Update Release Candidate

component/firewalld/buildout.cfg

@@ -3,6 +3,7 @@ parts =
   firewalld-patch
 
 extends =
+  ../bison/buildout.cfg
   ../defaults.cfg
   ../dbus/buildout.cfg
   ../flex/buildout.cfg
@@ -11,7 +12,11 @@ extends =
   ../intltool/buildout.cfg
   ../libtool/buildout.cfg
   ../nftables/buildout.cfg
+  ../pcre2/buildout.cfg
   ../python-slip/buildout.cfg
+  ../meson/buildout.cfg
+  ../ninja/buildout.cfg
+  ../pkgconfig/buildout.cfg
 
 [firewalld]
 recipe = slapos.recipe.cmmi
@@ -66,46 +71,45 @@ environment =
 
 [gobject-introspection]
 recipe = slapos.recipe.cmmi
-url = http://ftp.gnome.org/pub/gnome/core/3.22/3.22.2/sources/gobject-introspection-1.50.0.tar.xz
-md5sum = 5af8d724f25d0c9cfbe6df41b77e5dc0
-pre-configure = cp -f ${gnu-config:location}/config.sub ${gnu-config:location}/config.guess build-aux/
-configure-options =
-  --disable-static
-
+url = https://download.gnome.org/core/44/44.9/sources/gobject-introspection-1.76.1.tar.xz
+md5sum = 5cb554fdd139db79f9b1be13892fddac
+location = @@LOCATION@@
+pre-configure =
+  mkdir -p subprojects/gnu-config
+  cp -f ${gnu-config:location}/config.sub ${gnu-config:location}/config.guess subprojects/gnu-config/
+configure-command =
+  ${meson:location}/bin/meson setup builddir \
+    --prefix=${buildout:parts-directory}/${:_buildout_section_name_} \
+    --wrap-mode=nodownload \
+    --libdir=lib \
+    -Dbuildtype=release
+make-binary = ${ninja:location}/bin/ninja -C builddir
 environment =
-  PATH=${pkgconfig:location}/bin:${gettext:location}/bin:${glib:location}/bin:${xz-utils:location}/bin:${flex:location}/bin:${bison:location}/bin:%(PATH)s
-  PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${glib:pkg_config_depends}
-  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
-  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/
-  GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
-  GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lgobject-2.0
-  FFI_CFLAGS=-I${libffi:location}/include
-  FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
-  GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0
-  PYTHON=${buildout:executable}
+  PATH=${pkgconfig:location}/bin:${glib:location}/bin:${ninja:location}/bin:${meson:location}/bin:${flex:location}/bin:${bison:location}/bin:%(PATH)s
+  LDFLAGS=-Wl,-rpath=${:location}/lib -Wl,-rpath=${libffi:location}/lib -Wl,-rpath=${glib:location}/lib
+  PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre2:location}/lib/pkgconfig:${libffi:location}/lib/pkgconfig:${zlib:location}/lib/pkgconfig
+
 
 [pygobject3]
 recipe = slapos.recipe.cmmi
-url = http://ftp.gnome.org/pub/gnome/core/3.22/3.22.2/sources/pygobject-3.22.0.tar.xz
+url = https://download.gnome.org/core/44/44.9/sources/pygobject-3.44.2.tar.xz
 python-egg = ${buildout:parts-directory}/${:_buildout_section_name_}/lib/python${python:version}/site-packages
-md5sum = ed4117ed5d554d25fd7718807fbf819f
+md5sum = f1a1e2304c328094806c306bbf658e85
 pre-configure =
-  cp -f ${gnu-config:location}/config.sub ${gnu-config:location}/config.guess .
-  sed -i 's#/usr/local#${gobject-introspection:location}#g' ${gobject-introspection:location}/lib/pkgconfig/gobject-introspection-1.0.pc
-configure-options =
-  --disable-static
-  --disable-cairo
-
+  mkdir -p subprojects/gnu-config
+  cp -f ${gnu-config:location}/config.sub ${gnu-config:location}/config.guess subprojects/gnu-config/
+configure-command =
+  ${meson:location}/bin/meson setup builddir \
+    --prefix=${buildout:parts-directory}/${:_buildout_section_name_} \
+    --wrap-mode=nodownload \
+    -Dpython=${buildout:executable} \
+    -Dbuildtype=release \
+    -Dpycairo=disabled  # Disable cairo bindings explicitly
+make-binary = ${ninja:location}/bin/ninja -C builddir
 environment =
-  PATH=${pkgconfig:location}/bin:${libtool:location}/bin:${glib:location}/bin:${xz-utils:location}/bin:%(PATH)s
+  PATH=${pkgconfig:location}/bin:${ninja:location}/bin:${libtool:location}/bin:${glib:location}/bin:${xz-utils:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${glib:pkg_config_depends}:${gobject-introspection:location}/lib/pkgconfig
-  FFI_CFLAGS=-I${libffi:location}/include
-  FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
-  CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include -I${gettext:location}/include -I${libffi:location}/include
-  LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib
-  GIO_LIBS=-L${glib:location}/lib -lgio-2.0
-  GI_CFLAGS=-I${gobject-introspection:location}/include/gobject-introspection-1.0
-  GI_LIBS=-L${gobject-introspection:location}/lib -lgirepository-1.0
+  LDFLAGS=-Wl,-rpath=${gobject-introspection:location}/lib -Wl,-rpath=${libffi:location}/lib -Wl,-rpath=${glib:location}/lib
   PYTHON=${buildout:executable}
 
 [trusted-config]

component/golang/buildout.cfg

@@ -124,6 +124,14 @@ patches +=
 # Backport of https://github.com/golang/go/commit/d1d93129506c78cc8ee25644384286822d93c81a
   ${:_profile_base_location_}/crypto-tls-fix-Config.Time-in-tests-using-expired-ce-go-1-21.patch#8e30a06c854a9654e5b789c887453d64
 
