Merge branch 'master' into apache

7efd1f60 · Rafael Monnerat · f1469707 · f9ac6a39 · 7efd1f60 · 7efd1f60
Commit 7efd1f60 authored Jun 09, 2011 by Rafael Monnerat
31 changed files
--- a/CHANGES.txt
+++ b/CHANGES.txt
+0.4 (2011-06-09)
+================
+ * Remove reference to slapos.tool.networkcache as it was removed from pypi. [Łukasz Nowak]
+ * Add Kumofs standalone software release and recipe [Cedric de Saint Martin]
+ * Add Memcached standalone software release and recipe [Cedric de Saint Martin]
+0.3 (2011-06-09)
+================
+ * Moved out template and build to separate distributions [Łukasz Nowak]
+ * Depend on slapos.core instead of depracated slapos.slap [Romain Courteaud]
+ * Fix apache module configuration [Kazuhiko Shiozaki]
+ * Allow to control full environment in erp5 module [Łukasz Nowak]
 0.2 (unreleased)
 ================

--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@ from setuptools import setup, find_packages
 import glob
 import os
-version = '0.3-dev5'
+version = '0.4'
 name = 'slapos.cookbook'
 long_description = open("README.txt").read() + "\n" + \
    open("CHANGES.txt").read() + "\n"
@@ -28,11 +28,10 @@ setup(name=name,
      install_requires=[
        'PyXML', # for full blown python interpreter
        'Zope2', # some recipes like to play with zope
-        'collective.recipe.template', # needed by template recipe
        'lxml', # for full blown python interpreter
        'netaddr', # to manipulate on IP addresses
        'setuptools', # namespaces
-        'slapos.slap', # uses internally
+        'slapos.core', # uses internally
 #        'slapos.toolbox', # needed for libcloud, cloudmgr, disabled for now
        'xml_marshaller', # need to communication with slapgrid
        'zc.buildout', # plays with buildout
@@ -41,23 +40,22 @@ setup(name=name,
      zip_safe=True,
      entry_points={
        'zc.buildout': [
-          'build = slapos.recipe.build:Script',
-          'buildcmmi = slapos.recipe.build:Cmmi',
          'download = slapos.recipe.download:Recipe',
          'erp5 = slapos.recipe.erp5:Recipe',
          'erp5testnode = slapos.recipe.erp5testnode:Recipe',
          'helloworld = slapos.recipe.helloworld:Recipe',
          'java = slapos.recipe.java:Recipe',
+          'kumofs = slapos.recipe.kumofs:Recipe',
          'kvm = slapos.recipe.kvm:Recipe',
          'libcloud = slapos.recipe.libcloud:Recipe',
          'libcloudrequest = slapos.recipe.libcloudrequest:Recipe',
+          'memcached = slapos.recipe.memcached:Recipe',
          'nbdserver = slapos.recipe.nbdserver:Recipe',
          'nosqltestbed = slapos.recipe.nosqltestbed:NoSQLTestBed',
          'proactive = slapos.recipe.proactive:Recipe',
          'sheepdogtestbed = slapos.recipe.sheepdogtestbed:SheepDogTestBed',
          'siptester = slapos.recipe.siptester:SipTesterRecipe',
          'slaprunner = slapos.recipe.slaprunner:Recipe',
-          'template = slapos.recipe.template:Recipe',
          'testnode = slapos.recipe.testnode:Recipe',
          'vifib = slapos.recipe.vifib:Recipe',
          'xwiki = slapos.recipe.xwiki:Recipe',

--- a/slapos/recipe/README.build.txt
+++ b/slapos/recipe/README.build.txt
-build
-=====
-Recipe to build the software.
-Example buildout::
-  [buildout]
-  parts =
-    file
-  [zlib]
-  # Use standard configure, make, make install way
-  recipe = slapos.cookbook:build
-  url = http://prdownloads.sourceforge.net/libpng/zlib-1.2.5.tar.gz?download
-  md5sum = c735eab2d659a96e5a594c9e8541ad63
-  slapos_promisee =
-    directory:include
-    file:include/zconf.h
-    file:include/zlib.h
-    directory:lib
-    statlib:lib/libz.a
-    dynlib:lib/libz.so linked:libc.so.6 rpath:
-    dynlib:lib/libz.so.1 linked:libc.so.6 rpath:
-    dynlib:lib/libz.so.1.2.5 linked:libc.so.6
-    directory:lib/pkgconfig
-    file:lib/pkgconfig/zlib.pc
-    directory:share
-    directory:share/man
-    directory:share/man/man3
-    file:share/man/man3/zlib.3
-  [file]
-  recipe = slapos.cookbook:buildcmmi
-  url = ftp://ftp.astron.com/pub/file/file-5.04.tar.gz
-  md5sum = accade81ff1cc774904b47c72c8aeea0
-  environment =
-    CPPFLAGS=-I${zlib:location}/include
-    LDFLAGS=-L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib
-  slapos_promisee =
-    directory:bin
-    dynlib:bin/file linked:libz.so.1,libc.so.6,libmagic.so.1 rpath:${zlib:location}/lib,!/lib
-    directory:include
-    file:include/magic.h
-    directory:lib
-    statlib:lib/libmagic.a
-    statlib:lib/libmagic.la
-    dynlib:lib/libmagic.so linked:libz.so.1,libc.so.6 rpath:${zlib:location}/lib
-    dynlib:lib/libmagic.so.1 linked:libz.so.1,libc.so.6 rpath:${zlib:location}/lib
-    dynlib:lib/libmagic.so.1.0.0 linked:libz.so.1,libc.so.6 rpath:${zlib:location}/lib
-    directory:share
-    directory:share/man
-    directory:share/man/man1
-    file:share/man/man1/file.1
-    directory:share/man/man3
-    file:share/man/man3/libmagic.3
-    directory:share/man/man4
-    file:share/man/man4/magic.4
-    directory:share/man/man5
-    directory:share/misc
-    file:share/misc/magic.mgc
-  [somethingelse]
-  # default way with using script
-  recipe = slapos.cookbook:build
-  url_0 = http://host/path/file.tar.gz
-  md5sum = 9631070eac74f92a812d4785a84d1b4e
-  script =
-    import os
-    os.chdir(%(work_directory)s)
-    unpack(%(url_0), strip_path=True)
-    execute('make')
-    execute('make install DEST=%(location)s')
-  slapos_promisee =
-    ...
-TODO:
- * add linking suport, buildout definition:
-slapos_link = <relative/path> [optional-path
-can be used as::
-  [file]
-  slapos_link =
-    bin/file
-    bin/file ${buildout:bin-directory}/bin/anotherfile
-Which will link ${file:location}/bin/file to ${buildout:bin-directory}/bin/file
-and ${file:location}/bin/file to ${buildout:bin-directory}/bin/anotherfile
--- a/slapos/recipe/README.kumofs.txt
+++ b/slapos/recipe/README.kumofs.txt
+kumofs
+=========
+Instantiates KumoFS instance.
--- a/slapos/recipe/README.memcached.txt
+++ b/slapos/recipe/README.memcached.txt
+memcached
+=========
+Instantiates Memcached instance.
--- a/slapos/recipe/README.template.txt
+++ b/slapos/recipe/README.template.txt
-template
-========
-Fully networked template recipe, reusing collective.recipe.template with
-ability to download template over the network
-Usage
-----
-::
-  [buildout]
-  parts = template
-  [template]
-  recipe = slapos.cookbook:template
-  url = http://server/with/template
-  # optional md5sum
-  md5sum = 1234567890
-  output = ${buildout:directory}/result
-All parameters except url and md5sum will be passed to
-collective.recipe.template, so please visit
-http://pypi.python.org/pypi/collective.recipe.template for full information.
