- 13 Mar, 2019 2 commits
-
-
Łukasz Nowak authored
Use KeDiFa to store keys, and transmit the url to the requester for master and slave partitions. Download keys on the slave partitions level. Use caucase to fetch main caucase CA. kedifa-caucase-url is published in order to have access to it. Note: caucase is prepended with kedifa, as this is that one. Use kedifa-csr tool to generate CSR and use caucase-updater macro. Switch to KeDiFa with SSL Auth and updated goodies. KeDiFa endpoint URLs are randomised. Only one (first) user certificate is going to be automatically accepted. This one shall be operated by the cluster owner, the requester of frontend master partition. Then he will be able to sign certificates for other users and also for services - so each node in the cluster. Special trick from https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line is used for one command generation of extensions in the certificate. Note: We could upgrade to openssl 1.1.1 in order to have it really simplified (see https://security.stackexchange.com/a/183973 ) Improve CSR readability by creating cluster-identification, which is master partition title, and use it as Organization of the CSR. Reserve slots for data exchange in KeDiFa.
-
Łukasz Nowak authored
-
- 07 Dec, 2018 1 commit
-
-
Łukasz Nowak authored
-
- 03 Dec, 2018 2 commits
-
-
Łukasz Nowak authored
Validate only if interesting files are changed. Simplify validation and graceful scripts, have one template for all cases. Avoid needless repetition. Note: There is a limit of arguments to be passed to commands, see https://www.in-ulm.de/~mascheck/various/argmax/, but we are safe for now:

    $ getconf ARG_MAX
    2097152

So we are keeping shell expansion instead of playing with find or other tools.
-
Łukasz Nowak authored
-
- 12 Sep, 2018 1 commit
-
-
Łukasz Nowak authored
Even if the master partition owner authorises a given slave for custom configuration, reject this slave if it does not pass validation for the snippet.
-
- 06 Sep, 2018 1 commit
-
-
Łukasz Nowak authored
Create caddyprofiledeps egg with dummy noop recipe. Thanks to setting dependencies of this egg and enabling it on the instance profile, buildout will install eggs during software run and activate them during instance run. No existing egg (like slapos.cookbook) is used, as this technique is to allow profile/software release developer to choose required eggs used during instantiation. Another approach would be to add dependency for validators in slapos.recipe.template (in install_requires).
-
- 31 Jul, 2018 2 commits
-
-
Łukasz Nowak authored
-
Łukasz Nowak authored
Features:
* jinja2 is used to generate instance templates
* downloads are done the same way for all resources
* create with shared content for all instance profiles
* fill in instance-common with shared sections
* render templates late in order to ease its extension and development
* drop not needed duplicated section
* drop slap-parameter in frontend and replicate template
* simplify monitor configuration
* move instance-parameter to instance file

