Revert "slapos-master: Use ERP5 SR directly"

This reverts commit 3d63cd39.

Revert "slapos-master: Use ERP5 SR directly"
This reverts commit 3d63cd39.
8360f221 · Rafael Monnerat · d83217b9 · 8360f221 · 8360f221 · 8360f221
Commit 8360f221 authored Mar 28, 2024 by Rafael Monnerat
6 changed files
--- a/software/slapos-master/apache-backend.conf.in
+++ b/software/slapos-master/apache-backend.conf.in
+{# This file configures apache to redirect requests from ports to specific urls.
+ # It provides SSL support for server and optionaly for client.
+ #
+ # All parameters are given through the `parameter_dict` variable, see the
+ # list entries :
+ #
+ #     parameter_dict = {
+ #       #  The path given to "PidFile"
+ #       "pid-file": "<file_path>",
+ #
+ #       #  The number given to "TimeOut"
+ #       "timeout": 300,
+ #
+ #       #  The path given to "SSLCertificateFile"
+ #       "cert": "<file_path>",
+ #
+ #       #  The path given to "SSLCertificateKeyFile"
+ #       "key": "<file_path>",
+ #
+ #       #  The value given to "SSLCipherSuite" (can be empty)
+ #       "cipher": "",
+ #
+ #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
+ #       "ssl-session-cache": "<folder_path>",
+ #
+ #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  If this value is not empty, it enables client certificate check.
+ #       #  (Enabling "SSLVerifyClient require")
+ #       "ca-cert": "<file_path>",
+ #
+ #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  empty)
+ #       "crl": "<file_path>",
+ #
+ #       #  The path given to "ErrorLog"
+ #       "error-log": "<file_path>",
+ #
+ #       #  The path given to "AccessLog"
+ #       "access-log": "<file_path>",
+ #
+ #       #  The list of ip which apache will listen to.
+ #       "ip-list": [
+ #         "0.0.0.0",
+ #         "[::1]",
+ #       ],
+ #
+ #       #  The list of backends which apache should redirect to.
+ #       "backend-list": [
+ #         # (port, unused, internal_scheme, enable_authentication)
+ #         (8000, _, "http://10.0.0.10:8001", True),
+ #         (8002, _, "http://10.0.0.10:8003", False),
+ #       ],
+ #
+ #       # The mapping of zope paths this apache should redirect to.
+ #       # This is a Zope specific feature.
+ #       # `enable_authentication` has same meaning as for `backend-list`.
+ #       "zope-virtualhost-monster-backend-dict": {
+ #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_scheme ) }, ) }
+ #          ('[::1]', 8004): (
+ #            True, {
+ #              'zope-1': 'http://10.0.0.10:8001',
+ #              'zope-2': 'http://10.0.0.10:8002',
+ #            },
+ #          ),
+ #        },
+ #     }
+ #
+ #  This sample of `parameter_dict` will make apache listening to :
+ #  From to `backend-list`:
+ #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
+ #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
+ #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
+ #  accepting requests from any client.
+ #
+ # From zope-virtualhost-monster-backend-dict`:
+ #   - [::1]:8004 with some path based rewrite-rules redirecting to:
+ #     * http://10.0.0.10/8001 when path matches /zope-1(.*)
+ #     * http://10.0.0.10/8002 when path matches /zope-2(.*)
+ #   with some VirtualHostMonster rewrite rules so zope writes URLs with
+ #  [::1]:8004 as server name.
+ #  For more details, refer to
+ #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
+-#}
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule filter_module modules/mod_filter.so
+
+AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
+
+PidFile "{{ parameter_dict['pid-file'] }}"
+ServerAdmin admin@
+TypesConfig conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+
+TimeOut {{ parameter_dict['timeout'] }}
+
+SSLCertificateFile {{ parameter_dict['cert'] }}
+SSLCertificateKeyFile {{ parameter_dict['key'] }}
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+SSLProtocol all -SSLv2 -SSLv3
+SSLHonorCipherOrder on
+{% if parameter_dict['cipher'] -%}
+SSLCipherSuite {{ parameter_dict['cipher'] }}
+{% else %}
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+{%- endif %}
+SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
+SSLProxyEngine On
+
+# As backend is trusting Remote-User header unset it always
+RequestHeader unset Remote-User
+{% if parameter_dict['ca-cert'] -%}
+SSLVerifyClient optional
+RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
+SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+{%   if not parameter_dict['shared-ca-cert'] %}
+{%     if parameter_dict['crl'] -%}
+SSLCARevocationCheck chain
+SSLCARevocationFile {{ parameter_dict['crl'] }}
+{%-     endif %}
+{%-   endif %}
+{%- endif %}
+
+ErrorLog "{{ parameter_dict['error-log'] }}"
+# Default apache log format with request time in microsecond at the end
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+CustomLog "{{ parameter_dict['access-log'] }}" combined
+
+<Directory />
+  Options FollowSymLinks
+  AllowOverride None
+  Allow from all
+</Directory>
+
+RewriteEngine On
+{% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%}
+{%   for ip in parameter_dict['ip-list'] -%}
+Listen {{ ip }}:{{ port }}
+{%   endfor -%}
+<VirtualHost *:{{ port }}>
+  SSLEngine on
