Merge remote-tracking branch 'origin/master' into erp5-component

component/hwloc/buildout.cfg

+[buildout]
+extends =
+  ../../component/libtool/buildout.cfg
+  ../../component/automake/buildout.cfg
+  ../../component/autoconf/buildout.cfg
+parts =
+  hwloc
+
+[hwloc]
+recipe = slapos.recipe.cmmi
+url = http://www.open-mpi.org/software/hwloc/v1.9/downloads/hwloc-1.9.tar.gz
+md5sum = 1f9f9155682fe8946a97c08896109508
+environment =
+  PATH=${pkgconfig:location}/bin:${automake:location}/bin:${autoconf:location}/bin:${libtool:location}/bin:%(PATH)s
+configure-options =
+  --prefix="${buildout:parts-directory}/${:_buildout_section_name_}"
\ No newline at end of file

component/lua/buildout.cfg

+[buildout]
+extends =
+  ../readline/buildout.cfg
+
+parts =
+  lua
+
+[lua]
+recipe = slapos.recipe.cmmi
+url = http://www.lua.org/ftp/lua-5.2.3.tar.gz
+md5sum = dc7f94ec6ff15c985d2d6ad0f1b35654
+configure-command = make posix
+make-targets =
+  install INSTALL_TOP=${buildout:parts-directory}/${:_buildout_section_name_}
+environment =
+  CMAKE_INCLUDE_PATH=${readline:location}/include
+  CMAKE_LIBRARY_PATH=${readline:location}/lib
+  CPPFLAGS =-I${readline:location}/include
+  LDFLAGS =-L${readline:location}/lib -Wl,-rpath=${readline:location}/lib

component/trafficserver/buildout.cfg

+[buildout]
+extends =
+  ../../component/lua/buildout.cfg
+  ../../component/hwloc/buildout.cfg
+  ../../component/pkgconfig/buildout.cfg
+  ../../component/libtool/buildout.cfg
+  ../../component/make/buildout.cfg
+  ../../component/openssl/buildout.cfg
+  ../../component/tcl/buildout.cfg
+  ../../component/libexpat/buildout.cfg
+  ../../component/pcre/buildout.cfg
+  ../../component/libcap/buildout.cfg
+  ../../component/flex/buildout.cfg
+  ../../component/ncurses/buildout.cfg
+  ../../component/curl/buildout.cfg
+  ../../component/zlib/buildout.cfg
+
+parts =
+  trafficserver
+
+[trafficserver]
+recipe = slapos.recipe.cmmi
+url = http://apache.claz.org/trafficserver/trafficserver-4.2.1.tar.bz2
+md5sum = 18f7d56650cba260c8cce3bf4abfa56c
+configure-options =
+  --prefix=${buildout:parts-directory}/${:_buildout_section_name_}
+  --with-openssl=${openssl:location}
+  --with-expat=${libexpat:location}
+  --with-pcre=${pcre:location}
+  --with-lua=${lua:location}
+  --with-ncurses=${ncurses:location}
+  --with-tcl=${tcl:location}/lib/
+  --with-zlib=${zlib:location}
+environment =
+  PATH=${make:location}/bin:${libtool:location}/bin:${pkgconfig:location}/bin:%(PATH)s
+  LDFLAGS = -L${tcl:location}/lib -Wl,-rpath=${tcl:location}/lib
+make-target =
+  check
+  install

software/apache-frontend/common.cfg

@@ -13,7 +13,8 @@ extends =
   ../../component/dcron/buildout.cfg
   ../../component/logrotate/buildout.cfg
   ../../component/rdiff-backup/buildout.cfg
-  ../../component/squid/buildout.cfg
+  ../../component/trafficserver/buildout.cfg
+
 # Monitoring stack
   ../../stack/monitor/buildout.cfg
 
@@ -33,7 +34,6 @@ parts +=
   dcron
   logrotate
   rdiff-backup
-  squid
 
 [slapos-toolbox]
 recipe = zc.recipe.egg
@@ -67,7 +67,7 @@ mode = 0644
 [template-apache-frontend]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/instance-apache-frontend.cfg
-md5sum = f5ec3d3b29d20ccdb00e3b64aa588fa5
+md5sum = b823cb31ff97700c009cf14725690323
 output = ${buildout:directory}/template-apache-frontend.cfg
 mode = 0644
 
@@ -144,12 +144,6 @@ url = ${:_profile_base_location_}/templates/template-log-access.conf.in
 md5sum = f85005b430978f3bd24ee7ce11b0e304
 mode = 640
 
-[template-squid-configuration]
-recipe = slapos.recipe.build:download
-url = ${:_profile_base_location_}/templates/squid.conf.jinja2
-md5sum = f17753fa87da074bc949b2967a330099
-mode = 640
-
 [template-empty]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/empty.in
@@ -162,3 +156,12 @@ url = ${:_profile_base_location_}/templates/wrapper.in
 output = ${buildout:directory}/template-wrapper.cfg
 mode = 0644
 md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
+
+[template-trafficserver-records-config]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
+md5sum = 950a19be225a25309a3bda3f61fb5f6a
+location = ${buildout:parts-directory}/${:_buildout_section_name_}
+filename = records.config.jinja2
+download-only = true
+mode = 0644

software/apache-frontend/instance-apache-frontend.cfg

@@ -9,16 +9,11 @@ parts =
   certificate-authority
   logrotate-entry-apache
   logrotate-entry-apache-cached
-  logrotate-entry-squid
   apache-frontend
   apache-cached
   switch-apache-softwaretype
   frontend-apache-graceful
   cached-apache-graceful
-  squid-service
-  squid-prepare
-  squid-reload
-  promise-squid
   dynamic-template-default-vh
   not-found-html
   promise-frontend-apache-configuration
@@ -28,6 +23,14 @@ parts =
   promise-apache-frontend-v6-https
   promise-apache-frontend-v6-http
   promise-apache-cached
+
+  trafficserver-launcher
+  trafficserver-reload
+  trafficserver-configuration-directory
+  trafficserver-records-config
+  trafficserver-remap-config
+  trafficserver-storage-config
+
 ## Monitoring part
 ###Parts to add for monitoring
   certificate-authority
@@ -47,6 +50,9 @@ parts =
 ## Monitor for apache
   monitor-current-log-access
   monitor-backup-log-access
+  monitor-ats-cache-stats-wrapper
+  monitor-apache-configuration-verification
+
 extends = ${monitor-template:output}
 
 
@@ -79,6 +85,7 @@ crontabs = $${:etc}/crontabs
 cronstamps = $${:etc}/cronstamps
 ca-dir = $${:srv}/ssl
 
+
 [switch-apache-softwaretype]
 recipe = slapos.cookbook:softwaretype
 single-default = $${dynamic-default-template-slave-list:rendered}
@@ -117,14 +124,6 @@ apache-directory = ${apache-2.2:location}
 apache-ipv6 = $${instance-parameter:ipv6-random}
 apache-https-port = $${instance-parameter:configuration.port}
 
-[monitor-current-log-access]
-< = monitor-directory-access
-source = $${directory:log}
-
-[monitor-backup-log-access]
-< = monitor-directory-access
-source = $${directory:logrotate-backup}
-
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = $${buildout:directory}/$${:filename}
@@ -135,6 +134,7 @@ context =
     key develop_eggs_directory buildout:develop-eggs-directory
     key slap_software_type instance-parameter:slap-software-type
     key slapparameter_dict instance-parameter:configuration
+    section directory directory
     $${:extra-context}
 
 [dynamic-template-default-vh]
@@ -333,8 +333,8 @@ cache-access-log = $${directory:log}/frontend-apache-access-cached.log
 cache-error-log = $${directory:log}/frontend-apache-error-cached.log
 cache-pid-file = $${directory:run}/httpd-cached.pid
 
-# Comunication with squid
-cache-port = 26010
+# Comunication with ats
+cache-port = $${trafficserver-variable:input-port}
 cache-through-port = 26011
 
 # Create wrapper for "apachectl conftest" in bin
@@ -433,77 +433,70 @@ sharedscripts = true
 notifempty = true
 create = true
 