+[golang1.23]
+<= golang-common
+url = https://go.dev/dl/go1.23.5.src.tar.gz
+md5sum = e13bea63175a402f3bdac29a048cc8b6
+# go1.23 requires go1.20.6 to bootstrap (see https://go.dev/blog/rebuild)
+environment-extra =
+  GOROOT_BOOTSTRAP=${golang1.21:location}
+
 # ---- infrastructure to build Go workspaces / projects ----
 
 # gowork is the top-level section that defines Go workspace.

component/meson/buildout.cfg

@@ -8,8 +8,8 @@ parts =
 recipe = slapos.recipe.cmmi
 shared = true
 url = https://github.com/mesonbuild/meson/releases/download/${:version}/meson-${:version}.tar.gz
-version = 0.62.1
-md5sum = 2f5301d0e7fd5544ab0004393ba44cbe
+version = 1.7.0
+md5sum = c20f3e5ebbb007352d22f4fd6ceb925c
 configure-command = true
 make-binary = true
 post-install =

component/nodejs/buildout.cfg

@@ -13,6 +13,7 @@ parts =
   nodejs
 
 # nodejs >= 16 needs gcc >= 8.3
+# nodejs >= 22 needs gcc >= 12.3
 [gcc]
 min_version = 8.3
 
@@ -60,6 +61,17 @@ version = v18.18.0
 md5sum = c5ab3e98977dfd639d830625d79eff52
 
 
+[nodejs-22.11.0]
+<= nodejs-base
+version = v22.11.0
+md5sum = 573831fd2b7abf70a882946e511b64f4
+
+[nodejs-headers-22.11.0]
+<= nodejs-headers-base
+version = v22.11.0
+md5sum = 45ffb2b6ff09e4391caa6beb13343721
+
+
 [nodejs-14.16.0]
 <= nodejs-base
 version = v14.16.0

component/ruby/buildout.cfg

@@ -30,5 +30,10 @@ environment =
 url = https://ftp.ruby-lang.org/pub/ruby/2.7/ruby-2.7.8.tar.xz
 md5sum = 27af2c340d0524ab272d564ddfd733d9
 
+[ruby3.4]
+<= ruby-common
+url = https://cache.ruby-lang.org/pub/ruby/3.4/ruby-3.4.1.tar.xz
+md5sum = 45bf4f2706ee6d07133f3355e581f920
+
 [ruby]
 <= ruby2.7

component/slapos/buildout.cfg

@@ -19,9 +19,9 @@ parts =
   py
   firewalld-patch
 
-# Force python3.7 for a while to be compatible with more SR
+# Force our own version of python to not depend on the default one (we need to keep backward compatibility a bit longer in slapos-node package)
 [python3]
-<= python3.7
+<= python3.9
 
 [environment]
 # Note: For now original PATH is appended to the end, as not all tools are

component/slapos/obs.cfg

@@ -85,8 +85,8 @@ pre-configure =
   sed -i 's#/opt/slapos/parts/dbus/lib/libdbus-1.la#${dbus:location}/lib/libdbus-1.la#' ${dbus-glib:location}/lib/libdbus-glib-1.la
 environment +=
   LD_LIBRARY_PATH=${dbus:location}/lib
-  PYTHON_INCLUDES=-I${python:location}/include/python${python:version}m
-  PYTHON_LIBS=-L${python:location}/lib -lpython${python:version}m -lpthread -ldl -lutil -lm
+  PYTHON_INCLUDES=-I${python:location}/include/python${python:version}
+  PYTHON_LIBS=-L${python:location}/lib -lpython${python:version} -lpthread -ldl -lutil -lm
 post-install =
   sed -i 's#${dbus:location}/lib/libdbus-1.la#/opt/slapos/parts/dbus/lib/libdbus-1.la#' ${dbus-glib:location}/lib/libdbus-glib-1.la
 
@@ -102,22 +102,24 @@ environment +=
 [gobject-introspection]
 pre-configure +=
   sed -i 's#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#!${python:location}/bin/python${python:version}#' ${python:location}/bin/python${python:version}-config
-configure-options +=
-  --enable-shared
 environment +=
   PERL5LIB=${perl:location}/lib/${perl:version}/
+  BISON_PKGDATADIR=${bison:location}/share/bison/
+  LD_LIBRARY_PATH=${glib:location}/lib
 post-install =
   sed -i 's#!${python:location}/bin/python${python:version}#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#' ${python:location}/bin/python${python:version}-config
 
 [pygobject3]
 pre-configure +=
   sed -i 's#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#!${python:location}/bin/python${python:version}#' ${python:location}/bin/python${python:version}-config
+environment +=
+  LD_LIBRARY_PATH=${glib:location}/lib:${libffi:location}/lib:${gobject-introspection:location}/lib
 post-install =
   sed -i 's#!${python:location}/bin/python${python:version}#!/opt/slapos/parts/python${python:version}/bin/python${python:version}#' ${python:location}/bin/python${python:version}-config
 
 [flex]
 environment +=
- BISON_PKGDATADIR=${bison:location}/share/bison/
+  BISON_PKGDATADIR=${bison:location}/share/bison/
 
 
 [perl-CPAN-package]

component/yarn/buildout.cfg

@@ -62,3 +62,30 @@ md5sum = db82fa09c996e9318f2f1d2ab99228f9
 <= yarn-download
 version = 1.16.0
 md5sum = 46790033c23803387890f545e4040690
+
+[yarn-berry-install]
+recipe = slapos.recipe.build
+shared = true
+url = https://github.com/yarnpkg/berry/archive/refs/tags/@yarnpkg/cli/${:version}.tar.gz
+content =
+  #!/bin/sh
+  PATH=${nodejs:location}/bin/:$PATH
+  exec %(location)s/scripts/bin/yarn $@
+install =
+  import os
+  import subprocess
+  self.copyTree(guessworkdir(self.extract(self.download())), location)
+  bin = os.path.join(location, 'bin')
+  os.makedirs(bin)
+  yarn = os.path.join(bin, 'yarn')
+  with open(yarn, 'w') as f:
+    os.fchmod(f.fileno(), 0o755)
+    f.write(options['content'] % options)
+  # run a yarn command so that it finishes initialization before the installation directory
+  # is made read only.
+  subprocess.check_output([yarn, 'cache', 'clean'])
+
+[yarn-4.6.0]
+<= yarn-berry-install
+version = 4.6.0
+md5sum = aa26ce25aa0f214c75e2362a06e1cab0

