.

component/binutils/buildout.cfg

@@ -57,3 +57,4 @@ configure-options =
 environment =
   LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${zlib:location}/lib
   PATH=${texinfo7:location}/bin:${bison:location}/bin:${m4:location}/bin:%(PATH)s
+  BISON_PKGDATADIR=${bison:location}/share/bison

component/ca-certificates/buildout.cfg

@@ -12,12 +12,13 @@ parts =
 [ca-certificates]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20210119.tar.xz
-md5sum = c02582bf9ae338e558617291897615eb
+url = https://deb.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20230311.tar.xz
+md5sum = fc1c3ec0067385f0be8ac7f6e670a0f8
 patch-binary = ${patch:location}/bin/patch
 patches =
   ${:_profile_base_location_}/ca-certificates-any-python.patch#c13b44dfc3157dda13a9a2ff97a9d501
-  ${:_profile_base_location_}/ca-certificates-sbin-dir.patch#0b4e7d82ce768823c01954ee41ef177b
+  ${:_profile_base_location_}/ca-certificates-mkdir-p.patch#02ed8a6d60c39c4b088657888af345ef
+  ${:_profile_base_location_}/ca-certificates-no-cryptography.patch#14ad1308623b0d15420906ae3d9b4867
 patch-options = -p0
 configure-command = true
 make-targets = install DESTDIR=@@LOCATION@@ CERTSDIR=certs SBINDIR=sbin

component/ca-certificates/ca-certificates-sbin-dir.patch → component/ca-certificates/ca-certificates-mkdir-p.patch

@@ -9,19 +9,3 @@
  	  $(MAKE) -C $$dir install CERTSDIR=$(DESTDIR)/$(CERTSDIR)/$$dir; \
  	done
  	for dir in sbin; do \
---- sbin/Makefile.orig	2011-12-11 20:54:02.000000000 +0100
-+++ sbin/Makefile	2012-01-09 17:31:45.207387898 +0100
-@@ -3,9 +3,12 @@
- #
- #
- 
-+SBINDIR=/usr/sbin
-+
- all:
- 
- clean:
- 
- install:
--	install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
-+	mkdir -p $(DESTDIR)/$(SBINDIR)
-+	install -m755 update-ca-certificates $(DESTDIR)/$(SBINDIR)

component/ca-certificates/ca-certificates-no-cryptography.patch

+Don't depend on cryptography
+
+Revert https://salsa.debian.org/debian/ca-certificates/-/commit/8033d52259172b4bddc0f8bbcb6f6566b348db72 
+we don't need this here.
+
+--- mozilla/certdata2pem.py	2023-01-14 22:58:27.000000000 +0900
++++ mozilla/certdata2pem.py	2023-10-02 22:13:31.355540545 +0900
+@@ -21,15 +21,12 @@
+ # USA.
+ 
+ import base64
+-import datetime
+ import os.path
+ import re
+ import sys
+ import textwrap
+ import io
+ 
+-from cryptography import x509
+-
+ 
+ objects = []
+ 
+@@ -122,12 +119,6 @@
+         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+             continue
+ 
+-        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+-        if cert.not_valid_after < datetime.datetime.utcnow():
+-            print('!'*74)
+-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+-            print('!'*74)
+-
+         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                       .replace(' ', '_')\
+                                       .replace('(', '=')\

component/egg-patch/Zope/0001-WSGIPublisher-set-REMOTE_USER-even-in-case-of-error-.patch

+From 1f0be881320f440cec05eb838fa42c5ddf56a57c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9rome=20Perrin?= <jerome@nexedi.com>
+Date: Tue, 19 Sep 2023 15:19:51 +0900
+Subject: [PATCH] WSGIPublisher: set REMOTE_USER even in case of error (#1156)
+
+This fixes a problem that user name was empty in access log for error pages.
+
+Fixes #1155
+
+---------
+
+Co-authored-by: Michael Howitz <icemac@gmx.net>
+---
+ src/ZPublisher/WSGIPublisher.py            | 13 +++++++------
+ src/ZPublisher/tests/test_WSGIPublisher.py |  9 +++++++++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/src/ZPublisher/WSGIPublisher.py b/src/ZPublisher/WSGIPublisher.py
+index bd0ae1d17..09b2c44c9 100644
+--- a/src/ZPublisher/WSGIPublisher.py
++++ b/src/ZPublisher/WSGIPublisher.py
+@@ -382,12 +382,13 @@ def publish_module(environ, start_response,
+             try:
+                 with load_app(module_info) as new_mod_info:
+                     with transaction_pubevents(request, response):
+-                        response = _publish(request, new_mod_info)
+-
+-                        user = getSecurityManager().getUser()
+-                        if user is not None and \
+-                           user.getUserName() != 'Anonymous User':
+-                            environ['REMOTE_USER'] = user.getUserName()
++                        try:
++                            response = _publish(request, new_mod_info)
++                        finally:
++                            user = getSecurityManager().getUser()
++                            if user is not None and \
++                               user.getUserName() != 'Anonymous User':
++                                environ['REMOTE_USER'] = user.getUserName()
+                 break
+             except TransientError:
+                 if request.supports_retry():
+diff --git a/src/ZPublisher/tests/test_WSGIPublisher.py b/src/ZPublisher/tests/test_WSGIPublisher.py
+index 989970f24..38e402ab3 100644
+--- a/src/ZPublisher/tests/test_WSGIPublisher.py
++++ b/src/ZPublisher/tests/test_WSGIPublisher.py
+@@ -822,6 +822,15 @@ class TestPublishModule(ZopeTestCase):
+         self._callFUT(environ, start_response, _publish)
+         self.assertFalse('REMOTE_USER' in environ)
+ 
++    def test_set_REMOTE_USER_environ_error(self):
++        environ = self._makeEnviron()
++        start_response = DummyCallable()
++        _publish = DummyCallable()
++        _publish._raise = ValueError()
++        with self.assertRaises(ValueError):
++            self._callFUT(environ, start_response, _publish)
++        self.assertEqual(environ['REMOTE_USER'], user_name)
++
+     def test_webdav_source_port(self):
+         from ZPublisher import WSGIPublisher
+         old_webdav_source_port = WSGIPublisher._WEBDAV_SOURCE_PORT
+-- 
+2.39.2
+

component/file/buildout.cfg

@@ -11,8 +11,8 @@ extends =
 [file]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://ftp.astron.com/pub/file/file-5.44.tar.gz
-md5sum = a60d586d49d015d842b9294864a89c7a
+url = http://ftp.astron.com/pub/file/file-5.45.tar.gz
+md5sum = 26b2a96d4e3a8938827a1e572afd527a
 configure-options =
   --disable-static
   --disable-libseccomp

component/firewalld/buildout.cfg

@@ -76,7 +76,7 @@ environment =
   CPPFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
   LDFLAGS=-L${glib:location}/lib -Wl,-rpath=${glib:location}/lib -L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi -L${zlib:location}/lib/ -Wl,-rpath=${zlib:location}/lib/
   GLIB_CFLAGS=-I${glib:location}/include/glib-2.0 -I${glib:location}/lib/glib-2.0/include
-  GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lintl -lgobject-2.0
+  GLIB_LIBS=-L${glib:location}/lib -lglib-2.0 -lgobject-2.0
   FFI_CFLAGS=-I${libffi:location}/include
   FFI_LIBS=-L${libffi:location}/lib -Wl,-rpath=${libffi:location}/lib -lffi
   GIR_DIR=${buildout:parts-directory}/${:_buildout_section_name_}/share/gir-1.0

component/freetype/buildout.cfg

@@ -14,12 +14,15 @@ parts =
 [freetype]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://download.savannah.gnu.org/releases/freetype/freetype-2.7.1.tar.bz2
-md5sum = b3230110e0cab777e0df7631837ac36e
+url = https://download.savannah.gnu.org/releases/freetype/freetype-2.13.2.tar.xz
+md5sum = 1f625f0a913c449551b1e3790a1817d7
 pkg_config_depends = ${zlib:location}/lib/pkgconfig:${libpng:location}/lib/pkgconfig
 location = @@LOCATION@@
 configure-options =
   --disable-static
+  --enable-freetype-config
+  --without-brotli
+  --without-librsvg
 environment =
   PATH=${pkgconfig:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${:pkg_config_depends}

component/gdal/buildout.cfg

@@ -9,7 +9,6 @@ extends =
   ../pcre/buildout.cfg
   ../proj4/buildout.cfg
   ../sqlite3/buildout.cfg
-  ../webp/buildout.cfg
   ../xz-utils/buildout.cfg
 
 parts =
@@ -32,12 +31,12 @@ configure-options =
   --with-png=${libpng:location}
   --with-static-proj4=${proj4:location}
   --with-sqlite3=${sqlite3:location}
-  --with-webp=${webp:location}
   --with-xml2=${libxml2:location}/bin/xml2-config
+  --without-webp
 environment =
   PATH=${xz-utils:location}/bin:%(PATH)s
   CPPFLAGS=-I${pcre:location}/include
-  LDFLAGS=-L${pcre:location}/lib -Wl,-rpath=${buildout:parts-directory}/${:_buildout_section_name_}/lib -Wl,-rpath=${curl:location}/lib -Wl,-rpath=${geos:location}/lib -Wl,-rpath=${giflib:location}/lib -Wl,-rpath=${jasper:location}/lib -Wl,-rpath=${jbigkit:location}/lib -Wl,-rpath=${libexpat:location}/lib -Wl,-rpath=${libjpeg:location}/lib -Wl,-rpath=${libpng:location}/lib -Wl,-rpath=${libtiff:location}/lib -Wl,-rpath=${libxml2:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${webp:location}/lib -Wl,-rpath=${zlib:location}/lib
+  LDFLAGS=-L${pcre:location}/lib -Wl,-rpath=${buildout:parts-directory}/${:_buildout_section_name_}/lib -Wl,-rpath=${curl:location}/lib -Wl,-rpath=${geos:location}/lib -Wl,-rpath=${giflib:location}/lib -Wl,-rpath=${jasper:location}/lib -Wl,-rpath=${jbigkit:location}/lib -Wl,-rpath=${libexpat:location}/lib -Wl,-rpath=${libjpeg:location}/lib -Wl,-rpath=${libpng:location}/lib -Wl,-rpath=${libtiff:location}/lib -Wl,-rpath=${libxml2:location}/lib -Wl,-rpath=${openssl:location}/lib -Wl,-rpath=${pcre:location}/lib -Wl,-rpath=${sqlite3:location}/lib -Wl,-rpath=${zlib:location}/lib
 
 [gdal-python]
 recipe = zc.recipe.egg:custom

component/ghostscript/buildout.cfg

@@ -14,8 +14,8 @@ parts = ghostscript
 [ghostscript]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9550/ghostscript-9.55.0.tar.xz
-md5sum = 92aa46e75c4f32eb11d9c975053d876c
+url = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10020/ghostscript-10.02.0.tar.xz
+md5sum = 80c1cdfada72f2eb5987dc0d590ea5b2
 pkg_config_depends = ${libtiff:location}/lib/pkgconfig:${libjpeg:location}/lib/pkgconfig:${fontconfig:location}/lib/pkgconfig:${fontconfig:pkg_config_depends}
 # XXX --with-tessdata work arounds a slaprunner bug of having softwares installed in a path containing //
 configure-options =
@@ -23,6 +23,7 @@ configure-options =
   --disable-threadsafe
   --with-system-libtiff
   --without-libidn
+  --without-so
   --without-x
   --with-drivers=FILES
   --with-tessdata=$(python -c 'print("""${:tessdata-location}""".replace("//", "/"))')

component/git/buildout.cfg

@@ -18,8 +18,8 @@ parts =
 [git]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.40.1.tar.xz
-md5sum = 125d13c374a9ec9253f42c483bacec31
+url = https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.42.0.tar.xz
+md5sum = e61c187f6863d5e977e60cdedf213ec0
 configure-options =
   --with-curl=${curl:location}
   --with-openssl=${openssl:location}

component/glib/buildout.cfg

@@ -7,6 +7,7 @@ extends =
   ../patch/buildout.cfg
   ../pcre2/buildout.cfg
   ../perl/buildout.cfg
+  ../python3/buildout.cfg
   ../pkgconfig/buildout.cfg
   ../xz-utils/buildout.cfg
   ../zlib/buildout.cfg
@@ -14,6 +15,9 @@ extends =
 parts =
   glib
 
+[gcc]
+min_version = 8
+
 [glib]
 recipe = slapos.recipe.cmmi
 shared = true
@@ -24,7 +28,7 @@ make-binary = ninja -C builddir
 pkg_config_depends = ${pcre2:location}/lib/pkgconfig:${libffi:location}/lib/pkgconfig:${zlib:location}/lib/pkgconfig
 environment =
   PKG_CONFIG_PATH=${:pkg_config_depends}
-  PATH=${ninja:location}/bin:${pkgconfig:location}/bin:${patch:location}/bin:${perl:location}/bin:${xz-utils:location}/bin:%(PATH)s
+  PATH=${python3:location}/bin:${ninja:location}/bin:${pkgconfig:location}/bin:${patch:location}/bin:${perl:location}/bin:${xz-utils:location}/bin:%(PATH)s
   CFLAGS=-I${gettext:location}/include
   LDFLAGS=-L${gettext:location}/lib -lintl -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${libffi:location}/lib -Wl,-rpath=${zlib:location}/lib -Wl,-rpath=@@LOCATION@@/lib -Wl,-rpath=${pcre2:location}/lib
 post-install = rm %(location)s/bin/gtester-report

component/imagemagick/buildout.cfg

@@ -19,23 +19,27 @@ extends =
   ../jbigkit/buildout.cfg
   ../patch/buildout.cfg
   ../pkgconfig/buildout.cfg
-  ../webp/buildout.cfg
   ../xz-utils/buildout.cfg
   ../zlib/buildout.cfg
 
