Update Release Candidate

component/bzip2/buildout.cfg

@@ -5,7 +5,7 @@ parts =
 [bzip2]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://www.bzip.org/1.0.6/bzip2-1.0.6.tar.gz
+url = https://fossies.org/linux/misc/bzip2-1.0.6.tar.gz
 md5sum = 00b516f4704d4a7cb50a1d97e6e8e15b
 configure-command = true
 make-options =

component/shellinabox/0001-Switch-to-IPv6.patch

-From 50ec7439e80bd6a77346dc6482895e481d8cd43a Mon Sep 17 00:00:00 2001
-From: Antoine Catton <acatton@tiolive.com>
-Date: Tue, 10 Jan 2012 18:30:20 +0100
-Subject: [PATCH] Switch to IPv6
-
----
- libhttp/http.h             |    4 ++--
- libhttp/httpconnection.c   |   11 ++++++++++-
- libhttp/server.c           |   33 +++++++++++++++++++--------------
- libhttp/server.h           |    6 +++---
- shellinabox/shellinaboxd.c |   14 +++++++-------
- 5 files changed, 41 insertions(+), 27 deletions(-)
-
-diff --git a/libhttp/http.h b/libhttp/http.h
-index e7840fa..5cd61e3 100644
---- a/libhttp/http.h
-+++ b/libhttp/http.h
-@@ -66,8 +66,8 @@ typedef struct ServerConnection ServerConnection;
- typedef struct Server Server;
- typedef struct URL URL;
- 
--Server *newCGIServer(int localhostOnly, int portMin, int portMax, int timeout);
--Server *newServer(int localhostOnly, int port);
-+Server *newCGIServer(char *ipv6, int portMin, int portMax, int timeout);
-+Server *newServer(char *ipv6, int port);
- void deleteServer(Server *server);
- int  serverGetListeningPort(Server *server);
- int  serverGetFd(Server *server);
-diff --git a/libhttp/httpconnection.c b/libhttp/httpconnection.c
-index c8e69f6..cae467f 100644
---- a/libhttp/httpconnection.c
-+++ b/libhttp/httpconnection.c
-@@ -823,8 +823,17 @@ static int httpHandleCommand(struct HttpConnection *http,
-   const char *host                         = getFromHashMap(&http->header,
-                                                             "host");
-   if (host) {
-+    int brackets = 0; // For IPv6 hosts
-     for (char ch; (ch = *host) != '\000'; host++) {
--      if (ch == ':') {
-+      if (ch == '[') {
-+          brackets = 1;
-+          break;
-+      }
-+      if (ch == ']') {
-+          brackets = 0;
-+          break;
-+      }
-+      if (!brackets && ch == ':') {
-         *(char *)host                      = '\000';
-         break;
-       }
-diff --git a/libhttp/server.c b/libhttp/server.c
-index f52a269..2c30bd8 100644
---- a/libhttp/server.c
-+++ b/libhttp/server.c
-@@ -170,19 +170,19 @@ static int serverQuitHandler(struct HttpConnection *http, void *arg) {
-   return HTTP_DONE;
- }
- 
--struct Server *newCGIServer(int localhostOnly, int portMin, int portMax,
-+struct Server *newCGIServer(char *ipv6, int portMin, int portMax,
-                             int timeout) {
-   struct Server *server;
-   check(server = malloc(sizeof(struct Server)));
--  initServer(server, localhostOnly, portMin, portMax, timeout);
-+  initServer(server, ipv6, portMin, portMax, timeout);
-   return server;
- }
- 
--struct Server *newServer(int localhostOnly, int port) {
--  return newCGIServer(localhostOnly, port, port, -1);
-+struct Server *newServer(char *ipv6, int port) {
-+  return newCGIServer(ipv6, port, port, -1);
- }
- 
--void initServer(struct Server *server, int localhostOnly, int portMin,
-+void initServer(struct Server *server, char *ipv6, int portMin,
-                 int portMax, int timeout) {
-   server->looping               = 0;
-   server->exitAll               = 0;
-@@ -192,14 +192,19 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
-   server->numConnections        = 0;
- 
-   int true                      = 1;
--  server->serverFd              = socket(PF_INET, SOCK_STREAM, 0);
-+  server->serverFd              = socket(PF_INET6, SOCK_STREAM, 0);
-   check(server->serverFd >= 0);
-   check(!setsockopt(server->serverFd, SOL_SOCKET, SO_REUSEADDR,
-                     &true, sizeof(true)));
--  struct sockaddr_in serverAddr = { 0 };
--  serverAddr.sin_family         = AF_INET;
--  serverAddr.sin_addr.s_addr    = htonl(localhostOnly
--                                        ? INADDR_LOOPBACK : INADDR_ANY);
-+  struct sockaddr_in6 serverAddr = { 0 };
-+  serverAddr.sin6_family         = AF_INET6;
-+  if (ipv6 != NULL) {
-+    if (!inet_pton(AF_INET6, ipv6, serverAddr.sin6_addr.s6_addr)) {
-+        fatal("Bad ipv6 address");
-+    }
-+  } else {
-+    serverAddr.sin6_addr = in6addr_any;
-+  }
- 
-   // Linux unlike BSD does not have support for picking a local port range.
-   // So, we have to randomly pick a port from our allowed port range, and then