--- a/slapos/recipe/build.py
+++ b/slapos/recipe/build.py
-##############################################################################
-#
-# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
-#
-# WARNING: This program as such is intended to be used by professional
-# programmers who take the whole responsibility of assessing all potential
-# consequences resulting from its eventual inadequacies and bugs
-# End users who are looking for a ready-to-use solution with commercial
-# guarantees and support are strongly adviced to contract a Free Software
-# Service Company
-#
-# This program is Free Software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 3
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
-#
-##############################################################################
-import logging
-import os
-import setuptools
-import shutil
-import subprocess
-import tempfile
-import zc.buildout
-def readElfAsDict(f):
-  """Reads ELF information from file"""
-  popen = subprocess.Popen(['readelf', '-d', f],
-      stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-  result = popen.communicate()[0]
-  if popen.returncode != 0:
-    raise AssertionError(result)
-  library_list = []
-  rpath_list = []
-  runpath_list = []
-  for l in result.split('\n'):
-    if '(NEEDED)' in l:
-      library_list.append(l.split(':')[1].strip(' []'))
-    elif '(RPATH)' in l:
-      rpath_list = [q.rstrip('/') for q in l.split(':',1)[1].strip(' []').split(':')]
-    elif '(RUNPATH)' in l:
-      runpath_list = [q.rstrip('/') for q in l.split(':',1)[1].strip(' []').split(':')]
-  if len(runpath_list) == 0:
-    runpath_list = rpath_list
-  elif len(rpath_list) != 0 and runpath_list != rpath_list:
-    raise ValueError('RPATH and RUNPATH are different.')
-  return dict(
-    library_list=sorted(library_list),
-    runpath_list=sorted(runpath_list)
-  )
-def call(*args, **kwargs):
-  """Subprocess call with closed file descriptors and stdin"""
-  kwargs.update(
-    stdin=subprocess.PIPE,
-    close_fds=True)
-  popen = subprocess.Popen(*args, **kwargs)
-  popen.stdin.flush()
-  popen.stdin.close()
-  popen.stdin = None
-  popen.communicate()
-  if popen.returncode != 0:
-    raise subprocess.CalledProcessError(popen.returncode, ' '.join(args[0]))
-def calls(call_string, **kwargs):
-  """Subprocesser caller which allows to pass arguments as string"""
-  call(call_string.split(), **kwargs)
-def guessworkdir(path):
-  if len(os.listdir(path)) == 1:
-    return os.path.join(path, os.listdir(path)[0])
-  return path
-class Script:
-  """Free script building system"""
-  def _checkPromisee(self, location):
-    promisee_problem_list = []
-    a = promisee_problem_list.append
-    for promisee in self.options['slapos_promisee'].split('\n'):
-      promisee = promisee.strip()
-      if not promisee:
-        continue
-      if promisee.startswith('file:') or promisee.startswith('statlib'):
-        s, path = promisee.split(':')
-        if not os.path.exists(os.path.join(location, path)):
-          a('File promisee not met for %r' % path)
-      elif promisee.startswith('directory'):
-        s, path = promisee.split(':')
-        if not os.path.isdir(os.path.join(location, path)):
-          a('Directory promisee not met for %r' %
-              path)
-      elif promisee.startswith('dynlib:'):
-        if 'linked:' not in promisee:
-          raise zc.buildout.UserError('dynlib promisee requires \'linked:\' '
-            'parameter.')
-        if 'rpath:' not in promisee:
-          rpath_list = []
-        for promisee_part in promisee.split():
-          if promisee_part.startswith('dynlib:'):
-            s, path = promisee_part.split(':')
-          elif promisee_part.startswith('linked:'):
-            s, link_list = promisee_part.split(':')
-            link_list = link_list.split(',')
-          elif promisee_part.startswith('rpath:'):
-            s, rpath_list = promisee_part.split(':')
-            if rpath_list:
-              r = rpath_list
-              rpath_list = []
-              for q in r.split(','):
-                if q.startswith('!'):
-                  q = q.replace('!', location)
-                rpath_list.append(q)
-            else:
-              rpath_list = []
-        if not os.path.exists(os.path.join(location, path)):
-          a('Dynlib promisee file not met %r' % promisee)
-        else:
-          elf_dict = readElfAsDict(os.path.join(location, path))
-          if sorted(link_list) != sorted(elf_dict['library_list']):
-            a('Promisee library list not met (wanted: %r, found: %r)'%(
-              link_list, elf_dict['library_list']))
-          if sorted(rpath_list) != sorted(elf_dict['runpath_list']):
-            a('Promisee rpath list not met (wanted: %r, found: %r)'%(
-              rpath_list, elf_dict['runpath_list']))
-      else:
-        raise zc.buildout.UserError('Unknown promisee %r' % promisee)
-    if len(promisee_problem_list):
-      raise zc.buildout.UserError('Promisee not met, found issues:\n  %s' %
-          '  '.join([q+'\n' for q in promisee_problem_list]))
-  def download(self, url, md5sum):
-    download = zc.buildout.download.Download(self.buildout['buildout'],
-        hash_name=True)
-    path, is_temp = download(url, md5sum=self.options.get('md5sum'))
-    return path
-  def extract(self, path):
-    extract_dir = tempfile.mkdtemp(self.name)
-    self.logger.debug('Created working directory %r' % extract_dir)
-    setuptools.archive_util.unpack_archive(path, extract_dir)
-    self.cleanup_dir_list.append(extract_dir)
-    return extract_dir
-  script = 'raise NotImplementedError'
-  def __init__(self, buildout, name, options):
-    self.cleanup_dir_list = []
-    self.options = options
-    self.buildout = buildout
-    self.name = name
-    self.logger = logging.getLogger('SlapOS build of %s' % self.name)
-    self.options.setdefault('location',
-        os.path.join(buildout['buildout']['parts-directory'], self.name))
-    # cleanup some variables
-    for k in ['location', 'url', 'md5sum']:
-      self.options[k] = self.options.get(k, '').strip()
-    self.options['script'] = self.options.get('script', self.script) % self.options
-  def getEnvironment(self):
-    # prepare cool dictionary
-    wanted_env = {}
-    for line in self.options.get('environment', '').splitlines():
-      line = line.strip()
-      if not line:
-        continue
-      if not '=' in line:
-        raise zc.buildout.UserError('Line %r in environment is incorrect' % line)
-      key, value = line.split('=')
-      key = key.strip()
-      value = value.strip()
-      if key in wanted_env:
-        raise zc.buildout.UserError('Key %r is repeated' % key)
-      wanted_env[key] = value
-    env = {}
-    for k,v in os.environ.iteritems():
-      change = wanted_env.pop(k, None)
-      if change is not None:
-        env[k] = change % os.environ
-        self.logger.info('Environment %r setup to %r' % (k, env[k]))
-      else:
-        env[k] =v
-    for k,v in wanted_env.iteritems():
-      self.logger.info('Environment %r added with %r' % (k, v))
-      env[k] = v
-    return env
-  def install(self):
-    try:
-      env = self.getEnvironment()
-      exec self.options['script']
-      try:
-        self._checkPromisee(self.options['location'])
-      except Exception:
-        if os.path.exists(self.options['location']):
-          self.logger.info('Removing location %r because of error' % self.options['location'])
