Commit 642bad45 authored by Jérome Perrin's avatar Jérome Perrin

Merge remote-tracking branch 'upstream/master' into zope4py3

parents 24558646 568cdc71
......@@ -30,6 +30,6 @@ configure-options =
--with-systemdsystemunitdir=no
environment =
PATH=${pkgconfig:location}/bin:${glib:location}/bin:%(PATH)s
CFLAGS=-I${gdbm:location}/include
LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gdbm:location}/lib -Wl,-rpath=${gdbm:location}/lib
PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig:${dbus:location}/lib/pkgconfig
CFLAGS=-I${gdbm:location}/include -I${libexpat:location}/include
LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gdbm:location}/lib -Wl,-rpath=${gdbm:location}/lib -L${libexpat:location}/lib -Wl,-rpath=${libexpat:location}/lib
PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig:${dbus:location}/lib/pkgconfig:${libexpat:location}/lib/pkgconfig
......@@ -42,8 +42,8 @@ environment =
[binutils]
recipe = slapos.recipe.cmmi
shared = true
url = http://ftp.gnu.org/gnu/binutils/binutils-2.32.tar.bz2
md5sum = 64f8ea283e571200f8b2b7f66fe8a0d6
url = http://ftp.gnu.org/gnu/binutils/binutils-2.41.tar.bz2
md5sum = b572fd7ea427a8f5a3be58d50bd7ea7e
configure-options =
--disable-bootstrap
--with-mpc=${mpc:location}
......
......@@ -131,14 +131,14 @@ class TestFileServer(SlapOSInstanceTestCase):
return cnx.sock._sslobj.getpeercert()
cert_before = _getpeercert()
# execute certificate updater two month later, when it's time to renew certificate.
# execute certificate updater when it's time to renew certificate.
# use a timeout, because this service runs forever
subprocess.run(
(
'timeout',
'5',
'faketime',
'+2 months',
'+63 days',
os.path.join(
self.computer_partition_root_path,
'etc/service/dufs-certificate-updater'),
......
[instance-profile]
filename = instance.cfg.in
md5sum = 685e7b371768f6977896d7214fd379f1
md5sum = 0d50ed911a41b76b952b63d37853c3a4
......@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $
environment =
MB_EMOJI_IN_LOGS=false
MB_JETTY_HOST=$${:ip}
MB_JETTY_PORT=$${:-http-port}
MB_JETTY_SSL_PORT=$${:port}
MB_JETTY_SSL=true
MB_JETTY_SSL_KEYSTORE=$${metabase-keystore:file}
MB_JETTY_SSL_KEYSTORE_PASSWORD=$${metabase-keystore:password}
MB_JETTY_PORT=$${:port}
MB_DB_TYPE=postgres
MB_DB_DBNAME=$${postgresql:dbname}
MB_DB_PORT=$${postgresql:port}
......@@ -62,68 +58,57 @@ environment =
hash-existing-files =
$${buildout:directory}/software_release/buildout.cfg
ip = $${instance-parameter:ipv6-random}
port = 8443
# XXX It does not seem we can prevent metabase to also listen on http, so we
# give it an http port, but don't use it.
-http-port = 18080
hostname = [$${:ip}]
scheme = https
url = $${:scheme}://$${:hostname}:$${:port}
ip = $${instance-parameter:ipv4-random}
port = 18080
promises =
$${metabase-promise:name}
[metabase-promise]
<= monitor-promise-base
promise = check_url_available
name = $${:_buildout_section_name_}.py
config-url= $${metabase-instance:url}/api/session/properties
[metabase-keystore-password]
recipe = slapos.cookbook:generate.password
[metabase-keystore]
[metabase-frontend-certificate]
recipe = plone.recipe.command
stop-on-error = true
command =
if [ -f $${:file} ]
if [ ! -e $${:cert-file} ]
