Merge kvm of slapos recipe.

slapos/recipe/kvm/__init__.py

@@ -30,113 +30,291 @@ from slapos.recipe.librecipe import BaseSlapRecipe
 import subprocess
 import binascii
 import random
-
+import zc.buildout
 import pkg_resources
-
+import ConfigParser
+import hashlib
 
 class Recipe(BaseSlapRecipe):
 
   def _install(self):
+    """
+    Set the connection dictionnary for the computer partition and create a list
+    of paths to the different wrappers
+
+    Parameters : none
+
+    Returns    : List path_list
+    """
+    self.path_list = []
+
+    self.requirements, self.ws           = self.egg.working_set()
+    self.cron_d                          = self.installCrond()    
+
+    self.ca_conf                         = self.installCertificateAuthority()
+    self.key_path, self.certificate_path = self.requestCertificate('noVNC')
+     
+    kvm_conf = self.installKvm(vnc_ip = self.getLocalIPv4Address())
+    
+    vnc_port = 5900 + kvm_conf['vnc_display']
+    
+    noVNC_conf = self.installNoVnc(source_ip   = self.getGlobalIPv6Address(),
+                                   source_port = 6080,
+                                   target_ip   = kvm_conf['vnc_ip'],
+                                   target_port = vnc_port,
+                                   python_path = kvm_conf['python_path'])
+    
+    self.linkBinary()
+    self.computer_partition.setConnectionDict(dict(
+        url = "https://[%s]:%s/vnc.html?host=[%s]&port=%s" % (noVNC_conf['source_ip'],
+                                                     noVNC_conf['source_port'],
+                                                     noVNC_conf['source_ip'],
+                                                     noVNC_conf['source_port']
+                                                     ), 
+        password = kvm_conf['vnc_passwd']))
+    
+    return self.path_list
+
+  def installKvm(self, vnc_ip):
+    """
+    Create kvm configuration dictionnary and instanciate a wrapper for kvm and 
+    kvm controller 
+
+    Parameters : IP the vnc server is listening on
+
+    Returns    : Dictionnary kvm_conf
+    """
+    kvm_conf = dict(vnc_ip = vnc_ip)
     
-    #Get the IP list
     connection_found = False
-    ip = self.getGlobalIPv6Address()
-    for tap, dummy in self.parameter_dict['ip_list']:
+    for tap_interface, dummy in self.parameter_dict['ip_list']:
       # Get an ip associated to a tap interface
-      if tap:
+      if tap_interface:
         connection_found = True
     if not connection_found:
       raise NotImplementedError("Do not support ip without tap interface")
 
+    kvm_conf['tap_interface'] = tap_interface
+    
     # Disk path
-    disk_path = os.path.join(self.data_root_directory, 'virtual.qcow2')
-    socket_path = os.path.join(self.var_directory, 'qmp_socket')
+    kvm_conf['disk_path'] = os.path.join(self.data_root_directory,
+        'virtual.qcow2')
+    kvm_conf['socket_path'] = os.path.join(self.var_directory, 'qmp_socket')
     # XXX Weak password
-    vnc_passwd = binascii.hexlify(os.urandom(4))
+    ##XXX -Vivien: add an option to generate one password for all instances 
+    # and/or to input it yourself
+    kvm_conf['vnc_passwd'] = binascii.hexlify(os.urandom(4))
 
-    #XXX pid_file path, database_path and xml path
-    pid_file_path = os.path.join(self.run_directory, 'pid_file')
-    database_path = os.path.join(self.data_root_directory, 'slapmonitor_database')
+    #XXX pid_file path, database_path, path to python binary and xml path
+    kvm_conf['pid_file_path'] = os.path.join(self.run_directory, 'pid_file')
+    kvm_conf['database_path'] = os.path.join(self.data_root_directory,
+        'slapmonitor_database')
+    kvm_conf['python_path']   = sys.executable
+    kvm_conf['qemu_path']     = self.options['qemu_path']
     #xml_path = os.path.join(self.var_directory, 'slapreport.xml' )
 
     # Create disk if needed
-    if not os.path.exists(disk_path):
+    if not os.path.exists(kvm_conf['disk_path']):
       retcode = subprocess.call(["%s create -f qcow2 %s %iG" % (
-          self.options['qemu_img_path'], disk_path,
+          self.options['qemu_img_path'], kvm_conf['disk_path'],
           int(self.options['disk_size']))], shell=True)
       if retcode != 0:
         raise OSError, "Disk creation failed!"
     
