checkpoint rsyslogd

stack/erp5/buildout.cfg

@@ -210,7 +210,7 @@ context =
     key template_balancer template-balancer:target
     key template_erp5 template-erp5:target
     key template_haproxy_cfg template-haproxy-cfg:target
-    key template_rsyslog_cfg template-rsyslogd-cfg:target
+    key template_rsyslogd_cfg template-rsyslogd-cfg:target
     key template_jupyter_cfg instance-jupyter-notebook:rendered
     key template_kumofs template-kumofs:target
     key template_mariadb template-mariadb:target

stack/erp5/buildout.hash.cfg

@@ -70,7 +70,7 @@ md5sum = cc19560b9400cecbd23064d55c501eec
 
 [template]
 filename = instance.cfg.in
-md5sum = 22619a2b75abcc8cc19bd46b585173ab
+md5sum = 694221ac8ef893f4bbc50ab33649ada2
 
 [monitor-template-dummy]
 filename = dummy.cfg
@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
 
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 167130243df84ba3472679d09fd35ecb
+md5sum = 76e81a6dfea17226627171a6cefe6bfe
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in

stack/erp5/haproxy.cfg.in

+
+{# This file configures haproxy to redirect requests from ports to specific urls.
+ # It provides TLS support for server and optionnaly for client.
+ #
+ # All parameters are given through the `parameter_dict` variable, see the
+ # list entries :
+ #
+ #     parameter_dict = { 
+ #       #  Certificate and keys in PEM format
+ #       "cert": "<file_path>",
+ #
+ #       #  An optional list of CA to verify client certificates.
+ #       #  If set, client certificates will be verified with these CAs.
+ #       #  If not set, client certificates are not verified.
+ #       "ca-cert-list": [ "<file_path>", ]
+ # 
+ #       #  An optional list of Certificate revocation list files.
+ #       "crl-list": [ "<file_path>", ],
+ #
+ #       #  AF_UNIX socket for logs. Syslog must be listening on this socket.
+ #       "log-socket": "<file_path>",
+ #
+ #       #  AF_UNIX socket for statistics and control.
+ #       #  Haproxy will listen on this socket.
+ #       "stats-socket": "<file_path>",
+ #
+ #       #  The list of ip which haproxy will listen to.
+ #       "ip-list": [
+ #         "0.0.0.0",
+ #         "[::1]",
+ #       ],
+ #
+ # TODO: merge these 2 in one
+ 
+ #       #  The list of backends.
+ #       "backend-list": [
+ #         # (port, unused, internal_url, enable_authentication)
+ #         (8000, _, "http://10.0.0.10:8001", True),
+ #         (8002, _, "http://10.0.0.10:8003", False),
+ #       ],
+ #
+ #       # The mapping of zope paths.
+ #       # This is a Zope specific feature.
+ #       # `enable_authentication` has same meaning as for `backend-list`.
+ #       "zope-virtualhost-monster-backend-dict": {
+ #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_url ) }, ) }
+ #          ('[::1]', 8004): (
+ #            True, {
+ #              'zope-1': 'http://10.0.0.10:8001',
+ #              'zope-2': 'http://10.0.0.10:8002',
+ #            },
+ #          ),
+ #        },
+ #     }
+ #
+ #  This sample of `parameter_dict` will make haproxy listening to :
+ #  From to `backend-list`:
+ #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
+ #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
+ #  only accepting requests from clients who provide a valid TLS certificate trusted by any of the `ca-cert-list`.
+ #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
+ #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
+ #  accepting requests from any client.
+ #  In both cases, X-Forwarded-For will be stripped unless client presents a verified certificate.
+ #
+ # From zope-virtualhost-monster-backend-dict`:
+ #   - [::1]:8004 with some path based rewrite-rules redirecting to:
+ #     * http://10.0.0.10/8001 when path matches /zope-1(.*)
+ #     * http://10.0.0.10/8002 when path matches /zope-2(.*)
+ #   with some VirtualHostMonster rewrite rules so zope writes URLs with
+ #  [::1]:8004 as server name.
+ #  For more details, refer to
+ #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
+-#}
+
 {% set server_check_path = parameter_dict['server-check-path'] -%}
 global
   maxconn 4096

stack/erp5/instance-balancer.cfg.in

@@ -188,7 +188,8 @@ update-command = ${:command}
 {% endfor -%}
 
 [haproxy-cfg-parameter-dict]
-socket-path = ${directory:run}/haproxy.sock
+stats-socket = ${directory:run}/haproxy.sock
+log-socket = ${rsyslogd-cfg:log-socket}
 server-check-path = {{ dumps(slapparameter_dict['haproxy-server-check-path']) }}
 backend-dict = {{ dumps(haproxy_dict) }}
 ip = {{ ipv4 }}
@@ -217,18 +218,10 @@ graceful-command = kill -HUP $(cat ${:pid-file})
 
 [rsyslogd-cfg]
 <= jinja2-template-base
+template = {{ parameter_dict['template-rsyslogd-cfg'] }}
 rendered = ${directory:etc}/rsyslogd.conf
-context =
-  section parameter_dict rsyslogd-cfg-parameter-dict
-template = inline:
-  module(load="imuxsock" SysSock.Name="{{ parameter_dict['log-socket'] }}")
-  template(name="rawoutput" type="string" string="%msg:2:8192%\n")
-  $ActionFileDefaultTemplate rawoutput
-  $FileCreateMode 0600
-  $DirCreateMode 0700
-  $Umask 0022
-  $WorkDirectory {{ parameter_dict['spool-directory'] }}
-  *.* {{ parameter_dict['log-file'] }}
+context = section parameter_dict rsyslogd-cfg-parameter-dict
+
 
 [{{ section ('rsyslogd') }}]
 recipe = slapos.cookbook:wrapper

stack/erp5/instance.cfg.in

@@ -64,6 +64,8 @@ apachedex-location = {{ bin_directory }}/apachedex
 run-apachedex-location = {{ bin_directory }}/runApacheDex
 promise-check-apachedex-result = {{ bin_directory }}/check-apachedex-result
 template-haproxy-cfg = {{ template_haproxy_cfg }}
+template-rsyslogd-cfg = {{ template_rsyslogd_cfg }}
+# TODO drop
 template-apache-conf = {{ template_apache_conf }}
 
 [dynamic-template-balancer]