Merge branch 'master' into master+ZODB4-wc2

* master:
  wendelin.core: v↑ 0.13 -> 2.0.alpha1
  caddy-frontend: Support not resolving backend hostnames
  component/caddy: Use golang 1.17
  software/metabase: configure fonts and tempdir
  software/metabase: generate proper passwords
  software/metabase: version up metabase v0.41.2
  software/metabase: sleep a bit more after "this will erase data" warning
  software/metabase: use temurin JRE
  component/java: add temurin JRE

component/caddy/buildout.cfg

@@ -13,7 +13,7 @@ repository    = https://lab.nexedi.com/nexedi/caddy.git
 revision      = nxd-v1.0.3-1-g2c11cedc
 
 [gowork]
-golang  = ${golang1.16:location}
+golang  = ${golang1.17:location}
 install =
   ${caddy-get:location}:./...
 

component/java/buildout.cfg

 [buildout]
-
+extends =
+  ../coreutils/buildout.cfg
+  ../patchelf/buildout.cfg
+  ../alsa/buildout.cfg
+  ../libpng/buildout.cfg
+  ../freetype/buildout.cfg
+  ../fontconfig/buildout.cfg
+  ../xorg/buildout.cfg
+  ../zlib/buildout.cfg
 parts =
   java
 
@@ -9,12 +17,12 @@ parts =
 [java-re]
 <= java-re-7
 
-[java-common]
+[java-sun-common]
 recipe = slapos.recipe.build:download-unpacked
-url = http://javadl.sun.com/webapps/download/AutoDL?BundleId=${:bundle-id}
+url = https://javadl.sun.com/webapps/download/AutoDL?BundleId=${:bundle-id}
 
 [java-re-7]
-<= java-common
+<= java-sun-common
 # http://java.com/en/download/manual_java7.jsp
 
 [java-re-7:linux and platform.machine() == 'i686']
@@ -26,7 +34,7 @@ bundle-id = 97800
 md5sum = 7605134662f6c87131eca5745895fe84
 
 [java-re-8]
-<= java-common
+<= java-sun-common
 # https://www.java.com/en/download/manual.jsp
 # Update 161
 
@@ -45,3 +53,25 @@ stop-on-error = true
 update-command = ${:command}
 command = ${coreutils-output:test} -x ${:keytool}
 keytool = ${java-re-8:location}/bin/keytool
+
+
+[java-re-temurin-11]
+recipe = slapos.recipe.build
+update =
+  from zc.buildout import UserError
+  raise UserError("unsupported platform")
+
+[java-re-temurin-11:linux and platform.machine() == 'x86_64']
+recipe = slapos.recipe.cmmi
+shared = true
+url = https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.13%2B8/OpenJDK11U-jre_x64_linux_hotspot_11.0.13_8.tar.gz
+md5sum = 1b06100bcd0923d3f3279c2f09773af0
+configure-command = :
+make-binary = :
+post-install =
+  mv * %(location)s
+  for file in %(location)s/bin/* %(location)s/lib/*.so %(location)s/lib/*/*.so ; do
+    echo appending rpath to $file
+    ${patchelf:location}/bin/patchelf --set-rpath %(rpath)s $file
+  done
+rpath = ${alsa:location}/lib:${freetype:location}/lib:${fontconfig:location}/lib:${libpng:location}/lib:${libXrender:location}/lib:${libXtst:location}/lib:${libX11:location}/lib:${libXau:location}/lib:${libXext:location}/lib:${libXdmcp:location}/lib:${libXi:location}/lib:${libxcb:location}/lib:${zlib:location}/lib:@@LOCATION@@/lib:@@LOCATION@@/lib/server:@@LOCATION@@/lib/jli

component/wendelin.core/activate-WC2-preview.cfg

-# SlapOS extension that switches Wendelin.core to Wendelin.core 2 preview.
-#
-# Should go away once wendelin.core 2 lands to nexedi/wendelin.core@master.
-# Must be extended from last, for example:
-#
-# [buildout]
-# extends =
-#   .../stack/erp5/buildout.cfg
-#   .../component/wendelin.core/activate-WC2-preview.cfg
-
-[wendelin.core-repository]
-repository = https://lab.nexedi.com/kirr/wendelin.core.git
-branch   = t
-revision =
-
-# Wendelin.core 2 targets Go1.17
-[gowork]
-golang = ${golang1.17:location}

