Update Release Candidate

component/lz4/buildout.cfg

@@ -6,6 +6,6 @@ parts =
 [lz4]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://github.com/lz4/lz4/archive/v1.9.2.tar.gz
-md5sum = 3898c56c82fb3d9455aefd48db48eaad
+url = https://github.com/lz4/lz4/archive/v1.9.3.tar.gz
+md5sum = 3a1ab1684e14fc1afc66228ce61b2db3
 configure-command = true

component/mariadb/buildout.cfg

@@ -30,8 +30,8 @@ parts =
 recipe = slapos.recipe.cmmi
 shared = true
 url = https://archive.mariadb.org//mariadb-${:version}/source/mariadb-${:version}.tar.gz
-version = 10.4.14
-md5sum = 9801120ae8acb33904ab4a3366a7714f
+version = 10.4.17
+md5sum = e8193b9cd008b6d7f177f5a5c44c7a9f
 location = @@LOCATION@@
 pre-configure =
   set '\bSET(PLUGIN_AUTH_PAM YES CACHE BOOL "")' cmake/build_configurations/mysql_release.cmake
@@ -131,12 +131,8 @@ environment =
 ### (we just override here for easier revert)
 [mariadb-10.3]
 <= mariadb-10.4
-version = 10.3.22
-md5sum = f712a5e6fde038d0c9c6d2a2cd88b84e
-pre-configure =
-  set -e '\bSET(PLUGIN_AUTH_PAM YES)' cmake/build_configurations/mysql_release.cmake
-  grep -q "$@"
-  sed -i "/$1/d" "$2"
+version = 10.3.27
+md5sum = 6ab2934a671191d8ca8730e9a626c5c9
 post-install =
   ldd=`ldd ${:location}/lib/plugin/ha_rocksdb.so`
   for x in ${lz4:location} ${snappy:location} ${zstd:location}

component/tomcat/buildout.cfg

@@ -10,7 +10,7 @@ parts =
 <= tomcat9
 
 [tomcat7]
-recipe = hexagonit.recipe.download
+recipe = slapos.recipe.build:download-unpacked
 ignore-existing = true
 strip-top-level-dir = true
 url = https://archive.apache.org/dist/tomcat/tomcat-7/v${:version}/bin/apache-tomcat-${:version}.tar.gz
@@ -18,7 +18,7 @@ version = 7.0.100
 md5sum = 79be4ba5a6e770730a4be3d5cb3c7862
 
 [tomcat9]
-recipe = hexagonit.recipe.download
+recipe = slapos.recipe.build:download-unpacked
 ignore-existing = true
 strip-top-level-dir = true
 url = https://archive.apache.org/dist/tomcat/tomcat-9/v${:version}/bin/apache-tomcat-${:version}.tar.gz

component/zbar/buildout.cfg

@@ -5,8 +5,10 @@ parts=
 [zbar]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://jaist.dl.sourceforge.net/project/zbar/zbar/0.10/zbar-0.10.tar.bz2
-md5sum = 0fd61eb590ac1bab62a77913c8b086a5
+url = https://github.com/mchehab/zbar/archive/0.23.1.tar.gz
+md5sum = 04f1ffafd0f12473d82763931d9c7c68
+pre-configure =
+  autoreconf -vfi -I ${libtool:location}/share/aclocal -I ${pkgconfig:location}/share/aclocal
 configure-options = 
   --disable-video
   --without-imagemagick
@@ -17,4 +19,5 @@ configure-options =
   --without-x
   --without-jpg
 environment =
+  PATH=${autoconf:location}/bin:${automake:location}/bin:${gettext:location}/bin:${libtool:location}/bin:${m4:location}/bin:%(PATH)s
   CFLAGS=

software/caddy-frontend/README.caddy_frontend.rst

@@ -245,6 +245,15 @@ Necessary to activate cache.
 
 ``enable_cache`` is an optional parameter.
 
+backend-active-check-*
+~~~~~~~~~~~~~~~~~~~~~~
+
+This set of parameters is used to control the way how the backend checks will be done. Such active checks can be really useful for `stale-if-error` caching technique and especially in case if backend is very slow to reply or to connect to.
+
+`backend-active-check-http-method` can be used to configure the HTTP method used to check the backend. Special method `CONNECT` can be used to check only for connection attempt.
+
+Please be aware that the `backend-active-check-timeout` is really short by default, so in case if `/` of the backend is slow to reply configure proper path with `backend-active-check-http-path` to not mark such backend down too fast, before increasing the check timeout.
+
 Examples
 ========
 

software/caddy-frontend/buildout.hash.cfg

@@ -22,23 +22,23 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
 
 [profile-caddy-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = e7d7e1448b6420657e953026573311ca
+md5sum = e8db3179e3278c6390a786cdcc947173
 
 [profile-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = b70f9ce80dd927ead51b4526997b75ed
+md5sum = b29a4764dd489030030a72770162c157
 
 [profile-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
-md5sum = ab143bfa2e20725aa35940c9033fa0ee
+md5sum = 2cbcdff6fe75ec469ab7d6accd72f83c
 
 [profile-replicate-publish-slave-information]
 _update_hash_filename_ = templates/replicate-publish-slave-information.cfg.in
-md5sum = de268251dafa5ad83ebf5b20636365d9
+md5sum = df304a8aee87b6f2425241016a48f7a5
 
 [profile-caddy-frontend-configuration]
 _update_hash_filename_ = templates/Caddyfile.in
-md5sum = 2503056e35463e045db3329bb8b6fae8
+md5sum = 8cdc462956b6b492c14a53f987c0df5c
 
 [template-not-found-html]
 _update_hash_filename_ = templates/notfound.html
@@ -50,11 +50,7 @@ md5sum = 266f175dbdfc588af7a86b0b1884fe73
 
 [template-backend-haproxy-configuration]
 _update_hash_filename_ = templates/backend-haproxy.cfg.in
-md5sum = bf40f8d0a049a8dd924ccc731956c87e
-
-[template-log-access]
-_update_hash_filename_ = templates/template-log-access.conf.in
-md5sum = f8068179333ce19e95df561c70073857
+md5sum = 5c807d34198f334b143cfa9263f6bc4e
 
 [template-empty]
 _update_hash_filename_ = templates/empty.in

software/caddy-frontend/instance-apache-frontend.cfg.in

@@ -90,8 +90,8 @@ frontend_cluster = ${:var}/frontend_cluster
 
 # csr_id publication
 csr_id = ${:srv}/csr_id
-caddy-csr_id = ${:etc}/caddy-csr_id
-caddy-csr_id-log = ${:log}/httpd-csr_id
+certificate-csr_id = ${:etc}/certificate-csr_id
+expose-csr_id-var = ${:var}/expose-csr_id
 
 # slave introspection
 slave-introspection-var = ${:var}/slave-introspection
@@ -102,7 +102,6 @@ single-default = ${dynamic-custom-personal-profile-slave-list:rendered}
 single-custom-personal = ${dynamic-custom-personal-profile-slave-list:rendered}
 
 [frontend-configuration]
-log-access-configuration = ${directory:etc}/log-access.conf
 ip-access-certificate = ${self-signed-ip-access:certificate}
 caddy-ipv6 = {{ instance_parameter_dict['ipv6-random'] }}
 caddy-https-port = ${configuration:port}
@@ -583,7 +582,7 @@ template = {{ software_parameter_dict['template_configuration_state_script'] }}
 rendered = ${directory:bin}/${:_buildout_section_name_}
 mode = 0700
 
