath); rbErr != nil {
+		if err != nil {
+			rbErr := rollbackCustomTemplate(backupPath, customTemplate.ProjectPath)
 			return httperror.InternalServerError("Failed to rollback the custom template folder", rbErr)
 		}

--- a/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
+++ b/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
@@ -2,7 +2,6 @@ package customtemplates

 import (
 	"bytes"
-	"errors"
 	"io"
 	"io/fs"
 	"net/http"
@@ -20,7 +19,6 @@ import (
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"

 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -51,19 +49,6 @@ func (f *TestFileService) GetFileContent(projectPath, configFilePath string) ([]
 	return os.ReadFile(filepath.Join(projectPath, configFilePath))
 }

-type InvalidTestGitService struct {
-	portainer.GitService
-	targetFilePath string
-}
-
-func (g *InvalidTestGitService) CloneRepository(dest, repoUrl, refName, username, password string, tlsSkipVerify bool) error {
-	return errors.New("simulate network error")
-}
-
-func (g *InvalidTestGitService) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
-	return "", nil
-}
-
 func createTestFile(targetPath string) error {
 	f, err := os.Create(targetPath)
 	if err != nil {
@@ -90,7 +75,7 @@ func singleAPIRequest(h *Handler, jwt string, is *assert.Assertions, expect stri
 		FileContent string
 	}

-	req := httptest.NewRequest(http.MethodPut, "/custom_templates/1/git_fetch", bytes.NewBufferString("{}"))
+	req := httptest.NewRequest(http.MethodPut, "/custom_templates/1/git_fetch", bytes.NewBuffer([]byte("{}")))
 	testhelpers.AddTestSecurityCookie(req, jwt)

 	rr := httptest.NewRecorder()
@@ -189,28 +174,4 @@ func Test_customTemplateGitFetch(t *testing.T) {

 		singleAPIRequest(h, jwt2, is, "gfedcba")
 	})
-
-	t.Run("restore git repository if it is failed to download the new git repository", func(t *testing.T) {
-		invalidGitService := &InvalidTestGitService{
-			targetFilePath: filepath.Join(template1.ProjectPath, template1.GitConfig.ConfigFilePath),
-		}
-		h := NewHandler(requestBouncer, store, fileService, invalidGitService)
-
-		req := httptest.NewRequest(http.MethodPut, "/custom_templates/1/git_fetch", bytes.NewBufferString("{}"))
-		testhelpers.AddTestSecurityCookie(req, jwt1)
-
-		rr := httptest.NewRecorder()
-		h.ServeHTTP(rr, req)
-
-		is.Equal(http.StatusInternalServerError, rr.Code)
-
-		var errResp httperror.HandlerError
-		err = json.NewDecoder(rr.Body).Decode(&errResp)
-		assert.NoError(t, err, "failed to parse error body")
-
-		assert.FileExists(t, gitService.targetFilePath, "previous git repository is not restored")
-		fileContent, err := os.ReadFile(gitService.targetFilePath)
-		assert.NoError(t, err, "failed to read target file")
-		assert.Equal(t, "gfedcba", string(fileContent))
-	})
 }
--- a/api/http/handler/docker/containers/handler.go
+++ b/api/http/handler/docker/containers/handler.go
@@ -7,7 +7,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/docker"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
@@ -31,7 +30,7 @@ func NewHandler(routePrefix string, bouncer security.BouncerService, dataStore d
 	}

 	router := h.PathPrefix(routePrefix).Subrouter()
-	router.Use(bouncer.AuthenticatedAccess, middlewares.CheckEndpointAuthorization(bouncer))
+	router.Use(bouncer.AuthenticatedAccess)

 	router.Handle("/{containerId}/gpus", httperror.LoggerHandler(h.containerGpusInspect)).Methods(http.MethodGet)
 	router.Handle("/{containerId}/recreate", httperror.LoggerHandler(h.recreate)).Methods(http.MethodPost)
--- a/api/http/handler/docker/containers/recreate.go
+++ b/api/http/handler/docker/containers/recreate.go
@@ -11,7 +11,6 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
 	"github.com/rs/zerolog/log"
 )

@@ -31,7 +30,8 @@ func (handler *Handler) recreate(w http.ResponseWriter, r *http.Request) *httper
 	}

 	var payload RecreatePayload
-	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
 		return httperror.BadRequest("Invalid request payload", err)
 	}

@@ -40,7 +40,8 @@ func (handler *Handler) recreate(w http.ResponseWriter, r *http.Request) *httper
 		return httperror.NotFound("Unable to find an environment on request context", err)
 	}

-	if err := handler.bouncer.AuthorizedEndpointOperation(r, endpoint); err != nil {
+	err = handler.bouncer.AuthorizedEndpointOperation(r, endpoint)
+	if err != nil {
 		return httperror.Forbidden("Permission denied to force update service", err)
 	}

@@ -57,9 +58,8 @@ func (handler *Handler) recreate(w http.ResponseWriter, r *http.Request) *httper
 	go func() {
 		images.EvictImageStatus(containerID)
 		images.EvictImageStatus(newContainer.Config.Labels[consts.ComposeStackNameLabel])
-		images.EvictImageStatus(newContainer.Config.Labels[consts.SwarmServiceIDLabel])
+		images.EvictImageStatus(newContainer.Config.Labels[consts.SwarmServiceIdLabel])
 	}()
-
 	return response.JSON(w, newContainer)
 }

@@ -67,7 +67,6 @@ func (handler *Handler) createResourceControl(oldContainerId string, newContaine
 	resourceControls, err := handler.dataStore.ResourceControl().ReadAll()
 	if err != nil {
 		log.Error().Err(err).Msg("Exporting Resource Controls")
-
 		return
 	}

@@ -75,10 +74,11 @@ func (handler *Handler) createResourceControl(oldContainerId string, newContaine
 	if resourceControl == nil {
 		return
 	}
-
 	resourceControl.ResourceID = newContainerId
-	if err := handler.dataStore.ResourceControl().Create(resourceControl); err != nil {
+	err = handler.dataStore.ResourceControl().Create(resourceControl)
+	if err != nil {
 		log.Error().Err(err).Str("containerId", newContainerId).Msg("Failed to create new resource control for container")
+		return
 	}
 }

@@ -86,12 +86,12 @@ func (handler *Handler) updateWebhook(oldContainerId string, newContainerId stri
 	webhook, err := handler.dataStore.Webhook().WebhookByResourceID(oldContainerId)
 	if err != nil {
 		log.Error().Err(err).Str("containerId", oldContainerId).Msg("cannot find webhook by containerId")
-
 		return
 	}

