slapos-master: Use ERP5 SR directly

For now the only exception is slapos_configurator only

slapos-master: Use ERP5 SR directly
For now the only exception is slapos_configurator only
3d63cd39 · Rafael Monnerat · 5a70227c · 5a70227c · 5a70227c · 5a70227c
Commit 3d63cd39 authored Feb 06, 2024 by Rafael Monnerat
6 changed files
--- a/software/slapos-master/apache-backend.conf.in
+++ b/software/slapos-master/apache-backend.conf.in
-{# This file configures apache to redirect requests from ports to specific urls.
- # It provides SSL support for server and optionaly for client.
- #
- # All parameters are given through the `parameter_dict` variable, see the
- # list entries :
- #
- #     parameter_dict = {
- #       #  The path given to "PidFile"
- #       "pid-file": "<file_path>",
- #
- #       #  The number given to "TimeOut"
- #       "timeout": 300,
- #
- #       #  The path given to "SSLCertificateFile"
- #       "cert": "<file_path>",
- #
- #       #  The path given to "SSLCertificateKeyFile"
- #       "key": "<file_path>",
- #
- #       #  The value given to "SSLCipherSuite" (can be empty)
- #       "cipher": "",
- #
- #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
- #       "ssl-session-cache": "<folder_path>",
- #
- #       #  The path given to "SSLCACertificateFile" (can be empty)
- #       #  If this value is not empty, it enables client certificate check.
- #       #  (Enabling "SSLVerifyClient require")
- #       "ca-cert": "<file_path>",
- #
- #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
- #       #  empty)
- #       "crl": "<file_path>",
- #
- #       #  The path given to "ErrorLog"
- #       "error-log": "<file_path>",
- #
- #       #  The path given to "AccessLog"
- #       "access-log": "<file_path>",
- #
- #       #  The list of ip which apache will listen to.
- #       "ip-list": [
- #         "0.0.0.0",
- #         "[::1]",
- #       ],
- #
- #       #  The list of backends which apache should redirect to.
- #       "backend-list": [
- #         # (port, unused, internal_scheme, enable_authentication)
- #         (8000, _, "http://10.0.0.10:8001", True),
- #         (8002, _, "http://10.0.0.10:8003", False),
- #       ],
- #
- #       # The mapping of zope paths this apache should redirect to.
- #       # This is a Zope specific feature.
- #       # `enable_authentication` has same meaning as for `backend-list`.
- #       "zope-virtualhost-monster-backend-dict": {
- #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_scheme ) }, ) }
- #          ('[::1]', 8004): (
- #            True, {
- #              'zope-1': 'http://10.0.0.10:8001',
- #              'zope-2': 'http://10.0.0.10:8002',
- #            },
- #          ),
- #        },
- #     }
- #
- #  This sample of `parameter_dict` will make apache listening to :
- #  From to `backend-list`:
- #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
- #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
- #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
- #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
- #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
- #  accepting requests from any client.
- #
- # From zope-virtualhost-monster-backend-dict`:
- #   - [::1]:8004 with some path based rewrite-rules redirecting to:
- #     * http://10.0.0.10/8001 when path matches /zope-1(.*)
- #     * http://10.0.0.10/8002 when path matches /zope-2(.*)
- #   with some VirtualHostMonster rewrite rules so zope writes URLs with
- #  [::1]:8004 as server name.