 [imagemagick]
 recipe = slapos.recipe.cmmi
 shared = true
-version = 7.0.2-10
+version = 7.1.1-20
 url = https://www.imagemagick.org/download/releases/ImageMagick-${:version}.tar.xz
-md5sum = e1cb23d9c10a8eff228ef30ee281711a
-pkg_config_depends = ${fontconfig:location}/lib/pkgconfig:${fontconfig:pkg_config_depends}:${lcms2:location}/lib/pkgconfig:${xz-utils:location}/lib/pkgconfig
+md5sum = 4ce5c6854c1f8ab6ce5571a9377b1f2f
+pkg_config_depends = ${fontconfig:location}/lib/pkgconfig:${fontconfig:pkg_config_depends}:${lcms2:location}/lib/pkgconfig:${libtiff:location}/lib/pkgconfig:${xz-utils:location}/lib/pkgconfig
+# Change export-filename to export-png for inkscape < 1.0
+pre-configure =
+  sed -i -e 's,--export-filename=,--export-png=,' config/delegates.xml.in
 configure-options =
   --disable-static
   --without-x
+  --with-frozenpaths
   --with-magick-plus-plus
   --disable-openmp
   --disable-opencl
+  --without-dmr
   --without-dps
   --without-djvu
   --without-fftw
@@ -44,6 +48,8 @@ configure-options =
   --with-fontconfig
   --without-gslib
   --without-gvc
+  --without-heic
+  --without-jxl
   --with-lcms
   --without-openjp2
   --without-lqr
@@ -51,17 +57,21 @@ configure-options =
   --without-openexr
   --without-pango
   --without-raqm
+  --without-raw
   --without-rsvg
+  --without-webp
   --without-wmf
+  --without-zip
+  --without-zstd
   --with-bzlib=${bzip2:location}
   --with-zlib=${zlib:location}
   --with-frozenpaths
 patch-options = -p1
 patches =
-  ${:_profile_base_location_}/imagemagick-7.0.2-10-no-gsx-gsc-probe.patch#64898455d5175efedd1a7bef9f1f18b5
-  ${:_profile_base_location_}/safe_policy.patch#383c0392de7257c9dff7270973342914
+  ${:_profile_base_location_}/imagemagick-7.1.1-20-no-gsx-gsc-probe.patch#98762d1977e5bce2e12954818a671eb9
+  ${:_profile_base_location_}/safe_policy.patch#0226c51e276f397b5900815c17dcf117
 environment =
   PATH=${freetype:location}/bin:${ghostscript:location}/bin:${inkscape:location}/bin:${libxml2:location}/bin:${patch:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${:pkg_config_depends}
-  CPPFLAGS=-I${bzip2:location}/include -I${zlib:location}/include -I${jbigkit:location}/include -I${libjpeg:location}/include -I${libtiff:location}/include -I${libtool:location}/include -I${libpng:location}/include -I${jasper:location}/include -I${freetype:location}/include -I${webp:location}/include
-  LDFLAGS=-L${bzip2:location}/lib -Wl,-rpath=${bzip2:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${jbigkit:location}/lib -Wl,-rpath=${jbigkit:location}/lib -L${libjpeg:location}/lib -Wl,-rpath=${libjpeg:location}/lib -L${libtiff:location}/lib -Wl,-rpath=${libtiff:location}/lib -L${libtool:location}/lib -Wl,-rpath=${libtool:location}/lib -L${libpng:location}/lib -Wl,-rpath=${libpng:location}/lib -L${jasper:location}/lib -Wl,-rpath=${jasper:location}/lib -L${freetype:location}/lib -Wl,-rpath=${freetype:location}/lib -L${webp:location}/lib -Wl,-rpath=${webp:location}/lib
+  CPPFLAGS=-I${bzip2:location}/include -I${zlib:location}/include -I${jbigkit:location}/include -I${libjpeg:location}/include -I${libtool:location}/include -I${libpng:location}/include -I${jasper:location}/include -I${freetype:location}/include
+  LDFLAGS=-L${bzip2:location}/lib -Wl,-rpath=${bzip2:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${jbigkit:location}/lib -Wl,-rpath=${jbigkit:location}/lib -L${libjpeg:location}/lib -Wl,-rpath=${libjpeg:location}/lib -L${libtool:location}/lib -Wl,-rpath=${libtool:location}/lib -L${libpng:location}/lib -Wl,-rpath=${libpng:location}/lib -L${jasper:location}/lib -Wl,-rpath=${jasper:location}/lib -L${freetype:location}/lib -Wl,-rpath=${freetype:location}/lib

component/imagemagick/imagemagick-7.0.2-10-no-gsx-gsc-probe.patch

---- ImageMagick-7.0.2-10/configure.ac.orig      2016-08-30 11:33:39.160279386 +0200
-+++ ImageMagick-7.0.2-10/configure.ac   2016-08-30 11:35:34.753290590 +0200
-@@ -3110,7 +3110,7 @@
- AC_PATH_PROG(MrSIDDecodeDelegate, "$MrSIDDecodeDelegateDefault", "$MrSIDDecodeDelegateDefault")
- AC_PATH_PROG(MVDelegate, "$MVDelegateDefault", "$MVDelegateDefault")
- AC_PATH_PROG(PCLDelegate, "$PCLDelegateDefault", "$PCLDelegateDefault")
--AC_PATH_PROGS(PSDelegate, gsx gsc "$PSDelegateDefault", "$PSDelegateDefault")
-+AC_PATH_PROGS(PSDelegate, "$PSDelegateDefault", "$PSDelegateDefault")
- AC_PATH_PROG(RMDelegate, "$RMDelegateDefault", "$RMDelegateDefault")
- AC_PATH_PROG(RSVGDecodeDelegate, "$RSVGDecodeDelegateDefault", "$RSVGDecodeDelegateDefault")
- AC_PATH_PROG(SVGDecodeDelegate, "$SVGDecodeDelegateDefault", "$SVGDecodeDelegateDefault")

component/imagemagick/imagemagick-7.1.1-20-no-gsx-gsc-probe.patch

+--- ImageMagick-7.1.1-20/configure.ac.orig	2023-10-08 23:05:13.000000000 +0200
++++ ImageMagick-7.1.1-20/configure.ac	2023-10-10 09:22:13.287693848 +0200
+@@ -3317,7 +3317,7 @@
+ AC_PATH_PROG([MrSIDDecodeDelegate],["$MrSIDDecodeDelegateDefault"],["$MrSIDDecodeDelegateDefault"])
+ AC_PATH_PROG([MVDelegate],["$MVDelegateDefault"],["$MVDelegateDefault"])
+ AC_PATH_PROG([PCLDelegate],["$PCLDelegateDefault"],["$PCLDelegateDefault"])
+-AC_PATH_PROGS([PSDelegate],[gsx gsc "$PSDelegateDefault"],["$PSDelegateDefault"])
++AC_PATH_PROGS([PSDelegate],["$PSDelegateDefault"],["$PSDelegateDefault"])
+ AC_PATH_PROG([RMDelegate],["$RMDelegateDefault"],["$RMDelegateDefault"])
+ AC_PATH_PROG([RSVGDecodeDelegate],["$RSVGDecodeDelegateDefault"],["$RSVGDecodeDelegateDefault"])
+ AC_PATH_PROG([SVGDecodeDelegate],["$SVGDecodeDelegateDefault"],["$SVGDecodeDelegateDefault"])

component/imagemagick/safe_policy.patch

---- ImageMagick-7.0.2-10/config/policy.xml.orig	2016-08-30 11:37:29.110253211 +0200
-+++ ImageMagick-7.0.2-10/config/policy.xml	2016-08-30 11:40:09.719555899 +0200
-@@ -50,19 +50,28 @@
- -->
+--- ImageMagick-7.1.1-20.orig/config/policy-open.xml	2023-10-08 23:05:13.000000000 +0200
++++ ImageMagick-7.1.1-20/config/policy-open.xml	2023-10-10 18:29:06.846344247 +0200
+@@ -84,41 +84,41 @@
  <policymap>
-   <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
--  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
--  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
--  <!-- <policy domain="resource" name="width" value="10MP"/> -->
--  <!-- <policy domain="resource" name="height" value="10MP"/> -->
--  <!-- <policy domain="resource" name="area" value="1GB"/> -->
--  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
+   <policy domain="Undefined" rights="none"/>
+   <!-- Set maximum parallel threads. -->
+-  <!-- <policy domain="resource" name="thread" value="2"/> -->
++  <policy domain="resource" name="thread" value="2"/>
+   <!-- Set maximum time in seconds. When this limit is exceeded, an exception
+        is thrown and processing stops. -->
+-  <!-- <policy domain="resource" name="time" value="120"/> -->
++  <policy domain="resource" name="time" value="120"/>
+   <!-- Set maximum number of open pixel cache files. When this limit is
+        exceeded, any subsequent pixels cached to disk are closed and reopened
+        on demand. -->
 -  <!-- <policy domain="resource" name="file" value="768"/> -->
--  <!-- <policy domain="resource" name="thread" value="4"/> -->
--  <!-- <policy domain="resource" name="throttle" value="0"/> -->
--  <!-- <policy domain="resource" name="time" value="3600"/> -->
--  <!-- <policy domain="system" name="precision" value="6"/> -->
--  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
--  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
--  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
-+  <policy domain="resource" name="memory" value="2GiB"/>
-+  <policy domain="resource" name="map" value="4GiB"/>
-+  <policy domain="resource" name="width" value="10MP"/>
-+  <policy domain="resource" name="height" value="10MP"/>
-+  <policy domain="resource" name="area" value="1GB"/>
-+  <policy domain="resource" name="disk" value="16EB"/>
 +  <policy domain="resource" name="file" value="768"/>
-+  <policy domain="resource" name="thread" value="4"/>
-+  <policy domain="resource" name="throttle" value="0"/>
-+  <policy domain="resource" name="time" value="3600"/>
-+  <policy domain="system" name="precision" value="6"/>
-+  <policy domain="coder" rights="none" pattern="MVG" />
-+  <policy domain="delegate" rights="none" pattern="HTTPS" />
-+  <policy domain="path" rights="none" pattern="@*" />
-   <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
-+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
-+  <policy domain="coder" rights="none" pattern="HTTPS" />
-+  <policy domain="coder" rights="none" pattern="MSL" />
-+  <policy domain="coder" rights="none" pattern="MVG" />
-+  <policy domain="coder" rights="none" pattern="PLT" />
-+  <policy domain="coder" rights="none" pattern="SHOW" />
-+  <policy domain="coder" rights="none" pattern="TEXT" />
-+  <policy domain="coder" rights="none" pattern="URL" />
-+  <policy domain="coder" rights="none" pattern="WIN" />
+   <!-- Set maximum amount of memory in bytes to allocate for the pixel cache
+        from the heap. When this limit is exceeded, the image pixels are cached
+        to memory-mapped disk. -->
+-  <!-- <policy domain="resource" name="memory" value="256MiB"/> -->
++  <policy domain="resource" name="memory" value="256MiB"/>
+   <!-- Set maximum amount of memory map in bytes to allocate for the pixel
+        cache. When this limit is exceeded, the image pixels are cached to
+        disk. -->
+-  <!-- <policy domain="resource" name="map" value="512MiB"/> -->
++  <policy domain="resource" name="map" value="512MiB"/>
+   <!-- Set the maximum width * height of an image that can reside in the pixel
+        cache memory. Images that exceed the area limit are cached to disk. -->
+-  <!-- <policy domain="resource" name="area" value="16KP"/> -->
++  <policy domain="resource" name="area" value="16KP"/>
+   <!-- Set maximum amount of disk space in bytes permitted for use by the pixel
+        cache. When this limit is exceeded, the pixel cache is not be created
+        and an exception is thrown. -->
+-  <!-- <policy domain="resource" name="disk" value="1GiB"/> -->
++  <policy domain="resource" name="disk" value="1GiB"/>
+   <!-- Set the maximum length of an image sequence.  When this limit is
+        exceeded, an exception is thrown. -->
+-  <!-- <policy domain="resource" name="list-length" value="32"/> -->
++  <policy domain="resource" name="list-length" value="32"/>
+   <!-- Set the maximum width of an image.  When this limit is exceeded, an
+        exception is thrown. -->
+-  <!-- <policy domain="resource" name="width" value="8KP"/> -->
++  <policy domain="resource" name="width" value="8KP"/>
+   <!-- Set the maximum height of an image.  When this limit is exceeded, an
+        exception is thrown. -->
+-  <!-- <policy domain="resource" name="height" value="8KP"/> -->
++  <policy domain="resource" name="height" value="8KP"/>
+   <!-- Periodically yield the CPU for at least the time specified in
+        milliseconds. -->
+-  <!-- <policy domain="resource" name="throttle" value="2"/> -->
++  <policy domain="resource" name="throttle" value="2"/>
+   <!-- Do not create temporary files in the default shared directories, instead
+        specify a private area to store only ImageMagick temporary files. -->
+   <!-- <policy domain="resource" name="temporary-path" value="/magick/tmp/"/> -->
+@@ -138,7 +138,7 @@
+   <!-- don't read sensitive paths. -->
+   <!-- <policy domain="path" rights="none" pattern="/etc/*"/> -->
+   <!-- Indirect reads are not permitted. -->
+-  <!-- <policy domain="path" rights="none" pattern="@*"/> -->
++  <policy domain="path" rights="none" pattern="@*"/>
+   <!-- These image types are security risks on read, but write is fine -->
+   <!-- <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,URL,XPS}"/> -->
+   <!-- This policy sets the number of times to replace content of certain
+@@ -150,4 +150,5 @@
+   <!-- Set the maximum amount of memory in bytes that are permitted for
+        allocation requests. -->
+   <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
++  <policy domain="coder" rights="none" pattern="{EPHEMERAL,HTTPS,MSL,MVG,PLT,SHOW,TEXT,URL,WIN}" />
  </policymap>

component/leptonica/buildout.cfg

@@ -5,7 +5,6 @@ extends =
   ../libjpeg/buildout.cfg
   ../libpng/buildout.cfg
   ../libtiff/buildout.cfg
-  ../webp/buildout.cfg
   ../giflib/buildout.cfg
 
 [leptonica]
@@ -15,6 +14,9 @@ url = http://www.leptonica.org/source/leptonica-1.80.0.tar.gz
 md5sum = d640d684234442a84c9e8902f0b3ff36
 configure-options =
   --disable-static
+  --without-libwebp
+  --without-libwebpmux
+  --without-libopenjpeg
 environment =
-  CPPFLAGS=-I${zlib:location}/include -I${libjpeg:location}/include -I${libpng:location}/include -I${libtiff:location}/include -I${webp:location}/include -I${giflib:location}/include
-  LDFLAGS=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${libjpeg:location}/lib -Wl,-rpath=${libjpeg:location}/lib -L${libpng:location}/lib -Wl,-rpath=${libpng:location}/lib -L${libtiff:location}/lib -Wl,-rpath=${libtiff:location}/lib -L${webp:location}/lib -Wl,-rpath=${webp:location}/lib -L${giflib:location}/lib -Wl,-rpath=${giflib:location}/lib
+  CPPFLAGS=-I${zlib:location}/include -I${libjpeg:location}/include -I${libpng:location}/include -I${libtiff:location}/include -I${giflib:location}/include
+  LDFLAGS=-L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib -L${libjpeg:location}/lib -Wl,-rpath=${libjpeg:location}/lib -L${libpng:location}/lib -Wl,-rpath=${libpng:location}/lib -L${libtiff:location}/lib -Wl,-rpath=${libtiff:location}/lib -L${giflib:location}/lib -Wl,-rpath=${giflib:location}/lib

component/libtiff/buildout.cfg

@@ -22,7 +22,7 @@ configure-options =
   --disable-webp
 patch-options = -p1
 patches =
-  ${:_profile_base_location_}/debian_4.2.0-1+deb11u3.patch#d4396255ca214694501f4a44e8e685c6
+  ${:_profile_base_location_}/debian_4.2.0-1+deb11u4.patch#88940ccaedc6337b8ee1577fbffb9e2e
 environment =
   CPPFLAGS=-I${libjpeg:location}/include -I${jbigkit:location}/include -I${zlib:location}/include
   LDFLAGS=-L${libjpeg:location}/lib -Wl,-rpath=${libjpeg:location}/lib -L${jbigkit:location}/lib -Wl,-rpath=${jbigkit:location}/lib -L${zlib:location}/lib -Wl,-rpath=${zlib:location}/lib

component/nodejs/buildout.cfg

@@ -12,13 +12,25 @@ extends =
 parts =
   nodejs
 
-[nodejs]
-<= nodejs-16.19.0
-
-# nodejs 16 needs gcc > 8.3
+# nodejs >= 16 needs gcc >= 8.3
 [gcc]
 min_version = 8.3
 