-    # Instanciate KVM
-    kvm_config = {}
     # Options nbd_ip and nbd_port are provided by slapos master
-    kvm_config.update(self.options)
-    #raise NotImplementedError("%s" % self.parameter_dict)
-    kvm_config['vnc_ip'] = ip
-    kvm_config['tap_interface'] = tap
-    kvm_config['nbd_ip'] = self.parameter_dict['nbd_ip']
-    kvm_config['nbd_port'] = self.parameter_dict['nbd_port']
-    #XXX
-    kvm_config['pid_file'] = pid_file_path 
-    kvm_config['image'] = disk_path
+    kvm_conf['nbd_ip']   = self.parameter_dict['nbd_ip']
+    kvm_conf['nbd_port'] = self.parameter_dict['nbd_port']
+
     # First octet has to represent a locally administered address
     octet_list         = [254] + [random.randint(0x00, 0xff) for x in range(5)]
-    kvm_config['mac_address'] = ':'.join(['%02x' % x for x in octet_list])
-    kvm_config['qmp_socket'] = socket_path
-    kvm_config['hostname'] = "slaposkvm"
+    kvm_conf['mac_address'] = ':'.join(['%02x' % x for x in octet_list])
 
-    kvm_wrapper_template_location = pkg_resources.resource_filename(
+    kvm_conf['hostname']    = "slaposkvm"
+    kvm_conf['smp_count']   = self.options['smp_count']
+    kvm_conf['ram_size']    = self.options['ram_size']
+
+    kvm_conf['vnc_display'] = 1
+    
+    # Instanciate KVM
+    kvm_template_location = pkg_resources.resource_filename(          
                                              __name__, os.path.join(         
                                              'template', 'kvm_run.in'))     
+    
     kvm_runner_path = self.createRunningWrapper("kvm",                        
-          self.substituteTemplate(kvm_wrapper_template_location, kvm_config))
+          self.substituteTemplate(kvm_template_location,
+                                  kvm_conf))
    
+    self.path_list.append(kvm_runner_path)
 
     # Instanciate KVM controller
-    controller_config = {}
-    # Options nbd_ip and nbd_port are provided by slapos master
-    controller_config.update(self.options)
-    controller_config['qmp_socket'] = socket_path
-    controller_config['vnc_passwd'] = vnc_passwd
-    controller_config['python_path'] = sys.executable
-
-    controller_wrapper_template_location = pkg_resources.resource_filename(
-                                             __name__, os.path.join(
-                                             'template', 'kvm_controller_run.in'))
-    controller_runner_path = self.createRunningWrapper("kvm_controller",
-          self.substituteTemplate(controller_wrapper_template_location, controller_config))
-
-    #XXX Instanciate Slapmonitor
-    slapmonitor_config={}
-    slapmonitor_config.update(self.options)
-    slapmonitor_config['database_path'] = database_path 
-    slapmonitor_config['pid_file'] = pid_file_path
-    slapmonitor_config['python_path'] = sys.executable
-    slapmonitor_wrapper_template_location = pkg_resources.resource_filename(
+    kvm_controller_template_location = pkg_resources.resource_filename(          
                                              __name__, os.path.join(         
-                                             'template', 'slapmonitor_run.in'))
-    slapmonitor_runner_path = self.createRunningWrapper("slapmonitor",
-          self.substituteTemplate(slapmonitor_wrapper_template_location, slapmonitor_config))
+                                             'template',
+                                             'kvm_controller_run.in' ))     
     
+    kvm_controller_runner_path = self.createRunningWrapper("kvm_controller",                        
+          self.substituteTemplate(kvm_controller_template_location,
+                                  kvm_conf))
    