slapos/recipe/re6stnet/re6stnet.py

@@ -151,14 +151,14 @@ def checkService(client, token_base_path, token_json, computer_partition):
     email = '%s@slapos' % slave_reference.lower()
     if status == 'TOKEN_USED':
       try:
-        ipv6 = client.getIPv6Address(str(email))
+        ipv6 = client.getIPv6Address(str(email)).decode()
       except Exception:
         log.info('Error for dump ipv6 for %s... \n %s' % (slave_reference,
                                         traceback.format_exc()))
 
       log.info("%s, IPV6 = %s" % (slave_reference, ipv6))
       try:
-        ipv4 = client.getIPv4Information(str(email)) or "0.0.0.0"
+        ipv4 = client.getIPv4Information(str(email)).decode() or "0.0.0.0"
       except Exception:
         log.info('Error for dump ipv4 for %s... \n %s' % (slave_reference,
                                         traceback.format_exc()))

software/grafana/buildout.hash.cfg

@@ -23,7 +23,7 @@ md5sum = 86e379ac6ba789d65369ca1e0d4dfa3f
 
 [instance-agent]
 filename = instance-agent.cfg.in
-md5sum = 89fd1b010351cea9968360054e0c4aa9
+md5sum = eeb529b2b6a8e762a9072c520691c66c
 
 
 [influxdb-config-file]
@@ -32,7 +32,7 @@ md5sum = a28972ced3e0f4aa776e43a9c44717c0
 
 [grafana-config-file]
 filename = grafana-config-file.cfg.in
-md5sum = 258a25781f164f933fae12b9e1bc55fc
+md5sum = aa0d98f3604dd964ca6f3683c463acf7
 
 [grafana-provisioning-dashboards-config-file]
 filename = grafana-provisioning-dashboards-config-file.cfg.in

software/grafana/grafana-config-file.cfg.in

@@ -34,7 +34,7 @@ protocol = https
 
 # The ip address to bind to, empty will bind to all interfaces
 #http_addr =
-http_addr = [{{ grafana['ipv6'] }}]
+http_addr = {{ grafana['ipv6'] }}
 
 # The http port  to use
 #http_port = 3000
@@ -460,8 +460,7 @@ global_api_key = -1
 global_session = -1
 
 #################################### Alerting ############################
-[alerting]
-# Disable alerting engine & UI features
+[unified_alerting]
 enabled = true
 # Makes it possible to turn off alert rule execution but alerting UI is visible
 execute_alerts = true

software/grafana/instance-agent.cfg.in

@@ -80,9 +80,10 @@ port = ${influxdb-server:port}
 [telegraf]
 recipe = slapos.cookbook:wrapper
 extra-config-dir = ${directory:telegraf-extra-config-dir}
-# telegraf needs influxdb to be already listening before starting
+# telegraf needs influxdb to be already listening before starting, so we wrap this command in bash.
+# we also run a login shell so that $PATH is initialized and sensors plugin can find sensors command.
 command-line =
-   bash -c '${influxdb-listen-promise:path} && ${:nice} {{ telegraf_bin }} --config ${telegraf-config-file:output} --config-directory ${:extra-config-dir}'
+   bash --login -c '${influxdb-listen-promise:path} && ${:nice} {{ telegraf_bin }} --config ${telegraf-config-file:output} --config-directory ${:extra-config-dir}'
 wrapper-path = ${directory:service}/telegraf
 hash-files = ${telegraf-config-file:output}
 # TODO: control nice of the agent ?
@@ -162,9 +163,11 @@ init =
     }
   )
   inputs["disk"].append({})
-  inputs["io"].append({})
+  inputs["diskio"].append({})
+  inputs["mdstat"].append({"interval": "1h"})
   inputs["mem"].append({})
   inputs["net"].append({"ignore_protocol_stats": True})
+  inputs["sensors"].append({"interval": "5m"})
   inputs["system"].append({})
 
   for application in slapparameter_dict.get("applications", []):

software/grafana/software.cfg

@@ -23,18 +23,30 @@ parts =
   fluent-bit
   post-install-cleanup
 
+[yarn]
+<= yarn-4.6.0
+
+[nodejs]
+<= nodejs-22.11.0
+
+[nodejs-headers]
+<= nodejs-headers-22.11.0
+
+[gcc]
+part = gcc-12.3
+min_version = 12.3.0
 
 [go_github.com_grafana_grafana]
 <= go-git-package
 go.importpath = github.com/grafana/grafana
 repository    = https://github.com/grafana/grafana
-revision      = v10.1.2-0-g8e428858dd
+revision      = v11.5.0-0-gf7a938db9ad
 
 [go_github.com_grafana_loki]
 <= go-git-package
 go.importpath = github.com/grafana/loki
 repository    = https://github.com/grafana/loki
-revision      = v3.1.0-0-g935aee77e
+revision      = v3.3.2-0-g23b5fc2c9
 
 [go_github.com_influxdata_influxdb]
 <= go-git-package
@@ -46,7 +58,7 @@ revision      = v1.8.4-0-gbc8ec4384e
 <= go-git-package
 go.importpath = github.com/influxdata/telegraf
 repository    = https://github.com/influxdata/telegraf
-revision      = v1.28.1-0-g3ea9ffbe2
+revision      = v1.33.0-0-g679020053
 
 [go_github.com_perrinjerome_slapos_telegraf_input]
 <= go-git-package
@@ -92,15 +104,16 @@ grafana-bin = ${grafana:binpath}/grafana
 grafana-homepath = ${grafana:homepath}
 loki-bin = ${:bin}/loki
 promtail-bin = ${:bin}/promtail
+golang  = ${golang1.23:location}
 