component/wendelin.core/buildout.cfg

@@ -50,7 +50,7 @@ CGO_LDFLAGS += -Wl,-rpath=${zlib:location}/lib
 recipe  = slapos.recipe.build:gitclone
 repository = https://lab.nexedi.com/nexedi/wendelin.core.git
 branch   = master
-revision = v0.13-0-gb26ba55
+revision = wendelin.core-2.0.alpha1-0-g49f826b1
 # dir is pretty name as top-level recipe
 location = ${buildout:parts-directory}/wendelin.core
 git-executable = ${git:location}/bin/git

software/caddy-frontend/buildout.hash.cfg

@@ -50,7 +50,7 @@ md5sum = 37475d79f28c5f126bc1947fdb938fdb
 
 [template-backend-haproxy-configuration]
 _update_hash_filename_ = templates/backend-haproxy.cfg.in
-md5sum = 5e126be0f74d8ae390a5594e1e912a59
+md5sum = d2851c7ebd2c9baa2edecb3ca3485511
 
 [template-empty]
 _update_hash_filename_ = templates/empty.in

software/caddy-frontend/templates/backend-haproxy.cfg.in

@@ -13,6 +13,8 @@ defaults
   timeout client {{ configuration['request-timeout'] }}s
   timeout connect {{ configuration['backend-connect-timeout'] }}s
   retries {{ configuration['backend-connect-retries'] }}
+  {#- Allow to start with not resolved yet servers #}
+  default-server init-addr last,libc,none
 
 {%- set SCHEME_PREFIX_MAPPING = { 'http': 'http_backend', 'https': 'https_backend'} %}
 {%- macro frontend_entry(slave_instance, scheme, wildcard) %}

software/caddy-frontend/test/test.py

@@ -1310,6 +1310,9 @@ class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
     return {
       'empty': {
       },
+      'bad-backend': {
+        'url': 'http://bad.backend/',
+      },
       'Url': {
         # make URL "incorrect", with whitespace, nevertheless it shall be
         # correctly handled

software/metabase/README.md

-# Metabae
+# Metabase
 
 https://www.metabase.com/
 
 ## TODO:
  * export backups for resilience
- * security (proper passwords, verifiable certificate, study metabase encryption option)
+ * security (verifiable certificate, study metabase encryption option)

software/metabase/buildout.hash.cfg

 [instance-profile]
 filename = instance.cfg.in
-md5sum = 143f46b125389f39905226ec9482ce2a
+md5sum = 5f2f7c4c2f793d609ad3c4fa0aa2f8a5

software/metabase/instance.cfg.in

@@ -7,10 +7,28 @@ eggs-directory = ${buildout:eggs-directory}
 develop-eggs-directory = ${buildout:develop-eggs-directory}
 offline = true
 
+[fontconfig-conf]
+recipe = slapos.recipe.template:jinja2
+template = ${template-fonts-conf:output}
+rendered = $${directory:etc}/fonts.conf
+context =
+    key cachedir directory:fontconfig-cache
+    key fonts :fonts
+    key includes :includes
+fonts =
+    ${android-fonts:location}
+    ${dejavu-fonts:location}
+    ${ipa-fonts:location}
+    ${ipaex-fonts:location}
+    ${liberation-fonts:location}
+    ${ocrb-fonts:location}
+includes =
+    ${fontconfig:location}/etc/fonts/conf.d
+
 [metabase-instance]
 recipe = slapos.cookbook:wrapper
 wrapper-path = $${directory:service}/$${:_buildout_section_name_}
-command-line = sh -c "cd $${directory:srv-metabase}; ${java-re-8:location}/bin/java $JAVA_ARGS -jar ${metabase.jar:location}/metabase.jar"
+command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $JAVA_ARGS -jar ${metabase.jar:location}/metabase.jar"
 # https://www.metabase.com/docs/latest/operations-guide/customizing-jetty-webserver.html
 # note that we set org.quartz.scheduler.instanceId through $JAVA_ARGS as a workaround for machines
 # which cannot resolve their hostnames. See also https://github.com/metabase/metabase/issues/8373
@@ -28,7 +46,8 @@ environment =
   MB_DB_USER=$${postgresql:superuser}
   MB_DB_PASS=$${postgresql:password}
   MB_DB_HOST=$${postgresql:ipv4}
-  JAVA_ARGS=-Dorg.quartz.scheduler.instanceId=$${slap-connection:computer-id}.$${slap-connection:partition-id}
+  FONTCONFIG_FILE=$${fontconfig-conf:rendered}
+  JAVA_ARGS=-Dorg.quartz.scheduler.instanceId=$${slap-connection:computer-id}.$${slap-connection:partition-id} -Djava.io.tmpdir="$${directory:tmp}"
 hash-existing-files =
   $${buildout:directory}/software_release/buildout.cfg
 