-@@ -214,14 +219,14 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
-     int portStart               = rand() % (portMax - portMin + 1) + portMin;
-     for (int p = 0; p <= portMax-portMin; p++) {
-       int port                  = (p+portStart)%(portMax-portMin+1)+ portMin;
--      serverAddr.sin_port       = htons(port);
-+      serverAddr.sin6_port       = htons(port);
-       if (!bind(server->serverFd, (struct sockaddr *)&serverAddr,
-                 sizeof(serverAddr))) {
-         break;
-       }
--      serverAddr.sin_port       = 0;
-+      serverAddr.sin6_port       = 0;
-     }
--    if (!serverAddr.sin_port) {
-+    if (!serverAddr.sin6_port) {
-       fatal("Failed to find any available port");
-     }
-   }
-@@ -231,7 +236,7 @@ void initServer(struct Server *server, int localhostOnly, int portMin,
-   check(!getsockname(server->serverFd, (struct sockaddr *)&serverAddr,
-                      &socklen));
-   check(socklen == sizeof(serverAddr));
--  server->port                  = ntohs(serverAddr.sin_port);
-+  server->port                  = ntohs(serverAddr.sin6_port);
-   info("Listening on port %d", server->port);
- 
-   check(server->pollFds         = malloc(sizeof(struct pollfd)));
-diff --git a/libhttp/server.h b/libhttp/server.h
-index bb879fb..5ffb698 100644
---- a/libhttp/server.h
-+++ b/libhttp/server.h
-@@ -78,10 +78,10 @@ struct Server {
-   struct SSLSupport       ssl;
- };
- 
--struct Server *newCGIServer(int localhostOnly, int portMin, int portMax,
-+struct Server *newCGIServer(char *ipv6, int portMin, int portMax,
-                             int timeout);
--struct Server *newServer(int localhostOnly, int port);
--void initServer(struct Server *server, int localhostOnly, int portMin,
-+struct Server *newServer(char *ipv6, int port);
-+void initServer(struct Server *server, char *ipv6, int portMin,
-                 int portMax, int timeout);
- void destroyServer(struct Server *server);
- void deleteServer(struct Server *server);
-diff --git a/shellinabox/shellinaboxd.c b/shellinabox/shellinaboxd.c
-index dcf05ff..2d1d758 100644
---- a/shellinabox/shellinaboxd.c
-+++ b/shellinabox/shellinaboxd.c
-@@ -80,7 +80,7 @@
- static int            port;
- static int            portMin;
- static int            portMax;
--static int            localhostOnly = 0;
-+static char           *ipv6 = NULL;
- static int            noBeep        = 0;
- static int            numericHosts  = 0;
- static int            enableSSL     = 1;
-@@ -747,7 +747,7 @@ static void usage(void) {
-           "  -g, --group=GID             switch to this group (default: %s)\n"
-           "  -h, --help                  print this message\n"
-           "      --linkify=[none|normal|agressive] default is \"normal\"\n"
--          "      --localhost-only        only listen on 127.0.0.1\n"
-+          "      --ipv6                  listen on a specific ipv6\n"
-           "      --no-beep               suppress all audio output\n"
-           "  -n, --numeric               do not resolve hostnames\n"
-           "  -p, --port=PORT             select a port (default: %d)\n"
-@@ -839,7 +839,7 @@ static void parseArgs(int argc, char * const argv[]) {
-       { "static-file",      1, 0, 'f' },
-       { "group",            1, 0, 'g' },
-       { "linkify",          1, 0,  0  },
--      { "localhost-only",   0, 0,  0  },
-+      { "ipv6",             1, 0,  0  },
-       { "no-beep",          0, 0,  0  },
-       { "numeric",          0, 0, 'n' },
-       { "port",             1, 0, 'p' },
-@@ -1001,8 +1001,8 @@ static void parseArgs(int argc, char * const argv[]) {
-               "\"none\", \"normal\", or \"aggressive\".");
-       }
-     } else if (!idx--) {
--      // Localhost Only
--      localhostOnly        = 1;
-+      // IPv6
-+      ipv6 = optarg;
-     } else if (!idx--) {
-       // No Beep
-       noBeep               = 1;
-@@ -1197,7 +1197,7 @@ int main(int argc, char * const argv[]) {
-   // Create a new web server
-   Server *server;
-   if (port) {
--    check(server  = newServer(localhostOnly, port));
-+    check(server  = newServer(ipv6, port));
-     dropPrivileges();
-     setUpSSL(server);
-   } else {
-@@ -1217,7 +1217,7 @@ int main(int argc, char * const argv[]) {
-       _exit(0);
-     }
-     check(!NOINTR(close(fds[0])));
--    check(server  = newCGIServer(localhostOnly, portMin, portMax,
-+    check(server  = newCGIServer(ipv6, portMin, portMax,
-                                  AJAX_TIMEOUT));
-     cgiServer     = server;
-     setUpSSL(server);
--- 
-1.7.6.5
-

