Fix progress message

Remove start/stop buttons in webadmin
Fixes #495
2015-09-22 13:02:09 -07:00 · 2015-09-22 22:00:42 +02:00 · 2015-09-22 22:00:42 +02:00 · 2015-09-22 12:51:58 -07:00 · 2015-09-21 16:02:58 -07:00 · 2015-09-21 15:57:06 -07:00
41 changed files with 680 additions and 409 deletions
@@ -4,9 +4,18 @@

 require('supererror')({ splatchError: true });

-var server = require('./src/server.js'),
+// remove timestamp from debug() based output
+require('debug').formatArgs = function formatArgs() {
+    arguments[0] = this.namespace + ' ' + arguments[0];
+    return arguments;
+};
+
+var appHealthMonitor = require('./src/apphealthmonitor.js'),
+    async = require('async'),
+    config = require('./src/config.js'),
    ldap = require('./src/ldap.js'),
-    config = require('./src/config.js');
+    oauthproxy = require('./src/oauthproxy.js'),
+    server = require('./src/server.js');

 console.log();
 console.log('==========================================');
@@ -23,33 +32,30 @@ console.log();
 console.log('==========================================');
 console.log();

-server.start(function (err) {
-    if (err) {
-        console.error('Error starting server', err);
+async.series([
+    server.start,
+    ldap.start,
+    appHealthMonitor.start,
+    oauthproxy.start
+], function (error) {
+    if (error) {
+        console.error('Error starting server', error);
        process.exit(1);
    }
-
-    console.log('Server listening on port ' + config.get('port'));
-
-    ldap.start(function (error) {
-        if (error) {
-            console.error('Error LDAP starting server', err);
-            process.exit(1);
-        }
-
-        console.log('LDAP server listen on port ' + config.get('ldapPort'));
-    });
 });

 var NOOP_CALLBACK = function () { };

 process.on('SIGINT', function () {
    server.stop(NOOP_CALLBACK);
+    ldap.stop(NOOP_CALLBACK);
+    oauthproxy.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });

 process.on('SIGTERM', function () {
    server.stop(NOOP_CALLBACK);
+    ldap.stop(NOOP_CALLBACK);
+    oauthproxy.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });
-
@@ -4,6 +4,12 @@

 require('supererror')({ splatchError: true });

+// remove timestamp from debug() based output
+require('debug').formatArgs = function formatArgs() {
+    arguments[0] = this.namespace + ' ' + arguments[0];
+    return arguments;
+};
+
 var assert = require('assert'),
    debug = require('debug')('box:janitor'),
    async = require('async'),
@@ -11,8 +17,6 @@ var assert = require('assert'),
    authcodedb = require('./src/authcodedb.js'),
    database = require('./src/database.js');

-var TOKEN_CLEANUP_INTERVAL = 30000;
-
 function initialize(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -52,7 +56,7 @@ function run() {
        cleanupExpiredAuthCodes(function (error) {
            if (error) console.error(error);

-            setTimeout(run, TOKEN_CLEANUP_INTERVAL);
+            process.exit(0);
        });
    });
 }
@@ -1,185 +0,0 @@
-#!/usr/bin/env node
-
-'use strict';
-
-require('supererror')({ splatchError: true });
-
-var express = require('express'),
-    url = require('url'),
-    uuid = require('node-uuid'),
-    async = require('async'),
-    superagent = require('superagent'),
-    assert = require('assert'),
-    debug = require('debug')('box:proxy'),
-    proxy = require('proxy-middleware'),
-    session = require('cookie-session'),
-    database = require('./src/database.js'),
-    appdb = require('./src/appdb.js'),
-    clientdb = require('./src/clientdb.js'),
-    config = require('./src/config.js'),
-    http = require('http');
-
-// Allow self signed certs!
-process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
-
-var gSessions = {};
-var gProxyMiddlewareCache = {};
-var gApp = express();
-var gHttpServer = http.createServer(gApp);
-
-var CALLBACK_URI = '/callback';
-var PORT = 4000;
-
-function startServer(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    gHttpServer.on('error', console.error);
-
-    gApp.use(session({
-        keys: ['blue', 'cheese', 'is', 'something']
-    }));
-
-    // ensure we have a in memory store for the session to cache client information
-    gApp.use(function (req, res, next) {
-        assert.strictEqual(typeof req.session, 'object');
-
-        if (!req.session.id || !gSessions[req.session.id]) {
-            req.session.id = uuid.v4();
-            gSessions[req.session.id] = {};
-        }
-
-        // attach the session data to the requeset
-        req.sessionData = gSessions[req.session.id];
-
-        next();
-    });
-
-    gApp.use(function verifySession(req, res, next) {
-        assert.strictEqual(typeof req.sessionData, 'object');
-
-        if (!req.sessionData.accessToken) {
-            req.authenticated = false;
-            return next();
-        }
-
-        superagent.get(config.adminOrigin() + '/api/v1/profile').query({ access_token: req.sessionData.accessToken}).end(function (error, result) {
-            if (error) {
-                console.error(error);
-                req.authenticated = false;
-            } else if (result.statusCode !== 200) {
-                req.sessionData.accessToken = null;
-                req.authenticated = false;
-            } else {
-                req.authenticated = true;
-            }
-
-            next();
-        });
-    });
-
-    gApp.use(function (req, res, next) {
-        // proceed if we are authenticated
-        if (req.authenticated) return next();
-
-        if (req.path === CALLBACK_URI && req.sessionData.returnTo) {
-            // exchange auth code for an access token
-            var query = {
-                response_type: 'token',
-                client_id: req.sessionData.clientId
-            };
-
-            var data = {
-                grant_type: 'authorization_code',
-                code: req.query.code,
-                redirect_uri: req.sessionData.returnTo,
-                client_id: req.sessionData.clientId,
-                client_secret: req.sessionData.clientSecret
-            };
-
-            superagent.post(config.adminOrigin() + '/api/v1/oauth/token').query(query).send(data).end(function (error, result) {
-                if (error) {
-                    console.error(error);
-                    return res.send(500, 'Unable to contact the oauth server.');
-                }
-                if (result.statusCode !== 200) {
-                    console.error('Failed to exchange auth code for a token.', result.statusCode, result.body);
-                    return res.send(500, 'Failed to exchange auth code for a token.');
-                }
-
-                req.sessionData.accessToken = result.body.access_token;
-
-                debug('user verified.');
-
-                // now redirect to the actual initially requested URL
-                res.redirect(req.sessionData.returnTo);
-            });
-        } else {
-            var port = parseInt(req.headers['x-cloudron-proxy-port'], 10);
-
-            if (!Number.isFinite(port)) {
-                console.error('Failed to parse nginx proxy header to get app port.');
-                return res.send(500, 'Routing error. No forwarded port.');
-            }
-
-            debug('begin verifying user for app on port %s.', port);
-
-            appdb.getByHttpPort(port, function (error, result) {
-                if (error) {
-                    console.error('Unknown app.', error);
-                    return res.send(500, 'Unknown app.');
-                }
-
-                clientdb.getByAppId('proxy-' + result.id, function (error, result) {
-                    if (error) {
-                        console.error('Unkonwn OAuth client.', error);
-                        return res.send(500, 'Unknown OAuth client.');
-                    }
-
-                    req.sessionData.port = port;
-                    req.sessionData.returnTo = result.redirectURI + req.path;
-                    req.sessionData.clientId = result.id;
-                    req.sessionData.clientSecret = result.clientSecret;
-
-                    var callbackUrl = result.redirectURI + CALLBACK_URI;
-                    var scope = 'profile,roleUser';
-                    var oauthLogin = config.adminOrigin() + '/api/v1/oauth/dialog/authorize?response_type=code&client_id=' + result.id + '&redirect_uri=' + callbackUrl + '&scope=' + scope;
-
-                    debug('begin OAuth flow for client %s.', result.name);
-
-                    // begin the OAuth flow
-                    res.redirect(oauthLogin);
-                });
-            });
-        }
-    });
-
-    gApp.use(function (req, res, next) {
-        var port = req.sessionData.port;
-
-        debug('proxy request for port %s with path %s.', port, req.path);
-
-        var proxyMiddleware = gProxyMiddlewareCache[port];
-        if (!proxyMiddleware) {
-            console.log('Adding proxy middleware for port %d', port);
-
-            proxyMiddleware = proxy(url.parse('http://127.0.0.1:' + port));
-            gProxyMiddlewareCache[port] = proxyMiddleware;
-        }
-
-        proxyMiddleware(req, res, next);
-    });
-
-    gHttpServer.listen(PORT, callback);
-}
-
-async.series([
-    database.initialize,
-    startServer
-], function (error) {
-    if (error) {
-        console.error('Failed to start proxy server.', error);
-        process.exit(1);
-    }
-
-    console.log('Proxy server listening...');
-});
@@ -12,9 +12,6 @@
  "engines": [
    "node >= 0.12.0"
  ],
-  "bin": {
-    "cloudron": "./app.js"
-  },
  "dependencies": {
    "async": "^1.2.1",
    "aws-sdk": "^2.1.46",
@@ -3,7 +3,7 @@
 # If you change the infra version, be sure to put a warning
 # in the change log

