Like f6f97d72 - pristine copy from omnibus-gitlab 8.7.9+ce.1-0-gf589ad7

Changes are:

    - database.yml.erb

      * db_sslca option to specify CA for cases when DB is accessed via
        SSL (we do not need it as we access DB over unix:// only)

    - gitconfig.erb

      * turns gc.auto=0

        This is questionable to me. What they needed is to adjust
        warning reporting in git, not completely disable gc.auto and control it
        with their hands from rails.

        context: https://gitlab.com/gitlab-org/gitlab-ce/issues/14357

    - gitlab-rails-config.ru.erb removed

      with unicorn OOM killer settings moved to unicorn.rb. See:

      https://gitlab.com/gitlab-org/omnibus-gitlab/commit/cfbe6c55
      https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/672

    - gitlab.yml.erb

      * +geo_bulk_notify_worker (EE only, we do not use gitlab geo)
      * +repository_archive_cache_worker.cron   (gitlab-ce defaults to "0 * * * *")
        https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3663
      * +update_all_remote_mirrors_worker.cron  (EE only ?)
      * +omniauth.external_providers (we do not use omniauth)
      * +trusted_proxies

        this adds ability to let gitlab know trusted proxies addresses
        from which it can get and trust things like X-Forwarded-For and the
        like.

    - nginx-gitlab-http.conf.erb

      * add support for using nginx's realip module
        (http://nginx.org/en/docs/http/ngx_http_realip_module.html) for
        configuring trusted proxies and letting requests from them to
        pass through nginx with e.g. X-Forwarded-For header.

    - smtp_settings.rb.erb

      * +ssl option

        https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/730

    - unicorn.rb: see above about "gitlab-rails-config.ru.erb removed"

The following files stay the same:

    - gitlab-shell-config.yml.erb
    - nginx.conf.erb
    - rack_attack.rb.erb
    - resque.yml.erb

Like 02d0063b - pristine copy from omnibus-gitlab 8.6.5+ce.0-0-g342f8be

Changes are in:

    - gitlab.yml.erb

      * + ldap.sync_time    (we do not use LDAP)
      * artifacts.storage_path -> artifacts.path

    - nginx.conf.erb

      * proxy cache can be configured (gitlab defaults to up to 1GB
        on-disk cache)

            https://gitlab.com/gitlab-org/omnibus-gitlab/commit/8b91c071

        This cache was introduced by upstream instead of accepting
        https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/17

        For raw blobs downloading the cache is activated essentially for
        public projects only (only for them cache-control is public)

            https://gitlab.com/gitlab-org/gitlab-ce/commit/fc90d9e5#a587159e3f053514fa2a9a4fa9a9cb56e6928df0_155_157

        The cache is not very effective, and under load can do more harm
        than good:

            https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/17#note_4082683

        Since we have fast raw blobs serving by our gitlab-workhorse
        patches, and caches on frontends, for this cache, offhand we are
        not very interested.

    - nginx-gitlab-http.conf.erb

      * nginx can connect to gitlab-workhorse not via unix://  (we
        always use unix://)

      * HTTP/2 support can be disabled (we are going to always support HTTP/2)

      * All static content (except 404,422,500,502) is now served by
        gitlab-workhorse (under nginx), not nginx directly

        https://gitlab.com/gitlab-org/omnibus-gitlab/commit/48dce4ec

The following files stay the same:

    - database.yml.erb
    - gitconfig.erb
    - gitlab-rails-config.ru.erb
    - gitlab-shell-config.yml.erb
    - rack_attack.rb.erb
    - resque.yml.erb
    - smtp_settings.rb.erb
    - unicorn.rb.erb

Like 8c62b063, d17f1f5f and e8461571 - pristine copy from omnibus-gitlab
8.5.1+ce.0-1-ge732b39 .

Changes are in

    - gitlab.yml.erb, unicorn.rb.erb

      * Something related to relative URL root (we do not use)
      * Something related to SAML (we do not use)
      * Misc

    - nginx-gitlab-http.conf.erb

      * SPDY -> HTTP/2
      * Relative URL root
      * Configurable proxy_set_header passing

The following files stay the same:

    - database.yml.erb
    - gitconfig.erb
    - gitlab-rails-config.ru.erb
    - gitlab-shell-config.yml.erb
    - nginx.conf.erb
    - rack_attack.rb.erb
    - resque.yml.erb
    - smtp_settings.rb.erb

It was my mistake to establish several tracking lines for tracking
upstream changes - e.g. in

    61544d87    (gitlab: Import nginx http configuration from omnibus-gitlab)

we started not from

    6fd7b987    (gitlab: Import gitlab-ce & gitlab-shell configs from omnibus-gitlab)

-- the first upstream tracking commit on its own branch -- but from

    4c127fdd    (gitlab: Setup sidekiq service)

i.e. from after some changes which already tweaked upstream
configuration files.

This makes updating gitlab more work than necessary: instead of
switching to upstream branch only once, importing all files, and
then switching back to master and merging upstream changes only once, we
currently have to do that operation 3 times:

    - for main gitlab settings,
    - for nginx settings, and
    - for gitconfig settings

which is not convenient and wastes our time.

So establish a proper 1 branch for tracking upstream configs:

Here we cherry-pick the following commits

    61544d87    (gitlab: Import nginx http configuration from omnibus-gitlab)
    d17f1f5f    (gitlab: Sync nginx http configuration from omnibus gitlab)

    8f945bd2    (gitlab: Import gitconfig from omnibus-gitlab)
    e8461571    (gitlab: Sync gitconfig settings from omnibus-gitlab)

and later we'll be updating upstream files on a branch starting from
this commit and containing upstream changes only.

/cc @kazuhiko, @jerome

Like 6fd7b987 - pristine copy from omnibus 8.4.4+ce.0-0-g1680742.

The only change is in

    gitlab.yml

The following files stay the same:

    database.yml.erb
    gitlab-rails-config.ru.erb
    gitlab-shell-config.yml.erb
    rack_attack.rb.erb
    resque.yml.erb
    smtp_settings.rb.erb
    unicorn.rb.erb

/cc @kazuhiko, @jerome

Pristine import of template configuration files from omnibus GitLab
package. All files were imported as-is in their ERB form and filenames
from omnibus-gitlab 8.2.3+ce.0-0-g8eda093 from here:

    https://gitlab.com/gitlab-org/omnibus-gitlab/tree/8eda093/files/gitlab-cookbooks/gitlab/templates/default

We will convert the templates to jinja2 and adjust them to slapos
version in the following patches.

Scheme for synchronizing with future upstream changes is envisioned as this:

    - checkout latest commit which updated pristine erb files
    - copy updated files from omnibus-gitlab, and commit the updates
    - checkout slapos master
    - merge commit that updated erb

That should reasonably work with not too-many conflicts and even those
should be not hard to resolve (with `git mergetool` e.g. in kdiff3)

/cc @kazuhiko, @jerome

Organize per-instance place for gitlab configuration and work directory.

Unfortunately as GitLab is Ruby-on-Rails application, it is not possible
to keep its code in one place and have multiple separate configuration
sets in different places and start that code for a configuration set -
GitLab and Rails insist to get configuration from relative to source
code tree.

GitLab omnibus "solves" this by having only one configuration set and
having symlinks from code to that only configiration set. In slapos we
can potentially have several instances for one software and thus we
cannot do that.

With such limitations a proper solution would be to bind-mount software
code into instance filesystem namespace close to configuration - that
way the code will be only one and will find proper per-instance config.
Currently we do not have namespaces available on slapos unfortunately,
thus something else is needed.

The workaround I decided to do is this: to clone cloned gitlab
repository from software/ space to instance/ space and adjust it in
instance space. This has the following drawbacks:

    - code is duplicated
    - code becomes read-write, instead of being read-only

but imho it is the most practical thing to do. Another solution could be
to patch GitLab / Rails to remove "config lives in code" assumption, but
the number of places where this needs to be done is really many.

NOTE gems which gitlab uses and which were installed during software
    compilation are not duplicated - they are reused via bundler - via
    pointing BUNDLE_GEMFILE to original location in software.