 [post-install-cleanup]
 recipe = plone.recipe.command
 stop-on-error = true
 # remove caches and binary files confusing software check
 command =
-  chmod +w ${gowork.dir:directory}/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.2/testdata/ \
-  && rm -rf ${gowork.dir:directory}/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.2/testdata/so.so \
-  && chmod -w ${gowork.dir:directory}/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.2/testdata/ \
+  chmod +w ${gowork.dir:directory}/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.4/testdata/ \
+  && rm -rf ${gowork.dir:directory}/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.4/testdata/so.so \
+  && chmod -w ${gowork.dir:directory}/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.4/testdata/ \
   && rm -rf ${buildout:directory}/.cache/
 
 [grafana]
@@ -108,15 +121,12 @@ recipe = plone.recipe.command
 command = bash -ce "
   cd ${:homepath} && \
   . ${gowork:env.sh} && \
-  go install github.com/google/wire/cmd/wire@v0.5.0 && \
-  wire gen -tags oss ./pkg/server ./pkg/cmd/grafana-cli/runner && \
+  go run ./pkg/build/wire/cmd/wire/main.go gen -tags oss ./pkg/server && \
   go run build.go setup && \
   go run build.go build && \
   export NODE_OPTIONS=--max_old_space_size=8192 && \
   ${yarn:location}/bin/yarn install --immutable && \
-  ${yarn:location}/bin/yarn run themes:generate && \
-  ${yarn:location}/bin/yarn run build && \
-  ${yarn:location}/bin/yarn run plugins:build-bundled"
+  ${yarn:location}/bin/yarn run build"
 homepath = ${go_github.com_grafana_grafana:location}
 # XXX "linux-amd64" is not portable here
 binpath = ${go_github.com_grafana_grafana:location}/bin/linux-amd64

software/rapid-cdn/README.rst

@@ -27,6 +27,7 @@ These parameters are:
     * ``disk-cache-size``
     * ``enable-http3``
     * ``http3-port``
+    * ``expert-backend-allow-downgrade-ssl``
   * ``-sla-i-foo`` : where "i" is the number of the concerned frontend (between 1 and "-frontend-quantity") and "foo" a sla parameter.
 
 For example::

software/rapid-cdn/buildout.hash.cfg

@@ -14,7 +14,7 @@
 # not need these here).
 [template]
 filename = instance.cfg.in
-md5sum = 1714aa40cffc3b26b672e534ef90894b
+md5sum = af3668cbfd2991fff846f3e96efcd711
 
 [profile-common]
 filename = instance-common.cfg.in
@@ -22,15 +22,15 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
 
 [profile-frontend]
 filename = instance-frontend.cfg.in
-md5sum = 081aef1b071585e5f334a93d6d4969d0
+md5sum = 4a53b09ba4cbf15e32a5088cc81db5ea
 
 [profile-master]
 filename = instance-master.cfg.in
-md5sum = 5ded3544de312750d0ae06fdb3a436c9
+md5sum = 653e8249ee71c3fa71b172fa3d2a4207
 
 [profile-slave-list]
 filename = instance-slave-list.cfg.in
-md5sum = 96bd66e98c7b4492ab4aba46e0e14e13
+md5sum = 8d6d2280ad47b431c433495bf9809adc
 
 [profile-master-publish-slave-information]
 filename = instance-master-publish-slave-information.cfg.in
@@ -119,3 +119,7 @@ md5sum = b79addf01b6fb93c2f3d018e83eff766
 [template-expose-csr-nginx-conf]
 _update_hash_filename_ = templates/expose-csr-nginx.conf.in
 md5sum = 5620baa8819fcc8340fa6777ee551a1a
+
+[template-backend-openssl-ssl-downgrade]
+_update_hash_filename_ = templates/backend-openssl-ssl-downgrade.cnf
+md5sum = ae9d1a46301f6e3dd9cd7dc710cee6be

software/rapid-cdn/instance-frontend.cfg.in

@@ -263,6 +263,7 @@ template-frontend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_f
 template-backend-haproxy-configuration = {{ software_parameter_dict['template_backend_haproxy_configuration'] }}
 template-backend-haproxy-rsyslogd-conf = {{ software_parameter_dict['template_backend_haproxy_rsyslogd_conf'] }}
 template-expose-csr-nginx-conf = {{ software_parameter_dict['template_expose_csr_nginx_conf'] }}
+template-backend-openssl-ssl-downgrade = {{ software_parameter_dict['template_backend_openssl_ssl_downgrade'] }}
 
 [kedifa-login-config]
 d = ${directory:ca-dir}
@@ -841,10 +842,22 @@ extra-context =
     key wait_time :wait_time
     key lazy_command frontend-haproxy-rsyslogd-config:graceful-command
 
+[backend-haproxy-wrapper]
+recipe = slapos.recipe.template:jinja2
+output = ${directory:bin}/${:_buildout_section_name_}
+backend-haproxy = {{ BACKEND_HAPROXY_EXECUTABLE }}
+inline =
+  #!/bin/bash
+{%- if instance_parameter_dict.get('configuration.expert-backend-allow-downgrade-ssl', 'false').lower() in TRUE_VALUES %}
+  export OPENSSL_CONF=${software-release-path:template-backend-openssl-ssl-downgrade}
+{%- endif %}
+  exec ${:backend-haproxy} -f ${backend-haproxy-configuration:file} "$@"
+
 [backend-haproxy]
 recipe = slapos.cookbook:wrapper
-command-line = {{ BACKEND_HAPROXY_EXECUTABLE }} -f ${backend-haproxy-configuration:file}
+command-line = ${backend-haproxy-wrapper:output}
 wrapper-path = ${directory:service}/backend-haproxy
+hash-files = ${backend-haproxy-wrapper:output}
 hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 
 [backend-haproxy-rsyslogd-lazy-graceful]

software/rapid-cdn/instance-master.cfg.in

@@ -40,6 +40,7 @@
         'ciphers',
         'request-timeout',
         'authenticate-to-backend',
+        'expert-backend-allow-downgrade-ssl',
     ]
 %}
 {#- SlapOS Master (but not slapproxy!) merges slave's instance and connection parameters, so the slave information passed to nodes have to be limited only to instance related keys #}

software/rapid-cdn/instance-slave-list.cfg.in

@@ -36,6 +36,8 @@ context =
 
 # empty sections if no slaves are available
 [slave-log-directory-dict]
+{#- Note: This section is only to build dictionary of all slave information about their directories #}
+{#-       It shall not be referenced as ${slave-log-directory-dict: by slaves, as this section is often updated #}
 [slave-password]
 [slave-htpasswd]
 