-[logrotate-entry-squid]
-<= logrotate
-recipe = slapos.cookbook:logrotate.d
-name = squid
-log = $${squid-cache:cache-log-path} $${squid-cache:access-log-path}
-frequency = daily
-rotatep-num = 30
-post = ${buildout:bin-directory}/killpidfromfile $${apache-configuration:pid-file} SIGHUP
-sharedscripts = true
-notifempty = true
-create = true
-
-######################
-#  Squid deployment
-######################
-[squid-directory]
+#################
+# Trafficserver
+#################
+[trafficserver-directory]
 recipe = slapos.cookbook:mkdirectory
-squid-cache = $${directory:srv}/squid_cache
-
-[squid-cache]
-prepare-path = $${directory:etc-run}/squid-prepare
-wrapper-path = $${directory:service}/squid
-binary-path = ${squid:location}/sbin/squid
-configuration-path = $${directory:etc}/squid.cfg
-cache-path = $${squid-directory:squid-cache}
-ip = $${instance-parameter:ipv4-random}
-port = $${apache-configuration:cache-port}
-backend-ip = $${instance-parameter:ipv4-random}
-backend-port = $${apache-configuration:cache-through-port}
-open-port = $${instance-parameter:configuration.open-port}
-access-log-path = $${directory:log}/squid-access.log
-cache-log-path = $${directory:log}/squid-cache.log
-pid-filename-path = $${directory:run}/squid.pid
-
-[squid-configuration]
-< = jinja2-template-base
-template = ${template-squid-configuration:target}
-rendered = $${squid-cache:configuration-path}
-extra-context =
-      key ip squid-cache:ip
-      key port squid-cache:port
-      key backend_ip squid-cache:backend-ip
-      key backend_port squid-cache:backend-port
-      key cache_path squid-cache:cache-path
-      key access_log_path squid-cache:access-log-path
-      key cache_log_path squid-cache:cache-log-path
-      key pid_filename_path squid-cache:pid-filename-path
-      key open_port squid-cache:open-port
-
-[squid-service]
+configuration = $${directory:etc}/trafficserver
+local-state = $${directory:var}/trafficserver
+bin_path = ${trafficserver:location}/bin
+log = $${directory:log}/trafficserver
+cache-path = $${directory:srv}/ats_cache
+
+[trafficserver-variable]
+wrapper-path = $${directory:service}/trafficserver
+reload-path = $${directory:etc-run}/trafficserver-reload
+local-ip = $${instance-parameter:ipv4-random}
+input-port = 23432
+hostname = $${slap-parameter:frontend-name}
+remap = map / http://$${instance-parameter:ipv4-random}:$${apache-configuration:cache-through-port}
+disk-cache-config = $${trafficserver-directory:cache-path} 8G volume=$${slap-parameter:frontend-name}
+
+[trafficserver-configuration-directory]
+recipe = plone.recipe.command
+command = cp -rn ${trafficserver:location}/etc/trafficserver/* $${:target}
+target = $${trafficserver-directory:configuration}
+
+[trafficserver-launcher]
 recipe = slapos.cookbook:wrapper
-command-line = $${squid-cache:binary-path} -N -f $${squid-configuration:rendered}
-wrapper-path = $${squid-cache:wrapper-path}
+command-line = ${trafficserver:location}/bin/traffic_cop
+wrapper-path = $${trafficserver-variable:wrapper-path}
+environment = TS_ROOT=$${buildout:directory}
 
-[squid-prepare]
+[trafficserver-reload]
 recipe = slapos.cookbook:wrapper
-command-line = $${squid-cache:binary-path} -z -f $${squid-configuration:rendered}
-wrapper-path = $${squid-cache:prepare-path}
+command-line = ${trafficserver:location}/bin/traffic_line -x
+wrapper-path = $${trafficserver-variable:reload-path}
+environment = TS_ROOT=$${buildout:directory}
 
-[squid-reload]
-recipe = slapos.cookbook:wrapper
-command-line = ${buildout:bin-directory}/killpidfromfile $${squid-cache:pid-filename-path} SIGHUP
-wrapper-path = $${directory:etc-run}/squid-reload
+[trafficserver-records-config]
+< = jinja2-template-base
+template = ${template-trafficserver-records-config:location}/${template-trafficserver-records-config:filename}
+rendered = $${trafficserver-directory:configuration}/records.config
+mode = 700
+context =
+    import os_module os
+    section ats_directory trafficserver-directory
+    section ats_configuration trafficserver-variable
 
-[promise-squid]
-recipe = slapos.cookbook:check_port_listening
-path = $${directory:promise}/squid
-hostname = $${instance-parameter:ipv4-random}
-port = $${apache-configuration:cache-port}
+[trafficserver-remap-config]
+< = jinja2-template-base
+template = ${template-empty:target}
+rendered = $${trafficserver-configuration-directory:target}/remap.config
+mode = 700
+context =
+    key content trafficserver-variable:remap
 
-# End of Squid part
+[trafficserver-storage-config]
+< = jinja2-template-base
+template = ${template-empty:target}
+rendered = $${trafficserver-configuration-directory:target}/storage.config
+mode = 700
+context =
+    key content trafficserver-variable:disk-cache-config
+
+### End of ATS sections
 
 ### Apaches Graceful and promises
 [frontend-apache-graceful]
@@ -577,3 +570,62 @@ server_url = $${slap-connection:server-url}
 software_release_url = $${slap-connection:software-release-url}
 key_file = $${slap-connection:key-file}
 cert_file = $${slap-connection:cert-file}
+
+[slap-parameter]
+# Define default parameter(s) that will be used later, in case user didn't
+# specify it
+# All parameters are available through the configuration.XX syntax.
+# All possible parameters should have a default.
+domain = example.org
+public-ipv4 =
+port = 4443
+plain_http_port = 8080
+server-admin = admin@example.com
+apache_custom_https = ""
+apache_custom_http = ""
+apache-key =
+apache-certificate =
+open-port = 80 443
+extra_slave_instance_list =
+frontend-name =
+
+
+#######
+# Monitoring sections
+#
+
+[monitor-current-log-access]
+< = monitor-directory-access
+source = $${directory:log}
+
+[monitor-backup-log-access]
+< = monitor-directory-access
+source = $${directory:logrotate-backup}
+
+# Produce ATS Cache stats
+[monitor-ats-cache-stats-wrapper]
+< = jinja2-template-base
+template = ${template-wrapper:output}
+rendered = $${monitor-directory:monitoring-cgi}/ats-cache-stats
+mode = 0700
+command = export TS_ROOT=$${buildout:directory} && echo "<pre>$(${trafficserver:location}/bin/traffic_shell $${monitor-ats-cache-stats-config:rendered})</pre>"
+extra-context =
+  key content monitor-ats-cache-stats-wrapper:command
+
+[monitor-ats-cache-stats-config]
+< = jinja2-template-base
+template = ${template-empty:target}
+rendered = $${trafficserver-configuration-directory:target}/cache-config.stats
+mode = 644
+context =
+    raw content show:cache-stats
+
+# Display result of apache configuration check
+[monitor-apache-configuration-verification]
+< = jinja2-template-base
+template = ${template-wrapper:output}
+rendered = $${monitor-directory:monitoring-cgi}/front-httpd-configuration
+mode = 0700
+command = echo "<pre>$($${apache-configuration:frontend-configuration-verification})</pre>"
+extra-context =
+  key content :command

