Update Shellinabox in testnode

/reviewed-on nexedi/slapos!408

Update Shellinabox in testnode
/reviewed-on nexedi/slapos!408
d21df0ee · Jérome Perrin · 71d01aa6 · 5d4852c3 · 71d01aa6 · 71d01aa6
Commit d21df0ee authored Sep 21, 2018 by Jérome Perrin
9 changed files
--- a/component/shellinabox/0001-Switch-to-IPv6.patch
+++ b/component/shellinabox/0001-Switch-to-IPv6.patch
-From 50ec7439e80bd6a77346dc6482895e481d8cd43a Mon Sep 17 00:00:00 2001
-From: Antoine Catton <acatton@tiolive.com>
-Date: Tue, 10 Jan 2012 18:30:20 +0100
-Subject: [PATCH] Switch to IPv6
---
- libhttp/http.h             |    4 ++--
- libhttp/httpconnection.c   |   11 ++++++++++-
- libhttp/server.c           |   33 +++++++++++++++++++--------------
- libhttp/server.h           |    6 +++---
- shellinabox/shellinaboxd.c |   14 +++++++-------
- 5 files changed, 41 insertions(+), 27 deletions(-)
-diff --git a/libhttp/http.h b/libhttp/http.h
-index e7840fa..5cd61e3 100644
--- a/libhttp/http.h
-+++ b/libhttp/http.h
-@@ -66,8 +66,8 @@ typedef struct ServerConnection ServerConnection;
- typedef struct Server Server;
- typedef struct URL URL;
-Server *newCGIServer(int localhostOnly, int portMin, int portMax, int timeout);
-Server *newServer(int localhostOnly, int port);
-+Server *newCGIServer(char *ipv6, int portMin, int portMax, int timeout);
-+Server *newServer(char *ipv6, int port);
- void deleteServer(Server *server);
- int  serverGetListeningPort(Server *server);
- int  serverGetFd(Server *server);
-diff --git a/libhttp/httpconnection.c b/libhttp/httpconnection.c
-index c8e69f6..cae467f 100644
--- a/libhttp/httpconnection.c
-+++ b/libhttp/httpconnection.c
-@@ -823,8 +823,17 @@ static int httpHandleCommand(struct HttpConnection *http,
-   const char *host                         = getFromHashMap(&http->header,
-                                                             "host");
-   if (host) {
-+    int brackets = 0; // For IPv6 hosts
-     for (char ch; (ch = *host) != '\000'; host++) {
-      if (ch == ':') {
-+      if (ch == '[') {
-+          brackets = 1;
-+          break;
-+      }
-+      if (ch == ']') {
-+          brackets = 0;
-+          break;
-+      }
-+      if (!brackets && ch == ':') {
-         *(char *)host                      = '\000';
-         break;
-       }
-diff --git a/libhttp/server.c b/libhttp/server.c
-index f52a269..2c30bd8 100644
--- a/libhttp/server.c
-+++ b/libhttp/server.c
-@@ -170,19 +170,19 @@ static int serverQuitHandler(struct HttpConnection *http, void *arg) {
-   return HTTP_DONE;
- }
-struct Server *newCGIServer(int localhostOnly, int portMin, int portMax,
-+struct Server *newCGIServer(char *ipv6, int portMin, int portMax,
-                             int timeout) {
-   struct Server *server;
-   check(server = malloc(sizeof(struct Server)));
-  initServer(server, localhostOnly, portMin, portMax, timeout);
-+  initServer(server, ipv6, portMin, portMax, timeout);
-   return server;
- }
-struct Server *newServer(int localhostOnly, int port) {
-  return newCGIServer(localhostOnly, port, port, -1);
-+struct Server *newServer(char *ipv6, int port) {
-+  return newCGIServer(ipv6, port, port, -1);
- }
-void initServer(struct Server *server, int localhostOnly, int portMin,
-+void initServer(struct Server *server, char *ipv6, int portMin,
-                 int portMax, int timeout) {
-   server->looping               = 0;
-   server->exitAll               = 0;
-@@ -192,14 +192,19 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
-   server->numConnections        = 0;
-   int true                      = 1;
-  server->serverFd              = socket(PF_INET, SOCK_STREAM, 0);
-+  server->serverFd              = socket(PF_INET6, SOCK_STREAM, 0);
-   check(server->serverFd >= 0);
-   check(!setsockopt(server->serverFd, SOL_SOCKET, SO_REUSEADDR,
-                     &true, sizeof(true)));
-  struct sockaddr_in serverAddr = { 0 };
-  serverAddr.sin_family         = AF_INET;
-  serverAddr.sin_addr.s_addr    = htonl(localhostOnly
-                                        ? INADDR_LOOPBACK : INADDR_ANY);
-+  struct sockaddr_in6 serverAddr = { 0 };
-+  serverAddr.sin6_family         = AF_INET6;
-+  if (ipv6 != NULL) {
-+    if (!inet_pton(AF_INET6, ipv6, serverAddr.sin6_addr.s6_addr)) {
-+        fatal("Bad ipv6 address");
-+    }
-+  } else {
-+    serverAddr.sin6_addr = in6addr_any;
-+  }
-   // Linux unlike BSD does not have support for picking a local port range.