-INFRA_VERSION=8
+INFRA_VERSION=10

 # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 # These constants are used in the installer script as well
@@ -26,6 +26,10 @@ cp "${container_files}/sudoers" /etc/sudoers.d/yellowtent
 rm -rf /etc/collectd
 ln -sfF "${DATA_DIR}/collectd" /etc/collectd

+########## apparmor docker profile
+cp "${container_files}/docker-cloudron-app.apparmor" /etc/apparmor.d/docker-cloudron-app
+systemctl restart apparmor
+
 ########## nginx
 # link nginx config to system config
 unlink /etc/nginx 2>/dev/null || rm -rf /etc/nginx
@@ -0,0 +1,32 @@
+#include <tunables/global>
+
+
+profile docker-cloudron-app flags=(attach_disconnected,mediate_deleted) {
+
+  #include <abstractions/base>
+
+  ptrace peer=@{profile_name},
+
+  network,
+  capability,
+  file,
+  umount,
+
+  deny @{PROC}/sys/fs/** wklx,
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+  deny @{PROC}/sys/kernel/*/** wklx,
+
+  deny mount,
+
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+  deny /sys/firmware/efi/efivars/** rwklx,
+  deny /sys/kernel/security/** rwklx,
+}
+
@@ -1,15 +0,0 @@
-[Unit]
-Description=Cloudron App Health Monitor
-OnFailure=crashnotifier@%n.service
-StopWhenUnneeded=true
-
-[Service]
-Type=idle
-WorkingDirectory=/home/yellowtent/box
-Restart=always
-ExecStart="/home/yellowtent/box/apphealthtask.js"
-Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
-KillMode=process
-User=yellowtent
-Group=yellowtent
-MemoryLimit=50M
@@ -7,7 +7,7 @@ StopWhenUnneeded=true
 Type=idle
 WorkingDirectory=/home/yellowtent/box
 Restart=always
-ExecStart="/home/yellowtent/box/app.js"
+ExecStart=/usr/bin/node --max_old_space_size=150 /home/yellowtent/box/box.js
 Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
 KillMode=process
 User=yellowtent
@@ -2,8 +2,8 @@
 Description=Cloudron Smart Cloud
 Documentation=https://cloudron.io/documentation.html
 StopWhenUnneeded=true
-Requires=apphealthtask.service box.service janitor.service oauthproxy.service
-After=apphealthtask.service box.service janitor.service oauthproxy.service
+Requires=box.service janitor.timer
+After=box.service janitor.timer
 # AllowIsolate=yes

 [Install]
@@ -12,4 +12,4 @@ Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmi
 KillMode=process
 User=yellowtent
 Group=yellowtent
-
+MemoryLimit=50M
@@ -1,16 +1,15 @@
 [Unit]
 Description=Cloudron Janitor
 OnFailure=crashnotifier@%n.service
-StopWhenUnneeded=true

 [Service]
-Type=idle
+Type=simple
 WorkingDirectory=/home/yellowtent/box
-Restart=always
-ExecStart="/home/yellowtent/box/janitor.js"
+Restart=no
+ExecStart=/usr/bin/node /home/yellowtent/box/janitor.js
 Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
 KillMode=process
 User=yellowtent
 Group=yellowtent
 MemoryLimit=50M
-
+WatchdogSec=30
@@ -0,0 +1,10 @@
+[Unit]
+Description=Cloudron Janitor
+StopWhenUnneeded=true
+
+[Timer]
+# this activates it immediately
+OnBootSec=0
+OnUnitActiveSec=30min
+Unit=janitor.service
+
@@ -1,16 +0,0 @@
-[Unit]
-Description=Cloudron OAuth Proxy Service
-OnFailure=crashnotifier@%n.service
-StopWhenUnneeded=true
-
-[Service]
-Type=idle
-WorkingDirectory=/home/yellowtent/box
-Restart=always
-ExecStart="/home/yellowtent/box/oauthproxy.js"
-Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
-KillMode=process
-User=yellowtent
-Group=yellowtent
-MemoryLimit=50M
-
@@ -220,7 +220,7 @@ LoadPlugin write_graphite
 </Plugin>

 <Plugin processes>
-   ProcessMatch "app" "node app.js"
+   ProcessMatch "app" "node box.js"
 </Plugin>

 <Plugin swap>
@@ -69,7 +69,7 @@ server {
        }

 <% } else if ( endpoint === 'oauthproxy' ) { %>
-        proxy_pass http://127.0.0.1:4000;
+        proxy_pass http://127.0.0.1:3003;
        proxy_set_header   X-Cloudron-Proxy-Port   <%= port %>;
 <% } else if ( endpoint === 'app' ) { %>
        proxy_pass http://127.0.0.1:<%= port %>;
@@ -28,6 +28,8 @@ fi

 # graphite
 graphite_container_id=$(docker run --restart=always -d --name="graphite" \
+    -m 75m \
+    --memory-swap 150m \
    -p 127.0.0.1:2003:2003 \
    -p 127.0.0.1:2004:2004 \
    -p 127.0.0.1:8000:8000 \
@@ -37,6 +39,8 @@ echo "Graphite container id: ${graphite_container_id}"

 # mail
 mail_container_id=$(docker run --restart=always -d --name="mail" \
+    -m 75m \
+    --memory-swap 150m \
    -p 127.0.0.1:25:25 \
    -h "${arg_fqdn}" \
    -e "DOMAIN_NAME=${arg_fqdn}" \
@@ -52,6 +56,8 @@ readonly MYSQL_ROOT_PASSWORD='${mysql_addon_root_password}'
 readonly MYSQL_ROOT_HOST='${docker0_ip}'
 EOF
 mysql_container_id=$(docker run --restart=always -d --name="mysql" \
+    -m 100m \
+    --memory-swap 200m \
    -h "${arg_fqdn}" \
    -v "${DATA_DIR}/mysql:/var/lib/mysql" \
    -v "${DATA_DIR}/addons/mysql_vars.sh:/etc/mysql/mysql_vars.sh:ro" \
@@ -64,6 +70,8 @@ cat > "${DATA_DIR}/addons/postgresql_vars.sh" <<EOF
 readonly POSTGRESQL_ROOT_PASSWORD='${postgresql_addon_root_password}'
 EOF
 postgresql_container_id=$(docker run --restart=always -d --name="postgresql" \
+    -m 100m \
+    --memory-swap 200m \
    -h "${arg_fqdn}" \
    -v "${DATA_DIR}/postgresql:/var/lib/postgresql" \
    -v "${DATA_DIR}/addons/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh:ro" \
@@ -76,6 +84,8 @@ cat > "${DATA_DIR}/addons/mongodb_vars.sh" <<EOF
 readonly MONGODB_ROOT_PASSWORD='${mongodb_addon_root_password}'
 EOF
 mongodb_container_id=$(docker run --restart=always -d --name="mongodb" \
+    -m 100m \
+    --memory-swap 200m \
    -h "${arg_fqdn}" \
    -v "${DATA_DIR}/mongodb:/var/lib/mongodb" \
    -v "${DATA_DIR}/addons/mongodb_vars.sh:/etc/mongodb_vars.sh:ro" \
@@ -677,6 +677,8 @@ function setupRedis(app, callback) {
            redisVarsFile + ':/etc/redis/redis_vars.sh:ro',
            redisDataDir + ':/var/lib/redis:rw'
        ],
+        Memory: 1024 * 1024 * 75, // 100mb
+        MemorySwap: 1024 * 1024 * 75 * 2, // 150mb
        // On Mac (boot2docker), we have to export the port to external world for port forwarding from Mac to work
        // On linux, export to localhost only for testing purposes and not for the app itself
        PortBindings: {
@@ -6,6 +6,7 @@ exports = module.exports = {
    get: get,
    getBySubdomain: getBySubdomain,
    getByHttpPort: getByHttpPort,
+    getByContainerId: getByContainerId,
    add: add,
    exists: exists,
    del: del,
@@ -145,6 +146,22 @@ function getByHttpPort(httpPort, callback) {
    });
 }