software/apache-frontend/templates/squid.conf.jinja2

-refresh_pattern .   0 20% 4320 max-stale=604800
-
-# Dissallow cachemgr access
-http_access deny manager
-
-# Squid service configuration
-http_port {{ ip }}:{{ port }} accel defaultsite={{ ip }}
-
-cache_peer {{ backend_ip }} parent {{ backend_port }} 0 no-query originserver name=backend
-
-acl our_sites port {{ open_port }}
-http_access allow our_sites
-cache_peer_access backend allow our_sites
-cache_peer_access backend deny all
-
-# Drop squid headers
-# via off
-# reply_header_access X-Cache-Lookup deny all
-# reply_header_access X-Squid-Error deny all
-# reply_header_access X-Cache deny all
-
-header_replace X-Forwarded-For
-follow_x_forwarded_for allow all
-forwarded_for on
-
-cache_dir aufs {{ cache_path }} 5000 16 256
-
-# Use 1Go of RAM
-cache_mem 1024 MB
-# But do not keep big object in RAM
-maximum_object_size_in_memory 2048 KB
-
-# Log
-access_log {{ access_log_path }}
-cache_log {{ cache_log_path }}
-pid_filename {{ pid_filename_path }}

software/apache-frontend/templates/trafficserver/records.config.jinja2

+#
+#
+# Process Records Config File
+#
+# <RECORD-TYPE> <NAME> <TYPE> <VALUE (till end of line)>
+#
+#	RECORD-TYPE:	CONFIG, LOCAL
+#	NAME:		name of variable
+#	TYPE:		INT, STRING, FLOAT
+#	VALUE:		Initial value for record
+#
+#
+# *NOTE*: All options covered in this file should be documented in the
+#         administration guide or the addendum:
+#
+#
+##############################################################################
+#
+# System Variables
+#
+##############################################################################
+CONFIG proxy.config.proxy_name STRING {{ ats_configuration['hostname'] }}
+CONFIG proxy.config.local_state_dir {{ ats_directory['local-state'] }}
+CONFIG proxy.config.config_dir STRING {{ ats_directory['configuration'] }}
+CONFIG proxy.config.bin_path STRING {{ ats_directory['bin_path'] }}
+CONFIG proxy.config.proxy_binary_opts STRING -M
+CONFIG proxy.config.env_prep STRING example_prep.sh
+CONFIG proxy.config.alarm_email STRING nobody
+CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
+CONFIG proxy.config.output.logfile STRING traffic.out
+CONFIG proxy.config.snapshot_dir STRING snapshots
+CONFIG proxy.config.system.mmap_max INT 2097152
+##############################################################################
+#
+# Main threads configuration (worker threads). Also see configurations for
+# SSL threads, disk I/O threads and task threads in their respective areas.
+#
+##############################################################################
+CONFIG proxy.config.exec_thread.autoconfig INT 1
+CONFIG proxy.config.exec_thread.autoconfig.scale FLOAT 1.5
+CONFIG proxy.config.exec_thread.limit INT 2
+CONFIG proxy.config.accept_threads INT 1
+##############################################################################
+#
+# Local Manager
+#
+##############################################################################
+CONFIG proxy.config.admin.admin_user STRING admin
+CONFIG proxy.config.admin.number_config_bak INT 3
+CONFIG proxy.config.admin.user_id STRING {{ '#%s' % os_module.geteuid() }}
+##############################################################################
+#
+# Process Manager
+#
+##############################################################################
+CONFIG proxy.config.admin.autoconf_port INT 8083
+CONFIG proxy.config.process_manager.mgmt_port INT 8084
+##############################################################################
+#
+# In order to only bind a specific IP, use the following config, as in
+# the example below. Note - this can contain two addresses, one for IPv4
+# sockets and one for IPv6 sockets.
+#
+##############################################################################
+LOCAL proxy.local.incoming_ip_to_bind STRING {{ ats_configuration['local-ip'] }}
+#LOCAL proxy.local.outgoing_ip_to_bind STRING 10.0.143.32
+#LOCAL proxy.local.incoming_ip_to_bind STRING 192.168.101.17 fc07:192:168:101::17
+##############################################################################
+#
+# Alarm Configuration
+#
+##############################################################################
+   # execute alarm as "<abs_path>/<bin> "<MSG_STRING_FROM_PROXY>""
+CONFIG proxy.config.alarm.bin STRING example_alarm_bin.sh
+CONFIG proxy.config.alarm.abs_path STRING NULL
+##############################################################################
+#
+# HTTP Engine
+#
+##############################################################################
+   ##########
+   # basics #
+   ##########
+   # The server ports are listed here. These are separated by spaces or commas.
+   # Each port is a colon separated list of values, which must include a
+   # port number. The order is irrelevant. Other options are
+   # ipv4 - Use IPv4 (default)
+   # ipv6 - Use IPv6
+   # tr-in - Transparent inbound.
+   # tr-out - Transparent outbound.
+   # tr-full - Fully transparent (inbound and outbound).
+   # tr-pass - Transparently Pass-through non-HTTP traffic (in conjuction with tr-in).
+   # ssl - SSL terminated port.
+   # blind - Blind tunnel port (CONNECT only)
+   # ip-in=[addr] - Bind inbound IP address (listen for client).
+   # ip-out=[addr] - Bind outbound IP address (connect to origin server).
+   # ip-resolve=[style] - Set the IP resolution style.
+   #
+   # Note - address types must agree with each other and the ipv4/ipv6
+   # option if specified. IPv6 addresses must be enclosed in brackets.
+   # ip-out can be repeated as long as each address is a different
+   # family. If ip-in is specified as an IPv6 address, the port is
+   # forced to IPv6. Transparent ports cannot be bound to an IP
+   # address on the transparent side.
+   #
+   # The '=' is optional for any option with a value.
+   #
+   # Example 1: Port 8080 IPv6 inbound transparent, and port 80 IPv4
+   # "8080:ipv6:tr-in 80"
+   #
+   # Example 2: Listen on standard http and https ports for IPv4 and IPv6,
+   # fully transparent on the http ports. Also provide an non-transparent
+   # port at address 192.168.1.56 on port 8080.
+   # "80:ipv4:tr-full tr-full:80:ipv6 443:ipv4:ssl 443:ssl:ipv6 ip-in=192.168.1.56:8080"
+   #
+CONFIG proxy.config.http.server_ports STRING {{ ats_configuration['local-ip'] + ':' + ats_configuration['input-port'] }}
+   # Ports on the origin server to which a blind tunnel may connect.
+CONFIG proxy.config.http.connect_ports STRING 443 563
+   # The via settings have four values
+   #  0 - Do not modify / set this via header
+   #  1 - Update the via, with normal verbosity
+   #  2 - Update the via, with higher verbosity
+   #  3 - Update the via, with highest verbosity
+CONFIG proxy.config.http.insert_request_via_str INT 2
+CONFIG proxy.config.http.insert_response_via_str INT 2
+   # Insert a Server: header, this has three values
+   #   0 - Don't add or modify the Server: header
+   #   1 - Add a Server: header
+   #   2 - Only add a Server: header if one doesn't exist already
+CONFIG proxy.config.http.response_server_enabled INT 1
+CONFIG proxy.config.http.insert_age_in_response INT 1
+CONFIG proxy.config.http.enable_url_expandomatic INT 0
+CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
+CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 1
+CONFIG proxy.config.http.keep_alive_enabled_in INT 1
+CONFIG proxy.config.http.keep_alive_enabled_out INT 1
+CONFIG proxy.config.http.chunking_enabled INT 1
+   # send http11 requests:
+   #   0 - Never
+   #   1 - Always
+   #   2 - if the server has returned http1.1 before
+   #   3 - if the client request is 1.1 & the server has returned 1.1 before
+   # If use_client_addr is set to 1, options 2 and 3 cause the proxy to use
+   # the client HTTP version for upstream requests.
+CONFIG proxy.config.http.send_http11_requests INT 1
+   # Share server connections
+   #  0 - Never
+   #  1 - Share, with a single global connection pool
+   #  2 - Share, with a connection pool per worker thread
+CONFIG proxy.config.http.share_server_sessions INT 2
+   ##########################
+   # HTTP referer filtering #
+   ##########################
+CONFIG proxy.config.http.referer_filter INT 0
+CONFIG proxy.config.http.referer_format_redirect INT 0
+CONFIG proxy.config.http.referer_default_redirect STRING http://www.example.com/
+   ##############################
+   # parent proxy configuration #
+   ##############################
+CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
+CONFIG proxy.config.http.parent_proxy.retry_time INT 300
+   # Parent fail threshold is the number of request that must
+   # fail within the retry window for the parent to be marked
+   # down
+CONFIG proxy.config.http.parent_proxy.fail_threshold INT 10
+CONFIG proxy.config.http.parent_proxy.total_connect_attempts INT 4
+CONFIG proxy.config.http.parent_proxy.per_parent_connect_attempts INT 2
+CONFIG proxy.config.http.parent_proxy.connect_attempts_timeout INT 30
+CONFIG proxy.config.http.forward.proxy_auth_to_parent INT 0
+   ###################################
+   # HTTP connection timeouts (secs) #
+   ###################################
+   # out: proxy -> origin server connection
+   # in : ua -> proxy connection
+CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 115
+CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 120
+CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 30
+CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 30
+CONFIG proxy.config.http.transaction_active_timeout_in INT 900
+CONFIG proxy.config.http.transaction_active_timeout_out INT 0
+CONFIG proxy.config.http.accept_no_activity_timeout INT 120
+CONFIG proxy.config.http.background_fill_active_timeout INT 60
+CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.5
+   ##################################
+   # origin server connect attempts #
+   ##################################
+CONFIG proxy.config.http.connect_attempts_max_retries INT 6
+CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 3
+CONFIG proxy.config.http.connect_attempts_rr_retries INT 3
+CONFIG proxy.config.http.connect_attempts_timeout INT 30
+CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
+CONFIG proxy.config.http.down_server.cache_time INT 300
+CONFIG proxy.config.http.down_server.abort_threshold INT 10
+   ##################################
+   # congestion control             #
+   ##################################
+CONFIG proxy.config.http.congestion_control.enabled INT 0
+   #############################
+   # negative response caching #
+   #############################
+CONFIG proxy.config.http.negative_caching_enabled INT 0
+CONFIG proxy.config.http.negative_caching_lifetime INT 1800
+   #########################
+   # proxy users variables #
+   #########################
+CONFIG proxy.config.http.anonymize_remove_from INT 0
+CONFIG proxy.config.http.anonymize_remove_referer INT 0
+CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
+CONFIG proxy.config.http.anonymize_remove_cookie INT 0
+CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
+CONFIG proxy.config.http.anonymize_insert_client_ip INT 1
+CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
+CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
+   ############
+   # security #
+   ############
+CONFIG proxy.config.http.push_method_enabled INT 0
+
+#  ###################################
+#  # HTTP Quick filtering (security) #
+#  ###################################
+#  this functionality is moved to ip_allow.config
+
+   #################
+   # cache control #
+   #################
+CONFIG proxy.config.http.cache.http INT 1
+   # Enabling this setting allows the proxy to cache empty documents. This currently
+   # requires that the response has a Content-Length: header, with a value of "0".
+CONFIG proxy.config.http.cache.allow_empty_doc INT 0
+CONFIG proxy.config.http.cache.ignore_client_no_cache INT 1
+CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
+CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
+CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
+CONFIG proxy.config.http.normalize_ae_gzip INT 0
+   # cache responses to cookies has 5 options:
+   #   0 - do not cache any responses to cookies
+   #   1 - cache for any content-type
+   #   2 - cache only for image types
+   #   3 - cache for all but text content-types
+   #   4 - cache for all but text content-types except OS response
+   #       without "Set-Cookie" or with "Cache-Control: public"
+   # See also cache-responses-to-cookies in cache.config.
+CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 1
+CONFIG proxy.config.http.cache.ignore_authentication INT 0
+CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
+CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
+   #  when_to_revalidate has 5 options:
+   #    0 - default. use cache directives or heuristic
+   #    1 - stale if heuristic
+   #    2 - always stale (always revalidate)
+   #    3 - never stale
+   #    4 - always revalidate if request is conditional, else default is used
+CONFIG proxy.config.http.cache.when_to_revalidate INT 0
+   # Some old MSIE browsers don't send no-cache headers to
+   # reverse proxies or transparent caches, this variable controls
+   # when to add no-cache headers to MSIE requests:
+   #  -1 - no-cache is never added, stats are not updated
+   #   0 - default; no-cache not added to MSIE requests
+   #   1 - no-cache added to IMS MSIE requests
+   #   2 - no-cache added to all MSIE requests
+CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests INT -1
+   # required headers: three options:
+   #   0 - No required headers to make document cachable
+   #   1 - "Last-Modified:", "Expires:", or "Cache-Control: max-age" required
+   #   2 - explicit lifetime required, "Expires:" or "Cache-Control: max-age"
+CONFIG proxy.config.http.cache.required_headers INT 2
+CONFIG proxy.config.http.cache.max_stale_age INT 604800
+CONFIG proxy.config.http.cache.range.lookup INT 1
+   ########################
+   # heuristic expiration #
+   ########################
+CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 3600
+CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 86400
+CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.10
+CONFIG proxy.config.http.cache.fuzz.time INT 240
+CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005
+   #########################################
+   # dynamic content & content negotiation #
+   #########################################
+CONFIG proxy.config.http.cache.vary_default_text STRING NULL
+CONFIG proxy.config.http.cache.vary_default_images STRING NULL
+CONFIG proxy.config.http.cache.vary_default_other STRING NULL
+   ##############################################################
+   # The HTTP stats are expensive, turn off you don't need them #
+   ##############################################################
+CONFIG proxy.config.http.enable_http_stats INT 1
+
+##############################################################################
+#
+# Customizable User Response Pages
+#
+##############################################################################
+   # 1 - enable customizable user response pages in only the "default" directory
+   # 2 - enable language-targeted user response pages
+CONFIG proxy.config.body_factory.enable_customizations INT 1
+CONFIG proxy.config.body_factory.enable_logging INT 0
+   # 0 - never suppress generated responses
+   # 1 - always suppress generated responses
+   # 2 - suppress responses for intercepted traffic
+CONFIG proxy.config.body_factory.response_suppression_mode INT 0
+##############################################################################
+#
+# Net Subsystem
+#
+##############################################################################
+CONFIG proxy.config.net.connections_throttle INT 30000
+   # Enable defer accept / accept filtering. On Linux, this is a timeout, sec.
+CONFIG proxy.config.net.defer_accept INT 45
+##############################################################################
+#
+# Cluster Subsystem
+#
+##############################################################################
+   # cluster type requires restart to change
+   # 1 is full clustering, 2 is mgmt only, 3 is no clustering
+LOCAL proxy.local.cluster.type INT 3
+CONFIG proxy.config.cluster.cluster_port INT 8086
+CONFIG proxy.config.cluster.rsport INT 8088
+CONFIG proxy.config.cluster.mcport INT 8089
+CONFIG proxy.config.cluster.mc_group_addr STRING 224.0.1.37
+CONFIG proxy.config.cluster.mc_ttl INT 1
+CONFIG proxy.config.cluster.log_bogus_mc_msgs INT 1
+CONFIG proxy.config.cluster.ethernet_interface STRING lo
+##############################################################################
+#
+# Cache
+#
+##############################################################################
+CONFIG proxy.config.cache.permit.pinning INT 0
+   # default the ram cache size to AUTO_SIZE (-1) based on cache size
+   #   (approximately 10 MB of RAM cache per GB of disk cache)
+   # alternatively, set to a fixed value such as 21474836480 (20GB)
+CONFIG proxy.config.cache.ram_cache.size INT 1G
+CONFIG proxy.config.cache.ram_cache_cutoff INT 4194304
+   # Replacement algorithm
+   #  0 : Clocked Least Frequently Used by Size (CLFUS) w/optional compression
+   #  1 : LRU w/o optional compression - trivially simple
+CONFIG proxy.config.cache.ram_cache.algorithm INT 0
+   # Filter inserts into the RAM cache to ensure that they have been seen at
+   # least once.  For LRU, this provides scan resistance. Note that CLFUS
+   # already requires that a document have history before it is inserted, so
+   # for CLFUS, setting this option means that a document must be seen three
+   # times before it is added to the RAM cache.
+CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
+   # Compress the content of the ram cache:
+   #  0 : no compression
+   #  1 : fastlz (extremely fast, relatively low compression)
+   #  2 : libz (moderate speed, reasonable compression)
+   #  3 : liblzma (very slow, high compression)
+   #  NOTE: compression runs on task threads.  To use more cores for
+   #  compression, increase proxy.config.task_threads.
+CONFIG proxy.config.cache.ram_cache.compress INT 0
+   # The maximum number of alternates that are allowed for any given URL.
+   # It is not possible to strictly enforce this if the variable
+   #   'proxy.config.cache.vary_on_user_agent' is set to 1.
+   # The default value for 'proxy.config.cache.vary_on_user_agent' is 0.
+   # (0 disables the maximum number of alts check)
+CONFIG proxy.config.cache.limits.http.max_alts INT 5
+   # The target size of a contiguous fragment on disk.
+   # Acceptable values are powers of 2, e.g. 65536, 131072, 262144, 524288, 1048576, 2097152.
+   # Larger could waste memory on slow connections, smaller could waste seeks.
+CONFIG proxy.config.cache.target_fragment_size INT 1048576
+   # The maximum size of a document that will be stored in the cache.
+   # (0 disables the maximum document size check)
+CONFIG proxy.config.cache.max_doc_size INT 0
+   # enable the cache to read from an object while it is being added to the cache
+CONFIG proxy.config.cache.enable_read_while_writer INT 0
+   # This controls how many objects (average) the disk caches can hold, and
+   # how much memory it'll consume for the directory structure.
+CONFIG proxy.config.cache.min_average_object_size INT 8000
+   # How many I/O threads to allocate per disk (spindle). Be aware that RAID
+   # disks would show up to TS as a single spindle.
+CONFIG proxy.config.cache.threads_per_disk INT 8
+   # Time (in ms) to delay until retrying to acquire a cache lock. Setting
+   # this low can reduce latencies in some cases, but can consume more CPU.
+   # If you experience CPU spinning, try increasing this setting.
+CONFIG proxy.config.cache.mutex_retry_delay INT 2
+   # The interim storage disks. Must use raw disks.
+   # Only support at most 8 interim disks now. e.g.
+   # proxy.config.cache.interim.storage STRING /dev/sda /dev/sdb/
+LOCAL proxy.config.cache.interim.storage STRING NULL
+##############################################################################
+#
+# DNS
+#
+##############################################################################
+CONFIG proxy.config.dns.search_default_domains INT 0
+CONFIG proxy.config.dns.splitDNS.enabled INT 0
+CONFIG proxy.config.dns.max_dns_in_flight INT 2048
+   # Additional URL expansions for http DNS lookup
+CONFIG proxy.config.dns.url_expansions STRING NULL
+CONFIG proxy.config.dns.round_robin_nameservers INT 0
+CONFIG proxy.config.dns.nameservers STRING NULL
+CONFIG proxy.config.dns.resolv_conf STRING /etc/resolv.conf
+   # This provides additional resilience against DNS forgery, particularly in
+   # forward or transparent proxies, but requires that the resolver populates
+   # the queries section of the response properly.
+CONFIG proxy.config.dns.validate_query_name INT 0
+##############################################################################
+#
+# HostDB
+#
+##############################################################################
+   # in entries, may not be changed while running
+   # note that in order to increase hostdb.size, hostdb.storage_size should
+   # also be increase. These are best guesses, you will have to monitor this.
+CONFIG proxy.config.hostdb.size INT 120000
+CONFIG proxy.config.hostdb.storage_size INT 32M
+   # ttl modes:
+   #   0 = obey
+   #   1 = ignore
+   #   2 = min(X,ttl)
+   #   3 = max(X,ttl)
+CONFIG proxy.config.hostdb.ttl_mode INT 0
+   # in minutes...
+CONFIG proxy.config.hostdb.timeout INT 1440
+   # round-robin addresses for single clients
+   # (can cause authentication problems)
