Metabase 0.41.2

Update metabase and fix a few minor problems, mostly: - use proper passwords for keystore and for postgresql - use Eclipse Temurin JRE, where the SSH tunnels work See merge request nexedi/slapos!1077

Metabase 0.41.2
Update metabase and fix a few minor problems, mostly: - use proper passwords for keystore and for postgresql - use Eclipse Temurin JRE, where the SSH tunnels work See merge request nexedi/slapos!1077
e870252f · Jérome Perrin · 14d90bcd · f2eb74db · e870252f · e870252f
Commit e870252f authored Nov 16, 2021 by Jérome Perrin
6 changed files
--- a/component/java/buildout.cfg
+++ b/component/java/buildout.cfg
 [buildout]
-
+extends =
+  ../coreutils/buildout.cfg
+  ../patchelf/buildout.cfg
+  ../alsa/buildout.cfg
+  ../libpng/buildout.cfg
+  ../freetype/buildout.cfg
+  ../fontconfig/buildout.cfg
+  ../xorg/buildout.cfg
+  ../zlib/buildout.cfg
 parts =
  java

@@ -9,12 +17,12 @@ parts =
 [java-re]
 <= java-re-7

-[java-common]
+[java-sun-common]
 recipe = slapos.recipe.build:download-unpacked
-url = http://javadl.sun.com/webapps/download/AutoDL?BundleId=${:bundle-id}
+url = https://javadl.sun.com/webapps/download/AutoDL?BundleId=${:bundle-id}

 [java-re-7]
-<= java-common
+<= java-sun-common
 # http://java.com/en/download/manual_java7.jsp

 [java-re-7:linux and platform.machine() == 'i686']
@@ -26,7 +34,7 @@ bundle-id = 97800
 md5sum = 7605134662f6c87131eca5745895fe84

 [java-re-8]
-<= java-common
+<= java-sun-common
 # https://www.java.com/en/download/manual.jsp
 # Update 161

@@ -45,3 +53,25 @@ stop-on-error = true
 update-command = ${:command}
 command = ${coreutils-output:test} -x ${:keytool}
 keytool = ${java-re-8:location}/bin/keytool
+
+
+[java-re-temurin-11]
+recipe = slapos.recipe.build
+update =
+  from zc.buildout import UserError
+  raise UserError("unsupported platform")
+
+[java-re-temurin-11:linux and platform.machine() == 'x86_64']
+recipe = slapos.recipe.cmmi
+shared = true
+url = https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.13%2B8/OpenJDK11U-jre_x64_linux_hotspot_11.0.13_8.tar.gz
+md5sum = 1b06100bcd0923d3f3279c2f09773af0
+configure-command = :
+make-binary = :
+post-install =
+  mv * %(location)s
+  for file in %(location)s/bin/* %(location)s/lib/*.so %(location)s/lib/*/*.so ; do
+    echo appending rpath to $file
+    ${patchelf:location}/bin/patchelf --set-rpath %(rpath)s $file
+  done
+rpath = ${alsa:location}/lib:${freetype:location}/lib:${fontconfig:location}/lib:${libpng:location}/lib:${libXrender:location}/lib:${libXtst:location}/lib:${libX11:location}/lib:${libXau:location}/lib:${libXext:location}/lib:${libXdmcp:location}/lib:${libXi:location}/lib:${libxcb:location}/lib:${zlib:location}/lib:@@LOCATION@@/lib:@@LOCATION@@/lib/server:@@LOCATION@@/lib/jli
--- a/software/metabase/README.md
+++ b/software/metabase/README.md
-# Metabae
+# Metabase

 https://www.metabase.com/

 ## TODO:
 * export backups for resilience
- * security (proper passwords, verifiable certificate, study metabase encryption option)
+ * security (verifiable certificate, study metabase encryption option)
--- a/software/metabase/buildout.hash.cfg
+++ b/software/metabase/buildout.hash.cfg
 [instance-profile]
 filename = instance.cfg.in
-md5sum = 143f46b125389f39905226ec9482ce2a
+md5sum = 5f2f7c4c2f793d609ad3c4fa0aa2f8a5
--- a/software/metabase/instance.cfg.in
+++ b/software/metabase/instance.cfg.in
@@ -7,10 +7,28 @@ eggs-directory = ${buildout:eggs-directory}
 develop-eggs-directory = ${buildout:develop-eggs-directory}
 offline = true

+[fontconfig-conf]
+recipe = slapos.recipe.template:jinja2
+template = ${template-fonts-conf:output}
+rendered = $${directory:etc}/fonts.conf
+context =
+    key cachedir directory:fontconfig-cache
+    key fonts :fonts
+    key includes :includes
+fonts =
+    ${android-fonts:location}
+    ${dejavu-fonts:location}
+    ${ipa-fonts:location}
+    ${ipaex-fonts:location}
+    ${liberation-fonts:location}
+    ${ocrb-fonts:location}
+includes =
+    ${fontconfig:location}/etc/fonts/conf.d
+
 [metabase-instance]
 recipe = slapos.cookbook:wrapper
 wrapper-path = $${directory:service}/$${:_buildout_section_name_}
-command-line = sh -c "cd $${directory:srv-metabase}; ${java-re-8:location}/bin/java $JAVA_ARGS -jar ${metabase.jar:location}/metabase.jar"
+command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $JAVA_ARGS -jar ${metabase.jar:location}/metabase.jar"
 # https://www.metabase.com/docs/latest/operations-guide/customizing-jetty-webserver.html
 # note that we set org.quartz.scheduler.instanceId through $JAVA_ARGS as a workaround for machines
 # which cannot resolve their hostnames. See also https://github.com/metabase/metabase/issues/8373
@@ -28,7 +46,8 @@ environment =
  MB_DB_USER=$${postgresql:superuser}
  MB_DB_PASS=$${postgresql:password}
  MB_DB_HOST=$${postgresql:ipv4}
-  JAVA_ARGS=-Dorg.quartz.scheduler.instanceId=$${slap-connection:computer-id}.$${slap-connection:partition-id}
+  FONTCONFIG_FILE=$${fontconfig-conf:rendered}
+  JAVA_ARGS=-Dorg.quartz.scheduler.instanceId=$${slap-connection:computer-id}.$${slap-connection:partition-id} -Djava.io.tmpdir="$${directory:tmp}"
 hash-existing-files =
  $${buildout:directory}/software_release/buildout.cfg

