Update Release Candidate

bd1399d3 · Rafael Monnerat · d4173404 · 07d64efb · bd1399d3 · bd1399d3
Commit bd1399d3 authored Mar 12, 2019 by Rafael Monnerat
9 changed files
--- a/software/kvm/README.rst
+++ b/software/kvm/README.rst
@@ -59,8 +59,8 @@ KVM instance parameters:
    For port forwarding to IPv6 of slapos partition
 - use-nat (default: True)
    Add one interface using qemu User Network (NAT), this interface support nat-rules.
- use-tap (default: False)
-    Add One interface that use tap interface
+- use-tap (default: True)
+    Add one interface that uses tap interface from the host
 - enable-vhost (default: False)
    Increase network speed by enabling vhost on qemu. (To use if the module is loaded on host machine)


--- a/software/kvm/buildout.hash.cfg
+++ b/software/kvm/buildout.hash.cfg
@@ -19,7 +19,7 @@ md5sum = 028b6a6456d744c11b1bb2c51ecd51b2

 [template-kvm]
 filename = instance-kvm.cfg.jinja2
-md5sum = c51026e815ca43b5de5ddc6cbd8bf1e2
+md5sum = c298aaa20a368ddc118b8bb22dc84dc3

 [template-kvm-cluster]
 filename = instance-kvm-cluster.cfg.jinja2.in

--- a/software/kvm/instance-kvm-input-schema.json
+++ b/software/kvm/instance-kvm-input-schema.json
@@ -266,9 +266,9 @@
    },
    "use-tap": {
      "title": "Use QEMU TAP network interface",
-      "description": "Use QEMU TAP network interface, might require a bridge on SlapOS Node.",
+      "description": "Use QEMU TAP network interface, requires taps creation on SlapOS Node.",
      "type": "boolean",
-      "default": false
+      "default": true
    },
    "use-nat": {
      "title": "Use QEMU USER Mode interface (NAT)",
@@ -278,7 +278,7 @@
    },
    "nat-rules": {
      "title": "List of rules for NAT of QEMU user mode network stack.",
-      "description": "List of rules for NAT of QEMU user mode network stack, as space-separated list of ports (with optional protocol). For each port specified, it will redirect port x of the VM (example: \"80 udp:53\") to the port x + 10000 of the public IPv6 of the host (example: \"10080 udp:10053\"). Ignored if \"use-tap\" parameter is enabled.",
+      "description": "List of rules for NAT of QEMU user mode network stack, as space-separated list of ports (with optional protocol). For each port specified, it will redirect port x of the VM (example: \"80 udp:53\") to the port x + 10000 of the public IPv6 of the host (example: \"10080 udp:10053\").",
      "type": "string",
      "default": "22 80 443"
    },

--- a/software/kvm/instance-kvm.cfg.jinja2
+++ b/software/kvm/instance-kvm.cfg.jinja2
 {% set enable_http = slapparameter_dict.get('enable-http-server', 'False').lower() -%}
-{% set use_tap = slapparameter_dict.get('use-tap', 'False').lower() -%}
+{% set use_tap = slapparameter_dict.get('use-tap', 'True').lower() -%}
 {% set use_nat = slapparameter_dict.get('use-nat', 'True').lower() -%}
 {% set wipe_disk = slapparameter_dict.get('wipe-disk-ondestroy', 'False').lower() -%}
 {% set nat_restrict = slapparameter_dict.get('nat-restrict-mode', 'False').lower() -%}
@@ -677,7 +677,7 @@ cpu-model = host

 nat-rules = 22 80 443
 use-nat = True
-use-tap = False
+use-tap = True
 nat-restrict-mode = False
 enable-vhost = False


--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -18,7 +18,7 @@ md5sum = edf81a602137858cd5835c050ac6e08c

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 356cb73670ea4599ad608b29fb86b278
+md5sum = 1a6a00153441d6a8e7ff9d27039e541e