 	webhook.ResourceID = newContainerId
-	if err := handler.dataStore.Webhook().Update(webhook.ID, webhook); err != nil {
+	err = handler.dataStore.Webhook().Update(webhook.ID, webhook)
+	if err != nil {
 		log.Error().Err(err).Int("webhookId", int(webhook.ID)).Msg("cannot update webhook")
 	}
 }
--- a/api/http/handler/docker/dashboard.go
+++ b/api/http/handler/docker/dashboard.go
@@ -1,164 +0,0 @@
-package docker
-
-import (
-	"net/http"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/image"
-	"github.com/docker/docker/api/types/swarm"
-	"github.com/docker/docker/api/types/volume"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/docker"
-	"github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/handler/docker/utils"
-	"github.com/portainer/portainer/api/http/middlewares"
-	"github.com/portainer/portainer/api/http/security"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-)
-
-type imagesCounters struct {
-	Total int   `json:"total"`
-	Size  int64 `json:"size"`
-}
-
-type dashboardResponse struct {
-	Containers docker.ContainerStats `json:"containers"`
-	Services   int                   `json:"services"`
-	Images     imagesCounters        `json:"images"`
-	Volumes    int                   `json:"volumes"`
-	Networks   int                   `json:"networks"`
-	Stacks     int                   `json:"stacks"`
-}
-
-// @id dockerDashboard
-// @summary Get counters for the dashboard
-// @description **Access policy**: restricted
-// @tags docker
-// @security jwt
-// @param environmentId path int true "Environment identifier"
-// @accept json
-// @produce json
-// @success 200 {object} dashboardResponse "Success"
-// @failure 400 "Bad request"
-// @failure 500 "Internal server error"
-// @router /docker/{environmentId}/dashboard [post]
-func (h *Handler) dashboard(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	var resp dashboardResponse
-	err := h.dataStore.ViewTx(func(tx dataservices.DataStoreTx) error {
-		cli, httpErr := utils.GetClient(r, h.dockerClientFactory)
-		if httpErr != nil {
-			return httpErr
-		}
-
-		context, err := security.RetrieveRestrictedRequestContext(r)
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve user details from request context", err)
-		}
-
-		containers, err := cli.ContainerList(r.Context(), container.ListOptions{All: true})
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve Docker containers", err)
-		}
-
-		containers, err = utils.FilterByResourceControl(tx, containers, portainer.ContainerResourceControl, context, func(c types.Container) string {
-			return c.ID
-		})
-		if err != nil {
-			return err
-		}
-
-		images, err := cli.ImageList(r.Context(), image.ListOptions{})
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve Docker images", err)
-		}
-
-		var totalSize int64
-		for _, image := range images {
-			totalSize += image.Size
-		}
-
-		info, err := cli.Info(r.Context())
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve Docker info", err)
-		}
-
-		isSwarmManager := info.Swarm.ControlAvailable && info.Swarm.NodeID != ""
-
-		var services []swarm.Service
-		if isSwarmManager {
-			servicesRes, err := cli.ServiceList(r.Context(), types.ServiceListOptions{})
-			if err != nil {
-				return httperror.InternalServerError("Unable to retrieve Docker services", err)
-			}
-
-			filteredServices, err := utils.FilterByResourceControl(tx, servicesRes, portainer.ServiceResourceControl, context, func(c swarm.Service) string {
-				return c.ID
-			})
-			if err != nil {
-				return err
-			}
-
-			services = filteredServices
-		}
-
-		volumesRes, err := cli.VolumeList(r.Context(), volume.ListOptions{})
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve Docker volumes", err)
-		}
-
-		volumes, err := utils.FilterByResourceControl(tx, volumesRes.Volumes, portainer.NetworkResourceControl, context, func(c *volume.Volume) string {
-			return c.Name
-		})
-		if err != nil {
-			return err
-		}
-
-		networks, err := cli.NetworkList(r.Context(), types.NetworkListOptions{})
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve Docker networks", err)
-		}
-
-		networks, err = utils.FilterByResourceControl(tx, networks, portainer.NetworkResourceControl, context, func(c types.NetworkResource) string {
-			return c.Name
-		})
-		if err != nil {
-			return err
-		}
-
-		environment, err := middlewares.FetchEndpoint(r)
-		if err != nil {
-			return httperror.InternalServerError("Unable to retrieve environment", err)
-		}
-
-		stackCount := 0
-		if environment.SecuritySettings.AllowStackManagementForRegularUsers || context.IsAdmin {
-			stacks, err := utils.GetDockerStacks(tx, context, environment.ID, containers, services)
-			if err != nil {
-				return httperror.InternalServerError("Unable to retrieve stacks", err)
-			}
-
-			stackCount = len(stacks)
-		}
-
-		resp = dashboardResponse{
-			Images: imagesCounters{
-				Total: len(images),
-				Size:  totalSize,
-			},
-			Services:   len(services),
-			Containers: docker.CalculateContainerStats(containers),
-			Networks:   len(networks),
-			Volumes:    len(volumes),
-			Stacks:     stackCount,
-		}
-
-		return nil
-	})
-
-	return errors.TxResponse(err, func() *httperror.HandlerError {
-		return response.JSON(w, resp)
-	})
-}
--- a/api/http/handler/docker/handler.go
+++ b/api/http/handler/docker/handler.go
@@ -40,16 +40,14 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	}

 	// endpoints
-	endpointRouter := h.PathPrefix("/docker/{id}").Subrouter()
-	endpointRouter.Use(bouncer.AuthenticatedAccess)
-	endpointRouter.Use(middlewares.WithEndpoint(dataStore.Endpoint(), "id"), dockerOnlyMiddleware)
+	endpointRouter := h.PathPrefix("/{id}").Subrouter()
+	endpointRouter.Use(middlewares.WithEndpoint(dataStore.Endpoint(), "id"))
+	endpointRouter.Use(dockerOnlyMiddleware)

-	endpointRouter.Handle("/dashboard", httperror.LoggerHandler(h.dashboard)).Methods(http.MethodGet)
-
-	containersHandler := containers.NewHandler("/docker/{id}/containers", bouncer, dataStore, dockerClientFactory, containerService)
+	containersHandler := containers.NewHandler("/{id}/containers", bouncer, dataStore, dockerClientFactory, containerService)
 	endpointRouter.PathPrefix("/containers").Handler(containersHandler)

-	imagesHandler := images.NewHandler("/docker/{id}/images", bouncer, dockerClientFactory)
+	imagesHandler := images.NewHandler("/{id}/images", bouncer, dockerClientFactory)
 	endpointRouter.PathPrefix("/images").Handler(imagesHandler)
 	return h
 }
--- a/api/http/handler/docker/images/handler.go
+++ b/api/http/handler/docker/images/handler.go
@@ -4,7 +4,6 @@ import (
 	"net/http"

 	"github.com/portainer/portainer/api/docker/client"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"

@@ -26,7 +25,7 @@ func NewHandler(routePrefix string, bouncer security.BouncerService, dockerClien
 	}

 	router := h.PathPrefix(routePrefix).Subrouter()
-	router.Use(bouncer.AuthenticatedAccess, middlewares.CheckEndpointAuthorization(bouncer))
+	router.Use(bouncer.AuthenticatedAccess)

 	router.Handle("", httperror.LoggerHandler(h.imagesList)).Methods(http.MethodGet)
 	return h
--- a/api/http/handler/docker/images/images_list.go
+++ b/api/http/handler/docker/images/images_list.go
@@ -12,7 +12,6 @@ import (
 	"github.com/portainer/portainer/pkg/libhttp/response"

 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
 )

 type ImageResponse struct {
@@ -64,9 +63,7 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http

 	imageUsageSet := set.Set[string]{}
 	if withUsage {
-		containers, err := cli.ContainerList(r.Context(), container.ListOptions{
-			All: true,
-		})
+		containers, err := cli.ContainerList(r.Context(), types.ContainerListOptions{})
 		if err != nil {
 			return httperror.InternalServerError("Unable to retrieve Docker containers", err)
 		}
@@ -78,7 +75,7 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http

