Revert "slapos-master: Use ERP5 SR directly"

This reverts commit 3d63cd39.

software/slapos-master/apache-backend.conf.in

+{# This file configures apache to redirect requests from ports to specific urls.
+ # It provides SSL support for server and optionaly for client.
+ #
+ # All parameters are given through the `parameter_dict` variable, see the
+ # list entries :
+ #
+ #     parameter_dict = {
+ #       #  The path given to "PidFile"
+ #       "pid-file": "<file_path>",
+ #
+ #       #  The number given to "TimeOut"
+ #       "timeout": 300,
+ #
+ #       #  The path given to "SSLCertificateFile"
+ #       "cert": "<file_path>",
+ #
+ #       #  The path given to "SSLCertificateKeyFile"
+ #       "key": "<file_path>",
+ #
+ #       #  The value given to "SSLCipherSuite" (can be empty)
+ #       "cipher": "",
+ #
+ #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
+ #       "ssl-session-cache": "<folder_path>",
+ #
+ #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  If this value is not empty, it enables client certificate check.
+ #       #  (Enabling "SSLVerifyClient require")
+ #       "ca-cert": "<file_path>",
+ #
+ #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  empty)
+ #       "crl": "<file_path>",
+ #
+ #       #  The path given to "ErrorLog"
+ #       "error-log": "<file_path>",
+ #
+ #       #  The path given to "AccessLog"
+ #       "access-log": "<file_path>",
+ #
+ #       #  The list of ip which apache will listen to.
+ #       "ip-list": [
+ #         "0.0.0.0",
+ #         "[::1]",
+ #       ],
+ #
+ #       #  The list of backends which apache should redirect to.
+ #       "backend-list": [
+ #         # (port, unused, internal_scheme, enable_authentication)
+ #         (8000, _, "http://10.0.0.10:8001", True),
+ #         (8002, _, "http://10.0.0.10:8003", False),
+ #       ],
+ #
+ #       # The mapping of zope paths this apache should redirect to.
+ #       # This is a Zope specific feature.
+ #       # `enable_authentication` has same meaning as for `backend-list`.
+ #       "zope-virtualhost-monster-backend-dict": {
+ #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_scheme ) }, ) }
+ #          ('[::1]', 8004): (
+ #            True, {
+ #              'zope-1': 'http://10.0.0.10:8001',
+ #              'zope-2': 'http://10.0.0.10:8002',
+ #            },
+ #          ),
+ #        },
+ #     }
+ #
+ #  This sample of `parameter_dict` will make apache listening to :
+ #  From to `backend-list`:
+ #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
+ #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
+ #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
+ #  accepting requests from any client.
+ #
+ # From zope-virtualhost-monster-backend-dict`:
+ #   - [::1]:8004 with some path based rewrite-rules redirecting to:
+ #     * http://10.0.0.10/8001 when path matches /zope-1(.*)
+ #     * http://10.0.0.10/8002 when path matches /zope-2(.*)
+ #   with some VirtualHostMonster rewrite rules so zope writes URLs with
+ #  [::1]:8004 as server name.
+ #  For more details, refer to
+ #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
+-#}
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule filter_module modules/mod_filter.so
+
+AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
+
+PidFile "{{ parameter_dict['pid-file'] }}"
+ServerAdmin admin@
+TypesConfig conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+
+TimeOut {{ parameter_dict['timeout'] }}
+
+SSLCertificateFile {{ parameter_dict['cert'] }}
+SSLCertificateKeyFile {{ parameter_dict['key'] }}
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+SSLProtocol all -SSLv2 -SSLv3
+SSLHonorCipherOrder on
+{% if parameter_dict['cipher'] -%}
+SSLCipherSuite {{ parameter_dict['cipher'] }}
+{% else %}
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+{%- endif %}
+SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
+SSLProxyEngine On
+
+# As backend is trusting Remote-User header unset it always
+RequestHeader unset Remote-User
+{% if parameter_dict['ca-cert'] -%}
+SSLVerifyClient optional
+RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
+SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+{%   if not parameter_dict['shared-ca-cert'] %}
+{%     if parameter_dict['crl'] -%}
+SSLCARevocationCheck chain
+SSLCARevocationFile {{ parameter_dict['crl'] }}
+{%-     endif %}
+{%-   endif %}
+{%- endif %}
+
+ErrorLog "{{ parameter_dict['error-log'] }}"
+# Default apache log format with request time in microsecond at the end
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+CustomLog "{{ parameter_dict['access-log'] }}" combined
+
+<Directory />
+  Options FollowSymLinks
+  AllowOverride None
+  Allow from all
+</Directory>
+
+RewriteEngine On
+{% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%}
+{%   for ip in parameter_dict['ip-list'] -%}
+Listen {{ ip }}:{{ port }}
+{%   endfor -%}
+<VirtualHost *:{{ port }}>
+  SSLEngine on
+{% if enable_authentication and parameter_dict['shared-ca-cert'] -%}
+  SSLVerifyClient require
+  # Custom block we use for now different parameters.
+  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
+  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
+{% if 'shared-crl' in parameter_dict -%}
+  SSLCARevocationCheck chain
+  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
+{% endif -%}
+
+  LogFormat "%h %l %{Remote-User}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" service
+
+  # We would like to separate the the authentificated logs.
+  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log"
+  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" service
+{% endif -%}
+  RewriteRule ^/(.*) {{ backend }}/$1 [L,P]
+</VirtualHost>
+{% endfor -%}
+
+
+{% for (ip, port), (enable_authentication, path_mapping) in parameter_dict.get('zope-virtualhost-monster-backend-dict', {}).items() -%}
+Listen {{ ip }}:{{ port }}
+<VirtualHost {{ ip }}:{{ port }}>
+  SSLEngine on
+  Timeout 3600
+{%   if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%}
+  SSLVerifyClient require
+  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+  SSLCARevocationCheck chain
+  SSLCARevocationFile {{ parameter_dict['crl'] }}
+
+  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+
+  # We would like to separate the the authentificated logs.
+  # XXX filename ? is it log-rotated ?
+  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-error.log"
+  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-access.log" combined
+{%   endif -%}
+
+{%   for path, backend in path_mapping.items() %}
+  RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P]
+{%   endfor -%}
+</VirtualHost>
+{% endfor -%}

software/slapos-master/buildout.hash.cfg

+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+[template-erp5]
+filename = instance-erp5.cfg.in
+md5sum = 38eab3283d175230231c998fa4a3416e
+
+[template-balancer]
+filename = instance-balancer.cfg.in
+md5sum = 88e15a803df4aa35285e59ae9186438a
+
+[template-apache-backend-conf]
+filename = apache-backend.conf.in
+md5sum = aa11283ca8b80a91b508732cd3443f7b
+
+[template-haproxy-cfg]
+filename = haproxy.cfg.in
+md5sum = fec6a312e4ef84b02837742992aaf495