-path_list = ${caddy-configuration:frontend-configuration} ${frontend-configuration:log-access-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*.pem ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.crt
+path_list = ${caddy-configuration:frontend-configuration} ${caddy-directory:slave-configuration}/*.conf ${caddy-directory:master-autocert-dir}/*.key ${caddy-directory:master-autocert-dir}/*.crt ${caddy-directory:master-autocert-dir}/*.pem ${caddy-directory:autocert}/*.pem ${caddy-directory:custom-ssl-directory}/*.proxy_ca_crt ${directory:bbb-ssl-dir}/*.crt
 sha256sum = {{ software_parameter_dict['sha256sum'] }}
 
 extra-context =
@@ -712,7 +711,7 @@ statistic-certificate = ${self-signed-ip-access:certificate}
 statistic-port = ${configuration:backend-haproxy-statistic-port}
 statistic-username = ${monitor-instance-parameter:username}
 statistic-password = ${monitor-htpasswd:passwd}
-statistic-identification = {{ slapparameter_dict['cluster-identification'] }}
+statistic-identification = {{ instance_parameter_dict['configuration.frontend-name'] + ' @ ' + slapparameter_dict['cluster-identification'] }}
 statistic-frontend-secure_access = ${backend-haproxy-statistic-frontend:connection-secure_access}
 
 [backend-haproxy]

software/caddy-frontend/instance-apache-replicate.cfg.in

@@ -124,6 +124,35 @@ context =
 {%   elif slave_type not in [None, '', 'default', 'zope', 'redirect', 'notebook', 'websocket'] %}
 {%     do slave_error_list.append('type:%s is not supported' % (slave_type,)) %}
 {%   endif %}
+{#   Check backend-active-check-* #}
+{%   set backend_active_check = (str(slave.get('backend-active-check', False)) or 'false').lower() %}
+{%   if backend_active_check in TRUE_VALUES %}
+{%     set backend_active_check_http_method = slave.get('backend-active-check-http-method') or 'GET' %}
+{%     if backend_active_check_http_method not in ['GET', 'OPTIONS', 'CONNECT', 'POST'] %}
+{%       do slave_error_list.append('Wrong backend-active-check-http-method %s' % (backend_active_check_http_method,)) %}
+{%     endif %}
+{%     set backend_active_check_http_path = slave.get('backend-active-check-http-path') or '/' %}
+{%     set backend_active_check_http_version = slave.get('backend-active-check-http-version') or 'HTTP/1.1' %}
+{%     if backend_active_check_http_version not in ['HTTP/1.1', 'HTTP/1.0'] %}
+{%       do slave_error_list.append('Wrong backend-active-check-http-version %s' % (backend_active_check_http_version,)) %}
+{%     endif %}
+{%     set backend_active_check_timeout = (slave.get('backend-active-check-timeout') or '2') | int(False) %}
+{%     if backend_active_check_timeout in [False] or backend_active_check_timeout <= 0 %}
+{%       do slave_error_list.append('Wrong backend-active-check-timeout %s' % (slave.get('backend-active-check-timeout'),)) %}
+{%     endif %}
+{%     set backend_active_check_interval = (slave.get('backend-active-check-interval') or '5') | int(False) %}
+{%     if backend_active_check_interval in [False] or backend_active_check_interval <= 0 %}
+{%       do slave_error_list.append('Wrong backend-active-check-interval %s' % (slave.get('backend-active-check-interval'),)) %}
+{%     endif %}
+{%     set backend_active_check_rise = (slave.get('backend-active-check-rise') or '1') | int(False) %}
+{%     if backend_active_check_rise in [False] or backend_active_check_rise <= 0 %}
+{%       do slave_error_list.append('Wrong backend-active-check-rise %s' % (slave.get('backend-active-check-rise'),)) %}
+{%     endif %}
+{%     set backend_active_check_fall = (slave.get('backend-active-check-fall') or '1') | int(False) %}
+{%     if backend_active_check_fall in [False] or backend_active_check_fall <= 0 %}
+{%       do slave_error_list.append('Wrong backend-active-check-fall %s' % (slave.get('backend-active-check-fall'),)) %}
+{%     endif %}
+{%   endif %}
 {#   Check ciphers #}
 {%   set slave_cipher_list = slave.get('ciphers', '').strip().split() %}
 {%   if slave_cipher_list %}
@@ -217,11 +246,11 @@ context =
 {%     endfor %}
 {%     do authorized_slave_list.append(authorized_slave) %}
 {%   else %}
-{%     do rejected_slave_dict.__setitem__(slave.get('slave_reference'), slave_error_list) %}
-{%     do rejected_slave_title_dict.__setitem__(slave.get('slave_title'), slave_error_list) %}
+{%     do rejected_slave_dict.__setitem__(slave.get('slave_reference'), sorted(slave_error_list)) %}
+{%     do rejected_slave_title_dict.__setitem__(slave.get('slave_title'), sorted(slave_error_list)) %}
 {%   endif %}
 {%   if len(slave_warning_list) > 0 %}
-{%     do warning_slave_dict.__setitem__(slave.get('slave_reference'), slave_warning_list) %}
+{%     do warning_slave_dict.__setitem__(slave.get('slave_reference'), sorted(slave_warning_list)) %}
 {%   endif %}
 {% endfor %}
 {% do authorized_slave_list.sort() %}
@@ -335,6 +364,19 @@ kedifa-csr_id-certificate = ${request-kedifa:connection-csr_id-certificate}
 {% endfor %}
 {% endif %}
 
+# Generate promises for requested nodes
+{% for frontend in frontend_list %}
+{%   set part_name = 'promise-backend-haproxy-statistic-url-' + frontend %}
+{%   do part_list.append(part_name) %}
+{%   set section_part = '${request-' + frontend %}
+[{{ part_name }}]
+<= monitor-promise-base
+module = check_url_available
+name = check-backend-haproxy-statistic-url-{{ frontend }}.py
+config-url =
+  {{ section_part }}:connection-backend-haproxy-statistic-url}
+{% endfor %}
+
 #----------------------------
 #--
 #-- Publish slave information
@@ -379,16 +421,10 @@ sla-{{ key[sla_kedifa_key_length:] }} = {{ slapparameter_dict.pop(key) }}
 {% endfor %}
 
 [rejected-slave-information]
-{% for slave_id, rejected_list in rejected_slave_dict.iteritems() %}
-{# sort_keys are important in order to avoid shuffling parameters on each run #}
-{{ slave_id }} = {{ dumps(json_module.dumps(rejected_list, sort_keys=True)) }}
-{% endfor %}
+rejected-slave-dict = {{ dumps(rejected_slave_dict) }}
 
 [warning-slave-information]
-{% for slave_id, warning_list in warning_slave_dict.iteritems() %}
-{# sort_keys are important in order to avoid shuffling parameters on each run #}
-{{ slave_id }} = {{ dumps(json_module.dumps(warning_list, sort_keys=True)) }}
-{% endfor %}
+warning-slave-dict = {{ dumps(warning_slave_dict) }}
 