+
+[nodejs]
+<= nodejs-18.18.0
+
+[nodejs-headers]
+<= nodejs-headers-18.18.0
+
+
+[node-gyp-environment]
+# environment section to build with node-gyp.
+# node-gyp downloads a tarball containing nodejs headers by default
+# this uses a locally downloaded tarball, for reproductibility.
+npm_config_tarball = ${nodejs-headers:target}
+
+
 [nodejs-16.19.0]
 <= nodejs-base
 openssl_location = ${openssl:location}
@@ -38,6 +50,18 @@ post-install =
 version = v16.19.0
 md5sum = e7bfbf135ae54d1dcca63bf17be84818
 
+[nodejs-18.18.0]
+<= nodejs-base
+openssl_location = ${openssl:location}
+version = v18.18.0
+md5sum = a1ce8df7e6b9df9f4ba3ff1d4e2173d2
+
+[nodejs-headers-18.18.0]
+<= nodejs-headers-base
+version = v18.18.0
+md5sum = c5ab3e98977dfd639d830625d79eff52
+
+
 [nodejs-14.16.0]
 <= nodejs-base
 openssl_location = ${openssl:location}
@@ -57,11 +81,6 @@ version = v8.9.4
 md5sum = 4ddc1daff327d7e6f63da57fdfc24f55
 PATH = ${pkgconfig:location}/bin:${python2.7:location}/bin:%(PATH)s
 
-[nodejs-8.6.0]
-<= nodejs-base
-version = v8.6.0
-md5sum = 0c95e08220667d8a18b97ecec8218ac6
-PATH = ${pkgconfig:location}/bin:${python2.7:location}/bin:%(PATH)s
 
 [nodejs-8.12.0]
 <= nodejs-base

component/openssl/buildout.cfg

@@ -17,8 +17,8 @@ parts =
 [openssl]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://www.openssl.org/source/openssl-1.1.1v.tar.gz
-md5sum = 9edcfdd9b96523df82b312c404f4b169
+url = https://www.openssl.org/source/openssl-1.1.1w.tar.gz
+md5sum = 3f76825f195e52d4b10c70040681a275
 location = @@LOCATION@@
 # 'prefix' option to override --openssldir/--prefix (which is useful
 # when combined with DESTDIR). Used by slapos.package.git/obs
@@ -48,8 +48,10 @@ environment =
 
 [openssl-quictls]
 <= openssl
-url = https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1v-quic1.tar.gz
-md5sum = 4b0e4a81590644a027b78a54c26a75e2
+# XXX tag missing for 1.1.1w
+# url = https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1w-quic1.tar.gz
+url = https://github.com/quictls/openssl/archive/612d8e44d687e4b71c4724319d7aa27a733bcbca.tar.gz
+md5sum =4a06f8b195e817c8a0d94ebdbc7c7bb7
 
 [openssl-output]
 # Shared binary location to ease migration

component/pillow/buildout.cfg

@@ -5,7 +5,6 @@ extends =
   ../lcms/buildout.cfg
   ../libjpeg/buildout.cfg
   ../libtiff/buildout.cfg
-  ../webp/buildout.cfg
   ../zlib/buildout.cfg
 
 parts =
@@ -20,7 +19,6 @@ include-dirs =
   ${lcms2:location}/include
   ${libjpeg:location}/include
   ${libtiff:location}/include
-  ${webp:location}/include
   ${zlib:location}/include
 library-dirs =
   ${freetype:location}/lib
@@ -28,7 +26,6 @@ library-dirs =
   ${lcms2:location}/lib
   ${libjpeg:location}/lib
   ${libtiff:location}/lib
-  ${webp:location}/lib
   ${zlib:location}/lib
 rpath =
   ${freetype:location}/lib
@@ -36,5 +33,4 @@ rpath =
   ${lcms2:location}/lib
   ${libjpeg:location}/lib
   ${libtiff:location}/lib
-  ${webp:location}/lib
   ${zlib:location}/lib

component/theia/buildout.cfg

@@ -39,6 +39,7 @@ environment =
   PATH=${nodejs:location}/bin:${pkgconfig:location}/bin:${python3:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${libsecret:location}/lib/pkgconfig:${libsecret:pkg_config_depends}
   LDFLAGS=-Wl,-rpath=${libsecret:location}/lib -L${gettext:location}/lib -Wl,-rpath=${gettext:location}/lib -Wl,-rpath=${glib:location}/lib
+  npm_config_tarball=${node-gyp-environment:npm_config_tarball}
   NODE_OPTIONS=--max_old_space_size=4096
 pre-configure =
   mkdir -p $TMPDIR
@@ -71,6 +72,7 @@ post-install =
   # and anyway not used once the software is installed
   rm -f %(location)s/node_modules/@msgpackr-extract/*/*.node
   rm -rf $HOME/.cache/yarn/
+  rm -rf $HOME/.cache/puppeteer/
   # remove "which" command added in $PATH that does not correctly
   # handle executables thanks to a secondary group of the user.
   # https://www.npmjs.com/package/which https://www.npmjs.com/package/isexe
@@ -179,6 +181,7 @@ content =
           "@theia/mini-browser": "latest",
           "@theia/monaco": "latest",
           "@theia/navigator": "latest",
+          "@theia/notebook": "latest",
           "@theia/outline-view": "latest",
           "@theia/output": "latest",
           "@theia/plugin-dev": "latest",
@@ -191,9 +194,11 @@ content =
           "@theia/scm": "latest",
           "@theia/scm-extra": "latest",
           "@theia/search-in-workspace": "latest",
+          "@theia/secondary-window": "latest",
           "@theia/task": "latest",
           "@theia/terminal": "latest",
           "@theia/timeline": "latest",
+          "@theia/toolbar": "latest",
           "@theia/typehierarchy": "latest",
           "@theia/userstorage": "latest",
           "@theia/variable-resolver": "latest",

component/theia/buildout.hash.cfg

@@ -15,11 +15,11 @@
 
 [preloadTemplate.html]
 _update_hash_filename_ = preloadTemplate.html
-md5sum = 6343592161a349bb40e0de16ce67aa51
+md5sum = a27e2cb34e4efe2ed0d4698f505554f0
 
 [yarn.lock]
 _update_hash_filename_ = yarn.lock
-md5sum = 6435aaf48cbbfe7911505c2c45cc53ea
+md5sum = bb7444ebfeea21fed1960700aa6becf9
 
 [ms-python-disable-jedi-buildout.patch]
 _update_hash_filename_ = ms-python-disable-jedi-buildout.patch

component/theia/generate_download_plugins_cfg.py

@@ -49,9 +49,7 @@ for plugin_and_version in '''\
     vscode/lua/latest
     vscode/make/latest
     vscode/markdown/latest
-# Activating extension 'Markdown Language Features (built-in)' failed:
-# i.workspace.onWillDropOnTextEditor is not a function
-    vscode/markdown-language-features/1.64.2
+    vscode/markdown-language-features/latest
     vscode/merge-conflict/latest
     vscode/npm/latest
     ms-vscode/node-debug/latest

component/theia/preloadTemplate.html

@@ -7,6 +7,7 @@
   link = document.createElement('link');
   link.rel = "manifest";
   link.href = "/theia.webmanifest";
+  link.crossOrigin = "use-credentials";
   document.head.appendChild(link);
 
   if ('serviceWorker' in navigator) {

component/trafficserver/buildout.cfg

@@ -24,8 +24,8 @@ min_version = 8
 
 [trafficserver]
 recipe = slapos.recipe.cmmi
-url = https://dlcdn.apache.org/trafficserver/trafficserver-9.2.0.tar.bz2
-md5sum = 3188d53f0a2eb618fb9399e098161691
+url = https://dlcdn.apache.org/trafficserver/trafficserver-9.2.2.tar.bz2
+md5sum = 994247ed0f50e6dfcfb8d7200dcad6ea
 shared = true
 patch-options = -p1
 configure-options =

component/webp/buildout.cfg

@@ -13,11 +13,12 @@ extends =
 [webp]
 recipe = slapos.recipe.cmmi
 shared = true
-url = http://downloads.webmproject.org/releases/webp/libwebp-0.4.1.tar.gz
-md5sum = 42bc79613ec5ee5b0e68ba97839c981e
+url = http://downloads.webmproject.org/releases/webp/libwebp-1.3.2.tar.gz
+md5sum = 34869086761c0e2da6361035f7b64771
 configure-options =
   --disable-static
   --disable-gl
+  --disable-sdl
   --disable-wic
   --enable-everything
   --with-jpegincludedir=${libjpeg:location}/include

component/xorg/buildout.cfg

@@ -165,8 +165,8 @@ environment =
 [libX11]
 recipe = slapos.recipe.cmmi
 shared = true
-url = https://www.x.org/releases/individual/lib/libX11-1.8.6.tar.gz
-md5sum = 9767ee0c5819e35142835da61b923421
+url = https://www.x.org/releases/individual/lib/libX11-1.8.7.tar.gz
+md5sum = feb9664ce36111923c0be0b292f6e15b
 pkg_config_depends = ${inputproto:location}/lib/pkgconfig:${xorgproto:location}/share/pkgconfig:${libXau:location}/lib/pkgconfig:${libxcb:location}/lib/pkgconfig:${xextproto:location}/lib/pkgconfig:${xorg-libpthread-stubs:location}/lib/pkgconfig:${xorg-util-macros:location}/share/pkgconfig:${xtrans:location}/share/pkgconfig
 configure-options =
   --disable-static

software/erp5/test/test/test_balancer.py

@@ -805,7 +805,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
       ).json()
       self.assertEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4')
 
-  def test_x_forwarded_for_stripped_when_not_verified_connection(self):
+  def test_x_forwarded_for_stripped_when_no_certificate(self):
     # type: () -> None
     balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
     result = requests.get(
@@ -813,7 +813,7 @@ class TestFrontendXForwardedFor(BalancerTestCase):
       headers={'X-Forwarded-For': '1.2.3.4'},
       verify=False,
     ).json()
-    self.assertNotEqual(result['Incoming Headers'].get('x-forwarded-for', '').split(', ')[0], '1.2.3.4')
+    self.assertNotIn('x-fowarded-for', [k.lower() for k in result['Incoming Headers'].keys()])
     balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
     with self.assertRaisesRegex(Exception, "certificate required"):
       requests.get(
@@ -822,6 +822,32 @@ class TestFrontendXForwardedFor(BalancerTestCase):
         verify=False,
       )
 
+  def test_x_forwarded_for_stripped_when_not_verified_certificate(self):
+    # type: () -> None
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default']
+
+    # certificate from an unknown CA
+    another_unrelated_caucase = self.getManagedResource('another_unrelated_caucase', CaucaseService)
+    unknown_client_certificate = self.getManagedResource('unknown_client_certificate', CaucaseCertificate)
+    unknown_client_certificate.request('unknown client certificate', another_unrelated_caucase)
+
+    result = requests.get(
+      balancer_url,
+      headers={'X-Forwarded-For': '1.2.3.4'},
+      cert=(unknown_client_certificate.cert_file, unknown_client_certificate.key_file),
+      verify=False,
+    ).json()
+    self.assertNotIn('x-fowarded-for', [k.lower() for k in result['Incoming Headers'].keys()])
+
+    balancer_url = json.loads(self.computer_partition.getConnectionParameterDict()['_'])['default-auth']
+    with self.assertRaisesRegex(Exception, "unknown ca"):
+      requests.get(
+        balancer_url,
+        headers={'X-Forwarded-For': '1.2.3.4'},
+        cert=(unknown_client_certificate.cert_file, unknown_client_certificate.key_file),
+        verify=False,
+      )
+
 
 class TestServerTLSProvidedCertificate(BalancerTestCase):
   """Check that certificate and key can be provided as instance parameters.

software/kvm/instance-kvm-cluster-input-schema.json

@@ -279,7 +279,6 @@
               "default": "virtio",
               "enum": [
                 "ide",
-                "scsi",
                 "sd",
                 "mtd",
                 "floppy",

software/kvm/instance-kvm-input-schema.json

@@ -53,7 +53,6 @@
       "default": "virtio",
       "enum": [
         "ide",
-        "scsi",
         "sd",
         "mtd",
         "floppy",

software/mail-server/buildout.hash.cfg

@@ -19,7 +19,7 @@ md5sum = 7ab3b606972e1b338d28fc1374617835
 
 [template-default]
 _update_hash_filename_ = instance-default.cfg.in
-md5sum = 698104b7c3694a69575c965c21629f87
+md5sum = 89a7224c3dd9356bf262100816b67f73
 
 [dovecot.jinja2.conf]
 _update_hash_filename_ = dovecot.jinja2.conf

software/mail-server/instance-default.cfg.in

@@ -147,6 +147,10 @@ recipe = slapos.recipe.template
 output = ${directory:bin}/${:_buildout_section_name_}
 inline =
   #!/bin/sh
+  # If master.pid contains PID of any running process
+  # dovecot will refuse to run. Only the pidfile provided
+  # by wrapper recipe should be used
+  rm -f var/run/dovecot/master.pid
   {{ dovecot_binary }} -F -c ${dovecot-conf:output}
 
 [dovecot-service]
@@ -170,6 +174,7 @@ recipe = slapos.recipe.template
 output = ${directory:bin}/${:_buildout_section_name_}
 inline =
   #!/bin/sh
+  rm -f var/spool/postfix/pid/master.pid
   ${directory:usr-postfix}/libexec/postfix/master -c ${directory:etc-postfix}
 
 [postfix-service]

software/monitor/test/test.py

@@ -30,11 +30,13 @@ import glob
 import hashlib
 import json
 import os
+import psutil
 import re
 import requests
 import shutil
 import subprocess
 import tempfile
+import time
 import xml.etree.ElementTree as ET
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -75,6 +77,141 @@ class ServicesTestCase(SlapOSInstanceTestCase):
 
       self.assertIn(expected_process_name, process_names)
 