software/slapos-master/haproxy.cfg.in

+{% set server_check_path = parameter_dict['server-check-path'] -%}
+global
+  maxconn 4096
+  stats socket {{ parameter_dict['socket-path'] }} level admin
+
+defaults
+  mode http
+  retries 1
+  option redispatch
+  maxconn 2000
+  cookie SERVERID rewrite
+  balance roundrobin
+  stats uri /haproxy
+  stats realm Global\ statistics
+  # it is useless to have timeout much bigger than the one of apache.
+  # By default apache use 300s, so we set slightly more in order to
+  # make sure that apache will first stop the connection.
+  timeout server 305s
+  # Stop waiting in queue for a zope to become available.
+  # If no zope can be reached after one minute, consider the request will
+  # never succeed.
+  timeout queue 60s
+  # The connection should be immediate on LAN,
+  # so we should not set more than 5 seconds, and it could be already too much
+  timeout connect 5s
+  # As requested in haproxy doc, make this "at least equal to timeout server".
+  timeout client 305s
+  # Use "option httpclose" to not preserve client & server persistent connections
+  # while handling every incoming request individually, dispatching them one after
+  # another to servers, in HTTP close mode. This is really needed when haproxy
+  # is configured with maxconn to 1, without this option browsers are unable
+  # to render a page
+  option httpclose
+
+{% for name, (port, backend_list) in sorted(parameter_dict['backend-dict'].iteritems()) -%}
+listen {{ name }}
+  bind {{ parameter_dict['ip'] }}:{{ port }}
+  http-request set-header X-Balancer-Current-Cookie SERVERID
+{%   set has_webdav = [] -%}
+{%   for address, connection_count, webdav in backend_list -%}
+{%     if webdav %}{% do has_webdav.append(None) %}{% endif -%}
+{%     set server_name = name ~ '-' ~ loop.index0 -%}
+  server {{ server_name }} {{ address }} cookie {{ server_name }} check inter 3s rise 1 fall 2 maxqueue 5 maxconn {{ connection_count }}
+{%   endfor -%}
+{%-  if not has_webdav and server_check_path %}
+  option httpchk GET {{ server_check_path }}
+{%   endif -%}
+{% endfor %}