-   // So, we have to randomly pick a port from our allowed port range, and then
-@@ -214,14 +219,14 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
-     int portStart               = rand() % (portMax - portMin + 1) + portMin;
-     for (int p = 0; p <= portMax-portMin; p++) {
-       int port                  = (p+portStart)%(portMax-portMin+1)+ portMin;
-      serverAddr.sin_port       = htons(port);
-+      serverAddr.sin6_port       = htons(port);
-       if (!bind(server->serverFd, (struct sockaddr *)&serverAddr,
-                 sizeof(serverAddr))) {
-         break;
-       }
-      serverAddr.sin_port       = 0;
-+      serverAddr.sin6_port       = 0;
-     }
-    if (!serverAddr.sin_port) {
-+    if (!serverAddr.sin6_port) {
-       fatal("Failed to find any available port");
-     }
-   }
-@@ -231,7 +236,7 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
-   check(!getsockname(server->serverFd, (struct sockaddr *)&serverAddr,
-                      &socklen));
-   check(socklen == sizeof(serverAddr));
-  server->port                  = ntohs(serverAddr.sin_port);
-+  server->port                  = ntohs(serverAddr.sin6_port);
-   info("Listening on port %d", server->port);
-   check(server->pollFds         = malloc(sizeof(struct pollfd)));
-diff --git a/libhttp/server.h b/libhttp/server.h
-index bb879fb..5ffb698 100644
--- a/libhttp/server.h
-+++ b/libhttp/server.h
-@@ -78,10 +78,10 @@ struct Server {
-   struct SSLSupport       ssl;
- };
-struct Server *newCGIServer(int localhostOnly, int portMin, int portMax,
-+struct Server *newCGIServer(char *ipv6, int portMin, int portMax,
-                             int timeout);
-struct Server *newServer(int localhostOnly, int port);
-void initServer(struct Server *server, int localhostOnly, int portMin,
-+struct Server *newServer(char *ipv6, int port);
-+void initServer(struct Server *server, char *ipv6, int portMin,
-                 int portMax, int timeout);
- void destroyServer(struct Server *server);
- void deleteServer(struct Server *server);
-diff --git a/shellinabox/shellinaboxd.c b/shellinabox/shellinaboxd.c
-index dcf05ff..2d1d758 100644
--- a/shellinabox/shellinaboxd.c
-+++ b/shellinabox/shellinaboxd.c
-@@ -80,7 +80,7 @@
- static int            port;
- static int            portMin;
- static int            portMax;
-static int            localhostOnly = 0;
-+static char           *ipv6 = NULL;
- static int            noBeep        = 0;
- static int            numericHosts  = 0;
- static int            enableSSL     = 1;
-@@ -747,7 +747,7 @@ static void usage(void) {
-           "  -g, --group=GID             switch to this group (default: %s)\n"
-           "  -h, --help                  print this message\n"
-           "      --linkify=[none|normal|agressive] default is \"normal\"\n"
-          "      --localhost-only        only listen on 127.0.0.1\n"
-+          "      --ipv6                  listen on a specific ipv6\n"
-           "      --no-beep               suppress all audio output\n"
-           "  -n, --numeric               do not resolve hostnames\n"
-           "  -p, --port=PORT             select a port (default: %d)\n"
-@@ -839,7 +839,7 @@ static void parseArgs(int argc, char * const argv[]) {
-       { "static-file",      1, 0, 'f' },