@@ -280,7 +282,8 @@ context =
 {#-   Set slave logrotate entry #}
 [{{slave_log_directory_section}}]
 recipe = slapos.cookbook:mkdirectory
-log-directory = {{ '${slave-log-directory-dict:' + slave_reference + '}' }}
+{#- Direct reference to slave_log_folder is on purpose to not depend on slave-log-directory-dict #}
+log-directory = {{ slave_log_folder }}
 
 [{{slave_logrotate_section}}]
 <= logrotate-entry-base

software/rapid-cdn/instance.cfg.in

@@ -109,3 +109,4 @@ configuration.backend-haproxy-statistic-port = 21444
 configuration.authenticate-to-backend = False
 configuration.rotate-num = 4000
 configuration.slave-introspection-https-port = 22443
+configuration.expert-backend-allow-downgrade-ssl = false

software/rapid-cdn/software.cfg

@@ -100,6 +100,7 @@ template_trafficserver_storage_config = ${template-trafficserver-storage-config:
 template_validate_script = ${template-validate-script:target}
 template_wrapper = ${template-wrapper:output}
 template_expose_csr_nginx_conf = ${template-expose-csr-nginx-conf:target}
+template_backend_openssl_ssl_downgrade = ${template-backend-openssl-ssl-downgrade:target}
 
 # directories
 bin_directory = ${buildout:bin-directory}
@@ -213,6 +214,9 @@ output = ${buildout:directory}/template-wrapper.cfg
 [template-frontend-haproxy-rsyslogd-conf]
 <=download-template
 
+[template-backend-openssl-ssl-downgrade]
+<=download-template
+
 [versions]
 kedifa = 0.0.7
 # Modern KeDiFa requires zc.lockfile

software/rapid-cdn/test/backend.py

+##############################################################################
+#
+# Copyright (c) 2025 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly advised to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 3
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+#
+##############################################################################
+
+from http.server import BaseHTTPRequestHandler
+from http.server import HTTPServer
+from socketserver import ThreadingMixIn
+import base64
+import gzip
+import io
+import json
+import logging
+import os
+import random
+import ssl
+import string
+import sys
+import time
+
+
+class ThreadedHTTPServer(ThreadingMixIn, HTTPServer):
+  pass
+
+
+class TestHandler(BaseHTTPRequestHandler):
+  identification = None
+  configuration = {}
+  # override Server header response
+  server_version = "TestBackend"
+  sys_version = ""
+
+  log_message = logging.getLogger(__name__ + '.TestHandler').info
+
+  def do_DELETE(self):
+    config = self.configuration.pop(self.path, None)
+    if config is None:
+      self.send_response(204)
+      self.end_headers()
+    else:
+      self.send_response(200)
+      self.send_header("Content-Type", "application/json")
+      self.end_headers()
+      self.wfile.write(json.dumps({self.path: config}, indent=2))
+
+  def do_PUT(self):
+    incoming_config = {}
+    for key, value in list(self.headers.items()):
+      if key.startswith('X-'):
+        incoming_config[key] = value
+    config = {
+      'status_code': incoming_config.pop('X-Reply-Status-Code', '200')
+    }
+    prefix = 'X-Reply-Header-'
+    length = len(prefix)
+    for key in list(incoming_config.keys()):
+      if key.startswith(prefix):
+        header = '-'.join([q.capitalize() for q in key[length:].split('-')])
+        config[header] = incoming_config.pop(key)
+
+    if 'X-Reply-Body' in incoming_config:
+      config['Body'] = base64.b64decode(
+        incoming_config.pop('X-Reply-Body')).decode()
+
+    config['X-Drop-Header'] = incoming_config.pop('X-Drop-Header', None)
+    self.configuration[self.path] = config
+
+    self.send_response(201)
+    self.send_header("Content-Type", "application/json")
+    self.end_headers()
+    reply = {self.path: config}
+    if incoming_config:
+      reply['unknown_config'] = incoming_config
+    self.wfile.write(json.dumps(reply, indent=2).encode())
+
+  def do_POST(self):
+    return self.do_GET()
+
+  def do_GET(self):
+    config = self.configuration.get(self.path, None)
+    if config is not None:
+      config = config.copy()
+      response = config.pop('Body', None)
+      status_code = int(config.pop('status_code'))
+      timeout = int(config.pop('Timeout', '0'))
+      compress = int(config.pop('Compress', '0'))
+      drop_header_list = []
+      for header in (config.pop('X-Drop-Header') or '').split():
+        drop_header_list.append(header)
+      header_dict = config
+    else:
+      drop_header_list = []
+      for header in (self.headers.get('x-drop-header') or '').split():
+        drop_header_list.append(header)
+      response = None
+      status_code = 200
+      timeout = int(self.headers.get('timeout', '0'))
+      if 'x-maximum-timeout' in self.headers:
+        maximum_timeout = int(self.headers['x-maximum-timeout'])
+        timeout = random.randrange(maximum_timeout)
+      if 'x-response-size' in self.headers:
+        min_response, max_response = [
+          int(q) for q in self.headers['x-response-size'].split(' ')]
+        reponse_size = random.randrange(min_response, max_response)
+        response = ''.join(
+          random.choice(string.lowercase) for x in range(reponse_size))
+      compress = int(self.headers.get('compress', '0'))
+      header_dict = {}
+      prefix = 'x-reply-header-'
+      length = len(prefix)
+      for key, value in list(self.headers.items()):
+        if key.startswith(prefix):
+          header = '-'.join([q.capitalize() for q in key[length:].split('-')])
+          header_dict[header] = value.strip()
+    if response is None:
+      if 'x-reply-body' not in self.headers:
+        headers_dict = dict()
+        for header in list(self.headers.keys()):
+          content = self.headers.get_all(header)
+          if len(content) == 0:
+            headers_dict[header] = None
+          elif len(content) == 1:
+            headers_dict[header] = content[0]
+          else:
+            headers_dict[header] = content
+        response = {
+          'Path': self.path,
+          'Incoming Headers': headers_dict
+        }
+        response = json.dumps(response, indent=2)
+      else:
+        response = base64.b64decode(self.headers['x-reply-body'])
+
+    time.sleep(timeout)
+    self.send_response_only(status_code)
+    self.send_header('Server', self.server_version)
+
+    for key, value in list(header_dict.items()):
+      self.send_header(key, value)
+
+    if self.identification is not None:
+      self.send_header('X-Backend-Identification', self.identification)
+
+    if 'Content-Type' not in drop_header_list:
+      self.send_header("Content-Type", "application/json")
+    if 'Set-Cookie' not in drop_header_list:
+      self.send_header('Set-Cookie', 'secured=value;secure')
+      self.send_header('Set-Cookie', 'nonsecured=value')
+
+    if 'Via' not in drop_header_list:
+      self.send_header('Via', 'http/1.1 backendvia')
+    if compress:
+      self.send_header('Content-Encoding', 'gzip')
+      out = io.BytesIO()
+      # compress with level 0, to find out if in the middle someting would
+      # like to alter the compression
+      with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=0) as f:
+        f.write(response.encode())
+      response = out.getvalue()
+      self.send_header('Backend-Content-Length', len(response))
+    if 'Content-Length' not in drop_header_list:
+      self.send_header('Content-Length', len(response))
+    self.end_headers()
+    if getattr(response, 'encode', None) is not None:
+      response = response.encode()
+    self.wfile.write(response)
+
+
+def server_https_weak_method(ip, port):
+  server_https_weak = ThreadedHTTPServer(
+    (ip, port),
+    TestHandler)
+  context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+  context.load_cert_chain(
+    os.path.join(
+      os.path.dirname(
+        os.path.realpath(__file__)), 'test_data', 'sha1-2048.pem'))
+  server_https_weak.socket = context.wrap_socket(
+    server_https_weak.socket, server_side=True)
+  server_https_weak.serve_forever()
+
+
+if __name__ == '__main__':
+  server_https_weak_method(sys.argv[1], int(sys.argv[2]))