software/slapos-master/instance-balancer.cfg.in

+{% import "caucase" as caucase with context %}
+{% set part_list = [] -%}
+{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
+{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
+{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend-caucase-url-list', []) -%}
+{% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
+{#
+XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
+per partition. No more (undefined result), no less (IndexError).
+-#}
+{% set ipv4 = (ipv4_set | list)[0] -%}
+{% set apache_ip_list = [ipv4] -%}
+{% if ipv6_set -%}
+{%   set ipv6 = (ipv6_set | list)[0] -%}
+{%   do apache_ip_list.append('[' ~ ipv6 ~ ']') -%}
+{% endif -%}
+
+[jinja2-template-base]
+recipe = slapos.recipe.template:jinja2
+
+{{ caucase.updater(
+     prefix='caucase-updater',
+     buildout_bin_directory=parameter_dict['bin-directory'],
+     updater_path='${directory:services-on-watch}/caucase-updater',
+     url=ssl_parameter_dict['caucase-url'],
+     data_dir='${directory:srv}/caucase-updater',
+     crt_path='${apache-conf-ssl:caucase-cert}',
+     ca_path='${apache-conf-ssl:ca-cert}',
+     crl_path='${apache-conf-ssl:crl}',
+     key_path='${apache-conf-ssl:caucase-key}',
+     on_renew='${apache-graceful:output}',
+     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
+     template_csr_pem=ssl_parameter_dict.get('csr'),
+     openssl=parameter_dict['openssl'] ~ '/bin/openssl',
+)}}
+{% do section('caucase-updater') -%}
+
+{% set haproxy_dict = {} -%}
+{% set apache_dict = {} -%}
+{% set zope_virtualhost_monster_backend_dict = {} %}
+{% set test_runner_url_dict = {} %} {# family_name => list of URLs #}
+{% set next_port = itertools.count(slapparameter_dict['tcpv4-port']).next -%}
+{% for family_name, parameter_id_list in sorted(
+  slapparameter_dict['zope-family-dict'].iteritems()) -%}
+{%   set zope_family_address_list = [] -%}
+{%   set ssl_authentication = slapparameter_dict['ssl-authentication-dict'].get(family_name, False) -%}
+{%   set has_webdav = [] -%}
+{%   for parameter_id in parameter_id_list -%}
+{%     set zope_address_list = slapparameter_dict[parameter_id] -%}
+{%     for zope_address, maxconn, webdav in zope_address_list -%}
+{%       if webdav -%}
+{%         do has_webdav.append(None) %}
+{%       endif -%}
+{%       set zope_effective_address = zope_address -%}
+{%       do zope_family_address_list.append((zope_effective_address, maxconn, webdav)) -%}
+{%     endfor -%}
+
+{#     # Generate entries with rewrite rule for test runnners #}
+{%     set test_runner_address_list = slapparameter_dict.get(parameter_id ~ '-test-runner-address-list', []) %}
+{%     if test_runner_address_list -%}
+{%       set test_runner_backend_mapping = {} %}
+{%       set test_runner_balancer_url_list = [] %}
+{%       set test_runner_external_port = next_port() %}
+{%       for i, (test_runner_internal_ip, test_runner_internal_port) in enumerate(test_runner_address_list) %}
+{%         do test_runner_backend_mapping.__setitem__(
+                'unit_test_' ~ i,
+                'http://' ~ test_runner_internal_ip ~ ':' ~ test_runner_internal_port ) %}
+{%         do test_runner_balancer_url_list.append(
+                'https://' ~ ipv4 ~ ':' ~ test_runner_external_port ~ '/unit_test_' ~ i ~ '/' ) %}
+{%       endfor %}
+{%       do zope_virtualhost_monster_backend_dict.__setitem__(
+              (ipv4, test_runner_external_port),
+              ( ssl_authentication, test_runner_backend_mapping ) ) -%}
+{%       do test_runner_url_dict.__setitem__(family_name, test_runner_balancer_url_list) -%}
+{%     endif -%}
+{%   endfor -%}
+
+{# Make rendering fail artificially if any family has no known backend.
+ # This is useful as haproxy's hot-reconfiguration mechanism is
+ # supervisord-incompatible.
+ # As jinja2 postpones KeyError until place-holder value is actually used,
+ # do a no-op getitem.
+-#}
+{%   do zope_family_address_list[0][0] -%}
+{%   set haproxy_port = next_port() -%}
+{%   set backend_path = slapparameter_dict['backend-path-dict'][family_name] -%}
+{%   do haproxy_dict.__setitem__(family_name, (haproxy_port, zope_family_address_list)) -%}
+{%   if has_webdav -%}
+{%     set internal_scheme = 'http' -%}{# mod_rewrite does not recognise webdav scheme -#}
+{%     set external_scheme = 'webdavs' -%}
+{%   else %}
+{%     set internal_scheme = 'http' -%}
+{%     set external_scheme = 'https' -%}
+{%   endif -%}
+{%   do apache_dict.__setitem__(family_name, (next_port(), external_scheme, internal_scheme ~ '://' ~ ipv4 ~ ':' ~ haproxy_port ~ backend_path, slapparameter_dict['ssl-authentication-dict'].get(family_name, False))) -%}
+{% endfor -%}
+
+[haproxy-cfg-parameter-dict]
+socket-path = ${directory:run}/haproxy.sock
+server-check-path = {{ dumps(slapparameter_dict['haproxy-server-check-path']) }}
+backend-dict = {{ dumps(haproxy_dict) }}
+ip = {{ ipv4 }}
+
+[haproxy-cfg]
+< = jinja2-template-base
+url = {{ parameter_dict['template-haproxy-cfg'] }}
+output = ${directory:etc}/haproxy.cfg
+context = section parameter_dict haproxy-cfg-parameter-dict
+extensions = jinja2.ext.do
+
+[{{ section('haproxy') }}]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:services}/haproxy
+command-line = "{{ parameter_dict['haproxy'] }}/sbin/haproxy" -f "${haproxy-cfg:output}"
+hash-files = ${haproxy-cfg:output}
+
+[apache-conf-ssl]
+cert = ${directory:apache-conf}/apache.crt
+key = ${directory:apache-conf}/apache.pem
+# XXX caucase certificate is not supported by caddy for now
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
+ca-cert =  ${directory:apache-conf}/ca.crt
+crl = ${directory:apache-conf}/crl.pem
+
+[simplefile]
+< = jinja2-template-base
+inline = {{ '{{ content }}' }}
+
+{% macro simplefile(section_name, file_path, content, mode='') -%}
+{%   set content_section_name = section_name ~ '-content' -%}
+[{{  content_section_name }}]
+content = {{ dumps(content) }}
+
+[{{  section(section_name) }}]
+< = simplefile
+output = {{ file_path }}
+context = key content {{content_section_name}}:content
+mode = {{ mode }}
+{%- endmacro %}
+
+
+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:output}
+cert = ${apache-ssl-cert:output}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
+[apache-conf-parameter-dict]
+backend-list = {{ dumps(apache_dict.values()) }}
+zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
+ip-list = {{ dumps(apache_ip_list) }}
+pid-file = ${directory:run}/apache.pid
+log-dir = ${directory:log}