-          shutil.rmtree(self.options['location'])
-        raise
-    finally:
-      for d in self.cleanup_dir_list:
-        if os.path.exists(d):
-          self.logger.debug('Cleanup directory %r' % d)
-          shutil.rmtree(d)
-    return [self.options['location']]
-  def update(self):
-    pass
-class Cmmi(Script):
-  """Simple configure-make-make-insall compatible with hexagonit.recipe.cmmi
-  Compatibility on parameter level, without bug-to-bug, hack-to-hack"""
-  script = """
-extract_dir = self.extract(self.download(self.options['url'], self.options.get('md5sum')))
-workdir = guessworkdir(extract_dir)
-configure_command = ["./configure", "--prefix=%(location)s"]
-configure_command.extend(%(configure-options)r.split())
-self.logger.info('Configuring with: %%s' %% configure_command)
-call(configure_command, cwd=workdir, env=env)
-self.logger.info('Building')
-call("make", cwd=workdir, env=env)
-self.logger.info('Installing')
-call(["make", "install"], cwd=workdir, env=env)
-"""
-  def __init__(self, buildout, name, options):
-    options['configure-options'] = ' '.join(options.get('configure-options', '').strip().splitlines())
-    Script.__init__(self, buildout, name, options)
--- a/slapos/recipe/erp5/__init__.py
+++ b/slapos/recipe/erp5/__init__.py
@@ -617,7 +617,19 @@ class Recipe(BaseSlapRecipe):
  def installZope(self, ip, port, name, zodb_configuration_string,
      with_timerservice=False, tidstorage_config=None, thread_amount=1,
-      with_deadlockdebugger=True):
+      with_deadlockdebugger=True, zope_environment=None):
+    default_zope_environment = dict(
+      TMP=self.tmp_directory,
+      TMPDIR=self.tmp_directory,
+      HOME=self.tmp_directory,
+      PATH=self.bin_directory
+    )
+    if zope_environment is None:
+      zope_environment = default_zope_environment.copy()
+    else:
+      for envk, envv in default_zope_environment.iteritems():
+        if envk not in zope_environment:
+          zope_environment[envk] = envv
    # Create zope configuration file
    zope_config = dict(
        products=self.options['products'],
@@ -649,8 +661,10 @@ class Recipe(BaseSlapRecipe):
                             self.erp5_directory, 'Products'))
    zope_config['products'] = '\n'.join(prefixed_products)
    zope_config['address'] = '%s:%s' % (ip, port)
-    zope_config['tmp_directory'] = self.tmp_directory
+    zope_environment_list = []
-    zope_config['path'] = self.bin_directory
+    for envk, envv in zope_environment.iteritems():
+      zope_environment_list.append('%s %s' % (envk, envv))
+    zope_config['environment'] = "\n".join(zope_environment_list)
    zope_wrapper_template_location = self.getTemplateFilename('zope.conf.in')
    zope_conf_content = self.substituteTemplate(

--- a/slapos/recipe/erp5/template/apache.zope.conf.in
+++ b/slapos/recipe/erp5/template/apache.zope.conf.in
 # Apache configuration file for Zope
 # Automatically generated
+# List of modules
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule antiloris_module modules/mod_antiloris.so
 # Basic server configuration
 PidFile "%(pid_file)s"
 LockFile "%(lock_file)s"
 Listen %(ip)s:%(port)s
 ServerAdmin %(server_admin)s
-DefaultType text/plain
 TypesConfig conf/mime.types
 AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
@@ -19,7 +34,6 @@ RequestHeader unset REMOTE_USER
 # Log configuration
 ErrorLog "%(error_log)s"
-LogLevel warn
 LogFormat "%%h %%{REMOTE_USER}i %%l %%u %%t \"%%r\" %%>s %%b \"%%{Referer}i\" \"%%{User-Agent}i\"" combined
 LogFormat "%%h %%{REMOTE_USER}i %%l %%u %%t \"%%r\" %%>s %%b" common
 CustomLog "%(access_log)s" common
@@ -37,19 +51,3 @@ CustomLog "%(access_log)s" common
 # Magic of Zope related rewrite
 RewriteEngine On
 %(rewrite_rule)s
-# List of modules
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule version_module modules/mod_version.so
-LoadModule proxy_module modules/mod_proxy.so
-LoadModule proxy_http_module modules/mod_proxy_http.so
-LoadModule ssl_module modules/mod_ssl.so
-LoadModule mime_module modules/mod_mime.so
-LoadModule dav_module modules/mod_dav.so
-LoadModule dav_fs_module modules/mod_dav_fs.so
-LoadModule negotiation_module modules/mod_negotiation.so
-LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule headers_module modules/mod_headers.so
-LoadModule antiloris_module modules/mod_antiloris.so
--- a/slapos/recipe/erp5/template/zope.conf.in
+++ b/slapos/recipe/erp5/template/zope.conf.in
@@ -9,10 +9,7 @@ instancehome $INSTANCE
 # Environment override
 <environment>
-  TMP %(tmp_directory)s
+%(environment)s
-  TMPDIR %(tmp_directory)s
-  HOME %(tmp_directory)s
-  PATH %(path)s
 </environment>
 # No need to debug

--- a/slapos/recipe/kumofs/__init__.py
+++ b/slapos/recipe/kumofs/__init__.py
+##############################################################################
+#
+# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+from slapos.recipe.librecipe import BaseSlapRecipe
+import hashlib
+import os
+import pkg_resources
+import sys
+import zc.buildout
+import ConfigParser
+class Recipe(BaseSlapRecipe):
+  def getTemplateFilename(self, template_name):
+    return pkg_resources.resource_filename(__name__,
+        'template/%s' % template_name)
+  def _install(self):
+    self.path_list = []
+    self.requirements, self.ws = self.egg.working_set()
+    # XXX-Cedric : add logrotate?
+    self.cron_d = self.installCrond()
+    kumo_conf = self.installKumo(self.getLocalIPv4Address())
+    ca_conf = self.installCertificateAuthority()
+    key, certificate = self.requestCertificate('Login Based Access')
+    stunnel_conf = self.installStunnel(self.getGlobalIPv6Address(),
+        self.getLocalIPv4Address(), 12345, kumo_conf['kumo_gateway_port'],
+        certificate, key, ca_conf['ca_crl'],
+        ca_conf['certificate_authority_path'])
+    self.linkBinary()
+    self.setConnectionDict(dict(
+      stunnel_ip = stunnel_conf['public_ip'],
+      stunnel_port = stunnel_conf['public_port'],
+    ))
+    return self.path_list
+  def linkBinary(self):
+    """Links binaries to instance's bin directory for easier exposal"""
+    for linkline in self.options.get('link_binary_list', '').splitlines():
+      if not linkline:
+        continue
+      target = linkline.split()
+      if len(target) == 1:
+        target = target[0]
+        path, linkname = os.path.split(target)
+      else:
+        linkname = target[1]
+        target = target[0]
+      link = os.path.join(self.bin_directory, linkname)
+      if os.path.lexists(link):
+        if not os.path.islink(link):
+          raise zc.buildout.UserError(
+              'Target link already %r exists but it is not link' % link)
+        os.unlink(link)
+      os.symlink(target, link)
+      self.logger.debug('Created link %r -> %r' % (link, target))
+      self.path_list.append(link)
+  def installCrond(self):
+    timestamps = self.createDataDirectory('cronstamps')
+    cron_output = os.path.join(self.log_directory, 'cron-output')
+    self._createDirectory(cron_output)
+    catcher = zc.buildout.easy_install.scripts([('catchcron',
+      __name__ + '.catdatefile', 'catdatefile')], self.ws, sys.executable,
+      self.bin_directory, arguments=[cron_output])[0]
+    self.path_list.append(catcher)
+    cron_d = os.path.join(self.etc_directory, 'cron.d')
+    crontabs = os.path.join(self.etc_directory, 'crontabs')
+    self._createDirectory(cron_d)
+    self._createDirectory(crontabs)
+    # Use execute from erp5.