@@ -49,19 +68,56 @@ promise = check_url_available
 name = $${:_buildout_section_name_}.py
 config-url= $${metabase-instance:url}/api/session/properties

+[metabase-keystore-password]
+recipe = slapos.cookbook:generate.password
+bytes = 24
+
 [metabase-keystore]
 recipe = plone.recipe.command
+stop-on-error = true
 command =
-  ${java-re-8-output:keytool} \
-    -genkeypair \
-    -alias "metabase" \
-    -keyalg RSA \
-    -keypass "$${:password}" \
-    -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-    -keystore "$${:file}" \
-    -storepass "$${:password}"
+  if [ -f $${:file} ]
+  then
+    # XXX password used to be "insecure", but we changed to proper password.
+    # We try to list the store with the new password and if it fail we change
+    # the keystore password.
+    if ! ${java:location}/bin/keytool \
+      -list \
+      -keystore "$${:file}" \
+      -storepass "$${:password}"
+    then
+      echo "Migrating keystore password" && \
+      ${java:location}/bin/keytool \
+        -storepasswd \
+        -keystore "$${:file}" \
+        -storepass insecure \
+        -new "$${:password}" && \
+      echo "Migrating certificate key password" && \
+      ${java:location}/bin/keytool \
+        -keypasswd \
+        -alias "$${:alias}" \
+        -keypass insecure \
+        -new "$${:password}" \
+        -keystore "$${:file}" \
+        -storepass "$${:password}"
+    fi
+  else
+    ${java:location}/bin/keytool \
+      -genkeypair \
+      -alias "$${:alias}" \
+      -keyalg RSA \
+      -keypass "$${:password}" \
+      -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
+      -keystore "$${:file}" \
+      -storepass "$${:password}"
+  fi
 file = $${directory:etc}/.metabase_keystore
-password = insecure
+password = $${metabase-keystore-password:passwd}
+alias = metabase
+
+[postgresql-password]
+recipe = slapos.cookbook:generate.password
+bytes = 24

 [postgresql]
 recipe = slapos.cookbook:postgres
@@ -69,7 +125,7 @@ bin = ${postgresql10:location}/bin/
 services = $${directory:service}
 dbname  = metabase_db
 superuser = metabase-psql
-password = insecure
+password = $${postgresql-password:passwd}
 pgdata-directory = $${directory:srv}/postgresql

 ipv4 = $${instance-parameter:ipv4-random}
@@ -125,7 +181,7 @@ wrapper-path = $${directory:bin}/$${:_buildout_section_name_}
 command-line =
  sh -e -c "\
    echo 'This will replace current database with latest backup. Hit Ctrl+C to cancel';
-    sleep 5;
+    sleep 30;
    $${postgresql:bin}/pg_restore \
        --exit-on-error \
        -h $${postgresql:pgdata-directory} \
@@ -176,7 +232,7 @@ tmp = $${buildout:directory}/tmp
 service = $${:etc}/service
 srv-metabase = $${:srv}/metabase
 srv-backup = $${:srv}/backup
-
+fontconfig-cache = $${buildout:directory}/.fontconfig

 [publish-connection-parameter]
 recipe = slapos.cookbook:publish

--- a/software/metabase/software.cfg
+++ b/software/metabase/software.cfg
 [buildout]
 extends =
    ../../component/defaults.cfg
+    ../../component/fontconfig/buildout.cfg
+    ../../component/fonts/buildout.cfg
    ../../component/java/buildout.cfg
    ../../component/postgresql/buildout.cfg
    ../../component/dcron/buildout.cfg
@@ -15,10 +17,13 @@ parts =
 [python]
 part = python3

+[java]
+<= java-re-temurin-11
+
 [metabase.jar]
 recipe = slapos.recipe.build:download
-url = https://downloads.metabase.com/v0.38.3/metabase.jar
-md5sum = b91e4b9ae13c892894fec8bab2fd195f
+url = https://downloads.metabase.com/v0.41.2/metabase.jar
+md5sum = 630068d1ccbdc95556931fe9cfc12e61

 [instance-profile]
 recipe = slapos.recipe.template

--- a/software/metabase/test/test.py
+++ b/software/metabase/test/test.py
@@ -85,7 +85,7 @@ class TestMetabaseSetup(MetabaseTestCase):
            "username": email,
            "password": "wrong"
        })
-    self.assertEqual(requests.codes.bad_request, resp.status_code)
+    self.assertEqual(resp.status_code, requests.codes.unauthorized)

    session = requests.post(
        parse.urljoin(url, '/api/session'),