software/rapid-cdn/test/test_data/sha1-2048.pem

+-----BEGIN CERTIFICATE-----
+MIIClzCCAX8CAQEwDQYJKoZIhvcNAQEFBQAwDTELMAkGA1UEAwwCQ0EwIBcNMjUw
+MTMwMTQxMjI4WhgPMzAyNDA2MDIxNDEyMjhaMBQxEjAQBgNVBAMMCXNoYTEtMjA0
+ODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzOtJWwtvWCgje14g/4
+swgPXaQkEnbmIhJUeC3h6lsxKuoUn1t7N/AmFSwVy+CUpjbo15JUqtN+gyGZezZH
+u27Q6K5NPLu1GjrJPLXtzQ6dZmWYub5wB5GMLziEQMeGPHC5OihWE2FkszTzDApA
+cr8vO9i6aZPjVobog5D12l1giB1R+n1RgJ0DsCTH7Cr9PaovNZ5uWsNdeZFE75VQ
+weIV/KjNL75TMHUpzSrjUdU0NCjyu6MOEbCpXPsZNb8qwmqUn9ImbTuBvgFotb7U
+GFomukAZGwmSaa9bDBiIah58vCZ3GM5HxBrJj/GFwBSntsWShxAZUvUMvXjb3T1y
+D0cCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEASMYlBKwIF1FgkuCH7FqB92x7Qm7O
+yA6SqSwRUqZ0W6OtRr7gyblC0+Q9uqtLOpSo6pLl7/lGS76eioriqbZS7hkV63ot
+kHjaLFCKpvAhbpVyFRDdD6qXqf3rJuvdS8wr4KgRF54vPs7KSv6Z7QUu3TQChP7y
+5eOll5Ug9Bx7biJx5dme+GpswqnRgfHFVehTJ2FALtV2QraU1uzvvghiFhcXRsuZ
+6GMpGWGKTERtRApSHimFvysdwqzN9GQzP+06nXEekNEHReAYYIkrBISE0mnW98ar
+TaCZvYNmzA2jXULFNJh/Igg0PyPjLJr5jv9JD1B5yf5Nl/069H098hTMPg==
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCczrSVsLb1goI3
+teIP+LMID12kJBJ25iISVHgt4epbMSrqFJ9bezfwJhUsFcvglKY26NeSVKrTfoMh
+mXs2R7tu0OiuTTy7tRo6yTy17c0OnWZlmLm+cAeRjC84hEDHhjxwuTooVhNhZLM0
+8wwKQHK/LzvYummT41aG6IOQ9dpdYIgdUfp9UYCdA7Akx+wq/T2qLzWeblrDXXmR
+RO+VUMHiFfyozS++UzB1Kc0q41HVNDQo8rujDhGwqVz7GTW/KsJqlJ/SJm07gb4B
+aLW+1BhaJrpAGRsJkmmvWwwYiGoefLwmdxjOR8QayY/xhcAUp7bFkocQGVL1DL14
+2909cg9HAgMBAAECggEAPv+k+cbnmrd2TZ+bVUNb2k8iFgIQEQjgg3DAX9614zFb
+xnPGmmBk1uzV8MJJCM9v//uIMFgn0ZSwZl1dbS9glGMGOJD7Z4aZJSkYZRdHHSoL
+q6GyblpgEA+8IP6xb/f0bG1eejoqyyREA2/qVGwULc9yQd6S8EGTz9u2kBTWSFER
+HG09Hl5HHY19Ad05F9wqpx2nwlo9bUZfdOHWqkaXpp0Gs7FWmSPsC1rSh4nCM1wz
+Jol/9hMSbXQQIgD8p6EaHRY0KYF7mmfoVtmUJdHKanB5Pra44p+FPr2bAsMRo/HS
+Bw4t1p9fZotekizcz7yp47j65SeW1UbaKTLVjQBJYQKBgQDLOHeXUeIzUilrOBxJ
+DZ3yQ/mh2MxNtMbOqy+OPhyREf60CTZpGQ2S8glfkclRjfpDueLfKrxYZn/s0/kJ
+BTZEB/Po3fYVyaLtYhFlMqS69p3JrNPEH6Vtxfawks13qv1MnErwj2dH3RnqHDwg
+6Od2wlb2cWanL2Kn9maYozzpTwKBgQDFiF3r0Se6Yh99YY4cDiJY670QoaiqJHd4
+ShRBvZd17gzFNCb2JXOcn++82royFjNIq5viJvf6WWcBrqtb9Bl2S0pEbDW8lPlo
+vLlZYbd2KP7NTx1dC6PovGMJokGLfzCVn/0DO6gX2DtBcMKGN2xinzJSgnpRa3+o
+zwtSVR6MiQKBgHBrFk0RMQ6u3ta/PXZ0H/HLBKcxpSM/Y9MkA7SuS2M9DydNCVpu
+T4IAfortvO5umgkpJYXKwFIusYmzYUpKJdDQjW8+iklXN9gVrgXLVDFRB8xu3N7b
+msn0/xiCvUL7xg/BTftxePLaLuHBKMoTzSd3LmA6L01A+1RrDCpX8vQlAoGAKC+/
+E9vAXl3aFDMFq1WAzWBgXYLWAo9asuE3T8yXhMmCVZhvmMIzzBiJuH0zRj9X/Z/U
+HeVZq9gGacQ0XofBqlxU5qixIgWY3CMQ/ksv/N0IQZKn4acdmJrC91HITe35X2dm
+HQNFBlzaaUzcdlvONB45Kaob4nahSSGeJwjkJykCgYEAyKIEDfiV33waYa0dvfno
++dqrxDqw5sYHIL9mwo6brt2yFxXa4yJxqc0jUb/9SxduTX6hex6ydtgtibpU34Hb
+Z8wBbyiGx4gaRXxnCQpklhGb5vF65pG4jEqEsoWopvZo/5HDsed1RM+mRIMfmI30
+wX/muwDoq11LDHFNFzW3dyA=
+-----END PRIVATE KEY-----

