- 10 Nov, 2020 5 commits
Jérome Perrin authored
Until now, the caucase stack was re-generating a new key every time the software release was upgraded. That was not really a problem because we were not using this certificate, but since af7a0208 (ERP5: Test balancer partition and use caucase certificate for balancer, 2020-11-04) we are using the caucase certificate for the balancer. The problem is that it was not possible to update old instances, since on "very old" instances the original key was lost, and also since in af7a0208 we switched to using a CSR template, which also generated a new key, so updating from "not so old" instances was not possible either. Now we have an upgrade test that will confirm that our changes in ERP5 do not prevent updating old instances, so we ignore all our past mistakes with certificate management in this software release and start over with a new data dir.
-
Jérome Perrin authored
We have been using this pattern for most of our services for several months without any issue, so let's also use it for zopes. This makes automatic upgrade possible. Also remove the "zope running current products" promise: since we restart, we no longer need to check this.
-
Jérome Perrin authored
haproxy can be controlled with this socket, so it might be useful to "expose" it. It's not really exposed, because we only use a UNIX socket.
-
Jérome Perrin authored
Two big differences of haproxy are that haproxy does not use separate files for certificates and that the times in logs are in milliseconds, whereas with httpd they were microseconds. For certificates, when using caucase to generate haproxy's own server certificate we specify the same file as cert and key, as caucase supports this, and instead of maintaining directories of CA and CRL for client certificates (used by the shared frontend), we build PEM files containing all CA certificates and all CRLs together. For the logs, we use a new version of apachedex which supports `%{ms}T` for durations. Tests have been modified a bit, because haproxy uses HTTP/2.0 and not 1.1 like httpd was doing. Several haproxy features (keep alive and gzip compression) are only available when the backend uses HTTP/1.1, so we adjusted tests to use a 1.1 backend. There were also differences with logs, because of the time being in milliseconds. TestPublishedURLIsReachableMixin._checkERP5IsReachable was also updated; it was working by chance because when accessed behind httpd->haproxy->zope, zope was producing a redirect URL that was the URL of haproxy, which could be resolved by chance. This test was updated to access zope with a path that contains VirtualHostMonster magic, as the shared frontend (with "zope" software type) is supposed to set. This should hopefully solve the "502 Proxy Error" that we are observing with httpd.
-
Jérome Perrin authored
Use the hash-existing-files feature of the wrapper recipe to make services restart automatically when they are re-requested with different parameters.
-
- 09 Nov, 2020 2 commits
Jérome Perrin authored
If the key or CSR is already present, we should not re-run this openssl command, which generates a new key and a new CSR.
-
Jérome Perrin authored
Caucase rerequest uses a CSR *template* and uses it to generate a new CSR with a new key, so we should not use the actual key to generate this CSR, because it is the caucase rerequest job's role to generate the key. Also, we should be careful not to generate a new CSR every time this command runs, otherwise a new key will be generated and a new CSR will be sent to caucase, but caucase will not sign it automatically (since we configure it to sign only one certificate). This means that the case of IP address changes is currently not supported automatically. To support it we would need to:

- force generation of a new CSR template
- force caucase rerequester to request a new certificate (by removing the existing certificate)
- force caucased to sign the new certificate

This commit fixes indentation and removes the simplefile macro that is no longer used.
-
- 04 Nov, 2020 3 commits
Jérome Perrin authored
The test expecting that X-Forwarded-For is empty can also accept the case where the X-Forwarded-For header is not present.
-
Vincent Pelletier authored
Make the value and its changes easier to read.
-
Jérome Perrin authored
Revert f8f72a17 ([erp5] don't use caucase generated certificate for now, 2019-03-12) since nothing prevents us from using the caucase certificate now.

Use [managed resources](nexedi/slapos.core!259) to simplify existing tests and introduce tests for:

## Access Log

- [x] balancer partition should produce logs in apache "combined" log format with microsecond timing of requests.
- [x] these logs should be rotated daily
- [x] an [apachedex](https://lab.nexedi.com/nexedi/apachedex) report is run on these logs daily.

## Balancing

- [x] requests are balanced to multiple backends using round-robin algorithm
- [x] if a backend is down it is excluded
- [x] a "sticky cookie" is used so that clients are associated to the same backend
  - [x] the cookie is set by balancer
  - [x] when a client comes with a cookie it "sticks" on the associated backend
  - [x] if the "sticked" backend is down, another backend will be used

## Content-Encoding

- [x] balancer encodes responses in gzip for some configured content types.

## HTTP

- [x] Server uses HTTP/1.1 or more and keeps connection with clients

## TLS (server certificate)

In this MR we also change apache to use a caucase managed certificate and add test coverage for:

- [x] balancer listens on https with a certificate that can be verified using the CA from caucase.
- [x] balancer uses the new certificate when its own certificate is renewed.

But we don't add support for:

- ~~balancer can be instantiated with a certificate and key passed as SlapOS request parameters (code [here](https://lab.nexedi.com/nexedi/slapos/blob/757c1a4ddee93659d5e2649e4252d87bf9494566/stack/erp5/instance-balancer.cfg.in#L208-213))~~ this use case is the job of caucase, so we no longer support this.