+  def test_monitor_httpd_normal_reboot(self):
+    # Start the monitor-httpd service
+    with self.slap.instance_supervisor_rpc as supervisor:
+      info, = [i for i in
+         supervisor.getAllProcessInfo() if ('monitor-httpd' in i['name']) and ('on-watch' in i['name'])]
+      partition = info['group']
+      if info['statename'] != "RUNNING":
+        monitor_httpd_process_name = f"{info['group']}:{info['name']}"
+        supervisor.startProcess(monitor_httpd_process_name)
+        for _retries in range(20):
+          time.sleep(1)
+          info, = [i for i in 
+           supervisor.getAllProcessInfo() if ('monitor-httpd' in i['name']) and ('on-watch' in i['name'])]
+          if info['statename'] == "RUNNING":
+            break
+        else:
+          self.fail(f"the supervisord service '{monitor_httpd_process_name}' is not running")
+
+    # Get the partition path
+    partition_path_list = glob.glob(os.path.join(self.slap.instance_directory, '*'))
+    for partition_path in partition_path_list:
+      if os.path.exists(os.path.join(partition_path, 'etc', 'monitor-httpd.conf')):
+        self.partition_path = partition_path
+        break
+
+    # Make sure we are focusing the same httpd service
+    self.assertIn(partition, self.partition_path)
+
+    # Get the monitor-httpd-service
+    monitor_httpd_service_path = glob.glob(os.path.join(
+      self.partition_path, 'etc', 'service', 'monitor-httpd*'
+    ))[0]
+
+    try:
+      output = subprocess.check_output([monitor_httpd_service_path], timeout=10, stderr=subprocess.STDOUT, text=True)
+      # If the httpd-monitor service is running
+      # and the monitor-httpd.pid contains the identical PID as the servicse
+      # run the monitor-httpd service can cause the "already running" error correctly
+      self.assertIn("already running", output)
+    except subprocess.CalledProcessError as e:
+      self.logger.debug("Unexpected error when running the monitor-httpd service:", e)
+      self.fail("Unexpected error when running the monitor-httpd service")
+    except subprocess.TimeoutExpired as e:
+      # Timeout means we run the httpd service corrrectly
+      # This is not the expected behaviour
+      self.logger.debug("Unexpected behaviour: We are not suppose to be able to run the httpd service in the test:", e)
+      # Kill the process that we started manually
+      # Get the pid of the monitor_httpd from the PID file
+      monitor_httpd_pid_file = os.path.join(self.partition_path, 'var', 'run', 'monitor-httpd.pid')
+      monitor_httpd_pid = ""
+      if os.path.exists(monitor_httpd_pid_file):
+        with open(monitor_httpd_pid_file, "r") as pid_file:
+          monitor_httpd_pid = pid_file.read()
+      try:
+        pid_to_kill = monitor_httpd_pid.strip('\n')
+        subprocess.run(["kill", "-9", str(pid_to_kill)], check=True)
+        self.logger.debug(f"Process with PID {pid_to_kill} killed.")
+      except subprocess.CalledProcessError as e:
+        self.logger.debug(f"Error killing process with PID {pid_to_kill}: {e}")
+      self.fail("Unexpected behaviour: We are not suppose to be able to run the httpd service in the test")
+
+    with self.slap.instance_supervisor_rpc as supervisor:
+      info, = [i for i in
+         supervisor.getAllProcessInfo() if ('monitor-httpd' in i['name']) and ('on-watch' in i['name'])]
+      partition = info['group']
+      if info['statename'] == "RUNNING":
+        monitor_httpd_process_name = f"{info['group']}:{info['name']}"
+        supervisor.stopProcess(monitor_httpd_process_name)
+
+  def test_monitor_httpd_crash_reboot(self):
+    # Get the partition path
+    partition_path_list = glob.glob(os.path.join(self.slap.instance_directory, '*'))
+    for partition_path in partition_path_list:
+      if os.path.exists(os.path.join(partition_path, 'etc', 'monitor-httpd.conf')):
+        self.partition_path = partition_path
+        break
+
+    # Get the pid file
+    monitor_httpd_pid_file = os.path.join(self.partition_path, 'var', 'run', 'monitor-httpd.pid')
+    with self.slap.instance_supervisor_rpc as supervisor:
+      info, = [i for i in
+         supervisor.getAllProcessInfo() if ('monitor-httpd' in i['name']) and ('on-watch' in i['name'])]
+      if info['statename'] == "RUNNING":
+        monitor_httpd_process_name = f"{info['group']}:{info['name']}"
+        supervisor.stopProcess(monitor_httpd_process_name)
+
+    # Write the PID of the infinite process to the pid file.
+    with open(monitor_httpd_pid_file, "w") as file:
+      file.write(str(os.getpid()))
+
+    # Get the monitor-httpd-service
+    monitor_httpd_service_path = glob.glob(os.path.join(
+      self.partition_path, 'etc', 'service', 'monitor-httpd*'
+    ))[0]
+
+    monitor_httpd_service_is_running = False
+
+    # Create the subprocess
+    self.logger.debug("Ready to run the process in crash reboot")
+    try:
+      process = subprocess.Popen(monitor_httpd_service_path, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
+      stdout, stderr = '', ''
+      try:
+        # Wait for the process to finish, but with a timeout
+        stdout, stderr = process.communicate(timeout=3)
+        self.logger.debug("Communicated!")
+      except subprocess.TimeoutExpired:
+        monitor_httpd_service_is_running = True # We didn't get any output within 3 seconds, this means everything is fine.
+        # If the process times out, terminate it
+        try:
+          main_process = psutil.Process(process.pid)
+          child_processes = main_process.children(recursive=True)
+
+          for process in child_processes + [main_process]:
+            process.terminate()
+
+          psutil.wait_procs(child_processes + [main_process])
+
+          self.logger.debug(f"Processes with PID {process.pid} and its subprocesses terminated.")
+        except psutil.NoSuchProcess as e:
+          # This print will generate ResourceWarningm but it is normal in Python 3
+          # See https://github.com/giampaolo/psutil/blob/master/psutil/tests/test_process.py#L1526
+          self.logger.debug("No process found with PID: %s" % process.pid)
+
+      # "httpd (pid 21934) already running" means we start httpd failed
+      if "already running" in stdout:
+        self.fail("Unexepected output from the monitor-httpd process: %s" % stdout)
+        raise Exception("Unexepected output from the monitor-httpd process: %s" % stdout)
+
+    except subprocess.CalledProcessError as e:
+      self.logger.debug("Unexpected error when running the monitor-httpd service:", e)
+      self.fail("Unexpected error when running the monitor-httpd service")
+
+    self.assertTrue(monitor_httpd_service_is_running)
+
 
 class MonitorTestMixin:
   monitor_setup_url_key = 'monitor-setup-url'

software/osie-coupler/buildout.hash.cfg

 [instance-profile]
 filename = instance.cfg.in
-md5sum = f622d8b6e8ce96c75316a856b26caf96
+md5sum = 6610ce91964dda42edbcb5b7837777c2

software/osie-coupler/instance.cfg.in

@@ -55,5 +55,4 @@ log = ${:var}/log
 
 [publish-connection-parameter]
 recipe = slapos.cookbook:publish
-opc_ua_port = ${instance-parameter:configuration.opc_ua_port}
-interface = ${instance-parameter:configuration.interface}
+url-ipv6 = opc.tcp://[${instance-parameter:ipv6-random}]:${instance-parameter:configuration.opc_ua_port}

software/peertube/software.cfg

@@ -43,8 +43,6 @@ parts =
   gcc
   unzip
   curl
-  nodejs
-  yarn
   openssl
   python3
   nginx
@@ -57,6 +55,8 @@ parts =
   peertube-build
   instance-profile
 
+[nodejs]
+<= nodejs-16.19.0
 
 [peertube]
 recipe = slapos.recipe.build:download-unpacked

software/rapid-cdn/buildout.hash.cfg

@@ -22,7 +22,7 @@ md5sum = 5784bea3bd608913769ff9a8afcccb68
 
 [profile-frontend]
 filename = instance-frontend.cfg.in
-md5sum = 5c2f79d0773bd8594ccf1c34a7d27d53
+md5sum = 9a33900d735ef074b5887d61bca54243
 
 [profile-master]
 filename = instance-master.cfg.in
@@ -30,7 +30,7 @@ md5sum = 3006197ddce87bd92866b76b5ce8ce08
 
 [profile-slave-list]
 filename = instance-slave-list.cfg.in
-md5sum = 8289620cb32dbdfcca6ba112c7ec7b2b
+md5sum = b75e42233c1b7bdd5f21971ed8907efc
 
 [profile-master-publish-slave-information]
 filename = instance-master-publish-slave-information.cfg.in
@@ -38,11 +38,11 @@ md5sum = cba4d995962f7fbeae3f61c9372c4181
 
 [template-frontend-haproxy-configuration]
 _update_hash_filename_ = templates/frontend-haproxy.cfg.in
-md5sum = eef9712c6fe4d62b570b9059157c67ea
+md5sum = fc68a825c656bde0ae69a936936b0478
 
 [template-frontend-haproxy-crt-list]
 _update_hash_filename_ = templates/frontend-haproxy-crt-list.in
-md5sum = 238760d48d2875f087ad2d784e2a8fcd
+md5sum = 2f3f75773eb879b97d1ff5e04486591c
 
 [template-not-found-html]
 _update_hash_filename_ = templates/notfound.html
@@ -50,7 +50,7 @@ md5sum = d56e2cfab274cbbbe5b387f2f6e417df
 
 [template-backend-haproxy-configuration]
 _update_hash_filename_ = templates/backend-haproxy.cfg.in
-md5sum = b4b55d931249f11e4e1256afeb74b503
+md5sum = 6457064905f818f21e3733eb4278a580
 
 [template-empty]
 _update_hash_filename_ = templates/empty.in
@@ -102,7 +102,7 @@ md5sum = e82ccdb0b26552a1c88ff523d8fae24a
 
 [profile-kedifa]
 filename = instance-kedifa.cfg.in
-md5sum = a9854d48e750b3599043715c95138d5d
+md5sum = 669da915003122e48646dc75fec239a5
 
 [template-frontend-haproxy-rsyslogd-conf]
 _update_hash_filename_ = templates/frontend-haproxy-rsyslogd.conf.in

software/rapid-cdn/instance-frontend.cfg.in

@@ -1105,12 +1105,16 @@ delaycompress =
 url = {{ software_parameter_dict['template_wrapper'] }}
 output = ${directory:scripts}/logrotate-setup-validate
 command =
-  if ${logrotate:wrapper-path} -d > ${:state-file} 2>&1 ; then
+  if ${logrotate:wrapper-path} -d > ${:state-file-tmp} 2>&1 ; then
     cat /dev/null > ${:state-file}
+    rm -f ${:state-file-tmp}
+  else
+    mv ${:state-file-tmp} ${:state-file}
   fi
 extra-context =
   key content :command
 state-file = ${directory:run}/logrotate-setup.state
+state-file-tmp = ${:state-file}.tmp
 
 [promise-logrotate-setup]
 <= monitor-promise-base

software/rapid-cdn/instance-kedifa.cfg.in

@@ -329,12 +329,16 @@ monitor-base-url = ${monitor-instance-parameter:monitor-base-url}
 url = {{ software_parameter_dict['template_wrapper'] }}
 output = ${directory:scripts}/logrotate-setup-validate
 command =
-  if ${logrotate:wrapper-path} -d > ${:state-file} 2>&1 ; then
+  if ${logrotate:wrapper-path} -d > ${:state-file-tmp} 2>&1 ; then
     cat /dev/null > ${:state-file}
+    rm -f ${:state-file-tmp}
+  else
+    mv ${:state-file-tmp} ${:state-file}
   fi
 extra-context =
   key content :command
 state-file = ${directory:run}/logrotate-setup.state
+state-file-tmp = ${:state-file}.tmp
 
 [promise-logrotate-setup]
 <= monitor-promise-base

software/rapid-cdn/instance-slave-list.cfg.in

 {%- set kedifa_updater_mapping = [] %}
 {%- set cached_server_dict = {} %}
-{%- set backend_slave_list = [] %}
-{%- set frontend_slave_list = [] %}
+{%- set backend_slave_dict = {} %}
+{%- set frontend_slave_dict = {} %}
 {%- set part_list = [] %}
 {%- set cache_port = frontend_haproxy_configuration.get('cache-port') %}
 {%- set cache_access = "http://%s:%s/HTTP" % (instance_parameter_dict['ipv4-random'], cache_port) %}
@@ -228,7 +228,8 @@ context =
 {%-   do slave_publish_dict.__setitem__('url', "http://%s" % slave_instance.get('custom_domain')) %}
 {%-   do slave_publish_dict.__setitem__('site_url', "http://%s" % slave_instance.get('custom_domain')) %}
 {%-   do slave_publish_dict.__setitem__('secure_access', 'https://%s' % slave_instance.get('custom_domain')) %}
-{%-   set host_list = slave_instance.get('server-alias', '').split() %}
+{%-   do slave_instance.__setitem__('server-alias', slave_instance.get('server-alias', '').split()) %}
+{%-   set host_list = slave_instance['server-alias'] %}
 {%-   if slave_instance.get('custom_domain') not in host_list %}
 {%-     do host_list.append(slave_instance.get('custom_domain')) %}
 {%-   endif %}
@@ -385,9 +386,9 @@ local_ipv4 = {{ dumps('' ~ instance_parameter_dict['ipv4-random']) }}
 {#-   ###############################  #}
 {#-   Prepare Slave Information        #}
 {%-   do slave_instance_information_list.append(slave_publish_dict) %}
-{%-   do frontend_slave_list.append(slave_instance) %}
+{%-   do frontend_slave_dict.__setitem__(slave_instance['slave_reference'], slave_instance) %}
 {%-   if slave_type != 'redirect' %}
-{%-     do backend_slave_list.append(slave_instance) %}
+{%-     do backend_slave_dict.__setitem__(slave_instance['slave_reference'], slave_instance) %}
 {%-   endif %}
 {%- endfor %} {# Slave iteration ends for slave_instance in slave_instance_list #}
 
@@ -477,14 +478,30 @@ output = ${:file}
 
 ##<Frontend haproxy>
 [frontend-haproxy-slave-list]
-list = {{ dumps(sorted(frontend_slave_list, key=operator_module.itemgetter('slave_reference'))) }}
+dict = {{ dumps(frontend_slave_dict) }}
+{%- set slave_instance_hostname_frontend_order = [] %}
+{%- for slave_instance in frontend_slave_dict.values() %}
+{%-   for hostname in slave_instance['host_list'] %}
+{%-     if '*' in hostname %}
+{%-       set order_value = hostname.count('.') %}
+{%-     else %}
+{%-       set order_value = 1000 %}
+{%-     endif %}
+{%-     do slave_instance_hostname_frontend_order.append({
+  'index': order_value,
+  'hostname': hostname,
+  'slave_reference': slave_instance['slave_reference']}) %}
+{%-   endfor  %}
+{%- endfor %}
+order = {{ dumps(slave_instance_hostname_frontend_order) }}
 
 [frontend-haproxy-crt-list]
 <= jinja2-template-base
 template = {{ template_frontend_haproxy_crt_list }}
 rendered = ${frontend-haproxy-config:crt-list}
 extra-context =
-  key frontend_slave_list frontend-haproxy-slave-list:list
+  key frontend_slave_dict frontend-haproxy-slave-list:dict
+  key frontend_slave_order frontend-haproxy-slave-list:order
   section configuration frontend-haproxy-config
 
 [frontend-haproxy-configuration]
@@ -492,7 +509,8 @@ extra-context =
 template = {{ template_frontend_haproxy_configuration }}
 rendered = ${frontend-haproxy-config:file}
 extra-context =
-  key frontend_slave_list frontend-haproxy-slave-list:list
+  key frontend_slave_dict frontend-haproxy-slave-list:dict
+  key frontend_slave_order frontend-haproxy-slave-list:order
   key crt_list frontend-haproxy-crt-list:rendered
   section configuration frontend-haproxy-config
 
@@ -512,9 +530,25 @@ autocert-directory = {{ frontend_directory['autocert'] }}
 < = jinja2-template-base
 url = {{ template_backend_haproxy_configuration }}
 output = ${backend-haproxy-config:file}
-backend_slave_list = {{ dumps(sorted(backend_slave_list, key=operator_module.itemgetter('slave_reference'))) }}
+backend_slave_dict = {{ dumps(backend_slave_dict) }}
+{%- set slave_instance_hostname_backend_order = [] %}
+{%- for slave_instance in backend_slave_dict.values() %}
+{%-   for hostname in slave_instance['host_list'] %}
+{%-     if '*' in hostname %}
+{%-       set order_value = hostname.count('.') %}
+{%-     else %}
+{%-       set order_value = 1000 %}
+{%-     endif %}
+{%-     do slave_instance_hostname_backend_order.append({
+  'index': order_value,
+  'hostname': hostname,
+  'slave_reference': slave_instance['slave_reference']}) %}
+{%-   endfor  %}
+{%- endfor %}
+order = {{ dumps(slave_instance_hostname_backend_order) }}
 extra-context =
-  key backend_slave_list :backend_slave_list
+  key backend_slave_dict :backend_slave_dict
+  key backend_slave_order :order
   section configuration backend-haproxy-config
 