 	imagesList := make([]ImageResponse, len(images))
 	for i, image := range images {
-		if len(image.RepoTags) == 0 && len(image.RepoDigests) > 0 {
+		if (image.RepoTags == nil || len(image.RepoTags) == 0) && (image.RepoDigests != nil && len(image.RepoDigests) > 0) {
 			for _, repoDigest := range image.RepoDigests {
 				image.RepoTags = append(image.RepoTags, repoDigest[0:strings.Index(repoDigest, "@")]+":<none>")
 			}
--- a/api/http/handler/docker/utils/filter_by_uac.go
+++ b/api/http/handler/docker/utils/filter_by_uac.go
@@ -1,36 +0,0 @@
-package utils
-
-import (
-	"fmt"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/authorization"
-	"github.com/portainer/portainer/api/internal/slices"
-)
-
-// filterByResourceControl filters a list of items based on the user's role and the resource control associated to the item.
-func FilterByResourceControl[T any](tx dataservices.DataStoreTx, items []T, rcType portainer.ResourceControlType, securityContext *security.RestrictedRequestContext, idGetter func(T) string) ([]T, error) {
-	if securityContext.IsAdmin {
-		return items, nil
-	}
-
-	userTeamIDs := slices.Map(securityContext.UserMemberships, func(membership portainer.TeamMembership) portainer.TeamID {
-		return membership.TeamID
-	})
-
-	filteredItems := make([]T, 0)
-	for _, item := range items {
-		resourceControl, err := tx.ResourceControl().ResourceControlByResourceIDAndType(idGetter(item), portainer.ContainerResourceControl)
-		if err != nil {
-			return nil, fmt.Errorf("Unable to retrieve resource control: %w", err)
-		}
-
-		if resourceControl == nil || authorization.UserCanAccessResource(securityContext.UserID, userTeamIDs, resourceControl) {
-			filteredItems = append(filteredItems, item)
-		}
-
-	}
-	return filteredItems, nil
-}
--- a/api/http/handler/docker/utils/get_stacks.go
+++ b/api/http/handler/docker/utils/get_stacks.go
@@ -1,83 +0,0 @@
-package utils
-
-import (
-	"fmt"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/swarm"
-	portainer "github.com/portainer/portainer/api"
-	portaineree "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	dockerconsts "github.com/portainer/portainer/api/docker/consts"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-type StackViewModel struct {
-	InternalStack *portaineree.Stack
-
-	ID         portainer.StackID
-	Name       string
-	IsExternal bool
-	Type       portainer.StackType
-}
-
-// GetDockerStacks retrieves all the stacks associated to a specific environment filtered by the user's access.
-func GetDockerStacks(tx dataservices.DataStoreTx, securityContext *security.RestrictedRequestContext, environmentID portainer.EndpointID, containers []types.Container, services []swarm.Service) ([]StackViewModel, error) {
-
-	stacks, err := tx.Stack().ReadAll()
-	if err != nil {
-		return nil, fmt.Errorf("Unable to retrieve stacks: %w", err)
-	}
-
-	stacksNameSet := map[string]*StackViewModel{}
-
-	for i := range stacks {
-		stack := stacks[i]
-		if stack.EndpointID == environmentID {
-			stacksNameSet[stack.Name] = &StackViewModel{
-				InternalStack: &stack,
-				ID:            stack.ID,
-				Name:          stack.Name,
-				IsExternal:    false,
-				Type:          stack.Type,
-			}
-		}
-	}
-
-	for _, container := range containers {
-		name := container.Labels[dockerconsts.ComposeStackNameLabel]
-
-		if name != "" && stacksNameSet[name] == nil && !isHiddenStack(container.Labels) {
-			stacksNameSet[name] = &StackViewModel{
-				Name:       name,
-				IsExternal: true,
-				Type:       portainer.DockerComposeStack,
-			}
-		}
-	}
-
-	for _, service := range services {
-		name := service.Spec.Labels[dockerconsts.SwarmStackNameLabel]
-
-		if name != "" && stacksNameSet[name] == nil && !isHiddenStack(service.Spec.Labels) {
-			stacksNameSet[name] = &StackViewModel{
-				Name:       name,
-				IsExternal: true,
-				Type:       portainer.DockerSwarmStack,
-			}
-		}
-	}
-
-	stacksList := make([]StackViewModel, 0)
-	for _, stack := range stacksNameSet {
-		stacksList = append(stacksList, *stack)
-	}
-
-	return FilterByResourceControl(tx, stacksList, portainer.StackResourceControl, securityContext, func(c StackViewModel) string {
-		return c.Name
-	})
-}
-
-func isHiddenStack(labels map[string]string) bool {
-	return labels[dockerconsts.HideStackLabel] != ""
-}
--- a/api/http/handler/docker/utils/get_stacks_test.go
+++ b/api/http/handler/docker/utils/get_stacks_test.go
@@ -1,96 +0,0 @@
-package utils
-
-import (
-	"testing"
-
-	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/swarm"
-	portainer "github.com/portainer/portainer/api"
-	portaineree "github.com/portainer/portainer/api"
-	dockerconsts "github.com/portainer/portainer/api/docker/consts"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestHandler_getDockerStacks(t *testing.T) {
-	environment := &portaineree.Endpoint{
-		ID: 1,
-		SecuritySettings: portainer.EndpointSecuritySettings{
-			AllowStackManagementForRegularUsers: true,
-		},
-	}
-
-	containers := []types.Container{
-		{
-			Labels: map[string]string{
-				dockerconsts.ComposeStackNameLabel: "stack1",
-			},
-		},
-		{
-			Labels: map[string]string{
-				dockerconsts.ComposeStackNameLabel: "stack2",
-			},
-		},
-	}
-
-	services := []swarm.Service{
-		{
-			Spec: swarm.ServiceSpec{
-				Annotations: swarm.Annotations{
-					Labels: map[string]string{
-						dockerconsts.SwarmStackNameLabel: "stack3",
-					},
-				},
-			},
-		},
-	}
-
-	stack1 := portaineree.Stack{
-		ID:         1,
-		Name:       "stack1",
-		EndpointID: 1,
-		Type:       portainer.DockerComposeStack,
-	}
-
-	datastore := testhelpers.NewDatastore(
-		testhelpers.WithEndpoints([]portaineree.Endpoint{*environment}),
-		testhelpers.WithStacks([]portaineree.Stack{
-			stack1,
-			{
-				ID:         2,
-				Name:       "stack2",
-				EndpointID: 2,
-				Type:       portainer.DockerSwarmStack,
-			},
-		}),
-	)
-
-	stacksList, err := GetDockerStacks(datastore, &security.RestrictedRequestContext{
-		IsAdmin: true,
-	}, environment.ID, containers, services)
-	assert.NoError(t, err)
-	assert.Len(t, stacksList, 3)
-
-	expectedStacks := []StackViewModel{
-		{
-			InternalStack: &stack1,
-			ID:            1,
-			Name:          "stack1",
-			IsExternal:    false,
-			Type:          portainer.DockerComposeStack,
-		},
-		{
-			Name:       "stack2",
-			IsExternal: true,
-			Type:       portainer.DockerComposeStack,
-		},
-		{
-			Name:       "stack3",
-			IsExternal: true,
-			Type:       portainer.DockerSwarmStack,
-		},
-	}
-
-	assert.ElementsMatch(t, expectedStacks, stacksList)
-}
--- a/api/http/handler/edgegroups/edgegroup_delete.go
+++ b/api/http/handler/edgegroups/edgegroup_delete.go
@@ -19,9 +19,8 @@ import (
 // @security jwt
 // @param id path int true "EdgeGroup Id"
 // @success 204
-// @failure 409 "Edge group is in use by an Edge stack or Edge job"
 // @failure 503 "Edge compute features are disabled"
-// @failure 500 "Server error"
+// @failure 500
 // @router /edge_groups/{id} [delete]
 func (handler *Handler) edgeGroupDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
--- a/api/http/handler/edgegroups/edgegroup_list.go
+++ b/api/http/handler/edgegroups/edgegroup_list.go
@@ -69,7 +69,7 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 	for _, orgEdgeGroup := range edgeGroups {
 		usedByEdgeJob := false
 		for _, edgeJob := range edgeJobs {
-			if slices.Contains(edgeJob.EdgeGroups, orgEdgeGroup.ID) {
+			if slices.Contains(edgeJob.EdgeGroups, portainer.EdgeGroupID(orgEdgeGroup.ID)) {
 				usedByEdgeJob = true
 				break
 			}
--- a/api/http/handler/edgejobs/edgejob_delete.go
+++ b/api/http/handler/edgejobs/edgejob_delete.go
@@ -49,7 +49,7 @@ func (handler *Handler) edgeJobDelete(w http.ResponseWriter, r *http.Request) *h
 }

 func (handler *Handler) deleteEdgeJob(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID) error {
-	edgeJob, err := tx.EdgeJob().Read(edgeJobID)
+	edgeJob, err := tx.EdgeJob().Read(portainer.EdgeJobID(edgeJobID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an Edge job with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/edgejobs/edgejob_tasklogs_clear.go
+++ b/api/http/handler/edgejobs/edgejob_tasklogs_clear.go
@@ -75,7 +75,7 @@ func (handler *Handler) edgeJobTasksClear(w http.ResponseWriter, r *http.Request
 }

 func (handler *Handler) clearEdgeJobTaskLogs(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID, endpointID portainer.EndpointID, updateEdgeJob func(*portainer.EdgeJob, portainer.EndpointID, []portainer.EndpointID) error) error {
-	edgeJob, err := tx.EdgeJob().Read(edgeJobID)
+	edgeJob, err := tx.EdgeJob().Read(portainer.EdgeJobID(edgeJobID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an Edge job with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/edgejobs/edgejob_tasklogs_inspect.go
+++ b/api/http/handler/edgejobs/edgejob_tasklogs_inspect.go
@@ -43,5 +43,5 @@ func (handler *Handler) edgeJobTaskLogsInspect(w http.ResponseWriter, r *http.Re
 		return httperror.InternalServerError("Unable to retrieve log file from disk", err)
 	}