+    wrapper = zc.buildout.easy_install.scripts([('crond',
+      'slapos.recipe.erp5.execute', 'execute')], self.ws, sys.executable,
+      self.wrapper_directory, arguments=[
+        self.options['dcrond_binary'].strip(), '-s', cron_d, '-c', crontabs,
+        '-t', timestamps, '-f', '-l', '5', '-M', catcher]
+      )[0]
+    self.path_list.append(wrapper)
+    return cron_d
+  def installLogrotate(self):
+    """Installs logortate main configuration file and registers its to cron"""
+    logrotate_d = os.path.abspath(os.path.join(self.etc_directory,
+      'logrotate.d'))
+    self._createDirectory(logrotate_d)
+    logrotate_backup = self.createBackupDirectory('logrotate')
+    logrotate_conf = self.createConfigurationFile("logrotate.conf",
+        "include %s" % logrotate_d)
+    logrotate_cron = os.path.join(self.cron_d, 'logrotate')
+    state_file = os.path.join(self.data_root_directory, 'logrotate.status')
+    open(logrotate_cron, 'w').write('0 0 * * * %s -s %s %s' %
+        (self.options['logrotate_binary'], state_file, logrotate_conf))
+    self.path_list.extend([logrotate_d, logrotate_conf, logrotate_cron])
+    return logrotate_d, logrotate_backup
+  def registerLogRotation(self, name, log_file_list, postrotate_script):
+    """Register new log rotation requirement"""
+    open(os.path.join(self.logrotate_d, name), 'w').write(
+        self.substituteTemplate(self.getTemplateFilename(
+          'logrotate_entry.in'),
+          dict(file_list=' '.join(['"'+q+'"' for q in log_file_list]),
+            postrotate=postrotate_script, olddir=self.logrotate_backup)))
+  def installCertificateAuthority(self, ca_country_code='XX',
+      ca_email='xx@example.com', ca_state='State', ca_city='City',
+      ca_company='Company'):
+    backup_path = self.createBackupDirectory('ca')
+    self.ca_dir = os.path.join(self.data_root_directory, 'ca')
+    self._createDirectory(self.ca_dir)
+    self.ca_request_dir = os.path.join(self.ca_dir, 'requests')
+    self._createDirectory(self.ca_request_dir)
+    config = dict(ca_dir=self.ca_dir, request_dir=self.ca_request_dir)
+    self.ca_private = os.path.join(self.ca_dir, 'private')
+    self.ca_certs = os.path.join(self.ca_dir, 'certs')
+    self.ca_crl = os.path.join(self.ca_dir, 'crl')
+    self.ca_newcerts = os.path.join(self.ca_dir, 'newcerts')
+    self.ca_key_ext = '.key'
+    self.ca_crt_ext = '.crt'
+    for d in [self.ca_private, self.ca_crl, self.ca_newcerts, self.ca_certs]:
+      self._createDirectory(d)
+    for f in ['crlnumber', 'serial']:
+      if not os.path.exists(os.path.join(self.ca_dir, f)):
+        open(os.path.join(self.ca_dir, f), 'w').write('01')
+    if not os.path.exists(os.path.join(self.ca_dir, 'index.txt')):
+      open(os.path.join(self.ca_dir, 'index.txt'), 'w').write('')
+    openssl_configuration = os.path.join(self.ca_dir, 'openssl.cnf')
+    config.update(
+        working_directory=self.ca_dir,
+        country_code=ca_country_code,
+        state=ca_state,
+        city=ca_city,
+        company=ca_company,
+        email_address=ca_email,
+    )
+    self._writeFile(openssl_configuration, pkg_resources.resource_string(
+      __name__, 'template/openssl.cnf.ca.in') % config)
+    self.path_list.extend(zc.buildout.easy_install.scripts([
+      ('certificate_authority',
+        __name__ + '.certificate_authority', 'runCertificateAuthority')],
+        self.ws, sys.executable, self.wrapper_directory, arguments=[dict(
+          openssl_configuration=openssl_configuration,
+          openssl_binary=self.options['openssl_binary'],
+          certificate=os.path.join(self.ca_dir, 'cacert.pem'),
+          key=os.path.join(self.ca_private, 'cakey.pem'),
+          crl=os.path.join(self.ca_crl),
+          request_dir=self.ca_request_dir
+          )]))
+    # configure backup
+    backup_cron = os.path.join(self.cron_d, 'ca_rdiff_backup')
+    open(backup_cron, 'w').write(
+        '''0 0 * * * %(rdiff_backup)s %(source)s %(destination)s'''%dict(
+          rdiff_backup=self.options['rdiff_backup_binary'],
+          source=self.ca_dir,
+          destination=backup_path))
+    self.path_list.append(backup_cron)
+    return dict(
+      ca_certificate=os.path.join(config['ca_dir'], 'cacert.pem'),
+      ca_crl=os.path.join(config['ca_dir'], 'crl'),
+      certificate_authority_path=config['ca_dir']
+    )
+  def requestCertificate(self, name):
+    hash = hashlib.sha512(name).hexdigest()
+    key = os.path.join(self.ca_private, hash + self.ca_key_ext)
+    certificate = os.path.join(self.ca_certs, hash + self.ca_crt_ext)
+    parser = ConfigParser.RawConfigParser()
+    parser.add_section('certificate')
+    parser.set('certificate', 'name', name)
+    parser.set('certificate', 'key_file', key)
+    parser.set('certificate', 'certificate_file', certificate)
+    parser.write(open(os.path.join(self.ca_request_dir, hash), 'w'))
+    return key, certificate
+  def installStunnel(self, public_ip, private_ip, public_port, private_port,
+      ca_certificate, key, ca_crl, ca_path):
+    """Installs stunnel"""
+    template_filename = self.getTemplateFilename('stunnel.conf.in')
+    log = os.path.join(self.log_directory, 'stunnel.log')
+    pid_file = os.path.join(self.run_directory, 'stunnel.pid')
+    stunnel_conf = dict(
+        public_ip=public_ip,
+        private_ip=private_ip,
+        public_port=public_port,
+        pid_file=pid_file,
+        log=log,
+        cert = ca_certificate,
+        key = key,
+        ca_crl = ca_crl,
+        ca_path = ca_path,
+        private_port = private_port,
+    )
+    stunnel_conf_path = self.createConfigurationFile("stunnel.conf",
+        self.substituteTemplate(template_filename,
+          stunnel_conf))
+    wrapper = zc.buildout.easy_install.scripts([('stunnel',
+      'slapos.recipe.erp5.execute', 'execute')], self.ws, sys.executable,
+      self.wrapper_directory, arguments=[
+        self.options['stunnel_binary'].strip(), stunnel_conf_path]
+      )[0]
+    self.path_list.append(wrapper)
+    return stunnel_conf
+  def installKumo(self, ip, kumo_manager_port=13101, kumo_server_port=13201,
+      kumo_server_listen_port=13202, kumo_gateway_port=13301):
+    # XXX: kumo is not storing pid in file, unless it is not running as daemon
+    #      but running daemons is incompatible with SlapOS, so there is currently
+    #      no way to have Kumo's pid files to rotate logs and send signals to them
+    config = dict(
+      kumo_gateway_binary=self.options['kumo_gateway_binary'],
+      kumo_gateway_ip=ip,
+      kumo_gateway_log=os.path.join(self.log_directory, "kumo-gateway.log"),
+      kumo_manager_binary=self.options['kumo_manager_binary'],
+      kumo_manager_ip=ip,
+      kumo_manager_log=os.path.join(self.log_directory, "kumo-manager.log"),
+      kumo_server_binary=self.options['kumo_server_binary'],
+      kumo_server_ip=ip,
+      kumo_server_log=os.path.join(self.log_directory, "kumo-server.log"),
+      kumo_server_storage=os.path.join(self.data_root_directory, "kumodb.tch"),
+      kumo_manager_port=kumo_manager_port,
+      kumo_server_port=kumo_server_port,
+      kumo_server_listen_port=kumo_server_listen_port,
+      kumo_gateway_port=kumo_gateway_port
+    )
+    self.path_list.append(self.createRunningWrapper('kumo_gateway',
+      self.substituteTemplate(self.getTemplateFilename('kumo_gateway.in'),
+        config)))