+function getByContainerId(containerId, callback) {
+    assert.strictEqual(typeof containerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('SELECT ' + APPS_FIELDS_PREFIXED + ','
+        + 'GROUP_CONCAT(CAST(appPortBindings.hostPort AS CHAR(6))) AS hostPorts, GROUP_CONCAT(appPortBindings.environmentVariable) AS environmentVariables'
+        + '  FROM apps LEFT OUTER JOIN appPortBindings ON apps.id = appPortBindings.appId WHERE containerId = ? GROUP BY apps.id', [ containerId ], function (error, result) {
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+
+        postProcess(result[0]);
+
+        callback(null, result[0]);
+    });
+}
+
 function getAll(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -1,44 +1,33 @@
-#!/usr/bin/env node
-
 'use strict';

-require('supererror')({ splatchError: true });
-
-var appdb = require('./src/appdb.js'),
+var appdb = require('./appdb.js'),
    assert = require('assert'),
    async = require('async'),
-    database = require('./src/database.js'),
-    DatabaseError = require('./src/databaseerror.js'),
-    debug = require('debug')('box:apphealthtask'),
-    docker = require('./src/docker.js'),
-    mailer = require('./src/mailer.js'),
+    DatabaseError = require('./databaseerror.js'),
+    debug = require('debug')('box:apphealthmonitor'),
+    docker = require('./docker.js'),
+    mailer = require('./mailer.js'),
    superagent = require('superagent'),
    util = require('util');

 exports = module.exports = {
-    run: run
+    start: start,
+    stop: stop
 };

 var HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
 var UNHEALTHY_THRESHOLD = 3 * 60 * 1000; // 3 minutes
 var gHealthInfo = { }; // { time, emailSent }
+var gRunTimeout = null;
+var gDockerEventStream = null;

-function debugApp(app, args) {
+function debugApp(app) {
    assert(!app || typeof app === 'object');

    var prefix = app ? app.location : '(no app)';
    debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }

-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    async.series([
-        database.initialize,
-        mailer.initialize
-    ], callback);
-}
-
 function setHealth(app, health, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof health, 'string');
@@ -130,18 +119,68 @@ function run() {
    processApps(function (error) {
        if (error) console.error(error);

-        setTimeout(run, HEALTHCHECK_INTERVAL);
+        gRunTimeout = setTimeout(run, HEALTHCHECK_INTERVAL);
    });
 }

-if (require.main === module) {
-    initialize(function (error) {
-        if (error) {
-            console.error('apphealth task exiting with error', error);
-            process.exit(1);
-        }
+/*
+    OOM can be tested using stress tool like so:
+        docker run -ti -m 100M cloudron/base:0.3.3 /bin/bash
+        apt-get update && apt-get install stress
+        stress --vm 1 --vm-bytes 200M --vm-hang 0
+*/
+function processDockerEvents() {
+    // note that for some reason, the callback is called only on the first event
+    debug('Listening for docker events');
+    docker.getEvents({ filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
+        if (error) return console.error(error);

-        run();
+        gDockerEventStream = stream;
+
+        stream.setEncoding('utf8');
+        stream.on('data', function (data) {
+            var ev = JSON.parse(data);
+            debug('Container ' + ev.id + ' went OOM');
+            appdb.getByContainerId(ev.id, function (error, app) {
+                var program = error || !app.appStoreId ? ev.id : app.appStoreId;
+                var context = JSON.stringify(ev);
+                if (app) context = context + '\n\n' + JSON.stringify(app, null, 4) + '\n';
+
+                debug('OOM Context: %s', context);
+                mailer.sendCrashNotification(program, context); // app can be null if it's an addon crash
+            });
+        });
+
+        stream.on('error', function (error) {
+            console.error('Error reading docker events', error);
+            gDockerEventStream = null; // TODO: reconnect?
+        });
+
+        stream.on('end', function () {
+            console.error('Docke event stream ended');
+            gDockerEventStream = null; // TODO: reconnect?
+            stream.end();
+        });
    });
 }

+function start(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('Starting apphealthmonitor');
+
+    processDockerEvents();
+
+    run();
+
+    callback();
+}
+
+function stop(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    clearTimeout(gRunTimeout);
+    gDockerEventStream.end();
+
+    callback();
+}
@@ -140,16 +140,18 @@ function validatePortBindings(portBindings, tcpPorts) {
    // these ports are reserved even if we listen only on 127.0.0.1 because we setup HostIp to be 127.0.0.1
    // for custom tcp ports
    var RESERVED_PORTS = [
-        22, /* ssh */
        25, /* smtp */
        53, /* dns */
        80, /* http */
        443, /* https */
+        919, /* ssh */
        2003, /* graphite (lo) */
        2004, /* graphite (lo) */
        2020, /* install server */
        config.get('port'), /* app server (lo) */
        config.get('internalPort'), /* internal app server (lo) */
+        config.get('ldapPort'), /* ldap server (lo) */
+        config.get('oauthProxyPort'), /* oauth proxy server (lo) */
        3306, /* mysql (lo) */
        8000 /* graphite (lo) */
    ];
@@ -649,27 +651,38 @@ function autoupdateApps(updateInfo, callback) { // updateInfo is { appId -> { ma
    assert.strictEqual(typeof callback, 'function');

    function canAutoupdateApp(app, newManifest) {
-        // TODO: maybe check the description as well?
-        if (!newManifest.tcpPorts && !app.portBindings) return true;
-        if (!newManifest.tcpPorts || !app.portBindings) return false;
+        var tcpPorts = newManifest.tcpPorts || { };
+        var portBindings = app.portBindings; // this is never null

-        for (var env in newManifest.tcpPorts) {
-            if (!(env in app.portBindings)) return false;
-       }
+        if (Object.keys(tcpPorts).length === 0 && Object.keys(portBindings).length === 0) return null;
+        if (Object.keys(tcpPorts).length === 0) return new Error('tcpPorts is now empty but portBindings is not');
+        if (Object.keys(portBindings).length === 0) return new Error('portBindings is now empty but tcpPorts is not');

-        return true;
+        for (var env in tcpPorts) {
+            if (!(env in portBindings)) return new Error(env + ' is required from user');
+        }
+
+        // it's fine if one or more keys got removed
+        return null;
    }

    if (!updateInfo) return callback(null);

    async.eachSeries(Object.keys(updateInfo), function iterator(appId, iteratorDone) {
        get(appId, function (error, app) {
-            if (!canAutoupdateApp(app, updateInfo[appId].manifest)) {
+            if (error) {
+                debug('Cannot autoupdate app %s : %s', appId, error.message);
+                return iteratorDone();
+           }
+
+            error = canAutoupdateApp(app, updateInfo[appId].manifest);
+            if (error) {
+                debug('app %s requires manual update. %s', appId, error.message);
                return iteratorDone();
            }

           update(appId, false /* force */, updateInfo[appId].manifest, app.portBindings, null /* icon */, function (error) {
-                if (error) debug('Error initiating autoupdate of %s', appId);
+                if (error) debug('Error initiating autoupdate of %s. %s', appId, error.message);

                iteratorDone(null);
            });
@@ -677,33 +690,35 @@ function autoupdateApps(updateInfo, callback) { // updateInfo is { appId -> { ma
    }, callback);
 }

-function backupApp(app, addonsToBackup, callback) {
+function canBackupApp(app) {
+    // only backup apps that are installed or pending configure. Rest of them are in some
+    // state not good for consistent backup (i.e addons may not have been setup completely)
+    return (app.installationState === appdb.ISTATE_INSTALLED && app.health === appdb.HEALTH_HEALTHY) ||
+            app.installationState === appdb.ISTATE_PENDING_CONFIGURE ||
+            app.installationState === appdb.ISTATE_PENDING_BACKUP ||
+            app.installationState === appdb.ISTATE_PENDING_UPDATE; // called from apptask
+}
+
+// set the 'creation' date of lastBackup so that the backup persists across time based archival rules
+// s3 does not allow changing creation time, so copying the last backup is easy way out for now
+function reuseOldBackup(app, callback) {
+    assert.strictEqual(typeof app.lastBackupId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    backups.copyLastBackup(app, function (error, newBackupId) {
+        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+        debugApp(app, 'reuseOldBackup: reused old backup %s as %s', app.lastBackupId, newBackupId);
+
+        callback(null, newBackupId);
+    });
+}
+
+function createNewBackup(app, addonsToBackup, callback) {
    assert.strictEqual(typeof app, 'object');
    assert(!addonsToBackup || typeof addonsToBackup, 'object');
    assert.strictEqual(typeof callback, 'function');