 [slave-information]
 {% for frontend_section in frontend_section_list %}

software/caddy-frontend/instance-slave-caddy-input-schema.json

@@ -223,6 +223,68 @@
       ],
       "title": "Authenticate to backend",
       "type": "string"
+    },
+    "backend-active-check": {
+      "title": "Backend Active Check",
+      "description": "Enables active checks of the backend. For HTTP level checks the HTTP code shall be 2xx or 3xx, otherwise backend will be considered down.",
+      "enum": [
+        "false",
+        "true"
+      ],
+      "default": "false",
+      "type": "string"
+    },
+    "backend-active-check-http-method": {
+      "title": "Backend Active Check HTTP Metod",
+      "description": "Selects method to do the active check. CONNECT means that connection will be enough for the check, otherwise it's HTTP method.",
+      "enum": [
+        "GET",
+        "OPTIONS",
+        "POST",
+        "CONNECT"
+      ],
+      "default": "GET",
+      "type": "string"
+    },
+    "backend-active-check-http-path": {
+      "title": "Backend Active Check HTTP Path",
+      "description": "A path on which do the active check, unused in case of CONNECT.",
+      "default": "/",
+      "type": "string"
+    },
+    "backend-active-check-http-version": {
+      "title": "Backend Active Check HTTP Version",
+      "description": "A HTTP version to use to check the backend, unused in case of CONNECT.",
+      "enum": [
+        "HTTP/1.1",
+        "HTTP/1.0"
+      ],
+      "default": "HTTP/1.1",
+      "type": "string"
+    },
+    "backend-active-check-timeout": {
+      "title": "Backend Active Check Timeout (seconds)",
+      "description": "A timeout to for the request to be fulfilled, after connection happen.",
+      "default": "2",
+      "type": "integer"
+    },
+    "backend-active-check-interval": {
+      "title": "Backend Active Check Interval (seconds)",
+      "description": "An interval of backend active check.",
+      "default": "5",
+      "type": "integer"
+    },
+    "backend-active-check-rise": {
+      "title": "Backend Active Check Rise",
+      "description": "Amount of correct responses from the backend to consider it up.",
+      "default": "1",
+      "type": "integer"
+    },
+    "backend-active-check-fall": {
+      "title": "Backend Active Check Fall",
+      "description": "Amount of bad responses from the backend to consider it down.",
+      "default": "1",
+      "type": "integer"
     }
   },
   "title": "Input Parameters",

software/caddy-frontend/software.cfg

@@ -107,7 +107,6 @@ template_configuration_state_script = ${template-configuration-state-script:targ
 template_default_slave_virtualhost = ${template-default-slave-virtualhost:target}
 template_empty = ${template-empty:target}
 template_graceful_script = ${template-graceful-script:target}
-template_log_access = ${template-log-access:target}
 template_not_found_html = ${template-not-found-html:target}
 template_rotate_script = ${template-rotate-script:target}
 template_slave_introspection_httpd_nginx = ${template-slave-introspection-httpd-nginx:target}
@@ -187,9 +186,6 @@ mode = 640
 [template-backend-haproxy-configuration]
 <=download-template
 
-[template-log-access]
-<=download-template
-
 [template-empty]
 <=download-template
 

software/caddy-frontend/templates/Caddyfile.in

 # Main caddy configuration file
 
-import {{frontend_configuration.get('log-access-configuration')}}
 import {{ slave_configuration_directory }}/*.conf
 
 :{{ https_port }} {

software/caddy-frontend/templates/apache-custom-slave-list.cfg.in

@@ -113,6 +113,33 @@ context =
 {%-     endif %}
 {%-   endfor %}
 {%-   do slave_instance.__setitem__('authenticate-to-backend', ('' ~ slave_instance.get('authenticate-to-backend', '')).lower() in TRUE_VALUES) %}
+{#-   Setup active check #}
+{%-   do slave_instance.__setitem__('backend-active-check',  ('' ~ slave_instance.get('backend-active-check', '')).lower() in TRUE_VALUES) %}
+{%-   if slave_instance['backend-active-check']  %}
+{%-     if 'backend-active-check-http-method' not in slave_instance %}
+{%-       do slave_instance.__setitem__('backend-active-check-http-method', 'GET') %}
+{%-     endif %}
+{%-     if 'backend-active-check-http-version' not in slave_instance %}
+{%-       do slave_instance.__setitem__('backend-active-check-http-version', 'HTTP/1.1') %}
+{%-     endif %}
+{%-     if 'backend-active-check-interval' not in slave_instance %}
+{%-       do slave_instance.__setitem__('backend-active-check-interval', '5') %}
+{%-     endif %}
+{%-     if 'backend-active-check-rise' not in slave_instance %}
+{%-       do slave_instance.__setitem__('backend-active-check-rise', '1') %}
+{%-     endif %}
+{%-     if 'backend-active-check-fall' not in slave_instance %}
+{%-       do slave_instance.__setitem__('backend-active-check-fall', '2') %}
+{%-     endif %}
+{%-     if 'backend-active-check-timeout' not in slave_instance %}
+{%-       do slave_instance.__setitem__('backend-active-check-timeout', '2') %}
+{%-     endif %}
+{%-     do slave_instance.__setitem__('backend-active-check-http-path', slave_instance.get('backend-active-check-http-path') or '/') %}
+{%-   else %}
+{%-     do slave_instance.__setitem__('backend-active-check-http-method', '') %}
+{%-     do slave_instance.__setitem__('backend-active-check-http-version', '') %}
+{%-     do slave_instance.__setitem__('backend-active-check-http-path', '') %}
+{%-   endif %} {# if backend_active_check #}
 {#-   Set Up log files #}
 {%-   do slave_parameter_dict.__setitem__('access_log', '/'.join([caddy_log_directory, '%s_access_log' % slave_reference])) %}
 {%-   do slave_parameter_dict.__setitem__('error_log', '/'.join([caddy_log_directory, '%s_error_log' % slave_reference])) %}
@@ -307,7 +334,6 @@ recipe = slapos.cookbook:publish
 {%-  endif %}
 {%- endfor %} {# Slave iteration ends for slave_instance in slave_instance_list #}
 
-{%- do part_list.append('caddy-log-access') %}
 {%- do part_list.append('slave-introspection') %}
 {#- ############################################## #}
 {#- ## Prepare virtualhost for slaves using cache  #}
@@ -330,29 +356,6 @@ ipv6-port = {{ configuration['plain_http_port'] }}
 ipv4-port = {{ configuration['port'] }}
 ipv6-port = {{ configuration['port'] }}
 