-    #XXX Instanciate Slapreport
-    slapreport_config={}
-    slapreport_config.update(self.options)
-    slapreport_config['database_path'] = database_path 
-    slapreport_config['python_path'] = sys.executable
-    slapreport_wrapper_template_location = pkg_resources.resource_filename(
-                                             __name__, os.path.join(
-                                             'template', 'slapreport_run.in'))
-    slapreport_runner_path = self.createReportRunningWrapper(self.substituteTemplate(
-                      slapreport_wrapper_template_location, slapreport_config))
+    self.path_list.append(kvm_controller_runner_path)
    
+    # Instanciate Slapmonitor
+    ##slapmonitor_runner_path = self.instanciate_wrapper("slapmonitor",
+    #    [database_path, pid_file_path, python_path])
+    # Instanciate Slapreport
+    ##slapreport_runner_path = self.instanciate_wrapper("slapreport",
+    #    [database_path, python_path])
     
+    return kvm_conf
 
+  def installNoVnc(self, source_ip, source_port, target_ip, target_port, 
+                   python_path):
+    """
+    Create noVNC configuration dictionnary and instanciate Websockify proxy
 
-    self.computer_partition.setConnectionDict(dict(
-      vnc_connection_string="vnc://[%s]:1" % ip,
-      vnc_password=vnc_passwd,
-    ))
+    Parameters : IP of the proxy, port on which is situated the proxy,
+                 IP of the vnc server, port on which is situated the vnc server,
+                 path to python binary
+
+    Returns    : noVNC configuration dictionnary
+    """
+
+    noVNC_conf = {}
+   
+    noVNC_conf['source_ip']   = source_ip                                          
+    noVNC_conf['source_port'] = source_port
+    
+    # Instanciate Websockify
+    websockify_runner_path = zc.buildout.easy_install.scripts([('websockify',
+      'slapos.recipe.librecipe.execute', 'execute_wait')], self.ws,
+      sys.executable, self.wrapper_directory, arguments=[
+        [python_path.strip(),
+         self.options['websockify_path'],
+         '--web',
+         self.options['noVNC_location'],
+         '--key=%s' % (self.key_path),
+         '--cert=%s' % (self.certificate_path),
+         '--ssl-only',
+         '%s:%s' % (source_ip, source_port),
+         '%s:%s' % (target_ip, target_port)],
+        [self.certificate_path, self.key_path]]
+       )[0]
+    
+    self.path_list.append(websockify_runner_path)
+  
+    return noVNC_conf
+
+  def linkBinary(self):
+    """Links binaries to instance's bin directory for easier exposal"""
+    for linkline in self.options.get('link_binary_list', '').splitlines():
+      if not linkline:
+        continue
+      target = linkline.split()
+      if len(target) == 1:
+        target = target[0]
+        path, linkname = os.path.split(target)
+      else:
+        linkname = target[1]
+        target = target[0]
+      link = os.path.join(self.bin_directory, linkname)
+      if os.path.lexists(link):
+        if not os.path.islink(link):
+          raise zc.buildout.UserError(
+              'Target link already %r exists but it is not link' % link)
+        os.unlink(link)
+      os.symlink(target, link)
+      self.logger.debug('Created link %r -> %r' % (link, target))
+      self.path_list.append(link)
+      
+  def installCertificateAuthority(self, ca_country_code='XX',
+      ca_email='xx@example.com', ca_state='State', ca_city='City',
+      ca_company='Company'):
+    backup_path = self.createBackupDirectory('ca')
+    self.ca_dir = os.path.join(self.data_root_directory, 'ca')
+    self._createDirectory(self.ca_dir)
+    self.ca_request_dir = os.path.join(self.ca_dir, 'requests')
+    self._createDirectory(self.ca_request_dir)
+    config = dict(ca_dir=self.ca_dir, request_dir=self.ca_request_dir)
+    self.ca_private = os.path.join(self.ca_dir, 'private')
+    self.ca_certs = os.path.join(self.ca_dir, 'certs')
+    self.ca_crl = os.path.join(self.ca_dir, 'crl')
+    self.ca_newcerts = os.path.join(self.ca_dir, 'newcerts')
+    self.ca_key_ext = '.key'
+    self.ca_crt_ext = '.crt'
+    for d in [self.ca_private, self.ca_crl, self.ca_newcerts, self.ca_certs]:
+      self._createDirectory(d)
+    for f in ['crlnumber', 'serial']:
+      if not os.path.exists(os.path.join(self.ca_dir, f)):
+        open(os.path.join(self.ca_dir, f), 'w').write('01')
+    if not os.path.exists(os.path.join(self.ca_dir, 'index.txt')):
+      open(os.path.join(self.ca_dir, 'index.txt'), 'w').write('')
+    openssl_configuration = os.path.join(self.ca_dir, 'openssl.cnf')
+    config.update(
+        working_directory=self.ca_dir,
+        country_code=ca_country_code,
+        state=ca_state,
+        city=ca_city,
+        company=ca_company,
+        email_address=ca_email,
+    )
+    self._writeFile(openssl_configuration, pkg_resources.resource_string(
+      __name__, 'template/openssl.cnf.ca.in') % config)
+    self.path_list.extend(zc.buildout.easy_install.scripts([
+      ('certificate_authority',
+        __name__ + '.certificate_authority', 'runCertificateAuthority')],
+        self.ws, sys.executable, self.wrapper_directory, arguments=[dict(
+          openssl_configuration=openssl_configuration,
+          openssl_binary=self.options['openssl_binary'],
+          certificate=os.path.join(self.ca_dir, 'cacert.pem'),
+          key=os.path.join(self.ca_private, 'cakey.pem'),
+          crl=os.path.join(self.ca_crl),
+          request_dir=self.ca_request_dir
+          )]))
+    # configure backup
+    backup_cron = os.path.join(self.cron_d, 'ca_rdiff_backup')
+    open(backup_cron, 'w').write(
+        '''0 0 * * * %(rdiff_backup)s %(source)s %(destination)s'''%dict(
+          rdiff_backup=self.options['rdiff_backup_binary'],
+          source=self.ca_dir,
+          destination=backup_path))
+    self.path_list.append(backup_cron)
+
+    return dict(
+      ca_certificate=os.path.join(config['ca_dir'], 'cacert.pem'),
+      ca_crl=os.path.join(config['ca_dir'], 'crl'),
+      certificate_authority_path=config['ca_dir']
+    )
   
