From d85dd4d5615c9758cf6efa2d64cd9e5fda7e83fc Mon Sep 17 00:00:00 2001
From: Alain Takoudjou <alain.takoudjou@nexedi.com>
Date: Tue, 19 May 2015 09:47:57 +0200
Subject: [PATCH] Introduce GateOne software release
---
 software/gateone/instance-gateone.cfg.in | 157 ++++++++++++++++++
 .../gateone/instance-logrotate-base.cfg.in | 50 ++++++
 software/gateone/instance.cfg.in | 53 ++++++
 software/gateone/software.cfg | 123 ++++++++++++++
 software/gateone/templates/nginx.conf.in | 50 ++++++
 5 files changed, 433 insertions(+)
 create mode 100644 software/gateone/instance-gateone.cfg.in
 create mode 100644 software/gateone/instance-logrotate-base.cfg.in
 create mode 100644 software/gateone/instance.cfg.in
 create mode 100644 software/gateone/software.cfg
 create mode 100644 software/gateone/templates/nginx.conf.in
diff --git a/software/gateone/instance-gateone.cfg.in b/software/gateone/instance-gateone.cfg.in
new file mode 100644
index 000000000..9903fec3a
--- /dev/null
+++ b/software/gateone/instance-gateone.cfg.in
@@ -0,0 +1,157 @@
+
+{% set python_bin = parameter_dict['python-executable'] -%}
+{% set publish_dict = {} -%}
+{% set part_list = [] -%}
+{% set ipv6 = (ipv6_set | list)[0] -%}
+{% set ipv4 = (ipv4_set | list)[0] -%}
+{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+bin = ${buildout:directory}/bin
+etc = ${buildout:directory}/etc
+srv = ${buildout:directory}/srv
+var = ${buildout:directory}/var
+tmp = ${buildout:directory}/tmp
+log = ${:var}/log
+services = ${:etc}/service
+script = ${:etc}/run
+promises = ${:etc}/promise
+run = ${:var}/run
+ca-dir = ${:etc}/ssl
+requests = ${:ca-dir}/requests/
+private = ${:ca-dir}/private/
+certs = ${:ca-dir}/certs/
+newcerts = ${:ca-dir}/newcerts/
+crl = ${:ca-dir}/crl/
+
+[gateone-dir]
+gateone = ${directory:srv}/gateone
+log-prefix = ${directory:log}/gateone
+cache = ${:gateone}/cache
+sessions = ${:gateone}/sessions
+users = ${:gateone}/users
+conf = ${directory:etc}/gateone
+ssl = ${:conf}/ssl
+
+[gateone-configure]
+recipe = slapos.cookbook:wrapper
+port = 10443
+ipv6 = {{ ipv6 }}
+ipv4 = {{ ipv4 }}
+settings-dir = ${gateone-dir:conf}
+wrapper-path = ${directory:bin}/gateone-configure
+# XXX- issue with dtach=true, we set --dtach=false
+command =
+ {{ parameter_dict['gateone-bin'] }} --address=${:ipv4} --port=${:port} --certificate=${gateone-dir:ssl}/certificate.pem --keyfile=${gateone-dir:ssl}/keyfile.pem --cache_dir=${gateone-dir:cache} --pid_file=${directory:run}/gateone.pid --session_dir=${gateone-dir:sessions} --settings_dir=${:settings-dir} --user_dir=${gateone-dir:users} --log_file_prefix=${gateone-dir:log-prefix} --origins=${:ipv4} --logging=info --dtach=false
+#--gid=1012 --uid=987
+command-line =
+ ${:command} --configure
+environment =
+ PATH={{ bin_directory }}:{{ openssl_location }}/bin:{{ parameter_dict['dtach-location'] }}/bin:/usr/local/bin:/usr/bin:/bin
+ LD_LIBRARY_PATH={{ parameter_dict['readline-location'] }}/lib
+
+[gateone-run]
+recipe = slapos.cookbook:wrapper
+port = 10443
+ipv6 = {{ ipv6 }}
+ipv4 = {{ ipv4 }}
+wrapper-path = ${directory:services}/gateone
+command-line = ${gateone-configure:command}
+environment =
+ PATH={{ bin_directory }}:{{ openssl_location }}/bin:{{ parameter_dict['dtach-location'] }}/bin:/usr/local/bin:/usr/bin:/bin
+ LD_LIBRARY_PATH={{ parameter_dict['readline-location'] }}/lib
+ HOME=${buildout:directory}
+ PWD=${gateone-dir:gateone}
+
+# --cookie_secret 45-characters
+# --uid needs to be set for slapos
+# --origins=${:ipv4};${:ipv6}
+
+[certificate-authority]
+recipe = slapos.cookbook:certificate_authority
+openssl-binary = {{ openssl_location }}/bin/openssl
+ca-dir = ${directory:ca-dir}
+requests-directory = ${directory:requests}
+wrapper = ${directory:services}/certificate_authority
+ca-private = ${directory:private}
+ca-certs = ${directory:certs}
+ca-newcerts = ${directory:newcerts}
+ca-crl = ${directory:crl}
+
+[ca-nginx]
+<= certificate-authority
+recipe = slapos.cookbook:certificate_authority.request
+key-file = ${directory:certs}/nginx.key
+cert-file = ${directory:certs}/nginx.crt
+executable = ${nginx-run:wrapper-path}
+wrapper = ${directory:services}/nginx-proxy
+
+[tempdirectory]
+recipe = slapos.cookbook:mkdirectory
+client_body_temp_path = ${directory:tmp}/client_body_temp_path
+proxy_temp_path = ${directory:tmp}/proxy_temp_path
+fastcgi_temp_path = ${directory:tmp}/fastcgi_temp_path
+uwsgi_temp_path = ${directory:tmp}/uwsgi_temp_path
+scgi_temp_path = ${directory:tmp}/scgi_temp_path
+
+[nginx-config-dict]
+nb_workers = 2
+ipv6 = {{ ipv6 }}
+ipv4 = {{ ipv4 }}
+port = 10443
+backend-url = https://${gateone-configure:ipv4}:${gateone-configure:port}
+ssl-certificate = ${ca-nginx:cert-file}
+ssl-key = ${ca-nginx:key-file}
+pid = ${directory:run}/nginx.pid
+log = ${directory:log}/nginx.log
+access-log = ${directory:log}/nginx.access.log
+error-log = ${directory:log}/nginx.error.log
+tmp = $${directory:tmp}/
+
+[nginx-conf]
+recipe = slapos.recipe.template:jinja2
+template = {{ parameter_dict['template-ngnix-conf'] }}
+rendered = ${directory:etc}/nginx.conf
+context =
+ section parameter_dict nginx-config-dict
+ section param_tempdir tempdirectory
+
+[nginx-run]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:bin}/nginx_proxy
+command-line = {{ parameter_dict['nginx-location'] }}/sbin/nginx -p ${buildout:directory} -c ${nginx-conf:rendered}
+
+[logrotate-apache]
+< = logrotate-entry-base
+name = apache
+log = ${apache-conf:error-log} ${apache-conf:access-log}
+post = {{ parameter_dict['bin-directory'] }}/slapos-kill --pidfile ${apache-conf:pid-file} -s USR1
+
+[logrotate-entry-base]
+recipe = slapos.cookbook:logrotate.d
+logrotate-entries = ${logrotate:logrotate-entries}
+backup = ${logrotate:backup}
+
+[publish]
+recipe = slapos.cookbook:publish
+url = https://[${nginx-config-dict:ipv6}]:${gateone-run:port}
+
+[buildout]
+extends =
+ {{ logrotate_cfg }}
+
+parts =
+ certificate-authority
+ ca-nginx
+ publish
+
+# Complete parts with sections
+ {{ part_list | join('\n ') }}
+
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true
+
+[slap-parameter]
+
diff --git a/software/gateone/instance-logrotate-base.cfg.in b/software/gateone/instance-logrotate-base.cfg.in
new file mode 100644
index 000000000..542bee622
--- /dev/null
+++ b/software/gateone/instance-logrotate-base.cfg.in
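Review bot: `[logrotate-apache]` (after `[nginx-run]`) reads `${apache-conf:error-log}`, `${apache-conf:access-log}` and `${apache-conf:pid-file}`, but this file has no `apache-conf` section — the nginx values are `error-log`, `access-log` and `pid` in `[nginx-config-dict]` — and the section is neither listed in `parts` nor registered through the `section()` macro, so buildout never evaluates it and, as far as I can tell, no log rotation exists for the nginx or gateone logs even though `logrotate_cfg` is extended (the `parts =` here also replaces the base's `parts = cron-entry-logrotate` rather than appending with `parts +=`). Renaming the section to the nginx keys and registering it via `section()`, as below, gives the rotation a chance to run; an equivalent entry for `${gateone-dir:log-prefix}` would need the exact file names gateone writes, which I cannot confirm from here. Unlike `[directory]` and `[tempdirectory]`, `[gateone-dir]` has no `recipe` line, so nothing in this profile creates `cache`, `sessions`, `users` or `ssl` — presumably gateone creates them itself, but worth confirming before relying on `--certificate=${gateone-dir:ssl}/certificate.pem`. Finally `tmp = $${directory:tmp}/` in `[nginx-config-dict]` uses a `$$` escape no other key in the file uses and is not read by nginx.conf.in, so it looks like a copy-paste leftover to drop.
```ini
[{{ section('logrotate-nginx') }}]
< = logrotate-entry-base
name = nginx
log = ${nginx-config-dict:error-log} ${nginx-config-dict:access-log}
post = {{ parameter_dict['bin-directory'] }}/slapos-kill --pidfile ${nginx-config-dict:pid} -s USR1
```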
@@ -0,0 +1,50 @@
+[buildout]
+parts =
+ cron-entry-logrotate
+
+[cron]
+recipe = slapos.cookbook:cron
+cron-entries = ${logrotate-directory:cron-entries}
+dcrond-binary = {{ dcron_location }}/sbin/crond
+crontabs = ${logrotate-directory:crontabs}
+cronstamps = ${logrotate-directory:cronstamps}
+catcher = ${cron-simplelogger:wrapper}
+binary = ${logrotate-directory:services}/crond
+
+[cron-simplelogger]
+recipe = slapos.cookbook:simplelogger
+wrapper = ${logrotate-directory:bin}/cron_simplelogger
+log = ${logrotate-directory:log}/cron.log
+
+[logrotate]
+recipe = slapos.cookbook:logrotate
+logrotate-entries = ${logrotate-directory:logrotate-entries}
+backup = ${logrotate-directory:logrotate-backup}
+logrotate-binary = {{ logrotate_location }}/usr/sbin/logrotate
+gzip-binary = {{ gzip_location }}/bin/gzip
+gunzip-binary = {{ gzip_location }}/bin/gunzip
+wrapper = ${logrotate-directory:bin}/logrotate
+conf = ${logrotate-directory:etc}/logrotate.conf
+state-file = ${logrotate-directory:srv}/logrotate.status
+
+[cron-entry-logrotate]
+recipe = slapos.cookbook:cron.d
+cron-entries = ${cron:cron-entries}
+name = logrotate
+frequency = 0 0 * * *
+command = ${logrotate:wrapper}
+
+[logrotate-directory]
+recipe = slapos.cookbook:mkdirectory
+cron-entries = ${:etc}/cron.d
+cronstamps = ${:etc}/cronstamps
+crontabs = ${:etc}/crontabs
+logrotate-backup = ${:backup}/logrotate
+logrotate-entries = ${:etc}/logrotate.d
+bin = ${buildout:directory}/bin
+srv = ${buildout:directory}/srv
+backup = ${:srv}/backup
+etc = ${buildout:directory}/etc
+services = ${:etc}/service
+log = ${buildout:directory}/var/log
+
diff --git a/software/gateone/instance.cfg.in b/software/gateone/instance.cfg.in
new file mode 100644
index 000000000..2843529c3
--- /dev/null
+++ b/software/gateone/instance.cfg.in
@@ -0,0 +1,53 @@
+[buildout]
+parts = switch-softwaretype
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+
+[slap-configuration]
+recipe = slapos.cookbook:slapconfiguration.serialised
+computer = ${slap-connection:computer-id}
+partition = ${slap-connection:partition-id}
+url = ${slap-connection:server-url}
+key = ${slap-connection:key-file}
+cert = ${slap-connection:cert-file}
+
+[jinja2-template-base]
+recipe = slapos.recipe.template:jinja2
+rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/${:filename}
+extra-context =
+context =
+ key develop_eggs_directory buildout:develop-eggs-directory
+ key eggs_directory buildout:eggs-directory
+ key ipv6_set slap-configuration:ipv6
+ key ipv4_set slap-configuration:ipv4
+ key slapparameter_dict slap-configuration:configuration
+ key computer_id slap-configuration:computer
+ raw logrotate_cfg {{ template_logrotate_base }}
+ raw dash_binary {{ dash_location }}/bin/dash
+ raw bin_directory {{ bin_directory }}
+ raw openssl_location {{ openssl_location }}
+ ${:extra-context}
+
+[dynamic-template-gateone-parameters]
+bin-directory = {{ bin_directory }}
+#python-executable =
+readline-location = {{ readline_location }}
+dtach-location = {{ dtach_location }}
+gateone-location = {{ gateone_location}}
+gateone-bin = {{ gateone_bin }}
+nginx-location = {{ nginx_location}}
+template-ngnix-conf = {{ template_nginx_conf }}
+
+[dynamic-template-gateone]
+< = jinja2-template-base
+template = {{ template_gateone }}
+filename = instance-gateone.cfg
+extensions = jinja2.ext.do
+extra-context =
+ section parameter_dict dynamic-template-gateone-parameters
+
+[switch-softwaretype]
+recipe = slapos.cookbook:softwaretype
+
+default = ${dynamic-template-gateone:rendered}
+gateone = ${:default}
diff --git a/software/gateone/software.cfg b/software/gateone/software.cfg
new file mode 100644
index 000000000..a602b49fc
--- /dev/null
+++ b/software/gateone/software.cfg
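Review bot: `python-executable` is commented out in `[dynamic-template-gateone-parameters]`, yet the template this section is passed to as `parameter_dict` (instance-gateone.cfg.in, in the first hunk of this patch) opens with `{% set python_bin = parameter_dict['python-executable'] -%}`; whether that renders as a silent undefined or fails at render time depends on the recipe's undefined handling, and `python_bin` is never used afterwards, so either both lines should go or the key should be set to the interpreter this commit already builds (`raw python_with_eggs` is handed to `[template]` in software.cfg but not consumed here). The key `template-ngnix-conf` is misspelled consistently on both sides, so it works, but renaming it `template-nginx-conf` now is cheaper than after other profiles copy it. A one-line comment above the section, e.g. `# values exposed to instance-gateone.cfg.in as parameter_dict`, would tell a reader why these keys have no recipe.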
@@ -0,0 +1,123 @@
+[buildout]
+
+extends =
+ ../../component/dash/buildout.cfg
+ ../../component/git/buildout.cfg
+ ../../component/dcron/buildout.cfg
+ ../../component/gzip/buildout.cfg
+ ../../component/openssl/buildout.cfg
+ ../../component/logrotate/buildout.cfg
+ ../../component/kerberos/buildout.cfg
+ ../../component/python-kerberos/buildout.cfg
+ ../../component/gateone/buildout.cfg
+ ../../component/dtach/buildout.cfg
+ ../../component/python-2.7/buildout.cfg
+ ../../component/nginx/buildout.cfg
+ ../../stack/slapos.cfg
+
+parts =
+ slapos-cookbook
+ kerberos
+ eggs
+ gateone-develop
+ gateone
+ dash
+ check-recipe
+ template
+
+
+[eggs]
+recipe = zc.recipe.egg
+eggs =
+ ${lxml-python:egg}
+ ${python-cryptography:egg}
+ ${python-kerberos:egg}
+ tornado
+scripts =
+ slapos-kill
+
+[extra-eggs]
+recipe = zc.recipe.egg
+interpreter = python
+eggs =
+ ${lxml-python:egg}
+ ${python-kerberos:egg}
+ tornado
+ gateone
+ setuptools
+ pyOpenSSL
+ futures
+
+
+[slapos.cookbook-repository]
+recipe = slapos.recipe.build:gitclone
+repository = http://git.erp5.org/repos/slapos.git
+branch = re6st-master
+git-executable = ${git:location}/bin/git
+
+[download-base]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+mode = 644
+
+[template-jinja2-base]
+recipe = slapos.recipe.template:jinja2
+template = ${:_profile_base_location_}/${:filename}.in
+rendered = ${buildout:directory}/${:filename}
+# XXX: extra-context is needed because we cannot append to a key of an extended
+# section.
+extra-context =
+context =
+ key bin_directory buildout:bin-directory
+ key develop_eggs_directory buildout:develop-eggs-directory
+ key eggs_directory buildout:eggs-directory
+ ${:extra-context}
+
+
+[template]
+< = template-jinja2-base
+filename = template.cfg
+template = ${:_profile_base_location_}/instance.cfg.in
+md5sum = 428669a609aca3e0a7cae1387d332a75
+extra-context =
+ key dash_location dash:location
+ key dtach_location dtach:location
+ key gateone_location gateone-repository:location
+ key logrotate_location logrotate:location
+ key nginx_location nginx:location
+ key openssl_location openssl:location
+ key readline_location readline:location
+ key template_nginx_conf template-nginx-conf:target
+ key template_logrotate_base template-logrotate-base:rendered
+ key template_gateone template-gateone:target
+ raw gateone_bin ${buildout:bin-directory}/gateone
+ raw python_with_eggs ${buildout:directory}/bin/${extra-eggs:interpreter}
+
+[template-gateone]
+< = download-base
+filename = instance-gateone.cfg.in
+md5sum = e7096a17c36c3bd27a011de57b7abfc1
+
+[template-logrotate-base]
+< = template-jinja2-base
+filename = instance-logrotate-base.cfg
+md5sum = f28fbd310944f321ccb34b2a34c82005
+extra-context =
+ key dcron_location dcron:location
+ key gzip_location gzip:location
+ key logrotate_location logrotate:location
+
+[template-nginx-conf]
+< = download-base
+url = ${:_profile_base_location_}/templates/${:filename}.in
+filename = nginx.conf
+md5sum = 72f4cc110f618b317793e21124f45121
+
+[check-recipe]
+recipe = plone.recipe.command
+stop-on-error = true
+update-command = ${:command}
+command =
+ grep parts ${buildout:develop-eggs-directory}/gateone.egg-link
+
+[versions]
\ No newline at end of file
diff --git a/software/gateone/templates/nginx.conf.in b/software/gateone/templates/nginx.conf.in
new file mode 100644
index 000000000..9745e3226
--- /dev/null
+++ b/software/gateone/templates/nginx.conf.in
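Review bot: `[slapos.cookbook-repository]` clones `http://git.erp5.org/repos/slapos.git` at `branch = re6st-master` with no `revision`, so whatever that branch head holds at build time becomes the recipe code of this release, fetched over plain HTTP; the section is not in `parts` here, so it only matters if the stack's `slapos-cookbook` part resolves to it, but if it does the cookbook is an unpinned, unauthenticated code source. `[versions]` at the end of the hunk is empty, so `tornado`, `pyOpenSSL`, `futures` and `gateone` from `[eggs]` and `[extra-eggs]` are installed unpinned as well, and the build is not reproducible. Switching the clone URL to https and adding `revision = <pinned-commit-sha>`, plus listing egg versions under `[versions]`, would close both gaps the same way the `md5sum` lines already pin the templates. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.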
@@ -0,0 +1,50 @@
+worker_processes {{ parameter_dict['nb_workers'] }};
+
+pid {{ parameter_dict['pid'] }};
+error_log {{ parameter_dict['error-log'] }};
+
+daemon off;
+
+events {
+ worker_connections 1024;
+ accept_mutex off;
+}
+
+
+http {
+ default_type application/octet-stream;
+ access_log {{ parameter_dict['access-log'] }} combined;
+ client_max_body_size 10M;
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+ server {
+ listen [{{ parameter_dict['ipv6'] }}]:{{ parameter_dict['port'] }} ssl;
+ server_name _;
+ ssl_certificate {{ parameter_dict['ssl-certificate'] }};
+ ssl_certificate_key {{ parameter_dict['ssl-key'] }};
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ keepalive_timeout 90s;
+ client_body_temp_path {{ param_tempdir['client_body_temp_path'] }};
+ proxy_temp_path {{ param_tempdir['proxy_temp_path'] }};
+ fastcgi_temp_path {{ param_tempdir['fastcgi_temp_path'] }};
+ uwsgi_temp_path {{ param_tempdir['uwsgi_temp_path'] }};
+ scgi_temp_path {{ param_tempdir['scgi_temp_path'] }};
+ error_page 401 /login;
+ location / {
+ proxy_pass_header Server;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+
+ proxy_pass {{ parameter_dict['backend-url'] }};
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ }
+}
\ No newline at end of file
-- 
2.30.9
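Review bot: `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;` in the `server` block still offers SSLv3 on the `[ipv6]:port` listener, which is the address the instance publishes; drop it, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, and add `ssl_prefer_server_ciphers on;` next to `ssl_ciphers HIGH:!aNULL:!MD5;` so the server's order wins over the client's. The `map $http_upgrade $connection_upgrade` block is defined but never used because `location /` hard-codes `proxy_set_header Connection "upgrade";`, so every proxied request, websocket or not, carries that header; `proxy_set_header Connection $connection_upgrade;` is what the map was written for. The `proxy_pass` to `{{ parameter_dict['backend-url'] }}` is an `https://` URL with no backend certificate verification, which is presumably acceptable for a partition-local IPv4 address but deserves a one-line comment stating that assumption. No `proxy_read_timeout` is set, so idle terminal sessions likely fall to nginx's default and are cut — worth confirming against gateone's own keepalive.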