-{#- Define log access #}
-
-[caddy-log-access-parameters]
-caddy_log_directory = {{ dumps(caddy_log_directory) }}
-caddy_configuration_directory = {{ dumps(caddy_configuration_directory) }}
-local_ipv4 = {{ dumps(instance_parameter_dict['ipv4-random']) }}
-global_ipv6 = {{ dumps(global_ipv6) }}
-https_port = {{ dumps(configuration['port']) }}
-http_port = {{ dumps(configuration['plain_http_port']) }}
-ip_access_certificate = {{ frontend_configuration.get('ip-access-certificate') }}
-access_log = {{ dumps(caddy_configuration['access-log']) }}
-error_log = {{ dumps(caddy_configuration['error-log']) }}
-not_found_file = {{ dumps(caddy_configuration['not-found-file']) }}
-
-[caddy-log-access]
-< = jinja2-template-base
-template = {{ software_parameter_dict['template_log_access'] }}
-rendered = {{frontend_configuration.get('log-access-configuration')}}
-extra-context =
-    section slave_log_directory slave-log-directory-dict
-    section slave_password slave-password
-    section parameter_dict caddy-log-access-parameters
-
 [slave-introspection-parameters]
 local-ipv4 = {{ dumps(instance_parameter_dict['ipv4-random']) }}
 global-ipv6 = {{ dumps(global_ipv6) }}
@@ -434,13 +437,6 @@ template = inline:
 
 rendered = ${:file}
 
-[caddy-log-access-empty]
-# Caddy refuse to start if an `import`ed file is empty, so we prepend a header
-# so that the file is never empty.
-< = jinja2-template-base
-template = inline: # This file contain directives to serve directories with log files for shared instances, but no shared instances are defined yet.
-rendered = {{frontend_configuration.get('log-access-configuration')}}
-
 ##<Backend haproxy>
 [backend-haproxy-configuration]
 < = jinja2-template-base
@@ -494,9 +490,6 @@ parts +=
 {%- for part in part_list %}
 {{ '    %s' % part }}
 {%- endfor %}
-{%- if 'caddy-log-access' not in part_list %}
-    caddy-log-access-empty
-{%- endif %}
     publish-caddy-information
     tunnel-6to4-base-http_port
     tunnel-6to4-base-https_port
@@ -524,8 +517,8 @@ command =
 
 [certificate-csr_id]
 recipe = plone.recipe.command
-certificate = {{ directory['caddy-csr_id'] }}/certificate.pem
-key = {{ directory['caddy-csr_id'] }}/key.pem
+certificate = {{ directory['certificate-csr_id'] }}/certificate.pem
+key = {{ directory['certificate-csr_id'] }}/key.pem
 
 {#- Can be stopped on error, as does not rely on self provided service #}
 stop-on-error = True
@@ -542,18 +535,44 @@ ip = ${slap-network-information:global-ipv6}
 port = 17001
 key = ${certificate-csr_id:key}
 certificate = ${certificate-csr_id:certificate}
-error-log = {{ directory['caddy-csr_id-log'] }}/expose-csr_id.log
+error-log = {{ directory['log'] }}/expose-csr_id.log
 
 [expose-csr_id-template]
 recipe = slapos.recipe.template:jinja2
+var = {{ directory['expose-csr_id-var'] }}
+pid = {{ directory['var'] }}/nginx-expose-csr_id.pid
+rendered = {{ directory['etc'] }}/nginx-expose-csr_id.conf
 template = inline:
-  https://:${expose-csr_id-configuration:port}/ {
-    bind ${expose-csr_id-configuration:ip}
-    tls ${expose-csr_id-configuration:certificate} ${expose-csr_id-configuration:key}
-    log ${expose-csr_id-configuration:error-log}
+  daemon off;
+  pid ${:pid};
+  error_log ${expose-csr_id-configuration:error-log};
+  events {
+  }
+  http {
+    include {{ software_parameter_dict['nginx_mime'] }};
+    server {
+      server_name_in_redirect off;
+      port_in_redirect off;
+      error_log ${expose-csr_id-configuration:error-log};
+      access_log /dev/null;
+      listen [${expose-csr_id-configuration:ip}]:${expose-csr_id-configuration:port} ssl;                                                          
+      ssl_certificate ${expose-csr_id-configuration:certificate};
+      ssl_certificate_key ${expose-csr_id-configuration:key};
+      default_type application/octet-stream;
+      client_body_temp_path ${:var} 1 2;
+      proxy_temp_path ${:var} 1 2;
+      fastcgi_temp_path ${:var} 1 2;
+      uwsgi_temp_path ${:var} 1 2;
+      scgi_temp_path ${:var} 1 2;
+
+      location / {
+        alias {{ directory['csr_id'] }}/;
+        autoindex off;
+        sendfile on;
+        sendfile_max_chunk 1m;
+      }
+    }
   }
-
-rendered = {{ directory['caddy-csr_id'] }}/Caddyfile
 
 [promise-expose-csr_id-ip-port]
 <= monitor-promise-base
@@ -567,13 +586,8 @@ depends =
   ${store-csr_id:command}
   ${store-backend-haproxy-csr_id:command}
 recipe = slapos.cookbook:wrapper
-command-line = {{ software_parameter_dict['caddy'] }}
-  -conf ${expose-csr_id-template:rendered}
-  -log ${expose-csr_id-configuration:error-log}
-  -http2=true
-  -disable-http-challenge
-  -disable-tls-alpn-challenge
-  -root {{ directory['csr_id'] }}
+command-line = {{ software_parameter_dict['nginx'] }}
+  -c ${expose-csr_id-template:rendered}
 
 wrapper-path = {{ directory['service'] }}/expose-csr_id
 hash-existing-files = ${buildout:directory}/software_release/buildout.cfg

software/caddy-frontend/templates/backend-haproxy.cfg.in

@@ -49,6 +49,8 @@ frontend statistic
   stats show-desc {{ configuration['statistic-identification'] }}
   stats auth {{ configuration['statistic-username'] }}:{{ configuration['statistic-password'] }}
   stats realm {{ configuration['statistic-identification'] }}
+  stats scope http-backend
+  stats scope https-backend
 
 frontend http-backend
   bind {{ configuration['local-ipv4'] }}:{{ configuration['http-port'] }}
@@ -100,7 +102,22 @@ backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
   timeout server {{ slave_instance['request-timeout'] }}s
   timeout connect {{ slave_instance['backend-connect-timeout'] }}s
   retries {{ slave_instance['backend-connect-retries'] }}
-  server {{ slave_instance['slave_reference'] }}-backend {{ hostname }}:{{ port }} {{ ' '.join(ssl_list) }}
+{%-         set active_check_list = [] %}
+{%-         set active_check_option_list = [] %}
+{%-         if slave_instance['backend-active-check'] %}
+{%-           do active_check_list.append('check') %}
+{%-           do active_check_list.append('inter %ss' % (slave_instance['backend-active-check-interval'])) %}
+{%-           do active_check_list.append('rise %s' % (slave_instance['backend-active-check-rise'])) %}
+{%-           do active_check_list.append('fall %s' % (slave_instance['backend-active-check-fall'])) %}
+{%-           if slave_instance['backend-active-check-http-method'] != 'CONNECT' %}
+{%-             do active_check_option_list.append('option httpchk %s %s %s' % (slave_instance['backend-active-check-http-method'], slave_instance['backend-active-check-http-path'] | urlencode, slave_instance['backend-active-check-http-version'])) %}
+{%-           endif %}
+{%-           do active_check_option_list.append('timeout check %ss' % (slave_instance['backend-active-check-timeout'])) %}
+{%-         endif %}
+  server {{ slave_instance['slave_reference'] }}-backend {{ hostname }}:{{ port }} {{ ' '.join(ssl_list) }} {{ ' ' + ' '.join(active_check_list)}}
+{%-         for active_check_option in active_check_option_list %}
+  {{ active_check_option }}
+{%-         endfor %}
 {%-         if path %}
   http-request set-path {{ path }}%[path]
 {%-         endif %}

software/caddy-frontend/templates/replicate-publish-slave-information.cfg.in

@@ -27,22 +27,22 @@
 {%   endfor %}
 {% endfor %}
 
-{% for slave_reference, rejected_info_list in rejected_slave_information.iteritems() %}
+{% for slave_reference, rejected_info_list in rejected_slave_information['rejected-slave-dict'].iteritems() %}
 {%   if slave_reference not in slave_information_dict %}
 {%     do slave_information_dict.__setitem__(slave_reference, {}) %}
 {%   endif %}
-{%   do slave_information_dict[slave_reference].__setitem__('request-error-list', rejected_info_list) %}
+{%   do slave_information_dict[slave_reference].__setitem__('request-error-list', json_module.dumps(rejected_info_list)) %}
 {% endfor %}
 