-	return response.JSON(w, &fileResponse{FileContent: logFileContent})
+	return response.JSON(w, &fileResponse{FileContent: string(logFileContent)})
 }
--- a/api/http/handler/edgejobs/edgejob_tasks_list.go
+++ b/api/http/handler/edgejobs/edgejob_tasks_list.go
@@ -47,7 +47,7 @@ func (handler *Handler) edgeJobTasksList(w http.ResponseWriter, r *http.Request)
 }

 func listEdgeJobTasks(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID) ([]taskContainer, error) {
-	edgeJob, err := tx.EdgeJob().Read(edgeJobID)
+	edgeJob, err := tx.EdgeJob().Read(portainer.EdgeJobID(edgeJobID))
 	if tx.IsErrObjectNotFound(err) {
 		return nil, httperror.NotFound("Unable to find an Edge job with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/edgejobs/edgejob_update.go
+++ b/api/http/handler/edgejobs/edgejob_update.go
@@ -48,7 +48,7 @@ func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
 // @failure 500
 // @failure 400
 // @failure 503 "Edge compute features are disabled"
-// @router /edge_jobs/{id} [put]
+// @router /edge_jobs/{id} [post]
 func (handler *Handler) edgeJobUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
@@ -71,7 +71,7 @@ func (handler *Handler) edgeJobUpdate(w http.ResponseWriter, r *http.Request) *h
 }

 func (handler *Handler) updateEdgeJob(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID, payload edgeJobUpdatePayload) (*portainer.EdgeJob, error) {
-	edgeJob, err := tx.EdgeJob().Read(edgeJobID)
+	edgeJob, err := tx.EdgeJob().Read(portainer.EdgeJobID(edgeJobID))
 	if tx.IsErrObjectNotFound(err) {
 		return nil, httperror.NotFound("Unable to find an Edge job with the specified identifier inside the database", err)
 	} else if err != nil {
@@ -137,7 +137,7 @@ func (handler *Handler) updateEdgeSchedule(tx dataservices.DataStoreTx, edgeJob
 		}

 		for _, endpointID := range endpoints {
-			endpointsToRemove[endpointID] = true
+			endpointsToRemove[portainer.EndpointID(endpointID)] = true
 		}

 		edgeJob.EdgeGroups = nil
--- a/api/http/handler/edgestacks/edgestack_delete.go
+++ b/api/http/handler/edgestacks/edgestack_delete.go
@@ -45,7 +45,7 @@ func (handler *Handler) edgeStackDelete(w http.ResponseWriter, r *http.Request)
 }

 func (handler *Handler) deleteEdgeStack(tx dataservices.DataStoreTx, edgeStackID portainer.EdgeStackID) error {
-	edgeStack, err := tx.EdgeStack().EdgeStack(edgeStackID)
+	edgeStack, err := tx.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
 	if handler.DataStore.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an edge stack with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/edgestacks/edgestack_status_delete.go
+++ b/api/http/handler/edgestacks/edgestack_status_delete.go
@@ -61,7 +61,7 @@ func (handler *Handler) edgeStackStatusDelete(w http.ResponseWriter, r *http.Req
 }

 func (handler *Handler) deleteEdgeStackStatus(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID, endpoint *portainer.Endpoint) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
+	stack, err := tx.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
 	if err != nil {
 		return nil, handler.handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
 	}
--- a/api/http/handler/edgestacks/edgestack_status_update_test.go
+++ b/api/http/handler/edgestacks/edgestack_status_update_test.go
@@ -81,7 +81,7 @@ func TestUpdateStatusAndInspect(t *testing.T) {
 		t.Fatalf("expected EdgeStackStatusType %d, found %d", *payload.Status, lastStatus.Type)
 	}

-	if endpointStatus.EndpointID != payload.EndpointID {
+	if endpointStatus.EndpointID != portainer.EndpointID(payload.EndpointID) {
 		t.Fatalf("expected EndpointID %d, found %d", payload.EndpointID, endpointStatus.EndpointID)
 	}

--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -80,7 +80,7 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 }

 func (handler *Handler) updateEdgeStack(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID, payload updateEdgeStackPayload) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
+	stack, err := tx.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
 	if err != nil {
 		return nil, handler.handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
 	}
--- a/api/http/handler/edgestacks/utils_update_stack_version.go
+++ b/api/http/handler/edgestacks/utils_update_stack_version.go
@@ -7,11 +7,11 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
 	edgestackutils "github.com/portainer/portainer/api/internal/edge/edgestacks"
-
 	"github.com/rs/zerolog/log"
 )

 func (handler *Handler) updateStackVersion(stack *portainer.EdgeStack, deploymentType portainer.EdgeStackDeploymentType, config []byte, oldGitHash string, relatedEnvironmentsIDs []portainer.EndpointID) error {
+
 	stack.Version = stack.Version + 1
 	stack.Status = edgestackutils.NewStatus(stack.Status, relatedEnvironmentsIDs)

@@ -19,9 +19,11 @@ func (handler *Handler) updateStackVersion(stack *portainer.EdgeStack, deploymen
 }

 func (handler *Handler) storeStackFile(stack *portainer.EdgeStack, deploymentType portainer.EdgeStackDeploymentType, config []byte) error {
+
 	if deploymentType != stack.DeploymentType {
 		// deployment type was changed - need to delete all old files
-		if err := handler.FileService.RemoveDirectory(stack.ProjectPath); err != nil {
+		err := handler.FileService.RemoveDirectory(stack.ProjectPath)
+		if err != nil {
 			log.Warn().Err(err).Msg("Unable to clear old files")
 		}

@@ -48,7 +50,8 @@ func (handler *Handler) storeStackFile(stack *portainer.EdgeStack, deploymentTyp
 		entryPoint = stack.ManifestPath
 	}

-	if _, err := handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, entryPoint, config); err != nil {
+	_, err := handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, entryPoint, config)
+	if err != nil {
 		return fmt.Errorf("unable to persist updated Compose file with version on disk: %w", err)
 	}

--- a/api/http/handler/endpointedge/endpointedge_job_logs.go
+++ b/api/http/handler/endpointedge/endpointedge_job_logs.go
@@ -78,7 +78,7 @@ func (handler *Handler) getEdgeJobLobs(tx dataservices.DataStoreTx, endpointID p
 		return httperror.InternalServerError("Unable to find an environment with the specified identifier inside the database", err)
 	}

-	edgeJob, err := tx.EdgeJob().Read(edgeJobID)
+	edgeJob, err := tx.EdgeJob().Read(portainer.EdgeJobID(edgeJobID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an edge job with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/endpointedge/endpointedge_status_inspect.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect.go
@@ -15,7 +15,6 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/edge/cache"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@@ -135,7 +134,7 @@ func (handler *Handler) inspectStatus(tx dataservices.DataStoreTx, r *http.Reque

 	// Take an initial snapshot
 	if endpoint.LastCheckInDate == 0 {
-		handler.ReverseTunnelService.Open(endpoint)
+		handler.ReverseTunnelService.SetTunnelStatusToRequired(endpoint.ID)
 	}

 	agentPlatform, agentPlatformErr := parseAgentPlatform(r)
@@ -154,21 +153,34 @@ func (handler *Handler) inspectStatus(tx dataservices.DataStoreTx, r *http.Reque
 		return nil, httperror.InternalServerError("Unable to persist environment changes inside the database", err)
 	}

-	tunnel := handler.ReverseTunnelService.Config(endpoint.ID)
+	checkinInterval := endpoint.EdgeCheckinInterval
+	if endpoint.EdgeCheckinInterval == 0 {
+		settings, err := tx.Settings().Settings()
+		if err != nil {
+			return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
+		}
+		checkinInterval = settings.EdgeAgentCheckinInterval
+	}
+
+	tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)

 	statusResponse := endpointEdgeStatusInspectResponse{
 		Status:          tunnel.Status,
 		Port:            tunnel.Port,
-		CheckinInterval: edge.EffectiveCheckinInterval(tx, endpoint),
+		CheckinInterval: checkinInterval,
 		Credentials:     tunnel.Credentials,
 	}

-	schedules, handlerErr := handler.buildSchedules(endpoint.ID)
+	schedules, handlerErr := handler.buildSchedules(endpoint.ID, tunnel)
 	if handlerErr != nil {
 		return nil, handlerErr
 	}
 	statusResponse.Schedules = schedules

+	if tunnel.Status == portainer.EdgeAgentManagementRequired {
+		handler.ReverseTunnelService.SetTunnelStatusToActive(endpoint.ID)
+	}
+
 	edgeStacksStatus, handlerErr := handler.buildEdgeStacks(tx, endpoint.ID)
 	if handlerErr != nil {
 		return nil, handlerErr
@@ -201,9 +213,9 @@ func parseAgentPlatform(r *http.Request) (portainer.EndpointType, error) {
 	}
 }