component/shellinabox/0002-Allow-to-run-entire-command-path.patch

-From eee6f7180dc5dd4523264e7ce0721945ab2b78a1 Mon Sep 17 00:00:00 2001
-From: Antoine Catton <acatton@tiolive.com>
-Date: Wed, 11 Jan 2012 17:32:15 +0100
-Subject: [PATCH 2/2] Allow to run entire command path.
-
----
- shellinabox/launcher.c |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/shellinabox/launcher.c b/shellinabox/launcher.c
-index fb8a133..e116a75 100644
---- a/shellinabox/launcher.c
-+++ b/shellinabox/launcher.c
-@@ -1226,8 +1226,7 @@ static void execService(int width, int height, struct Service *service,
- 
-   extern char **environ;
-   environ                     = environment;
--  char *cmd                   = strrchr(argv[0], '/');
--  execvp(cmd ? cmd + 1: argv[0], argv);
-+  execvp(argv[0], argv);
- }
- 
- void setWindowSize(int pty, int width, int height) {
--- 
-1.7.6.5
-

component/shellinabox/buildout.cfg

@@ -11,24 +11,6 @@ extends =
 
 parts = shellinabox
 
-[shellinabox]
-<= shellinabox-2.10
-
-[shellinabox-2.10]
-; This version is old, but we patch it for IPv6 support
-recipe = slapos.recipe.cmmi
-url = http://shellinabox.googlecode.com/files/shellinabox-2.10.tar.gz
-md5sum = 0e144910d85d92edc54702ab9c46f032
-patch-binary = ${patch:location}/bin/patch
-patch-options = -p1
-patches =
-    ${:_profile_base_location_}/0001-Switch-to-IPv6.patch#b61cb099c00e15a5fcaf6c98134fff45
-    ${:_profile_base_location_}/0002-Allow-to-run-entire-command-path.patch#a506b4d83021e24c830f767501c1d3fc
-environment =
-    CFLAGS = -I${zlib:location}/include -I${openssl:location}/include
-    LDFLAGS = -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${openssl:location}/lib -Wl,-rpath=${openssl:location}/lib
-    PKG_CONFIG_PATH = ${openssl:location}/lib/pkgconfig/
-
 [shellinabox-git-repository]
 ; This version has much more features, but does not support IPv6 (support unix domain though)
 recipe = slapos.recipe.build:gitclone
@@ -36,7 +18,7 @@ repository = https://github.com/shellinabox/shellinabox
 revision = b8285748993c4c99e80793775f3d2a0a4e962d5a
 git-executable = ${git:location}/bin/git
 