- #  For more details, refer to
- #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
-LoadModule unixd_module modules/mod_unixd.so
-LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule authz_core_module modules/mod_authz_core.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule version_module modules/mod_version.so
-LoadModule proxy_module modules/mod_proxy.so
-LoadModule proxy_http_module modules/mod_proxy_http.so
-LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-LoadModule ssl_module modules/mod_ssl.so
-LoadModule mime_module modules/mod_mime.so
-LoadModule dav_module modules/mod_dav.so
-LoadModule dav_fs_module modules/mod_dav_fs.so
-LoadModule negotiation_module modules/mod_negotiation.so
-LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule headers_module modules/mod_headers.so
-LoadModule deflate_module modules/mod_deflate.so
-LoadModule filter_module modules/mod_filter.so
-
-AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
-
-PidFile "{{ parameter_dict['pid-file'] }}"
-ServerAdmin admin@
-TypesConfig conf/mime.types
-AddType application/x-compress .Z
-AddType application/x-gzip .gz .tgz
-
-ServerTokens Prod
-ServerSignature Off
-TraceEnable Off
-
-TimeOut {{ parameter_dict['timeout'] }}
-
-SSLCertificateFile {{ parameter_dict['cert'] }}
-SSLCertificateKeyFile {{ parameter_dict['key'] }}
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-SSLProtocol all -SSLv2 -SSLv3
-SSLHonorCipherOrder on
-{% if parameter_dict['cipher'] -%}
-SSLCipherSuite {{ parameter_dict['cipher'] }}
-{% else %}
-SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-{%- endif %}
-SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
-SSLProxyEngine On
-
-# As backend is trusting Remote-User header unset it always
-RequestHeader unset Remote-User
-{% if parameter_dict['ca-cert'] -%}
-SSLVerifyClient optional
-RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-{%   if not parameter_dict['shared-ca-cert'] %}
-{%     if parameter_dict['crl'] -%}
-SSLCARevocationCheck chain
-SSLCARevocationFile {{ parameter_dict['crl'] }}
-{%-     endif %}
-{%-   endif %}
-{%- endif %}
-
-ErrorLog "{{ parameter_dict['error-log'] }}"
-# Default apache log format with request time in microsecond at the end
-LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
-CustomLog "{{ parameter_dict['access-log'] }}" combined
-
-<Directory />
-  Options FollowSymLinks
-  AllowOverride None
-  Allow from all
-</Directory>
-
-RewriteEngine On
-{% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%}
-{%   for ip in parameter_dict['ip-list'] -%}
-Listen {{ ip }}:{{ port }}
-{%   endfor -%}
-<VirtualHost *:{{ port }}>
-  SSLEngine on
-{% if enable_authentication and parameter_dict['shared-ca-cert'] -%}
-  SSLVerifyClient require
-  # Custom block we use for now different parameters.
-  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
-{% if 'shared-crl' in parameter_dict -%}
-  SSLCARevocationCheck chain
-  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
-{% endif -%}
-
-  LogFormat "%h %l %{Remote-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" service
-
-  # We would like to separate the the authentificated logs.
-  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log"
-  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" service
-{% endif -%}
-  RewriteRule ^/(.*) {{ backend }}/$1 [L,P]
-</VirtualHost>
-{% endfor -%}
-
-
-{% for (ip, port), (enable_authentication, path_mapping) in parameter_dict.get('zope-virtualhost-monster-backend-dict', {}).items() -%}
-Listen {{ ip }}:{{ port }}
-<VirtualHost {{ ip }}:{{ port }}>
-  SSLEngine on
-  Timeout 3600
-{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
-  SSLVerifyClient require
-  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
-  SSLCARevocationCheck chain
-  SSLCARevocationFile {{ parameter_dict['crl'] }}
-
-  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
-
-  # We would like to separate the the authentificated logs.
-  # XXX filename ? is it log-rotated ?
-  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-error.log"
-  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-access.log" combined
-{%   endif -%}
-
-{%   for path, backend in path_mapping.items() %}
-  RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P]
-{%   endfor -%}
-</VirtualHost>
-{% endfor -%}
--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
-# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
-# The only allowed lines here are (regexes):
-# - "^#" comments, copied verbatim
-# - "^[" section beginings, copied verbatim
-# - lines containing an "=" sign which must fit in the following categorie.
-#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
-#     Copied verbatim.
-#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
-#     by the re-generation script.
-#     Re-generated.
-# - other lines are copied verbatim
-# Substitution (${...:...}), extension ([buildout] extends = ...) and
-# section inheritance (< = ...) are NOT supported (but you should really
-# not need these here).