-{% for slave_reference, warning_info_list in warning_slave_information.iteritems() %}
+{% for slave_reference, warning_info_list in warning_slave_information['warning-slave-dict'].iteritems() %}
 {%   if slave_reference not in slave_information_dict %}
 {%     do slave_information_dict.__setitem__(slave_reference, {}) %}
 {%   endif %}
-{%   do slave_information_dict[slave_reference].__setitem__('warning-list', warning_info_list) %}
+{%   do slave_information_dict[slave_reference].__setitem__('warning-list', json_module.dumps(warning_info_list)) %}
 {% endfor %}
 
 {% for slave_reference, kedifa_dict in json_module.loads(slave_kedifa_information).iteritems() %}
-{%   if slave_reference not in rejected_slave_information %}
+{%   if slave_reference not in rejected_slave_information['rejected-slave-dict'] %}
 {%     if slave_reference not in slave_information_dict %}
 {%       do slave_information_dict.__setitem__(slave_reference, {}) %}
 {%     endif %}

software/caddy-frontend/templates/template-log-access.conf.in

-# Access log configuration
-{% for slave, directory in slave_log_directory.iteritems() %}
-https://[{{ parameter_dict['global_ipv6'] }}]:{{ parameter_dict['https_port'] }}/{{ slave }}, https://{{ parameter_dict['local_ipv4'] }}:{{ parameter_dict['https_port'] }}/{{ slave }} {
-  bind {{ parameter_dict['local_ipv4'] }}
-  root {{ directory }}/
-  browse
-  tls {{ parameter_dict['ip_access_certificate'] }} {{ parameter_dict['ip_access_certificate'] }}
-  basicauth "{{ slave }}" {{ slave_password[slave] | trim }} {
-    "Log Access {{ slave }}"
-    /
-  }
-  log / {{ parameter_dict['access_log'] }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" {
-    rotate_size 0
-  }
-  errors {{ parameter_dict['error_log'] }} {
-    rotate_size 0
-    * {{ parameter_dict['not_found_file'] }}
-  }
-}
-{% endfor %}

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_dummy-cached_access_log
 T-2/var/log/httpd/_dummy-cached_backend_log
 T-2/var/log/httpd/_dummy-cached_error_log

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_dummy-cached_access_log
 T-2/var/log/httpd/_dummy-cached_backend_log
 T-2/var/log/httpd/_dummy-cached_error_log

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_dummy-cached_access_log
 T-2/var/log/httpd/_dummy-cached_backend_log
 T-2/var/log/httpd/_dummy-cached_error_log

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_dummy-cached_access_log
 T-2/var/log/httpd/_dummy-cached_backend_log
 T-2/var/log/httpd/_dummy-cached_error_log

software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_default_access_log
 T-2/var/log/httpd/_default_error_log
 T-2/var/log/monitor-httpd-access.log

software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_Url_access_log
 T-2/var/log/httpd/_Url_backend_log
 T-2/var/log/httpd/_Url_error_log

software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlaveBackendActiveCheck.test_file_list_etc_cron_d-CADDY.txt

+T-0/etc/cron.d/logrotate
+T-0/etc/cron.d/monitor-configurator
+T-0/etc/cron.d/monitor-globalstate
+T-0/etc/cron.d/monitor_collect
+T-1/etc/cron.d/logrotate
+T-1/etc/cron.d/monitor-configurator
+T-1/etc/cron.d/monitor-globalstate
+T-1/etc/cron.d/monitor_collect
+T-2/etc/cron.d/logrotate
+T-2/etc/cron.d/monitor-configurator
+T-2/etc/cron.d/monitor-globalstate
+T-2/etc/cron.d/monitor_collect
+T-2/etc/cron.d/trafficserver-logrotate

software/caddy-frontend/test/test_data/test.TestSlaveBackendActiveCheck.test_file_list_log-CADDY.txt

+T-0/var/log/monitor-httpd-access.log
+T-0/var/log/monitor-httpd-error.log
+T-0/var/log/slapgrid-T-0-error.log
+T-1/var/log/expose-csr_id.log
+T-1/var/log/kedifa.log
+T-1/var/log/monitor-httpd-access.log
+T-1/var/log/monitor-httpd-error.log
+T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
+T-2/var/log/frontend-access.log
+T-2/var/log/frontend-error.log
+T-2/var/log/httpd/_backend-active-check-connect_access_log
+T-2/var/log/httpd/_backend-active-check-connect_backend_log
+T-2/var/log/httpd/_backend-active-check-connect_error_log
+T-2/var/log/httpd/_backend-active-check-custom_access_log
+T-2/var/log/httpd/_backend-active-check-custom_backend_log
+T-2/var/log/httpd/_backend-active-check-custom_error_log
+T-2/var/log/httpd/_backend-active-check-default_access_log
+T-2/var/log/httpd/_backend-active-check-default_backend_log
+T-2/var/log/httpd/_backend-active-check-default_error_log
+T-2/var/log/httpd/_backend-active-check-disabled_access_log
+T-2/var/log/httpd/_backend-active-check-disabled_backend_log
+T-2/var/log/httpd/_backend-active-check-disabled_error_log
+T-2/var/log/monitor-httpd-access.log
+T-2/var/log/monitor-httpd-error.log
+T-2/var/log/slave-introspection-access.log
+T-2/var/log/slave-introspection-error.log
+T-2/var/log/trafficserver/manager.log

software/caddy-frontend/test/test_data/test.TestSlaveBackendActiveCheck.test_file_list_plugin-CADDY.txt