-       { "group",            1, 0, 'g' },
-       { "linkify",          1, 0,  0  },
-      { "localhost-only",   0, 0,  0  },
-+      { "ipv6",             1, 0,  0  },
-       { "no-beep",          0, 0,  0  },
-       { "numeric",          0, 0, 'n' },
-       { "port",             1, 0, 'p' },
-@@ -1001,8 +1001,8 @@ static void parseArgs(int argc, char * const argv[]) {
-               "\"none\", \"normal\", or \"aggressive\".");
-       }
-     } else if (!idx--) {
-      // Localhost Only
-      localhostOnly        = 1;
-+      // IPv6
-+      ipv6 = optarg;
-     } else if (!idx--) {
-       // No Beep
-       noBeep               = 1;
-@@ -1197,7 +1197,7 @@ int main(int argc, char * const argv[]) {
-   // Create a new web server
-   Server *server;
-   if (port) {
-    check(server  = newServer(localhostOnly, port));
-+    check(server  = newServer(ipv6, port));
-     dropPrivileges();
-     setUpSSL(server);
-   } else {
-@@ -1217,7 +1217,7 @@ int main(int argc, char * const argv[]) {
-       _exit(0);
-     }
-     check(!NOINTR(close(fds[0])));
-    check(server  = newCGIServer(localhostOnly, portMin, portMax,
-+    check(server  = newCGIServer(ipv6, portMin, portMax,
-                                  AJAX_TIMEOUT));
-     cgiServer     = server;
-     setUpSSL(server);
-- 
-1.7.6.5
--- a/component/shellinabox/0002-Allow-to-run-entire-command-path.patch
+++ b/component/shellinabox/0002-Allow-to-run-entire-command-path.patch
-From eee6f7180dc5dd4523264e7ce0721945ab2b78a1 Mon Sep 17 00:00:00 2001
-From: Antoine Catton <acatton@tiolive.com>
-Date: Wed, 11 Jan 2012 17:32:15 +0100
-Subject: [PATCH 2/2] Allow to run entire command path.
---
- shellinabox/launcher.c |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-diff --git a/shellinabox/launcher.c b/shellinabox/launcher.c
-index fb8a133..e116a75 100644
--- a/shellinabox/launcher.c
-+++ b/shellinabox/launcher.c
-@@ -1226,8 +1226,7 @@ static void execService(int width, int height, struct Service *service,
-   extern char **environ;
-   environ                     = environment;
-  char *cmd                   = strrchr(argv[0], '/');
-  execvp(cmd ? cmd + 1: argv[0], argv);
-+  execvp(argv[0], argv);
- }
- void setWindowSize(int pty, int width, int height) {
-- 
-1.7.6.5
--- a/component/shellinabox/buildout.cfg
+++ b/component/shellinabox/buildout.cfg
@@ -11,24 +11,6 @@ extends =
 parts = shellinabox
-[shellinabox]
-<= shellinabox-2.10
-[shellinabox-2.10]
-; This version is old, but we patch it for IPv6 support
-recipe = slapos.recipe.cmmi
-url = http://shellinabox.googlecode.com/files/shellinabox-2.10.tar.gz
-md5sum = 0e144910d85d92edc54702ab9c46f032
-patch-binary = ${patch:location}/bin/patch
-patch-options = -p1
-patches =
-    ${:_profile_base_location_}/0001-Switch-to-IPv6.patch#b61cb099c00e15a5fcaf6c98134fff45
-    ${:_profile_base_location_}/0002-Allow-to-run-entire-command-path.patch#a506b4d83021e24c830f767501c1d3fc
-environment =
-    CFLAGS = -I${zlib:location}/include -I${openssl:location}/include
-    LDFLAGS = -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib
-    PKG_CONFIG_PATH = ${openssl:location}/lib/pkgconfig/
 [shellinabox-git-repository]
 ; This version has much more features, but does not support IPv6 (support unix domain though)