+    self.path_list.append(self.createRunningWrapper('kumo_manager',
+      self.substituteTemplate(self.getTemplateFilename('kumo_manager.in'),
+        config)))
+    self.path_list.append(self.createRunningWrapper('kumo_server',
+      self.substituteTemplate(self.getTemplateFilename('kumo_server.in'),
+        config)))
+    return dict(
+      kumo_address = '%s:%s' % (config['kumo_gateway_ip'],
+        config['kumo_gateway_port']),
+      kumo_gateway_ip=config['kumo_gateway_ip'],
+      kumo_gateway_port=config['kumo_gateway_port'],
+    )
\ No newline at end of file
--- a/slapos/recipe/kumofs/certificate_authority.py
+++ b/slapos/recipe/kumofs/certificate_authority.py
+import os
+import subprocess
+import time
+import ConfigParser
+def popenCommunicate(command_list, input=None):
+  subprocess_kw = dict(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+  if input is not None:
+    subprocess_kw.update(stdin=subprocess.PIPE)
+  popen = subprocess.Popen(command_list, **subprocess_kw)
+  result = popen.communicate(input)[0]
+  if popen.returncode is None:
+    popen.kill()
+  if popen.returncode != 0:
+    raise ValueError('Issue during calling %r, result was:\n%s' % (
+      command_list, result))
+  return result
+class CertificateAuthority:
+  def __init__(self, key, certificate, openssl_binary,
+      openssl_configuration, request_dir):
+    self.key = key
+    self.certificate = certificate
+    self.openssl_binary = openssl_binary
+    self.openssl_configuration = openssl_configuration
+    self.request_dir = request_dir
+  def checkAuthority(self):
+    file_list = [ self.key, self.certificate ]
+    ca_ready = True
+    for f in file_list:
+      if not os.path.exists(f):
+        ca_ready = False
+        break
+    if ca_ready:
+      return
+    for f in file_list:
+      if os.path.exists(f):
+        os.unlink(f)
+    try:
+      # no CA, let us create new one
+      popenCommunicate([self.openssl_binary, 'req', '-nodes', '-config',
+          self.openssl_configuration, '-new', '-x509', '-extensions',
+          'v3_ca', '-keyout', self.key, '-out', self.certificate,
+          '-days', '10950'], 'Automatic Certificate Authority\n')
+    except:
+      try:
+        for f in file_list:
+          if os.path.exists(f):
+            os.unlink(f)
+      except:
+        # do not raise during cleanup
+        pass
+      raise
+  def _checkCertificate(self, common_name, key, certificate):
+    file_list = [key, certificate]
+    ready = True
+    for f in file_list:
+      if not os.path.exists(f):
+        ready = False
+        break
+    if ready:
+      return False
+    for f in file_list:
+      if os.path.exists(f):
+        os.unlink(f)
+    csr = certificate + '.csr'
+    try:
+      popenCommunicate([self.openssl_binary, 'req', '-config',
+        self.openssl_configuration, '-nodes', '-new', '-keyout',
+        key, '-out', csr, '-days', '3650'],
+        common_name + '\n')
+      try:
+        popenCommunicate([self.openssl_binary, 'ca', '-batch', '-config',
+          self.openssl_configuration, '-out', certificate,
+          '-infiles', csr])
+      finally:
+        if os.path.exists(csr):
+          os.unlink(csr)
+    except:
+      try:
+        for f in file_list:
+          if os.path.exists(f):
+            os.unlink(f)
+      except:
+        # do not raise during cleanup
+        pass
+      raise
+    else:
+      return True
+  def checkRequestDir(self):
+    for request_file in os.listdir(self.request_dir):
+      parser = ConfigParser.RawConfigParser()
+      parser.readfp(open(os.path.join(self.request_dir, request_file), 'r'))
+      if self._checkCertificate(parser.get('certificate', 'name'),
+          parser.get('certificate', 'key_file'), parser.get('certificate',
+            'certificate_file')):
+        print 'Created certificate %r' % parser.get('certificate', 'name')
+def runCertificateAuthority(args):
+  ca_conf = args[0]
+  ca = CertificateAuthority(ca_conf['key'], ca_conf['certificate'],
+      ca_conf['openssl_binary'], ca_conf['openssl_configuration'],
+      ca_conf['request_dir'])
+  while True:
+    ca.checkAuthority()
+    ca.checkRequestDir()
+    time.sleep(60)
--- a/slapos/recipe/kumofs/template/kumo_gateway.in
+++ b/slapos/recipe/kumofs/template/kumo_gateway.in
+#!/bin/sh
+exec %(kumo_gateway_binary)s -F -E -m %(kumo_manager_ip)s:%(kumo_manager_port)s -t %(kumo_gateway_ip)s:%(kumo_gateway_port)s -o %(kumo_gateway_log)s
--- a/slapos/recipe/kumofs/template/kumo_manager.in
+++ b/slapos/recipe/kumofs/template/kumo_manager.in
+#!/bin/sh
+exec %(kumo_manager_binary)s -a -l %(kumo_manager_ip)s:%(kumo_manager_port)s -o %(kumo_manager_log)s
--- a/slapos/recipe/kumofs/template/kumo_server.in
+++ b/slapos/recipe/kumofs/template/kumo_server.in
+#!/bin/sh
+exec %(kumo_server_binary)s -l %(kumo_server_ip)s:%(kumo_server_port)s -L %(kumo_server_listen_port)s -m %(kumo_manager_ip)s:%(kumo_manager_port)s -s %(kumo_server_storage)s -o %(kumo_server_log)s
--- a/slapos/recipe/kumofs/template/openssl.cnf.ca.in
+++ b/slapos/recipe/kumofs/template/openssl.cnf.ca.in
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= %(working_directory)s		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+x509_extensions	= usr_cert		# The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha1
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+#attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_value		= %(country_code)s
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_value	= %(state)s
+localityName			= Locality Name (eg, city)
+localityName_value		= %(city)s
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_value	= %(company)s
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_value = %(email_address)s
+emailAddress_max		= 64
+# SET-ex3			= SET extension number 3
+#[ req_attributes ]
+#challengePassword		= A challenge password
+#challengePassword_min		= 4
+#challengePassword_max		= 20
+#
+#unstructuredName		= An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+####################################################################
+[ tsa ]
+default_tsa = tsa_config1	# the default TSA section
+[ tsa_config1 ]
+# These are used by the TSA reply generation only.
+dir		= /etc/pki/tls		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
--- a/slapos/recipe/kumofs/template/stunnel.conf.in
+++ b/slapos/recipe/kumofs/template/stunnel.conf.in
+foreground = yes
+output = %(log)s
+pid = %(pid_file)s
+syslog = no
+CApath = %(ca_path)s
+key = %(key)s
+CRLpath = %(ca_crl)s
+cert = %(cert)s
+[service]
+accept = %(public_ip)s:%(public_port)s
+connect = %(private_ip)s:%(private_port)s
--- a/slapos/recipe/memcached/__init__.py
+++ b/slapos/recipe/memcached/__init__.py
+##############################################################################
+#
+# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly adviced to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+from slapos.recipe.librecipe import BaseSlapRecipe
+import hashlib
+import os
+import pkg_resources
+import sys
+import zc.buildout
+import ConfigParser
+class Recipe(BaseSlapRecipe):
+  def getTemplateFilename(self, template_name):
+    return pkg_resources.resource_filename(__name__,
+        'template/%s' % template_name)
+  def _install(self):
+    self.path_list = []
+    self.requirements, self.ws = self.egg.working_set()
+    # XXX-Cedric : add logrotate?