-    return [kvm_runner_path, controller_runner_path]
+  def requestCertificate(self, name):
+    hash = hashlib.sha512(name).hexdigest()
+    key = os.path.join(self.ca_private, hash + self.ca_key_ext)
+    certificate = os.path.join(self.ca_certs, hash + self.ca_crt_ext)
+    parser = ConfigParser.RawConfigParser()
+    parser.add_section('certificate')
+    parser.set('certificate', 'name', name)
+    parser.set('certificate', 'key_file', key)
+    parser.set('certificate', 'certificate_file', certificate)
+    parser.write(open(os.path.join(self.ca_request_dir, hash), 'w'))
+    return key, certificate
   
+  def installCrond(self):
+    timestamps = self.createDataDirectory('cronstamps')
+    cron_output = os.path.join(self.log_directory, 'cron-output')
+    self._createDirectory(cron_output)
+    catcher = zc.buildout.easy_install.scripts([('catchcron',
+      __name__ + '.catdatefile', 'catdatefile')], self.ws, sys.executable,
+      self.bin_directory, arguments=[cron_output])[0]
+    self.path_list.append(catcher)
+    cron_d = os.path.join(self.etc_directory, 'cron.d')
+    crontabs = os.path.join(self.etc_directory, 'crontabs')
+    self._createDirectory(cron_d)
+    self._createDirectory(crontabs)
+    # Use execute from erp5.
+    wrapper = zc.buildout.easy_install.scripts([('crond',
+      'slapos.recipe.librecipe.execute', 'execute')], self.ws, sys.executable,
+      self.wrapper_directory, arguments=[
+        self.options['dcrond_binary'].strip(), '-s', cron_d, '-c', crontabs,
+        '-t', timestamps, '-f', '-l', '5', '-M', catcher]
+      )[0]
+    self.path_list.append(wrapper)
+    return cron_d