-func (handler *Handler) buildSchedules(endpointID portainer.EndpointID) ([]edgeJobResponse, *httperror.HandlerError) {
+func (handler *Handler) buildSchedules(endpointID portainer.EndpointID, tunnel portainer.TunnelDetails) ([]edgeJobResponse, *httperror.HandlerError) {
 	schedules := []edgeJobResponse{}
-	for _, job := range handler.ReverseTunnelService.EdgeJobs(endpointID) {
+	for _, job := range tunnel.Jobs {
 		var collectLogs bool
 		if _, ok := job.GroupLogsCollection[endpointID]; ok {
 			collectLogs = job.GroupLogsCollection[endpointID].CollectLogs
--- a/api/http/handler/endpointgroups/endpointgroup_delete.go
+++ b/api/http/handler/endpointgroups/endpointgroup_delete.go
@@ -68,7 +68,7 @@ func (handler *Handler) deleteEndpointGroup(tx dataservices.DataStoreTx, endpoin
 	}

 	for _, endpoint := range endpoints {
-		if endpoint.GroupID == endpointGroupID {
+		if endpoint.GroupID == portainer.EndpointGroupID(endpointGroupID) {
 			endpoint.GroupID = portainer.EndpointGroupID(1)
 			err = tx.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
 			if err != nil {
--- a/api/http/handler/endpointgroups/endpointgroup_endpoint_add.go
+++ b/api/http/handler/endpointgroups/endpointgroup_endpoint_add.go
@@ -52,14 +52,14 @@ func (handler *Handler) endpointGroupAddEndpoint(w http.ResponseWriter, r *http.
 }

 func (handler *Handler) addEndpoint(tx dataservices.DataStoreTx, endpointGroupID portainer.EndpointGroupID, endpointID portainer.EndpointID) error {
-	endpointGroup, err := tx.EndpointGroup().Read(endpointGroupID)
+	endpointGroup, err := tx.EndpointGroup().Read(portainer.EndpointGroupID(endpointGroupID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an environment group with the specified identifier inside the database", err)
 	} else if err != nil {
 		return httperror.InternalServerError("Unable to find an environment group with the specified identifier inside the database", err)
 	}

-	endpoint, err := tx.Endpoint().Endpoint(endpointID)
+	endpoint, err := tx.Endpoint().Endpoint(portainer.EndpointID(endpointID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an environment with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go
+++ b/api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go
@@ -51,14 +51,14 @@ func (handler *Handler) endpointGroupDeleteEndpoint(w http.ResponseWriter, r *ht
 }

 func (handler *Handler) removeEndpoint(tx dataservices.DataStoreTx, endpointGroupID portainer.EndpointGroupID, endpointID portainer.EndpointID) error {
-	_, err := tx.EndpointGroup().Read(endpointGroupID)
+	_, err := tx.EndpointGroup().Read(portainer.EndpointGroupID(endpointGroupID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an environment group with the specified identifier inside the database", err)
 	} else if err != nil {
 		return httperror.InternalServerError("Unable to find an environment group with the specified identifier inside the database", err)
 	}

-	endpoint, err := tx.Endpoint().Endpoint(endpointID)
+	endpoint, err := tx.Endpoint().Endpoint(portainer.EndpointID(endpointID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an environment with the specified identifier inside the database", err)
 	} else if err != nil {
--- a/api/http/handler/endpointgroups/endpointgroup_update.go
+++ b/api/http/handler/endpointgroups/endpointgroup_update.go
@@ -7,13 +7,10 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/internal/tag"
-	"github.com/portainer/portainer/api/pendingactions/handlers"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
 	"github.com/rs/zerolog/log"
 )

@@ -55,17 +52,17 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 	}

 	var payload endpointGroupUpdatePayload
-	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
 		return httperror.BadRequest("Invalid request payload", err)
 	}

 	var endpointGroup *portainer.EndpointGroup
-
-	if err := handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		endpointGroup, err = handler.updateEndpointGroup(tx, portainer.EndpointGroupID(endpointGroupID), payload)
-
 		return err
-	}); err != nil {
+	})
+	if err != nil {
 		var httpErr *httperror.HandlerError
 		if errors.As(err, &httpErr) {
 			return httpErr
@@ -78,7 +75,7 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 }

 func (handler *Handler) updateEndpointGroup(tx dataservices.DataStoreTx, endpointGroupID portainer.EndpointGroupID, payload endpointGroupUpdatePayload) (*portainer.EndpointGroup, error) {
-	endpointGroup, err := tx.EndpointGroup().Read(endpointGroupID)
+	endpointGroup, err := tx.EndpointGroup().Read(portainer.EndpointGroupID(endpointGroupID))
 	if tx.IsErrObjectNotFound(err) {
 		return nil, httperror.NotFound("Unable to find an environment group with the specified identifier inside the database", err)
 	} else if err != nil {
@@ -153,20 +150,29 @@ func (handler *Handler) updateEndpointGroup(tx dataservices.DataStoreTx, endpoin
 		}

 		for _, endpoint := range endpoints {
-			if endpoint.GroupID == endpointGroup.ID && endpointutils.IsKubernetesEndpoint(&endpoint) {
-				if err := handler.AuthorizationService.CleanNAPWithOverridePolicies(tx, &endpoint, endpointGroup); err != nil {
-					// Update flag with endpoint and continue
-					go func(endpointID portainer.EndpointID, endpointGroupID portainer.EndpointGroupID) {
-						if err := handler.PendingActionsService.Create(handlers.NewCleanNAPWithOverridePolicies(endpointID, &endpointGroupID)); err != nil {
-							log.Error().Err(err).Msgf("Unable to create pending action to clean NAP with override policies for endpoint (%d) and endpoint group (%d).", endpointID, endpointGroupID)
-						}
-					}(endpoint.ID, endpointGroup.ID)
+			if endpoint.GroupID == endpointGroup.ID {
+				if endpoint.Type == portainer.KubernetesLocalEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+					err = handler.AuthorizationService.CleanNAPWithOverridePolicies(tx, &endpoint, endpointGroup)
+					if err != nil {
+						// Update flag with endpoint and continue
+						go func(endpointID portainer.EndpointID, endpointGroupID portainer.EndpointGroupID) {
+							err := handler.PendingActionsService.Create(portainer.PendingActions{
+								EndpointID: endpointID,
+								Action:     "CleanNAPWithOverridePolicies",
+								ActionData: endpointGroupID,
+							})
+							if err != nil {
+								log.Error().Err(err).Msgf("Unable to create pending action to clean NAP with override policies for endpoint (%d) and endpoint group (%d).", endpointID, endpointGroupID)
+							}
+						}(endpoint.ID, endpointGroup.ID)
+					}
 				}
 			}
 		}
 	}

-	if err := tx.EndpointGroup().Update(endpointGroup.ID, endpointGroup); err != nil {
+	err = tx.EndpointGroup().Update(endpointGroup.ID, endpointGroup)
+	if err != nil {
 		return nil, httperror.InternalServerError("Unable to persist environment group changes inside the database", err)
 	}

@@ -174,11 +180,13 @@ func (handler *Handler) updateEndpointGroup(tx dataservices.DataStoreTx, endpoin
 		endpoints, err := tx.Endpoint().Endpoints()
 		if err != nil {
 			return nil, httperror.InternalServerError("Unable to retrieve environments from the database", err)
+
 		}

 		for _, endpoint := range endpoints {
 			if endpoint.GroupID == endpointGroup.ID {
-				if err := handler.updateEndpointRelations(tx, &endpoint, endpointGroup); err != nil {
+				err = handler.updateEndpointRelations(tx, &endpoint, endpointGroup)
+				if err != nil {
 					return nil, httperror.InternalServerError("Unable to persist environment relations changes inside the database", err)
 				}
 			}
--- a/api/http/handler/endpointproxy/proxy_docker.go
+++ b/api/http/handler/endpointproxy/proxy_docker.go
@@ -34,7 +34,7 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.
 			return httperror.InternalServerError("No Edge agent registered with the environment", errors.New("No agent available"))
 		}

-		_, err := handler.ReverseTunnelService.TunnelAddr(endpoint)
+		_, err := handler.ReverseTunnelService.GetActiveTunnel(endpoint)
 		if err != nil {
 			return httperror.InternalServerError("Unable to get the active tunnel", err)
 		}
--- a/api/http/handler/endpointproxy/proxy_kubernetes.go
+++ b/api/http/handler/endpointproxy/proxy_kubernetes.go
@@ -34,7 +34,7 @@ func (handler *Handler) proxyRequestsToKubernetesAPI(w http.ResponseWriter, r *h
 			return httperror.InternalServerError("No Edge agent registered with the environment", errors.New("No agent available"))
 		}

-		_, err := handler.ReverseTunnelService.TunnelAddr(endpoint)
+		_, err := handler.ReverseTunnelService.GetActiveTunnel(endpoint)
 		if err != nil {
 			return httperror.InternalServerError("Unable to get the active tunnel", err)
 		}
--- a/api/http/handler/endpoints/endpoint_association_delete.go
+++ b/api/http/handler/endpoints/endpoint_association_delete.go
@@ -59,6 +59,8 @@ func (handler *Handler) endpointAssociationDelete(w http.ResponseWriter, r *http
 		return httperror.InternalServerError("Failed persisting environment in database", err)
 	}

