This change the format or the (mostly) unused frontend parameter to
support requesting more than one frontend and also enable the request of
a frontend by default, so that requesting a frontend separately is no
longer needed.

The `frontend` parameter now also supports requesting frontends for
specific paths on the ERP5 backend, the example below requests a
frontend serving directly a web site, with the necessary rewrite rules:

```js
{
  "frontend": {
    "default": {
      "internal-path": "/erp5/web_site_module/renderjs_runner/"
    }
  }
}
```

The example below requests a default frontend to the erp5 root, to
access the ZMI or erp5_xhtml_style interface and two web sites:

```js
{
  "frontend": {
    "default": {},
    "erp5js": {
      "internal-path": "/erp5/web_site_module/renderjs_runner/"
    },
    "crm": {
      "internal-path": "/erp5/web_site_module/erp5_officejs_support_request_ui/"
    }
  }
}
```

The example below has an explicit definition of the zope families using
`zope-partition-dict` parameter, because there are no family named
"default", no frontend is requested by default:

```js
{
  "zope-partition-dict": {
    "backoffice": {
      "family": "backoffice"
    },
    "web": {
      "family": "web"
    },
    "activities": {
      "family": "activities"
    }
  }
}
```

Continuing this example, to have frontends for backoffice and web
families, the frontend request can specify the families, like it is
demonstrated in the example below. In this example, we don't specify an
entry for "activities" family, so no frontend will be requested for
this family.

```js
{
  "frontend": {
    "backoffice": {
      "zope-family": "backoffice"
    },
    "web": {
      "zope-family": "web",
      "internal-path": "/erp5/web_site_module/web_site/"
    }
  }
  "zope-partition-dict": {
    "backoffice": {
      "family": "backoffice"
    },
    "web": {
      "family": "web"
    },
    "activities": {
      "family": "activities"
    }
  }
}
```

We configure haproxy with "verify optional", which makes haproxy request
a client certificate, but accept the case where client does not present
a certificate, but as described in [1], if client present a certificate
and this certificate can not be verified, handshake is aborted. This is
not what we want, we want to treat the case of a non verified
certificate same as the case of the absence of certificate.

This configures haproxy accordingly, using "crt-ignore-err all" to allow
handshake anyway.

Once this was fixed, there was a remaining problem with
client_cert_verified acl, haproxy acl are OR, but this rule was supposed
to be a AND (client present a certificate AND it is verified), this was
rewritten to use inline condition which are AND.

[1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify

Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert
that there is no X-Forwarded-For header at all when no client
certificate.

See merge request nexedi/slapos!1433

  https://archive.fosdem.org/2023/schedule/event/innodb_change_buffer/
  https://jira.mariadb.org/browse/MDEV-27734
  https://mariadb.com/kb/en/innodb-change-buffering/

If a server reboots brutally, there will be a legacy httpd pid file stay
in the file system, and the OS may reuse the PID that remains in that
file, which will cause httpd service to fail to start even if there is
no such httpd service is running.

This commit implemented the following logic:
0. If there is no existing PID file, then run the httpd service directly
1. If the PID file exists and contains the PID used by another process,
we delete the PID file, then restart the httpd service
2. If the PID file exists and contains the PID used by another running
httpd service, we allow the httpd report the "already running" error
normally

This is the last version supporting python 2.7.

See merge request nexedi/slapos!1428

See merge request !1404