-    function canBackupApp(app) {
-        // only backup apps that are installed or pending configure. Rest of them are in some
-        // state not good for consistent backup (i.e addons may not have been setup completely)
-        return (app.installationState === appdb.ISTATE_INSTALLED && app.health === appdb.HEALTH_HEALTHY) ||
-                app.installationState === appdb.ISTATE_PENDING_CONFIGURE ||
-                app.installationState === appdb.ISTATE_PENDING_BACKUP ||
-                app.installationState === appdb.ISTATE_PENDING_UPDATE; // called from apptask
-    }
-
-    if (!canBackupApp(app)) return callback(new AppsError(AppsError.BAD_STATE, 'App not healthy'));
-
-    var appConfig = {
-        manifest: app.manifest,
-        location: app.location,
-        portBindings: app.portBindings,
-        accessRestriction: app.accessRestriction
-    };
-
-    if (!safe.fs.writeFileSync(path.join(paths.DATA_DIR, app.id + '/config.json'), JSON.stringify(appConfig), 'utf8')) {
-        return callback(safe.error);
-    }
-
    backups.getBackupUrl(app, function (error, result) {
        if (error && error.reason === BackupsError.EXTERNAL_ERROR) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error.message));
        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
@@ -718,13 +733,49 @@ function backupApp(app, addonsToBackup, callback) {
        ], function (error) {
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-            debugApp(app, 'backupApp: successful id:%s', result.id);
+            callback(null, result.id);
+        });
+    });
+}

-            setRestorePoint(app.id, result.id, appConfig, function (error) {
-                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+function backupApp(app, addonsToBackup, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert(!addonsToBackup || typeof addonsToBackup, 'object');
+    assert.strictEqual(typeof callback, 'function');

-                return callback(null, result.id);
-            });
+    var appConfig = null, backupFunction;
+
+    if (!canBackupApp(app)) {
+        if (!app.lastBackupId) {
+            debugApp(app, 'backupApp: cannot backup app');
+            return callback(new AppsError(AppsError.BAD_STATE, 'App not healthy and never backed up previously'));
+        }
+
+        appConfig = app.lastBackupConfig;
+        backupFunction = reuseOldBackup.bind(null, app);
+    } else {
+        appConfig = {
+            manifest: app.manifest,
+            location: app.location,
+            portBindings: app.portBindings,
+            accessRestriction: app.accessRestriction
+        };
+        backupFunction = createNewBackup.bind(null, app, addonsToBackup);
+
+        if (!safe.fs.writeFileSync(path.join(paths.DATA_DIR, app.id + '/config.json'), JSON.stringify(appConfig), 'utf8')) {
+            return callback(safe.error);
+        }
+    }
+
+    backupFunction(function (error, backupId) {
+        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+        debugApp(app, 'backupApp: successful id:%s', backupId);
+
+        setRestorePoint(app.id, backupId, appConfig, function (error) {
+            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+
+            return callback(null, backupId);
        });
    });
 }
@@ -25,6 +25,12 @@ exports = module.exports = {

 require('supererror')({ splatchError: true });

+// remove timestamp from debug() based output
+require('debug').formatArgs = function formatArgs() {
+    arguments[0] = this.namespace + ' ' + arguments[0];
+    return arguments;
+};
+
 var addons = require('./addons.js'),
    appdb = require('./appdb.js'),
    apps = require('./apps.js'),
@@ -346,7 +352,8 @@ function startContainer(app, callback) {
                "Name": "always",
                "MaximumRetryCount": 0
            },
-            CpuShares: 512 // relative to 1024 for system processes
+            CpuShares: 512, // relative to 1024 for system processes
+            SecurityOpt: config.CLOUDRON ? [ "apparmor:docker-cloudron-app" ] : null // profile available only on cloudron
        };

        var container = docker.getContainer(app.containerId);
@@ -429,11 +436,11 @@ function registerSubdomain(app, callback) {
    // need to register it so that we have a dnsRecordId to wait for it to complete
    var record = { subdomain: app.location, type: 'A', value: sysinfo.getIp() };

-    async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
+    async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
        debugApp(app, 'Registering subdomain location [%s]', app.location);

        subdomains.add(record, function (error, changeId) {
-            if (error && error.reason === SubdomainError.STILL_BUSY) return retryCallback(error); // try again
+            if (error && (error.reason === SubdomainError.STILL_BUSY || error.reason === SubdomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again

            retryCallback(null, error || changeId);
        });
@@ -457,9 +464,9 @@ function unregisterSubdomain(app, location, callback) {
        debugApp(app, 'Unregistering subdomain: %s', location);

        subdomains.remove(record, function (error) {
-            if (error && error.reason === SubdomainError.STILL_BUSY) return retryCallback(error); // try again
+            if (error && (error.reason === SubdomainError.STILL_BUSY || error.reason === SubdomainError.EXTERNAL_ERROR))return retryCallback(error); // try again

-            retryCallback(null);
+            retryCallback(error);
        });
    }, function (error) {
        if (error) debugApp(app, 'Error unregistering subdomain: %s', error);
@@ -684,8 +691,8 @@ function configure(app, callback) {
        stopApp.bind(null, app),
        deleteContainer.bind(null, app),
        function (next) {
-            // oldConfig can be null during an infra update
-            if (!app.oldConfig || app.oldConfig.location === app.location) return next();
+            // oldConfig can be null during an infra update. location can be null when infra updated for an updated app
+            if (!app.oldConfig || !app.oldConfig.location || app.oldConfig.location === app.location) return next();
            unregisterSubdomain(app, app.oldConfig.location, next);
        },
        removeOAuthProxyCredentials.bind(null, app),
@@ -8,7 +8,9 @@ exports = module.exports = {

    addSubdomain: addSubdomain,
    delSubdomain: delSubdomain,
-    getChangeStatus: getChangeStatus
+    getChangeStatus: getChangeStatus,
+
+    copyObject: copyObject
 };

 var assert = require('assert'),
@@ -259,3 +261,22 @@ function getChangeStatus(changeId, callback) {
        });
    });
 }
+
+function copyObject(from, to, callback) {
+    assert.strictEqual(typeof from, 'string');
+    assert.strictEqual(typeof to, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    getAWSCredentials(function (error, credentials) {
+        if (error) return callback(error);
+
+        var params = {
+            Bucket: config.aws().backupBucket, // target bucket
+            Key: config.aws().backupPrefix + '/' + to, // target file
+            CopySource: config.aws().backupBucket + '/' + config.aws().backupPrefix + '/' + from, // source
+        };
+
+        var s3 = new AWS.S3(credentials);
+        s3.copyObject(params, callback);
+    });
+}
@@ -6,7 +6,9 @@ exports = module.exports = {
    getAllPaged: getAllPaged,

    getBackupUrl: getBackupUrl,
-    getRestoreUrl: getRestoreUrl
+    getRestoreUrl: getRestoreUrl,
+
+    copyLastBackup: copyLastBackup
 };

 var assert = require('assert'),
@@ -76,7 +78,7 @@ function getBackupUrl(app, callback) {
            backupKey: config.backupKey()
        };

-        debug('getBackupUrl: ', obj);
+        debug('getBackupUrl: id:%s url:%s sessionToken:%s backupKey:%s', obj.id, obj.url, obj.sessionToken, obj.backupKey);

        callback(null, obj);
    });
@@ -97,8 +99,21 @@ function getRestoreUrl(backupId, callback) {
            backupKey: config.backupKey()
        };

-        debug('getRestoreUrl: ', obj);
+        debug('getRestoreUrl: id:%s url:%s sessionToken:%s backupKey:%s', obj.id, obj.url, obj.sessionToken, obj.backupKey);

        callback(null, obj);
    });
 }
+
+function copyLastBackup(app, callback) {
+    assert(app && typeof app === 'object');
+    assert.strictEqual(typeof app.lastBackupId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var toFilename = util.format('appbackup_%s_%s-v%s.tar.gz', app.id, (new Date()).toISOString(), app.manifest.version);
+    aws.copyObject(app.lastBackupId, toFilename, function (error) {
+        if (error) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error));
+
+        return callback(null, toFilename);
+    });
+}
@@ -0,0 +1,88 @@
+/* jslint node:true */
+
+'use strict';
+
+exports = module.exports = {
+    addSubdomain: addSubdomain,
+    delSubdomain: delSubdomain,
+    getChangeStatus: getChangeStatus
+};
+
+var assert = require('assert'),
+    config = require('./config.js'),
+    debug = require('debug')('box:caas'),
+    SubdomainError = require('./subdomainerror.js'),
+    superagent = require('superagent'),
+    util = require('util');
+
+function addSubdomain(zoneName, subdomain, type, value, callback) {
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof value, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('addSubdomain: ' + subdomain + ' for domain ' + zoneName + ' with value ' + value);
+
+    var data = {
+        type: type,
+        value: value
+    };
+
+    superagent
+        .post(config.apiServerOrigin() + '/api/v1/domains/' + config.appFqdn(subdomain))
+        .query({ token: config.token() })
+        .send(data)
+        .end(function (error, result) {
+            if (error) return callback(error);
+            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.status !== 201) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+
+            return callback(null, result.body.changeId);
+        });
+}
+
+function delSubdomain(zoneName, subdomain, type, value, callback) {
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof subdomain, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof value, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('delSubdomain: %s for domain %s.', subdomain, zoneName);
+
+    var data = {
+        type: type,
+        value: value
+    };
+
+    superagent
+        .del(config.apiServerOrigin() + '/api/v1/domains/' + config.appFqdn(subdomain))
+        .query({ token: config.token() })
+        .send(data)
+        .end(function (error, result) {
+            if (error) return callback(error);
+            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.status !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+
+            return callback(null);
+        });
+}
+
+function getChangeStatus(changeId, callback) {
+    assert.strictEqual(typeof changeId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (changeId === '') return callback(null, 'INSYNC');
+
+    superagent
+        .get(config.apiServerOrigin() + '/api/v1/domains/' + config.fqdn() + '/status/' + changeId)
+        .query({ token: config.token() })
+        .end(function (error, result) {
+            if (error) return callback(error);
+            if (result.status !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+
+            return callback(null, result.body.status);
+        });
+
+}
@@ -138,7 +138,7 @@ function setTimeZone(ip, callback) {
        }

        if (!result.body.timezone) {
-            debug('No timezone in geoip response');
+            debug('No timezone in geoip response : %j', result.body);
            return callback(null);
        }

