Commit 642bad45 authored by Jérome Perrin's avatar Jérome Perrin

Merge remote-tracking branch 'upstream/master' into zope4py3

parents 24558646 568cdc71
...@@ -30,6 +30,6 @@ configure-options = ...@@ -30,6 +30,6 @@ configure-options =
--with-systemdsystemunitdir=no --with-systemdsystemunitdir=no
environment = environment =
PATH=${pkgconfig:location}/bin:${glib:location}/bin:%(PATH)s PATH=${pkgconfig:location}/bin:${glib:location}/bin:%(PATH)s
CFLAGS=-I${gdbm:location}/include CFLAGS=-I${gdbm:location}/include -I${libexpat:location}/include
LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gdbm:location}/lib -Wl,-rpath=${gdbm:location}/lib LDFLAGS=-L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${gdbm:location}/lib -Wl,-rpath=${gdbm:location}/lib -L${libexpat:location}/lib -Wl,-rpath=${libexpat:location}/lib
PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig:${dbus:location}/lib/pkgconfig PKG_CONFIG_PATH=${glib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig:${dbus:location}/lib/pkgconfig:${libexpat:location}/lib/pkgconfig
...@@ -42,8 +42,8 @@ environment = ...@@ -42,8 +42,8 @@ environment =
[binutils] [binutils]
recipe = slapos.recipe.cmmi recipe = slapos.recipe.cmmi
shared = true shared = true
url = http://ftp.gnu.org/gnu/binutils/binutils-2.32.tar.bz2 url = http://ftp.gnu.org/gnu/binutils/binutils-2.41.tar.bz2
md5sum = 64f8ea283e571200f8b2b7f66fe8a0d6 md5sum = b572fd7ea427a8f5a3be58d50bd7ea7e
configure-options = configure-options =
--disable-bootstrap --disable-bootstrap
--with-mpc=${mpc:location} --with-mpc=${mpc:location}
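Review bot: The new `url` in `[binutils]` still fetches the tarball over plain `http://`, so the `md5sum` line is the only integrity control on this download, and MD5 is a weak digest to rest that on. Switching to `url = https://ftp.gnu.org/gnu/binutils/binutils-2.41.tar.bz2` adds transport integrity at no cost. If the recipe version in use accepts a stronger digest than MD5, pinning that as well would be preferable; this page does not show whether it does. The `[metabase.jar]` download further down is already on https but is likewise pinned by MD5 only. The `[binutils]` section continues past the end of this hunk.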
......
...@@ -131,14 +131,14 @@ class TestFileServer(SlapOSInstanceTestCase): ...@@ -131,14 +131,14 @@ class TestFileServer(SlapOSInstanceTestCase):
return cnx.sock._sslobj.getpeercert() return cnx.sock._sslobj.getpeercert()
cert_before = _getpeercert() cert_before = _getpeercert()
# execute certificate updater two month later, when it's time to renew certificate. # execute certificate updater when it's time to renew certificate.
# use a timeout, because this service runs forever # use a timeout, because this service runs forever
subprocess.run( subprocess.run(
( (
'timeout', 'timeout',
'5', '5',
'faketime', 'faketime',
'+2 months', '+63 days',
os.path.join( os.path.join(
self.computer_partition_root_path, self.computer_partition_root_path,
'etc/service/dufs-certificate-updater'), 'etc/service/dufs-certificate-updater'),
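Review bot: The `'+63 days'` offset passed to `faketime` is a magic number, because the rewritten comment no longer says how far the clock is moved or why that is enough to trigger renewal. A reader cannot tell from the test which certificate lifetime or renewal threshold the value depends on, so a later change to either could leave the test passing without exercising renewal. Consider a comment such as `# 63 days ahead: past the updater's renewal threshold (TODO confirm against the certificate validity configured for this service)`. The same applies to the identical change in the `TestResticRestServer` hunk. The enclosing test method starts and ends outside the hunk.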
......
[instance-profile] [instance-profile]
filename = instance.cfg.in filename = instance.cfg.in
md5sum = 685e7b371768f6977896d7214fd379f1 md5sum = 0d50ed911a41b76b952b63d37853c3a4
...@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $ ...@@ -44,11 +44,7 @@ command-line = sh -c "cd $${directory:srv-metabase}; ${java:location}/bin/java $
environment = environment =
MB_EMOJI_IN_LOGS=false MB_EMOJI_IN_LOGS=false
MB_JETTY_HOST=$${:ip} MB_JETTY_HOST=$${:ip}
MB_JETTY_PORT=$${:-http-port} MB_JETTY_PORT=$${:port}
MB_JETTY_SSL_PORT=$${:port}
MB_JETTY_SSL=true
MB_JETTY_SSL_KEYSTORE=$${metabase-keystore:file}
MB_JETTY_SSL_KEYSTORE_PASSWORD=$${metabase-keystore:password}
MB_DB_TYPE=postgres MB_DB_TYPE=postgres
MB_DB_DBNAME=$${postgresql:dbname} MB_DB_DBNAME=$${postgresql:dbname}
MB_DB_PORT=$${postgresql:port} MB_DB_PORT=$${postgresql:port}
...@@ -62,68 +58,57 @@ environment = ...@@ -62,68 +58,57 @@ environment =
hash-existing-files = hash-existing-files =
$${buildout:directory}/software_release/buildout.cfg $${buildout:directory}/software_release/buildout.cfg
ip = $${instance-parameter:ipv6-random} ip = $${instance-parameter:ipv4-random}
port = 8443 port = 18080
# XXX It does not seem we can prevent metabase to also listen on http, so we
# give it an http port, but don't use it.
-http-port = 18080
hostname = [$${:ip}]
scheme = https
url = $${:scheme}://$${:hostname}:$${:port}
promises = promises =
$${metabase-promise:name} $${metabase-promise:name}
[metabase-promise] [metabase-frontend-certificate]
<= monitor-promise-base
promise = check_url_available
name = $${:_buildout_section_name_}.py
config-url= $${metabase-instance:url}/api/session/properties
[metabase-keystore-password]
recipe = slapos.cookbook:generate.password
[metabase-keystore]
recipe = plone.recipe.command recipe = plone.recipe.command
stop-on-error = true
command = command =
if [ -f $${:file} ] if [ ! -e $${:cert-file} ]
then then
# XXX password used to be "insecure", but we changed to proper password. ${openssl-output:openssl} req -x509 -nodes -days 3650 \
# We try to list the store with the new password and if it fail we change -subj "/C=AA/ST=X/L=X/O=Dis/CN=$${:common-name}" \
# the keystore password. -newkey rsa -keyout $${:cert-file} \
if ! ${java:location}/bin/keytool \ -out $${:cert-file}
-list \
-keystore "$${:file}" \
-storepass "$${:password}"
then
echo "Migrating keystore password" && \
${java:location}/bin/keytool \
-storepasswd \
-keystore "$${:file}" \
-storepass insecure \
-new "$${:password}" && \
echo "Migrating certificate key password" && \
${java:location}/bin/keytool \
-keypasswd \
-alias "$${:alias}" \
-keypass insecure \
-new "$${:password}" \
-keystore "$${:file}" \
-storepass "$${:password}"
fi
else
${java:location}/bin/keytool \
-genkeypair \
-alias "$${:alias}" \
-keyalg RSA \
-keypass "$${:password}" \
-dname "CN=$${metabase-instance:ip},OU=Unit,O=Organization,L=City,S=State,C=Country" \
-keystore "$${:file}" \
-storepass "$${:password}"
fi fi
file = $${directory:etc}/.metabase_keystore update-command = $${:command}
password = $${metabase-keystore-password:passwd} cert-file = $${directory:var}/$${:_buildout_section_name_}.pem
alias = metabase common-name = $${metabase-frontend-config:ip}
location =
$${:cert-file}
[metabase-frontend-config]
recipe = slapos.recipe.template:jinja2
url = ${stack-haproxy-default-backend-config:target}
output = $${directory:etc}/$${:_buildout_section_name_}
context =
key pidfile :pidfile
key content :content
content =
listen app
log global
bind $${:ip}:$${:port} ssl crt $${metabase-frontend-certificate:cert-file} alpn h2,http/1.1
server app $${metabase-instance:ip}:$${metabase-instance:port}
pidfile = $${directory:run}/$${:_buildout_section_name_}.pid
ip = $${instance-parameter:ipv6-random}
port = 8443
[metabase-frontend]
recipe = slapos.cookbook:wrapper
wrapper-path = $${directory:services}/$${:_buildout_section_name_}
command-line =
${haproxy:location}/sbin/haproxy -f $${metabase-frontend-config:output}
url = https://[$${metabase-frontend-config:ip}]:$${metabase-frontend-config:port}
[metabase-promise]
<= monitor-promise-base
promise = check_url_available
name = $${:_buildout_section_name_}.py
config-url= $${metabase-frontend:url}/api/session/properties
[postgresql-password] [postgresql-password]
recipe = slapos.cookbook:generate.password recipe = slapos.cookbook:generate.password
...@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries ...@@ -247,6 +232,7 @@ var-cron-entries = $${:var}/cron-entries
srv = $${buildout:directory}/srv srv = $${buildout:directory}/srv
bin = $${buildout:directory}/bin bin = $${buildout:directory}/bin
tmp = $${buildout:directory}/tmp tmp = $${buildout:directory}/tmp
run = $${buildout:directory}/run
service = $${:etc}/service service = $${:etc}/service
srv-metabase = $${:srv}/metabase srv-metabase = $${:srv}/metabase
srv-backup = $${:srv}/backup srv-backup = $${:srv}/backup
...@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig ...@@ -254,6 +240,6 @@ fontconfig-cache = $${buildout:directory}/.fontconfig
[publish-connection-parameter] [publish-connection-parameter]
recipe = slapos.cookbook:publish recipe = slapos.cookbook:publish
url = $${metabase-instance:url} url = $${metabase-frontend:url}
backup-crontab = $${postgresql-backup-crontab-entry:name} backup-crontab = $${postgresql-backup-crontab-entry:name}
restore-backup-script = $${postgresql-restore-backup:wrapper-path} restore-backup-script = $${postgresql-restore-backup:wrapper-path}
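Review bot: In `[metabase-frontend-certificate]`, `-nodes` together with `-keyout $${:cert-file}` and `-out $${:cert-file}` writes an unencrypted private key into the same PEM as the certificate, and nothing in the command restricts the file's mode, so its readability depends on the umask in effect when buildout runs. A `umask 077` before the `openssl req` call, or a `chmod 600 $${:cert-file}` right after it, would make that explicit. The `[ ! -e $${:cert-file} ]` guard also means a partial file left by a failed `openssl` run is never regenerated, and `-newkey rsa` leaves the key size to the OpenSSL default, which `-newkey rsa:2048` would pin. Separately, Metabase itself now listens in cleartext on `$${instance-parameter:ipv4-random}` port `18080`, so TLS at the haproxy frontend only protects clients if that address is unreachable from outside the partition, which this page does not show.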
...@@ -6,6 +6,7 @@ extends = ...@@ -6,6 +6,7 @@ extends =
../../component/java/buildout.cfg ../../component/java/buildout.cfg
../../component/postgresql/buildout.cfg ../../component/postgresql/buildout.cfg
../../component/dcron/buildout.cfg ../../component/dcron/buildout.cfg
../../stack/haproxy/default-backend.cfg
../../stack/slapos.cfg ../../stack/slapos.cfg
buildout.hash.cfg buildout.hash.cfg
../../stack/monitor/buildout.cfg ../../stack/monitor/buildout.cfg
...@@ -19,8 +20,8 @@ parts = ...@@ -19,8 +20,8 @@ parts =
[metabase.jar] [metabase.jar]
recipe = slapos.recipe.build:download recipe = slapos.recipe.build:download
url = https://downloads.metabase.com/v0.45.2/metabase.jar url = https://downloads.metabase.com/v0.47.0/metabase.jar
md5sum = cca1f4d663ebfa60b3a6d93705b340a0 md5sum = b81c71668a2177d89690730fabd85d9e
[instance-profile] [instance-profile]
recipe = slapos.recipe.template recipe = slapos.recipe.template
......
...@@ -158,14 +158,14 @@ class TestResticRestServer(SlapOSInstanceTestCase): ...@@ -158,14 +158,14 @@ class TestResticRestServer(SlapOSInstanceTestCase):
return cnx.sock._sslobj.getpeercert() return cnx.sock._sslobj.getpeercert()
cert_before = _getpeercert() cert_before = _getpeercert()
# execute certificate updater two month later, when it's time to renew certificate. # execute certificate updater when it's time to renew certificate.
# use a timeout, because this service runs forever # use a timeout, because this service runs forever
subprocess.run( subprocess.run(
( (
'timeout', 'timeout',
'5', '5',
'faketime', 'faketime',
'+2 months', '+63 days',
os.path.join( os.path.join(
self.computer_partition_root_path, self.computer_partition_root_path,
'etc/service/rest-server-certificate-updater'), 'etc/service/rest-server-certificate-updater'),
......