## TLS (client certificate)

- [x] balancer verifies frontend certificates from frontend caucases (also tested in "Forwarded-For" section)
- [x] if frontend provided a verified certificate, balancer sets `remote-user` header
- [x] balancer updates CRL from caucases (`caucase-updater-housekeeper`)
- (NOT TESTED) balancer updates CA certificate from caucase (`caucase-updater-housekeeper`). Since this would be complex to test and the basic functionality of `caucase-updater-housekeeper` for frontend caucases is covered by the CRL test, we don't test this for simplicity.

## "Forwarded-For" header

This was also covered by existing tests:

- [x] balancer sets `X-Forwarded-For` header when frontend certificate can be verified
- [x] balancer strips existing `X-Forwarded-For`

## Integration with the rest of ERP5 software release

This was also covered by existing tests:

- [x] The https URL of each Zope family is published and replies properly
- [x] Some https URLs are generated for `runUnitTest`, so that tests run with an https certificate.

This is also covered by regular ERP5 functional tests.

See merge request nexedi/slapos!840
-
- 02 Nov, 2020 4 commits
Léo-Paul Géneau authored
-
Léo-Paul Géneau authored
-
Thomas Gambier authored
See merge request nexedi/slapos!839
-
- 30 Oct, 2020 1 commit
Łukasz Nowak authored
-
- 29 Oct, 2020 5 commits
Xavier Thompson authored
Future Cython+ work will use it.
-
Jérome Perrin authored
-
Jérome Perrin authored
-
Jérome Perrin authored
-
Jérome Perrin authored
Fix for #20200514-218C705 - [testnode] frontend for log access

Depends on nexedi/erp5!1304

See merge request nexedi/slapos!848
-
- 28 Oct, 2020 3 commits
Julien Muchembled authored
This fixes the nextcloud SR, which was broken by commit 92779bf4 (mariadb is not a part anymore).
-
Julien Muchembled authored
This fixes commit a62e5e7b. See also commit 491e6e28.
-
Jérome Perrin authored
And set it as log_frontend_url in testnode config
-
- 27 Oct, 2020 12 commits
Julien Muchembled authored
Just add the following 2 lines in a SR:

    [mariadb]
    location = ${mariadb-10.4:location}
-
Julien Muchembled authored
-
Julien Muchembled authored
-
Julien Muchembled authored
-
Julien Muchembled authored
It does not build with GCC 8.2
-
Kirill Smelkov authored
Going Go1.14.9 -> Go1.14.10 brings in compiler and runtime fixes, including a fix for a crash in the garbage collector due to a race condition:

https://github.com/golang/go/issues/40642
https://github.com/golang/go/issues/40641

Tested on helloworld SR.
-
Łukasz Nowak authored
See merge request nexedi/slapos!844
-
Łukasz Nowak authored
validators.url is enough, even for Caddy, to check that a URL is correct, and caddy_backend_url_validator was introduced before validators. Also, calling an external command for each slave takes a lot of time.
-
Łukasz Nowak authored
Thanks to this, other sections can directly reference them, and so they are correctly created as needed, so the linking section does not need update-command.
-
Łukasz Nowak authored
The password is anyway present in the section itself, so its eventual change will result in reinstalling the section.
-
Jérome Perrin authored
Also change the existing frontend_url a bit to manage it the same way.
-
Jérome Perrin authored
This way buildout can reuse egg caches and it's a bit faster: to run a simple instance buildout, from 2.837s it goes down to 1.875s. To run slapos node instance 10 times just after requesting an ERP5 instance, it goes from ~112s to 98s.

before:

    hyperfine "/srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/shared/python2.7/60364a13cc977dd5a894e0239ac889b9/bin/python2.7 /srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/soft/c63ba7265399450b28f9ea6d5667a5e7/bin/buildout -U"
    Benchmark #1: /srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/shared/python2.7/60364a13cc977dd5a894e0239ac889b9/bin/python2.7 /srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/soft/c63ba7265399450b28f9ea6d5667a5e7/bin/buildout -U
      Time (mean ± σ):      2.837 s ±  0.275 s    [User: 2.481 s, System: 0.285 s]
      Range (min … max):    2.482 s …  3.222 s    10 runs

after:

    hyperfine "/srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/shared/python2.7/60364a13cc977dd5a894e0239ac889b9/bin/python2.7 /srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/soft/c63ba7265399450b28f9ea6d5667a5e7/bin/buildout -U"
    Benchmark #1: /srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/shared/python2.7/60364a13cc977dd5a894e0239ac889b9/bin/python2.7 /srv/slapgrid/slappart4/srv/slapos/inst/slappart0/tmp/soft/c63ba7265399450b28f9ea6d5667a5e7/bin/buildout -U
      Time (mean ± σ):      1.875 s ±  0.067 s    [User: 1.660 s, System: 0.148 s]
      Range (min … max):    1.816 s …  2.038 s    10 runs
-
- 26 Oct, 2020 4 commits
Julien Muchembled authored
See merge request nexedi/slapos!846
-
Léo-Paul Géneau authored
Changes configuration files to run repman tests in python3.
-
Léo-Paul Géneau authored
Adds rubygemsrecipe (https://lab.nexedi.com/nexedi/rubygemsrecipe), newly added to nexedi's repositories, to the list of tested eggs.
-
Julien Muchembled authored
This also fixes rpath of rust binaries.
-
- 23 Oct, 2020 1 commit
Léo-Paul Géneau authored
See merge request nexedi/slapos!845
-