+error-log = ${directory:log}/apache-error.log
+access-log = ${directory:log}/apache-access.log
+# Apache 2.4's default value (60 seconds) can be a bit too short
+timeout = 300
+# Basic SSL server configuration
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
+cipher =
+ssl-session-cache = ${directory:log}/apache-ssl-session-cache
+# Client x509 auth
+ca-cert = ${apache-conf-ssl:ca-cert}
+crl = ${apache-conf-ssl:crl}
+
+{% if shared_ca_path -%}
+shared-ca-cert = {{ shared_ca_path }}/cacert.pem
+{% if slapparameter_dict.get('check-crl') -%}
+shared-crl = {{ shared_ca_path }}/crl
+{%- endif %}
+{%- endif %}
+
+[apache-conf]
+< = jinja2-template-base
+url = {{ parameter_dict['template-apache-conf'] }}
+output = ${directory:apache-conf}/apache.conf
+context = section parameter_dict apache-conf-parameter-dict
+
+[{{ section('apache') }}]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:services}/apache
+command-line = "{{ parameter_dict['apache'] }}/bin/httpd" -f "${apache-conf:output}" -DFOREGROUND
+wait-for-files =
+  ${apache-conf-ssl:cert}
+  ${apache-conf-ssl:key}
+
+[apache-graceful]
+recipe = collective.recipe.template
+output = ${directory:bin}/apache-httpd-graceful
+mode = 700
+input = inline:
+  #!/bin/sh
+  kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"
+
+[{{ section('apache-promise') }}]
+# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
+<= monitor-promise-base
+promise = check_socket_listening
+name = apache.py
+config-host = {{ ipv4 }}
+config-port = {{ apache_dict.values()[0][0] }}
+
+[{{ section('publish') }}]
+recipe = slapos.cookbook:publish.serialised
+{% for family_name, (apache_port, scheme, _, _) in apache_dict.items() -%}
+{{   family_name ~ '-v6' }} = {% if ipv6_set %}{{ scheme ~ '://[' ~ ipv6 ~ ']:' ~ apache_port }}{% endif %}
+{{   family_name }} = {{ scheme ~ '://' ~ ipv4 ~ ':' ~ apache_port }}
+{% endfor -%}
+{% for family_name, test_runner_url_list in test_runner_url_dict.items() -%}
+{{    family_name ~ '-test-runner-url-list' }} = {{ dumps(test_runner_url_list) }}
+{% endfor -%}
+
+monitor-base-url = ${monitor-publish-parameters:monitor-base-url}
+
+{% set apache_service_log_list = {} -%}
+{% for family_name, (_, _, _, authentication) in apache_dict.items() -%}
+{%   if authentication -%}
+{%     set base_name = 'apache-' ~ family_name -%}
+{%     do part_list.append('logrotate-' ~ base_name) -%}
+{%     do apache_service_log_list.__setitem__(family_name, base_name) -%}
+[logrotate-{{ base_name }}]
+< = logrotate-entry-base
+name = {{ base_name }}
+log = ${apache-conf-parameter-dict:log-dir}/{{ base_name }}-error.log ${apache-conf-parameter-dict:log-dir}/{{ base_name }}-access.log
+post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bin-directory'] }}/slapos-kill --pidfile ${apache-conf-parameter-dict:pid-file} -s USR1
+{%   endif -%}
+{% endfor -%}
+
+[{{ section('logrotate-apache') }}]
+< = logrotate-entry-base
+name = apache
+log = ${apache-conf-parameter-dict:error-log} ${apache-conf-parameter-dict:access-log}
+post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bin-directory'] }}/slapos-kill --pidfile ${apache-conf-parameter-dict:pid-file} -s USR1
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+apache-conf = ${:etc}/apache
+bin = ${buildout:directory}/bin
+etc = ${buildout:directory}/etc
+services = ${:etc}/run
+services-on-watch = ${:etc}/service
+var = ${buildout:directory}/var
+run = ${:var}/run
+log = ${:var}/log
+srv = ${buildout:directory}/srv
+ca-dir = ${buildout:directory}/srv/ssl
+requests = ${:ca-dir}/requests
+private = ${:ca-dir}/private
+certs = ${:ca-dir}/certs
+newcerts = ${:ca-dir}/newcerts
+crl = ${:ca-dir}/crl
+apachedex = ${monitor-directory:private}/apachedex
+
+[{{ section('resiliency-exclude-file') }}]
+# Generate rdiff exclude file in case of resiliency
+< = jinja2-template-base
+inline = {{ '{{ "${directory:log}/**\\n" }}' }}
+output = ${directory:srv}/exporter.exclude
+
+[{{ section('monitor-generate-apachedex-report') }}]
+recipe = slapos.cookbook:cron.d
+cron-entries = ${cron:cron-entries}
+name = generate-apachedex-report
+# The goal is to be executed before logrotate log rotation.
+# Here, logrotate-entry-base:frequency = daily, so we run at 23 o'clock every day.
+frequency = 0 23 * * *
+command = ${monitor-generate-apachedex-report-wrapper:wrapper-path}
+
+[monitor-generate-apachedex-report-wrapper]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:bin}/${:command}
+command-line = "{{ parameter_dict['run-apachedex-location'] }}" "{{ parameter_dict['apachedex-location'] }}" "${directory:apachedex}" ${monitor-publish-parameters:monitor-base-url}/private/apachedex --apache-log-list "${apachedex-parameters:apache-log-list}" --configuration ${apachedex-parameters:configuration}
+command = generate-apachedex-report
+
+[monitor-apachedex-report-config]
+recipe = slapos.recipe.template
+output = ${directory:etc}/${:_buildout_section_name_}
+inline =
+  {% for line in slapparameter_dict['apachedex-configuration'] %}
+    {# apachedex config files use shlex.split, so we need to quote the arguments. #}
+    {# BBB: in python 3 we can use shlex.quote instead. #}
+    {{ repr(line.encode('utf-8')) }}
+  {% endfor %}
+
+[apachedex-parameters]
+apache-log-list = ${apache-conf-parameter-dict:access-log}
+configuration = ${monitor-apachedex-report-config:output}
+promise-threshold = {{ slapparameter_dict['apachedex-promise-threshold'] }}
+
+[{{ section('monitor-promise-apachedex-result') }}]
+<= monitor-promise-base
+promise = check_command_execute
+name = check-apachedex-result.py
+config-command = "{{ parameter_dict['promise-check-apachedex-result'] }}" --apachedex_path "${directory:apachedex}" --status_file ${monitor-directory:private}/apachedex.report.json --threshold "${apachedex-parameters:promise-threshold}"
+
+[{{ section('promise-check-computer-memory') }}]
+<= monitor-promise-base
+promise = check_command_execute
+name = check-computer-memory.py
+config-command = "{{ parameter_dict["check-computer-memory-binary"] }}" -db ${monitor-instance-parameter:collector-db} --threshold "{{ slapparameter_dict["computer-memory-percent-threshold"] }}" --unit percent
+
+[monitor-instance-parameter]
+monitor-httpd-ipv6 = {{ (ipv6_set | list)[0] }}
+monitor-httpd-port = {{ next_port() }}
+monitor-title = {{ slapparameter_dict['name'] }}
+password = {{ slapparameter_dict['monitor-passwd'] }}
+
+[buildout]
+extends =
+  {{ template_monitor }}
+parts +=
+  {{ part_list | join('\n  ') }}

