An error occurred fetching the project authors.
  1. 29 Jun, 2021 1 commit
  2. 03 Mar, 2021 1 commit
  3. 21 Jan, 2021 1 commit
    • Jérome Perrin's avatar
      software/erp5: Adjust apachedex promise for haproxy · e6087b7d
      Jérome Perrin authored
      Since bd3c2b18 (Remove httpd from ERP5 and use haproxy instead, 2020-12-14)
      timing in balancer access log files are in milliseconds, no longer in
      microseconds as they use to be with apache.
      
      We update apachedex to version 1.8, where it supports generating reports
      from access log files with milliseconds, as long as the expected format is
      passed with --logformat argument.
      
      We changed the default value of apachedex configuration to use the expected
      --logformat argument, but users with a custom apachedex config passed as
      instance parameters (monitor.apachedex-configuration) will have to update
      their request parameters, to also pass --logformat.
      Since this is breaking change, we take this opportunity to introduce another
      breaking change, this parameter is not longer a string with all arguments
      on the same line, which was problematic because these arguments contained
      quotes and backslashes. The arguments are now passed as a list of strings
      which will become the list of arguments passed to apachedex.
      
      This is implemented by generating an apachedex config file, which simplifies
      the generation of the wrapper. For this we also needed to upate
      slapos.toolbox.
      
      The same change is reflected to the overriden profiles in slapos-master,
      but for slapos-master we don't pass the --logformat argument, because
      slapos-master is using httpd, so the logs timings are still in microseconds.
      e6087b7d
  4. 07 Dec, 2020 2 commits
    • Jérome Perrin's avatar
      stack/erp5: socat wrapper to get haproxy stats · 82a249b6
      Jérome Perrin authored
      haproxy can be controlled with this socket, so it might be useful
      to "expose" it - it's not really expose because we only use a
      UNIX socket.
      82a249b6
    • Jérome Perrin's avatar
      stack/erp5: remove httpd and use haproxy instead · 6a8f58c5
      Jérome Perrin authored
      Two main differences of haproxy are file format for certificates and logs.
      
      HAProxy also uses certificates in PEM format, but it expect its own server
      certificate and the key to be in the same file (although recent version seems
      to accept separate files, we don't use this now) and the CRL and CA certificates
      also all together in the same file.
      We change to use the same file for certificate and key and for CA and CRL, in
      the updater script we we build PEM files by containing all CA certificates and
      all CRL together.
      Also, since haproxy needs to be reloaded when certificate change, we run it in
      master-worker mode, with a pid file so that we can signal it to reload.
      
      For the logs, since haproxy does not log to file, we introduce a rsyslogd to
      log to a file. The log format is same as with httpd, except that timing are not
      in microseconds but in milliseconds - this did not seem to be configurable.
      This is a problem for apachedex reports on log, for that we plan to use an
      updated version of apachedex with support for `%{ms}T` for durations.
      
      HAProxy is configured with same timeouts, except:
       - "connect" timeout has been increased a bit (from 5 to 10s), because the
         comment "The connection should be immediate on LAN" was no longer true, now
         that haproxy is accessed from frontend.
       - the server entries for testrunner are a very long timeout (8h) because some
         ERP5 functional tests exceeed the 305s timeout.
      
      The SSL configuration is with current "modern" config from https://ssl-config.mozilla.org/
      
      Tests have been modified a bit, because haproxy uses HTTP/2.0 and not 1.1
      like httpd was doing several haproxy features (keep alive and gzip
      compression) are only available when backend uses HTTP/1.1, so we adjusted
      tests to use a 1.1 backend.
      
      There was also differences with logs, because of the time being in milliseconds.
      
      TestPublishedURLIsReachableMixin._checkERP5IsReachable was also updated, it
      was working by chance because when accessed behind httpd->haproxy->zope, zope
      was producing a redirect URL that was the URL of haproxy, which could be
      resolved by chance. This test was updated to access zope with a path that
      contains VirtualHostMonster magic, as the shared frontend ( with "zope" software
      type) is supposed to set.
      
      This should hopefuly solve the "502 Proxy Error" that we are observing with httpd.
      6a8f58c5
  5. 10 Nov, 2020 2 commits
    • Jérome Perrin's avatar
      stack/erp5: stop using caucase managed certificate for balancer · 620c9332
      Jérome Perrin authored
      Revert "software/erp5: use a caucase managed certificate for balancer"
      
      This reverts commit 74d18b9d and also follow
      up fixup ( 555b26a2 ).
      
      We are not ready to use caucase here, there are still too many problems with
      caucase (keys are lost at each SR update etc) and design might still evolve,
      so let's go back to self signed certificate for now.
      