-[shellinabox-github]
+[shellinabox]
 recipe = slapos.recipe.cmmi
 path = ${shellinabox-git-repository:location}
 configure-command =

setup.py

@@ -168,7 +168,6 @@ setup(name=name,
           'reverseproxy.nginx = slapos.recipe.reverse_proxy_nginx:Recipe',
           'sheepdogtestbed = slapos.recipe.sheepdogtestbed:SheepDogTestBed',
           'shell = slapos.recipe.shell:Recipe',
-          'shellinabox = slapos.recipe.shellinabox:Recipe',
           'signalwrapper= slapos.recipe.signal_wrapper:Recipe',
           'simplelogger = slapos.recipe.simplelogger:Recipe',
           'simplehttpserver = slapos.recipe.simplehttpserver:Recipe',

slapos/recipe/shellinabox.py

-##############################################################################
-#
-# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
-#
-# WARNING: This program as such is intended to be used by professional
-# programmers who take the whole responsibility of assessing all potential
-# consequences resulting from its eventual inadequacies and bugs
-# End users who are looking for a ready-to-use solution with commercial
-# guarantees and support are strongly adviced to contract a Free Software
-# Service Company
-#
-# This program is Free Software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 3
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
-#
-##############################################################################
-from getpass import getpass
-import hmac
-import pwd
-import grp
-import os
-import shlex
-
-from slapos.recipe.librecipe import GenericBaseRecipe
-
-def login_shell(password_file, shell):
-  if password_file:
-    with open(password_file, 'r') as password_file:
-      password = password_file.read()
-
-    if not password or hmac.compare_digest(getpass(), password):
-      commandline = shlex.split(shell)
-      os.execv(commandline[0], commandline)
-  return 1
-
-def shellinabox(args):
-  certificate_dir = args['certificate_dir']
-  certificate_path = os.path.join(certificate_dir, 'certificate.pem')
-  with open(certificate_path, 'w') as certificate_file:
-    with open(args['ssl_key'], 'r') as key_file:
-      # XXX: Dirty hack in order to make shellinabox work
-      print >> certificate_file, key_file.read().replace(' PRIVATE ',
-                                                         ' RSA PRIVATE ')
-    with open(args['ssl_certificate']) as public_key_file:
-      print >> certificate_file, public_key_file.read()
-
-  user = pwd.getpwuid(os.getuid()).pw_uid
-  group = grp.getgrgid(os.getgid()).gr_gid
-  service = '/:%(user)s:%(group)s:%(directory)s:%(command)s' % {
-    'user': user,
-    'group': group,
-    'directory': args['directory'],
-    'command': args['login_shell'],
-  }
-
-  command_line = [
-    args['shellinabox'],
-    '-c', certificate_dir,
-    '-s', service,
-    '--ipv6', args['ipv6'],
-    '-p', args['port'],
-  ]
-
-  # XXX: By default shellinbox drop privileges
-  #      switching to nobody:nogroup user.
-  # This force root.
-  if group == 'root':
-    command_line.extend(['-g', group])
-  if user == 'root':
-    command_line.extend(['-u', group])
-
-  os.execv(command_line[0], command_line)
-
-
-class Recipe(GenericBaseRecipe):
-
-  def install(self):
-    login_shell_wrapper = self.createPythonScript(
-      self.options['login-shell'],
-      __name__ + '.login_shell',
-      (self.options['password-file'], self.options['shell'])
-    )
-
-    shellinabox_wrapper = self.createPythonScript(
-      self.options['wrapper'],
-      __name__ + '.shellinabox',
-      (dict(
-        certificate_dir=self.options['certificate-directory'],
-        ssl_key=self.options['key-file'],
-        ssl_certificate=self.options['cert-file'],
-        shellinabox=self.options['shellinabox-binary'],
-        directory=self.options['directory'],
-        ipv6=self.options['ipv6'],
-        port=self.options['port'],
-        login_shell=login_shell_wrapper,
-       ),)
-    )
-
-    return login_shell_wrapper, shellinabox_wrapper