software/slapos-master/instance-erp5.cfg.in

+{% import "root_common" as root_common with context -%}
+{% import "caucase" as caucase with context %}
+{% set frontend_dict = slapparameter_dict.get('frontend', {}) -%}
+{% set has_frontend = frontend_dict.get('software-url', '') != '' -%}
+{% set site_id = slapparameter_dict.get('site-id', 'erp5') -%}
+{% set inituser_login = slapparameter_dict.get('inituser-login', 'zope') -%}
+{% set publish_dict = {'site-id': site_id, 'inituser-login': inituser_login} -%}
+{% set has_posftix = slapparameter_dict.get('smtp', {}).get('postmaster') -%}
+{% set jupyter_dict = slapparameter_dict.get('jupyter', {}) -%}
+{% set has_jupyter = jupyter_dict.get('enable', jupyter_enable_default.lower() in ('true', 'yes')) -%}
+{% set jupyter_zope_family = jupyter_dict.get('zope-family', '') -%}
+{% set wcfs_dict = slapparameter_dict.get('wcfs', {}) -%}
+{% set wcfs_enable = wcfs_dict.get('enable', wcfs_enable_default.lower() in ('true', 'yes')) -%}
+{% set test_runner_enabled = slapparameter_dict.get('test-runner', {}).get('enabled', True) -%}
+{% set test_runner_node_count = slapparameter_dict.get('test-runner', {}).get('node-count', 3) -%}
+{% set test_runner_extra_database_count = slapparameter_dict.get('test-runner', {}).get('extra-database-count', 3) -%}
+{% set test_runner_total_database_count = test_runner_node_count * (1 + test_runner_extra_database_count) -%}
+{# Backward compatibility for mariadb.test-database-amount #}
+{% set mariadb_test_database_amount = slapparameter_dict.get('mariadb', {}).get('test-database-amount') -%}
+{% if mariadb_test_database_amount is not none -%}
+{%   set test_runner_total_database_count = mariadb_test_database_amount %}
+{%   set test_runner_enabled = mariadb_test_database_amount > 0 %}
+{% endif -%}
+{# Backward compatibility for cloudooo-url #}
+{% if slapparameter_dict.get('cloudooo-url') -%}
+{%   do slapparameter_dict.setdefault('cloudooo-url-list', slapparameter_dict['cloudooo-url'].split(',')) %}
+{% endif -%}
+{% set test_runner_random_activity_priority = slapparameter_dict.get('test-runner', {}).get('random-activity-priority') -%}
+{% set monitor_base_url_dict = {} -%}
+{% set monitor_dict = slapparameter_dict.get('monitor', {}) %}
+{% set use_ipv6 = slapparameter_dict.get('use-ipv6', False) -%}
+{% set partition_thread_count_list = [] -%}
+{% set zope_partition_dict = slapparameter_dict.get('zope-partition-dict', {'1': {}}) -%}
+{% set zope_family_override_dict = slapparameter_dict.get('family-override', {}) -%}
+{% for zope_parameter_dict in zope_partition_dict.values() -%}
+{#   Apply some zope_parameter_dict default values, to avoid duplication. -#}
+{%   do zope_parameter_dict.setdefault('thread-amount', 4) -%}
+{%   do zope_parameter_dict.setdefault('instance-count', 1) -%}
+{%   do partition_thread_count_list.append(zope_parameter_dict['thread-amount'] * zope_parameter_dict['instance-count']) -%}
+{% endfor -%}
+[request-common]
+<= request-common-base
+config-use-ipv6 = {{ dumps(slapparameter_dict.get('use-ipv6', False)) }}
+config-computer-memory-percent-threshold = {{ dumps(monitor_dict.get('computer-memory-percent-threshold', 80)) }}
+{% set caucase_dict = slapparameter_dict.get('caucase', {}) -%}
+{% set caucase_url = caucase_dict.get('url', '') -%}
+
+{% macro request(name, software_type, config_key, config, ret={'url': True}, key_config={}) -%}
+{% do config.update(slapparameter_dict.get(config_key, {})) -%}
+{% set section = 'request-' ~ name -%}
+[{{ section }}]
+<= request-common
+name = {{ name }}
+software-type = {{ software_type }}
+return = {{ ' '.join(ret) }}
+{% for ret, publish in ret.iteritems() -%}
+{%   if publish -%}
+{%     do publish_dict.__setitem__(name ~ '-' ~ ret, '${' ~ section ~ ':connection-' ~ ret ~ '}') %}
+{%   endif -%}
+{%   if ret == "monitor-base-url" -%}
+{%     do monitor_base_url_dict.__setitem__(section, '${' ~ section ~ ':connection-' ~ ret ~ '}') -%}
+{%   endif -%}
+{% endfor -%}
+{{ root_common.sla(name) }}
+{% for k, v in config.iteritems() -%}
+config-{{ k }} = {{ dumps(v) }}
+{% endfor -%}
+{% for k, v in key_config.iteritems() -%}
+config-{{ k }} = {{ '${' ~ v ~ '}' }}
+{% endfor -%}
+config-name = {{ name }}
+{% endmacro -%}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+bin = ${buildout:directory}/bin
+service-on-watch = ${buildout:directory}/etc/service
+srv = ${buildout:directory}/srv
+backup-caucased = ${:srv}/backup/caucased
+
+{% if not caucase_url -%}
+{%   if use_ipv6 -%}
+{%     set caucase_host = '[' ~ (ipv6_set | list)[0] ~ ']' %}
+{%-  else -%}
+{%     set caucase_host = (ipv4_set | list)[0] %}
+{%-  endif %}
+{%   set caucase_port = caucase_dict.get('base-port', 8890) -%}
+{%   set caucase_netloc = caucase_host ~ ':' ~ caucase_port -%}
+{%   set caucase_url = 'http://' ~ caucase_netloc -%}
+{{   caucase.caucased(
+       prefix='caucased',
+       buildout_bin_directory=bin_directory,
+       caucased_path='${directory:service-on-watch}/caucased',
+       backup_dir='${directory:backup-caucased}',
+       data_dir='${directory:srv}/caucased',
+       netloc=caucase_netloc,
+       tmp='${directory:tmp}',
+       service_auto_approve_count=caucase_dict.get('service-auto-approve-amount', 1),
+       user_auto_approve_count=caucase_dict.get('user-auto-approve-amount', 0),
+       key_len=caucase_dict.get('key-length', 2048),
+)}}
+{% do root_common.section('caucased') -%}
+{% do root_common.section('caucased-promise') -%}
+{% endif -%}
+{% do publish_dict.__setitem__('caucase-http-url', caucase_url) -%}
+{% set balancer_dict = slapparameter_dict.setdefault('balancer', {}) -%}
+{% do balancer_dict.setdefault('ssl', {}).setdefault('caucase-url', caucase_url) -%}
+{% do balancer_dict.setdefault('tcpv4-port', 2150) -%}
+{% do balancer_dict.__setitem__('haproxy-server-check-path', balancer_dict.get('haproxy-server-check-path', '/') % {'site-id': site_id}) -%}
+{% set routing_path_template_field_dict = {"site-id": site_id} -%}
+{% macro expandRoutingPath(output, input) -%}
+{%   for outer_prefix, inner_prefix in input -%}
+{%     do output.append((outer_prefix, inner_prefix % routing_path_template_field_dict)) -%}
+{%   endfor -%}
+{% endmacro -%}
+{% set path_routing_list = [] -%}
+{% do expandRoutingPath(
+  path_routing_list,
+  balancer_dict.get(
+    'path-routing-list',
+    (('/', '/'), ),
+  ),
+) -%}
+{% do balancer_dict.__setitem__('path-routing-list', path_routing_list) -%}
+{% set family_path_routing_dict = {} -%}
+{% for name, family_path_routing_list in balancer_dict.get(
+  'family-path-routing-dict',
+  {},
+).items() -%}
+{%    set path_routing_list = [] -%}
+{%    do expandRoutingPath(path_routing_list, family_path_routing_list) -%}
+{%    do family_path_routing_dict.__setitem__(name, path_routing_list) -%}
+{% endfor -%}
+{% do balancer_dict.__setitem__('family-path-routing-dict', family_path_routing_dict) -%}
+
+{{ request('memcached-persistent', 'kumofs', 'kumofs', {'tcpv4-port': 2000}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