+T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-user-caucase-updater.py
+T-0/etc/plugin/buildout-T-0-status.py
+T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
+T-0/etc/plugin/check-free-disk-space.py
+T-0/etc/plugin/monitor-bootstrap-status.py
+T-0/etc/plugin/monitor-http-frontend.py
+T-0/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py
+T-0/etc/plugin/rejected-slave.py
+T-1/etc/plugin/__init__.py
+T-1/etc/plugin/buildout-T-1-status.py
+T-1/etc/plugin/caucased.py
+T-1/etc/plugin/check-free-disk-space.py
+T-1/etc/plugin/expose-csr_id-ip-port-listening.py
+T-1/etc/plugin/kedifa-http-reply.py
+T-1/etc/plugin/monitor-bootstrap-status.py
+T-1/etc/plugin/monitor-http-frontend.py
+T-1/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-1/etc/plugin/promise-logrotate-setup.py
+T-2/etc/plugin/__init__.py
+T-2/etc/plugin/backend-client-caucase-updater.py
+T-2/etc/plugin/backend-haproxy-configuration.py
+T-2/etc/plugin/backend_haproxy_http.py
+T-2/etc/plugin/backend_haproxy_https.py
+T-2/etc/plugin/buildout-T-2-status.py
+T-2/etc/plugin/caddy_frontend_ipv4_http.py
+T-2/etc/plugin/caddy_frontend_ipv4_https.py
+T-2/etc/plugin/caddy_frontend_ipv6_http.py
+T-2/etc/plugin/caddy_frontend_ipv6_https.py
+T-2/etc/plugin/caucase-updater.py
+T-2/etc/plugin/check-free-disk-space.py
+T-2/etc/plugin/expose-csr_id-ip-port-listening.py
+T-2/etc/plugin/frontend-caddy-configuration-promise.py
+T-2/etc/plugin/monitor-bootstrap-status.py
+T-2/etc/plugin/monitor-http-frontend.py
+T-2/etc/plugin/monitor-httpd-listening-on-tcp.py
+T-2/etc/plugin/promise-logrotate-setup.py
+T-2/etc/plugin/re6st-connectivity.py
+T-2/etc/plugin/slave-introspection-configuration.py
+T-2/etc/plugin/slave_introspection_https.py
+T-2/etc/plugin/trafficserver-cache-availability.py
+T-2/etc/plugin/trafficserver-port-listening.py

software/caddy-frontend/test/test_data/test.TestSlaveBackendActiveCheck.test_file_list_run-CADDY.txt

+T-0/var/run/monitor-httpd.pid
+T-1/var/run/kedifa.pid
+T-1/var/run/monitor-httpd.pid
+T-2/var/run/backend-haproxy-rsyslogd.pid
+T-2/var/run/backend-haproxy.pid
+T-2/var/run/backend_haproxy_configuration_last_state
+T-2/var/run/backend_haproxy_graceful_configuration_state_signature
+T-2/var/run/bhlog.sck
+T-2/var/run/graceful_configuration_state_signature
+T-2/var/run/httpd.pid
+T-2/var/run/monitor-httpd.pid
+T-2/var/run/slave-introspection.pid
+T-2/var/run/slave_introspection_configuration_last_state
+T-2/var/run/slave_introspection_graceful_configuration_state_signature

software/caddy-frontend/test/test_data/test.TestSlaveBackendActiveCheck.test_supervisor_state-CADDY.txt

+T-0:aibcc-user-caucase-updater-on-watch RUNNING
+T-0:aikc-user-caucase-updater-on-watch RUNNING
+T-0:bootstrap-monitor EXITED
+T-0:caucased-backend-client-{hash-generic}-on-watch RUNNING
+T-0:certificate_authority-{hash-generic}-on-watch RUNNING
+T-0:crond-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-0:monitor-httpd-graceful EXITED
+T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
+T-1:bootstrap-monitor EXITED
+T-1:caucase-updater-on-watch RUNNING
+T-1:caucased-{hash-generic}-on-watch RUNNING
+T-1:certificate_authority-{hash-generic}-on-watch RUNNING
+T-1:crond-{hash-generic}-on-watch RUNNING
+T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-1:kedifa-{hash-generic}-on-watch RUNNING
+T-1:kedifa-reloader EXITED
+T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-1:monitor-httpd-graceful EXITED
+T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
+T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
+T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
+T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-safe-graceful EXITED
+T-2:bootstrap-monitor EXITED
+T-2:certificate_authority-{hash-generic}-on-watch RUNNING
+T-2:crond-{hash-generic}-on-watch RUNNING
+T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
+T-2:frontend-caddy-safe-graceful EXITED
+T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
+T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
+T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
+T-2:monitor-httpd-graceful EXITED
+T-2:slave-instrospection-nginx-{hash-generic}-on-watch RUNNING
+T-2:slave-introspection-safe-graceful EXITED
+T-2:trafficserver-{hash-generic}-on-watch RUNNING
+T-2:trafficserver-reload EXITED

software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_default_ciphers_access_log
 T-2/var/log/httpd/_default_ciphers_backend_log
 T-2/var/log/httpd/_default_ciphers_error_log

software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_Url_access_log
 T-2/var/log/httpd/_Url_backend_log
 T-2/var/log/httpd/_Url_error_log

software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlaveHostHaproxyClash.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_wildcard_access_log
 T-2/var/log/httpd/_wildcard_backend_log
 T-2/var/log/httpd/_wildcard_error_log

software/caddy-frontend/test/test_data/test.TestSlaveHostHaproxyClash.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_access_log
 T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_backend_log
 T-2/var/log/httpd/_custom_domain_ssl_crt_ssl_key_error_log

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_master_certificate_access_log
 T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_master_certificate_backend_log
 T-2/var/log/httpd/_ssl_from_master_kedifa_overrides_master_certificate_error_log

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_log-CADDY.txt

@@ -6,9 +6,9 @@ T-1/var/log/kedifa.log
 T-1/var/log/monitor-httpd-access.log
 T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
+T-2/var/log/expose-csr_id.log
 T-2/var/log/frontend-access.log
 T-2/var/log/frontend-error.log
-T-2/var/log/httpd-csr_id/expose-csr_id.log
 T-2/var/log/httpd/_ssl_from_master_access_log
 T-2/var/log/httpd/_ssl_from_master_backend_log
 T-2/var/log/httpd/_ssl_from_master_error_log

software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt

@@ -3,6 +3,7 @@ T-0/etc/plugin/aibcc-user-caucase-updater.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py
+T-0/etc/plugin/check-backend-haproxy-statistic-url-caddy-frontend-1.py
 T-0/etc/plugin/check-free-disk-space.py
 T-0/etc/plugin/monitor-bootstrap-status.py
 T-0/etc/plugin/monitor-http-frontend.py

software/erp5/test/test/test_balancer.py

@@ -5,15 +5,13 @@ import logging
 import os
 import re
 import shutil
-import socket
 import subprocess
 import tempfile
 import time
 import urlparse
 from BaseHTTPServer import BaseHTTPRequestHandler
-from typing import Any, Dict, Optional
+from typing import Dict
 
-import idna
 import mock
 import OpenSSL.SSL
 import pexpect
@@ -106,20 +104,6 @@ class CaucaseService(ManagedResource):
     self._caucased_process.wait()
     shutil.rmtree(self.directory)
 
-  @property
-  def ca_crt_path(self):
-    # type: () -> str
-    """Path of the CA certificate from this caucase.
-    """
-    ca_crt_path = os.path.join(self.directory, 'ca.crt.pem')
-    if not os.path.exists(ca_crt_path):
-      with open(ca_crt_path, 'w') as f:
-        f.write(
-            requests.get(urlparse.urljoin(
-                self.url,
-                '/cas/crt/ca.crt.pem',
-            )).text)
-    return ca_crt_path
 
 class BalancerTestCase(ERP5InstanceTestCase):
 
@@ -387,85 +371,6 @@ class TestHTTP(BalancerTestCase):
     ])
 