slapos/recipe/kvm/certificate_authority.py

+import os
+import subprocess
+import time
+import ConfigParser
+
+
+def popenCommunicate(command_list, input=None):
+  subprocess_kw = dict(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+  if input is not None:
+    subprocess_kw.update(stdin=subprocess.PIPE)
+  popen = subprocess.Popen(command_list, **subprocess_kw)
+  result = popen.communicate(input)[0]
+  if popen.returncode is None:
+    popen.kill()
+  if popen.returncode != 0:
+    raise ValueError('Issue during calling %r, result was:\n%s' % (
+      command_list, result))
+  return result
+
+
+class CertificateAuthority:
+  def __init__(self, key, certificate, openssl_binary,
+      openssl_configuration, request_dir):
+    self.key = key
+    self.certificate = certificate
+    self.openssl_binary = openssl_binary
+    self.openssl_configuration = openssl_configuration
+    self.request_dir = request_dir
+
+  def checkAuthority(self):
+    file_list = [ self.key, self.certificate ]
+    ca_ready = True
+    for f in file_list:
+      if not os.path.exists(f):
+        ca_ready = False
+        break
+    if ca_ready:
+      return
+    for f in file_list:
+      if os.path.exists(f):
+        os.unlink(f)
+    try:
+      # no CA, let us create new one
+      popenCommunicate([self.openssl_binary, 'req', '-nodes', '-config',
+          self.openssl_configuration, '-new', '-x509', '-extensions',
+          'v3_ca', '-keyout', self.key, '-out', self.certificate,
+          '-days', '10950'], 'Automatic Certificate Authority\n')
+    except:
+      try:
+        for f in file_list:
+          if os.path.exists(f):
+            os.unlink(f)
+      except:
+        # do not raise during cleanup
+        pass
+      raise
+
+  def _checkCertificate(self, common_name, key, certificate):
+    file_list = [key, certificate]
+    ready = True
+    for f in file_list:
+      if not os.path.exists(f):
+        ready = False
+        break
+    if ready:
+      return False
+    for f in file_list:
+      if os.path.exists(f):
+        os.unlink(f)
+    csr = certificate + '.csr'
+    try:
+      popenCommunicate([self.openssl_binary, 'req', '-config',
+        self.openssl_configuration, '-nodes', '-new', '-keyout',
+        key, '-out', csr, '-days', '3650'],
+        common_name + '\n')
+      try:
+        popenCommunicate([self.openssl_binary, 'ca', '-batch', '-config',
+          self.openssl_configuration, '-out', certificate,
+          '-infiles', csr])
+      finally:
+        if os.path.exists(csr):
+          os.unlink(csr)
+    except:
+      try:
+        for f in file_list:
+          if os.path.exists(f):
+            os.unlink(f)
+      except:
+        # do not raise during cleanup
+        pass
+      raise
+    else:
+      return True
+
+  def checkRequestDir(self):
+    for request_file in os.listdir(self.request_dir):
+      parser = ConfigParser.RawConfigParser()
+      parser.readfp(open(os.path.join(self.request_dir, request_file), 'r'))
+      if self._checkCertificate(parser.get('certificate', 'name'),
+          parser.get('certificate', 'key_file'), parser.get('certificate',
+            'certificate_file')):
+        print 'Created certificate %r' % parser.get('certificate', 'name')
+
+def runCertificateAuthority(args):
+  ca_conf = args[0]
+  ca = CertificateAuthority(ca_conf['key'], ca_conf['certificate'],
+      ca_conf['openssl_binary'], ca_conf['openssl_configuration'],
+      ca_conf['request_dir'])
+  while True:
+    ca.checkAuthority()
+    ca.checkRequestDir()
+    time.sleep(60)

slapos/recipe/kvm/template/kvm_controller_run.in

@@ -11,7 +11,7 @@ so = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
 connected = False
 while not connected:
   try:
-    so.connect('%(qmp_socket)s')
+    so.connect('%(socket_path)s')
   except socket.error:
     time.sleep(1)
   else:

slapos/recipe/kvm/template/kvm_run.in

@@ -10,8 +10,8 @@ exec %(qemu_path)s \
   -smp %(smp_count)s \
   -m %(ram_size)s \
   -cdrom nbd:[%(nbd_ip)s]:%(nbd_port)s \
-  -drive file=%(image)s,if=virtio,boot=on \
-  -vnc [%(vnc_ip)s]:1,ipv6,tls,password \
+  -drive file=%(disk_path)s,if=virtio,boot=on \
+  -vnc %(vnc_ip)s:1,ipv4,password \
   -boot menu=on \
-  -qmp unix:%(qmp_socket)s,server \
-  -pidfile %(pid_file)s
+  -qmp unix:%(socket_path)s,server \
+  -pidfile %(pid_file_path)s