+{% if enable_authentication and parameter_dict['shared-ca-cert'] -%}
+  SSLVerifyClient require
+  # Custom block we use for now different parameters.
+  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
+  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
+{% if 'shared-crl' in parameter_dict -%}
+  SSLCARevocationCheck chain
+  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
+{% endif -%}
+
+  LogFormat "%h %l %{Remote-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" service
+
+  # We would like to separate the the authentificated logs.
+  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log"
+  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" service
+{% endif -%}
+  RewriteRule ^/(.*) {{ backend }}/$1 [L,P]
+</VirtualHost>
+{% endfor -%}
+
+
+{% for (ip, port), (enable_authentication, path_mapping) in parameter_dict.get('zope-virtualhost-monster-backend-dict', {}).items() -%}
+Listen {{ ip }}:{{ port }}
+<VirtualHost {{ ip }}:{{ port }}>
+  SSLEngine on
+  Timeout 3600
+{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+  SSLVerifyClient require
+  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+  SSLCARevocationCheck chain
+  SSLCARevocationFile {{ parameter_dict['crl'] }}
+
+  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+
+  # We would like to separate the the authentificated logs.
+  # XXX filename ? is it log-rotated ?
+  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-error.log"
+  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-access.log" combined
+{%   endif -%}
+
+{%   for path, backend in path_mapping.items() %}
+  RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P]
+{%   endfor -%}
+</VirtualHost>
+{% endfor -%}
--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+[template-erp5]
+filename = instance-erp5.cfg.in
+md5sum = 38eab3283d175230231c998fa4a3416e
+
+[template-balancer]
+filename = instance-balancer.cfg.in
+md5sum = 88e15a803df4aa35285e59ae9186438a
+
+[template-apache-backend-conf]
+filename = apache-backend.conf.in
+md5sum = aa11283ca8b80a91b508732cd3443f7b
+
+[template-haproxy-cfg]
+filename = haproxy.cfg.in
+md5sum = fec6a312e4ef84b02837742992aaf495
--- a/software/slapos-master/haproxy.cfg.in
+++ b/software/slapos-master/haproxy.cfg.in
+{% set server_check_path = parameter_dict['server-check-path'] -%}
+global
+  maxconn 4096
+  stats socket {{ parameter_dict['socket-path'] }} level admin
+
+defaults
+  mode http
+  retries 1
+  option redispatch
+  maxconn 2000
+  cookie SERVERID rewrite
+  balance roundrobin
+  stats uri /haproxy
+  stats realm Global\ statistics
+  # it is useless to have timeout much bigger than the one of apache.
+  # By default apache use 300s, so we set slightly more in order to
+  # make sure that apache will first stop the connection.
+  timeout server 305s
+  # Stop waiting in queue for a zope to become available.
+  # If no zope can be reached after one minute, consider the request will
+  # never succeed.
+  timeout queue 60s
+  # The connection should be immediate on LAN,
+  # so we should not set more than 5 seconds, and it could be already too much
+  timeout connect 5s
+  # As requested in haproxy doc, make this "at least equal to timeout server".
+  timeout client 305s
+  # Use "option httpclose" to not preserve client & server persistent connections
+  # while handling every incoming request individually, dispatching them one after
+  # another to servers, in HTTP close mode. This is really needed when haproxy
+  # is configured with maxconn to 1, without this option browsers are unable
+  # to render a page
+  option httpclose
+
+{% for name, (port, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
+listen {{ name }}
+  bind {{ parameter_dict['ip'] }}:{{ port }}
+  http-request set-header X-Balancer-Current-Cookie SERVERID
+{%   set has_webdav = [] -%}
+{%   for address, connection_count, webdav in backend_list -%}
+{%     if webdav %}{% do has_webdav.append(None) %}{% endif -%}
+{%     set server_name = name ~ '-' ~ loop.index0 -%}
+  server {{ server_name }} {{ address }} cookie {{ server_name }} check inter 3s rise 1 fall 2 maxqueue 5 maxconn {{ connection_count }}
+{%   endfor -%}
+{%-  if not has_webdav and server_check_path %}
+  option httpchk GET {{ server_check_path }}
+{%   endif -%}
+{% endfor %}
--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
--- a/software/slapos-master/instance-erp5.cfg.in
+++ b/software/slapos-master/instance-erp5.cfg.in
--- a/software/slapos-master/software.cfg
+++ b/software/slapos-master/software.cfg
 [buildout]
 extends =
  ../../software/wendelin/software.cfg
+  buildout.hash.cfg

 [erp5-defaults]
 wcfs-enable-default = true
@@ -43,6 +44,26 @@ extra-paths +=
  ${vifib:location}/master
  ${slapos-bin:location}

+
+### Overwrite recipes to introduce customized changes
+[download-base-part]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+
+[template-erp5]
+< = download-base-part
+filename = instance-erp5.cfg.in
+
+[template-balancer]
+< = download-base-part
+filename = instance-balancer.cfg.in
+
+[template-apache-backend-conf]
+url = ${:_profile_base_location_}/${:filename}
+
+[template-haproxy-cfg]
+url = ${:_profile_base_location_}/${:filename}
+
 [versions]
 python-memcached = 1.47
 xml-marshaller = 1.0.2