@@ -49,19 +68,56 @@ promise = check_url_available
 name = $${:_buildout_section_name_}.py
 config-url= $${metabase-instance:url}/api/session/properties
 
+[metabase-keystore-password]
+recipe = slapos.cookbook:generate.password
+bytes = 24
+
 [metabase-keystore]
 recipe = plone.recipe.command
+stop-on-error = true
 command =
-  ${java-re-8-output:keytool} \
-    -genkeypair \
-    -alias "metabase" \
-    -keyalg RSA \
-    -keypass "$${:password}" \
-    -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-    -keystore "$${:file}" \
-    -storepass "$${:password}"
+  if [ -f $${:file} ]
+  then
+    # XXX password used to be "insecure", but we changed to proper password.
+    # We try to list the store with the new password and if it fail we change
+    # the keystore password.
+    if ! ${java:location}/bin/keytool \
+      -list \
+      -keystore "$${:file}" \
+      -storepass "$${:password}"
+    then
+      echo "Migrating keystore password" && \
+      ${java:location}/bin/keytool \
+        -storepasswd \
+        -keystore "$${:file}" \
+        -storepass insecure \
+        -new "$${:password}" && \
+      echo "Migrating certificate key password" && \
+      ${java:location}/bin/keytool \
+        -keypasswd \
+        -alias "$${:alias}" \
+        -keypass insecure \
+        -new "$${:password}" \
+        -keystore "$${:file}" \
+        -storepass "$${:password}"
+    fi
+  else
+    ${java:location}/bin/keytool \
+      -genkeypair \
+      -alias "$${:alias}" \
+      -keyalg RSA \
+      -keypass "$${:password}" \
+      -dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
+      -keystore "$${:file}" \
+      -storepass "$${:password}"
+  fi
 file = $${directory:etc}/.metabase_keystore
-password = insecure
+password = $${metabase-keystore-password:passwd}
+alias = metabase
+
+[postgresql-password]
+recipe = slapos.cookbook:generate.password
+bytes = 24
 
 [postgresql]
 recipe = slapos.cookbook:postgres
@@ -69,7 +125,7 @@ bin = ${postgresql10:location}/bin/
 services = $${directory:service}
 dbname  = metabase_db
 superuser = metabase-psql
-password = insecure
+password = $${postgresql-password:passwd}
 pgdata-directory = $${directory:srv}/postgresql
 
 ipv4 = $${instance-parameter:ipv4-random}
@@ -125,7 +181,7 @@ wrapper-path = $${directory:bin}/$${:_buildout_section_name_}
 command-line =
   sh -e -c "\
     echo 'This will replace current database with latest backup. Hit Ctrl+C to cancel';
-    sleep 5;
+    sleep 30;
     $${postgresql:bin}/pg_restore \
         --exit-on-error \
         -h $${postgresql:pgdata-directory} \
@@ -176,7 +232,7 @@ tmp = $${buildout:directory}/tmp
 service = $${:etc}/service
 srv-metabase = $${:srv}/metabase
 srv-backup = $${:srv}/backup
-
+fontconfig-cache = $${buildout:directory}/.fontconfig
 
 [publish-connection-parameter]
 recipe = slapos.cookbook:publish

software/metabase/software.cfg

 [buildout]
 extends =
     ../../component/defaults.cfg
+    ../../component/fontconfig/buildout.cfg
+    ../../component/fonts/buildout.cfg
     ../../component/java/buildout.cfg
     ../../component/postgresql/buildout.cfg
     ../../component/dcron/buildout.cfg
@@ -15,10 +17,13 @@ parts =
 [python]
 part = python3
 
+[java]
+<= java-re-temurin-11
+
 [metabase.jar]
 recipe = slapos.recipe.build:download
-url = https://downloads.metabase.com/v0.38.3/metabase.jar
-md5sum = b91e4b9ae13c892894fec8bab2fd195f
+url = https://downloads.metabase.com/v0.41.2/metabase.jar
+md5sum = 630068d1ccbdc95556931fe9cfc12e61
 
 [instance-profile]
 recipe = slapos.recipe.template

software/metabase/test/test.py

@@ -85,7 +85,7 @@ class TestMetabaseSetup(MetabaseTestCase):
             "username": email,
             "password": "wrong"
         })
-    self.assertEqual(requests.codes.bad_request, resp.status_code)
+    self.assertEqual(resp.status_code, requests.codes.unauthorized)
 
     session = requests.post(
         parse.urljoin(url, '/api/session'),

software/slapos-master/software.cfg

 [buildout]
 extends =
   ../../software/erp5/software.cfg
-  ../../component/wendelin.core/activate-WC2-preview.cfg
   buildout.hash.cfg
 
 parts +=