slapos/recipe/kvm/template/openssl.cnf.ca.in

+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		  = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file      		  = $ENV::HOME/.oid
+oid_section		    = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions	     	= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= %(working_directory)s		# Where everything is kept
+certs		= $dir/certs			  # Where the issued certs are kept
+crl_dir		= $dir/crl			    # Where the issued crl are kept
+database	= $dir/index.txt		    # database index file.
+#unique_subject	= no			      	       # Set to 'no' to allow creation of
+		      					       	     # several ctificates with same subject.
+new_certs_dir	= $dir/newcerts	       # default place for new certs.
+
+certificate	= $dir/cacert.pem 	       # The CA certificate
+serial		= $dir/serial 	       	 # The current serial number
+crlnumber	= $dir/crlnumber		 # the current crl number
+				       # must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem        # The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	  # private random number file
+
+x509_extensions	= usr_cert		    # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt      = ca_default		# Subject Name options
+cert_opt      = ca_default		  # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days	 = 3650			# how long to certify for
+default_crl_days = 30			      # how long before next CRL
+default_md	 = default		      	# use public key default MD
+preserve	 = no				      # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy	       	      = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName	= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha1
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+#attributes		= req_attributes
+x509_extensions		= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	    : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName				= Country Name (2 letter code)
+countryName_value			= %(country_code)s
+countryName_min				= 2
+countryName_max				= 2
+
+stateOrProvinceName			= State or Province Name (full name)
+stateOrProvinceName_value		= %(state)s
+
+localityName				= Locality Name (eg, city)
+localityName_value			= %(city)s
+
+0.organizationName			= Organization Name (eg, company)
+0.organizationName_value		= %(company)s
+
+# we can do this but it is not needed normally :-)
+#1.organizationName  	= Second Organization Name (eg, company)
+#1.organizationName_default	 = World Wide Web Pty Ltd
+
+commonName	   = Common Name (eg, your name or your server\'s hostname)
+commonName_max	   = 64
+
+emailAddress	   = Email Address
+emailAddress_value = %(email_address)s
+emailAddress_max   = 64
+
+# SET-ex3	   = SET extension number 3
+
+#[ req_attributes ]
+#challengePassword	= A challenge password
+#challengePassword_min	= 4
+#challengePassword_max	= 20
+#
+#unstructuredName	= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType 	    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment      		 = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType 	    = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment      		 = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir	                = /etc/pki/tls  	  # TSA root directory
+serial	                = $dir/tsaserial	  # The current serial number (mandatory)
+crypto_device           = builtin		    # OpenSSL engine to use for signing
+signer_cert             = $dir/tsacert.pem    # The TSA signing certificate
+	      		      	  # (optional)
+certs	                = $dir/cacert.pem	# Certificate chain to include in reply
+		  	      # (optional)
+signer_key              = $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy          = tsa_policy1		  # Policy if request did not specify it
+					    	   # (optional)
+other_policies          = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests	                = md5, sha1  	      # Acceptable message digests (mandatory)
+accuracy                = secs:1, millisecs:500, microsecs:100	   # (optional)
+clock_precision_digits  = 0	    # number of digits after dot. (optional)
+ordering		= yes	    # Is ordering defined for timestamps?
+			  	       # (optional, default: no)
+tsa_name		= yes	    # Must the TSA name be included in the reply?
+			  	      # (optional, default: no)
+ess_cert_id_chain	= no	   # Must the ESS cert id chain be included?
+				     # (optional, default: no)

slapos/recipe/kvm/template/slapmonitor_run.in

 #!/bin/sh
 # BEWARE: This file is operated by slapgrid
 # BEWARE: It will be overwritten automatically
-exec %(python_path)s %(slapmonitor_path)s %(pid_file)s %(database_path)s
+exec %(python_path)s %(slapmonitor_path)s %(pid_file_path)s %(database_path)s