software/caddy-frontend/TODO.rst

@@ -58,6 +58,7 @@ Generally things to be done with ``caddy-frontend``:
  * drop ``6tunnel`` and use ``bind`` in Caddy configuration, as soon as multiple binds will be possible, tracked in upstream `bind: support multiple values <https://github.com/mholt/caddy/pull/2128>`_ and `ipv6: does not bind on ipv4 and ipv6 for sites that resolve to both <https://github.com/mholt/caddy/issues/864>`_
  * use caddy-frontend in `standalone style playbooks <https://lab.nexedi.com/nexedi/slapos.package/tree/master/playbook/roles/standalone-shared>`_
  * in ``templates/apache-custom-slave-list.cfg.in`` avoid repetetive ``part_list.append`` and use macro like in ERP5 SR (cf `Vincent's comment <https://lab.nexedi.com/nexedi/slapos/merge_requests/373#note_64362>`_)
+ * **Jérome Perrin**: consider privacy implications/GDPR compliance of https://caddyserver.com/docs/telemetry and decide if we should leave it enabled.
 
 Things which can't be implemented:
 

software/erp5testnode/buildout.hash.cfg

@@ -18,4 +18,4 @@ md5sum = 307663d73ef3ef94b02567ecd322252e
 
 [template-default]
 filename = instance-default.cfg
-md5sum = 555700e5d216ff32a981f4066791bdab
+md5sum = d5a4270e5e7827db2e6a19d2eedb570b

software/erp5testnode/instance-default.cfg

@@ -9,8 +9,6 @@ extends = ${monitor2-template:rendered}
 
 parts =
   testnode
-  shell
-  shellinabox
   certificate-authority
   ca-shellinabox
   ca-httpd-testnode
@@ -18,11 +16,12 @@ parts =
   monitor-publish
   testnode-frontend
   resiliency-exclude-file
+  shellinabox-frontend-reload
+  promises
   
 [monitor-publish]
 recipe = slapos.cookbook:publish
-url = https://[$${shellinabox:ipv6}]:$${shellinabox:port}/
-password = $${pwgen:passwd}
+url = $${shellinabox-frontend:url}
 frontend-url = $${testnode-frontend:connection-secure_access}
 
 [pwgen]
@@ -73,34 +72,70 @@ apache-modules-dir = ${apache:location}/modules
 apache-mime-file = ${apache:location}/conf/mime.types
 apache-htpasswd = ${apache:location}/bin/htpasswd
 
-[shell]
-recipe = slapos.cookbook:shell
-wrapper = $${rootdirectory:bin}/sh
-shell = ${busybox:location}/bin/sh
-home = $${buildout:directory}
-ps1 = "\\w> "
-path =
-    ${busybox:location}/bin/
-    ${busybox:location}/usr/bin/
-    ${git:location}/bin/
-    ${python2.7:location}/bin/
-    ${buildout:bin-directory}/
-    ${busybox:location}/sbin/
-    ${busybox:location}/usr/sbin/
+
+[shell-environment]
+shell = ${bash:location}/bin/bash
 
