If we enter user namespace via regular unshare without help from SUID
newuidmap/newgidmap, all supplementary groups are mapped to -1. As the result
when Go test tries to chown to a supplementary group, it gets EINVAL:

https://github.com/golang/go/issues/42525

-> work it around with patch to skip this chown tests.

A more proper, longer-term fix would be to fix Linux kernel to allow writes to
/proc/self/gid_map to setup mapping not only to original gid, but to all
original supplementary groups as well here:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/user_namespace.c?id=v5.16-rc4-0-g0fcfb00b28c0#n1143

this fix, even if accepted by upstream, would be long to be waited for to
propagate to distribution kernels that we currently use. So we go with this
workaround for now.

--------

Another patch is to fix the following TestSCMCredentials failure:

    === RUN   TestSCMCredentials
        creds_test.go:81: WriteMsgUnix failed with invalid argument, want EPERM
    --- FAIL: TestSCMCredentials (0.00s)

There the code tries to send uid0/gid0 credentials from non-zero uid and
expects EPERM reject from kernel. However under `unshare -Umc` uid0/gid0 are
not mapped to anywhere and so implicitly map to -1 and are rejected with EINVAL
by the kernel.

4) Hook in python-prctl, as it becomes nxdtest dependency: see
   nexedi/nxdtest!13 (79d13eff)

Prepare for upcoming nxdtest changes to run each testcase with its own
/tmp and /dev/shm:

1) put unshare from SlapOS component into $PATH, so that our version is
   used even if OS provides /bin/unshare. As @jerome explains we need
   features that were added relatively recently and are missing in unshare
   on Debian 10: nexedi/nxdtest!13 (comment 146752)

   It is anyway better to "isolate" from OS by using our own component
   instead of system-provided one.

   Correspondingly adjust util-linux to enable unshare in its build.

2) similarly to "1" adjust util-linux to enable mount so that our version
   is used instead of /bin/mount. For example on Debian 9, even if we
   successfully enter user/mount namespace with `unshare -Umc`

       /bin/mount -t tmpfs none /tmp

   complains that

       mount: only root can use "--types" option

   -> Fix it the same way as with unshare by forcing usage of
   SlapOS-provided mount.

3) rework how nxdtest script is generated and split it into .nxdtest.pyexe and
   nxdtest itself. .nxdtest.pyexe is python interpreter via which nxdtest is run.
   This interpreter has all eggs required by nxdtest in sys.path, so that
   nxdtest could spawn its trun.py via sys.executable. If we don't care to have
   properly setup sys.executable, trun.py will fail when importing any module that
   nxdtest.py could already successfully import.

   Initially I tried to workaround this issue via adjusting $PYTHONPATH <-
   sys.path in main nxdtest script, but @jerome points out that, $PYTHONPATH,
   if set, also affects processes that trun.py spawns, which is not good:

   nexedi/slapos!1095 (comment 146799)

   -> so fix this via running nxdtest via environment where sys.executable is
   properly setup python interpreter with path for all eggs that nxdtest has
   access to.

   Because we already have half-way workarounds for similar problem in several
   places, and because running a script with correctly setup sys.executable is
   generally better, I would say it should be a good idea to rework
   zc.recipe.egg:scripts to generate all scripts to work this way, but I do not
   want to fight about it.

   So let's leave this scheme nxdtest-specific for now.

/cc @tomo
/helped-by @jerome

See merge request nexedi/slapos!1094

It appears no longer needed to use LD_LIBRARY_PATH to ensure the
correct runtime path resolution of libsecret in theia's `keytar`
component. Also LD_LIBRARY_PATH was leaking into theia's environment
and affecting tests launched from within theia.

This reverts commit 681ec188.

See merge request nexedi/slapos!1096

Always format the partitions to ensure the slapformat configuration is
valid, because the constructor overwrites it with invalid values.

We need a valid configuration so that `slapos node format` works,
and we need `slapos node format` for the resiliency import script.

No need for the full URL here

This will force a password reset

Aggregate monitoring URLs from the main theia, clones and PBS.

Also add monitor-setup-url to the parameters published by the PBS.

32fbf0d4 (recipe/postgres: support non standard port, 2021-11-12)
broke support for empty port, it was generating config file with
`port = ` , which is an invalid config file syntax for postgresql.

The import script was overwriting the contents of ~/etc
which destroyed all the services running in the clone,
including the ones that allow the PBS to push new backup files.

See merge request nexedi/slapos!1091

This will force a password reset

Include the changes from 0b7511b4 (stack/erp5: expose random_activity_priority
argument of testrunner, 2021-11-22) to customized profiles from slapos
master

By setting this in the test suite configuration, we can force ERP5 tests
to use random priorities for activity processing.

The intended usage is to set this to an empty string, in which case
ERP5's runUnitTest chooses a random value for the seed and prints the
chosen value. It may also be possible to use a value, to reproduce a
previous run.