NOTE2 For instance tasks and also for maintanace convenience we establish
    <instance>/bin/gitlab-* programs, e.g. gitlab-rake, which e.g. for
    gitlab-rake will run rake with correctly loaded gitlab environment -
    like in gitlab-omnibus.

/cc @kazuhiko, @jerome, @jp

Organize internal Redis service, like with PostgreSQL in the previous
patch, with the help of slapos.cookbook:redis.server recipe.

Like with postgresql, and as we planned, redis listens only on
internal-to-partition unix socket.

The recipe establishes both service and promise to check it is alive;
we only need to setup log rotation manually.

/cc @kazuhiko, @jerome

Organize internal PostgreSQL database which will be used as DB for
Roby-on-Rails GitLab and listens only on unix socket (for security and
performance reasons - see earlier intro patch).

To do it we use slapos.cookbook:postgres recipe, with disabling
"listen-to-network" via passing empty sets to ipv4 and ipv6 recipe
arguments.

The promise to check whether DB is alive is just `psql -c '\q'` which
will error if failing to connect to DB, but exit silently if connected ok.

Explicit log rotation is not needed - as postgresql logs to
stdout/stderr - not to a file - logs are handled by slapos - put into
.slappartX_postgresql.log and automatically rotated there.

XXX omnibus-gitlab tunes postgresql with shared_buffers and other
parameters, most likely for performance reasons - see e.g.

    https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8-2-stable/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb#L113

I decided not to fine-tune postgresql for now, and get on-field feedback
first, and then, if needed, we can tune.

/cc @kazuhiko, @jerome

A recipe could do

    [promise-<service>]
    <= promise-wrapper
    command-line = ...

and the wrapper will be put automatiaclly into etc/promise/<service>.

( for this to happen !py! magic is used again, like we did for logrotate
  and cron entries before )

/cc @kazuhiko, @jerome

gitlab: Make a plan to base instance layout on gitlab-omnibus and to interconnect all internal services via unix sockets

Upcoming changes will follow two points:

- we try to base our gitlab setup on how it is done in
  gitlab-omnibus[1] with the idea to ease tracking upstream changes to
  instance setup.

- we will interconnect all internal services via unix sockets only.

  The reason to do it is twofold:

    1. easier security: currently files on different slapos partitions
       are isolated from each other, but there is no "in-between-partitions"
       networking isolation - thus (potentially evil) programs can
       access internal services on other slapos partition.

       permissions to access unix sockets, on the other hand, are
       managed by filesystem-level permissions, and thus unix sockets in
       one partition will be, by default, isolated from programs on
       another partitions.

    2. It is well known that UNIX sockets are faster than TCP over
       loopback. For example for our std shuttles they have 2 times lower
       latency and ~ 2-3 times more throughput compared to TCP over loopback

    More details on 1 & 2 can be found e.g. here:

    nexedi/slapos!27
    https://gitlab.com/gitlab-org/gitlab-shell/merge_requests/30

/cc @kazuhiko, @jerome

[1] https://gitlab.com/gitlab-org/omnibus-gitlab

Add stub instance configuration which just establishes a way to have
several software types(*), pass all needed info from software to
instance, organizes base directory and establishes log rotation base for
upcoming services.

Log rotation is done with the help of cron periodicallly calling
logrotate. The rotation is done in "copytruncate" mode - i.e. log file
is not moved away and signal sent for service to reopen it, but instead
log content is just copied to outside and there is no need for a service
to reopen it's log file.

The reason it is done this way, is that there is a chance of not
handling such "reopen-log-file" callbacks correctly on a service side,
and so the net is full of crashing reports, e.g. like this:

    http://serverfault.com/questions/627521/why-is-logrotate-causing-apache-to-seg-fault-each-time

That's why we take a safer approach instead, even if "copytruncate" mode
is risking to loose several log entries(**) on rotation.

NOTE services will organize log rotation with just

    [logrotate-entry-<service>]
    <= logrotate-entry
    log     = path/to/log/files/*.log

For this to work some "!py!" magic (our way to serialize object into
executable python and process it in buildout recipes) is used to process
section names.

The approach trick is also used for cron, e.g. logrotate registers to
cron this way:

    [cron-entry-logrotate]
    <= cron-entry
    time    = daily
    command = ${logrotate:wrapper}

NOTE2 instance md5 are not fixed yet - we'll fix them after applying all
    patches in gitlab series.

(*) for now there is only 1 - "gitlab", but we'll need to have "-export"
    and "-import" for resiliency in the future.

(**) ideally such things should be done with logfs - a filesystem
    specializeing in logging - for client services it will look like as
    they just continue to write to log file, and on log service side, the
    rotation can happen, all transparent to client service.

/cc @kazuhiko, @jerome

First step - build all needed software. We build:

- Git
- PostgreSQL 9.2
- Redis 2.8
- Nginx

- gitlab-shell
- gitlab-workhorse
- gitlab-ce 8.2 itself

and everything which is needed to build the above programs.

Git is needed because GitLab is a git-hosting service and uses git
underneath. PostgreSQL is used as DB by gitlab and Redis as a cache.

GitLab-shell is a small project to manage ssh access to the service
(we'll disable ssh though) and to perform all "change a repository"
operations.

GitLab-workhorse is a service which offloads long-running or slow
request from main GitLab service.

GitLab-ce is the main Ruby-on-Rails-based web application.

Ruby- and Go- based programs are built in a way similar to:

    - 31a45a94    (helloworld & helloweb: Ruby version), and
    - 24e82414    (helloworld & helloweb: Go version)

Version of all components, except Git, were picked the same, as used by
gitlab omnibus v8.2 .

/cc @kazuhiko, @jerome

Some dists like SLE_12 don't seem to have it.

../../stack/slapos.cfg is removed from component/*/buildout.cfg
because we normally don't specify it in component/
The OBS package will need to extend it.

Pin versions required for ipython==4.0.0 with ipykernel separated
from ipython eggs.
The split was in accordance to : https://blog.jupyter.org/2015/04/15/the-big-split/

/reviewed-by @kirr  (on nexedi/slapos!33)

ipython_notebook SR hooked with ERP5 kernel.
This kernel helps in interaction between erp5 and Jupyter frontend.
The patches have been cleaned up

Features:

- All the code execution is being done at erp5 side, Jupyter just acts as dumb client.
- Receives result as string and its mime_type and thanks to kernel, displays it accordingly.
- Interactions b/w erp5 and Jupyter frontend are based on HTTP requests.

Major changes:

- Addition of erp5 kernel
- Improvement in code according to guidelines(name, section name)
- Use jinja template as instance file and make it more dynamic
- Debugging added for ipython_notebook service.

Note: The certificate authentication changed has been reverted to the previous
one(done by creating wrapper around openssl command) for now.

/cc @Tyagov
/reviewed-by @kirr, @jerome  (on nexedi/slapos!33)

@jerome added --matplotlib=inline in 48eefab5 (ipython notebook) but it is
really neither needed:

   @jerome
   I remember adding this --matplotlib=inline line, but I am not sure it was
   ever needed. Using magic %matplotlib in notebook should be enough.

   @tiwariayush
   Yeah, for inline matplotlib in default python kernel, magics do there
   work(therefore neither pylab nor matplotlib alias are needed while starting the
   server), so I'd say leave this commit as it is and regarding version updation:
   a new patch making change wherever required.

nor supported:

   $ cat .slappart0_ipython_notebook.log
   [W 15:51:35.454 NotebookApp] Unrecognized alias: '--matplotlib=inline', it will probably have no effect.

Remove it.

P.S.

'--logfile' isn't available for ipython version 3.2.0 but we are not removing
it since we are planning to upgrade IPython to versions 4.x where it is supported.