+	handler.ReverseTunnelService.SetTunnelStatusToIdle(endpoint.ID)
+
 	return response.Empty(w)
 }

--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@@ -201,7 +201,6 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 // @param Gpus formData string false "List of GPUs - json stringified array of {name, value} structs"
 // @success 200 {object} portainer.Endpoint "Success"
 // @failure 400 "Invalid request"
-// @failure 409 "Name is not unique"
 // @failure 500 "Server error"
 // @router /endpoints [post]
 func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
--- a/api/http/handler/endpoints/endpoint_create_global_key_test.go
+++ b/api/http/handler/endpoints/endpoint_create_global_key_test.go
@@ -10,7 +10,10 @@ import (
 )

 func TestEmptyGlobalKey(t *testing.T) {
-	handler := NewHandler(helper.NewTestRequestBouncer())
+	handler := NewHandler(
+		helper.NewTestRequestBouncer(),
+		nil,
+	)

 	req, err := http.NewRequest(http.MethodPost, "https://portainer.io:9443/endpoints/global-key", nil)
 	if err != nil {
--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@@ -2,13 +2,13 @@ package endpoints

 import (
 	"errors"
-	"fmt"
 	"net/http"
 	"slices"
 	"strconv"

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
@@ -17,40 +17,19 @@ import (
 	"github.com/rs/zerolog/log"
 )

-type endpointDeleteRequest struct {
-	ID            int  `json:"id"`
-	DeleteCluster bool `json:"deleteCluster"`
-}
-
-type endpointDeleteBatchPayload struct {
-	Endpoints []endpointDeleteRequest `json:"endpoints"`
-}
-
-type endpointDeleteBatchPartialResponse struct {
-	Deleted []int `json:"deleted"`
-	Errors  []int `json:"errors"`
-}
-
-func (payload *endpointDeleteBatchPayload) Validate(r *http.Request) error {
-	if payload == nil || len(payload.Endpoints) == 0 {
-		return fmt.Errorf("invalid request payload. You must provide a list of environments to delete")
-	}
-
-	return nil
-}
-
 // @id EndpointDelete
-// @summary Remove an environment
-// @description Remove the environment associated to the specified identifier and optionally clean-up associated resources.
-// @description **Access policy**: Administrator only.
+// @summary Remove an environment(endpoint)
+// @description Remove an environment(endpoint).
+// @description **Access policy**: administrator
 // @tags endpoints
-// @security ApiKeyAuth || jwt
+// @security ApiKeyAuth
+// @security jwt
 // @param id path int true "Environment(Endpoint) identifier"
-// @success 204 "Environment successfully deleted."
-// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
-// @failure 403 "Unauthorized access or operation not allowed."
-// @failure 404 "Unable to find the environment with the specified identifier inside the database."
-// @failure 500 "Server error occurred while attempting to delete the environment."
+// @success 204 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied"
+// @failure 404 "Environment(Endpoint) not found"
+// @failure 500 "Server error"
 // @router /endpoints/{id} [delete]
 func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
@@ -64,9 +43,14 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 		return httperror.BadRequest("Invalid boolean query parameter", err)
 	}

-	if err := handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+	if handler.demoService.IsDemoEnvironment(portainer.EndpointID(endpointID)) {
+		return httperror.Forbidden(httperrors.ErrNotAvailableInDemo.Error(), httperrors.ErrNotAvailableInDemo)
+	}
+
+	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		return handler.deleteEndpoint(tx, portainer.EndpointID(endpointID), deleteCluster)
-	}); err != nil {
+	})
+	if err != nil {
 		var handlerError *httperror.HandlerError
 		if errors.As(err, &handlerError) {
 			return handlerError
@@ -78,58 +62,8 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 	return response.Empty(w)
 }

-// @id EndpointDeleteBatch
-// @summary Remove multiple environments
-// @description Remove multiple environments and optionally clean-up associated resources.
-// @description **Access policy**: Administrator only.
-// @tags endpoints
-// @security ApiKeyAuth || jwt
-// @accept json
-// @produce json
-// @param body body endpointDeleteBatchPayload true "List of environments to delete, with optional deleteCluster flag to clean-up associated resources (cloud environments only)"
-// @success 204 "Environment(s) successfully deleted."
-// @failure 207 {object} endpointDeleteBatchPartialResponse "Partial success. Some environments were deleted successfully, while others failed."
-// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
-// @failure 403 "Unauthorized access or operation not allowed."
-// @failure 500 "Server error occurred while attempting to delete the specified environments."
-// @router /endpoints [delete]
-func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	var p endpointDeleteBatchPayload
-	if err := request.DecodeAndValidateJSONPayload(r, &p); err != nil {
-		return httperror.BadRequest("Invalid request payload", err)
-	}
-
-	resp := endpointDeleteBatchPartialResponse{
-		Deleted: []int{},
-		Errors:  []int{},
-	}
-
-	if err := handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		for _, e := range p.Endpoints {
-			if err := handler.deleteEndpoint(tx, portainer.EndpointID(e.ID), e.DeleteCluster); err != nil {
-				resp.Errors = append(resp.Errors, e.ID)
-				log.Warn().Err(err).Int("environment_id", e.ID).Msg("Unable to remove environment")
-
-				continue
-			}
-
-			resp.Deleted = append(resp.Deleted, e.ID)
-		}
-
-		return nil
-	}); err != nil {
-		return httperror.InternalServerError("Unable to delete environments", err)
-	}
-
-	if len(resp.Errors) > 0 {
-		return response.JSONWithStatus(w, resp, http.StatusPartialContent)
-	}
-
-	return response.Empty(w)
-}
-
 func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID portainer.EndpointID, deleteCluster bool) error {
-	endpoint, err := tx.Endpoint().Endpoint(endpointID)
+	endpoint, err := tx.Endpoint().Endpoint(portainer.EndpointID(endpointID))
 	if tx.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find an environment with the specified identifier inside the database", err)
 	} else if err != nil {
@@ -138,24 +72,28 @@ func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID p

 	if endpoint.TLSConfig.TLS {
 		folder := strconv.Itoa(int(endpointID))
-		if err := handler.FileService.DeleteTLSFiles(folder); err != nil {
+		err = handler.FileService.DeleteTLSFiles(folder)
+		if err != nil {
 			log.Error().Err(err).Msgf("Unable to remove TLS files from disk when deleting endpoint %d", endpointID)
 		}
 	}

-	if err := tx.Snapshot().Delete(endpointID); err != nil {
+	err = tx.Snapshot().Delete(endpointID)
+	if err != nil {
 		log.Warn().Err(err).Msgf("Unable to remove the snapshot from the database")
 	}

 	handler.ProxyManager.DeleteEndpointProxy(endpoint.ID)

 	if len(endpoint.UserAccessPolicies) > 0 || len(endpoint.TeamAccessPolicies) > 0 {
-		if err := handler.AuthorizationService.UpdateUsersAuthorizationsTx(tx); err != nil {
+		err = handler.AuthorizationService.UpdateUsersAuthorizationsTx(tx)
+		if err != nil {
 			log.Warn().Err(err).Msgf("Unable to update user authorizations")
 		}
 	}

-	if err := tx.EndpointRelation().DeleteEndpointRelation(endpoint.ID); err != nil {
+	err = tx.EndpointRelation().DeleteEndpointRelation(endpoint.ID)
+	if err != nil {
 		log.Warn().Err(err).Msgf("Unable to remove environment relation from the database")
 	}

@@ -184,7 +122,8 @@ func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID p
 			return e == endpoint.ID
 		})

-		if err := tx.EdgeGroup().Update(edgeGroup.ID, &edgeGroup); err != nil {
+		err = tx.EdgeGroup().Update(edgeGroup.ID, &edgeGroup)
+		if err != nil {
 			log.Warn().Err(err).Msgf("Unable to update edge group")
 		}
 	}
@@ -240,12 +179,8 @@ func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID p
 		}
 	}

-	// delete the pending actions
-	if err := tx.PendingActions().DeleteByEndpointID(endpoint.ID); err != nil {
-		log.Warn().Err(err).Int("endpointId", int(endpoint.ID)).Msgf("Unable to delete pending actions")
-	}
-
-	if err := tx.Endpoint().DeleteEndpoint(endpointID); err != nil {
+	err = tx.Endpoint().DeleteEndpoint(portainer.EndpointID(endpointID))
+	if err != nil {
 		return httperror.InternalServerError("Unable to delete the environment from the database", err)
 	}