 recipe = slapos.recipe.build:gitclone
@@ -36,7 +18,7 @@ repository = https://github.com/shellinabox/shellinabox
 revision = b8285748993c4c99e80793775f3d2a0a4e962d5a
 git-executable = ${git:location}/bin/git
-[shellinabox-github]
+[shellinabox]
 recipe = slapos.recipe.cmmi
 path = ${shellinabox-git-repository:location}
 configure-command =

--- a/setup.py
+++ b/setup.py
@@ -168,7 +168,6 @@ setup(name=name,
          'reverseproxy.nginx = slapos.recipe.reverse_proxy_nginx:Recipe',
          'sheepdogtestbed = slapos.recipe.sheepdogtestbed:SheepDogTestBed',
          'shell = slapos.recipe.shell:Recipe',
-          'shellinabox = slapos.recipe.shellinabox:Recipe',
          'signalwrapper= slapos.recipe.signal_wrapper:Recipe',
          'simplelogger = slapos.recipe.simplelogger:Recipe',
          'simplehttpserver = slapos.recipe.simplehttpserver:Recipe',

--- a/slapos/recipe/shellinabox.py
+++ b/slapos/recipe/shellinabox.py
-##############################################################################
-#
-# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
-#
-# WARNING: This program as such is intended to be used by professional
-# programmers who take the whole responsibility of assessing all potential
-# consequences resulting from its eventual inadequacies and bugs
-# End users who are looking for a ready-to-use solution with commercial
-# guarantees and support are strongly adviced to contract a Free Software
-# Service Company
-#
-# This program is Free Software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 3
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
-#
-##############################################################################
-from getpass import getpass
-import hmac
-import pwd
-import grp
-import os
-import shlex
-from slapos.recipe.librecipe import GenericBaseRecipe
-def login_shell(password_file, shell):
-  if password_file:
-    with open(password_file, 'r') as password_file:
-      password = password_file.read()
-    if not password or hmac.compare_digest(getpass(), password):
-      commandline = shlex.split(shell)
-      os.execv(commandline[0], commandline)
-  return 1
-def shellinabox(args):
-  certificate_dir = args['certificate_dir']
-  certificate_path = os.path.join(certificate_dir, 'certificate.pem')
-  with open(certificate_path, 'w') as certificate_file:
-    with open(args['ssl_key'], 'r') as key_file:
-      # XXX: Dirty hack in order to make shellinabox work
-      print >> certificate_file, key_file.read().replace(' PRIVATE ',
-                                                         ' RSA PRIVATE ')
-    with open(args['ssl_certificate']) as public_key_file:
-      print >> certificate_file, public_key_file.read()
-  user = pwd.getpwuid(os.getuid()).pw_uid
-  group = grp.getgrgid(os.getgid()).gr_gid
-  service = '/:%(user)s:%(group)s:%(directory)s:%(command)s' % {
-    'user': user,
-    'group': group,
-    'directory': args['directory'],
-    'command': args['login_shell'],
-  }
-  command_line = [
-    args['shellinabox'],
-    '-c', certificate_dir,
-    '-s', service,
-    '--ipv6', args['ipv6'],
-    '-p', args['port'],
-  ]
-  # XXX: By default shellinbox drop privileges
-  #      switching to nobody:nogroup user.
-  # This force root.