+CONFIG proxy.config.hostdb.strict_round_robin INT 0
+##############################################################################
+#
+# Logging Config
+#
+##############################################################################
+   # possible values for logging_enabled:
+   #   0: no logging at all
+   #   1: log errors only
+   #   2: log transactions only
+   #   3: full logging (errors + transactions)
+CONFIG proxy.config.log.logging_enabled INT 3
+CONFIG proxy.config.log.max_secs_per_buffer INT 5
+CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
+CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
+CONFIG proxy.config.log.max_space_mb_headroom INT 1000
+CONFIG proxy.config.log.hostname STRING localhost
+CONFIG proxy.config.log.logfile_dir STRING {{ ats_directory['log'] }}
+CONFIG proxy.config.log.logfile_perm STRING rw-r--r--
+CONFIG proxy.config.log.custom_logs_enabled INT 0
+CONFIG proxy.config.log.squid_log_enabled INT 1
+CONFIG proxy.config.log.squid_log_is_ascii INT 0
+CONFIG proxy.config.log.squid_log_name STRING squid
+CONFIG proxy.config.log.squid_log_header STRING NULL
+CONFIG proxy.config.log.common_log_enabled INT 0
+CONFIG proxy.config.log.common_log_is_ascii INT 1
+CONFIG proxy.config.log.common_log_name STRING common
+CONFIG proxy.config.log.common_log_header STRING NULL
+CONFIG proxy.config.log.extended_log_enabled INT 0
+CONFIG proxy.config.log.extended_log_is_ascii INT 0
+CONFIG proxy.config.log.extended_log_name STRING extended
+CONFIG proxy.config.log.extended_log_header STRING NULL
+CONFIG proxy.config.log.extended2_log_enabled INT 0
+CONFIG proxy.config.log.extended2_log_is_ascii INT 1
+CONFIG proxy.config.log.extended2_log_name STRING extended2
+CONFIG proxy.config.log.extended2_log_header STRING NULL
+CONFIG proxy.config.log.separate_icp_logs INT 0
+CONFIG proxy.config.log.separate_host_logs INT 0
+   # Log collation allows you to do "remote logging"
+LOCAL proxy.local.log.collation_mode INT 0
+CONFIG proxy.config.log.collation_host STRING NULL
+CONFIG proxy.config.log.collation_port INT 8085
+CONFIG proxy.config.log.collation_secret STRING foobar
+CONFIG proxy.config.log.collation_host_tagged INT 0
+CONFIG proxy.config.log.collation_retry_sec INT 5
+CONFIG proxy.config.log.rolling_enabled INT 1
+CONFIG proxy.config.log.rolling_interval_sec INT 86400
+CONFIG proxy.config.log.rolling_offset_hr INT 0
+CONFIG proxy.config.log.rolling_size_mb INT 10
+CONFIG proxy.config.log.auto_delete_rolled_files INT 1
+CONFIG proxy.config.log.sampling_frequency INT 1
+##############################################################################
+#
+# Reverse Proxy
+#
+##############################################################################
+CONFIG proxy.config.reverse_proxy.enabled INT 1
+CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
+##############################################################################
+#
+# URL Remap Rules
+#
+##############################################################################
+CONFIG proxy.config.url_remap.default_to_server_pac INT 0
+CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
+   # To enable forward proxy, you must turn off remap_required
+CONFIG proxy.config.url_remap.remap_required INT 1
+   # Pristine host header is the "original" (request) header. Make sure your
+   # origin expects them in reverse proxy.
+CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
+##############################################################################
+#
+# SSL Termination
+#
+##############################################################################
+   # The number of SSL threads is a multiplier of number of CPUs and
+   # proxy.config.exec_thread.autoconfig.scale by default. You can
+   # override that here (set it to a non-zero value).
+CONFIG proxy.config.ssl.number.threads INT 0
+   # The following three variables can be
+   # set to 0 to disable SSLv2, SSLv3, and/or TLSv1.
+   # SSLv2 is disabled by default for security concern.
+CONFIG proxy.config.ssl.SSLv2 INT 0
+CONFIG proxy.config.ssl.SSLv3 INT 1
+CONFIG proxy.config.ssl.TLSv1 INT 1
+   # The following two variables control the Cipher Suite traffic Server
+   # uses for HTTPS connnections and whether to prefer the client
+   # selected (default) or the server selected
+   # Our default SSL Cipher Suite tries to be reasonably fast and strong.
+CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
+CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
+   # Control if SSL should perform content compression or not
+CONFIG proxy.config.ssl.compression INT 0
+   # Client certification level should be:
+   # 0 no client certificates
+   # 1 client certificates optional
+   # 2 client certificates required
+CONFIG proxy.config.ssl.client.certification_level INT 0
+   # Server cert chain filename is the name of the global cert chain file
+   # that is added to every cert in ssl_multicert.config. This file is only
+   # loaded if there are configurations in ssl_multicert.config.
+CONFIG proxy.config.ssl.server.cert_chain.filename STRING NULL
+   # This is the path that SSL certificates files are relative to. Certificate
+   # names specified in ssl_multicert.config will be located relative to this path.
+CONFIG proxy.config.ssl.server.cert.path STRING etc/trafficserver
+   # If any private key is not contained in the certificate file, you must
+   # fill in the private key path. Private key names specified in
+   # ssl_multicert.config will be located relative to this path.
+CONFIG proxy.config.ssl.server.private_key.path STRING etc/trafficserver
+   # The CA file name and path are the
+   # certificate authority certificate that
+   # client certificates will be verified against.
+CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
+CONFIG proxy.config.ssl.CA.cert.path STRING etc/trafficserver
+   ################################
+   # client related configuration #
+   ################################
+CONFIG proxy.config.ssl.client.verify.server INT 0
+CONFIG proxy.config.ssl.client.cert.filename STRING NULL
+CONFIG proxy.config.ssl.client.cert.path STRING etc/trafficserver
+   # Fill in private key file and path only if the client's
+   # private key is not contained in the client certificate file.
+CONFIG proxy.config.ssl.client.private_key.filename STRING NULL
+CONFIG proxy.config.ssl.client.private_key.path STRING etc/trafficserver
+   # The CA file name and path are the
+   # certificate authority certificate that
+   # server certificates will be verified against.
+CONFIG proxy.config.ssl.client.CA.cert.filename STRING NULL
+CONFIG proxy.config.ssl.client.CA.cert.path STRING etc/trafficserver
+##############################################################################
+#
+# ICP Configuration. NOTE! ICP is currently broken NOTE!
+#
+##############################################################################
+   # icp modes
+   #   enabled=0 ICP disabled
+   #   enabled=1 Allow receive of ICP queries
+   #   enabled=2 Allow send/receive of ICP queries
+CONFIG proxy.config.icp.enabled INT 0
+CONFIG proxy.config.icp.icp_interface STRING NULL
+CONFIG proxy.config.icp.icp_port INT 3130
+CONFIG proxy.config.icp.multicast_enabled INT 0
+CONFIG proxy.config.icp.query_timeout INT 2
+##############################################################################
+#
+# Scheduled Update Configuration
+#
+##############################################################################
+CONFIG proxy.config.update.enabled INT 0
+CONFIG proxy.config.update.force INT 0
+CONFIG proxy.config.update.retry_count INT 10
+CONFIG proxy.config.update.retry_interval INT 2
+CONFIG proxy.config.update.concurrent_updates INT 100
+##############################################################################
+#
+# Socket send/recv buffer sizes (0 == don't call setsockopt() )
+#
+##############################################################################
+   # out: proxy -> os connection
+   # in : ua -> proxy connection
+CONFIG proxy.config.net.sock_send_buffer_size_in INT 262144
+CONFIG proxy.config.net.sock_recv_buffer_size_in INT 0
+CONFIG proxy.config.net.sock_send_buffer_size_out INT 0
+CONFIG proxy.config.net.sock_recv_buffer_size_out INT 0
+##############################################################################
+#
+# User Overridden Configurations Below
+#
+##############################################################################
+CONFIG proxy.config.core_limit INT -1
+##############################################################################
+#
+# Debugging
+#
+##############################################################################
+  # Uses a regular expression to match the debugging topic name, performance
+  # will be affected!
+CONFIG proxy.config.diags.debug.enabled INT 0
+CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
+  # Great for tracking down memory leaks, but you need to use the
+  # ink allocators
+CONFIG proxy.config.dump_mem_info_frequency INT 0
+
+  # Log the source code location of diagnostic messages.
+CONFIG proxy.config.diags.show_location INT 0
+##############################################################################
+#
+# Configuration for Reclaimable InkFreeList memory pool
+#
+# NOTE: The following options are meaningfull only when Traffic Server is
+#       compiled with the following option to configure:
+#
+#	    --enable-reclaimable-freelist
+#
+##############################################################################
+CONFIG proxy.config.allocator.enable_reclaim INT 1
+  # The value of reclaim_factor should be in the 0.0 to 1.0 range. Allocators
+  # use it to calculate size of unused memory, which is used to determine when
+  # to reclaim memory. The larger the value, the more aggressive reclaims.
+CONFIG proxy.config.allocator.reclaim_factor FLOAT 0.300000
+  # Allocator will reclaim memory only when it continuously satisfy the reclaim
+  # condition for max_overage continuous checks.
+CONFIG proxy.config.allocator.max_overage INT 3
+  #  For debugging, enable debug_filter, which is a bit-map with these fields:
+  #     bit 0: reclaim memory in ink_freelist_new
+  #     bit 1: allocate memory from partial-free Chunks(if exist) or OS
+CONFIG proxy.config.allocator.debug_filter INT 0
+
+##############################################################################
+#
+# Slow Log
+#
+##############################################################################
+  # Log any request that takes more then x number of milliseconds, needs
+  # to be > 0 to be enabled
+CONFIG proxy.config.http.slow.log.threshold INT 0
+##############################################################################
+#
+# Thread pool for "misc" tasks, plugins etc. 2 is a good minimum.
+#
+##############################################################################
+CONFIG proxy.config.task_threads INT 2