--- a/api/http/handler/endpoints/endpoint_delete_test.go
+++ b/api/http/handler/endpoints/endpoint_delete_test.go
@@ -9,6 +9,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/demo"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 )
@@ -18,10 +19,9 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {

 	_, store := datastore.MustNewTestStore(t, true, false)

-	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler := NewHandler(testhelpers.NewTestRequestBouncer(), demo.NewService())
 	handler.DataStore = store
-	handler.ProxyManager = proxy.NewManager(nil)
-	handler.ProxyManager.NewProxyFactory(nil, nil, nil, nil, nil, nil, nil, nil)
+	handler.ProxyManager = proxy.NewManager(nil, nil, nil, nil, nil, nil, nil)

 	// Create all the environments and add them to the same edge group

--- a/api/http/handler/endpoints/endpoint_force_update_service.go
+++ b/api/http/handler/endpoints/endpoint_force_update_service.go
@@ -11,10 +11,9 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-	"github.com/rs/zerolog/log"

+	"github.com/docker/docker/api/types"
 	dockertypes "github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 )

@@ -40,7 +39,7 @@ func (payload *forceUpdateServicePayload) Validate(r *http.Request) error {
 // @produce json
 // @param id path int true "endpoint identifier"
 // @param body body forceUpdateServicePayload true "details"
-// @success 200 {object} swarm.ServiceUpdateResponse "Success"
+// @success 200 {object} dockertypes.ServiceUpdateResponse "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "endpoint not found"
@@ -95,14 +94,10 @@ func (handler *Handler) endpointForceUpdateService(w http.ResponseWriter, r *htt
 	go func() {
 		images.EvictImageStatus(payload.ServiceID)
 		images.EvictImageStatus(service.Spec.Labels[consts.SwarmStackNameLabel])
-		// ignore errors from this cleanup function, log them instead
-		containers, err := dockerClient.ContainerList(context.TODO(), container.ListOptions{
+		containers, _ := dockerClient.ContainerList(context.TODO(), types.ContainerListOptions{
 			All:     true,
-			Filters: filters.NewArgs(filters.Arg("label", consts.SwarmServiceIDLabel+"="+payload.ServiceID)),
+			Filters: filters.NewArgs(filters.Arg("label", consts.SwarmServiceIdLabel+"="+payload.ServiceID)),
 		})
-		if err != nil {
-			log.Warn().Err(err).Str("Environment", endpoint.Name).Msg("Error listing containers")
-		}

 		for _, container := range containers {
 			images.EvictImageStatus(container.ID)
--- a/api/http/handler/endpoints/endpoint_list_test.go
+++ b/api/http/handler/endpoints/endpoint_list_test.go
@@ -194,7 +194,7 @@ func setupEndpointListHandler(t *testing.T, endpoints []portainer.Endpoint) *Han

 	bouncer := testhelpers.NewTestRequestBouncer()