-  if group == 'root':
-    command_line.extend(['-g', group])
-  if user == 'root':
-    command_line.extend(['-u', group])
-  os.execv(command_line[0], command_line)
-class Recipe(GenericBaseRecipe):
-  def install(self):
-    login_shell_wrapper = self.createPythonScript(
-      self.options['login-shell'],
-      __name__ + '.login_shell',
-      (self.options['password-file'], self.options['shell'])
-    )
-    shellinabox_wrapper = self.createPythonScript(
-      self.options['wrapper'],
-      __name__ + '.shellinabox',
-      (dict(
-        certificate_dir=self.options['certificate-directory'],
-        ssl_key=self.options['key-file'],
-        ssl_certificate=self.options['cert-file'],
-        shellinabox=self.options['shellinabox-binary'],
-        directory=self.options['directory'],
-        ipv6=self.options['ipv6'],
-        port=self.options['port'],
-        login_shell=login_shell_wrapper,
-       ),)
-    )
-    return login_shell_wrapper, shellinabox_wrapper
--- a/software/erp5testnode/buildout.hash.cfg
+++ b/software/erp5testnode/buildout.hash.cfg
@@ -18,4 +18,4 @@ md5sum = 307663d73ef3ef94b02567ecd322252e
 [template-default]
 filename = instance-default.cfg
-md5sum = 555700e5d216ff32a981f4066791bdab
+md5sum = d5a4270e5e7827db2e6a19d2eedb570b
--- a/software/erp5testnode/instance-default.cfg
+++ b/software/erp5testnode/instance-default.cfg
@@ -9,8 +9,6 @@ extends = ${monitor2-template:rendered}
 parts =
  testnode
-  shell
-  shellinabox
  certificate-authority
  ca-shellinabox
  ca-httpd-testnode
@@ -18,11 +16,12 @@ parts =
  monitor-publish
  testnode-frontend
  resiliency-exclude-file
+  shellinabox-frontend-reload
+  promises
 [monitor-publish]
 recipe = slapos.cookbook:publish
-url = https://[$${shellinabox:ipv6}]:$${shellinabox:port}/
+url = $${shellinabox-frontend:url}
-password = $${pwgen:passwd}
 frontend-url = $${testnode-frontend:connection-secure_access}
 [pwgen]
@@ -73,34 +72,70 @@ apache-modules-dir = ${apache:location}/modules
 apache-mime-file = ${apache:location}/conf/mime.types
 apache-htpasswd = ${apache:location}/bin/htpasswd
-[shell]
-recipe = slapos.cookbook:shell
+[shell-environment]
-wrapper = $${rootdirectory:bin}/sh
+shell = ${bash:location}/bin/bash
-shell = ${busybox:location}/bin/sh
-home = $${buildout:directory}
-ps1 = "\\w> "
-path =
-    ${busybox:location}/bin/
-    ${busybox:location}/usr/bin/
-    ${git:location}/bin/
-    ${python2.7:location}/bin/
-    ${buildout:bin-directory}/
-    ${busybox:location}/sbin/
-    ${busybox:location}/usr/sbin/
 [shellinabox]
-recipe = slapos.cookbook:shellinabox
+recipe = slapos.recipe.template:jinja2
+# We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
+socket = $${directory:run}/siab.sock
+mode = 0700
+rendered = $${basedirectory:services}/shellinaboxd
+template = inline:
+  #!/bin/sh
+  exec ${shellinabox:location}/bin/shellinaboxd \
+    --disable-ssl \
+    --disable-ssl-menu \
+    --unixdomain-only=$${:socket}:$(id -u):$(id -g):0600 \
+    --service "/:$(id -u):$(id -g):HOME:$${shell-environment:shell} -l"
+[shellinabox-frontend-config]
+recipe = slapos.recipe.template:jinja2
+rendered = $${directory:etc}/$${:_buildout_section_name_}
+template = inline:
+  https://$${:hostname}:$${:port} {
+    bind $${:ipv6}
+    tls $${:cert-file} $${:key-file}
+    gzip
+    log stdout
+    errors stderr
+    proxy / unix:$${shellinabox:socket}
+    basicauth $${:username} $${:passwd} {
+      realm "Test Node $${testnode:test-node-title}"
+      /
+    }
+  }
 ipv6 = $${slap-network-information:global-ipv6}
+hostname = [$${:ipv6}]