      Also remove the promise and the updater, since they are also not working and
      causing problems on instances that have been updated (and where the key no
      longer match the certificate)
      620c9332
    • Jérome Perrin's avatar
      fixup! software/erp5: use a caucase managed certificate for balancer · 555b26a2
      Jérome Perrin authored
      fix balancer CSR generation:
      
      Caucase rerequest uses a CSR *template* and use it to generate
      a new CSR with a new key, so we should not use the actual key to
      generate this CSR, because it is caucase rerequest job to generate
      the key.
      Also, we should be careful not to generate a new CSR every time this
      command run, otherwise a new key will be generated and a new CSR will
      be sent to caucase, but caucase will not sign it automatically (since
      we configure it to sign only one certificate).
      
      This means that the case of IP address changes is currently not
      supported automatically. To support it we would need to:
        - force generation of a new CSR template
        - force caucase rerequester to request a new certificate (by removing
        existing certificate)
        - force caucased to sign the new certificate
      
      This commit also fix indentation and remove simplefile macro that is no longer used
      555b26a2
  6. 23 Oct, 2020 1 commit
  7. 21 Oct, 2020 1 commit
  8. 16 Jun, 2020 2 commits
  9. 06 Mar, 2020 1 commit
  10. 19 Nov, 2019 1 commit
  11. 19 Jun, 2019 1 commit
  12. 17 Apr, 2019 1 commit
    • Jérome Perrin's avatar
      erp5: Fix bug with too many apache Listen · 70b3e0e3
      Jérome Perrin authored
      A regression in the apache entries for testrunner used one apache port
      for each zope - not one for each family as what was intended.
      There was also a problem that these apache ports were used even when no
      testrunner.
      70b3e0e3
  13. 12 Mar, 2019 1 commit
  14. 01 Mar, 2019 1 commit
  15. 20 Nov, 2018 1 commit
  16. 14 Nov, 2018 2 commits
  17. 17 Sep, 2018 1 commit
  18. 10 Sep, 2018 1 commit
    • Jérome Perrin's avatar
      erp5: Rework testrunner's HTTP server · 2a457867
      Jérome Perrin authored
      We don't want runUnitTest is to listen on 127.0.0.1, as it is not
      allowed for SlapOS instances, runUnitTest wrapper is extended to include
      `--zserver` with a pre-assigned ip:port.
      
      runTestSuite starts several test in parrallel (controlled by
      `--node_quantity` argument, which is passed by erp5testnode), so we need
      to make sure that we provide it with enough ip:port. For this, we
      extended runTestSuite with a `--zserver_address_list` argument and we
      generate a wrapper with a list of `testrunner.node-count` pre-assigned
      ip:ports.
      
      Because zelenium tests needs to access this zserver over a secure origin
      (otherwise modern browser features such as service worker are not
      available), use an https proxy in the apache from the balancer
      partition.
      
      runUnitTest and runTestSuite have been extended with resp.
      `--zserver_frontend_url` and `--zserver_frontend_url_list` arguments and
      the URLs published by the balancer paritions are set in the wrappers.
      For compatibility reasons, runTestSuite pass parameters as environment
      variables.
      
      Implementation notes:
      
      This introduces a circular depencency, balancer partition needs to know
      the address of the testrunners and zope partitions needs to know the
      URLs of the corresponding http proxies on the apache. This is is handled
      by `slapos.recipe:publish-early`:
      
       1. request zope family with an empty `test-runner-apache-url-list`.
          zope is instanciated a first time.
          zope returns `test-runner-address-list` ( a list of (host, port)
          tuples )
       2. request balancer with `test-runner-address-list`
          balancer is instanciated.
          balancer returns `{{ family_name }}-test-runner-url-list` ( a list
          of apache URLs ), which are published in the root partition.
       3. zope family is re-requested with
          updated`test-runner-apache-url-list` information
      
      instance-erp5.cfg.in template was also reorganised to move
      `[publish-early]` next to `[publish]` at the bottom of the file because
      these sections are semantically related.
      Also test runner generation is moved after zope generation, because we
      want to allocate test runners ports after zopes, otherwise existing
      zopes would get new ports when existing instances are upgraded.
      2a457867
  19. 14 Aug, 2018 1 commit
  20. 18 May, 2018 1 commit
  21. 16 Mar, 2018 1 commit
  22. 28 Dec, 2017 1 commit
  23. 06 Oct, 2017 2 commits
  24. 04 Oct, 2017 1 commit
  25. 28 Sep, 2017 1 commit
  26. 18 Aug, 2017 3 commits
  27. 11 Aug, 2017 1 commit
  28. 18 Jul, 2017 1 commit
  29. 03 Jul, 2017 1 commit
  30. 20 Jun, 2017 2 commits
  31. 16 Feb, 2017 1 commit
    • Vincent Pelletier's avatar
      stack.logrotate: Fix support for stopped processes. · b0d0efc2
      Vincent Pelletier authored
      When a process is stopped:
      - it may not have emitted logs since previous rotation: add "missingok"
        As a direct consequence: stop using logrotate recipe.
      - its pid file (if applicable) may be missing: test its non-empty presence
        before calling slapos-kill
      Also, stop using slapos.cookbook:logrotate.
      Update obvious users (cloudooo, neoppod, erp5, monitor, re6stnet).
      b0d0efc2
  32. 08 Feb, 2017 1 commit