stack/monitor/buildout.cfg

@@ -42,30 +42,30 @@ recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/monitor.cfg.in
 output = ${buildout:directory}/monitor.cfg
 filename = monitor.cfg
-md5sum = bd592a0f0c41ec15c643c4e91e9ec5cc
+md5sum = 499ba647f0c22f16bea3cc88bdfd98e8
 mode = 0644
 
 [monitor-bin]
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/${:filename}
 download-only = true
-md5sum = 1e7b4698f6627150b1eb783b06f8b13a
+md5sum = cb2f15850d3dc82459a0044adb4416cf
 destination = ${buildout:directory}/parts/monitor-template-monitor-bin
 filename = monitor.py.in
 mode = 0644
 
 [index]
 recipe = hexagonit.recipe.download
-url = ${:_profile_base_location_}/webfiles/${:filename}
+url = ${:_profile_base_location_}/webfile-directory/${:filename}
 download-only = true
-md5sum = 91ac749f86aecc0c383d93e51e15a572
+md5sum = cd649264b331499241abfcdb4e81672a
 destination = ${buildout:directory}/parts/monitor-index
 filename = index.cgi.in
 mode = 0644
 
 [index-template]
 recipe = hexagonit.recipe.download
-url = ${:_profile_base_location_}/webfiles/${:filename}
+url = ${:_profile_base_location_}/webfile-directory/${:filename}
 download-only = true
 destination = ${buildout:directory}/parts/monitor-template-index
 md5sum = e0d2aaeffc046b2ac6d9d717e1ba321d
@@ -74,22 +74,31 @@ mode = 0644
 
 [status-cgi]
 recipe = hexagonit.recipe.download
-url = ${:_profile_base_location_}/webfiles/${:filename}
+url = ${:_profile_base_location_}/webfile-directory/${:filename}
 download-only = true
-md5sum = aa2764cab87e457410435974f729e906
+md5sum = 4fb26753ee669b8ac90ffe33dbd12e8f
 destination = ${buildout:directory}/parts/monitor-template-status-cgi
 filename = status.cgi.in
 mode = 0644
 