-[template-erp5]
-filename = instance-erp5.cfg.in
-md5sum = 38eab3283d175230231c998fa4a3416e
-
-[template-balancer]
-filename = instance-balancer.cfg.in
-md5sum = 88e15a803df4aa35285e59ae9186438a
-
-[template-apache-backend-conf]
-filename = apache-backend.conf.in
-md5sum = aa11283ca8b80a91b508732cd3443f7b
-
-[template-haproxy-cfg]
-filename = haproxy.cfg.in
-md5sum = fec6a312e4ef84b02837742992aaf495
--- a/software/slapos-master/haproxy.cfg.in
+++ b/software/slapos-master/haproxy.cfg.in
-{% set server_check_path = parameter_dict['server-check-path'] -%}
-global
-  maxconn 4096
-  stats socket {{ parameter_dict['socket-path'] }} level admin
-
-defaults
-  mode http
-  retries 1
-  option redispatch
-  maxconn 2000
-  cookie SERVERID rewrite
-  balance roundrobin
-  stats uri /haproxy
-  stats realm Global\ statistics
-  # it is useless to have timeout much bigger than the one of apache.
-  # By default apache use 300s, so we set slightly more in order to
-  # make sure that apache will first stop the connection.
-  timeout server 305s
-  # Stop waiting in queue for a zope to become available.
-  # If no zope can be reached after one minute, consider the request will
-  # never succeed.
-  timeout queue 60s
-  # The connection should be immediate on LAN,
-  # so we should not set more than 5 seconds, and it could be already too much
-  timeout connect 5s
-  # As requested in haproxy doc, make this "at least equal to timeout server".
-  timeout client 305s
-  # Use "option httpclose" to not preserve client & server persistent connections
-  # while handling every incoming request individually, dispatching them one after
-  # another to servers, in HTTP close mode. This is really needed when haproxy
-  # is configured with maxconn to 1, without this option browsers are unable
-  # to render a page
-  option httpclose
-
-{% for name, (port, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
-listen {{ name }}
-  bind {{ parameter_dict['ip'] }}:{{ port }}
-  http-request set-header X-Balancer-Current-Cookie SERVERID
-{%   set has_webdav = [] -%}
-{%   for address, connection_count, webdav in backend_list -%}
-{%     if webdav %}{% do has_webdav.append(None) %}{% endif -%}
-{%     set server_name = name ~ '-' ~ loop.index0 -%}
-  server {{ server_name }} {{ address }} cookie {{ server_name }} check inter 3s rise 1 fall 2 maxqueue 5 maxconn {{ connection_count }}
-{%   endfor -%}
-{%-  if not has_webdav and server_check_path %}
-  option httpchk GET {{ server_check_path }}
-{%   endif -%}
-{% endfor %}
--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
--- a/software/slapos-master/instance-erp5.cfg.in
+++ b/software/slapos-master/instance-erp5.cfg.in
--- a/software/slapos-master/software.cfg
+++ b/software/slapos-master/software.cfg
 [buildout]
 extends =
  ../../software/wendelin/software.cfg
-  buildout.hash.cfg

 [erp5-defaults]
 wcfs-enable-default = true
@@ -39,26 +38,6 @@ extra-paths +=
  ${vifib:location}/master
  ${slapos-bin:location}

-
-### Overwrite recipes to introduce customized changes
-[download-base-part]
-recipe = slapos.recipe.build:download
-url = ${:_profile_base_location_}/${:filename}
-
-[template-erp5]
-< = download-base-part
-filename = instance-erp5.cfg.in
-
-[template-balancer]
-< = download-base-part
-filename = instance-balancer.cfg.in
-
-[template-apache-backend-conf]
-url = ${:_profile_base_location_}/${:filename}
-
-[template-haproxy-cfg]
-url = ${:_profile_base_location_}/${:filename}
-
 [versions]
 python-memcached = 1.47
 xml-marshaller = 1.0.2