then
# XXX password used to be "insecure", but we changed to proper password.
# We try to list the store with the new password and if it fail we change
# the keystore password.
if ! ${java:location}/bin/keytool \
-list \
-keystore "$${:file}" \
-storepass "$${:password}"
then
echo "Migrating keystore password" && \
${java:location}/bin/keytool \
-storepasswd \
-keystore "$${:file}" \
-storepass insecure \
-new "$${:password}" && \
echo "Migrating certificate key password" && \
${java:location}/bin/keytool \
-keypasswd \
-alias "$${:alias}" \
-keypass insecure \
-new "$${:password}" \
-keystore "$${:file}" \
-storepass "$${:password}"
fi
else
${java:location}/bin/keytool \
-genkeypair \
-alias "$${:alias}" \
-keyalg RSA \
-keypass "$${:password}" \
-dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-keystore "$${:file}" \
-storepass "$${:password}"
${openssl-output:openssl} req -x509 -nodes -days 3650 \
-subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
-newkey rsa -keyout $${:cert-file} \
-out $${:cert-file}
fi
file = $${directory:etc}/.metabase_keystore
password = $${metabase-keystore-password:passwd}
alias = metabase
update-command = $${:command}
cert-file = $${directory:var}/$${:_buildout_section_name_}.pem
common-name = $${metabase-frontend-config:ip}
location =
$${:cert-file}
[metabase-frontend-config]
recipe = slapos.recipe.template:jinja2
url = ${stack-haproxy-default-backend-config:target}
output = $${directory:etc}/$${:_buildout_section_name_}
context =
key pidfile :pidfile
key content :content
content =
listen app
log global
bind $${:ip}:$${:port} ssl crt $${metabase-frontend-certificate:cert-file} alpn h2,http/1.1
server app $${metabase-instance:ip}:$${metabase-instance:port}
pidfile = $${directory:run}/$${:_buildout_section_name_}.pid
ip = $${instance-parameter:ipv6-random}
port = 8443
[metabase-frontend]
recipe = slapos.cookbook:wrapper
wrapper-path = $${directory:services}/$${:_buildout_section_name_}
command-line =
${haproxy:location}/sbin/haproxy -f $${metabase-frontend-config:output}
url = https://[$${metabase-frontend-config:ip}]:$${metabase-frontend-config:port}
[metabase-promise]
<= monitor-promise-base
promise = check_url_available
name = $${:_buildout_section_name_}.py
config-url= $${metabase-frontend:url}/api/session/properties
[postgresql-password]
recipe = slapos.cookbook:generate.password
......@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries
srv = $${buildout:directory}/srv
bin = $${buildout:directory}/bin
tmp = $${buildout:directory}/tmp
run = $${buildout:directory}/run
service = $${:etc}/service
srv-metabase = $${:srv}/metabase
srv-backup = $${:srv}/backup
......@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig
[publish-connection-parameter]
recipe = slapos.cookbook:publish
url = $${metabase-instance:url}
url = $${metabase-frontend:url}
backup-crontab = $${postgresql-backup-crontab-entry:name}
restore-backup-script = $${postgresql-restore-backup:wrapper-path}
......@@ -6,6 +6,7 @@ extends =
../../component/java/buildout.cfg
../../component/postgresql/buildout.cfg
../../component/dcron/buildout.cfg
../../stack/haproxy/default-backend.cfg
../../stack/slapos.cfg
buildout.hash.cfg
../../stack/monitor/buildout.cfg
......@@ -19,8 +20,8 @@ parts =
[metabase.jar]
recipe = slapos.recipe.build:download
url = https://downloads.metabase.com/v0.45.2/metabase.jar
md5sum = cca1f4d663ebfa60b3a6d93705b340a0
url = https://downloads.metabase.com/v0.47.0/metabase.jar
md5sum = b81c71668a2177d89690730fabd85d9e
[instance-profile]
recipe = slapos.recipe.template
......
......@@ -158,14 +158,14 @@ class TestResticRestServer(SlapOSInstanceTestCase):
return cnx.sock._sslobj.getpeercert()
cert_before = _getpeercert()
# execute certificate updater two month later, when it's time to renew certificate.
# execute certificate updater when it's time to renew certificate.
# use a timeout, because this service runs forever
subprocess.run(
(
'timeout',
'5',
'faketime',
'+2 months',
'+63 days',
os.path.join(
self.computer_partition_root_path,
'etc/service/rest-server-certificate-updater'),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment