The default soft limit of open file descriptors is usually set to 1024
in order to avoid breaking old software which still uses select. In many
projects we may need a higher limit: particularly in Wendelin based
projects we easily reach this limit. Before this patch it was therefore
necessary to either patch ERP5 in the project specific SR or to manually
increase the limit of the zope processes (or the parent supervisor) with
a tool like prlimit [1]. With this patch it becomes possible to increase the
soft limit to the hard limit with a command line argument of the zopewsgi bin.
This simplifies setting the soft limit for any Wendelin project.

[1] https://man7.org/linux/man-pages/man1/prlimit.1.html

/reviewed-by @vpelletier, @jerome
/reviewed-on nexedi/erp5!1827

This linter is too old and no longer relevant

   Redirect with error level, to display the notification properly displayed as error

   The implementation only works with ERP5 Login, since it is the only portal type that
   holds password in ERP5. Other implementations are password-less: Certificate Login,
   Google Login and Facebook Login, so they cannot have their password reset anyway.

   It is overkill split the login on multiple categorization, to use some portal group (ie:
   getPortalLoginPortalTypeThatCanResetPassord...) until we have a a clear usecase.

   This code is only required until the slapos.core relies on the certificate text to extract the COMP-* reference.

    This change shouldnt be merged on main branch of erp5 code base, since it is a pure backward compatibility for a single type of user. I dont think we should make it more flexible neither since the need should be gone on the next releases of slapos-node packages.

  rather them use person directly to Manage it. It might allow an user
  use more them one certificate to authenticate.

  An Unique reference is set whenever issue a certificate, this prevents
  conflicts if the transaction is restarted/retry after getNewCertificate
  is already called, since we cannot rollback the call to openssl.

  Include and improve test coverage

   if a duplicated certificate (with same CN) is eventually generated by a
   bug or external tool (for whatever reason), revoke should revoke them all.

- Use portal_status_level when redirecting
- Check that password and confirmation match
- Fix  wrong argument name `password_confirmation` sometimes used

See merge request nexedi/erp5!1792

If mapping is not a dict, we store a message that would fail later when
being viewed, typically breaking History tab when used in workflow
history.

Instead of displaying the same ImportError without any detail for both
cases of a non existant module or of an existing module which cause
error during import, improve the second case by displaying a different
message containing the original traceback.

The pattern of using > will start by erasing the file, so if mysqldump
does not run to completion developer will loose the previous dump, but
in such case, that previous dump was better than nothing.

User is usually interested by last movement in stock, not by several
months/years old movement. Thus display first fresh movement, and user
could then go to next pages to see oldest movements if needed.

nexedi/erp5@21f85a6f
added zope2 compatibility, but nexedi/erp5@21f85a6f (comment 180420) noted
the given assumption isn't true, which is why fixup commit nexedi/erp5@7a2c616e was
added. But nexedi/erp5@21f85a6f (comment 184548) noted
that nexedi/erp5@7a2c616e missed one case,
which is why this fixup commit is added. Now everything should be ok.

Because these two plugins implement the refresh of the authentication
token (unlike the facebook plugin), we can use a longer cache here.
With the previous value of 1 day, when not using the site for more than
1 day, token would expire from cache and user have to authenticate again.
Because the scenario of "access is revoked from authorization server"
is handled by refreshing the access token, we can use a longer duration
here, so that user do not have to login again after not using for two
days.

After server restarts, mariadb uses an error 1927 which is mariadb
specific, with no corresponding constant in CR module when server
restart. This is the case at least with mariadb 10.3.38.

This fix the following problem:
 - start zope and use mariadb connection
 - restart mariadb
 - use mariadb connection again, see an error:
    Error Type: OperationalError
    Error Value: (1927, 'Connection was killed')

This change to treat 1927 as an error for which we can reconnect and
retry the query. Some other connectors do it, for example sqlalchemy in
https://github.com/sqlalchemy/sqlalchemy/issues/5493

This prevents tracebacks during shutdown:

  Unhandled exception in thread started by <bound method Thread.__bootstrap of <Thread(Thread-1, stopped daemon 139820471113472)>>
  Traceback (most recent call last):
    File "soft/lib/python2.7/threading.py", line 774, in __bootstrap
      self.__bootstrap_inner()
    File "soft/lib/python2.7/threading.py", line 814, in __bootstrap_inner
      (self.name, _format_exc()))
    File "soft/lib/python2.7/traceback.py", line 242, in format_exc
      return ''.join(format_exception(etype, value, tb, limit))
    File "soft/lib/python2.7/traceback.py", line 141, in format_exception
      list = list + format_tb(tb, limit)
    File "soft/lib/python2.7/traceback.py", line 76, in format_tb
      return format_list(extract_tb(tb, limit))
    File "soft/lib/python2.7/traceback.py", line 100, in extract_tb
      linecache.checkcache(filename)
  TypeError: 'NoneType' object is not callable

Also rename the method because this is not longer *Z*server.

This waitress close() API is not public part of API, so we still ignore
the case where the server thread does not stop after 5 seconds. This
happens if some HTTP connections are still open at the end of test.

See merge request nexedi/erp5!1772

This is supposed to be catched by an external validator on the field,
but checking the one more time here supports custom dialogs where there
might not be form level validation.

to indicate success or failure

Also add a code comment about the changes from e50e45e4 (erp5_core:
Password Tool should not leak info on users, 2020-12-30), because while
looking at this code it seems there was a mistake here.

It was wrongly named password_confirmation in some places and this was
silently ignored because the parameter is not used at the moment and
because of **kw in the signature.

This is a preparatory commit so that we can check that the password and
the confirmation match

Rewrite to not use legacy "Sequence", some python3 fixes, use urllib
to assert URLs, use more consistent passwords.

Also extend coverage a bit: check that the email contains the key, check
that login lookup does not use catalog search syntax.

There is no zmi_icon on Zope2.

See merge request nexedi/erp5!1791

See merge request nexedi/erp5!1789

   This is expected that constraints can call getConstraintType() if they are filtered:

    return context.checkConsistency(fixit=1, filter={'constraint_type': 'post_upgrade'},)
  Module Products.ERP5Type.Core.Folder, line 1476, in checkConsistency
    error_list.extend(obj.fixConsistency(filter=filter, **kw))
  Module Products.ERP5Type.Base, line 2714, in fixConsistency
    return self.checkConsistency(fixit=True, filter=filter, **kw)
  Module Products.ERP5Type.Core.Folder, line 1476, in checkConsistency
    error_list.extend(obj.fixConsistency(filter=filter, **kw))
  Module Products.ERP5Type.Base, line 2714, in fixConsistency
    return self.checkConsistency(fixit=True, filter=filter, **kw)
  Module Products.ERP5Type.Core.Folder, line 1462, in checkConsistency
    **kw
  Module Products.ERP5Type.Base, line 2686, in checkConsistency
    for constraint_instance in self._filteredConstraintList(filter):
  Module Products.ERP5Type.Base, line 2739, in _filteredConstraintList
    constraints = [x for x in constraints if x.__of__(self).getConstraintType() in \
AttributeError: 'RequestContainer' object has no attribute 'getConstraintType'

   There is a missing "r" on the link, acording to apache documentation:

    Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

    See: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

   There is a missing "r" on the link, acording to apache documentation:

    Additionally you have to create symbolic links named hash-value.rN. And you should always make sure this directory contains the appropriate symbolic links.

    See: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

This reverts commit 89aa2a6b.
The assumption that FOR UPDATE was unnecessary is wrong: when SQLDict
reserves similar activities, it will race against these primo-reservations.
So this change actually opens the possibility for duplicate activity
reservation.
Revert this change until (hopefully) a better fix is implemented.