 [backend-haproxy-config]

software/rapid-cdn/software.cfg

@@ -211,7 +211,7 @@ output = ${buildout:directory}/template-wrapper.cfg
 <=download-template
 
 [versions]
-kedifa = 0.0.6
+kedifa = 0.0.7
 # Modern KeDiFa requires zc.lockfile
 zc.lockfile = 1.4
 

software/rapid-cdn/templates/backend-haproxy.cfg.in

@@ -17,30 +17,20 @@ defaults
   default-server init-addr last,libc,none
 
 {%- set SCHEME_PREFIX_MAPPING = { 'http': 'http_backend', 'https': 'https_backend'} %}
-{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
-{#-   wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
+{%- macro frontend_entry(slave_reference, hostname, slave_instance, scheme) %}
 {%-   if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] %}
-{%-     set matched = {'count': 0} %}
-{%-     for host in slave_instance['host_list'] %}
-{#-       Match up to the end or optional port (starting with ':') #}
-{#-       Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
-{%-       if wildcard and host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-# match wildcard {{ host }}
-  acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
-{%-       elif not wildcard and not host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-  acl is_{{ slave_instance['slave_reference'] }}_{{ scheme }} hdr_reg(host) -i ^{{ host }}($|:.*)
-{%-       endif %}
-{%-     endfor %}
-{%-     if matched['count'] > 0 %}
-{%-       if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
-  acl is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }} nbsrv({{ slave_instance['slave_reference'] }}-{{ scheme }}) eq 0
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} ! is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }}-failover if is_{{ slave_instance['slave_reference'] }}_{{ scheme }} is_failover_{{ slave_instance['slave_reference'] }}_{{ scheme }}
-{%-       else %}
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}_{{ scheme }}
-{%-       endif %}
+{%-     if hostname.startswith('*') %}
+{%-       set matcher = '' ~ hostname[2:] ~ '$' %}
+{%-     else %}
+{%-       set matcher = '^' ~ hostname ~ '$' %}
+{%-     endif %}
+{%-     set acl = '{ req.hdr(host),host_only -m reg ' ~ matcher ~ ' }' %}
+{%-     if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['health-check-failover-hostname'] %}
+  acl is_failover_{{ slave_reference }}_{{ scheme }} nbsrv({{ slave_reference }}-{{ scheme }}) eq 0
+  use_backend {{ slave_reference }}-{{ scheme }} if {{ acl }} ! is_failover_{{ slave_reference }}_{{ scheme }}
+  use_backend {{ slave_reference }}-{{ scheme }}-failover if {{ acl }} is_failover_{{ slave_reference }}_{{ scheme }}
+{%-     else %}
+  use_backend {{ slave_reference }}-{{ scheme }} if {{ acl }}
 {%-     endif %}
 {%-   endif %}
 {%- endmacro %}
@@ -62,11 +52,8 @@ frontend http-backend
   http-response add-header Via "%HV rapid-cdn-backend-{{ configuration['node-id'] }}-{{ configuration['version-hash']}}"
   # setup Date
   http-response set-header Date %[date(),http_date] if ! { res.hdr(Date) -m found }
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', False) }}
-{%- endfor %}
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', True) }}
+{%- for entry in backend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], backend_slave_dict[entry['slave_reference']], 'http') -}}
 {%- endfor %}
 
 frontend https-backend
@@ -75,14 +62,12 @@ frontend https-backend
   http-response add-header Via "%HV rapid-cdn-backend-{{ configuration['node-id'] }}-{{ configuration['version-hash']}}"
   # setup Date
   http-response set-header Date %[date(),http_date] if ! { res.hdr(Date) -m found }
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', False) }}
+{%- for entry in backend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], backend_slave_dict[entry['slave_reference']], 'https') -}}
 {%- endfor %}
-{%- for slave_instance in backend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', True) }}
-{% endfor %}
 
-{%- for slave_instance in backend_slave_list %}
+{%- for slave_reference in sorted(backend_slave_dict) %}
+{%-   set slave_instance = backend_slave_dict[slave_reference] %}
 {%-   for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
 {%-     set info_dict = slave_instance[prefix] %}
 {%-     if info_dict['hostname'] and info_dict['port'] %}

software/rapid-cdn/templates/frontend-haproxy-crt-list.in

-{%- for slave in frontend_slave_list %}
+{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{%-   set slave = frontend_slave_dict[entry['slave_reference']] %}
 {%-   set entry_list = [] %}
 {%-   set sslbindconf = [] %}
 {#-   <crtfile> #}
@@ -9,7 +10,7 @@
 {%-   do sslbindconf.append(slave['alpn']) %}
 {%-   do entry_list.append('[' + ' '.join(sslbindconf) + ']') %}
 {#-   <snifilter> #}
-{%-   do entry_list.extend(slave['host_list']) %}
+{%-   do entry_list.append(entry['hostname']) %}
 {{-    ' '.join(entry_list) }}
 {% endfor -%}
 # Fallback to default certificate

software/rapid-cdn/templates/frontend-haproxy.cfg.in

@@ -23,30 +23,14 @@ defaults
   default-server init-addr last,libc,none
 
 {%- set SCHEME_PREFIX_MAPPING = { 'http': 'backend-http-info', 'https': 'backend-https-info'} %}
-{%- macro frontend_entry(slave_instance, scheme, wildcard) %}
-{#-   wildcard switch allows to put dangerous entries in the end, as haproxy parses with first match #}
-{#-   if slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['hostname'] and slave_instance[SCHEME_PREFIX_MAPPING[scheme]]['port'] #}
-{%-     set host_list = (slave_instance.get('server-alias') or  '').split() %}
-{%-     if slave_instance.get('custom_domain') not in host_list %}
-{%-       do host_list.append(slave_instance.get('custom_domain')) %}
-{%-     endif %}
-{%-     set matched = {'count': 0} %}
-{%-     for host in host_list %}
-{#-       Match up to the end or optional port (starting with ':') #}
-{#-       Please note that this matching is quite sensitive to changes and hard to test, so avoid needless changes #}
-{%-       if wildcard and host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-# match wildcard {{ host }}
-  acl is_{{ slave_instance['slave_reference'] }} hdr_reg(host) -i {{ host[2:] }}($|:.*)
-{%-       elif not wildcard and not host.startswith('*.') %}
-{%-         do matched.__setitem__('count', matched['count'] + 1) %}
-  acl is_{{ slave_instance['slave_reference'] }} hdr_reg(host) -i ^{{ host }}($|:.*)
-{%-       endif %}
-{%-     endfor %}
-{%-     if matched['count'] > 0 %}
-  use_backend {{ slave_instance['slave_reference'] }}-{{ scheme }} if is_{{ slave_instance['slave_reference'] }}
-{%-     endif %}
-{#-   endif #}
+
+{%- macro frontend_entry(slave_reference, hostname, scheme) %}
+{%-   if hostname.startswith('*') %}
+{%-     set matcher = hostname[2:] %}
+{%-   else %}
+{%-     set matcher = '^' ~ hostname %}
+{%-   endif %}
+  use_backend {{ slave_reference }}-{{ scheme }} if { req.hdr(host),host_only -m reg {{ matcher }}$ }
 {%- endmacro %}
 
 {%- macro frontend_common() %}
@@ -68,11 +52,8 @@ frontend http-frontend
   bind {{ configuration['local-ipv4'] }}:{{ configuration['http-port'] }}
   bind {{ configuration['global-ipv6'] }}:{{ configuration['http-port'] }}
 {{ frontend_common() }}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', False) }}
-{%- endfor %}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'http', True) }}
+{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], 'http') -}}
 {%- endfor %}
   default_backend BACKEND_NOT_FOUND
 
@@ -84,16 +65,14 @@ frontend https-frontend
   bind quic6@{{ configuration['global-ipv6'] }}:{{ configuration['https-port'] }} ssl crt-list {{ crt_list }} alpn h3
 {%- endif %}
 {{ frontend_common() }}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', False) }}
-{%- endfor %}
-{%- for slave_instance in frontend_slave_list -%}
-{{ frontend_entry(slave_instance, 'https', True) }}
+{%- for entry in frontend_slave_order | sort(attribute="index,hostname", reverse=True) %}
+{{- frontend_entry(entry['slave_reference'], entry['hostname'], 'https') -}}
 {%- endfor %}
   default_backend BACKEND_NOT_FOUND
 
 # Backends
-{%- for slave_instance in frontend_slave_list %}
+{%- for slave_reference in sorted(frontend_slave_dict) %}
+{%-   set slave_instance = frontend_slave_dict[slave_reference] %}
 {%-   for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() %}
 {%-     set info_dict = slave_instance.get(prefix, slave_instance.get('backend-http-info')) %}
 backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
@@ -189,7 +168,7 @@ backend {{ slave_instance['slave_reference'] }}-{{ scheme }}
 {%-       endif %} {# if 'hostname' in info_dict and 'port' in info_dict #}
 {%-     endif %} {# if scheme == 'http' and slave_instance['https-only'] #}
 {%-   endfor %} {# for (scheme, prefix) in SCHEME_PREFIX_MAPPING.items() #}
-{%- endfor %} {# for slave_instance in frontend_slave_list #}
+{%- endfor %} {# for slave_reference in sorted(frontend_slave_dict) #}
 
 backend BACKEND_NOT_FOUND
   {#- a bit hacky but working way to provide default CDN's 404 #}

software/rapid-cdn/test/test.py

@@ -1292,7 +1292,9 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
 
   @classmethod
   def requestSlaves(cls):
-    for slave_reference, partition_parameter_kw in list(
+    # Note: List is sorted here, so that tests which want slaves
+    #       ordered by their slave_reference are stable
+    for slave_reference, partition_parameter_kw in sorted(
       cls.getSlaveParameterDictDict().items()):
       software_url = cls.getSoftwareURL()
       software_type = cls.getInstanceSoftwareType()
@@ -6577,49 +6579,83 @@ class TestSlaveHostHaproxyClash(SlaveHttpFrontendTestCase, TestDataMixin):
 
   @classmethod
   def getSlaveParameterDictDict(cls):
-    # Note: The slaves are specifically constructed to have an order which
-    #       is triggering the problem. Slave list is sorted in many places,
-    #       and such slave configuration will result with them begin seen
-    #       by backend haproxy configuration in exactly the way seen below
-    #       Ordering it here will not help at all.
+    # Note: Slave list is ordered by it's reference, so that requestSlaves
+    #       will result in an order, which will hit the bugs covered here:
+    #        * the most wildcard domain is requested first
+    #        * then the more specific wildcard comes
+    #        * in the end specific slaves are there
     return {
-      'wildcard': {
-        'url': cls.backend_url + 'wildcard',
+      '01wildcard': {
+        'url': cls.backend_url + '01wildcard',
+        'custom_domain': '*.example.com',
+        'server-alias': 'example.com',
+      },
+      '02wildcard': {
+        'url': cls.backend_url + '02wildcard',
         'custom_domain': '*.alias1.example.com',
+        'server-alias': 'alias1.example.com',
+      },
+      '03zspecific': {
+        'url': cls.backend_url + '03zspecific',
+        'custom_domain': 'zspecific.example.com',
       },
-      'zspecific': {
-        'url': cls.backend_url + 'zspecific',
+      '04zspecific': {
+        'url': cls.backend_url + '04zspecific',
         'custom_domain': 'zspecific.alias1.example.com',
       },
     }
 
   def test(self):
+    _, wildcard_key, _, wildcard_crt = createSelfSignedCertificate([
+      '*.example.com'])
+    _, wildcard_alias1_key, _, wildcard_alias1_crt = \
+        createSelfSignedCertificate([
+          '*.alias1.example.com'])
+    _, zspecific_key, _, zspecific_crt = createSelfSignedCertificate([
+      'zspecific.example.com'])
+    _, zspecific_alias1_key, _, zspecific_alias1_crt = \
+        createSelfSignedCertificate([
+          'zspecific.alias1.example.com'])
+
+    def uploadCertificate(key, certificate):
+      auth = mimikra.get(
+        self.current_generate_auth,
+        verify=self.kedifa_caucase_ca_certificate_file)
+      self.assertEqual(http.client.CREATED, auth.status_code)
+      data = certificate + key
+      upload = mimikra.put(
+        self.current_upload_url + auth.text,
+        data=data,
+        verify=self.kedifa_caucase_ca_certificate_file)
+      self.assertEqual(http.client.CREATED, upload.status_code)
+
     self.assertSlaveBase(
-      'wildcard', hostname='*.alias1')
+      '01wildcard', hostname='*')
+    uploadCertificate(wildcard_key, wildcard_crt)
     self.assertSlaveBase(
-      'zspecific', hostname='zspecific.alias1')
-
-    result_wildcard = fakeHTTPSResult(
-      'other.alias1.example.com',
-      'test-path',
-      headers={
-        'Timeout': '10',  # more than default backend-connect-timeout == 5
-        'Accept-Encoding': 'gzip',
-      }
-    )
-    self.assertEqual(self.certificate_pem, result_wildcard.certificate)
-    self.assertEqualResultJson(result_wildcard, 'Path', '/wildcard/test-path')
+      '02wildcard', hostname='*.alias1')
+    uploadCertificate(wildcard_alias1_key, wildcard_alias1_crt)
+    self.assertSlaveBase(
+      '03zspecific', hostname='zspecific')
+    uploadCertificate(zspecific_key, zspecific_crt)
+    self.assertSlaveBase(
+      '04zspecific', hostname='zspecific.alias1')
+    uploadCertificate(zspecific_alias1_key, zspecific_alias1_crt)
+    self.runKedifaUpdater()
 
-    result_specific = fakeHTTPSResult(
-      'zspecific.alias1.example.com',
-      'test-path',
-      headers={
-        'Timeout': '10',  # more than default backend-connect-timeout == 5
-        'Accept-Encoding': 'gzip',
-      }
-    )
-    self.assertEqual(self.certificate_pem, result_specific.certificate)
-    self.assertEqualResultJson(result_specific, 'Path', '/zspecific/test-path')
+    def assertResult(hostname, path, certificate):
+      result_wildcard = fakeHTTPSResult(
+        hostname,
+        'test-path',
+      )
+      self.assertEqual(certificate, result_wildcard.certificate)
+      self.assertEqualResultJson(
+        result_wildcard, 'Path', '/%s/test-path' % (path,))
+    assertResult('www.example.com', '01wildcard', wildcard_crt)
+    assertResult('www.alias1.example.com', '02wildcard', wildcard_alias1_crt)
+    assertResult('zspecific.example.com', '03zspecific', zspecific_crt)
+    assertResult(
+      'zspecific.alias1.example.com', '04zspecific', zspecific_alias1_crt)
 
 
 class TestPassedRequestParameter(HttpFrontendTestCase):

software/rapid-cdn/test/test_data/test.TestSlaveHealthCheck.test00cluster_request_instance_parameter_dict.txt