 
-class TestTLS(BalancerTestCase):
-  """Check TLS
-  """
-  __partition_reference__ = 's'
-
-  def _getServerCertificate(self, hostname, port):
-    # type: (Optional[str], Optional[int]) -> Any
-    hostname_idna = idna.encode(hostname)
-    sock = socket.socket()
-
-    sock.connect((hostname, port))
-    ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
-    ctx.check_hostname = False
-    ctx.verify_mode = OpenSSL.SSL.VERIFY_NONE
-
-    sock_ssl = OpenSSL.SSL.Connection(ctx, sock)
-    sock_ssl.set_connect_state()
-    sock_ssl.set_tlsext_host_name(hostname_idna)
-    sock_ssl.do_handshake()
-    cert = sock_ssl.get_peer_certificate()
-    crypto_cert = cert.to_cryptography()
-    sock_ssl.close()
-    sock.close()
-    return crypto_cert
-
-  def test_certificate_validates_with_caucase_ca(self):
-    # type: () -> None
-    caucase = self.getManagedResource("caucase", CaucaseService)
-    requests.get(self.default_balancer_url, verify=caucase.ca_crt_path)
-
-  def test_certificate_renewal(self):
-    # type: () -> None
-    caucase = self.getManagedResource("caucase", CaucaseService)
-    balancer_parsed_url = urlparse.urlparse(self.default_balancer_url)
-    certificate_before_renewal = self._getServerCertificate(
-        balancer_parsed_url.hostname,
-        balancer_parsed_url.port)
-
-    # run caucase updater 90 days in the future, so that certificate is
-    # renewed.
-    caucase_updater = os.path.join(
-        self.computer_partition_root_path,
-        'etc',
-        'service',
-        'caucase-updater',
-    )
-    process = pexpect.spawnu(
-       "faketime +90days %s" % caucase_updater,
-        env=dict(os.environ, PYTHONPATH=''),
-    )
-    logger = self.logger
-    class DebugLogFile:
-      def write(self, msg):
-        logger.info("output from caucase_updater: %s", msg)
-      def flush(self):
-        pass
-    process.logfile = DebugLogFile()
-    process.expect(u"Renewing .*\nNext wake-up.*")
-    process.terminate()
-    process.wait()
-
-    # wait for server to use new certificate
-    for _ in range(30):
-      certificate_after_renewal = self._getServerCertificate(
-          balancer_parsed_url.hostname,
-          balancer_parsed_url.port)
-      if certificate_after_renewal.not_valid_before > certificate_before_renewal.not_valid_before:
-        break
-      time.sleep(.5)
-
-    self.assertGreater(
-        certificate_after_renewal.not_valid_before,
-        certificate_before_renewal.not_valid_before,
-    )
-
-    # requests are served properly after cert renewal
-    requests.get(self.default_balancer_url, verify=caucase.ca_crt_path).raise_for_status()
-
-
 class ContentTypeHTTPServer(ManagedHTTPServer):
   """An HTTP Server which reply with content type from path.
 

software/erp5/test/test/test_erp5.py

@@ -31,7 +31,6 @@ import glob
 import urlparse
 import socket
 import time
-import tempfile
 
 import psutil
 import requests
@@ -44,7 +43,7 @@ setUpModule # pyflakes
 class TestPublishedURLIsReachableMixin(object):
   """Mixin that checks that default page of ERP5 is reachable.
   """
-  def _checkERP5IsReachable(self, url, verify):
+  def _checkERP5IsReachable(self, url):
     # What happens is that instanciation just create the services, but does not
     # wait for ERP5 to be initialized. When this test run ERP5 instance is
     # instanciated, but zope is still busy creating the site and haproxy replies
@@ -52,7 +51,7 @@ class TestPublishedURLIsReachableMixin(object):
     # erp5 site is not created, with 500 when mysql is not yet reachable, so we
     # retry in a loop until we get a succesful response.
     for i in range(1, 60):
-      r = requests.get(url, verify=verify)
+      r = requests.get(url, verify=False)  # XXX can we get CA from caucase already ?
       if r.status_code != requests.codes.ok:
         delay = i * 2
         self.logger.warn("ERP5 was not available, sleeping for %ds and retrying", delay)
@@ -63,36 +62,19 @@ class TestPublishedURLIsReachableMixin(object):
 
     self.assertIn("ERP5", r.text)
 
-  def _getCaucaseServiceCACertificate(self):
-    ca_cert = tempfile.NamedTemporaryFile(
-        prefix="ca.crt.pem",
-        mode="w",
-        delete=False,
-    )
-    ca_cert.write(
-        requests.get(
-            urlparse.urljoin(
-                self.getRootPartitionConnectionParameterDict()['caucase-http-url'],
-                '/cas/crt/ca.crt.pem',
-            )).text)
-    self.addCleanup(os.unlink, ca_cert.name)
-    return ca_cert.name
-
   def test_published_family_default_v6_is_reachable(self):
     """Tests the IPv6 URL published by the root partition is reachable.
     """
     param_dict = self.getRootPartitionConnectionParameterDict()
     self._checkERP5IsReachable(
-      urlparse.urljoin(param_dict['family-default-v6'], param_dict['site-id']),
-      self._getCaucaseServiceCACertificate())
+      urlparse.urljoin(param_dict['family-default-v6'], param_dict['site-id']))
 
   def test_published_family_default_v4_is_reachable(self):
     """Tests the IPv4 URL published by the root partition is reachable.
     """
     param_dict = self.getRootPartitionConnectionParameterDict()
     self._checkERP5IsReachable(
-      urlparse.urljoin(param_dict['family-default'], param_dict['site-id']),
-      self._getCaucaseServiceCACertificate())
+      urlparse.urljoin(param_dict['family-default'], param_dict['site-id']))
 
 
 class TestDefaultParameters(ERP5InstanceTestCase, TestPublishedURLIsReachableMixin):

software/neoppod/stress-testing/software.cfg

@@ -78,6 +78,8 @@ packages +=
   ca-certificates file g++ libc6-dev make patch python
 # speed up build by using the following components from the OS
   git liblzma-dev libssl-dev pkg-config python-dev
+# for pygolang
+  python-greenlet-dev
 # extra requirements for NEO
   libnetfilter-queue-dev nftables
 # extra requirements for this SR

software/plantuml/software.cfg

@@ -15,6 +15,9 @@ parts =
   slapos-cookbook
   instance
 
+[python]
+part = python3
+
 [instance]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/${:filename}

software/slapos-sr-testing/software-py3.cfg

@@ -6,14 +6,15 @@ extends =
 part = python3
 
 [eggs]
-eggs -=
-# plantuml is not Py3-compatible
+eggs +=
+# plantuml 0.3.0 is only available for Python 3
   ${slapos.test.plantuml-setup:egg}
 
