Implemented simple maintenance information page mechanism.

Sometimes the downtime due to the upgrade or error can be noticable to the users, so the well behaving application should have some kind of maintenance mode to inform the users. This commit contains simple web page with capabilites of variable substitutions (to insert separately generated timestamps about the duration of the downtime), an example site configuration for Apache web server and updated documentation page about sustem upgrade. (Redmine issue: #4277)

conf/apache/maintenance/.htaccess

+SetOutputFilter SUBSTITUTE;DEFLATE
+Substitute "s/__MAINTENANCE_START__/YYYY-MM-DD HH:MM/n"
+Substitute "s/__MAINTENANCE_END__/YYYY-MM-DD HH:MM/n"

conf/apache/maintenance/index.html

+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <meta charset="utf-8">
+            <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
+        <title>Mentat - Under maintenance</title>
+    </head>
+    <body>
+        <div class="container">
+            <br>
+            <div class="jumbotron">
+                <h1 class="display-4">
+                    Sorry! We are under maintenance.
+                </h1>
+                <p class="lead">
+                    The Mentat system is currently undergoing some maintenance. It will be up and running shortly, please try again later.
+                </p>
+                <table>
+                    <tr>
+                        <th>Maintenance start: </th> <td>&nbsp;__MAINTENANCE_START__ </td>
+                    </tr>
+                    <tr>
+                        <th>Expected end: </th>        <td>&nbsp;__MAINTENANCE_END__ </td>
+                    </tr>
+                </table>
+                <hr class="my-4">
+                <h1 class="display-4">
+                    Omlouváme se! Právě probíhá údržba.
+                </h1>
+                <p class="lead">
+                    Na systému Mentat v tuto chvíli probíhá plánovaná údržba. Co nevidět bude opět funkční, zkuste to prosím později.
+                </p>
+                <table>
+                    <tr>
+                        <th>Údržba začala: </th>    <td>&nbsp;__MAINTENANCE_START__ </td>
+                    </tr>
+                    <tr>
+                        <th>Očekávaný konec: </th>  <td>&nbsp;__MAINTENANCE_END__ </td>
+                    </tr>
+                </table>
+            </div>
+            <div style="text-align: right; font-size: smaller;">
+                <span>
+                    Mentat
+                </span> &#124;
+                &copy; since 2011 &#124;
+                <a href="http://csirt.cesnet.cz">
+                    CESNET-CERTS
+                </a> &#124;
+                <a href="https://www.cesnet.cz">
+                    CESNET
+                </a>
+            </div>
+        </div>
+    </body>
+</html>

conf/apache/site_maintenance.conf.example

+#-------------------------------------------------------------------------------
+# Example APACHE web server configuration file for HAWAT maintenance site.
+#
+# This is an example configuration that can be used to inform users about undergoing
+# maintenance. Please adjust the configuration file according to your needs.
+# In most cases customization of following directives should be enough to
+# get it working properly and quickly:
+#
+#   * ServerAdmin
+#   * ServerName
+#   * SSLCertificateFile
+#   * SSLCertificateKeyFile
+#   * SSLCertificateChainFile
+#
+# This file is part of Mentat system (https://mentat.cesnet.cz/).
+#
+# Copyright (C) since 2011 CESNET, z.s.p.o (http://www.ces.net/)
+# Use of this source is governed by the MIT license, see LICENSE file.
+#-------------------------------------------------------------------------------
+
+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>
+        ServerAdmin webmaster@mentat.organization.org
+        ServerName mentat.organization.org
+
+        <IfModule mod_headers.c>
+                # Enforce HTTPS protocol at all times.
+                Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+                # Deny access to content via HTML iframe.
+                Header always set X-Frame-Options DENY
+        </IfModule>
+
+        DocumentRoot /etc/mentat/apache/maintenance
+
+        <Location />
+            Require all granted
+        </Location>
+        <Directory /etc/mentat/apache/maintenance>
+            AllowOverride All
+            Require all granted
+        </Directory>
+
+        # Rewrite any URL to server root to maintenance information page.
+        RewriteEngine on
+        RewriteRule ^/mentat / [R=307]
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+
+        # Possible values: debug, info, notice, warn, error, crit, alert, emerg.
+        LogLevel warn
+
+        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+        SSLEngine on
+        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+        # Using default self-signed server certificates
+        SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+        # Using custom server certificates
+        #SSLCertificateFile      /etc/ssl/servercert/cert.pem
+        #SSLCertificateKeyFile   /etc/ssl/servercert/key.pem
+        #SSLCertificateChainFile /etc/ssl/servercert/chain.pem
+
+        # Enforce only strong SSL protocols. Generator as of August 2016. This
+        # tool is available at https://mozilla.github.io/server-side-tls/ssl-config-generator/
+        # Resource: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#onlystrong
+        SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        SSLHonorCipherOrder on
+        SSLCompression      off
+        SSLSessionTickets   off
+
+        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                SSLOptions +StdEnvVars
+        </FilesMatch>
+        <Directory /usr/lib/cgi-bin>
+                SSLOptions +StdEnvVars
+        </Directory>
+
+        BrowserMatch "MSIE [2-6]" \
+                nokeepalive ssl-unclean-shutdown \
+                downgrade-1.0 force-response-1.0
+        # MSIE 7 and newer should be able to use keepalive
+        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+    </VirtualHost>
+</IfModule>

doc/sphinx/_doclib/upgrading.rst

@@ -23,6 +23,15 @@ to latest version:
 
 .. code-block:: shell
 
+    # Step 0: Activate maintenance mode in case the downtime will be noticable for users:
+    # First update timestamps of maintenance start and maintenance end:
+    $ vim /etc/mentat/apache/maintenance/.htaccess
+    # Now bring the Mentat system web interface down and maintenance site up:
+    $ a2enmod substitute
+    $ a2dissite site_mentat-ng.conf
+    $ a2ensite site_maintenance.conf
+    $ systemctl restart apache2
+
     # Step 1: It is recommended to stop Mentat daemons and cronjobs before upgrade:
     $ mentat-controller.py --command stop
     $ mentat-controller.py --command disable
@@ -47,7 +56,10 @@ to latest version:
     $ mentat-controller.py --command enable
 
     # Step 7: Restart the web server that is serving web interface:
-    $ service apache2 restart
+    $ a2dismod substitute
+    $ a2dissite site_maintenance.conf
+    $ a2ensite site_mentat-ng.conf
+    $ systemctl restart apache2
 
 
 .. _section-upgrading-postgresql:

lib/mentat/__init__.py

@@ -20,4 +20,4 @@ open-source project.
 
 __author__  = "Jan Mach <jan.mach@cesnet.cz>"
 __credits__ = "Pavel Kácha <pavel.kacha@cesnet.cz>, Andrea Kropáčová <andrea.kropacova@cesnet.cz>"
-__version__ = "2.4.22"
+__version__ = "2.4.23"