Thanks to this only one and topmost profile is responsible for parsing and passing through the information which comes from the network
-
- 27 Jul, 2018 1 commit
-
-
Łukasz Nowak authored
The backend url can come from request in `url` and `https-url` strings. It is validated using real caddy template configuration and by using caddy's `-stdin`. It results with calling it on each slave having any of those parameters.
-
- 28 Jun, 2018 5 commits
-
-
Łukasz Nowak authored
Those kept are backward compatibility variables from the request.
-
Łukasz Nowak authored
Caddy is able to bind only to all or one interface (https://github.com/mholt/caddy/issues/864). By using 6tunnel this limitation is worked around, and as a result it listens on IPv6. Also drop needless "ipv6" keys across configuration.
-
Łukasz Nowak authored
Features:
* shared place for Caddy configuration
* gather a lot of parameters for caddy executable, as, unlike Apache, Caddy is configured from command line
* dummy vhost for example.org
* challenges (ACME SSL) are disabled
* bind to interfaces are done per site
* cache access is dummy, but working
* /server-status redone in Caddy style
* antiloris dropped, as this is apache specific
* apache_custom_http and apache_custom_https
* dropped not needed leftover access-control-string and protected-path
* nginx replacement added
* bin/caddy-wrapper is provided in order to allow parameterization of caddy over the network
* access to log files over http is provided
* username on log access is consistent, it is not uppercased like it was originally on apache-frontend
* list of TODOs in TODO.rst
-
Łukasz Nowak authored
-
Łukasz Nowak authored
This will make it easier to track changes.
-
- 02 Jun, 2017 1 commit
-
-
Rafael Monnerat authored
Wait for 60 to reload apache configuration in order to accumulate several logrotate runs. If the amount of slaves are too high, the number of logs are high, so the entries on logrotate are also high. So it is enough to DDoS with a huge amount of 'kill -1', so delay is the only way to avoid to re-implement logrotate existing features. Only reload the apache configuration if the apache configuration or the certificates contains a change, else don't reload it. Keep a command on bin folder to force reload of configuration in case it is required.
-
- 24 Mar, 2017 2 commits
-
-
Rafael Monnerat authored
-
Rafael Monnerat authored
-
- 10 Mar, 2017 1 commit
-
-
Kazuhiko Shiozaki authored
-
- 01 Mar, 2017 1 commit
-
-
Cédric Le Ninivin authored
If not so, trafficserver configuration is removed and then replaced on every slapos node instance call making traffic server unstable
-
- 28 Feb, 2017 2 commits
-
-
Cédric Le Ninivin authored
-
Cédric Le Ninivin authored
-
- 25 Nov, 2016 2 commits
-
-
Rafael Monnerat authored
-
Rafael Monnerat authored
-
- 22 Nov, 2016 7 commits
-
-
Rafael Monnerat authored
Introduce NGINX on the same partition of apache to handle websocket and eventsource types. The NGINX will run on another port and it would require a second ip at the machine to enable it. This configuration is a working version with fully https support, but some additional adjustments might be required.
-
Rafael Monnerat authored
Use a single apache server to handle cache and normal apache configurations. With trafficserver, the access would follow the model:

    Apache > Traffic Server > Apache 'Cache' > Backend

Now the configuration changed to:

    Apache > Traffic Server > Apache (same as before) > Backend

This simplifies the amount of apache processes to manage on the frontend.
-
Rafael Monnerat authored
-
Rafael Monnerat authored
Reduce a bit the number of sections also for create directories.
Move all 'set's and 'do's to earliest as possible, to keep buildout syntax more evident.
Drop duplicated logics and 'if's reducing general code.
-
Rafael Monnerat authored
-
Rafael Monnerat authored
-
Rafael Monnerat authored
-
- 28 Oct, 2016 1 commit
-
-
Rafael Monnerat authored
-
- 26 Oct, 2016 1 commit
-
-
Rafael Monnerat authored
-
- 25 Oct, 2016 3 commits
-
-
Rafael Monnerat authored
-
Rafael Monnerat authored
Use 2 different ports on apache for cached slaves, to differ http and https accesses. Introduce the parameter https-url (with fallback to url) to include specific https urls, if they are different from url. Include /HTTPS/ mapping to traffic server to differ the backends based on the input.
-
Rafael Monnerat authored
Not all frontend clusters setup uses the same re6stnet network.
-
- 24 Oct, 2016 1 commit
-
-
Rafael Monnerat authored
The promise returns too much data into the PIPE, if it is the case, it makes the promise much much slower, causing constant timeout
-
- 19 Oct, 2016 1 commit
-
-
Rafael Monnerat authored
-
- 22 Sep, 2016 1 commit
-
-
Nicolas Wavrant authored
Slapos.toolbox has a new dependency to pycurl, which fails to compile if libcurl cannot be found. This commit adds the component/pycurl dependency to most of the Software Releases which have a dependency to slapos.toolbox. I tried to do it globally, so I couldn't check the compilation of all the modified SRs. Is it a way to test that all SRs still compiled ? Also, did I forget some important SR ? @rafael @alain.takoudjou @kazuhiko @jm /reviewed-on nexedi/slapos!97
-
- 25 Aug, 2016 1 commit
-
-
Cédric Le Ninivin authored
-