 [shellinabox]
-recipe = slapos.cookbook:shellinabox
+recipe = slapos.recipe.template:jinja2
+# We cannot use slapos.cookbook:wrapper here because this recipe escapes too much
+socket = $${directory:run}/siab.sock
+mode = 0700
+rendered = $${basedirectory:services}/shellinaboxd
+template = inline:
+  #!/bin/sh
+  exec ${shellinabox:location}/bin/shellinaboxd \
+    --disable-ssl \
+    --disable-ssl-menu \
+    --unixdomain-only=$${:socket}:$(id -u):$(id -g):0600 \
+    --service "/:$(id -u):$(id -g):HOME:$${shell-environment:shell} -l"
+
+[shellinabox-frontend-config]
+recipe = slapos.recipe.template:jinja2
+rendered = $${directory:etc}/$${:_buildout_section_name_}
+template = inline:
+  https://$${:hostname}:$${:port} {
+    bind $${:ipv6}
+    tls $${:cert-file} $${:key-file}
+    gzip
+    log stdout
+    errors stderr
+    proxy / unix:$${shellinabox:socket}
+    basicauth $${:username} $${:passwd} {
+      realm "Test Node $${testnode:test-node-title}"
+      /
+    }
+  }
 ipv6 = $${slap-network-information:global-ipv6}
+hostname = [$${:ipv6}]
 port = 8080
-shell = $${shell:wrapper}
-wrapper = $${rootdirectory:bin}/shellinaboxd
-shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
-password-file = $${pwgen:storage-path}
-directory = $${buildout:directory}/
-login-shell = $${rootdirectory:bin}/login
-certificate-directory = $${directory:shellinabox}
+username = testnode
+passwd = $${pwgen:passwd}
 cert-file = $${directory:shellinabox}/public.crt
 key-file = $${directory:shellinabox}/private.key
+url = https://$${:username}:$${:passwd}@$${:hostname}:$${:port}
+
+
+[shellinabox-frontend]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${rootdirectory:bin}/$${:_buildout_section_name_}
+command-line =
+  ${caddy:output} -conf $${shellinabox-frontend-config:rendered} -pidfile $${:pidfile}
+url =  $${shellinabox-frontend-config:url}
+hostname = $${shellinabox-frontend-config:ipv6}
+port = $${shellinabox-frontend-config:port}
+pidfile = $${basedirectory:run}/$${:_buildout_section_name_}.pid
+
+[shellinabox-frontend-reload]
+recipe = slapos.cookbook:wrapper
+wrapper-path = $${basedirectory:services}/$${:_buildout_section_name_}
+command-line =
+  ${bash:location}/bin/bash -c 
+  "kill -s USR1 $$(${coreutils:location}/bin/cat $${shellinabox-frontend:pidfile}) \
+    && ${coreutils:location}/bin/sleep infinity"
+hash-files =
+  $${shellinabox-frontend-config:rendered}
+  $${shellinabox-frontend:wrapper-path}
 
 [certificate-authority]
 recipe = slapos.cookbook:certificate_authority
@@ -124,10 +159,10 @@ crl = $${directory:ca-dir}/crl/
 [ca-shellinabox]
 <= certificate-authority
 recipe = slapos.cookbook:certificate_authority.request
-executable = $${shellinabox:wrapper}
-wrapper = $${basedirectory:services}/shellinaboxd
-key-file = $${shellinabox:key-file}
-cert-file = $${shellinabox:cert-file}
+executable = $${shellinabox-frontend:wrapper-path}
+wrapper = $${basedirectory:services}/shellinabox-frontend
+key-file = $${shellinabox-frontend-config:key-file}
+cert-file = $${shellinabox-frontend-config:cert-file}
 
 [ca-httpd-testnode]
 <= certificate-authority
@@ -181,6 +216,21 @@ config-https-only = true
 #software-type = custom-personal
 return = domain secure_access
 