@@ -158,7 +158,7 @@ function activate(username, password, email, name, ip, callback) {

    debug('activating user:%s email:%s', username, email);

-    setTimeZone(ip, function () { });
+    setTimeZone(ip, function () { }); // TODO: get this from user. note that timezone is detected based on the browser location and not the cloudron region

    if (!name) name = settings.getDefaultSync(settings.CLOUDRON_NAME_KEY);

@@ -463,7 +463,7 @@ function doUpgrade(boxUpdateInfo, callback) {
        callback(e);
    }

-    progress.set(progress.UPDATE, 5, 'Create app and box backup for upgrade');
+    progress.set(progress.UPDATE, 5, 'Backing up for upgrade');

    backupBoxAndApps(function (error) {
        if (error) return upgradeError(error);
@@ -492,9 +492,9 @@ function doUpdate(boxUpdateInfo, callback) {
        callback(e);
    }

-    progress.set(progress.UPDATE, 5, 'Create box backup for update');
+    progress.set(progress.UPDATE, 5, 'Backing up for update');

-    backupBox(function (error) {
+    backupBoxAndApps(function (error) {
        if (error) return updateError(error);

        // fetch a signed sourceTarballUrl
@@ -549,6 +549,9 @@ function backup(callback) {
    var error = locker.lock(locker.OP_FULL_BACKUP);
    if (error) return callback(new CloudronError(CloudronError.BAD_STATE, error.message));

+    // clearing backup ensures tools can 'wait' on progress
+    progress.clear(progress.BACKUP);
+
    // start the backup operation in the background
    backupBoxAndApps(function (error) {
        if (error) console.error('backup failed.', error);
@@ -633,12 +636,12 @@ function backupBoxAndApps(callback) {
            apps.backupApp(app, app.manifest.addons, function (error, backupId) {
                progress.set(progress.BACKUP, step * processed, 'Backed up app at ' + app.location);

-                if (error && error.reason === AppsError.BAD_STATE) {
-                    debugApp(app, 'Skipping backup (istate:%s health:%s). using lastBackupId:%s', app.installationState, app.health, app.lastBackupId);
-                    backupId = app.lastBackupId;
+                if (error && error.reason !== AppsError.BAD_STATE) {
+                    debugApp(app, 'Unable to backup', error);
+                    return iteratorCallback(error);
                }

-                return iteratorCallback(null, backupId);
+                iteratorCallback(null, backupId || null); // clear backupId if is in BAD_STATE and never backed up
            });
        }, function appsBackedUp(error, backupIds) {
            if (error) {
@@ -646,7 +649,7 @@ function backupBoxAndApps(callback) {
                return callback(error);
            }

-            backupIds = backupIds.filter(function (id) { return id !== null; }); // remove apps that were never backed up
+            backupIds = backupIds.filter(function (id) { return id !== null; }); // remove apps in bad state that were never backed up

            backupBoxWithAppBackupIds(backupIds, function (error, restoreKey) {
                progress.set(progress.BACKUP, 100, error ? error.message : '');
@@ -25,6 +25,7 @@ exports = module.exports = {

    // these values are derived
    adminOrigin: adminOrigin,
+    internalAdminOrigin: internalAdminOrigin,
    appFqdn: appFqdn,
    zoneName: zoneName,

@@ -73,6 +74,7 @@ function initConfig() {
    data.webServerOrigin = null;
    data.internalPort = 3001;
    data.ldapPort = 3002;
+    data.oauthProxyPort = 3003;
    data.backupKey = 'backupKey';
    data.aws = {
        backupBucket: null,
@@ -162,6 +164,10 @@ function adminOrigin() {
    return 'https://' + appFqdn(constants.ADMIN_LOCATION);
 }

+function internalAdminOrigin() {
+    return 'http://127.0.0.1:' + get('port');
+}
+
 function token() {
    return get('token');
 }
@@ -48,6 +48,8 @@ function recreateJobs(unusedTimeZone, callback) {
    if (typeof unusedTimeZone === 'function') callback = unusedTimeZone;

    settings.getAll(function (error, allSettings) {
+        debug('Creating jobs with timezone %s', allSettings[settings.TIME_ZONE_KEY]);
+
        if (gHeartbeatJob) gHeartbeatJob.stop();
        gHeartbeatJob = new CronJob({
            cronTime: '00 */1 * * * *', // every minute
@@ -110,7 +112,7 @@ function autoupdatePatternChanged(pattern) {
            }
        },
        start: true,
-        timeZone: gBoxUpdateCheckerJob.cronTime.timeZone // hack
+        timeZone: gBoxUpdateCheckerJob.cronTime.zone // hack
    });
 }

@@ -1,7 +1,8 @@
 'use strict';

 exports = module.exports = {
-    start: start
+    start: start,
+    stop: stop
 };

 var assert = require('assert'),
@@ -28,7 +29,7 @@ var GROUP_USERS_DN = 'cn=users,ou=groups,dc=cloudron';
 var GROUP_ADMINS_DN = 'cn=admins,ou=groups,dc=cloudron';

 function start(callback) {
-    assert(typeof callback === 'function');
+    assert.strictEqual(typeof callback, 'function');

    gServer = ldap.createServer({ log: gLogger });

@@ -123,3 +124,11 @@ function start(callback) {

    gServer.listen(config.get('ldapPort'), callback);
 }
+
+function stop(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gServer.close();
+
+    callback();
+}
@@ -2,7 +2,7 @@

 Dear Cloudron Team,

-unfortunately the <%= program %> on <%= fqdn %> crashed unexpectedly!
+Unfortunately <%= program %> on <%= fqdn %> crashed unexpectedly!

 Please see some excerpt of the logs below.

