Commit bd1399d3 authored by Rafael Monnerat's avatar Rafael Monnerat

Update Release Candidate

parents d4173404 07d64efb
......@@ -59,8 +59,8 @@ KVM instance parameters:
For port forwarding to IPv6 of slapos partition
- use-nat (default: True)
Add one interface using qemu User Network (NAT), this interface support nat-rules.
- use-tap (default: False)
Add One interface that use tap interface
- use-tap (default: True)
Add one interface that uses tap interface from the host
- enable-vhost (default: False)
Increase network speed by enabling vhost on qemu. (To use if the module is loaded on host machine)
......
......@@ -19,7 +19,7 @@ md5sum = 028b6a6456d744c11b1bb2c51ecd51b2
[template-kvm]
filename = instance-kvm.cfg.jinja2
md5sum = c51026e815ca43b5de5ddc6cbd8bf1e2
md5sum = c298aaa20a368ddc118b8bb22dc84dc3
[template-kvm-cluster]
filename = instance-kvm-cluster.cfg.jinja2.in
......
......@@ -266,9 +266,9 @@
},
"use-tap": {
"title": "Use QEMU TAP network interface",
"description": "Use QEMU TAP network interface, might require a bridge on SlapOS Node.",
"description": "Use QEMU TAP network interface, requires taps creation on SlapOS Node.",
"type": "boolean",
"default": false
"default": true
},
"use-nat": {
"title": "Use QEMU USER Mode interface (NAT)",
......@@ -278,7 +278,7 @@
},
"nat-rules": {
"title": "List of rules for NAT of QEMU user mode network stack.",
"description": "List of rules for NAT of QEMU user mode network stack, as space-separated list of ports (with optional protocol). For each port specified, it will redirect port x of the VM (example: \"80 udp:53\") to the port x + 10000 of the public IPv6 of the host (example: \"10080 udp:10053\"). Ignored if \"use-tap\" parameter is enabled.",
"description": "List of rules for NAT of QEMU user mode network stack, as space-separated list of ports (with optional protocol). For each port specified, it will redirect port x of the VM (example: \"80 udp:53\") to the port x + 10000 of the public IPv6 of the host (example: \"10080 udp:10053\").",
"type": "string",
"default": "22 80 443"
},
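Review bot: The `use-tap` default becomes `true` here while `use-nat` stays true by default and the sentence `Ignored if "use-tap" parameter is enabled` is dropped from `nat-rules`, so an instance that sets neither parameter now gets a TAP interface as well as the NAT forwards for the default `22 80 443`. That widens the default network attachment, presumably also for existing instances the next time they are processed, and neither description says so. I would have the `use-tap` description state that the TAP interface is added alongside the NAT interface when `use-nat` is enabled, and have `nat-rules` state that the rules apply regardless of `use-tap`. The same default is repeated in the Jinja line `slapparameter_dict.get('use-tap', 'True')` and in `use-tap = True` in the sections that follow. What happens on a node where no tap has been created is not visible from these hunks.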
......
{% set enable_http = slapparameter_dict.get('enable-http-server', 'False').lower() -%}
{% set use_tap = slapparameter_dict.get('use-tap', 'False').lower() -%}
{% set use_tap = slapparameter_dict.get('use-tap', 'True').lower() -%}
{% set use_nat = slapparameter_dict.get('use-nat', 'True').lower() -%}
{% set wipe_disk = slapparameter_dict.get('wipe-disk-ondestroy', 'False').lower() -%}
{% set nat_restrict = slapparameter_dict.get('nat-restrict-mode', 'False').lower() -%}
......@@ -677,7 +677,7 @@ cpu-model = host
nat-rules = 22 80 443
use-nat = True
use-tap = False
use-tap = True
nat-restrict-mode = False
enable-vhost = False
......
......@@ -18,7 +18,7 @@ md5sum = edf81a602137858cd5835c050ac6e08c
[template-balancer]
filename = instance-balancer.cfg.in
md5sum = 356cb73670ea4599ad608b29fb86b278
md5sum = 1a6a00153441d6a8e7ff9d27039e541e
[template-apache-backend-conf]
filename = apache-backend.conf.in
......
......@@ -27,10 +27,10 @@ mode = 644
updater_path='${directory:services-on-watch}/caucase-updater',
url=ssl_parameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater',
crt_path='${apache-conf-ssl:cert}',
crt_path='${apache-conf-ssl:caucase-cert}',
ca_path='${apache-conf-ssl:ca-cert}',
crl_path='${apache-conf-ssl:crl}',
key_path='${apache-conf-ssl:key}',
key_path='${apache-conf-ssl:caucase-key}',
on_renew='${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
template_csr_pem=ssl_parameter_dict.get('csr'),
......@@ -119,9 +119,25 @@ hash-files = ${haproxy-cfg:rendered}
[apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem
ca-cert = ${directory:apache-conf}/ca.crt
crl = ${directory:apache-conf}/crl.pem
[apache-ssl]
{% if ssl_parameter_dict.get('key') -%}
key = ${apache-ssl-key:rendered}
cert = ${apache-ssl-cert:rendered}
{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
{% else %}
recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert}
{%- endif %}
[apache-conf-parameter-dict]
backend-list = {{ dumps(apache_dict.values()) }}
zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
......@@ -133,8 +149,8 @@ access-log = ${directory:log}/apache-access.log
# Apache 2.4's default value (60 seconds) can be a bit too short
timeout = 300
# Basic SSL server configuration
cert = ${apache-conf-ssl:cert}
key = ${apache-conf-ssl:key}
cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
# Client x509 auth
......@@ -218,6 +234,7 @@ services-on-watch = ${:etc}/service
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
srv = ${buildout:directory}/srv
ca-dir = ${buildout:directory}/srv/ssl
requests = ${:ca-dir}/requests
private = ${:ca-dir}/private
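Review bot: In the `{% else %}` branch of the new `[apache-ssl]` section, `-newkey rsa` leaves the key size to whatever the bundled OpenSSL or its configuration defaults to; pin it with `-newkey rsa:2048` or larger so the fallback certificate does not depend on the build. The `-nodes` key is written unencrypted to `${apache-conf-ssl:key}` and nothing visible restricts its file mode, so a restrictive umask or a `chmod 600` after generation would be worth adding to the command. In the other branch the user-supplied key is written through `simplefile`, whose definition is outside these hunks; the `mode = 644` in the first hunk header's context suggests it may render the private key world-readable, which should be confirmed. The second balancer template section further down carries the identical `[apache-ssl]` hunk and has the same points.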
......
......@@ -66,7 +66,7 @@ md5sum = 0969fbb25b05c02ef3c2d437b2f4e1a0
[template]
filename = instance.cfg.in
md5sum = a2423975b29ab023f64ce257d097e286
md5sum = 9009939093730fb8219cbe7092dda9ab
[monitor-template-dummy]
filename = dummy.cfg
......@@ -86,7 +86,7 @@ md5sum = 3a6c7dec898abc7d1506957154ef566e
[template-balancer]
filename = instance-balancer.cfg.in
md5sum = 7fcedcacb0558e770cbb1c1d63322ea4
md5sum = a2f795e5ed9537951ee70114111930b0
[template-haproxy-cfg]
filename = haproxy.cfg.in
......
......@@ -26,10 +26,10 @@ mode = 644
updater_path='${directory:services-on-watch}/caucase-updater',
url=ssl_parameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater',
crt_path='${apache-conf-ssl:cert}',
crt_path='${apache-conf-ssl:caucase-cert}',
ca_path='${apache-conf-ssl:ca-cert}',
crl_path='${apache-conf-ssl:crl}',
key_path='${apache-conf-ssl:key}',
key_path='${apache-conf-ssl:caucase-key}',
on_renew='${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
template_csr_pem=ssl_parameter_dict.get('csr'),
......@@ -118,9 +118,25 @@ hash-files = ${haproxy-cfg:rendered}
[apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem
ca-cert = ${directory:apache-conf}/ca.crt
crl = ${directory:apache-conf}/crl.pem
[apache-ssl]
{% if ssl_parameter_dict.get('key') -%}
key = ${apache-ssl-key:rendered}
cert = ${apache-ssl-cert:rendered}
{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
{% else %}
recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert}
{%- endif %}
[apache-conf-parameter-dict]
backend-list = {{ dumps(apache_dict.values()) }}
zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
......@@ -132,8 +148,8 @@ access-log = ${directory:log}/apache-access.log
# Apache 2.4's default value (60 seconds) can be a bit too short
timeout = 300
# Basic SSL server configuration
cert = ${apache-conf-ssl:cert}
key = ${apache-conf-ssl:key}
cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
# Client x509 auth
......
......@@ -163,10 +163,10 @@ filename = instance-mariadb.cfg
extra-context =
section parameter_dict dynamic-template-mariadb-parameters
# Keep cloudooo section for backward compatibility
# Keep a section for backward compatibility for removed types
# Once the section is removed, ghost instances will keep failing until
# garbage collection be implemented.
[dynamic-template-cloudooo-legacy]
[dynamic-template-legacy]
recipe = collective.recipe.template
input = inline:[buildout]
eggs-directory = ${buildout:eggs-directory}
......@@ -174,7 +174,7 @@ input = inline:[buildout]
offline = true
parts =
output = ${directory:directory/instance-cloudoo-legacy.cfg
output = ${directory:directory/instance-legacy.cfg
mode = 644
# we need this value to be present in a section,
......@@ -202,4 +202,5 @@ zope = dynamic-template-zope:rendered
jupyter = dynamic-template-jupyter:rendered
# Keep cloudooo backward compatibility
cloudooo = dynamic-template-cloudooo-legacy:output
cloudooo = dynamic-template-legacy:output
caucase = dynamic-template-legacy:output
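Review bot: The renamed `output = ${directory:directory/instance-legacy.cfg` line still has an unterminated `${` reference. The closing brace is missing after the option name, so the path is unlikely to expand as intended; presumably it should read `output = ${directory:directory}/instance-legacy.cfg`, assuming `directory:directory` is a real option in this file. The old line had the same problem, so the rename is a good moment to fix it, since both `cloudooo` and `caucase` now resolve to this one output. The comment `# Keep cloudooo backward compatibility` above the mapping could also become `# Keep removed software types (cloudooo, caucase) resolvable for ghost instances`.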