 [template]
 extra =
   ${slapos.test.helloworld-setup:setup}
   ${slapos.test.monitor-setup:setup}
+  ${slapos.test.plantuml-setup:setup}
   ${slapos.test.powerdns-setup:setup}
   ${slapos.test.proftpd-setup:setup}
   ${slapos.test.repman-setup:setup}

software/slapos-sr-testing/software.cfg

@@ -189,7 +189,6 @@ eggs =
   ${slapos.test.jstestnode-setup:egg}
   ${slapos.test.kvm-setup:egg}
   ${slapos.test.monitor-setup:egg}
-  ${slapos.test.plantuml-setup:egg}
   ${slapos.test.powerdns-setup:egg}
   ${slapos.test.proftpd-setup:egg}
   ${slapos.test.re6stnet-setup:egg}
@@ -256,7 +255,6 @@ extra =
   ${slapos.test.erp5-setup:setup}
   ${slapos.test.htmlvalidatorserver-setup:setup}
   ${slapos.test.slapos-master-setup:setup}
-  ${slapos.test.plantuml-setup:setup}
   ${slapos.test.re6stnet-setup:setup}
   ${slapos.test.seleniumserver-setup:setup}
   ${slapos.test.jstestnode-setup:setup}
@@ -280,7 +278,7 @@ forcediphttpsadapter = 1.0.1
 httplib2 = 0.11.3
 image = 1.5.25
 paramiko = 2.4.2
-plantuml = 0.1.1
+plantuml = 0.3.0
 pysftp = 0.2.9
 requests-toolbelt = 0.8.0
 selenium = 3.141.0

software/slapos-testing/software.cfg

@@ -99,7 +99,7 @@ setup = ${slapos.rebootstrap-repository:location}
 
 [rubygemsrecipe-setup]
 <= setup-develop-egg
-egg = rubygemsrecipe
+egg = rubygemsrecipe[test]
 setup = ${rubygemsrecipe-repository:location}
 
 [eggs]
@@ -224,6 +224,7 @@ pycurl = 7.43.0.2
 pyflakes = 2.0.0
 zope.testing = 4.6.2
 urllib3 = 1.24.1
+pathlib = 1.0.1
 # Required by:
 # caucase
 PyJWT = 1.6.4

software/slaprunner/buildout.hash.cfg

@@ -26,7 +26,7 @@ md5sum = f2e2493bc5da90a53f86e5bcf64d2d57
 
 [instance-runner-import]
 filename = instance-runner-import.cfg.in
-md5sum = f5abd8aeb19707dfa12d979a8bc30076
+md5sum = ea7667f9af952bc4bdf43aad4520759f
 
 [instance-runner-export]
 filename = instance-runner-export.cfg.in

software/slaprunner/instance-runner-import.cfg.in

@@ -27,6 +27,7 @@ parts +=
   supervisord-wrapper
   importer-consistency-promise
   software-release-deployment-promise
+  template-slapuser-script
 
   resilient-software-release-information
 

software/theia/buildout.hash.cfg

@@ -15,7 +15,7 @@
 
 [instance]
 filename = instance.cfg.in
-md5sum = 397fcb3279029af3055b23525d147445
+md5sum = 2ceb9389281c00261abd864fc8ed566f
 
 [yarn.lock]
 filename = yarn.lock

software/theia/instance.cfg.in

@@ -98,8 +98,12 @@ stop-on-error = true
 [frontend-instance-logo]
 recipe = plone.recipe.command
 filename = logo.png
+full-path = $${directory:frontend-static}/$${:filename}
 command =
-  ln -s ${logo.png:output} $${directory:frontend-static}/$${:filename}
+  if [ ! -e $${:full-path} ]
+  then
+    ln -s ${logo.png:output} $${:full-path}
+  fi
 stop-on-error = true
 
 [frontend-instance-slapos.css]

stack/erp5/buildout.cfg

@@ -675,7 +675,7 @@ scikit-image = 0.14.0
 PyWavelets = 0.5.2
 networkx = 2.1
 pytesseract = 0.2.2
-zbarlight = 2.0
+zbarlight = 2.3
 cloudpickle = 0.5.3
 dask = 0.18.1
 toolz = 0.9.0

stack/erp5/buildout.hash.cfg

@@ -90,7 +90,7 @@ md5sum = 2f3ddd328ac1c375e483ecb2ef5ffb57
 
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = ecf119142e6b5cd85a2ba397552d2142
+md5sum = 4ba93d28d93bd066d5d19f4f74fc13d7
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in

stack/erp5/instance-balancer.cfg.in

@@ -18,56 +18,25 @@ per partition. No more (undefined result), no less (IndexError).
 recipe = slapos.recipe.template:jinja2
 mode = 644
 
-[balancer-csr-request-config]
-< = jinja2-template-base
-template = inline:
-    [req]
-    prompt = no
-    req_extensions = req_ext
-    distinguished_name = dn
-    [ dn ]
-    CN = example.com
-    [ req_ext ]
-    subjectAltName = @alt_names
-    [ alt_names ]
-    IP.1 =  {{ ipv4 }}
-    {% if ipv6_set -%}
-    IP.2 =  {{ ipv6 }}
-    {% endif %}
-rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/${:_buildout_section_name_}.txt
-
-[balancer-csr-request]
-recipe = plone.recipe.command
-command = {{ parameter_dict["openssl"] }}/bin/openssl req \
-  -newkey rsa:2048 \
-  -batch \
-  -new \
-  -nodes \
-  -keyout '${apache-conf-ssl:key}' \
-  -config '${balancer-csr-request-config:rendered}' \
-  -out '${:csr}'
-stop-on-error = true
-csr = ${directory:etc}/${:_buildout_section_name_}.csr.pem
-
-
 {{ caucase.updater(
      prefix='caucase-updater',
      buildout_bin_directory=parameter_dict['bin-directory'],
      updater_path='${directory:services-on-watch}/caucase-updater',
      url=ssl_parameter_dict['caucase-url'],
      data_dir='${directory:srv}/caucase-updater',
-     crt_path='${apache-conf-ssl:cert}',
+     crt_path='${apache-conf-ssl:caucase-cert}',
      ca_path='${directory:srv}/caucase-updater/ca.crt',
      crl_path='${directory:srv}/caucase-updater/crl.pem',
-     key_path='${apache-conf-ssl:key}',
+     key_path='${apache-conf-ssl:caucase-key}',
      on_renew='${apache-graceful:output}',
      max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
      template_csr_pem=ssl_parameter_dict.get('csr'),
-     template_csr=None if ssl_parameter_dict.get('csr') else '${balancer-csr-request:csr}',
      openssl=parameter_dict['openssl'] ~ '/bin/openssl',
 )}}
+{# XXX we don't use caucase yet.
 {% do section('caucase-updater') -%}
 {% do section('caucase-updater-promise') -%}
+#}
 
 {% set frontend_caucase_url_hash_list = [] -%}
 {% for frontend_caucase_url in frontend_caucase_url_list -%}
@@ -209,6 +178,10 @@ hash-files = ${haproxy-cfg:rendered}
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
+# XXX caucase is/was buggy and this certificate does not match key for instances
+# that were updated, so don't use it yet.
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
 {% if frontend_caucase_url_list -%}
 depends = ${caucase-updater-housekeeper-run:recipe}
 ca-cert-dir = ${directory:apache-ca-cert-dir}
@@ -231,6 +204,19 @@ context = key content {{content_section_name}}:content
 mode = {{ mode }}
 {%- endmacro %}
 
+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:rendered}
+cert = ${apache-ssl-cert:rendered}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
@@ -242,8 +228,8 @@ access-log = ${directory:log}/apache-access.log
 # Apache 2.4's default value (60 seconds) can be a bit too short
 timeout = 300
 # Basic SSL server configuration
-cert = ${apache-conf-ssl:cert}
-key = ${apache-conf-ssl:key}
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 {% if frontend_caucase_url_list -%}