@@ -14,19 +14,6 @@
     "slap_software_release_url": "@@00getSoftwareURL@@",
     "slap_software_type": "RootSoftwareInstance",
     "slave_instance_list": [
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-disabled",
-        "slave_title": "_health-check-disabled",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "health-check": true,
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-default",
-        "slave_title": "_health-check-default",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
       {
         "health-check": true,
         "health-check-http-method": "CONNECT",
@@ -49,6 +36,19 @@
         "slave_title": "_health-check-custom",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },
+      {
+        "health-check": true,
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_health-check-default",
+        "slave_title": "_health-check-default",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_health-check-disabled",
+        "slave_title": "_health-check-disabled",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
       {
         "enable_cache": true,
         "health-check": true,
@@ -66,32 +66,32 @@
       },
       {
         "health-check": true,
-        "health-check-failover-https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-https-url?a=b&c=",
-        "health-check-failover-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-url?a=b&c=",
-        "health-check-failover-url-netloc-list": "@@_ipv4_address@@:@@_server_netloc_a_http_port@@ @@_ipv4_address@@:@@_server_netloc_b_http_port@@",
-        "health-check-http-path": "/health-check-failover-url",
+        "health-check-authenticate-to-failover-backend": true,
+        "health-check-failover-https-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-https-url?a=b&c=",
+        "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-url?a=b&c=",
+        "health-check-http-path": "/health-check-failover-url-auth-to-backend",
         "health-check-interval": 1,
         "health-check-timeout": 1,
         "https-only": false,
         "https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/https-url",
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-netloc-list",
-        "slave_title": "_health-check-failover-url-netloc-list",
+        "slave_reference": "_health-check-failover-url-auth-to-backend",
+        "slave_title": "_health-check-failover-url-auth-to-backend",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/url"
       },
       {
         "health-check": true,
-        "health-check-authenticate-to-failover-backend": true,
-        "health-check-failover-https-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-https-url?a=b&c=",
-        "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_auth_port@@/failover-url?a=b&c=",
-        "health-check-http-path": "/health-check-failover-url-auth-to-backend",
+        "health-check-failover-https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-https-url?a=b&c=",
+        "health-check-failover-url": "http://@@_ipv4_address@@:@@_server_http_port@@/failover-url?a=b&c=",
+        "health-check-failover-url-netloc-list": "@@_ipv4_address@@:@@_server_netloc_a_http_port@@ @@_ipv4_address@@:@@_server_netloc_b_http_port@@",
+        "health-check-http-path": "/health-check-failover-url",
         "health-check-interval": 1,
         "health-check-timeout": 1,
         "https-only": false,
         "https-url": "http://@@_ipv4_address@@:@@_server_http_port@@/https-url",
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-auth-to-backend",
-        "slave_title": "_health-check-failover-url-auth-to-backend",
+        "slave_reference": "_health-check-failover-url-netloc-list",
+        "slave_title": "_health-check-failover-url-netloc-list",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/url"
       },
       {
@@ -109,27 +109,27 @@
       },
       {
         "health-check": true,
-        "health-check-failover-ssl-proxy-ca-crt": "@@another_server_ca.certificate_pem@@",
         "health-check-failover-ssl-proxy-verify": true,
         "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_port@@/",
-        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-unverified",
+        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-missing",
         "health-check-interval": 1,
         "health-check-timeout": 1,
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-unverified",
-        "slave_title": "_health-check-failover-url-ssl-proxy-verify-unverified",
+        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-missing",
+        "slave_title": "_health-check-failover-url-ssl-proxy-verify-missing",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },
       {
         "health-check": true,
+        "health-check-failover-ssl-proxy-ca-crt": "@@another_server_ca.certificate_pem@@",
         "health-check-failover-ssl-proxy-verify": true,
         "health-check-failover-url": "https://@@_ipv4_address@@:@@_server_https_port@@/",
-        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-missing",
+        "health-check-http-path": "/health-check-failover-url-ssl-proxy-verify-unverified",
         "health-check-interval": 1,
         "health-check-timeout": 1,
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-missing",
-        "slave_title": "_health-check-failover-url-ssl-proxy-verify-missing",
+        "slave_reference": "_health-check-failover-url-ssl-proxy-verify-unverified",
+        "slave_title": "_health-check-failover-url-ssl-proxy-verify-unverified",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       }
     ],

software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00cluster_request_instance_parameter_dict.txt

@@ -14,19 +14,35 @@
     "slap_software_release_url": "@@00getSoftwareURL@@",
     "slap_software_type": "RootSoftwareInstance",
     "slave_instance_list": [
+      {
+        "custom_domain": "*.example.com",
+        "server-alias": "example.com",
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_01wildcard",
+        "slave_title": "_01wildcard",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard"
+      },
       {
         "custom_domain": "*.alias1.example.com",
+        "server-alias": "alias1.example.com",
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_02wildcard",
+        "slave_title": "_02wildcard",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard"
+      },
+      {
+        "custom_domain": "zspecific.example.com",
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_wildcard",
-        "slave_title": "_wildcard",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/wildcard"
+        "slave_reference": "_03zspecific",
+        "slave_title": "_03zspecific",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific"
       },
       {
         "custom_domain": "zspecific.alias1.example.com",
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_zspecific",
-        "slave_title": "_zspecific",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/zspecific"
+        "slave_reference": "_04zspecific",
+        "slave_title": "_04zspecific",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific"
       }
     ],
     "timestamp": "@@TIMESTAMP@@"
@@ -41,15 +57,27 @@
       "monitor-password": "@@monitor-password@@",
       "monitor-username": "admin",
       "slave-list": [
+        {
+          "custom_domain": "*.example.com",
+          "server-alias": "example.com",
+          "slave_reference": "_01wildcard",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard"
+        },
         {
           "custom_domain": "*.alias1.example.com",
-          "slave_reference": "_wildcard",
-          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/wildcard"
+          "server-alias": "alias1.example.com",
+          "slave_reference": "_02wildcard",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard"
+        },
+        {
+          "custom_domain": "zspecific.example.com",
+          "slave_reference": "_03zspecific",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific"
         },
         {
           "custom_domain": "zspecific.alias1.example.com",
-          "slave_reference": "_zspecific",
-          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/zspecific"
+          "slave_reference": "_04zspecific",
+          "url": "http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific"
         }
       ]
     },
@@ -69,7 +97,7 @@
       "cluster-identification": "testing partition 0",
       "domain": "example.com",
       "enable-http3": "false",
-      "extra_slave_instance_list": "[{\"custom_domain\": \"*.alias1.example.com\", \"slave_reference\": \"_wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/wildcard\"}, {\"custom_domain\": \"zspecific.alias1.example.com\", \"slave_reference\": \"_zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/zspecific\"}]",
+      "extra_slave_instance_list": "[{\"custom_domain\": \"*.example.com\", \"server-alias\": \"example.com\", \"slave_reference\": \"_01wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/01wildcard\"}, {\"custom_domain\": \"*.alias1.example.com\", \"server-alias\": \"alias1.example.com\", \"slave_reference\": \"_02wildcard\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/02wildcard\"}, {\"custom_domain\": \"zspecific.example.com\", \"slave_reference\": \"_03zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/03zspecific\"}, {\"custom_domain\": \"zspecific.alias1.example.com\", \"slave_reference\": \"_04zspecific\", \"url\": \"http://@@_ipv4_address@@:@@_server_http_port@@/04zspecific\"}]",
       "frontend-name": "caddy-frontend-1",
       "http3-port": "443",
       "kedifa-caucase-url": "http://[@@_ipv6_address@@]:15090",
@@ -81,7 +109,7 @@
       "plain_http_port": "11080",
       "port": "11443",
       "request-timeout": "12",
-      "slave-kedifa-information": "{\"_wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@/@@wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@wildcard_key-generate-auth-url@@?auth=\"}, \"_zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@/@@wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@zspecific_key-generate-auth-url@@?auth=\"}}"
+      "slave-kedifa-information": "{\"_01wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@01wildcard_key-generate-auth-url@@?auth=\"}, \"_02wildcard\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@02wildcard_key-generate-auth-url@@?auth=\"}, \"_03zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@03zspecific_key-generate-auth-url@@?auth=\"}, \"_04zspecific\": {\"kedifa-caucase-url\": \"http://[@@_ipv6_address@@]:15090\", \"key-download-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@\", \"key-generate-auth-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@/@@01wildcard_key-upload-url@@\", \"key-upload-url\": \"https://[@@_ipv6_address@@]:15080/@@04zspecific_key-generate-auth-url@@?auth=\"}}"
     },
     "full_address_list": [],
     "instance_title": "caddy-frontend-1",

software/rapid-cdn/test/test_data/test.TestSlaveHostHaproxyClash.test00file_list_log.txt

@@ -8,12 +8,18 @@ T-1/var/log/monitor-httpd-error.log
 T-2/var/log/backend-haproxy.log
 T-2/var/log/expose-csr.log
 T-2/var/log/frontend-haproxy.log
-T-2/var/log/httpd/_wildcard_access_log
-T-2/var/log/httpd/_wildcard_backend_log
-T-2/var/log/httpd/_wildcard_frontend_log
-T-2/var/log/httpd/_zspecific_access_log
-T-2/var/log/httpd/_zspecific_backend_log
-T-2/var/log/httpd/_zspecific_frontend_log
+T-2/var/log/httpd/_01wildcard_access_log
+T-2/var/log/httpd/_01wildcard_backend_log
+T-2/var/log/httpd/_01wildcard_frontend_log
+T-2/var/log/httpd/_02wildcard_access_log
+T-2/var/log/httpd/_02wildcard_backend_log
+T-2/var/log/httpd/_02wildcard_frontend_log
+T-2/var/log/httpd/_03zspecific_access_log
+T-2/var/log/httpd/_03zspecific_backend_log
+T-2/var/log/httpd/_03zspecific_frontend_log
+T-2/var/log/httpd/_04zspecific_access_log
+T-2/var/log/httpd/_04zspecific_backend_log
+T-2/var/log/httpd/_04zspecific_frontend_log
 T-2/var/log/monitor-httpd-access.log
 T-2/var/log/monitor-httpd-error.log
 T-2/var/log/slave-introspection-access.log

software/rapid-cdn/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test00cluster_request_instance_parameter_dict.txt

@@ -15,35 +15,6 @@
     "slap_software_release_url": "@@00getSoftwareURL@@",
     "slap_software_type": "RootSoftwareInstance",
     "slave_instance_list": [
-      {
-        "enable_cache": true,
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_master",
-        "slave_title": "_ssl_from_master",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_master_kedifa_overrides",
-        "slave_title": "_ssl_from_master_kedifa_overrides",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_slave",
-        "slave_title": "_ssl_from_slave",
-        "ssl_crt": "@@ssl_from_slave_certificate_pem@@",
-        "ssl_key": "@@ssl_from_slave_key_pem@@",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
-      {
-        "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_from_slave_kedifa_overrides",
-        "slave_title": "_ssl_from_slave_kedifa_overrides",
-        "ssl_crt": "@@ssl_from_slave_kedifa_overrides_certificate_pem@@",
-        "ssl_key": "@@ssl_from_slave_kedifa_overrides_key_pem@@",
-        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
-      },
       {
         "custom_domain": "customdomainsslcrtsslkey.example.com",
         "slap_software_type": "RootSoftwareInstance",
@@ -63,6 +34,15 @@
         "ssl_key": "@@customdomain_ca_key_pem@@",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_ca_crt_does_not_match",
+        "slave_title": "_ssl_ca_crt_does_not_match",
+        "ssl_ca_crt": "@@ca.certificate_pem@@",
+        "ssl_crt": "@@certificate_pem@@",
+        "ssl_key": "@@key_pem@@",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
       {
         "slap_software_type": "RootSoftwareInstance",
         "slave_reference": "_ssl_ca_crt_garbage",
@@ -73,12 +53,32 @@
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },
       {
+        "enable_cache": true,
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_ssl_ca_crt_does_not_match",
-        "slave_title": "_ssl_ca_crt_does_not_match",
-        "ssl_ca_crt": "@@ca.certificate_pem@@",
-        "ssl_crt": "@@certificate_pem@@",
-        "ssl_key": "@@key_pem@@",
+        "slave_reference": "_ssl_from_master",
+        "slave_title": "_ssl_from_master",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_from_master_kedifa_overrides",
+        "slave_title": "_ssl_from_master_kedifa_overrides",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_from_slave",
+        "slave_title": "_ssl_from_slave",
+        "ssl_crt": "@@ssl_from_slave_certificate_pem@@",
+        "ssl_key": "@@ssl_from_slave_key_pem@@",
+        "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
+      },
+      {
+        "slap_software_type": "RootSoftwareInstance",
+        "slave_reference": "_ssl_from_slave_kedifa_overrides",
+        "slave_title": "_ssl_from_slave_kedifa_overrides",
+        "ssl_crt": "@@ssl_from_slave_kedifa_overrides_certificate_pem@@",
+        "ssl_key": "@@ssl_from_slave_kedifa_overrides_key_pem@@",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },
       {
@@ -90,17 +90,17 @@
       },
       {
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_type-notebook-ssl_from_slave",
-        "slave_title": "_type-notebook-ssl_from_slave",
-        "ssl_crt": "@@type_notebook_ssl_from_slave_certificate_pem@@",
-        "ssl_key": "@@type_notebook_ssl_from_slave_key_pem@@",
+        "slave_reference": "_type-notebook-ssl_from_master_kedifa_overrides",
+        "slave_title": "_type-notebook-ssl_from_master_kedifa_overrides",
         "type": "notebook",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },
       {
         "slap_software_type": "RootSoftwareInstance",
-        "slave_reference": "_type-notebook-ssl_from_master_kedifa_overrides",
-        "slave_title": "_type-notebook-ssl_from_master_kedifa_overrides",
+        "slave_reference": "_type-notebook-ssl_from_slave",
+        "slave_title": "_type-notebook-ssl_from_slave",
+        "ssl_crt": "@@type_notebook_ssl_from_slave_certificate_pem@@",
+        "ssl_key": "@@type_notebook_ssl_from_slave_key_pem@@",
         "type": "notebook",
         "url": "http://@@_ipv4_address@@:@@_server_http_port@@/"
       },

software/re6stnet/buildout.hash.cfg

@@ -18,7 +18,7 @@ md5sum = 7be0c21751f8385ef876c3d7192d4057
 
 [template-re6stnet]
 filename = instance-re6stnet.cfg.in
-md5sum = 84320356634f8d241fc827683d211bb8
+md5sum = 01da4462b5e20cab73b87e7415f7483d
 
 [template-apache-conf]
 filename = apache.conf.in

software/re6stnet/instance-re6stnet.cfg.in

@@ -107,6 +107,7 @@ recipe = slapos.cookbook:wrapper
 wrapper-path = ${directory:services}/re6st-registry
 pidfile = ${directory:run}/registry.pid
 command-line = {{ bin_directory }}/re6st-registry @${re6st-registry-conf:output}
+hash-files = ${re6st-registry-conf:output}
 
 [cron-entry-re6st-backup]
 recipe = slapos.cookbook:cron.d

software/slapos-sr-testing/software.cfg

@@ -23,7 +23,7 @@ extends =
 
 parts =
   eggs/scripts
-  python2.7-disabled
+  system-python-disabled
   slapos-cookbook
   template
 
@@ -272,8 +272,8 @@ branch = master
 egg = slapos.core
 setup = ${slapos.core-repository:location}
 