 [template-apache-backend-conf]
 filename = apache-backend.conf.in

--- a/software/slapos-master/instance-balancer.cfg.in
+++ b/software/slapos-master/instance-balancer.cfg.in
@@ -27,10 +27,10 @@ mode = 644
     updater_path='${directory:services-on-watch}/caucase-updater',
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
-     crt_path='${apache-conf-ssl:cert}',
+     crt_path='${apache-conf-ssl:caucase-cert}',
     ca_path='${apache-conf-ssl:ca-cert}',
     crl_path='${apache-conf-ssl:crl}',
-     key_path='${apache-conf-ssl:key}',
+     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
     template_csr_pem=ssl_parameter_dict.get('csr'),
@@ -119,9 +119,25 @@ hash-files = ${haproxy-cfg:rendered}
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
+# XXX caucase certificate is not supported by caddy for now
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
 ca-cert =  ${directory:apache-conf}/ca.crt
 crl = ${directory:apache-conf}/crl.pem

+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:rendered}
+cert = ${apache-ssl-cert:rendered}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
@@ -133,8 +149,8 @@ access-log = ${directory:log}/apache-access.log
 # Apache 2.4's default value (60 seconds) can be a bit too short
 timeout = 300
 # Basic SSL server configuration
-cert = ${apache-conf-ssl:cert}
-key = ${apache-conf-ssl:key}
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 # Client x509 auth
@@ -218,6 +234,7 @@ services-on-watch = ${:etc}/service
 var = ${buildout:directory}/var
 run = ${:var}/run
 log = ${:var}/log
+srv = ${buildout:directory}/srv
 ca-dir = ${buildout:directory}/srv/ssl
 requests = ${:ca-dir}/requests
 private = ${:ca-dir}/private

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -66,7 +66,7 @@ md5sum = 0969fbb25b05c02ef3c2d437b2f4e1a0

 [template]
 filename = instance.cfg.in
-md5sum = a2423975b29ab023f64ce257d097e286
+md5sum = 9009939093730fb8219cbe7092dda9ab

 [monitor-template-dummy]
 filename = dummy.cfg
@@ -86,7 +86,7 @@ md5sum = 3a6c7dec898abc7d1506957154ef566e

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 7fcedcacb0558e770cbb1c1d63322ea4
+md5sum = a2f795e5ed9537951ee70114111930b0

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -26,10 +26,10 @@ mode = 644
     updater_path='${directory:services-on-watch}/caucase-updater',
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
-     crt_path='${apache-conf-ssl:cert}',
+     crt_path='${apache-conf-ssl:caucase-cert}',
     ca_path='${apache-conf-ssl:ca-cert}',
     crl_path='${apache-conf-ssl:crl}',
-     key_path='${apache-conf-ssl:key}',
+     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
     template_csr_pem=ssl_parameter_dict.get('csr'),
@@ -118,9 +118,25 @@ hash-files = ${haproxy-cfg:rendered}
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
+# XXX caucase certificate is not supported by caddy for now
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
 ca-cert =  ${directory:apache-conf}/ca.crt
 crl = ${directory:apache-conf}/crl.pem

+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:rendered}
+cert = ${apache-ssl-cert:rendered}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
@@ -132,8 +148,8 @@ access-log = ${directory:log}/apache-access.log
 # Apache 2.4's default value (60 seconds) can be a bit too short
 timeout = 300
 # Basic SSL server configuration
-cert = ${apache-conf-ssl:cert}
-key = ${apache-conf-ssl:key}
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 # Client x509 auth

--- a/stack/erp5/instance.cfg.in
+++ b/stack/erp5/instance.cfg.in
@@ -163,10 +163,10 @@ filename = instance-mariadb.cfg
 extra-context =
    section parameter_dict dynamic-template-mariadb-parameters

-# Keep cloudooo section for backward compatibility
+# Keep a section for backward compatibility for removed types
 # Once the section is removed, ghost instances will keep failing until
 # garbage collection be implemented.
-[dynamic-template-cloudooo-legacy]
+[dynamic-template-legacy]
 recipe = collective.recipe.template
 input = inline:[buildout]
  eggs-directory = ${buildout:eggs-directory}
@@ -174,7 +174,7 @@ input = inline:[buildout]
  offline = true
  parts =

-output = ${directory:directory/instance-cloudoo-legacy.cfg
+output = ${directory:directory/instance-legacy.cfg
 mode = 644

 # we need this value to be present in a section,
@@ -202,4 +202,5 @@ zope = dynamic-template-zope:rendered
 jupyter = dynamic-template-jupyter:rendered

 # Keep cloudooo backward compatibility
-cloudooo = dynamic-template-cloudooo-legacy:output
+cloudooo = dynamic-template-legacy:output
+caucase = dynamic-template-legacy:output