@@ -11,7 +11,7 @@ Your Cloudron

 -------------------------------------

-<%= context %>
+<%- context %>

 <% } else { %>

@@ -0,0 +1,192 @@
+'use strict';
+
+exports = module.exports = {
+    start: start,
+    stop: stop
+};
+
+var appdb = require('./appdb.js'),
+    assert = require('assert'),
+    clientdb = require('./clientdb.js'),
+    config = require('./config.js'),
+    debug = require('debug')('box:proxy'),
+    express = require('express'),
+    http = require('http'),
+    proxy = require('proxy-middleware'),
+    session = require('cookie-session'),
+    superagent = require('superagent'),
+    url = require('url'),
+    uuid = require('node-uuid');
+
+var gSessions = {};
+var gProxyMiddlewareCache = {};
+var gHttpServer = null;
+
+var CALLBACK_URI = '/callback';
+
+function attachSessionData(req, res, next) {
+    assert.strictEqual(typeof req.session, 'object');
+
+    if (!req.session.id || !gSessions[req.session.id]) {
+        req.session.id = uuid.v4();
+        gSessions[req.session.id] = {};
+    }
+
+    // attach the session data to the requeset
+    req.sessionData = gSessions[req.session.id];
+
+    next();
+}
+
+function verifySession(req, res, next) {
+    assert.strictEqual(typeof req.sessionData, 'object');
+
+    if (!req.sessionData.accessToken) {
+        req.authenticated = false;
+        return next();
+    }
+
+    // use http admin origin so that it works with self-signed certs
+    superagent
+        .get(config.internalAdminOrigin() + '/api/v1/profile')
+        .query({ access_token: req.sessionData.accessToken})
+        .end(function (error, result) {
+        if (error) {
+            console.error(error);
+            req.authenticated = false;
+        } else if (result.statusCode !== 200) {
+            req.sessionData.accessToken = null;
+            req.authenticated = false;
+        } else {
+            req.authenticated = true;
+        }
+
+        next();
+    });
+}
+
+function authenticate(req, res, next) {
+    // proceed if we are authenticated
+    if (req.authenticated) return next();
+
+    if (req.path === CALLBACK_URI && req.sessionData.returnTo) {
+        // exchange auth code for an access token
+        var query = {
+            response_type: 'token',
+            client_id: req.sessionData.clientId
+        };
+
+        var data = {
+            grant_type: 'authorization_code',
+            code: req.query.code,
+            redirect_uri: req.sessionData.returnTo,
+            client_id: req.sessionData.clientId,
+            client_secret: req.sessionData.clientSecret
+        };
+
+        // use http admin origin so that it works with self-signed certs
+        superagent
+            .post(config.internalAdminOrigin() + '/api/v1/oauth/token')
+            .query(query).send(data)
+            .end(function (error, result) {
+            if (error) {
+                console.error(error);
+                return res.send(500, 'Unable to contact the oauth server.');
+            }
+            if (result.statusCode !== 200) {
+                console.error('Failed to exchange auth code for a token.', result.statusCode, result.body);
+                return res.send(500, 'Failed to exchange auth code for a token.');
+            }
+
+            req.sessionData.accessToken = result.body.access_token;
+
+            debug('user verified.');
+
+            // now redirect to the actual initially requested URL
+            res.redirect(req.sessionData.returnTo);
+        });
+    } else {
+        var port = parseInt(req.headers['x-cloudron-proxy-port'], 10);
+
+        if (!Number.isFinite(port)) {
+            console.error('Failed to parse nginx proxy header to get app port.');
+            return res.send(500, 'Routing error. No forwarded port.');
+        }
+
+        debug('begin verifying user for app on port %s.', port);
+
+        appdb.getByHttpPort(port, function (error, result) {
+            if (error) {
+                console.error('Unknown app.', error);
+                return res.send(500, 'Unknown app.');
+            }
+
+            clientdb.getByAppId('proxy-' + result.id, function (error, result) {
+                if (error) {
+                    console.error('Unkonwn OAuth client.', error);
+                    return res.send(500, 'Unknown OAuth client.');
+                }
+
+                req.sessionData.port = port;
+                req.sessionData.returnTo = result.redirectURI + req.path;
+                req.sessionData.clientId = result.id;
+                req.sessionData.clientSecret = result.clientSecret;
+
+                var callbackUrl = result.redirectURI + CALLBACK_URI;
+                var scope = 'profile,roleUser';
+                var oauthLogin = config.adminOrigin() + '/api/v1/oauth/dialog/authorize?response_type=code&client_id=' + result.id + '&redirect_uri=' + callbackUrl + '&scope=' + scope;
+
+                debug('begin OAuth flow for client %s.', result.name);
+
+                // begin the OAuth flow
+                res.redirect(oauthLogin);
+            });
+        });
+    }
+}
+
+function forwardRequestToApp(req, res, next) {
+    var port = req.sessionData.port;
+
+    debug('proxy request for port %s with path %s.', port, req.path);
+
+    var proxyMiddleware = gProxyMiddlewareCache[port];
+    if (!proxyMiddleware) {
+        console.log('Adding proxy middleware for port %d', port);
+
+        proxyMiddleware = proxy(url.parse('http://127.0.0.1:' + port));
+        gProxyMiddlewareCache[port] = proxyMiddleware;
+    }
+
+    proxyMiddleware(req, res, next);
+}
+
+function initializeServer() {
+    var app = express();
+    var httpServer = http.createServer(app);
+
+    httpServer.on('error', console.error);
+
+    app
+        .use(session({ keys: ['blue', 'cheese', 'is', 'something'] }))
+        .use(attachSessionData)
+        .use(verifySession)
+        .use(authenticate)
+        .use(forwardRequestToApp);
+
+    return httpServer;
+}
+
+function start(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gHttpServer = initializeServer();
+
+    gHttpServer.listen(config.get('oauthProxyPort'), callback);
+}
+
+function stop(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gHttpServer.close(callback);
+}
@@ -7,6 +7,7 @@ exports = module.exports = {
 };

 var cloudron = require('../cloudron.js'),
+    CloudronError = require('../cloudron.js').CloudronError,
    debug = require('debug')('box:routes/internal'),
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess;
@@ -14,10 +15,12 @@ var cloudron = require('../cloudron.js'),
 function backup(req, res, next) {
    debug('trigger backup');

+    // note that cloudron.backup only waits for backup initiation and not for backup to complete
+    // backup progress can be checked up ny polling the progress api call
    cloudron.backup(function (error) {
-        if (error) debug('Internal route backup failed', error);
-    });
+        if (error && error.reason === CloudronError.BAD_STATE) return next(new HttpError(409, error.message));
+        if (error) return next(new HttpError(500, error));

-    // we always succeed to trigger a backup
-    next(new HttpSuccess(202, {}));
+        next(new HttpSuccess(202, {}));
+    });
 }
@@ -591,8 +591,8 @@ describe('Clients', function () {
        email: 'some@email.com',
        admin: true,
        salt: 'somesalt',
-        createdAt: (new Date()).toUTCString(),
-        modifiedAt: (new Date()).toUTCString(),
+        createdAt: (new Date()).toISOString(),
+        modifiedAt: (new Date()).toISOString(),
        resetToken: hat(256)
    };

@@ -199,6 +199,7 @@ function initializeExpressSync() {
    return httpServer;
 }

+// provides hooks for the 'installer'
 function initializeInternalExpressSync() {
    var app = express();
    var httpServer = http.createServer(app);
@@ -42,12 +42,9 @@ var assert = require('assert'),
    _ = require('underscore');

 var gDefaults = (function () {
-    var tz = safe.fs.readFileSync('/etc/timezone', 'utf8');
-    tz = tz ? tz.trim() : 'America/Los_Angeles';
-
    var result = { };
    result[exports.AUTOUPDATE_PATTERN_KEY] = '00 00 1,3,5,23 * * *';
-    result[exports.TIME_ZONE_KEY] = tz;
+    result[exports.TIME_ZONE_KEY] = 'America/Los_Angeles';
    result[exports.CLOUDRON_NAME_KEY] = 'Cloudron';
    result[exports.DEVELOPER_MODE_KEY] = false;

@@ -5,6 +5,7 @@
 var assert = require('assert'),
    async = require('async'),
    aws = require('./aws.js'),
+    caas = require('./caas.js'),
    config = require('./config.js'),
    debug = require('debug')('box:subdomains'),
    util = require('util'),
@@ -17,6 +18,12 @@ module.exports = exports = {
    status: status
 };

+// choose which subdomain backend we use
+// for test purpose we use aws
+function api() {
+    return config.token() && !config.TEST ? caas : aws;
+}
+
 function add(record, callback) {
    assert.strictEqual(typeof record, 'object');
    assert.strictEqual(typeof record.subdomain, 'string');
@@ -26,7 +33,7 @@ function add(record, callback) {

    debug('add: ', record);

-    aws.addSubdomain(config.zoneName(), record.subdomain, record.type, record.value, function (error, changeId) {
+    api().addSubdomain(config.zoneName(), record.subdomain, record.type, record.value, function (error, changeId) {
        if (error) return callback(error);
        callback(null, changeId);
    });
@@ -60,7 +67,7 @@ function remove(record, callback) {

    debug('remove: ', record);

-    aws.delSubdomain(config.zoneName(), record.subdomain, record.type, record.value, function (error) {
+    api().delSubdomain(config.zoneName(), record.subdomain, record.type, record.value, function (error) {
        if (error && error.reason !== SubdomainError.NOT_FOUND) return callback(error);

        debug('deleteSubdomain: successfully deleted subdomain from aws.');
@@ -73,9 +80,7 @@ function status(changeId, callback) {
    assert.strictEqual(typeof changeId, 'string');
    assert.strictEqual(typeof callback, 'function');

-    debug('status: ', changeId);
-
-    aws.getChangeStatus(changeId, function (error, status) {
+    api().getChangeStatus(changeId, function (error, status) {
        if (error) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, error));
        callback(null, status === 'INSYNC' ? 'done' : 'pending');
    });
@@ -6,8 +6,6 @@

 'use strict';

-require('supererror', { splatchError: true});
-
 var database = require('../database.js'),
    expect = require('expect.js'),
    EventEmitter = require('events').EventEmitter,
@@ -134,7 +134,7 @@ function createUser(username, password, email, admin, invitor, callback) {
        crypto.pbkdf2(password, salt, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, function (error, derivedKey) {
            if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

-            var now = (new Date()).toUTCString();
+            var now = (new Date()).toISOString();
            var user = {
                id: username,
                username: username,
@@ -331,7 +331,7 @@ function setPassword(userId, newPassword, callback) {
        crypto.pbkdf2(newPassword, saltBuffer, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, function (error, derivedKey) {
            if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