+{{ request('memcached-volatile', 'kumofs', 'memcached', {'tcpv4-port': 2010, 'ram-storage-size': 64}, {'url': True, 'monitor-base-url': False}, key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
+{# Notes on max-connection-count: On a standard ERP5, each transaction
+   can have 4 connections to mariadb: activities, catalog, deferred and
+   transactionless. Count 5 to have some headroom. Multiply by the total
+   number of zope threads for all processes from all partitions to get the
+   expected number of connections. Add 50 for have some more zope-independent
+   headroom (automated probes, replication, ...).
+-#}
+{{ request('mariadb', 'mariadb', 'mariadb',
+  {
+    'tcpv4-port': 2099,
+    'max-slowqueries-threshold': monitor_dict.get('max-slowqueries-threshold', 1000),
+    'slowest-query-threshold': monitor_dict.get('slowest-query-threshold', ''),
+    'test-database-amount': test_runner_total_database_count,
+    'max-connection-count': sum(partition_thread_count_list) * 5 + 50,
+  },
+  {
+    'database-list': True,
+    'test-database-list': True,
+    'monitor-base-url': False,
+  },
+  key_config={'monitor-passwd': 'monitor-htpasswd:passwd'},
+) }}
+{% if has_posftix -%}
+{{   request('smtp', 'postfix', 'smtp', {'tcpv4-port': 2025, 'smtpd-sasl-user': 'erp5@nowhere'}, key_config={'smtpd-sasl-password': 'publish-early:smtpd-sasl-password', 'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
+{%- else %}
+[request-smtp]
+# Placeholder smtp service URL
+connection-url = smtp://127.0.0.2:0/
+{%- endif %}
+
+{# ZODB -#}
+{% set zodb_dict = {} -%}
+{% set storage_dict = {} -%}
+{% set mountpoints = set() -%}
+{% for zodb in slapparameter_dict.get('zodb') or ({'type': 'zeo', 'server': {}},) -%}
+{%   do mountpoints.add(zodb.setdefault('mount-point', '/')) -%}
+{%   set name = zodb.pop('name', 'root') -%}
+{%   do assert(name not in zodb_dict, name, zodb_dict) -%}
+{%   do zodb_dict.__setitem__(name, zodb) -%}
+{%   if 'server' in zodb -%}
+{%     do storage_dict.setdefault(zodb['type'], {}).__setitem__(name, zodb.pop('server')) -%}
+{%   endif -%}
+{% endfor -%}
+{% do assert(len(mountpoints) == len(zodb_dict)) -%}
+{% set neo = [] -%}
+{% for server_type, server_dict in storage_dict.iteritems() -%}
+{%   if server_type == 'neo' -%}
+{%     set ((name, server_dict),) = server_dict.items() -%}
+{%     do neo.append(server_dict.get('cluster')) -%}
+{%     do server_dict.update(cluster='${publish-early:neo-cluster}') -%}
+{{     root_common.request_neo(server_dict, 'zodb-neo', 'neo-', monitor_base_url_dict) }}
+{%     set client_dict = zodb_dict[name].setdefault('storage-dict', {}) -%}
+{%     for k in 'ssl', '_ca', '_cert', '_key' -%}
+{%       do k in server_dict and client_dict.setdefault(k, server_dict[k]) -%}
+{%     endfor -%}
+{%   else -%}
+{{     assert(server_type == 'zeo', server_type) -}}
+{# BBB: for compatibility, keep 'zodb' as partition_reference for ZEO -#}
+{{     request('zodb', 'zodb-' ~ server_type, 'zodb-' ~ server_type, {'tcpv4-port': 2100, 'zodb-dict': server_dict}, dict.fromkeys(('storage-dict', 'tidstorage-ip', 'tidstorage-port', 'monitor-base-url')), key_config={'monitor-passwd': 'monitor-htpasswd:passwd'}) }}
+{%   endif -%}
+{% endfor -%}
+
+[request-zodb-base]
+config-zodb-dict = {{ dumps(zodb_dict) }}
+{% for server_type, server_dict in storage_dict.iteritems() -%}
+{%   if server_type == 'neo' -%}
+config-neo-cluster = ${publish-early:neo-cluster}
+config-neo-name = {{ server_dict.keys()[0] }}
+config-neo-masters = ${publish-early:neo-masters}
+{%   else -%}
+config-zodb-zeo = ${request-zodb:connection-storage-dict}
+config-tidstorage-ip = ${request-zodb:connection-tidstorage-ip}
+config-tidstorage-port = ${request-zodb:connection-tidstorage-port}
+{%   endif -%}
+{% endfor -%}
+
+
+{% set zope_address_list_id_dict = {} -%}
+{% if zope_partition_dict -%}
+
+[request-zope-base]
+<= request-common
+   request-zodb-base
+return =
+  zope-address-list
+  hosts-dict
+  monitor-base-url
+  software-release-url
+{%- if test_runner_enabled %}
+  test-runner-address-list
+{% endif %}
+{% set bt5_default_list = [
+  'erp5_full_text_mroonga_catalog',
+  'slapos_configurator',
+] -%}
+{% if has_jupyter -%}
+{%   do bt5_default_list.append('erp5_data_notebook') -%}
+{% endif -%}
+config-bt5 = {{ dumps(slapparameter_dict.get('bt5', ' '.join(bt5_default_list))) }}
+config-bt5-repository-url = {{ dumps(slapparameter_dict.get('bt5-repository-url', local_bt5_repository)) }}
+config-cloudooo-url-list = {{ dumps(slapparameter_dict.get('cloudooo-url-list', default_cloudooo_url_list)) }}
+config-caucase-url = {{ dumps(caucase_url) }}
+config-deadlock-debugger-password = ${publish-early:deadlock-debugger-password}
+config-developer-list = {{ dumps(slapparameter_dict.get('developer-list', [inituser_login])) }}
+config-selenium-server-configuration-dict = {{ dumps(slapparameter_dict.get('selenium-server-configuration-dict', {})) }}
+config-hosts-dict = {{ dumps(slapparameter_dict.get('hosts-dict', {})) }}
+config-computer-hosts-dict = {{ dumps(slapparameter_dict.get('computer-hosts-dict', {})) }}
+config-hostalias-dict = {{ dumps(slapparameter_dict.get('hostalias-dict', {})) }}
+config-id-store-interval = {{ dumps(slapparameter_dict.get('id-store-interval')) }}
+config-zope-longrequest-logger-error-threshold = {{ dumps(monitor_dict.get('zope-longrequest-logger-error-threshold', 20)) }}
+config-zope-longrequest-logger-maximum-delay = {{ dumps(monitor_dict.get('zope-longrequest-logger-maximum-delay', 0)) }}
+config-inituser-login = {{ dumps(inituser_login) }}
+config-inituser-password-hashed = ${publish-early:inituser-password-hashed}
+config-kumofs-url = ${request-memcached-persistent:connection-url}
+config-memcached-url = ${request-memcached-volatile:connection-url}
+config-monitor-passwd = ${monitor-htpasswd:passwd}
+config-mysql-test-url-list = ${request-mariadb:connection-test-database-list}
+config-mysql-url-list = ${request-mariadb:connection-database-list}
+config-python-hash-seed = {{ dumps(slapparameter_dict.get('python-hash-seed', '')) }}
+config-site-id = {{ dumps(site_id) }}
+config-smtp-url = ${request-smtp:connection-url}
+config-timezone = {{ dumps(slapparameter_dict.get('timezone', 'UTC')) }}
+config-cloudooo-retry-count = {{ slapparameter_dict.get('cloudooo-retry-count', 2) }}
+config-wendelin-core-zblk-fmt = {{ dumps(slapparameter_dict.get('wendelin-core-zblk-fmt', '')) }}
+config-test-runner-enabled = {{ dumps(test_runner_enabled) }}
+config-test-runner-node-count = {{ dumps(test_runner_node_count) }}
+config-test-runner-random-activity-priority = {{ dumps(test_runner_random_activity_priority) }}
+config-wcfs_enable = {{ dumps(wcfs_enable) }}
+config-test-runner-configuration = {{ dumps(slapparameter_dict.get('test-runner', {})) }}
+software-type = zope
+
+{% set global_publisher_timeout = slapparameter_dict.get('publisher-timeout') -%}