-[python2.7-disabled]
-# An "intentionally broken" python2 command that should catch
+[system-python-disabled]
+# An "intentionally broken" python command that should catch
 # accidental usage of things like #!/usr/bin/env python2
 recipe = zc.recipe.egg
 # we need an egg to generate a script, use the one from this part's recipe
@@ -286,10 +286,11 @@ entry-points =
 scripts =
   python
   python2
+  python3
   python2.7
 initialization =
   import sys
-  print("Error: attempt to use system python2", file=sys.stderr)
+  print("Error: attempt to use system python", file=sys.stderr)
   sys.exit(2)
 
 [recurls-repository]
@@ -314,19 +315,66 @@ eggs +=
   erp5.util
   ${python-pynacl:egg}
   ${python-cryptography:egg}
+  ${python-mysqlclient:egg}
+  ${backports.lzma:egg}
+  ${bcrypt:egg}
+  ${psycopg2:egg}
+  ${selenium:egg}
   slapos.libnetworkcache
   supervisor
+  ${slapos.cookbook-setup:egg}
+  ${slapos.test.backupserver-setup:egg}
+  ${slapos.test.beremiz-ide-setup:egg}
+  ${slapos.test.caucase-setup:egg}
+  ${slapos.test.cloudooo-setup:egg}
+  ${slapos.test.dream-setup:egg}
+  ${slapos.test.dufs-setup:egg}
+  ${slapos.test.erp5-setup:egg}
+  ${slapos.test.erp5testnode-setup:egg}
+  ${slapos.test.fluentd-setup:egg}
+  ${slapos.test.galene-setup:egg}
+  ${slapos.test.headless-chromium-setup:egg}
+  ${slapos.test.html5as-base-setup:egg}
+  ${slapos.test.html5as-setup:egg}
+  ${slapos.test.htmlvalidatorserver-setup:egg}
+  ${slapos.test.hugo-setup:egg}
+  ${slapos.test.js-drone-setup:egg}
+  ${slapos.test.jscrawler-setup:egg}
+  ${slapos.test.jstestnode-setup:egg}
+  ${slapos.test.jupyter-setup:egg}
+  ${slapos.test.kvm-setup:egg}
+  ${slapos.test.matomo-setup:egg}
+  ${slapos.test.metabase-setup:egg}
+  ${slapos.test.monitor-setup:egg}
+  ${slapos.test.mosquitto-setup:egg}
+  ${slapos.test.nextcloud-setup:egg}
+  ${slapos.test.nginx-push-stream-setup:egg}
   ${slapos.test.ors-amarisoft-setup:egg}
+  ${slapos.test.osie-coupler-setup:egg}
+  ${slapos.test.peertube-setup:egg}
+  ${slapos.test.plantuml-setup:egg}
+  ${slapos.test.powerdns-setup:egg}
+  ${slapos.test.proftpd-setup:egg}
+  ${slapos.test.rapid-cdn-setup:egg}
+  ${slapos.test.re6stnet-setup:egg}
+  ${slapos.test.repman-setup:egg}
+  ${slapos.test.restic_rest_server-setup:egg}
+  ${slapos.test.seleniumserver-setup:egg}
+  ${slapos.test.slapos-master-setup:egg}
+  ${slapos.test.ssh-setup:egg}
+  ${slapos.test.theia-setup:egg}
+  ${slapos.test.turnserver-setup:egg}
+  ${slapos.test.upgrade_erp5-setup:egg}
 
 # We don't name this interpreter `python`, so that when we run slapos node
 # software, installation scripts running `python` use a python without any
 # custom eggs pre-installed, not our special python interpreter.
 interpreter = python_for_test
 
-## patches for eggs
-#patch-binary = ${patch:location}/bin/patch
-#PyPDF2-patches = ${:_profile_base_location_}/../../component/egg-patch/PyPDF2/0001-Custom-implementation-of-warnings.formatwarning-remo.patch#d25bb0f5dde7f3337a0a50c2f986f5c8
-#PyPDF2-patch-options = -p1
+# patches for eggs
+patch-binary = ${patch:location}/bin/patch
+PyPDF2-patches = ${:_profile_base_location_}/../../component/egg-patch/PyPDF2/0001-Custom-implementation-of-warnings.formatwarning-remo.patch#d25bb0f5dde7f3337a0a50c2f986f5c8
+PyPDF2-patch-options = -p1
 
 [eggs/scripts]
 recipe = zc.recipe.egg
@@ -364,7 +412,52 @@ context =
   key tests :tests
 
 tests =
+  json-schemas ${slapos.cookbook-setup:setup}
+  backupserver ${slapos.test.backupserver-setup:setup}
+  beremiz-ide ${slapos.test.beremiz-ide-setup:setup}
+  caucase ${slapos.test.caucase-setup:setup}
+  cloudooo ${slapos.test.cloudooo-setup:setup}
+  dream ${slapos.test.dream-setup:setup}
+  dufs ${slapos.test.dufs-setup:setup}
+  erp5 ${slapos.test.erp5-setup:setup}
+  erp5testnode ${slapos.test.erp5testnode-setup:setup}
+  fluentd ${slapos.test.fluentd-setup:setup}
+  galene ${slapos.test.galene-setup:setup}
+  gitlab ${slapos.test.gitlab-setup:setup}
+  grafana ${slapos.test.grafana-setup:setup}
+  headless-chromium ${slapos.test.headless-chromium-setup:setup}
+  helloworld ${slapos.test.helloworld-setup:setup}
+  html5as ${slapos.test.html5as-setup:setup}
+  html5as-base ${slapos.test.html5as-base-setup:setup}
+  htmlvalidatorserver ${slapos.test.htmlvalidatorserver-setup:setup}
+  hugo ${slapos.test.hugo-setup:setup}
+  js-drone ${slapos.test.js-drone-setup:setup}
+  jscrawler ${slapos.test.jscrawler-setup:setup}
+  jstestnode ${slapos.test.jstestnode-setup:setup}
+  jupyter ${slapos.test.jupyter-setup:setup}
+  kvm ${slapos.test.kvm-setup:setup}
+  matomo ${slapos.test.matomo-setup:setup}
+  metabase ${slapos.test.metabase-setup:setup}
+  monitor ${slapos.test.monitor-setup:setup}
+  mosquitto ${slapos.test.mosquitto-setup:setup}
+  nextcloud ${slapos.test.nextcloud-setup:setup}
+  nginx-push-stream ${slapos.test.nginx-push-stream-setup:setup}
   ors-amarisoft ${slapos.test.ors-amarisoft-setup:setup}
+  osie-coupler ${slapos.test.osie-coupler-setup:setup}
+  peertube ${slapos.test.peertube-setup:setup}
+  plantuml ${slapos.test.plantuml-setup:setup}
+  powerdns ${slapos.test.powerdns-setup:setup}
+  proftpd ${slapos.test.proftpd-setup:setup}
+  rapid-cdn ${slapos.test.rapid-cdn-setup:setup}
+  re6stnet ${slapos.test.re6stnet-setup:setup}
+  repman ${slapos.test.repman-setup:setup}
+  restic-rest-server ${slapos.test.restic_rest_server-setup:setup}
+  seleniumserver ${slapos.test.seleniumserver-setup:setup}
+  slapos-master ${slapos.test.slapos-master-setup:setup}
+  ssh ${slapos.test.ssh-setup:setup}
+  theia ${slapos.test.theia-setup:setup}
+  turnserver ${slapos.test.turnserver-setup:setup}
+  upgrade_erp5 ${slapos.test.upgrade_erp5-setup:setup}
 
 [versions]
 # recurls are under development

software/theia/buildout.hash.cfg

@@ -15,7 +15,7 @@
 
 [instance-theia]
 _update_hash_filename_ = instance-theia.cfg.jinja.in
-md5sum = c484bba770c6404ba0a5b2a958b07a68
+md5sum = b31e74f018ae92607f4ff63984b33c7a
 
 [instance]
 _update_hash_filename_ = instance.cfg.in

software/theia/instance-theia.cfg.jinja.in

@@ -260,15 +260,18 @@ content =
   frontend app
     log global
     bind $${:ip}:$${:port} ssl crt $${frontend-instance-certificate:cert-file} alpn h2,http/1.1
-    # writing twice the same ACL is doing OR
     acl is_public path_beg /public/
-    acl is_public path /$${frontend-instance-favicon.ico:filename}
-    acl is_public path /$${frontend-instance-theia.webmanifest:filename}
-    acl is_public path /$${frontend-instance-theia-serviceworker.js:filename}
     acl auth_ok http_auth(basic-auth-list)
+    # writing twice the same ACL is doing OR
+    acl is_static path_beg /$${frontend-instance-fonts:folder-name}
+    acl is_static path_beg /$${frontend-instance-slapos.css:folder-name}
+    acl is_static path /$${frontend-instance-logo:filename}
+    acl is_static path /$${frontend-instance-favicon.ico:filename}
+    acl is_static path /$${frontend-instance-theia.webmanifest:filename}
+    acl is_static path /$${frontend-instance-theia-serviceworker.js:filename}
     # No authentication for public folder
     http-request auth unless auth_ok || is_public
-    use_backend static if { path_beg /$${frontend-instance-fonts:folder-name} } || { path_beg /$${frontend-instance-slapos.css:folder-name} } || { path /$${frontend-instance-logo:filename} } || is_public
+    use_backend static if is_static || is_public
     default_backend nodejs
 
   backend nodejs

software/theia/test/test.py

@@ -161,10 +161,22 @@ class TestTheia(TheiaTestCase):
     self.assertIn('test_file', get('/public/'))
     self.assertEqual('hello', get('/public/test_file'))
 
-    # there's a (not empty) favicon (no need for authentication)
-    resp = self.get(urljoin(url, '/favicon.ico'))
+    # favicon is not empty
+    self.get(urljoin(url, '/favicon.ico'), requests.codes.unauthorized)
+    resp = self.get(urljoin(authenticated_url, '/favicon.ico'))
+    resp.raise_for_status()
     self.assertTrue(resp.raw)
 
+    self.get(urljoin(url, '/theia-serviceworker.js'), requests.codes.unauthorized)
+    resp = self.get(urljoin(authenticated_url, '/theia-serviceworker.js'))
+    resp.raise_for_status()
+    self.assertTrue(resp.raw)
+
+    self.get(urljoin(url, '/theia.webmanifest'), requests.codes.unauthorized)
+    resp = self.get(urljoin(authenticated_url, '/theia.webmanifest'))
+    resp.raise_for_status()
+    self.assertIn('Theia SlapOS', resp.text)
+
     # there is a CSS referencing fonts
     css_text = self.get(urljoin(authenticated_url, '/css/slapos.css')).text
     css_urls = re.findall(r'url\([\'"]+([^\)]+)[\'"]+\)', css_text)

stack/erp5-zope2/buildout.cfg

@@ -15,7 +15,6 @@ extends =
   ../../component/socat/buildout.cfg
   ../../component/rsyslogd/buildout.cfg
   ../../component/findutils/buildout.cfg
-  ../../component/librsvg/buildout.cfg
   ../../component/imagemagick/buildout.cfg
   ../../component/jpegoptim/buildout.cfg
   ../../component/kumo/buildout.cfg
@@ -260,7 +259,6 @@ link-binary =
   ${imagemagick:location}/bin/identify
   ${jpegoptim:location}/bin/jpegoptim
   ${jsl:location}/bin/jsl
-  ${librsvg:location}/bin/rsvg-convert
   ${mariadb:location}/bin/mysql
   ${mariadb:location}/bin/mysqldump
   ${openssl:location}/bin/openssl

stack/erp5-zope2/buildout.hash.cfg

@@ -42,7 +42,7 @@ md5sum = 43556e5bca8336dd543ae8068512aa6d
 
 [template-my-cnf]
 filename = my.cnf.in
-md5sum = c0bde08ec6bd6d333315a15026266b65
+md5sum = 2c553103f1196f95e4b6d0716a1e0638
 
 [template-mariadb-initial-setup]
 filename = mariadb_initial_setup.sql.in

stack/erp5-zope2/my.cnf.in

@@ -50,6 +50,10 @@ max_connections = {{ parameter_dict['max-connection-count'] }}
 # doesn't use "insert ... select" (in any number of queries) pattern.
 innodb_locks_unsafe_for_binlog = 1
 
+# disable innodb_change_buffering to prevent potential risk of crash or data corruption,
+# that is default from 10.5.14.
+innodb_change_buffering = none
+
 {% set log_bin = parameter_dict['binlog-path'] -%}
 {% if log_bin -%}
 log_bin = {{ log_bin }}
@@ -74,6 +78,7 @@ relay-log = mariadb-relay-bin
 {{x}}innodb_flush_log_at_trx_commit = 0
 {{x}}innodb_flush_method = nosync
 {{x}}innodb_doublewrite = 0
+{{x}}innodb_change_buffering = all
 {{x}}sync_frm = 0
 
 character_set_server = {{ parameter_dict['character-set-server'] }}

stack/erp5/buildout.cfg

@@ -2,7 +2,7 @@
 
 extends =
 # versions pins from zope, vendored with:
-#   curl https://zopefoundation.github.io/Zope/releases/4.8.8/versions-prod.cfg > zope-versions.cfg
+#   curl https://zopefoundation.github.io/Zope/releases/4.8.9/versions-prod.cfg > zope-versions.cfg
 # When updating, keep in mind that some versions are defined in other places,
 # for example component/ZEO , component/ZODB and stack/slapos
   zope-versions.cfg
@@ -18,7 +18,6 @@ extends =
   ../../component/socat/buildout.cfg
   ../../component/rsyslogd/buildout.cfg
   ../../component/findutils/buildout.cfg
-  ../../component/librsvg/buildout.cfg
   ../../component/imagemagick/buildout.cfg
   ../../component/jpegoptim/buildout.cfg
   ../../component/kumo/buildout.cfg
@@ -263,7 +262,6 @@ link-binary =
   ${imagemagick:location}/bin/identify
   ${jpegoptim:location}/bin/jpegoptim
   ${jsl:location}/bin/jsl
-  ${librsvg:location}/bin/rsvg-convert
   ${mariadb:location}/bin/mysql
   ${mariadb:location}/bin/mysqldump
   ${openssl:location}/bin/openssl
@@ -709,6 +707,9 @@ waitress-patches =
   ${:_profile_base_location_}/../../component/egg-patch/waitress/CVE-2022-24761-5.patch#ad2765822397cd1e28e02a68a52d7768
   ${:_profile_base_location_}/../../component/egg-patch/waitress/CVE-2022-24761-6.patch#85fc9c4105eabee3ff71c800b2ddf63b
 waitress-patch-options = -p1
+Zope-patches =
+  ${:_profile_base_location_}/../../component/egg-patch/Zope/0001-WSGIPublisher-set-REMOTE_USER-even-in-case-of-error-.patch#a437f4da28975f94dd07db0b02954111
+Zope-patch-options = -p1
 
