software/slapos-master-dev: Working boostrapping slapos-master instance.

software/slapos-master-dev/apache-backend.conf.in

+{# This file configures apache to redirect requests from ports to specific urls.
+ # It provides SSL support for server and optionaly for client.
+ #
+ # All parameters are given through the `parameter_dict` variable, see the
+ # list entries :
+ #
+ #     parameter_dict = {
+ #       #  The path given to "PidFile"
+ #       "pid-file": "<file_path>",
+ #
+ #       #  The number given to "TimeOut"
+ #       "timeout": 300,
+ #
+ #       #  The path given to "SSLCertificateFile"
+ #       "cert": "<file_path>",
+ #
+ #       #  The path given to "SSLCertificateKeyFile"
+ #       "key": "<file_path>",
+ #
+ #       #  The value given to "SSLCipherSuite" (can be empty)
+ #       "cipher": "",
+ #
+ #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
+ #       "ssl-session-cache": "<folder_path>",
+ #
+ #       #  The path given to "SSLCACertificateFile" (can be empty)
+ #       #  If this value is not empty, it enables client certificate check.
+ #       #  (Enabling "SSLVerifyClient require")
+ #       "ca-cert": "<file_path>",
+ #
+ #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
+ #       #  empty)
+ #       "crl": "<file_path>",
+ #
+ #       #  The path given to "ErrorLog"
+ #       "error-log": "<file_path>",
+ #
+ #       #  The path given to "AccessLog"
+ #       "access-log": "<file_path>",
+ #
+ #       #  The list of ip which apache will listen to.
+ #       "ip-list": [
+ #         "0.0.0.0",
+ #         "[::1]",
+ #       ],
+ #
+ #       #  The list of backends which apache should redirect to.
+ #       "backend-list": [
+ #         # (port, unused, internal_scheme, enable_authentication)
+ #         (8000, _, "http://10.0.0.10:8001", True),
+ #         (8002, _, "http://10.0.0.10:8003", False),
+ #       ],
+ #
+ #       # The mapping of zope paths this apache should redirect to.
+ #       # This is a Zope specific feature.
+ #       # `enable_authentication` has same meaning as for `backend-list`.
+ #       "zope-virtualhost-monster-backend-dict": {
+ #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_scheme ) }, ) }
+ #          ('[::1]', 8004): (
+ #            True, {
+ #              'zope-1': 'http://10.0.0.10:8001',
+ #              'zope-2': 'http://10.0.0.10:8002',
+ #            },
+ #          ),
+ #        },
+ #     }
+ #
+ #  This sample of `parameter_dict` will make apache listening to :
+ #  From to `backend-list`:
+ #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
+ #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
+ #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
+ #  accepting requests from any client.
+ #
+ # From zope-virtualhost-monster-backend-dict`:
+ #   - [::1]:8004 with some path based rewrite-rules redirecting to:
+ #     * http://10.0.0.10/8001 when path matches /zope-1(.*)
+ #     * http://10.0.0.10/8002 when path matches /zope-2(.*)
+ #   with some VirtualHostMonster rewrite rules so zope writes URLs with
+ #  [::1]:8004 as server name.
+ #  For more details, refer to
+ #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
+-#}
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule filter_module modules/mod_filter.so
+
+AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype
+
+PidFile "{{ parameter_dict['pid-file'] }}"
+ServerAdmin admin@
+TypesConfig conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+
+TimeOut {{ parameter_dict['timeout'] }}
+
+SSLCertificateFile {{ parameter_dict['cert'] }}
+SSLCertificateKeyFile {{ parameter_dict['key'] }}
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+SSLProtocol all -SSLv2 -SSLv3
+SSLHonorCipherOrder on
+{% if parameter_dict['cipher'] -%}
+SSLCipherSuite {{ parameter_dict['cipher'] }}
+{% else %}
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+{%- endif %}
+SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
+SSLProxyEngine On
+
+# As backend is trusting REMOTE_USER header unset it always
+RequestHeader unset REMOTE_USER
+RequestHeader unset SSL_CLIENT_SERIAL
+{% if parameter_dict['ca-cert'] -%}
+SSLVerifyClient optional
+RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
+RequestHeader set SSL_CLIENT_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
+SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+{%   if not parameter_dict['shared-ca-cert'] %}
+{%     if parameter_dict['crl'] -%}
+SSLCARevocationCheck chain
+SSLCARevocationFile {{ parameter_dict['crl'] }}
+{%-     endif %}
+{%-   endif %}
+{%- endif %}
+
+ErrorLog "{{ parameter_dict['error-log'] }}"
+# Default apache log format with request time in microsecond at the end
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+CustomLog "{{ parameter_dict['access-log'] }}" combined
+
+<Directory />
+  Options FollowSymLinks
+  AllowOverride None
+  Allow from all
+</Directory>
+
+RewriteEngine On
+{% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%}
+{%   for ip in parameter_dict['ip-list'] -%}
+Listen {{ ip }}:{{ port }}
+{%   endfor -%}
+<VirtualHost *:{{ port }}>
+  SSLEngine on
+{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%}
+  SSLVerifyClient require
+  # Custom block we use for now different parameters.
+  RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
+  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
+  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
+
+  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+
+  # We would like to separate the the authentificated logs.
+  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log"
+  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" combined
+{% endif -%}
+  RewriteRule ^/(.*) {{ backend }}/$1 [L,P]
+</VirtualHost>
+{% endfor -%}

software/slapos-master-dev/buildout.hash.cfg

+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+
+[template-erp5]
+filename = instance-erp5.cfg.in
+md5sum = b7a07989801f47e64cefb42a622503dc
+
+[template-balancer]
+filename = instance-balancer.cfg.in
+md5sum = a8aae281318411a0c488a6d84c93e47e
+
+[template-apache-backend-conf]
+filename = apache-backend.conf.in
+md5sum = e0a7b027cb52e5fa21ab64cfa7298f35

software/slapos-master-dev/software.cfg

+[buildout]
+extends =
+  ../../stack/erp5/buildout.cfg
+  buildout.hash.cfg
+
+parts +=
+  vifib-fix-products-paths
+
+[local-bt5-repository]
+# Same as bt5-repository, but only local repository.
+# Used to generate bt5lists.
+list = ${erp5:location}/bt5 ${erp5:location}/product/ERP5/bootstrap ${vifib:location}/master/bt5
+
+[erp5_repository_list]
+repository_id_list = erp5 vifib/master
+
+[erp5]
+branch = erp5-vifib
+
+[vifib]
+<= erp5
+repository = https://lab.nexedi.com/nexedi/slapos.core.git
+branch = master
+
+[vifib-fix-products-paths]
+recipe = plone.recipe.command
+stop-on-error = true
+command =
+  for DIR in "${vifib:location}/master"; do cd "$DIR"; rm -f Products ; ln -s product Products; touch product/__init__.py; done
+update-command = ${:command}
+
+[download-base-part]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+mode = 644
+
+[template-erp5]
+<= download-base-part
+filename = instance-erp5.cfg.in
+
+[template-apache-backend-conf]
+url = ${:_profile_base_location_}/${:filename}
+filename = apache-backend.conf.in 
+
+[template-balancer]
+<= download-base-part
+filename = instance-balancer.cfg.in
+
+[eggs]
+eggs +=
+  slapos.core
+  
+dummy +=
+  ${vifib:location}
+  
+extra-paths +=
+  ${vifib:location}/master