+{% set global_activity_timeout = slapparameter_dict.get('activity-timeout') -%}
+{% set zope_family_dict = {} -%}
+{% set zope_family_name_list = [] -%}
+{% set zope_backend_path_dict = {} -%}
+{% set ssl_authentication_dict = {} -%}
+{% set jupyter_zope_family_default = [] -%}
+{% for custom_name, zope_parameter_dict in zope_partition_dict.items() -%}
+{%   set partition_name = 'zope-' ~ custom_name -%}
+{%   set section_name = 'request-' ~ partition_name -%}
+{%   set promise_software_url_section_name = 'promise-software-url' ~ partition_name -%}
+{%   set zope_family = zope_parameter_dict.get('family', 'default') -%}
+{%   do zope_family_name_list.append(zope_family) %}
+{%   set backend_path = zope_parameter_dict.get('backend-path', '') % {'site-id': site_id} %}
+{#   # default jupyter zope family is first zope family. -#}
+{#   # use list.append() to update it, because in jinja2 set changes only local scope. -#}
+{%   if not jupyter_zope_family_default -%}
+{%     do jupyter_zope_family_default.append(zope_family) -%}
+{%   endif -%}
+{%   do zope_family_dict.setdefault(zope_family, []).append(section_name) -%}
+{%   do zope_backend_path_dict.__setitem__(zope_family, backend_path) -%}
+{%   do ssl_authentication_dict.__setitem__(zope_family, zope_parameter_dict.get('ssl-authentication', False)) -%}
+{%   set current_zope_family_override_dict = zope_family_override_dict.get(zope_family, {}) -%}
+[{{ section_name }}]
+<= request-zope-base
+name = {{ partition_name }}
+{% do monitor_base_url_dict.__setitem__(section_name, '${' ~ section_name ~ ':connection-monitor-base-url}') -%}
+{{ root_common.sla(partition_name) }}
+config-name = {{ dumps(custom_name) }}
+config-instance-count = {{ dumps(zope_parameter_dict['instance-count']) }}
+config-private-dev-shm = {{ zope_parameter_dict.get('private-dev-shm', '') }}
+config-thread-amount = {{ dumps(zope_parameter_dict['thread-amount']) }}
+config-timerserver-interval = {{ dumps(zope_parameter_dict.get('timerserver-interval', 5)) }}
+config-longrequest-logger-interval = {{ dumps(zope_parameter_dict.get('longrequest-logger-interval', -1)) }}
+config-longrequest-logger-timeout = {{ dumps(zope_parameter_dict.get('longrequest-logger-timeout', 1)) }}
+config-large-file-threshold = {{ dumps(zope_parameter_dict.get('large-file-threshold', "10MB")) }}
+config-port-base = {{ dumps(zope_parameter_dict.get('port-base', 2200)) }}
+config-with-max-rlimit-nofile = {{ dumps(slapparameter_dict.get('with-max-rlimit-nofile', false)) }}
+{# BBB: zope_parameter_dict used to contain 'webdav', so fallback to it -#}
+config-webdav = {{ dumps(current_zope_family_override_dict.get('webdav', zope_parameter_dict.get('webdav', False))) }}
+config-publisher-timeout = {{ dumps(current_zope_family_override_dict.get('publisher-timeout', global_publisher_timeout)) }}
+config-activity-timeout = {{ dumps(current_zope_family_override_dict.get('activity-timeout', global_activity_timeout)) }}
+{%   if test_runner_enabled -%}
+config-test-runner-balancer-url-list = ${publish-early:{{ zope_family }}-test-runner-url-list}
+
+[{{ promise_software_url_section_name }}]
+# Promise to wait for zope partition to use the expected software URL,
+# used on upgrades.
+recipe = slapos.cookbook:check_parameter
+value = {{ '${' ~ section_name ~ ':connection-software-release-url}' }}
+expected-not-value =
+expected-value = ${slap-connection:software-release-url}
+path = ${directory:bin}/${:_buildout_section_name_}
+
+{% do root_common.section(promise_software_url_section_name) -%}
+
+{%   endif -%}
+{% endfor -%}
+
+{# if not explicitly configured, connect jupyter to first zope family, which  -#}
+{# will be 'default' if zope families are not configured also -#}
+{% if not jupyter_zope_family and jupyter_zope_family_default -%}
+{%   set jupyter_zope_family = jupyter_zope_family_default[0] -%}
+{% endif -%}
+
+{# We need to concatenate lists that we cannot read as lists, so this gets hairy. -#}
+{% set zope_family_parameter_dict = {} -%}
+{% for family_name, zope_section_id_list in zope_family_dict.items() -%}
+{%   for zope_section_id in zope_section_id_list -%}
+{%     set parameter_name = 'zope-family-entry-' ~ zope_section_id -%}
+{%     do zope_address_list_id_dict.__setitem__(zope_section_id, parameter_name) -%}
+{%     do zope_family_parameter_dict.setdefault(family_name, []).append(parameter_name) -%}
+{%   endfor -%}
+{%   if has_frontend -%}
+{%     set frontend_name = 'frontend-' ~ family_name -%}
+{%     do publish_dict.__setitem__('family-' ~ family_name, '${' ~ frontend_name ~ ':connection-site_url}' ) -%}
+[{{ frontend_name }}]
+<= request-frontend-base
+name = {{ frontend_name }}
+config-url = ${request-balancer:connection-{{ family_name }}-v6}
+{%   else -%}
+{%     do publish_dict.__setitem__('family-' ~ family_name, '${request-balancer:connection-' ~ family_name ~ '}' ) -%}
+{%     do publish_dict.__setitem__('family-' ~ family_name ~ '-v6', '${request-balancer:connection-' ~ family_name ~ '-v6}' ) -%}
+{%   endif -%}
+{% endfor -%}
+
+{% if has_jupyter -%}
+{# request jupyter connected to balancer of proper zope family -#}
+{{   request('jupyter', 'jupyter', 'jupyter', {}, key_config={'erp5-url': 'request-balancer:connection-' ~ jupyter_zope_family}) }}
+
+{%   if has_frontend -%}
+[frontend-jupyter]
+<= request-frontend-base
+name = frontend-jupyter
+config-url = ${request-jupyter:connection-url}
+{#     # override jupyter-url in publish_dict with frontend address -#}
+{%     do publish_dict.__setitem__('jupyter-url', '${frontend-jupyter:connection-site_url}') -%}
+{%   endif -%}
+{%- endif %}
+
+{% if wcfs_enable -%}
+{# request WCFS connected to ZODB -#}
+{%   do root_common.section('request-wcfs') -%}
+{{   request('wcfs', 'wcfs', 'wcfs', {}, {}) }}
+
+[request-wcfs]
+<= request-common
+   request-zodb-base
+
+{%- endif %}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+{% if slapparameter_dict.get('shared-certificate-authority-path', '') -%}
+ca-dir = {{ slapparameter_dict.get('shared-certificate-authority-path') }}
+{% else -%}
+ca-dir = ${buildout:directory}/srv/ssl
+{% endif -%}
+bin = ${buildout:directory}/bin
+etc = ${buildout:directory}/etc
+tmp = ${buildout:directory}/tmp
+services = ${:etc}/run
+requests = ${:ca-dir}/requests
+private = ${:ca-dir}/private
+certs = ${:ca-dir}/certs
+newcerts = ${:ca-dir}/newcerts
+crl = ${:ca-dir}/crl
+
+[{{root_common.section('apache-certificate-authority')}}]
+recipe = slapos.cookbook:certificate_authority
+openssl-binary = {{ openssl_location }}/bin/openssl
+ca-dir = ${directory:ca-dir}
+requests-directory = ${directory:requests}
+wrapper = ${directory:services}/service-ca
+ca-private = ${directory:private}
+ca-certs = ${directory:certs}
+ca-newcerts = ${directory:newcerts}
+ca-crl = ${directory:crl}
+country-code = {{ dumps(slapparameter_dict.get('country-code', 'ZZ')) }}
+email = {{ dumps(slapparameter_dict.get('email', 'nobody@example.com')) }}
+state = {{ dumps(slapparameter_dict.get('state', "('State',)")) }}