+    self.cron_d = self.installCrond()
+    memcached_conf = self.installMemcached(ip=self.getLocalIPv4Address(),
+        port=11000)
+    ca_conf = self.installCertificateAuthority()
+    key, certificate = self.requestCertificate('Memcached')
+    stunnel_conf = self.installStunnel(self.getGlobalIPv6Address(),
+        self.getLocalIPv4Address(), 12345, memcached_conf['memcached_port'],
+        certificate, key, ca_conf['ca_crl'],
+        ca_conf['certificate_authority_path'])
+    self.linkBinary()
+    self.setConnectionDict(dict(
+      stunnel_ip = stunnel_conf['public_ip'],
+      stunnel_port = stunnel_conf['public_port'],
+    ))
+    return self.path_list
+  def linkBinary(self):
+    """Links binaries to instance's bin directory for easier exposal"""
+    for linkline in self.options.get('link_binary_list', '').splitlines():
+      if not linkline:
+        continue
+      target = linkline.split()
+      if len(target) == 1:
+        target = target[0]
+        path, linkname = os.path.split(target)
+      else:
+        linkname = target[1]
+        target = target[0]
+      link = os.path.join(self.bin_directory, linkname)
+      if os.path.lexists(link):
+        if not os.path.islink(link):
+          raise zc.buildout.UserError(
+              'Target link already %r exists but it is not link' % link)
+        os.unlink(link)
+      os.symlink(target, link)
+      self.logger.debug('Created link %r -> %r' % (link, target))
+      self.path_list.append(link)
+  def installCrond(self):
+    timestamps = self.createDataDirectory('cronstamps')
+    cron_output = os.path.join(self.log_directory, 'cron-output')
+    self._createDirectory(cron_output)
+    catcher = zc.buildout.easy_install.scripts([('catchcron',
+      __name__ + '.catdatefile', 'catdatefile')], self.ws, sys.executable,
+      self.bin_directory, arguments=[cron_output])[0]
+    self.path_list.append(catcher)
+    cron_d = os.path.join(self.etc_directory, 'cron.d')
+    crontabs = os.path.join(self.etc_directory, 'crontabs')
+    self._createDirectory(cron_d)
+    self._createDirectory(crontabs)
+    # Use execute from erp5.
+    wrapper = zc.buildout.easy_install.scripts([('crond',
+      'slapos.recipe.erp5.execute', 'execute')], self.ws, sys.executable,
+      self.wrapper_directory, arguments=[
+        self.options['dcrond_binary'].strip(), '-s', cron_d, '-c', crontabs,
+        '-t', timestamps, '-f', '-l', '5', '-M', catcher]
+      )[0]
+    self.path_list.append(wrapper)
+    return cron_d
+  def installLogrotate(self):
+    """Installs logortate main configuration file and registers its to cron"""
+    logrotate_d = os.path.abspath(os.path.join(self.etc_directory,
+      'logrotate.d'))
+    self._createDirectory(logrotate_d)
+    logrotate_backup = self.createBackupDirectory('logrotate')
+    logrotate_conf = self.createConfigurationFile("logrotate.conf",
+        "include %s" % logrotate_d)
+    logrotate_cron = os.path.join(self.cron_d, 'logrotate')
+    state_file = os.path.join(self.data_root_directory, 'logrotate.status')
+    open(logrotate_cron, 'w').write('0 0 * * * %s -s %s %s' %
+        (self.options['logrotate_binary'], state_file, logrotate_conf))
+    self.path_list.extend([logrotate_d, logrotate_conf, logrotate_cron])
+    return logrotate_d, logrotate_backup
+  def registerLogRotation(self, name, log_file_list, postrotate_script):
+    """Register new log rotation requirement"""
+    open(os.path.join(self.logrotate_d, name), 'w').write(
+        self.substituteTemplate(self.getTemplateFilename(
+          'logrotate_entry.in'),
+          dict(file_list=' '.join(['"'+q+'"' for q in log_file_list]),
+            postrotate=postrotate_script, olddir=self.logrotate_backup)))
+  def installCertificateAuthority(self, ca_country_code='XX',
+      ca_email='xx@example.com', ca_state='State', ca_city='City',
+      ca_company='Company'):
+    backup_path = self.createBackupDirectory('ca')
+    self.ca_dir = os.path.join(self.data_root_directory, 'ca')
+    self._createDirectory(self.ca_dir)
+    self.ca_request_dir = os.path.join(self.ca_dir, 'requests')
+    self._createDirectory(self.ca_request_dir)
+    config = dict(ca_dir=self.ca_dir, request_dir=self.ca_request_dir)
+    self.ca_private = os.path.join(self.ca_dir, 'private')
+    self.ca_certs = os.path.join(self.ca_dir, 'certs')
+    self.ca_crl = os.path.join(self.ca_dir, 'crl')
+    self.ca_newcerts = os.path.join(self.ca_dir, 'newcerts')
+    self.ca_key_ext = '.key'
+    self.ca_crt_ext = '.crt'
+    for d in [self.ca_private, self.ca_crl, self.ca_newcerts, self.ca_certs]:
+      self._createDirectory(d)
+    for f in ['crlnumber', 'serial']:
+      if not os.path.exists(os.path.join(self.ca_dir, f)):
+        open(os.path.join(self.ca_dir, f), 'w').write('01')
+    if not os.path.exists(os.path.join(self.ca_dir, 'index.txt')):
+      open(os.path.join(self.ca_dir, 'index.txt'), 'w').write('')
+    openssl_configuration = os.path.join(self.ca_dir, 'openssl.cnf')
+    config.update(
+        working_directory=self.ca_dir,
+        country_code=ca_country_code,
+        state=ca_state,
+        city=ca_city,
+        company=ca_company,
+        email_address=ca_email,
+    )
+    self._writeFile(openssl_configuration, pkg_resources.resource_string(
+      __name__, 'template/openssl.cnf.ca.in') % config)
+    self.path_list.extend(zc.buildout.easy_install.scripts([
+      ('certificate_authority',
+        __name__ + '.certificate_authority', 'runCertificateAuthority')],
+        self.ws, sys.executable, self.wrapper_directory, arguments=[dict(
+          openssl_configuration=openssl_configuration,
+          openssl_binary=self.options['openssl_binary'],
+          certificate=os.path.join(self.ca_dir, 'cacert.pem'),
+          key=os.path.join(self.ca_private, 'cakey.pem'),
+          crl=os.path.join(self.ca_crl),
+          request_dir=self.ca_request_dir
+          )]))
+    # configure backup
+    backup_cron = os.path.join(self.cron_d, 'ca_rdiff_backup')
+    open(backup_cron, 'w').write(
+        '''0 0 * * * %(rdiff_backup)s %(source)s %(destination)s'''%dict(
+          rdiff_backup=self.options['rdiff_backup_binary'],
+          source=self.ca_dir,
+          destination=backup_path))
+    self.path_list.append(backup_cron)
+    return dict(
+      ca_certificate=os.path.join(config['ca_dir'], 'cacert.pem'),
+      ca_crl=os.path.join(config['ca_dir'], 'crl'),
+      certificate_authority_path=config['ca_dir']
+    )
+  def requestCertificate(self, name):
+    hash = hashlib.sha512(name).hexdigest()
+    key = os.path.join(self.ca_private, hash + self.ca_key_ext)
+    certificate = os.path.join(self.ca_certs, hash + self.ca_crt_ext)
+    parser = ConfigParser.RawConfigParser()
+    parser.add_section('certificate')
+    parser.set('certificate', 'name', name)
+    parser.set('certificate', 'key_file', key)
+    parser.set('certificate', 'certificate_file', certificate)
+    parser.write(open(os.path.join(self.ca_request_dir, hash), 'w'))
+    return key, certificate
+  def installStunnel(self, public_ip, private_ip, public_port, private_port,
+      ca_certificate, key, ca_crl, ca_path):
+    """Installs stunnel"""
+    template_filename = self.getTemplateFilename('stunnel.conf.in')
+    log = os.path.join(self.log_directory, 'stunnel.log')
+    pid_file = os.path.join(self.run_directory, 'stunnel.pid')
+    stunnel_conf = dict(
+        public_ip=public_ip,
+        private_ip=private_ip,
+        public_port=public_port,
+        pid_file=pid_file,
+        log=log,
+        cert = ca_certificate,
+        key = key,
+        ca_crl = ca_crl,
+        ca_path = ca_path,
+        private_port = private_port,
+    )
+    stunnel_conf_path = self.createConfigurationFile("stunnel.conf",
+        self.substituteTemplate(template_filename,
+          stunnel_conf))
+    wrapper = zc.buildout.easy_install.scripts([('stunnel',
+      'slapos.recipe.erp5.execute', 'execute')], self.ws, sys.executable,
+      self.wrapper_directory, arguments=[
+        self.options['stunnel_binary'].strip(), stunnel_conf_path]
+      )[0]
+    self.path_list.append(wrapper)
+    return stunnel_conf
+  def installMemcached(self, ip, port):
+    config = dict(
+        memcached_binary=self.options['memcached_binary'],
+        memcached_ip=ip,
+        memcached_port=port,
+    )
+    self.path_list.append(self.createRunningWrapper('memcached',
+      self.substituteTemplate(self.getTemplateFilename('memcached.in'),
+        config)))
+    return dict(memcached_url='%s:%s' %
+        (config['memcached_ip'], config['memcached_port']),
+        memcached_ip=config['memcached_ip'],
+        memcached_port=config['memcached_port'])
--- a/slapos/recipe/memcached/certificate_authority.py
+++ b/slapos/recipe/memcached/certificate_authority.py
+import os
+import subprocess
+import time
+import ConfigParser
+def popenCommunicate(command_list, input=None):
+  subprocess_kw = dict(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+  if input is not None:
+    subprocess_kw.update(stdin=subprocess.PIPE)
+  popen = subprocess.Popen(command_list, **subprocess_kw)
+  result = popen.communicate(input)[0]
+  if popen.returncode is None:
+    popen.kill()
+  if popen.returncode != 0:
+    raise ValueError('Issue during calling %r, result was:\n%s' % (
+      command_list, result))
+  return result
+class CertificateAuthority:
+  def __init__(self, key, certificate, openssl_binary,
+      openssl_configuration, request_dir):
+    self.key = key
+    self.certificate = certificate
+    self.openssl_binary = openssl_binary
+    self.openssl_configuration = openssl_configuration
+    self.request_dir = request_dir
+  def checkAuthority(self):
+    file_list = [ self.key, self.certificate ]
+    ca_ready = True
+    for f in file_list:
+      if not os.path.exists(f):
+        ca_ready = False
+        break
+    if ca_ready:
+      return
+    for f in file_list:
+      if os.path.exists(f):
+        os.unlink(f)
+    try:
+      # no CA, let us create new one
+      popenCommunicate([self.openssl_binary, 'req', '-nodes', '-config',
+          self.openssl_configuration, '-new', '-x509', '-extensions',
+          'v3_ca', '-keyout', self.key, '-out', self.certificate,
+          '-days', '10950'], 'Automatic Certificate Authority\n')
+    except:
+      try:
+        for f in file_list:
+          if os.path.exists(f):
+            os.unlink(f)
+      except:
+        # do not raise during cleanup
+        pass
+      raise
+  def _checkCertificate(self, common_name, key, certificate):
+    file_list = [key, certificate]
+    ready = True
+    for f in file_list:
+      if not os.path.exists(f):
+        ready = False
+        break
+    if ready:
+      return False
+    for f in file_list:
+      if os.path.exists(f):
+        os.unlink(f)
+    csr = certificate + '.csr'
+    try:
+      popenCommunicate([self.openssl_binary, 'req', '-config',
+        self.openssl_configuration, '-nodes', '-new', '-keyout',
+        key, '-out', csr, '-days', '3650'],
+        common_name + '\n')
+      try:
+        popenCommunicate([self.openssl_binary, 'ca', '-batch', '-config',
+          self.openssl_configuration, '-out', certificate,
+          '-infiles', csr])
+      finally:
+        if os.path.exists(csr):
+          os.unlink(csr)
+    except:
+      try:
+        for f in file_list:
+          if os.path.exists(f):
+            os.unlink(f)
+      except:
+        # do not raise during cleanup
+        pass
+      raise
+    else:
+      return True
+  def checkRequestDir(self):
+    for request_file in os.listdir(self.request_dir):
+      parser = ConfigParser.RawConfigParser()
+      parser.readfp(open(os.path.join(self.request_dir, request_file), 'r'))
+      if self._checkCertificate(parser.get('certificate', 'name'),
+          parser.get('certificate', 'key_file'), parser.get('certificate',
+            'certificate_file')):
+        print 'Created certificate %r' % parser.get('certificate', 'name')
+def runCertificateAuthority(args):
+  ca_conf = args[0]
+  ca = CertificateAuthority(ca_conf['key'], ca_conf['certificate'],
+      ca_conf['openssl_binary'], ca_conf['openssl_configuration'],
+      ca_conf['request_dir'])
+  while True:
+    ca.checkAuthority()
+    ca.checkRequestDir()
+    time.sleep(60)
--- a/slapos/recipe/memcached/template/memcached.in
+++ b/slapos/recipe/memcached/template/memcached.in
+#!/bin/sh
+exec %(memcached_binary)s -p %(memcached_port)s -U %(memcached_port)s -l %(memcached_ip)s
--- a/slapos/recipe/memcached/template/openssl.cnf.ca.in
+++ b/slapos/recipe/memcached/template/openssl.cnf.ca.in
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= %(working_directory)s		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+x509_extensions	= usr_cert		# The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+default_days	= 3650			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha1
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+#attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_value		= %(country_code)s
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_value	= %(state)s
+localityName			= Locality Name (eg, city)
+localityName_value		= %(city)s
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_value	= %(company)s
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_value = %(email_address)s
+emailAddress_max		= 64
+# SET-ex3			= SET extension number 3
+#[ req_attributes ]
+#challengePassword		= A challenge password
+#challengePassword_min		= 4
+#challengePassword_max		= 20
+#
+#unstructuredName		= An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+####################################################################
+[ tsa ]
+default_tsa = tsa_config1	# the default TSA section
+[ tsa_config1 ]
+# These are used by the TSA reply generation only.