-	handler := NewHandler(bouncer)
+	handler := NewHandler(bouncer, nil)
 	handler.DataStore = store
 	handler.ComposeStackManager = testhelpers.NewComposeStackManager()
 	handler.SnapshotService, _ = snapshot.NewService("1s", store, nil, nil, nil, nil)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
prabhat khera	e075b71fef	fix(api): api error message [EE-6818]	2024-03-13 12:26:09 +13:00
cmeng	6e11c10bab	fix(csrf): disable csrf secure cookie EE-6787 (#11299 )	2024-03-13 11:22:18 +13:00
LP B	cb9ab3b375	fix(app): views not loading when quickly navigating in app (#11279 )	2024-03-12 15:16:19 +01:00
Chaim Lev-Ari	b13dac0f6d	fix(docker): apply private uac to edge admin [EE-6788] (#11284 )	2024-03-12 09:59:39 +02:00
cmeng	0144a98b3b	fix(edge-stack): deploy button is disabled EE-6819 (#11354 )	2024-03-12 17:19:45 +13:00
Prabhat Khera	64a08c59e9	address review commets (#11361 )	2024-03-12 11:32:03 +13:00
Ali	1090c82beb	fix(app): on create don't mention previous values [EE-6837] (#11351 ) Co-authored-by: testa113 <testa113>	2024-03-11 16:43:45 +13:00
Prabhat Khera	6094dc115b	fix(container): autocomplete off for create container form [EE-6761] (#11337 ) * autocomplete off doe create container form * address review commets * remove auto complete off from forms	2024-03-11 13:38:59 +13:00
Prabhat Khera	30513695b5	fix(kube): stackname in daemonsets and statefulsets app [EE-6670] (#11353 )	2024-03-11 10:04:55 +13:00
Chaim Lev-Ari	dd2be9fb1e	refactor(tests): wrap tests explicitly with provider [EE-6686] (#11276 )	2024-03-10 14:22:05 +02:00
Chaim Lev-Ari	e265b8b67c	fix(kube/config): validate change window start [EE-6830] (#11328 )	2024-03-10 09:42:29 +02:00
Matt Hook	cc1ce9412a	fix(exec): improve alignment of help icon [EE-6816] (#11340 )	2024-03-08 14:03:01 +13:00
Prabhat Khera	8eb8df2b30	fix(kube-stacks): change wordings [EE-6670] (#11335 )	2024-03-08 12:15:27 +13:00
Ali	c0bd2dfdaf	fix(matomo): stop oauth link event [EE-6779] (#11333 )	2024-03-08 10:17:26 +13:00
Matt Hook	bf65a38d5a	fix(exec): fix alignment and text size and alignment [EE-6816] (#11324 )	2024-03-07 12:57:53 +13:00
cmeng	0ea21f2317	fix(menu): edge compute menu not clickable EE-6804 (#11320 )	2024-03-07 12:11:59 +13:00
Prabhat Khera	b5f839a920	fix(stacks): make stackName kube stack specific field [EE-6670] (#11316 ) * fix(stacks): make stackName kube stack specific field [EE-6670] * fix wordings	2024-03-07 11:31:28 +13:00
Prabhat Khera	29025e7dd4	fix(UI): axios progress bar loading issue [EE-6781] (#11290 )	2024-03-07 11:30:23 +13:00
Ali	692981b615	fix(time window): show errors for component [EE-6800] (#11318 ) Co-authored-by: testa113 <testa113>	2024-03-07 09:03:26 +13:00
Chaim Lev-Ari	d6545b6af5	fix(kube/setup): add a11y labels [EE-6747] (#11308 )	2024-03-06 14:57:03 +02:00
Matt Hook	6bbf62fe64	fix(contexthelp): remove extra slash from contexthelp docs link [EE-6780] (#11312 )	2024-03-06 16:38:19 +13:00
Matt Hook	6b3ddf11d4	fix(helm): remove helm insights from the stack datatable [EE-6803] (#11313 )	2024-03-06 16:36:48 +13:00
Dakota Walsh	77c9124e8a	fix(datatable): title size EE-6774 (#11273 )	2024-03-06 08:01:45 +13:00
Chaim Lev-Ari	2c3dcdd14e	fix(docker/images): export image [EE-6807] (#11305 )	2024-03-05 19:30:45 +02:00
matias-portainer	ec913b45d6	fix(edge/templates): get correct default value for selectType env vars EE-6796 (#11293 )	2024-03-04 10:35:19 -03:00
Matt Hook	51c672af21	fix(kube): update doc links to match new menu structure [EE-6759] (#11266 )	2024-03-01 15:37:32 +13:00
Matt Hook	ff178641be	fix(help): add versioned doc links to support LTS/STS docs [EE-6780] (#11282 )	2024-03-01 15:36:19 +13:00
cmeng	a43454076b	fix(edge-stacks): take not-found stack as removed EE-6758 (#11249 )	2024-03-01 11:50:27 +13:00
cmeng	a7eaa0f3fa	fix(container): get old container info correctly EE-6716 (#11215 )	2024-03-01 09:14:26 +13:00
cmeng	8ad11fc88f	fix(stack): more space for add button EE-6773 (#11258 )	2024-03-01 09:11:46 +13:00
Chaim Lev-Ari	43a95874f4	fix(auth): prevent unauthorized redirect on page load [EE-6777] (#11265 )	2024-02-29 09:41:29 +02:00
Chaim Lev-Ari	b4f4c3212a	feat(kube): add a11y props for smoke tests [EE-6747] (#11262 )	2024-02-29 09:26:10 +02:00
Chaim Lev-Ari	d44f57ed6f	fix(ci): prevent tests from running twice [EE-6728] (#11196 )	2024-02-29 08:11:46 +02:00
Chaim Lev-Ari	eba08cdca0	fix(docker): hide write buttons for non authorized [EE-6775] (#11261 )	2024-02-27 12:36:47 +02:00
Prabhat Khera	de3a3f88a0	fix(ui): autocomplete on edge custom template and stacks [EE-6761] (#11269 )	2024-02-27 20:15:56 +13:00
Matt Hook	f6b2c879bc	fix(kube): make app autorefresh and show system settings stay [EE-6771] (#11256 )	2024-02-27 11:18:28 +13:00
Prabhat Khera	f5fbcd4d9d	fix(stack): auto complete dropdown in docker stacks [EE-6761] (#11254 )	2024-02-26 11:43:18 +13:00
Ali	f8b68a809f	fix(app): parse nan in validation check [EE-6714] (#11247 )	2024-02-26 09:20:59 +13:00
Oscar Zhou	6258c02353	fix(edge/template): validate app template env vars [EE-6743] (#11234 )	2024-02-26 09:00:03 +13:00
Chaim Lev-Ari	0fd20277c1	fix(docker): prevent non admins from passing security settings [EE-6765] (#11239 )	2024-02-25 11:57:19 +02:00
cmeng	988064a542	fix(stack): make web editor readonly for git template EE-6706 (#11183 )	2024-02-23 13:28:20 +13:00
Matt Hook	380b23a9f5	fix(dependancies): update compose and runc [EE-6744] (#11243 )	2024-02-23 11:48:49 +13:00
Prabhat Khera	158b43194c	fix(ui): turn autocomplete off for git deployment [EE-6761] (#11241 )	2024-02-23 08:44:00 +13:00
Ali	1bbe98379a	fix(app): NaN validation for autoscaling [EE-6714] (#11238 )	2024-02-22 17:36:41 +13:00
Matt Hook	8f9b265f5a	fix(helm) tighten up helm requests [EE-6722] (#11233 )	2024-02-22 11:35:01 +13:00
Ali	1cdd3fdfe2	fix(input): allow clearing number inputs [EE-6714] (#11187 )	2024-02-21 10:43:28 +13:00
Ali	4e95139909	fix(inputlist): update warning style [EE-6737] (#11222 )	2024-02-21 08:29:14 +13:00
Matt Hook	704d75596d	fix(libhttp): capitalize http error responses for better display [EE-6698] (#11109 )	2024-02-21 07:51:29 +13:00
Chaim Lev-Ari	a8938779bf	fix(ui): check for authorization [EE-6733] (#11207 )	2024-02-20 11:06:05 +02:00
Chaim Lev-Ari	bb6f4e026a	fix(kube/apps): move namespace selector in apps view [EE-6612] (#11069 )	2024-02-20 10:14:11 +02:00
Ali	b64166ff25	fix(app): remove insight from helm [EE-6693] (#11214 ) Co-authored-by: testa113 <testa113>	2024-02-20 17:25:22 +13:00
Ali	bac1c28fa9	fix(app): set values in react autoscaling form section [EE-6740] (#11220 )	2024-02-20 09:35:32 +13:00
Prabhat Khera	a17da6d2cd	fix(git): update stack name for git stacks [EE-6670] (#11218 )	2024-02-20 09:23:50 +13:00
Chaim Lev-Ari	24c2baf6cc	feat(a11y): add labels and roles [EE-6717] (#11209 )	2024-02-19 16:37:21 +02:00
Oscar Zhou	22b4d029fd	fix(edge/template): custom template git fields not pre-filled [EE-6695] (#11113 )	2024-02-19 08:39:16 +13:00
Ali	b126472ec7	fix(app): update app type when changing data access policy [EE-6719] (#11210 ) Co-authored-by: testa113 <testa113>	2024-02-19 08:08:17 +13:00
Ali	a46fa3b2c4	fix(app): avoid duplicate env requests [EE-6727] (#11193 ) Co-authored-by: testa113 <testa113>	2024-02-16 14:02:02 +13:00
Prabhat Khera	a374157d6f	fix(ui): update search placeholder [EE-6667] (#11191 ) * update search placeholder * remove box selector description	2024-02-16 12:34:10 +13:00
Matt Hook	861ed662e2	fix(namespace): fix default namespace quota [EE-6700] (#11184 )	2024-02-16 08:17:10 +13:00
Chaim Lev-Ari	99b89a8ec5	chore(eslint): add rule to check imports [EE-6730] (#11200 )	2024-02-15 17:45:54 +02:00
Chaim Lev-Ari	95750c2339	fix(auth): export hasAuthorizations [EE-6595] (#11198 )	2024-02-15 14:05:45 +02:00
Chaim Lev-Ari	165d6165dc	feat(ui): restrict views by role [EE-6595] (#11071 )	2024-02-15 13:29:55 +02:00
Chaim Lev-Ari	fe6ed55cab	feat(edge/stacks): add app templates to deploy types [EE-6632] (#11070 )	2024-02-15 09:00:57 +02:00
Chaim Lev-Ari	edea9e3481	feat(auth): add useIsEdgeAdmin hook [EE-6627] (#11101 )	2024-02-14 19:50:26 -03:00
Ali	c08b5af85a	fix(insight): split insight from input [EE-6693] (#11177 ) Co-authored-by: testa113 <testa113>	2024-02-15 10:46:02 +13:00
Prabhat Khera	ed861044a7	Revert "fix(logs): add NOCOLOR option for use when exporting to greylog etc […" (#11178 ) This reverts commit `aca6d33548`.	2024-02-15 06:26:22 +13:00
Chaim Lev-Ari	a83321ebe6	feat(ui): write tests [EE-6685] (#11082 )	2024-02-14 17:25:32 +02:00
Ali	513cd9c9b3	fix(configs): correct 'external' display in tables [EE-6649] (#11111 ) Co-authored-by: testa113 <testa113>	2024-02-14 11:48:05 +13:00
Ali	dc94bf141e	fix(stacks): add app form stacks input [EE-6693] (#11105 )	2024-02-14 09:01:02 +13:00
Dakota Walsh	24471a9ae1	fix(restore): add S3 teaser [EE-6675] (#11096 )	2024-02-14 08:40:34 +13:00
Matt Hook	aca6d33548	fix(logs): add NOCOLOR option for use when exporting to greylog etc [EE-6696] (#11107 )	2024-02-14 07:54:47 +13:00
Ali	ca77b85c65	fix(kube-owner): owner labels from resources created via manifest [EE-6647] (#11103 ) Co-authored-by: testa113 <testa113>	2024-02-12 15:30:59 +13:00
Prabhat Khera	1fd4291630	fix(ui): stackname auto fill on create from manifest screen [EE-6688] (#11100 ) * fix(ui): stackname auto fill on create from manifest screen [EE-6688] * address review comment	2024-02-12 10:54:24 +13:00
Ali	08dd7f6d2a	fix(auth): isAdmin redirect for wizard [EE-6669] (#11075 ) Co-authored-by: testa113 <testa113>	2024-02-12 08:04:44 +13:00
Prabhat Khera	ce4b0e759c	fix(ui): scroll issue [EE-6667 (#11085 ) * Fix scroll issue * fix minorissue * address review comments * add comment	2024-02-09 15:35:38 +13:00
Steven Kang	538e7a823b	fix: pre-release build only after merging (#11098 )	2024-02-09 15:26:39 +13:00
Matt Hook	956e8d3c59	fix(docs): fix swagger docs for webhook params [EE-6668] (#11089 )	2024-02-09 14:44:29 +13:00
Prabhat Khera	1c5458f0d4	fix(kube): ingress path duplication issue [EE-6649] (#11087 )	2024-02-09 07:49:57 +13:00
Prabhat Khera	f6085ffad7	fix stack name update issue (#11065 )	2024-02-08 13:51:06 +13:00
Matt Hook	490bda2eaf	fix(kube-apps): add helm insights, remove namespace insights panel [EE-6671] (#11078 )	2024-02-08 11:18:48 +13:00
Prabhat Khera	d601d8eb7b	fix(UI): some minor fixes [EE-6667] (#11062 ) * minor tweeks for kubernetes settings * address review comments	2024-02-06 12:17:35 +13:00
Steven Kang	b0564b9238	Pre-release as part of the CI (#11067 ) * feat: add pre-release * feat: add extension * feat: fix typo	2024-02-05 18:29:12 +13:00
Prabhat Khera	8922585a70	keep labels on edit ingress, configmaps and secrets (#11063 )	2024-02-05 16:30:31 +13:00
Ali	d7cf2284dc	fix(r2a): don't set errors to undefined [EE-6665] (#11060 ) Co-authored-by: testa113 <testa113>	2024-02-05 14:24:15 +13:00