 port = 8080
-shell = $${shell:wrapper}
+username = testnode
-wrapper = $${rootdirectory:bin}/shellinaboxd
+passwd = $${pwgen:passwd}
-shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
-password-file = $${pwgen:storage-path}
-directory = $${buildout:directory}/
-login-shell = $${rootdirectory:bin}/login
-certificate-directory = $${directory:shellinabox}
 cert-file = $${directory:shellinabox}/public.crt
 key-file = $${directory:shellinabox}/private.key
+url = https://$${:username}:$${:passwd}@$${:hostname}:$${:port}
+[shellinabox-frontend]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${rootdirectory:bin}/$${:_buildout_section_name_}
+command-line =
+  ${caddy:output} -conf $${shellinabox-frontend-config:rendered} -pidfile $${:pidfile}
+url =  $${shellinabox-frontend-config:url}
+hostname = $${shellinabox-frontend-config:ipv6}
+port = $${shellinabox-frontend-config:port}
+pidfile = $${basedirectory:run}/$${:_buildout_section_name_}.pid
+[shellinabox-frontend-reload]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${basedirectory:services}/$${:_buildout_section_name_}
+command-line =
+  ${bash:location}/bin/bash -c 
+  "kill -s USR1 $$(${coreutils:location}/bin/cat $${shellinabox-frontend:pidfile}) \
+    && ${coreutils:location}/bin/sleep infinity"
+hash-files =
+  $${shellinabox-frontend-config:rendered}
+  $${shellinabox-frontend:wrapper-path}
 [certificate-authority]
 recipe = slapos.cookbook:certificate_authority
@@ -124,10 +159,10 @@ crl = $${directory:ca-dir}/crl/
 [ca-shellinabox]
 <= certificate-authority
 recipe = slapos.cookbook:certificate_authority.request
-executable = $${shellinabox:wrapper}
+executable = $${shellinabox-frontend:wrapper-path}
-wrapper = $${basedirectory:services}/shellinaboxd
+wrapper = $${basedirectory:services}/shellinabox-frontend
-key-file = $${shellinabox:key-file}
+key-file = $${shellinabox-frontend-config:key-file}
-cert-file = $${shellinabox:cert-file}
+cert-file = $${shellinabox-frontend-config:cert-file}
 [ca-httpd-testnode]
 <= certificate-authority
@@ -181,6 +216,21 @@ config-https-only = true
 #software-type = custom-personal
 return = domain secure_access
+[promises]
+recipe =
+instance-promises =
+  $${shellinabox-frontend-listen-promise:path}
+[check-port-listening-promise]
+recipe = slapos.cookbook:check_port_listening
+path = $${directory:promises}/$${:_buildout_section_name_}
+[shellinabox-frontend-listen-promise]
+<= check-port-listening-promise
+hostname= $${shellinabox-frontend:hostname}
+port = $${shellinabox-frontend:port}
 [slap-parameter]
 node-quantity = 1
 test-suite-master-url =

--- a/software/erp5testnode/software.cfg
+++ b/software/erp5testnode/software.cfg
@@ -5,7 +5,9 @@ extends =
  ../../component/git/buildout.cfg
  ../../component/lxml-python/buildout.cfg
  ../../component/zip/buildout.cfg
-  ../../component/busybox/buildout.cfg
+  ../../component/bash/buildout.cfg
+  ../../component/caddy/buildout.cfg
+  ../../component/coreutils/buildout.cfg
  ../../component/shellinabox/buildout.cfg
  ../../component/pwgen/buildout.cfg
  ../../component/apache/buildout.cfg
@@ -27,6 +29,7 @@ eggs =
  zc.buildout
  slapos.libnetworkcache
  slapos.core
+  slapos.recipe.template
  supervisor
  jsonschema
  hexagonit.recipe.download

--- a/software/slaprunner/software.cfg
+++ b/software/slaprunner/software.cfg
@@ -43,10 +43,6 @@ common-parts =
 parts =
  ${:common-parts}
-# Use shellinabox from github with AF_UNIX support
-[shellinabox]
-<= shellinabox-github
 [template-base]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/${:filename}