+city = {{ dumps(slapparameter_dict.get('city', 'City')) }}
+company = {{ dumps(slapparameter_dict.get('company', 'Compagny')) }}
+
+# XXX - Big hack: Change access for certificate authority configuration
+#       To allow apache to read openssl.cnf in this folder
+[{{root_common.section('fix-ca-folder')}}]
+recipe = plone.recipe.command
+stop-on-error = true
+command =
+  chmod 644 ${apache-certificate-authority:ca-dir}/openssl.cnf
+update-command = ${:command}
+
+[request-balancer]
+<= request-common
+name = balancer
+software-type = balancer
+{{ root_common.sla('balancer') }}
+return =
+  monitor-base-url
+{%- for family in zope_family_dict %}
+  {{ family }}
+  {{ family }}-v6
+  {% if test_runner_enabled %}
+  {{ family }}-test-runner-url-list
+  {% endif %}
+{% endfor -%}
+{% do monitor_base_url_dict.__setitem__('request-balancer', '${' ~ 'request-balancer' ~ ':connection-monitor-base-url}') -%}
+config-zope-family-dict = {{ dumps(zope_family_parameter_dict) }}
+config-frontend-parameter-dict = {{ dumps({}) }}
+config-tcpv4-port = {{ dumps(balancer_dict.get('tcpv4-port', 2150)) }}
+{% for zope_section_id, name in zope_address_list_id_dict.items() -%}
+config-{{ name }} = {{ ' ${' ~ zope_section_id ~ ':connection-zope-address-list}' }}
+{%   if test_runner_enabled -%}
+config-{{ name }}-test-runner-address-list = {{ ' ${' ~ zope_section_id ~ ':connection-test-runner-address-list}' }}
+{%   endif -%}
+{% endfor -%}
+# XXX: should those really be same for all families ?
+config-haproxy-server-check-path = {{ dumps(balancer_dict.get('haproxy-server-check-path', '/') % {'site-id': site_id}) }}
+config-monitor-passwd = ${monitor-htpasswd:passwd}
+config-ssl = {{ dumps(balancer_dict['ssl']) }}
+config-name = ${:name}
+config-shared-certificate-authority-path = ${directory:ca-dir}
+config-check-crl = {{ dumps(slapparameter_dict.get('check-crl', True)) }}
+config-backend-path-dict = {{ dumps(zope_backend_path_dict) }}
+config-ssl-authentication-dict = {{ dumps(ssl_authentication_dict) }}
+config-apachedex-promise-threshold = {{ dumps(monitor_dict.get('apachedex-promise-threshold', 70)) }}
+config-apachedex-configuration = {{
+  dumps(
+    monitor_dict.get(
+      'apachedex-configuration',
+      [
+        '--erp5-base', '+erp5', '.*/VirtualHostRoot/erp5(/|\\?|$)',
+        '--base', '+other', '/',
+        '--skip-user-agent', 'Zabbix',
+        '--error-detail',
+        '--js-embed',
+        '--quiet'])) }}
+
+[request-frontend-base]
+{% if has_frontend -%}
+<= request-common
+recipe = slapos.cookbook:request
+software-url = {{ dumps(frontend_dict['software-url']) }}
+software-type = {{ dumps(frontend_dict.get('software-type', 'RootSoftwareInstance')) }}
+{{ root_common.sla('frontend', True) }}
+shared = true
+{% set config_dict = {
+  'type': 'zope',
+} -%}
+{%   if frontend_dict.get('domain') -%}
+{%     do config_dict.__setitem__('custom_domain', frontend_dict['domain']) -%}
+{%   endif -%}
+{%   if frontend_dict.get('virtualhostroot-http-port') -%}
+{%     do config_dict.__setitem__('virtualhostroot-http-port', frontend_dict['virtualhostroot-http-port']) -%}
+{%   endif -%}
+{%   if frontend_dict.get('virtualhostroot-https-port') -%}
+{%     do config_dict.__setitem__('virtualhostroot-https-port', frontend_dict['virtualhostroot-https-port']) -%}
+{%   endif -%}
+{%   for name, value in config_dict.items() -%}
+config-{{ name }} = {{ value }}
+{%   endfor -%}
+return = site_url
+{% endif -%}
+
+{% endif -%}{# if zope_partition_dict -#}
+
+[publish]
+<= monitor-publish
+recipe = slapos.cookbook:publish.serialised
+-extends = publish-early
+{% if zope_address_list_id_dict -%}
+{#
+Pick any published hosts-dict, they are expected to be identical - and there is
+no way to check here.
+-#}
+hosts-dict = {{ '${' ~ zope_address_list_id_dict.keys()[0] ~ ':connection-hosts-dict}' }}
+{% endif -%}
+{% for name, value in publish_dict.items() -%}
+{{   name }} = {{ value }}
+{% endfor -%}
+{% if test_runner_enabled -%}
+{%   for zope_family_name in zope_family_name_list -%}
+{{     zope_family_name }}-test-runner-url-list = ${request-balancer:connection-{{ zope_family_name }}-test-runner-url-list}
+{%   endfor -%}
+{% endif -%}
+
+[publish-early]
+recipe = slapos.cookbook:publish-early
+-init =
+  inituser-password gen-password:passwd
+  inituser-password-hashed gen-password:passwd-ldap-salted-sha1
+  deadlock-debugger-password gen-deadlock-debugger-password:passwd
+{%- if has_posftix %}
+  smtpd-sasl-password gen-smtpd-sasl-password:passwd
+{%- endif %}
+{%- if test_runner_enabled %}
+{%-   for zope_family_name in zope_family_name_list %}
+  {{ zope_family_name }}-test-runner-url-list default-balancer-test-runner-url-list:{{ zope_family_name }}
+{%-   endfor %}
+{%- endif %}
+{%- if neo %}
+  neo-cluster gen-neo-cluster:name
+  neo-admins neo-cluster:admins
+  neo-masters neo-cluster:masters
+{%-  if neo[0] %}
+neo-cluster = {{ dumps(neo[0]) }}
+{%-  endif %}
+{%- endif %}
+{%- set deadlock_debugger_password = slapparameter_dict.get('deadlock-debugger-password') -%}
+{%- if deadlock_debugger_password %}
+deadlock-debugger-password = {{ dumps(deadlock_debugger_password) }}
+{% endif %}
+
+{%- if test_runner_enabled %}
+[default-balancer-test-runner-url-list]
+recipe =
+{%-   for zope_family_name in zope_family_name_list %}
+{{ zope_family_name }} = not-ready
+{%-   endfor %}
+{%- endif %}
+
+[gen-password]
+recipe = slapos.cookbook:generate.password
+storage-path =
+{%- set inituser_password = slapparameter_dict.get('inituser-password') %}
+{%- if inituser_password %}
+passwd = {{ dumps(inituser_password) }}
+{%- endif %}
+
+[gen-deadlock-debugger-password]
+<= gen-password
+
+[gen-neo-cluster-base]
+<= gen-password
+
+[gen-neo-cluster]
+name = neo-${gen-neo-cluster-base:passwd}
+
+[gen-smtpd-sasl-password]
+< = gen-password
+
+{{ root_common.common_section() }}
+
+[monitor-conf-parameters]
+monitor-title = ERP5
+password = ${monitor-htpasswd:passwd}
+
+[monitor-base-url-dict]
+{% for key, value in monitor_base_url_dict.items() -%}
+{{ key }} = {{ value }}
+{% endfor %}

software/slapos-master/software.cfg

 [buildout]
 extends =
   ../../software/wendelin/software.cfg
+  buildout.hash.cfg
 
 [erp5-defaults]
 wcfs-enable-default = true
@@ -43,6 +44,26 @@ extra-paths +=
   ${vifib:location}/master
   ${slapos-bin:location}
 
+
+### Overwrite recipes to introduce customized changes
+[download-base-part]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+
+[template-erp5]
+< = download-base-part
+filename = instance-erp5.cfg.in
+
+[template-balancer]
+< = download-base-part
+filename = instance-balancer.cfg.in
+
+[template-apache-backend-conf]
+url = ${:_profile_base_location_}/${:filename}
+
+[template-haproxy-cfg]
+url = ${:_profile_base_location_}/${:filename}
+
 [versions]
 python-memcached = 1.47
 xml-marshaller = 1.0.2

[Rafael Monnerat]

I reverted 3d63cd39 because it was pushed by mistake. Sorry about that.

This commit is part of: !1381