See merge request nexedi/slapos!1443

See merge request nexedi/slapos!1437

favicon, manifest and service worker do not need to be public, for
manifest it's required to explicitly make the link use credential.

Call to logrotate-setup-validate can take a lot of time and fill the state
file with some message from logrotate and in the same time the promise can
kick in resulting with false-positive alarm.

By using the temporary file such race condition is avoided. Promise running
periodically will detect problem with logrotate setup.

also update related python packages in stack/slapos.cfg

adjust peertube to explicitly use 16.19.0 as this version does not
support nodejs 18

drop some unused versions

While generating haproxy configuration (including it's CRT list) the specific
order of entries is used, so that wildcard domains end up last. Thanks to this
they work as a catch-all and allow specific domain to take precedence. Care
is taken to support *.example.example.com and *.example.com situation - so
tree like possibility of wildcards.

Anonymous in-place ACL are used per each domain, instead of per-shared
instance grouping in order to avoid situation like *.example.com and
example.com having single ACL, thus resulting with catch-all kicking in too
fast.

For the precision in the haproxy configuration and simplifcation of the regular
expressions the -m reg is used, so that host_only can be applied, which also
lowercases the hostname.

Notes:
 * test00cluster_request_instance_parameter_dict changed due to sorting slaves
   in test's requestSlaves
 * the test infrastructure has been improved to assure repetition of the
   situation
 * tests in TestSlaveHostHaproxyClash are asserting that correct domain AND
   that specific certificate have been used while serving given frontend
   configuration

A similar patches as ca-certificates-sbin-dir was
applied upstream as 4f0d3ec7aa4ebc91793245ed66c0e24d7150782b , the rest
of our patch was to use mkdir -p instead of mkdir, we keep this part in
ca-certificates-mkdir-p.patch

This introduces a new patch to not depend on cryptography, which is used
only to print a warning on the console when an expired certificate is
used.

We had a mechanism to catch usage of system python2, but using not
for system python3, which cause the same kind of problems.

On old debian (9) where python3 is python3.5 this component fails to
build with an error like:

    Configuring gdbus-example-objectmanager-visibility.h with command
    Running command: /opt/slapgrid/shared/glib/60e920f1feec2451d51bb344cfcad9ab/.build/glib-2.76.3/tools/gen-visibility-macros.py 2.0 visibility-macros GDBUS_OBJECT_MANAGER_EXAMPLE /opt/slapgrid/shared/glib/60e920f1feec2451d51bb344cfcad9ab/.build/glib-2.76.3/builddir/gio/tests/gdbus-object-manager-example/gdbus-example-objectmanager-visibility.h
    --- stdout ---
    --- stderr ---
      File "/opt/slapgrid/shared/glib/60e920f1feec2451d51bb344cfcad9ab/.build/glib-2.76.3/tools/gen-visibility-macros.py", line 37
        """
        ^
    SyntaxError: invalid syntax

This is because this gen-visibility-macros.py script is executable with
a shebang:

    #!/bin/env python3

for python 3 softwares, this is slapos python, because the python
section from component/defaults.cfg injects the slapos' python in PATH,
but for python 2 software, slapos' python 2 is injected in path and
`python3` resolves to system python, which in that case fails because
f-strings are SyntaxError but more generally this showed a dependency
to system python, but we can not rely on system python here.

See merge request nexedi/slapos!1438

this is a fixup of 54a08186

For slapos-node package compilation, we use DESTDIR pointing to temp
location and PREFIX pointing to future /opt/slapos.

Without this commit, bison look at wrong directory for data:

bison: cannot open file `/opt/slapos/parts/bison/share/bison/m4sugar/m4sugar.m4'

We configure haproxy with "verify optional", which makes haproxy request
a client certificate, but accept the case where client does not present
a certificate, but as described in [1], if client present a certificate
and this certificate can not be verified, handshake is aborted. This is
not what we want, we want to treat the case of a non verified
certificate same as the case of the absence of certificate.

This configures haproxy accordingly, using "crt-ignore-err all" to allow
handshake anyway.

Once this was fixed, there was a remaining problem with
client_cert_verified acl, haproxy acl are OR, but this rule was supposed
to be a AND (client present a certificate AND it is verified), this was
rewritten to use inline condition which are AND.

[1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify

Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert
that there is no X-Forwarded-For header at all when no client
certificate.

See merge request nexedi/slapos!1433

  https://archive.fosdem.org/2023/schedule/event/innodb_change_buffer/
  https://jira.mariadb.org/browse/MDEV-27734
  https://mariadb.com/kb/en/innodb-change-buffering/