Based on patch by @tiwariayush  (see nexedi/slapos!33)

Jupyter: Change section name to instance-jupyter so as not to raise conflict in case of multiple extends

/reviewed-by @kirr  (on nexedi/slapos!33)

Maintain consistency with the slapOS SR format.
This SR can be hooked with other SR(ex:wendelin) and its better
to follow one way of publishing result parameters

[ kirr: This essentially changes publication format to JSON:

    $ xslapos proxy show --params

    # before
    slappart0: ipython_notebook (type default)
        url = https://[2001:67c:1254:e:49::952d]:8888
        monitor_url = https://[2001:67c:1254:e:49::952d]:9685

    # after
    slappart0: ipython_notebook (type default)
        _ = {"url": "https://[2001:67c:1254:e:49::952d]:8888", "monitor_url": "https://[2001:67c:1254:e:49::952d]:9685"}

  I'm not convinced we really need this, nor that the .serialized version is
  the most oftenly used one:

    slapos$ git grep 'slapos.cookbook:publish$' |wc -l
    59
    slapos$ git grep 'slapos.cookbook:publish.serialised$' |wc -l
    13

  but we can have it and see how it goes, reverting if needed ]

/cc @jerome
/proposed-for-review-on nexedi/slapos!33

This helps in logging up the requests made by ipython_notebook service

[ kirr: To be clear - until log-level is set to DEBUG, IPython notebook does
  not log HTTP requests, and since logging of HTTP requests is considered normal
  for most of our services (Zope, Apache, etc), it makes sense to enable such
  functionality for notebook too.

  There is not much additional noise produced by --log-level=DEBUG - in
  practice ipython only prints what config files it uses on startup, so this
  should be ok to go. ]

/reviewed-by @kirr, @jerome  (on nexedi/slapos!33)

ERP5 kernel basic info/workflow:

1. User enters code on notebook cell and executes
2. Code is sent to kernel via websockets
3. Kernel sends request to ERP5
4. Code is executed by ERP5 and the result is returned back via request.
5. Result is received and rendered on the notebook frontend.
6. Other message formats such as error and status are also conveyed by the Kernel.

[ kirr: in IPython notebook speak kernel is something that allows IPython
  notebook server side to talk to execution backend. ERP5 kernel is a thing that
  allows ipython notbook to talk to ERP5 (with help on-ERP5-server special bt5
  installed which accepts and executes commands).

  The bt5 to handle notebook calls on ERP5 side - erp5-data-notebook - is
  proposed to be merged into erp5.git on nexedi/erp5!29 ]

/initially-reviewed-by @kirr, @Tyagov  (in a lot of places, last time on nexedi/slapos!33)

IPython Notebook: Explicitly add environment variable around wrapper and use ipython directory inside instance in env

[ kirr: By default IPython keeps configuration and other files location in
  ~/.ipython . What this patch does is organize explicit directory in instance
  tree to keep such files  ]

/reviewed-by @kirr  (on nexedi/slapos!33)

IPython Notebook: Add dynamic-template-base section for common jinja related file section and extend them with this section

[ kirr: to-Jinja2 conversion is required because jinja is more suitable to
  describing instances compared to buildout, because jinja2 has e.g. control
  structures ]

/reviewed-by @kirr  (on nexedi/slapos!33)

Commit cee110b2 (IPython Notebook: Fixing coding crimes for section
names) changed IPython notebook section name to use '-' as word
delimiter but forgot to update users, and this way wendelin build
started to fail:

    INFO While:
    INFO   Installing.
    INFO   Getting section ipython_notebook.
    INFO Error: The referenced section, 'ipython_notebook', was not defined.

Fix it. (And I've made sure with whole-tree git grep that there is no
more ipython notebook users except wendelin in whole slapos.git so far)

/reported-by @Tyagov
/cc @tiwariayush
/reviewed-by TrustMe

This is required so that buildout does not fallback to installing
non-dev egg if version of wendelin.core from -dev differs from what has
been pinned.

For example the following

    [buildout]
    extends =
      https://lab.node.vifib.com/nexedi/slapos/raw/1.0.12/software/wendelin/software-dev.cfg

    # pin wendelin.core-dev to latest assumed-good revision with ZBlk1 support
    [wendelin.core-repository]
    revision = c507d9009f59fec2041bac9c31c5b08a48d3897d

will install wendelin.core-0.4.egg from pypi instead of installing
c507d9009f59fec2041bac9c31c5b08a48d3897d from repository, because that
latter revision says it is already version 0.5 and 1.0.12 wendelin SR
pins wendelin.core to 0.4 .

So unpin wendelin.core from versions and let software-dev.cfg work
always.

/cc @klaus
/reviewed-by @Tyagov  (on nexedi/slapos!36)