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00file_list_log.txt

@@ -193,6 +193,9 @@ T-2/var/log/httpd/_url-trailing-slash-present_frontend_log
 T-2/var/log/httpd/_url_https-url_access_log
 T-2/var/log/httpd/_url_https-url_backend_log
 T-2/var/log/httpd/_url_https-url_frontend_log
+T-2/var/log/httpd/_weak-ssl-backend_access_log
+T-2/var/log/httpd/_weak-ssl-backend_backend_log
+T-2/var/log/httpd/_weak-ssl-backend_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestMasterAIKCDisabledAIBCCDisabledRequest.test00supervisor_state.txt

@@ -17,7 +17,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestMasterRequest.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestMasterRequestDomain.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestRe6stVerificationUrlSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestReplicateSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlave.test00file_list_log.txt

@@ -193,6 +193,9 @@ T-2/var/log/httpd/_url-trailing-slash-present_frontend_log
 T-2/var/log/httpd/_url_https-url_access_log
 T-2/var/log/httpd/_url_https-url_backend_log
 T-2/var/log/httpd/_url_https-url_frontend_log
+T-2/var/log/httpd/_weak-ssl-backend_access_log
+T-2/var/log/httpd/_weak-ssl-backend_backend_log
+T-2/var/log/httpd/_weak-ssl-backend_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestSlave.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveCiphers.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveHealthCheck.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00file_list_log.txt

@@ -193,6 +193,9 @@ T-2/var/log/httpd/_url-trailing-slash-present_frontend_log
 T-2/var/log/httpd/_url_https-url_access_log
 T-2/var/log/httpd/_url_https-url_backend_log
 T-2/var/log/httpd/_url_https-url_frontend_log
+T-2/var/log/httpd/_weak-ssl-backend_access_log
+T-2/var/log/httpd/_weak-ssl-backend_backend_log
+T-2/var/log/httpd/_weak-ssl-backend_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestSlaveHttp3.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test00cluster_request_instance_parameter_dict.txt → software/rapid-cdn/test/test_data/test.TestSlaveManagement.test00cluster_request_instance_parameter_dict.txt