 [settings-cgi]
 recipe = hexagonit.recipe.download
-url = ${:_profile_base_location_}/webfiles/${:filename}
+url = ${:_profile_base_location_}/webfile-directory/${:filename}
 download-only = true
-md5sum = 18574b804da0c65d8670959f9e7c4774
+md5sum = f19c8e4b94718d475520618ae57338c8
 destination = ${buildout:directory}/parts/monitor-template-settings-cgi
 filename = settings.cgi.in
 mode = 0644
 
+[monitor-password-cgi]
+recipe = hexagonit.recipe.download
+url = ${:_profile_base_location_}/webfile-directory/${:filename}
+download-only = true
+md5sum = 1a6153908934bf77e3e033eeabdc1675
+destination = ${buildout:directory}/parts/monitor-template-monitor-password-cgi
+filename = monitor-password.cgi.in
+mode = 0644
+
 [rss-bin]
 recipe = hexagonit.recipe.download
 url = ${:_profile_base_location_}/${:filename}
@@ -108,9 +117,9 @@ logfile = $${directory:log}/crond.log
 
 [download-static-files]
 recipe = hexagonit.recipe.download
-url = https://github.com/SlapOS/staticForMonitoring/blob/db670e7568871c69a64916d462ccb57629f1c77d/static-files.tar.gz?raw=true
+url = https://github.com/SlapOS/staticForMonitoring/blob/8b7050faa2dd22592766e25b66b9efe0d0b216c9/static-files.tar.gz?raw=true
 download-only = true
-md5sum = 9e3feb2b520620d5b8d478eb9a9be6de
+md5sum = 05030ff31dc75c2b96559dedc70945f5
 filename = static-files.tar.gz
 destination = ${buildout:directory}/parts/monitor-static-files
 mode = 0644

stack/monitor/monitor.cfg.in

@@ -18,6 +18,7 @@ url = https://[$${slap-parameters:ipv6-random}]:$${:port}
 index-filename = index.cgi
 index-path = $${monitor-directory:www}/$${:index-filename}
 db-path = $${monitor-directory:etc}/monitor.db
+monitor-password-path = $${monitor-directory:etc}/.monitor.shadow
 
 [monitor-directory]
 recipe = slapos.cookbook:mkdirectory
@@ -97,11 +98,14 @@ mode = 0644
 recipe = slapos.recipe.template:jinja2
 template = ${index:location}/${index:filename}
 rendered = $${monitor-parameters:index-path}
+update-apache-access = ${apache:location}/bin/htpasswd -cb $${monitor-parameters:htaccess-file} admin
 mode = 0744
 context =
   key cgi_directory monitor-directory:cgi-bin
   raw index_template $${deploy-index-template:location}/$${deploy-index-template:filename}
-  key password zero-parameters:monitor-password
+  key monitor_password_path monitor-parameters:monitor-password-path
+  key monitor_password_script_path deploy-monitor-password-cgi:rendered
+  key apache_update_command :update-apache-access
   raw extra_eggs_interpreter ${buildout:directory}/bin/${extra-eggs:interpreter}
   raw default_page /welcome.html
 
@@ -139,6 +143,17 @@ context =
   key pwd monitor-directory:knowledge0-cgi
   key this_file :filename
 
+[deploy-monitor-password-cgi]
+recipe = slapos.recipe.template:jinja2
+template = ${monitor-password-cgi:location}/${monitor-password-cgi:filename}
+rendered = $${monitor-directory:knowledge0-cgi}/$${:filename}
+filename = monitor-password.cgi
+mode = 0744
+context =
+  raw python_executable ${buildout:executable}
+  key pwd monitor-directory:knowledge0-cgi
+  key this_file :filename
+
 [deploy-monitor-script]
 recipe = slapos.recipe.template:jinja2
 template = ${monitor-bin:location}/${monitor-bin:filename}
@@ -159,12 +174,6 @@ context =
   section directory monitor-directory
   section monitor_parameters monitor-parameters
 
-[monitor-htaccess]
-recipe = plone.recipe.command
-stop-on-error = true
-htaccess-path = $${monitor-parameters:htaccess-file}
-command = ${apache:location}/bin/htpasswd -cb $${:htaccess-path} admin $${zero-parameters:monitor-password}
-
 [monitor-directory-access]
 recipe = plone.recipe.command
 command = ln -s $${:source} $${monitor-directory:private-directory}
@@ -211,7 +220,6 @@ name = example.com
 [public]
 recipe = slapos.cookbook:zero-knowledge.write
 filename = knowledge0.cfg
-monitor-password = passwordtochange
 
 [zero-parameters]
 recipe = slapos.cookbook:zero-knowledge.read
@@ -279,7 +287,7 @@ input = inline:
   </Files>
   AuthType Basic
   AuthName "Private access"
-  AuthUserFile "$${monitor-htaccess:htaccess-path}"
+  AuthUserFile "$${monitor-parameters:htaccess-file}"
   Require valid-user
   Options Indexes FollowSymLinks
   Satisfy all
@@ -315,4 +323,3 @@ curl_path = ${curl:location}/bin/curl
 [publish-connection-informations]
 recipe = slapos.cookbook:publish
 monitor_url = $${monitor-parameters:url}
-IMPORTANT_monitor_info = Change the monitor_password as soon as possible ! Default is : $${public:monitor-password} . You can change it in the setting.cgi section of your monitorin interface

stack/monitor/monitor.py.in

@@ -7,6 +7,7 @@ import subprocess
 import sys
 import sqlite3
 import time
+import threading
 from optparse import OptionParser, make_option
 
 
@@ -34,6 +35,26 @@ option_list = [
               help="add the file containing services\'pid to the files to monitor")
 ]
 
+class Popen(subprocess.Popen):
+  __timeout = None
+
+  def timeout(self, delay, delay_before_kill=5):
+    if self.__timeout is not None: self.__timeout.cancel()
+    self.__timeout = threading.Timer(delay, self.stop, [delay_before_kill])
+    self.__timeout.start()
+    def waiter():
+        self.wait()
+        self.__timeout.cancel()
+    threading.Thread(target=waiter).start()
+
+  def stop(self, delay_before_kill=5):
+    if self.__timeout is not None: self.__timeout.cancel()
+    self.terminate()
+    t = threading.Timer(delay_before_kill, self.kill)
+    t.start()
+    r = self.wait()
+    t.cancel()
+    return r
 
 def init_db():
   db = sqlite3.connect(db_path)
@@ -89,24 +110,26 @@ def runServices(directory):
 
 def runScripts(directory):
   scripts = getListOfScripts(directory)
-  script_timeout = 3
+  # XXX script_timeout could be passed as parameters
+  script_timeout = 60 # in seconds
   result = {}
   for script in scripts:
     command = [os.path.join(promise_dir, script)]
     script = os.path.basename(command[0])
     result[script] = ''
 
-    process_handler = subprocess.Popen(command,
-                                       cwd=instance_path,
-                                       env=None if sys.platform == 'cygwin' else {},
-                                       stdout=subprocess.PIPE,
-                                       stderr=subprocess.PIPE,
-                                       stdin=subprocess.PIPE)
+    process_handler = Popen(command,
+                            cwd=instance_path,
+                            env=None if sys.platform == 'cygwin' else {},
+                            stdout=subprocess.PIPE,
+                            stderr=subprocess.PIPE,
+                            stdin=subprocess.PIPE)
     process_handler.stdin.flush()
     process_handler.stdin.close()
     process_handler.stdin = None
 
-    time.sleep(script_timeout)
+    process_handler.timeout(script_timeout)
+    process_handler.wait()
 
     if process_handler.poll() is None:
       process_handler.terminate()

stack/monitor/webfiles/index.cgi.in → stack/monitor/webfile-directory/index.cgi.in

@@ -3,11 +3,12 @@
 import cgi
 import cgitb
 import Cookie
+import base64
+import hashlib
+import hmac
 import jinja2
-import json
 import os
 import subprocess
-import sys
 import urllib
 
 cgitb.enable(display=0, logdir="/tmp/cgi.log")
@@ -17,6 +18,58 @@ cookie = Cookie.SimpleCookie()
 
 cgi_path = "{{ cgi_directory }}"
 