-            user.modifiedAt = (new Date()).toUTCString();
+            user.modifiedAt = (new Date()).toISOString();
            user.password = new Buffer(derivedKey, 'binary').toString('hex');
            user.resetToken = '';

@@ -120,7 +120,6 @@ html {
 .grid-item {
    padding: 10px;
    min-width: 200px;
-    overflow: hidden;
 }

 .grid-item:hover .grid-item-bottom {
@@ -175,6 +174,12 @@ html {
    }
 }

+.app-update-badge {
+    position: absolute;
+    right: 0;
+    top: 0;
+}
+
 // ----------------------------
 // Appstore view
 // ----------------------------
@@ -354,23 +359,6 @@ html {
    max-width: 800px;
 }

-.app-update-badge {
-    font-size: $font-size-h4;
-    position: absolute;
-    left: 2px;
-    top: 2px;
-    width: $font-size-h4 + 6px;
-    text-overflow: ellipsis;
-    white-space: nowrap;
-    overflow: hidden;
-    background-color: transparent;
-}
-
-.app-update-badge:hover {
-    width: inherit;
-    background-color: #5CB85C;
-}
-
 .text-success {
    color: #5CB85C;
 }
@@ -55,10 +55,6 @@
                </fieldset>
            </div>
            <div class="modal-footer ">
-                <button type="button" class="btn btn-default" style="float: left;" ng-click="startApp(appConfigure.app)" ng-show="appConfigure.app.runState === 'stopped' && !appConfigure.runStateBusy && !(appConfigure.app | installationActive)"><i class="fa fa-play"></i> Start</button>
-                <button type="button" class="btn btn-default" style="float: left;" ng-show="appConfigure.app.runState !== 'stopped' && appConfigure.app.runState !== 'running' || appConfigure.runStateBusy && !(appConfigure.app | installationActive)" disabled ><i class="fa fa-refresh fa-spin"></i></button>
-                <button type="button" class="btn btn-default" style="float: left;" ng-click="stopApp(appConfigure.app)" ng-show="appConfigure.app.runState === 'running' && !appConfigure.runStateBusy && !(appConfigure.app | installationActive)"><i class="fa fa-pause"></i> Stop</button>
-
                <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
                <button type="button" class="btn btn-success" ng-click="doConfigure()" ng-disabled="appConfigureForm.$invalid || appConfigure.busy"><i class="fa fa-spinner fa-pulse" ng-show="appConfigure.busy"></i> Save</button>
            </div>
@@ -244,26 +240,27 @@
                    </div>
                    <div class="grid-item-bottom" ng-show="user.admin">
                        <br/>
+                        <br/>

                        <div>
-                            <a href="" ng-click="showUninstall(app)"><i class="fa fa-remove scale"></i></a>
+                            <a href="" ng-click="showUninstall(app)" title="Uninstall App"><i class="fa fa-remove scale"></i></a>
                        </div>

                        <div ng-show="(app | installError) === true">
-                            <a href="" ng-click="showRestore(app)"><i class="fa fa-undo scale"></i></a>
+                            <a href="" ng-click="showRestore(app)" title="Restore App"><i class="fa fa-undo scale"></i></a>
                        </div>

                        <div ng-show="(app | installSuccess) == true">
-                            <a href="" ng-click="showConfigure(app)"><i class="fa fa-wrench scale"></i></a>
-                        </div>
-
-                        <!-- we check the version here because the box updater does not know when an app gets updated -->
-                        <div ng-show="config.update.apps[app.id].manifest.version && config.update.apps[app.id].manifest.version !== app.manifest.version && (app | installSuccess)">
-                            <a href="" ng-click="showUpdate(app)"><i class="fa fa-arrow-up text-success scale"></i></a>
+                            <a href="" ng-click="showConfigure(app)" title="Configure App"><i class="fa fa-wrench scale"></i></a>
                        </div>

                        <br/>
                    </div>
+
+                    <!-- we check the version here because the box updater does not know when an app gets updated -->
+                    <div class="app-update-badge" ng-show="config.update.apps[app.id].manifest.version && config.update.apps[app.id].manifest.version !== app.manifest.version && (app | installSuccess)">
+                        <a href="" ng-click="showUpdate(app)" title="Update Available"><i class="fa fa-asterisk fa-2x text-success scale"></i></a>
+                    </div>
                </a>
            </div>
        </div>
@@ -313,22 +313,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
        });
    };