+[promises]
+recipe =
+instance-promises =
+  $${shellinabox-frontend-listen-promise:path}
+
+[check-port-listening-promise]
+recipe = slapos.cookbook:check_port_listening
+path = $${directory:promises}/$${:_buildout_section_name_}
+
+[shellinabox-frontend-listen-promise]
+<= check-port-listening-promise
+hostname= $${shellinabox-frontend:hostname}
+port = $${shellinabox-frontend:port}
+
+
 [slap-parameter]
 node-quantity = 1
 test-suite-master-url =

software/erp5testnode/software.cfg

@@ -5,7 +5,9 @@ extends =
   ../../component/git/buildout.cfg
   ../../component/lxml-python/buildout.cfg
   ../../component/zip/buildout.cfg
-  ../../component/busybox/buildout.cfg
+  ../../component/bash/buildout.cfg
+  ../../component/caddy/buildout.cfg
+  ../../component/coreutils/buildout.cfg
   ../../component/shellinabox/buildout.cfg
   ../../component/pwgen/buildout.cfg
   ../../component/apache/buildout.cfg
@@ -27,6 +29,7 @@ eggs =
   zc.buildout
   slapos.libnetworkcache
   slapos.core
+  slapos.recipe.template
   supervisor
   jsonschema
   hexagonit.recipe.download
@@ -58,7 +61,7 @@ output = ${buildout:directory}/template-default.cfg
 mode = 0644
 
 [versions]
-erp5.util = 0.4.53
+erp5.util = 0.4.56
 slapos.recipe.template = 4.3
 dnspython = 1.15.0
 PyXML = 0.8.5

software/powerdns/slave-instance-powerdns-input-schema.json

@@ -42,10 +42,22 @@
       "default": "na",
       "type": "string"
     },
-    "china": {
-      "title": "China RR",
-      "description": "Records to use for China",
-      "default": "cn",
+    "china-telecom": {
+      "title": "China Telecom RR",
+      "description": "Records to use for China Telecom",
+      "default": "cn-t",
+      "type": "string"
+    },
+    "china-unicom": {
+      "title": "China Unicom RR",
+      "description": "Records to use for China Unicom",
+      "default": "cn-u",
+      "type": "string"
+    },
+    "china-mobile": {
+      "title": "China Mobile RR",
+      "description": "Records to use for China Mobile",
+      "default": "cn-m",
       "type": "string"
     },
     "japan": {

software/powerdns/software.cfg

@@ -45,7 +45,7 @@ mode = 0644
 recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/template/zz.countries.nexedi.dk.rbldnsd
-md5sum = 078bbe893aae7272270b4ec22505de33
+md5sum = c4dc8c141d81b92d92cdb82ca67a13ee
 location = ${buildout:parts-directory}/${:_buildout_section_name_}
 filename = zz.countries.nexedi.dk.rbldnsd
 download-only = true
@@ -55,7 +55,7 @@ mode = 0644
 recipe = hexagonit.recipe.download
 ignore-existing = true
 url = ${:_profile_base_location_}/template/cdn.conf.in
-md5sum = 9d9b431d8373c2e1850f3cef5ae1898a
+md5sum = 29c29f93b3b0bd2f71f86f7b337e4543
 location = ${buildout:parts-directory}/${:_buildout_section_name_}
 filename = cdn.conf.in
 download-only = true

software/powerdns/template/cdn.conf.in

@@ -93,8 +93,12 @@ $ORIGIN {{ cdn.get('origin') }}
 152 {{ cdn.get('south-america', 'sa') }}
 # Cameroon
 120 {{ cdn.get('africa', 'af') }}
-# China
-156 {{ cdn.get('china', 'cn') }}
+# China telecom
+155 {{ cdn.get('china-telecom', 'cn-t') }}
+#china unicom
+156 {{ cdn.get('china-unicom', 'cn-u') }}
+#china mobile
+157 {{ cdn.get('china-mobile', 'cn-m') }}
 # Colombia
 170 {{ cdn.get('south-america', 'sa') }}
 # Costa Rica

software/slapos-testing/software.cfg

@@ -214,3 +214,7 @@ lockfile = 0.12.2
 # Required by:
 # slapos.toolbox==0.76
 passlib = 1.7.1
+
+# Required by:
+# caucase
+PyJWT = 1.6.4

software/slaprunner/buildout.hash.cfg

@@ -30,7 +30,7 @@ md5sum = 7a879739afe55320ee96409bcc8a52ab
 
 [template-runner-export-script]
 filename = template/runner-export.sh.jinja2
-md5sum = 98ce179badc6af5979a64a7c3d0a2ceb
+md5sum = 5877e70b2bd5cfe06aff793125f65d6a
 