+monitor_password_path = "{{ monitor_password_path }}"
+monitor_password_script_path = "{{ monitor_password_script_path }}"
+
+monitor_apache_password_command = "{{ apache_update_command }}"
+
+########
+# Password functions
+#######
+def crypt(word, salt="$$"):
+  salt = salt.split("$")
+  algo = salt[0] or 'sha1'
+  if algo in hashlib.algorithms:
+    H = getattr(hashlib, algo)
+  elif algo == "plain":
+    return "%s$%s" % (algo, word)
+  else:
+    raise ValueError
+  rounds = min(max(0, int(salt[1])), 30) if salt[1] else 9
+  salt = salt[2] or base64.b64encode(os.urandom(12), "./")
+  h = hmac.new(salt, word, H).digest()
+  for x in xrange(1, 1 << rounds):
+    h = H(h).digest()
+  return "%s$%s$%s$%s" % (algo, rounds, salt,
+    base64.b64encode(h, "./").rstrip("="))
+
+def is_password_set():
+  if not os.path.exists(monitor_password_path):
+    return False
+  hashed_password = open(monitor_password_path, 'r').read()
+  try:
+    void, algo, salt, hsh = hashed_password.split('$')
+  except ValueError:
+    return False
+  return True
+
+def set_password(raw_password):
+  hashed_password = crypt(raw_password)
+  subprocess.check_call(monitor_apache_password_command + " %s" % raw_password,
+                        shell=True)
+  open(monitor_password_path, 'w').write(hashed_password)
+
+
+def check_password(raw_password):
+  """
+  Returns a boolean of whether the raw_password was correct. Handles
+  encryption formats behind the scenes.
+  """
+  if not os.path.exists(monitor_password_path) or not raw_password:
+    return False
+  hashed_password = open(monitor_password_path, 'r').read()
+  return hashed_password == crypt(raw_password, hashed_password)
+### End of password functions
 
 def forward_form():
   command = os.path.join(cgi_path, form['posting-script'].value)
@@ -33,8 +86,10 @@ def forward_form():
     pass
 
 
-def return_document():
-  command = os.path.join(cgi_path, form['script'].value)
+def return_document(command=None):
+  if not command:
+    script = form['script'].value
+    command = os.path.join(cgi_path, script)
   #XXX this functions should be called only for display,
   #so a priori it doesn't need form data
   os.environ['QUERY_STRING'] = ''
@@ -45,8 +100,8 @@ def return_document():
       print open(command).read()
     else:
       raise OSError
-  except (subprocess.CalledProcessError, OSError):
-    print "<p>File cannot be found</p>"
+  except (subprocess.CalledProcessError, OSError) as e:
+    print "<p>Error :</p><pre>%s</pre>" % e
 
 
 def make_menu():
@@ -62,29 +117,48 @@ def make_menu():
   return folder_list
 
 
-# Beginning of response
-print "Content-Type: text/html"
-
-# Check if user is logged
-if "password" in form:
-  password = form['password'].value
-  if password == '{{ password }}' :
-    cookie['password'] = password
-    print cookie, "; Path=/; HttpOnly"
-else:
+def get_cookie_password():
   cookie_string = os.environ.get('HTTP_COOKIE')
   if cookie_string:
     cookie.load(cookie_string)
     try:
-      password = cookie['password'].value
+      return cookie['password'].value
     except KeyError:
-      password = None
-  else:
-    password = None
+      pass
+  return None
+
+def set_cookie_password(password):
+  cookie['password'] = password
+  print cookie, "; Path=/; HttpOnly"
 
+
+# Beginning of response
+print "Content-Type: text/html"
+
+password = None
+
+# Check if user is logged
+if "password_2" in form and "password" in form:
+  password_2 = form['password_2'].value
+  password_1 = form['password'].value
+  password = get_cookie_password()
+  if not is_password_set() or check_password(password):
+    if password_2 == password_1:
+      password = password_1
+      set_password(password)
+      set_cookie_password(password)
+elif "password" in form:
+  password = form['password'].value
+  if is_password_set() and check_password(password):
+    set_cookie_password(password)
+else:
+  password = get_cookie_password()
 print '\n'
 
-if not password or password != '{{ password }}':
+
+if not is_password_set():
+  return_document(monitor_password_script_path)
+elif not check_password(password):
   print "<html><head>"
   print """
     <link rel="stylesheet" href="pure-min.css">
@@ -101,7 +175,6 @@ if not password or password != '{{ password }}':
     <button type="submit" class="pure-button pure-button-primary">Access</button>
   </form>
   </body></html>"""
-
 # redirection to the required script/page
 else:
   print

stack/monitor/webfile-directory/monitor-password.cgi.in

+#!{{ python_executable }}
+
+import cgitb
+
+cgitb.enable()
+
+print "<html><head>"
+print """
+  <script type="text/javascript" src="/jquery-1.10.2.min.js"></script>
+  <link rel="stylesheet" href="pure-min.css">
+  <link rel="stylesheet" href="/style.css">"""
+print "</head><body>"
+print "<h1>This is the monitoring interface</h1>"
+print "<h2>Please set your password for later access</h2>"
+print """
+<form action="/index.cgi" method="post" class="pure-form-aligned">
+<div class="pure-control-group">
+<label for="password">Password*:</label>
+<input placeholder="Set your password" type="password" name="password" id="password"></br>
+</div><div class="pure-control-group">
+<label for="password">Verify Password*:</label>
+<input placeholder="Verify password" type="password" name="password_2" id="password_2"></br>
+</div><p id="validate-status" style="color:red"></p>
+<div class="pure-controls">
+<button id="register-button" type="submit" class="pure-button pure-button-primary" disabled>Access</button></div>
+</form>
+<script type="text/javascript" src="monitor-register.js"></script>
+</body></html>
+"""

stack/monitor/webfiles/settings.cgi.in → stack/monitor/webfile-directory/settings.cgi.in

@@ -17,14 +17,19 @@ config_file = "{{ config_cfg }}"
 
 if not os.path.exists(config_file):
   print "Your software does <b>not</b> embed 0-knowledge. \
-  This interface is useless in this case"
+  This interface is useless in this case</body></html>"
   exit(0)
 
 parser = ConfigParser.ConfigParser()
 parser.read(config_file)
 
+if not parser.has_section('public'):
+  print "<p>Your software does not use 0-knowledge settings.</p></body></html>"
+  exit(0)
+
 for name in form:
-  parser.set('public', name, form[name].value)
+  if parser.has_option('public', name):
+    parser.set('public', name, form[name].value)
 with open(config_file, 'w') as file:
   parser.write(file)
 

stack/monitor/webfiles/status.cgi.in → stack/monitor/webfile-directory/status.cgi.in

@@ -3,6 +3,7 @@
 import cgi
 import cgitb
 import json
+import os
 import subprocess
 
 def refresh():
@@ -11,10 +12,21 @@ def refresh():
 
 cgitb.enable(display=0, logdir="/tmp/cgi.log")
 form = cgi.FieldStorage()
-if "refresh" in form:
-  refresh()
 
 json_file = "{{ json_file }}"
+
+if not os.path.exists(json_file) or "refresh" in form:
+  refresh()
+
+if not os.path.exists(json_file):
+  print """<html><head>
+  <link rel="stylesheet" href="pure-min.css">
+  <link rel="stylesheet" href="/style.css">
+  </head><body>
+  <h1>Monitoring :</h1>
+  No status file found</p></body></html>"""
+  exit(0)
+
 result = json.load(open(json_file))
 
 print "<html><head>"
@@ -33,7 +45,7 @@ print "<br/>"
 print "<h2>These scripts and promises have failed :</h2>"
 for r in result:
   if result[r] != '':
-    print "<h3>%s</h3><p style=\"padding-left:30px;\">%s</p>" % (r, result[r])
+    print "<h3>%s</h3><pre style=\"padding-left:30px;\">%s</pre>" % (cgi.escape(r), cgi.escape(result[r]))
 print "<br/>"
 
 print "<h2>These scripts and promises were successful :</h2>"