 # neoppod installs bin/coverage so we inject erp5 plugin here so that coverage script can use it in report
 [neoppod]
@@ -743,11 +744,12 @@ depends =
 Acquisition = 4.7+SlapOSPatched001
 Products.DCWorkflow = 2.4.1+SlapOSPatched001
 ocropy = 1.0+SlapOSPatched001
+PyPDF2 = 1.26.0+SlapOSPatched001
 pysvn = 1.9.15+SlapOSPatched001
 python-ldap = 2.4.32+SlapOSPatched001
 python-magic = 0.4.12+SlapOSPatched001
-PyPDF2 = 1.26.0+SlapOSPatched001
 waitress = 1.4.4+SlapOSPatched006
+Zope = 4.8.9+SlapOSPatched001
 ## https://lab.nexedi.com/nexedi/slapos/merge_requests/648
 pylint = 1.4.4+SlapOSPatched002
 # astroid 1.4.1 breaks testDynamicClassGeneration
@@ -810,7 +812,7 @@ Products.GenericSetup = 2.3.0
 Products.MailHost = 4.13
 Products.MimetypesRegistry = 2.1.8
 Products.PluggableAuthService = 2.8.1
-Products.PluginRegistry = 1.6
+Products.PluginRegistry = 1.11
 Products.PythonScripts = 4.15
 Products.Sessions = 4.15
 Products.SiteErrorLog = 5.7

stack/erp5/buildout.hash.cfg

@@ -42,7 +42,7 @@ md5sum = f45dc4568b63de39f49b8fecca5deef1
 
 [template-my-cnf]
 filename = my.cnf.in
-md5sum = c0bde08ec6bd6d333315a15026266b65
+md5sum = 2c553103f1196f95e4b6d0716a1e0638
 
 [template-mariadb-initial-setup]
 filename = mariadb_initial_setup.sql.in
@@ -94,7 +94,7 @@ md5sum = b0751d3d12cfcc8934cb1027190f5e5e
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in
-md5sum = 1645ef8990ab2b50f91a4c02f0cf8882
+md5sum = 85a8c0dadf7b648ef9748b6199dcfeb6
 
 [template-rsyslogd-cfg]
 filename = rsyslogd.cfg.in

stack/erp5/haproxy.cfg.in

@@ -154,7 +154,7 @@ defaults
 {% for name, (port, _, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%}
 listen family_{{ name }}
 {%-  if parameter_dict.get('ca-cert') -%}
-{%-    set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
+{%-    set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional crt-ignore-err all' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
 {%-  else %}
 {%-    set ssl_auth = '' %}
 {%-  endif %}
@@ -173,11 +173,10 @@ listen family_{{ name }}
 {%-  endif %}
 
   # remove X-Forwarded-For unless client presented a verified certificate
-  acl client_cert_verified ssl_c_used ssl_c_verify 0
-  http-request del-header X-Forwarded-For unless client_cert_verified
+  http-request del-header X-Forwarded-For unless { ssl_c_verify 0 } { ssl_c_used 1 }
   # set Remote-User if client presented a verified certificate
   http-request del-header Remote-User
-  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if client_cert_verified
+  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_verify 0 } { ssl_c_used 1 }
 
   # logs
   capture request header Referer len 512

stack/erp5/my.cnf.in

@@ -50,6 +50,10 @@ max_connections = {{ parameter_dict['max-connection-count'] }}
 # doesn't use "insert ... select" (in any number of queries) pattern.
 innodb_locks_unsafe_for_binlog = 1
 
+# disable innodb_change_buffering to prevent potential risk of crash or data corruption,
+# that is default from 10.5.14.
+innodb_change_buffering = none
+
 {% set log_bin = parameter_dict['binlog-path'] -%}
 {% if log_bin -%}
 log_bin = {{ log_bin }}
@@ -74,6 +78,7 @@ relay-log = mariadb-relay-bin
 {{x}}innodb_flush_log_at_trx_commit = 0
 {{x}}innodb_flush_method = nosync
 {{x}}innodb_doublewrite = 0
+{{x}}innodb_change_buffering = all
 {{x}}sync_frm = 0
 
 character_set_server = {{ parameter_dict['character-set-server'] }}

stack/erp5/zope-versions.cfg

@@ -2,10 +2,10 @@
 # Version pins for required and commonly used dependencies.
 
 [versions]
-Zope = 4.8.8
+Zope = 4.8.9
 Zope2 = 4.0
 # AccessControl 5+ no longer supports Zope 4.
-AccessControl = 4.3
+AccessControl = 4.4
 Acquisition = 4.13
 AuthEncoding = 4.3
 BTrees = 4.11.3
@@ -23,7 +23,7 @@ Products.BTreeFolder2 = 4.4
 Products.ZCatalog = 5.4
 Record = 3.6
 # RestrictedPython >= 6 no longer supports Zope 4
-RestrictedPython = 5.2
+RestrictedPython = 5.4
 WSGIProxy2 = 0.5.1
 WebOb = 1.8.7
 WebTest = 3.0.0
@@ -59,7 +59,7 @@ zope.cachedescriptors = 4.4
 zope.component = 5.0.1
 zope.componentvocabulary = 2.3.0
 zope.configuration = 4.4.1
-zope.container = 4.10
+zope.container = 5.1
 zope.contentprovider = 4.2.1
 zope.contenttype = 4.6
 zope.datetime = 4.3.0
@@ -119,6 +119,8 @@ multipart = 0.1.1
 waitress = 1.4.4
 # zope.dottedname >= 5 requires Python 3.6 or higher
 zope.dottedname = 4.3
+# zope.container 5.x requires Python 3.7 or higher
+zope.container = 4.10
 
 [versions:python35]
 # DocumentTemplate 4+ cannot be installed on Zope 4 for Python 3.5
@@ -135,6 +137,8 @@ mock = 3.0.5
 waitress = 1.4.4
 # zope.dottedname >= 5 requires Python 3.6 or higher
 zope.dottedname = 4.3
+# zope.container 5.x requires Python 3.7 or higher
+zope.container = 4.10
 
 [versions:python36]
 # PasteDeploy >3 requires Python 3.7
@@ -143,3 +147,5 @@ PasteDeploy = 2.1.1
 WSGIProxy2 = 0.4.6
 # waitress 2.1 requires Python 3.7 or higher
 waitress = 2.0.0
+# zope.container 5.x requires Python 3.7 or higher
+zope.container = 4.10

stack/monitor/buildout.cfg

@@ -51,6 +51,10 @@ filename = monitor.conf.in
 [monitor-httpd-cors]
 <= monitor-download-base
 filename = httpd-cors.cfg.in
+
+[template-monitor-httpd-wrapper]
+<= monitor-download-base
+filename = template-monitor-httpd-wrapper.sh.in
 # End templates files
 
 [monitor-template]
@@ -82,6 +86,7 @@ context =
     raw python_executable ${buildout:executable}
     raw python_with_eggs ${buildout:bin-directory}/${monitor-eggs:interpreter}
     raw template_wrapper ${monitor-template-wrapper:location}/${monitor-template-wrapper:filename}
+    raw template_monitor_httpd_wrapper  ${template-monitor-httpd-wrapper:location}/${template-monitor-httpd-wrapper:filename}
     raw check_disk_space ${buildout:bin-directory}/check-free-disk
     raw bin_directory ${buildout:directory}/bin
 

stack/monitor/buildout.hash.cfg

@@ -14,12 +14,16 @@
 # not need these here).
 [monitor2-template]
 filename = instance-monitor.cfg.jinja2.in
-md5sum = 255b4f5f2d960ec958899114cef4cfd9
+md5sum = dda9b2355134517dae601cc20709685a
 
 [monitor-httpd-conf]
 _update_hash_filename_ = templates/monitor-httpd.conf.in
 md5sum = 0540fc5cc439a06079e9e724a5a55a70
 
+[template-monitor-httpd-wrapper]
+_update_hash_filename_ = templates/template-monitor-httpd-wrapper.sh.in
+md5sum = 45929a22527b71620555326f4dd78c34
+
 [monitor-template-wrapper]
 _update_hash_filename_ = templates/wrapper.in
 md5sum = e8566c00b28f6f86adde11b6b6371403

stack/monitor/instance-monitor.cfg.jinja2.in

@@ -67,9 +67,22 @@ hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
 recipe = slapos.cookbook:certificate_authority.request
 key-file = ${monitor-httpd-conf-parameter:key-file}
 cert-file = ${monitor-httpd-conf-parameter:cert-file}
-executable = ${monitor-httpd-wrapper:wrapper-path}
+executable = ${monitor-httpd-service-wrapper:output}
 wrapper = ${directory:bin}/ca-monitor-httpd
 
+[monitor-httpd-service-wrapper]
+recipe = slapos.recipe.template:jinja2
+url = {{ template_monitor_httpd_wrapper }}
+output = ${directory:bin}/monitor-httpd-service-wrapper
+pid-file = ${monitor-httpd-conf-parameter:pid-file}
+monitor-httpd-wrapper-path = ${monitor-httpd-wrapper:wrapper-path}
+monitor-httpd-conf = ${monitor-httpd-conf:output}
+context =
+    key pid_file :pid-file
+    key monitor_httpd_wrapper_path :monitor-httpd-wrapper-path
+    key monitor_httpd_conf :monitor-httpd-conf
+    raw dash_binary {{ dash_executable_location }}
+
 [ca-monitor-httpd-service]
 recipe = slapos.cookbook:wrapper
 command-line = ${ca-monitor-httpd:wrapper}
@@ -338,7 +351,6 @@ configuration-file-path = ${monitor-directory:etc}/monitor_knowledge0.cfg
 
 interface-url = https://monitor.app.officejs.com
 
-# NOTE
 [monitor-frontend]
 <= slap-connection
 recipe = slapos.cookbook:requestoptional

stack/monitor/templates/template-monitor-httpd-wrapper.sh.in

+#!{{ dash_binary }}
+# BEWARE: This file is operated by slapos node
+# BEWARE: It will be overwritten automatically
+
+pid_file="{{ pid_file }}"
+monitor_httpd_conf_file={{ monitor_httpd_conf }}
+
+if [ -f "$pid_file" ]; then
+    pid=$(cat "$pid_file")
+    result=$(ps aux | grep "^\S*\s*$pid\s")
+
+    # The process with the specified PID is running
+    if [ -n "$result" ]; then
+        echo "there is a process running with the same pid"
+        # Get the command line of the process and replace null characters with spaces
+        cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
+
+        # There is a process running with the pid,
+        # but it is not one using our monitor-httpd.conf
+        if ! expr "$cmdline" : ".*$monitor_httpd_conf_file" > /dev/null; then
+            echo "The process is not running with the monitor_httpd_conf"
+            rm -f {{ pid_file }};
+        fi
+    fi
+fi
+
+exec {{ monitor_httpd_wrapper_path }} "$@"

stack/slapos.cfg

@@ -136,17 +136,17 @@ zc.buildout = 2.7.1+slapos019
 # Use SlapOS patched zc.recipe.egg (zc.recipe.egg 2.x is for Buildout 2)
 zc.recipe.egg = 2.0.3+slapos003
 
-aiohttp = 3.8.3:whl
+aiohttp = 3.8.5:whl
 aiosignal = 1.3.1:whl
 apache-libcloud = 2.4.0
 argon2-cffi = 20.1.0
 asn1crypto = 1.3.0
 astor = 0.5
 async-generator = 1.10
-async-timeout = 4.0.2
+async-timeout = 4.0.3
 atomicwrites = 1.4.0
 atomize = 0.2.0
-attrs = 22.2.0
+attrs = 23.1.0:whl
 backcall = 0.2.0
 backports-abc = 0.5
 backports.functools-lru-cache = 1.6.1:whl
@@ -155,12 +155,12 @@ backports.shutil-get-terminal-size = 1.0.0
 bcrypt = 3.1.4
 bleach = 5.0.1
 CacheControl = 0.12.6:whl
-cachetools = 5.2.0
+cachetools = 5.3.1
 cattrs = 22.2.0
-certifi = 2022.12.7
+certifi = 2023.7.22
 cffi = 1.15.0
 chardet = 3.0.4
-charset-normalizer = 2.1.1
+charset-normalizer = 3.3.0
 click = 8.1.3
 cliff = 2.8.3:whl
 cmd2 = 0.7.0
@@ -180,10 +180,10 @@ entrypoints = 0.3
 enum34 = 1.1.10
 erp5.util = 0.4.74
 et-xmlfile = 1.0.1
-exceptiongroup = 1.0.0:whl
+exceptiongroup = 1.1.3:whl
 feedparser = 6.0.10
 Flask = 1.1.2
-frozenlist = 1.3.3:whl
+frozenlist = 1.4.0:whl
 funcsigs = 1.0.2
 functools32 = 3.2.3.post2
 gevent = 20.9.0
@@ -196,7 +196,7 @@ h5py = 2.7.1
 idna = 3.4:whl
 igmp = 1.0.4
 Importing = 1.10
-importlib-metadata = 1.7.0:whl
+importlib-metadata = 6.8.0:whl
 importlib-resources = 5.10.2:whl
 inotify-simple = 1.1.1
 ipaddress = 1.0.23
@@ -218,7 +218,7 @@ jupyterlab-launcher = 0.3.1
 jupyterlab-pygments = 0.1.2
 lock-file = 2.0
 lockfile = 0.12.2:whl
-lsprotocol = 2022.0.0a9:whl
+lsprotocol = 2023.0.0b1:whl
 lxml = 4.9.1
 manuel = 1.11.2
 MarkupSafe = 2.0.1
@@ -239,7 +239,7 @@ netifaces = 0.10.7
 notebook = 6.1.5
 openpyxl = 2.5.2
 outcome = 1.2.0
-packaging = 22.0:whl
+packaging = 23.2:whl
 pandocfilters = 1.4.3
 paramiko = 2.11.0
 parso = 0.7.1
@@ -266,7 +266,7 @@ pyasn1 = 0.4.5
 pycparser = 2.20
 pycurl = 7.43.0
 pydantic = 1.9.1
-pygls = 1.0.0:whl
+pygls = 1.1.0:whl
 Pygments = 2.9.0
 PyNaCl = 1.3.0
 pyOpenSSL = 19.1.0
@@ -283,7 +283,7 @@ pyzmq = 22.3.0
 qtconsole = 4.3.0
 random2 = 1.0.1
 regex = 2020.9.27
-requests = 2.28.1
+requests = 2.31.0
 rpdb = 0.1.5
 rubygemsrecipe  = 0.4.3
 scandir = 1.10.0
@@ -297,7 +297,7 @@ simplegeneric = 0.8.1
 singledispatch = 3.4.0.3
 six = 1.16.0
 slapos.cookbook = 1.0.329
-slapos.core = 1.10.2
+slapos.core = 1.10.3
 slapos.extension.shared = 1.0
 slapos.libnetworkcache = 0.25
 slapos.rebootstrap = 4.5
@@ -319,8 +319,8 @@ tornado = 6.1
 traitlets = 5.0.5
 trio = 0.22.0
 trio-websocket = 0.9.2
-typeguard = 2.13.3:whl
-typing-extensions = 4.3.0:whl
+typeguard = 3.0.2:whl
+typing-extensions = 4.8.0:whl
 tzlocal = 1.5.1
 unicodecsv = 0.14.1
 uritemplate = 3.0.0
@@ -330,13 +330,13 @@ webencodings = 0.5.1
 websockets = 10.4
 websocket-client = 1.5.1
 Werkzeug = 2.0.2
-wheel = 0.38.4:whl
+wheel = 0.41.2:whl
 widgetsnbextension = 2.0.0
 wsproto = 1.2.0
 xlrd = 1.1.0
 xml-marshaller = 1.0.2
-yarl = 1.8.2
-zc.buildout.languageserver = 0.9.0
+yarl = 1.9.2
+zc.buildout.languageserver = 0.11.0
 zc.lockfile = 1.4
 ZConfig = 3.6.1
 zdaemon = 4.2.0