If the list of families does not change, their ports must not change, and it's
wrong to get this by relying on CPython implementation details. Even if we
automated the update of frontends with new urls, this couldn't be done
atomically and we'd get random failures.

Currently, frontends are only updated manually so we also want to minimize
changes when families are added/renamed/removed. By sorting alphabetically,
we have something predictable. Of course, this does not cover cases like the
following one:
- before: A, B, C
- after: A, C
Even if we added a 'port-base' parameter for the balancer, the port would
change for one of the 2 families.

We have no need for the moment, but we could go further with an optional list
parameter to choose the order, and a special value to skip ports. Another
option is to use publish-early but it's more complicated to implement and
we lose everything when we reinstanciate.

The sort in haproxy.cfg.in is for the stats page.

that is a long-deprecated syntax and removed in haproxy 1.6.

version up : OpenSSL 1.0.2e, including CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196.

https://www.openssl.org/news/secadv/20151203.txt

From https://golang.org/doc/devel/release.html#go1.5.minor:

    go1.5.2 (released 2015/12/02) includes bug fixes to the compiler,
    linker, and the mime/multipart, net, and runtime packages

/reviewed-by: TrustMe

Update 1.0 branch for Next Release



See merge request !32

If one wants to check URLs on UNIX-sockets, there is no full URL schema
in curl for this, but the following has to be used instead:

    curl --unix-socket /path/to/socket http:/<url-path>

For this to work, one can do e.g. the following trick:

    [promise-unicorn]
    recipe  = slapos.cookbook:check_url_available
    url     = --unix-socket ${unicorn:socket}  http:/

but then generated promise scripts fails this way:

    ./etc/promise/unicorn: line 7: [: too many arguments

via quoting $URL in emptiness check we can support both usual URLs and
urls with --unix-socket prepended trick.

/reviewed-by @cedric.leninivin  (on nexedi/slapos!31)

In gitlab SR a service I need to check - gitlab-workhorse, returns 200
only when request comes to some repository and authentication backend
allows it.

Requiring access to repositories is not very good just to check if the
service is alive, and also auth backend can be not alive, and initially
there are no repositories at all. So gitlab-workhorse is checked to be
alive by pinging it with non-existing URL and expecting 403.

For this to work we need to allow clients to specify expected HTTP code
instead of previously hardcoded 200 (which still remains the default).

/reviewed-by @cedric.leninivin  (on nexedi/slapos!31)

  The final file were not a valid json sometimes as some entries '0.0.0.0' or '::' were been ignored
  and an additionalcomman was added on the wrong place.

Both SPDY an gzip_static are needed for upcoming GitLab SR:

  - GitLab uses SPDY in its https nginx configuration, and
  - prepares compiled assets in pre-gzipped form on filesystem

both modules are off by default and need to be explicitly enabled with
corresponding directives, so this should not affect already used nginx
configurations.

/cc @kazuhiko, @jerome, @gabriel
/reviewed-by @rafael  (on nexedi/slapos!30)