-    $scope.startApp = function (app) {
-        $scope.appConfigure.runStateBusy = true;
-        app.runState = 'pending_start';   // we assume we will end up there
-        Client.startApp(app.id, function () {
-            $scope.appConfigure.runStateBusy = false;
-        });
-    };
-
-    $scope.stopApp = function (app) {
-        $scope.appConfigure.runStateBusy = true;
-        app.runState = 'pending_stop';   // we assume we will end up there
-        Client.stopApp(app.id, function () {
-            $scope.appConfigure.runStateBusy = false;
-        });
-    };
-
    $scope.cancel = function () {
        window.history.back();
    };
Author	SHA1	Message	Date
Girish Ramakrishnan	5819cfe412	Fix progress message	2015-09-22 13:02:09 -07:00
Johannes Zellner	5cb62ca412	Remove start/stop buttons in webadmin Fixes #495	2015-09-22 22:00:42 +02:00
Johannes Zellner	df10c245de	app.js is no more	2015-09-22 22:00:42 +02:00
Girish Ramakrishnan	4a804dc52b	Do a complete backup for updates The backup cron job ensures backups every 4 hours which simply does a 'box' backup listing. If we do only a 'box' backup during update, this means that this cron job skips doing a backup and thus the apps are not backed up. This results in the janitor on the CaaS side complaining that the app backups are too old. Since we don't stop apps anymore during updates, it makes sense to simply backup everything for updates as well. This is probably what the user wants anyway.	2015-09-22 12:51:58 -07:00
Girish Ramakrishnan	ed2f25a998	better debugs	2015-09-21 16:02:58 -07:00
Girish Ramakrishnan	7510c9fe29	Fix typo	2015-09-21 15:57:06 -07:00
Girish Ramakrishnan	78a1d53728	copy old backup as failed/errored apps This ensures that a) we don't get emails from janitor about bad app backups b) that the backups are persisted over the s3 lifecycle Fixes #493	2015-09-21 15:03:10 -07:00
Girish Ramakrishnan	e9b078cd58	add backups.copyLastBackup	2015-09-21 14:14:43 -07:00
Girish Ramakrishnan	dd8b928684	aws: add copyObject	2015-09-21 14:02:00 -07:00
Girish Ramakrishnan	185b574bdc	Add custom apparmor profile for cloudron apps Docker generates an apparmor profile on the fly under /etc/apparmor.d/docker. This profile gets overwritten on every docker daemon start. This profile allows processes to ptrace themselves. This is required by circus (python process manager) for reasons unknown to me. It floods the logs with audit[7623]: <audit-1400> apparmor="DENIED" operation="ptrace" profile="docker-default" pid=7623 comm="python3.4" requested_mask="trace" denied_mask="trace" peer="docker-default" This is easily tested using: docker run -it cloudron/base:0.3.3 /bin/bash a) now do ps b) journalctl should show error log as above docker run --security-opt=apparmor:docker-cloudron-app -it cloudron/base:0.3.3 /bin/bash a) now do ps b) no error! Note that despite this, the process may not have ability to ptrace since it does not have CAP_PTRACE. Also, security-opt is the profile name (inside the apparmor config file) and not the filename. References: https://groups.google.com/forum/#!topic/docker-user/xvxpaceTCyw https://github.com/docker/docker/issues/7276 https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/1320869 This is an infra update because we need to recreate containers to get the right profile. Fixes #492	2015-09-21 11:01:44 -07:00
Girish Ramakrishnan	a89726a8c6	Add custom debug.formatArgs to remove timestamp prefix in logs Fixes #490 See also: https://github.com/visionmedia/debug/issues/216	2015-09-21 09:05:14 -07:00
Girish Ramakrishnan	c80aca27e6	remove unnecessary supererror call	2015-09-21 09:04:16 -07:00
Girish Ramakrishnan	029acab333	use correct timezone in updater fixes #491	2015-09-18 14:46:44 -07:00
Girish Ramakrishnan	4f9f10e130	timezone detection is based on browser location/ip and not cloudron region intentionally	2015-09-18 13:40:22 -07:00
Girish Ramakrishnan	9ba11d2e14	print body on failure	2015-09-18 12:03:48 -07:00
Girish Ramakrishnan	23a5a1f79f	timezone is already determined automatically using activation	2015-09-18 12:02:36 -07:00
Girish Ramakrishnan	e8dc617d40	print tz for debugging	2015-09-18 10:51:52 -07:00
Girish Ramakrishnan	d56794e846	clear backup progress when initiating backup this ensures that tools can do: 1. backup 2. wait_for_backup without the synchronous clear, we might get the progress state of an earlier backup.	2015-09-17 21:17:59 -07:00
Girish Ramakrishnan	2663ec7da0	cloudron.backup does not wait for backup to complete	2015-09-17 16:35:59 -07:00
Girish Ramakrishnan	eec4ae98cd	add comment for purpose on internal server	2015-09-17 16:27:46 -07:00
Girish Ramakrishnan	c31a0f4e09	Store dates as iso strings in database ideally, the database schema should be TIMESTAMP	2015-09-17 13:51:55 -07:00
Girish Ramakrishnan	739db23514	Use the default timezone in settings Fixes #485	2015-09-16 16:36:08 -07:00
Girish Ramakrishnan	8598fb444b	store timezone in config.js (part of provision data)	2015-09-16 15:54:56 -07:00
Girish Ramakrishnan	0b630ff504	Remove debug that is flooding the logs	2015-09-16 10:50:15 -07:00
Girish Ramakrishnan	84169dea3d	Do not set process.env.NODE_TLS_REJECT_UNAUTHORIZED Doing so will affect all https requests which is dangerous. We have these options to solve this: 1. Use superagent.ca(). Appstore already provides wildcard certs for dev, staging signed with appstore_ca. But we then need to send across the appstore_ca cert across in the provision call. This is a bit of work. 2. Convert superagent into https.request calls and use the rejectUnauthorized option. 3. Simply use http. This is what is done in this commit. Fixes #488	2015-09-16 10:36:03 -07:00
Girish Ramakrishnan	d83b5de47a	reserve the ldap and oauthproxy port	2015-09-16 10:12:59 -07:00
Girish Ramakrishnan	2719c4240f	Get oauth proxy port from the configs	2015-09-16 10:06:34 -07:00
Johannes Zellner	d749756b53	Do not show the update action button in non mobile view	2015-09-16 09:36:46 +02:00
Johannes Zellner	0401c61c15	Add tooltip text for the app action icons	2015-09-16 09:36:22 +02:00
Johannes Zellner	34f45da2de	Show indicator when app update is available Fixes #489	2015-09-16 09:28:43 +02:00
Girish Ramakrishnan	baecbf783c	journalctl seems to barf on this debug	2015-09-15 20:50:22 -07:00
Girish Ramakrishnan	2f141cd6e0	Make the times absurdly high but that is how long in takes	2015-09-15 18:56:25 -07:00
Girish Ramakrishnan	1296299d02	error is undefined	2015-09-15 18:27:09 -07:00
Girish Ramakrishnan	998ac74d32	oldConfig.location can be null If we had an update, location is not part of oldConfig. if we now do an infra update, location is undefined.	2015-09-15 18:08:29 -07:00
Girish Ramakrishnan	b4a34e6432	Explicity debug the fields for some reason, journalctl barfs on this line	2015-09-15 14:55:20 -07:00
Girish Ramakrishnan	e70c9d55db	apptask: retry for external error as well	2015-09-14 21:45:27 -07:00
Girish Ramakrishnan	268aee6265	Return busy code for 420 response	2015-09-14 21:44:44 -07:00
Girish Ramakrishnan	1ba7b0e0fb	context is raw text	2015-09-14 17:25:27 -07:00
Girish Ramakrishnan	72788fdb11	add note on how to test the oom	2015-09-14 17:20:30 -07:00
Girish Ramakrishnan	435afec13c	Print OOM context	2015-09-14 17:18:11 -07:00
Girish Ramakrishnan	2cb1877669	Do not reconnect for now	2015-09-14 17:10:49 -07:00
Girish Ramakrishnan	edd672cba7	fix typo	2015-09-14 17:07:44 -07:00
Girish Ramakrishnan	991f37fe05	Provide app information if possible	2015-09-14 17:06:04 -07:00
Girish Ramakrishnan	c147d8004b	Add appdb.getByContainerId	2015-09-14 17:01:04 -07:00
Girish Ramakrishnan	cdcc4dfda8	Get notification on app oom currently, oom events arrive a little late : https://github.com/docker/docker/issues/16074 fixes #489	2015-09-14 16:51:32 -07:00
Girish Ramakrishnan	2eaba686fb	apphealthmonitor.js is not executable	2015-09-14 16:51:32 -07:00
Girish Ramakrishnan	236032b4a6	Remove supererror setup in oauthproxy and apphealthmonitor	2015-09-14 16:49:10 -07:00
Girish Ramakrishnan	5fcba59b3e	set memory limits for addons mysql, postgresql, mongodb - 100m each mail, graphite, redis (each instance) - 75m For reference, in yellowtent: mongo - 5m postgresql - 33m mysql - 3.5m mail: 26m graphite - 26m redis - 32m	2015-09-14 13:47:45 -07:00
Girish Ramakrishnan	6efd8fddeb	fix require paths	2015-09-14 13:00:03 -07:00
Girish Ramakrishnan	8aff2b9e74	remove oauthproxy systemd configs	2015-09-14 12:02:38 -07:00
Girish Ramakrishnan	fbae432b98	merge oauthproxy server into box server	2015-09-14 11:58:28 -07:00
Girish Ramakrishnan	9cad7773ff	refactor code to prepare for merge into box server	2015-09-14 11:28:49 -07:00
Girish Ramakrishnan	4adf122486	oauthproxy: refactor for readability	2015-09-14 11:22:33 -07:00
Girish Ramakrishnan	ea47c26d3f	apphealthmonitor is not a executable anymore	2015-09-14 11:09:58 -07:00
Girish Ramakrishnan	f57aae9545	Fix typo in assert	2015-09-14 11:09:41 -07:00
Girish Ramakrishnan	cdeb830706	Add apphealthmonitor.stop	2015-09-14 11:02:06 -07:00
Girish Ramakrishnan	0c9618f19a	Add ldap.stop	2015-09-14 11:01:35 -07:00
Girish Ramakrishnan	1cd9d07d8c	Merge apphealthtask into box server We used to run this as a separate process but no amount of node/v8 tweaking makes them run as standalone with 50M RSS. Three solutions were considered for the memory issue: 1. Use systemd timer. apphealthtask needs to run quiet frequently (10 sec) for the ui to get the app health update immediately after install. 2. Merge into box server (this commit) 3. Increase memory to 80M. This seems to make apphealthtask run as-is.	2015-09-14 10:52:11 -07:00
Girish Ramakrishnan	f028649582	Rename app.js to box.js	2015-09-14 10:43:47 -07:00
Johannes Zellner	d57236959a	choose aws subdomain backend for test purpose	2015-09-13 22:02:04 +02:00
Johannes Zellner	ebe975f463	Also send data with the domain deletion	2015-09-13 22:02:04 +02:00
Johannes Zellner	a94267fc98	Use caas.js for subdomain business	2015-09-13 22:02:04 +02:00
Johannes Zellner	f186ea7cc3	Add initial caas.js	2015-09-13 22:02:04 +02:00
Girish Ramakrishnan	29e05b1caa	make janitor a systemd timer one process lesser	2015-09-11 18:43:51 -07:00
Girish Ramakrishnan	6945a712df	limit node memory usage node needs to be told how much space it can usage, otherwise it keeps allocating and we cannot keep it under 50M. keeping old space to 30M, lets the memory hover around 40M there are many options to v8 but I haven't explored them all: --expose_gc - allows scripts to call gc() --max_old_space_size=30 --max_semi_space_size=2048 (old/new space) node first allocates new objects in new space. if these objects are in use around for some time, it moves them to old space. the idea here is that it runs gc aggressively on new space since new objects die more than old ones. the new space is split into two halves of equal size called semi spaces. --gc_interval=100 --optimize_for_size --max_executable_size=5 --gc_global --stack_size=1024 http://erikcorry.blogspot.com/2012/11/memory-management-flags-in-v8.html http://jayconrod.com/posts/55/a-tour-of-v8-garbage-collection https://code.google.com/p/chromium/issues/detail?id=280984 http://stackoverflow.com/questions/30252905/nodejs-decrease-v8-garbage-collector-memory-usage http://www.appfruits.com/2014/08/running-node-js-on-arduino-yun/ note: this is not part of shebang because linux shebang does not support args! so we cannot pass node args as part of shebang.	2015-09-10 21:24:36 -07:00
Girish Ramakrishnan	03048d7d2f	set memorylimit for crashnotifier as well	2015-09-10 14:19:44 -07:00
Girish Ramakrishnan	28b768b146	Fix app autoupdater logic The main issue was that app.portBindings is never null but { }	2015-09-10 11:39:29 -07:00
Girish Ramakrishnan	c1e4dceb01	ssh is now on port 919	2015-09-10 10:08:40 -07:00