 [instance-runner-export]
 filename = instance-runner-export.cfg.in

software/slaprunner/software.cfg

@@ -43,10 +43,6 @@ common-parts =
 parts =
   ${:common-parts}
 
-# Use shellinabox from github with AF_UNIX support
-[shellinabox]
-<= shellinabox-github
-
 [template-base]
 recipe = slapos.recipe.template
 url = ${:_profile_base_location_}/${:filename}

software/slaprunner/template/runner-export.sh.jinja2

@@ -113,16 +113,18 @@ trap remove_tmp_files EXIT
 
 # Getting files from runner backup directory, as instance backup files may be
 # explicitely excluded from the backup, using the srv/exporter.exclude
+backup_directory_path="$tmp_directory/backup_files.txt"
 cd {{ directory['backup'] }}
-backup_directory_path=$(find . -path "./runner/instance/slappart*/srv/backup/*" -type f)
+find . -path "./runner/instance/slappart*/srv/backup/*" -type f -print0 > $backup_directory_path
 
 # If no backup found, it's over
-if [ -z "$backup_directory_path" ]; then
+if [ ! -s "$backup_directory_path" ]; then
   exit 0
 fi
 
 sleep 5
-sha256sum $backup_directory_path | sort -k 66 > "$tmp_backup_sum"
+cat $backup_directory_path | xargs -0 sha256sum | sort -k 66 > "$tmp_backup_sum"
+rm $backup_directory_path
 egrep "instance/slappart.*/srv/backup/" "$backup_directory/backup.signature" > "$tmp_filtered_signature"
 
 # If the diff fails, then the notifier will restart this script

stack/caucase/buildout.cfg

@@ -97,6 +97,7 @@ gunicorn = 19.7.1
 slapos.recipe.template = 4.3
 slapos.toolbox = 0.81
 smmap2 = 2.0.3
+PyJWT = 1.6.4
 
 # Required by:
 # caucase==0.1.4

stack/erp5/buildout.cfg

@@ -712,7 +712,7 @@ oauth2client = 4.0.0
 objgraph = 3.1.0
 ply = 3.10
 polib = 1.0.8
-pprofile = 1.10.0
+pprofile = 2.0.0
 pyasn1 = 0.2.3
 pyasn1-modules = 0.0.8
 pycountry = 17.1.8

stack/erp5/zope-versions.cfg

 [versions]
+Zope2 = 2.13.28
 AccessControl = 2.13.16
 Acquisition = 2.13.12
 DateTime = 2.12.8
@@ -29,7 +30,6 @@ Sphinx = 1.0.8
 ZConfig = 2.9.3
 ZODB3 = 3.10.7
 ZServer = 3.0
-Zope2 = 2.13.27
 ZopeUndo = 2.12.0
 docutils = 0.12
 initgroups = 2.13.0
@@ -41,6 +41,7 @@ pytz = 2017.2
 repoze.retry = 1.2
 repoze.tm2 = 1.0
 repoze.who = 2.0
+six = 1.11.0
 tempstorage = 2.12.2
 tox = 2.9.1
 transaction = 1.1.1

stack/slapos.cfg

@@ -116,7 +116,7 @@ click = 6.7
 cliff = 2.4.0
 cmd2 = 0.7.0
 collective.recipe.template = 2.0
-cryptography = 2.1.1
+cryptography = 2.3.1
 decorator = 4.0.11
 idna = 2.2
 inotify-simple = 1.1.1
@@ -129,13 +129,13 @@ pbr = 2.0.0
 plone.recipe.command = 1.1
 prettytable = 0.7.2
 psutil = 5.4.3
-pyOpenSSL = 17.2.0
+pyOpenSSL = 18.0.0
 pyparsing = 2.2.0
 pytz = 2016.10
 requests = 2.13.0
 six = 1.10.0
 slapos.cookbook = 1.0.75
-slapos.core = 1.4.10
+slapos.core = 1.4.11
 slapos.extension.strip = 0.4
 slapos.extension.shared = 1.0
 slapos.libnetworkcache = 0.15