+dir		= /etc/pki/tls		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
--- a/slapos/recipe/memcached/template/stunnel.conf.in
+++ b/slapos/recipe/memcached/template/stunnel.conf.in
+foreground = yes
+output = %(log)s
+pid = %(pid_file)s
+syslog = no
+CApath = %(ca_path)s
+key = %(key)s
+CRLpath = %(ca_crl)s
+cert = %(cert)s
+[service]
+accept = %(public_ip)s:%(public_port)s
+connect = %(private_ip)s:%(private_port)s
--- a/slapos/recipe/template.py
+++ b/slapos/recipe/template.py
-##############################################################################
-#
-# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
-#
-# WARNING: This program as such is intended to be used by professional
-# programmers who take the whole responsibility of assessing all potential
-# consequences resulting from its eventual inadequacies and bugs
-# End users who are looking for a ready-to-use solution with commercial
-# guarantees and support are strongly adviced to contract a Free Software
-# Service Company
-#
-# This program is Free Software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 3
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
-#
-##############################################################################
-import collective.recipe.template
-import zc.buildout
-class Recipe(collective.recipe.template.Recipe):
-  def __init__(self, buildout, name, options):
-    download = zc.buildout.download.Download(buildout['buildout'],
-                hash_name=True)
-    path, is_temp = download(options.pop('url'),
-        md5sum=options.get('md5sum'))
-    options['input'] = path
-    collective.recipe.template.Recipe.__init__(self, buildout, name, options)
--- a/software/erp5/software.cfg
+++ b/software/erp5/software.cfg
 [buildout]
 extensions =
  slapos.rebootstrap
-  slapos.tool.networkcache
  slapos.zcbworkarounds
  mr.developer

--- a/software/erp5testnode/software.cfg
+++ b/software/erp5testnode/software.cfg
 [buildout]
 extensions =
  slapos.rebootstrap
-  slapos.tool.networkcache
  slapos.zcbworkarounds
  mr.developer
@@ -11,6 +10,7 @@ find-links = http://www.nexedi.org/static/packages/source/slapos.buildout/
 versions = versions
 rebootstrap-section = python2.6
 extends =
  ../../component/python-2.6/buildout.cfg
  ../../component/subversion/buildout.cfg

--- a/software/kumofs/instance.cfg
+++ b/software/kumofs/instance.cfg
+[buildout]
+parts =
+  instance
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+[instance]
+recipe = ${instance-recipe:egg}:${instance-recipe:module}
+kumo_gateway_binary = ${kumo:location}/bin/kumo-gateway
+kumo_manager_binary = ${kumo:location}/bin/kumo-manager
+kumo_server_binary = ${kumo:location}/bin/kumo-server
+dcrond_binary = ${dcron:location}/sbin/crond
+openssl_binary = ${openssl:location}/bin/openssl
+rdiff_backup_binary = ${buildout:bin-directory}/rdiff-backup
+stunnel_binary = ${stunnel:location}/bin/stunnel
--- a/software/kumofs/software.cfg
+++ b/software/kumofs/software.cfg
+[buildout]
+extensions =
+  slapos.zcbworkarounds
+  slapos.rebootstrap
+find-links +=
+    http://www.nexedi.org/static/packages/source/slapos.buildout/
+extends =
+  ../../component/git/buildout.cfg
+  ../../component/kumo/buildout.cfg
+  ../../component/python-2.7/buildout.cfg
+  ../../component/dcron/buildout.cfg
+  ../../component/stunnel/buildout.cfg
+  ../../component/rdiff-backup/buildout.cfg
+  ../../component/lxml-python/buildout.cfg
+versions = versions
+parts +=
+# Create instance template
+#TODO : list here all parts.
+  template
+  libxslt
+  eggs
+  instance-recipe-egg
+# XXX: Workaround of SlapOS limitation
+# Unzippig of eggs is required, as SlapOS do not yet provide nicely working
+# development / fast switching environment for whole software
+unzip = true
+[rebootstrap]
+# Default first version of rebootstrapped python
+version = 2
+section = python2.7
+[instance-recipe]
+egg = slapos.cookbook
+module = kumofs
+[instance-recipe-egg]
+recipe = zc.recipe.egg
+python = python2.7
+eggs = ${instance-recipe:egg}
+[eggs]
+recipe = zc.recipe.egg
+python = python2.7
+eggs =
+  ${lxml-python:egg}
+[template]
+# Default template for the instance.
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/instance.cfg
+md5sum = 056a4af7128fd9e31da42c85cc039420
+output = ${buildout:directory}/template.cfg
+mode = 0644
+[versions]
+slapos.cookbook = 0.4
+erp5.recipe.cmmiforcei686 = 0.1.1
+hexagonit.recipe.cmmi = 1.5.0
+hexagonit.recipe.download = 1.5.0
+# Required by slapos.cookbook==0.4
+slapos.core = 0.2
+collective.recipe.template = 1.8
+netaddr = 0.7.5
+xml-marshaller = 0.9.7
+setuptools = 0.6c12dev-r88795
+# Use SlapOS patched zc.buildout
+zc.buildout = 1.5.3-dev-SlapOS-001
--- a/software/memcached/instance.cfg
+++ b/software/memcached/instance.cfg
+[buildout]
+parts =
+  instance
+eggs-directory = ${buildout:eggs-directory}
+develop-eggs-directory = ${buildout:develop-eggs-directory}
+[instance]
+recipe = ${instance-recipe:egg}:${instance-recipe:module}
+dcrond_binary = ${dcron:location}/sbin/crond
+memcached_binary = ${memcached:location}/bin/memcached
+openssl_binary = ${openssl:location}/bin/openssl
+rdiff_backup_binary = ${buildout:bin-directory}/rdiff-backup
+stunnel_binary = ${stunnel:location}/bin/stunnel
--- a/software/memcached/software.cfg
+++ b/software/memcached/software.cfg
+[buildout]
+extensions =
+  slapos.zcbworkarounds
+  slapos.rebootstrap
+find-links +=
+    http://www.nexedi.org/static/packages/source/slapos.buildout/
+extends =
+  ../../component/memcached/buildout.cfg
+  ../../component/python-2.7/buildout.cfg
+  ../../component/dcron/buildout.cfg
+  ../../component/stunnel/buildout.cfg
+  ../../component/rdiff-backup/buildout.cfg
+  ../../component/lxml-python/buildout.cfg
+versions = versions
+parts =
+# Create instance template
+#TODO : list here all parts.
+  template
+  libxslt
+  eggs
+  instance-recipe-egg
+# XXX: Workaround of SlapOS limitation
+# Unzippig of eggs is required, as SlapOS do not yet provide nicely working
+# development / fast switching environment for whole software
+unzip = true
+[rebootstrap]
+# Default first version of rebootstrapped python
+version = 2
+section = python2.7
+[instance-recipe]
+egg = slapos.cookbook
+module = memcached
+[instance-recipe-egg]
+recipe = zc.recipe.egg
+python = python2.7
+eggs = ${instance-recipe:egg}
+[eggs]
+recipe = zc.recipe.egg
+python = python2.7
+eggs =
+  ${lxml-python:egg}
+[template]
+# Default template for the instance.
+recipe = slapos.recipe.template
+url = ${:_profile_base_location_}/instance.cfg
+md5sum = 837caf9897332a5f70c72438f1dc5bae
+output = ${buildout:directory}/template.cfg
+mode = 0644
+[versions]
+slapos.cookbook = 0.4
+# Required by slapos.cookbook==0.4
+slapos.core = 0.2
+collective.recipe.template = 1.8
+netaddr = 0.7.5
+xml-marshaller = 0.9.7
+setuptools = 0.6c12dev-r88795
+hexagonit.recipe.cmmi = 1.5.0
+hexagonit.recipe.download = 1.5.0
+plone.recipe.command = 1.1
+# Use SlapOS patched zc.buildout
+zc.buildout = 1.5.3-dev-SlapOS-001
--- a/stack/cloudooo.cfg
+++ b/stack/cloudooo.cfg
 [buildout]
 extensions =
  slapos.tool.rebootstrap
-  slapos.tool.networkcache
  slapos.zcbworkarounds
  mr.developer

--- a/stack/erp5.cfg
+++ b/stack/erp5.cfg
 [buildout]
 extensions =
  slapos.rebootstrap
-  slapos.tool.networkcache
  slapos.zcbworkarounds
  mr.developer