 [
   {
-    "caucase_port": "15090",
-    "domain": "example.com",
     "full_address_list": [],
     "instance_title": "testing partition 0",
-    "kedifa_port": "15080",
-    "plain_http_port": "11080",
-    "port": "11443",
     "root_instance_title": "testing partition 0",
     "slap_computer_id": "local",
     "slap_computer_partition_id": "T-0",
@@ -15,56 +10,30 @@
     "slave_instance_list": [
       {
         "slap_software_type": "default",
-        "slave_reference": "_enable-http2-default",
-        "slave_title": "_enable-http2-default"
+        "slave_reference": "_deleted",
+        "slave_title": "_deleted"
       },
       {
-        "enable-http2": "false",
         "slap_software_type": "default",
-        "slave_reference": "_enable-http2-false",
-        "slave_title": "_enable-http2-false"
-      },
-      {
-        "enable-http2": "true",
-        "slap_software_type": "default",
-        "slave_reference": "_enable-http2-true",
-        "slave_title": "_enable-http2-true"
-      },
-      {
-        "enable_cache": true,
-        "slap_software_type": "default",
-        "slave_reference": "_dummy-cached",
-        "slave_title": "_dummy-cached",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+        "slave_reference": "_first",
+        "slave_title": "_first"
       }
     ],
     "timestamp": "@@TIMESTAMP@@"
   },
   {
     "_": {
-      "caucase_port": "15090",
       "cluster-identification": "testing partition 0",
-      "kedifa_port": "15080",
       "monitor-cors-domains": "monitor.app.officejs.com",
       "monitor-httpd-port": "8402",
       "monitor-password": "@@monitor-password@@",
       "monitor-username": "admin",
       "slave-list": [
         {
-          "enable_cache": true,
-          "slave_reference": "_dummy-cached",
-          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-        },
-        {
-          "slave_reference": "_enable-http2-default"
-        },
-        {
-          "enable-http2": "false",
-          "slave_reference": "_enable-http2-false"
+          "slave_reference": "_deleted"
         },
         {
-          "enable-http2": "true",
-          "slave_reference": "_enable-http2-true"
+          "slave_reference": "_first"
         }
       ]
     },
@@ -82,20 +51,17 @@
     "_": {
       "backend-client-caucase-url": "http://[@@_ipv6_address@@]:8990",
       "cluster-identification": "testing partition 0",
-      "domain": "example.com",
       "enable-http3": "false",
-      "extra_slave_instance_list": "[{\"enable_cache\": true, \"slave_reference\": \"_dummy-cached\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/\"}, {\"slave_reference\": \"_enable-http2-default\"}, {\"enable-http2\": \"false\", \"slave_reference\": \"_enable-http2-false\"}, {\"enable-http2\": \"true\", \"slave_reference\": \"_enable-http2-true\"}]",
+      "extra_slave_instance_list": "[{\"slave_reference\": \"_deleted\"}, {\"slave_reference\": \"_first\"}]",
       "frontend-name": "caddy-frontend-1",
       "http3-port": "443",
-      "kedifa-caucase-url": "http://[@@_ipv6_address@@]:15090",
-      "master-key-download-url": "https://[@@_ipv6_address@@]:15080/@@master-key-download-url_endpoint@@",
+      "kedifa-caucase-url": "http://[@@_ipv6_address@@]:8890",
+      "master-key-download-url": "https://[@@_ipv6_address@@]:7879/@@master-key-download-url_endpoint@@",
       "monitor-cors-domains": "monitor.app.officejs.com",
       "monitor-httpd-port": 8411,
       "monitor-password": "@@monitor-password@@",
       "monitor-username": "admin",
-      "plain_http_port": "11080",
-      "port": "11443",
-      "slave-kedifa-information": "{\"_dummy-cached\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@dummy-cached_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@dummy-cached_key-generate-auth-url@@/@@dummy-cached_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@dummy-cached_key-generate-auth-url@@?auth=\"}, \"_enable-http2-default\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-default_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-default_key-generate-auth-url@@/@@dummy-cached_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-default_key-generate-auth-url@@?auth=\"}, \"_enable-http2-false\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-false_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-false_key-generate-auth-url@@/@@dummy-cached_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-false_key-generate-auth-url@@?auth=\"}, \"_enable-http2-true\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-true_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-true_key-generate-auth-url@@/@@dummy-cached_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@enable-http2-true_key-generate-auth-url@@?auth=\"}}"
+      "slave-kedifa-information": "{\"_deleted\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:8890\", \"key-download-url\": \"https://[@@_ipv6_address@@]:7879/@@deleted_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:7879/@@deleted_key-generate-auth-url@@/@@deleted_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:7879/@@deleted_key-generate-auth-url@@?auth=\"}, \"_first\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:8890\", \"key-download-url\": \"https://[@@_ipv6_address@@]:7879/@@first_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:7879/@@first_key-generate-auth-url@@/@@deleted_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:7879/@@first_key-generate-auth-url@@?auth=\"}}"
     },
     "full_address_list": [],
     "instance_title": "caddy-frontend-1",

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test00file_list_log.txt → software/rapid-cdn/test/test_data/test.TestSlaveManagement.test00file_list_log.txt

@@ -8,15 +8,6 @@ T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
 T-2/var/log/expose-csr.log
 T-2/var/log/frontend-haproxy.log
-T-2/var/log/httpd/_dummy-cached_access_log
-T-2/var/log/httpd/_dummy-cached_backend_log
-T-2/var/log/httpd/_dummy-cached_frontend_log
-T-2/var/log/httpd/_enable-http2-default_access_log
-T-2/var/log/httpd/_enable-http2-default_frontend_log
-T-2/var/log/httpd/_enable-http2-false_access_log
-T-2/var/log/httpd/_enable-http2-false_frontend_log
-T-2/var/log/httpd/_enable-http2-true_access_log
-T-2/var/log/httpd/_enable-http2-true_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test00supervisor_state.txt → software/rapid-cdn/test/test_data/test.TestSlaveManagement.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test00supervisor_state.txt

@@ -19,7 +19,7 @@ T-1:logrotate-setup-validate EXITED
 T-1:monitor-httpd-{hash-generic}-on-watch RUNNING
 T-1:monitor-httpd-graceful EXITED
 T-2:backend-client-login-certificate-caucase-updater-on-watch RUNNING
-T-2:backend-haproxy-{hash-generic}-on-watch RUNNING
+T-2:backend-haproxy-{hash-backend-haproxy-T-2}-on-watch RUNNING
 T-2:backend-haproxy-rsyslogd-{hash-generic}-on-watch RUNNING
 T-2:backend-haproxy-safe-graceful EXITED
 T-2:bootstrap-monitor EXITED

software/simpleran/buildout.hash.cfg

@@ -16,7 +16,7 @@
 
 [template]
 filename = instance.cfg
-md5sum = 0a1be770b8ed414344f3d61a09cacb0e
+md5sum = 109828c2a97c09b0976d266aaba00328
 
 [template-ors]
 filename = instance-ors.cfg

software/simpleran/instance.cfg

@@ -180,7 +180,7 @@ init =
   options['gnb_pci'] = sn % 1008
   options['enb_cell_id'] = "0x{:02X}".format(sn % 2**8)
   options['gnb_cell_id'] = "0x{:02X}".format((sn + 2**7) % 2**8)
-  options['root_sequence_index'] = sn % 834
+  options['root_sequence_index'] = sn % 138
 
   def to_int(x):
     try: