{"host": "deploy1003.eqiad.wmnet", "state": "diff", "description": "Differences to Puppet defined resources", "diff": {"full": {"total": 17284, "only_in_self": [], "only_in_other": ["Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Nftables::Service[deployment-ssh]", "Nftables::Service[full-monitoring-metrics-access-tcp]", "Nftables::Service[full-monitoring-metrics-access-udp]", "Nftables::Service[fundraising-data-uploader sftp]", "Nftables::Service[git-daemon]", "Nftables::Service[http_deployment_server]", "Nftables::Service[rsyncd_access_deployment_home]", "Nftables::Service[rsyncd_access_deployment_module]", "Nftables::Service[rsyncd_access_patches_module]", "Nftables::Service[rsyncd_access_releases]", "Nftables::Service[rsyncd_access_srv-mediawiki-private-primary]", "Nftables::Service[rsyncd_access_srv-mediawiki-private-releases1003.eqiad.wmnet]", "Nftables::Service[rsyncd_access_srv-mediawiki-private-releases2003.codfw.wmnet]", "Nftables::Service[rsyncd_access_srv-patches-releases-primary]", "Nftables::Service[rsyncd_access_srv-patches-releases1003.eqiad.wmnet]", "Nftables::Service[rsyncd_access_srv-patches-releases2003.codfw.wmnet]", "Nftables::Service[rsyncd_scap_master]", "Nftables::Service[ssh-from-bastion]", "Nftables::Service[ssh-from-cumin-masters]"], "resource_diffs": [{"resource": "Nftables::Service[rsyncd_access_srv-mediawiki-private-releases2003.codfw.wmnet]", "parameters": "--- Nftables::Service[rsyncd_access_srv-mediawiki-private-releases2003.codfw.wmnet].orig\n+++ Nftables::Service[rsyncd_access_srv-mediawiki-private-releases2003.codfw.wmnet]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.16.72', '2620:0:860:102:10:192:16:72']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => absent\n"}, {"resource": "Nftables::Service[git-daemon]", "parameters": "--- Nftables::Service[git-daemon].orig\n+++ Nftables::Service[git-daemon]\n\n+    notrack             => False\n+    port                => 9418\n+    desc                => Git daemon\n+    src_ips             => ['10.192.16.72', '10.64.48.34', '2620:0:860:102:10:192:16:72', '2620:0:861:107:10:64:48:34']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_scap_master]", "parameters": "--- Nftables::Service[rsyncd_scap_master].orig\n+++ Nftables::Service[rsyncd_scap_master]\n\n+    notrack             => False\n+    port                => 873\n+    desc                => \n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n+    src_sets            => ['MW_APPSERVER_NETWORKS', 'ANALYTICS_NETWORKS']\n"}, {"resource": "Nftables::Service[rsyncd_access_srv-patches-releases1003.eqiad.wmnet]", "parameters": "--- Nftables::Service[rsyncd_access_srv-patches-releases1003.eqiad.wmnet].orig\n+++ Nftables::Service[rsyncd_access_srv-patches-releases1003.eqiad.wmnet]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.64.48.34', '2620:0:861:107:10:64:48:34']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_access_patches_module]", "parameters": "--- Nftables::Service[rsyncd_access_patches_module].orig\n+++ Nftables::Service[rsyncd_access_patches_module]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.32.7', '2620:0:860:103:10:192:32:7']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_access_deployment_module]", "parameters": "--- Nftables::Service[rsyncd_access_deployment_module].orig\n+++ Nftables::Service[rsyncd_access_deployment_module]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.32.7', '2620:0:860:103:10:192:32:7']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-tcp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-tcp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-tcp]\n\n+    notrack             => False\n+    desc                => \n+    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    port_range          => [1, 65535]\n+    ensure              => present\n"}, {"resource": "Nftables::Service[ssh-from-bastion]", "parameters": "--- Nftables::Service[ssh-from-bastion].orig\n+++ Nftables::Service[ssh-from-bastion]\n\n+    notrack             => False\n+    port                => 22\n+    desc                => \n+    src_ips             => ['103.102.166.103', '185.15.58.6', '185.15.59.99', '195.200.68.99', '198.35.26.104', '2001:df2:e500:3:103:102:166:103', '208.80.153.110', '208.80.154.7', '2620:0:860:4:208:80:153:110', '2620:0:861:1:208:80:154:7', '2620:0:863:3:198:35:26:104', '2a02:ec80:300:3:185:15:59:99', '2a02:ec80:600:1:185:15:58:6', '2a02:ec80:700:3:195:200:68:99']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[ssh-from-cumin-masters]", "parameters": "--- Nftables::Service[ssh-from-cumin-masters].orig\n+++ Nftables::Service[ssh-from-cumin-masters]\n\n+    notrack             => False\n+    port                => 22\n+    desc                => \n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n+    src_sets            => ['CUMIN_MASTERS']\n"}, {"resource": "Nftables::Service[deployment-ssh]", "parameters": "--- Nftables::Service[deployment-ssh].orig\n+++ Nftables::Service[deployment-ssh]\n\n+    notrack             => False\n+    port                => 22\n+    desc                => \n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n+    src_sets            => ['DEPLOYMENT_HOSTS']\n"}, {"resource": "Nftables::Service[rsyncd_access_releases]", "parameters": "--- Nftables::Service[rsyncd_access_releases].orig\n+++ Nftables::Service[rsyncd_access_releases]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.10.6', '10.192.12.30', '10.192.14.8', '10.192.14.9', '10.192.15.22', '10.192.15.23', '10.192.21.22', '10.192.22.11', '10.192.22.7', '10.192.26.10', '10.192.28.11', '10.192.28.7', '10.192.29.15', '10.192.31.9', '10.192.32.41', '10.192.32.7', '10.192.37.10', '10.192.39.13', '10.192.39.14', '10.192.4.12', '10.192.41.16', '10.192.41.20', '10.192.5.11', '10.192.5.14', '10.192.5.15', '10.192.5.27', '10.192.5.28', '10.192.5.29', '10.192.5.30', '10.192.5.31', '10.192.5.32', '10.192.5.34', '10.192.5.7', '10.192.6.14', '10.192.7.10', '10.192.7.11', '10.192.7.20', '10.192.7.6', '10.192.7.7', '10.192.7.8', '10.192.8.12', '10.192.8.14', '10.64.0.105', '10.64.131.5', '10.64.131.8', '10.64.154.6', '10.64.16.114', '10.64.16.116', '10.64.16.117', '10.64.16.118', '10.64.16.120', '10.64.16.123', '10.64.16.131', '10.64.16.220', '10.64.16.93', '10.64.164.12', '10.64.164.8', '10.64.32.171', '10.64.48.55', '2620:0:860:100:10:192:4:12', '2620:0:860:103:10:192:32:41', '2620:0:860:103:10:192:32:7', '2620:0:860:105:10:192:26:10', '2620:0:860:106:10:192:5:11', '2620:0:860:106:10:192:5:14', '2620:0:860:106:10:192:5:15', '2620:0:860:106:10:192:5:27', '2620:0:860:106:10:192:5:28', '2620:0:860:106:10:192:5:29', '2620:0:860:106:10:192:5:30', '2620:0:860:106:10:192:5:31', '2620:0:860:106:10:192:5:32', '2620:0:860:106:10:192:5:34', '2620:0:860:106:10:192:5:7', '2620:0:860:107:10:192:6:14', '2620:0:860:108:10:192:7:10', '2620:0:860:108:10:192:7:11', '2620:0:860:108:10:192:7:20', '2620:0:860:108:10:192:7:6', '2620:0:860:108:10:192:7:7', '2620:0:860:108:10:192:7:8', '2620:0:860:109:10:192:8:12', '2620:0:860:109:10:192:8:14', '2620:0:860:10b:10:192:10:6', '2620:0:860:10d:10:192:12:30', '2620:0:860:10f:10:192:14:8', '2620:0:860:10f:10:192:14:9', '2620:0:860:110:10:192:15:22', '2620:0:860:110:10:192:15:23', '2620:0:860:111:10:192:21:22', '2620:0:860:112:10:192:22:11', '2620:0:860:112:10:192:22:7', '2620:0:860:115:10:192:28:11', '2620:0:860:115:10:192:28:7', '2620:0:860:116:10:192:29:15', '2620:0:860:11a:10:192:31:9', '2620:0:860:11c:10:192:37:10', '2620:0:860:11e:10:192:39:13', '2620:0:860:11e:10:192:39:14', '2620:0:860:120:10:192:41:16', '2620:0:860:120:10:192:41:20', '2620:0:861:101:10:64:0:105', '2620:0:861:102:10:64:16:114', '2620:0:861:102:10:64:16:116', '2620:0:861:102:10:64:16:117', '2620:0:861:102:10:64:16:118', '2620:0:861:102:10:64:16:120', '2620:0:861:102:10:64:16:123', '2620:0:861:102:10:64:16:131', '2620:0:861:102:10:64:16:220', '2620:0:861:102:10:64:16:93', '2620:0:861:103:10:64:32:171', '2620:0:861:107:10:64:48:55', '2620:0:861:10a:10:64:131:5', '2620:0:861:10a:10:64:131:8', '2620:0:861:122:10:64:154:6', '2620:0:861:12c:10:64:164:12', '2620:0:861:12c:10:64:164:8']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[fundraising-data-uploader sftp]", "parameters": "--- Nftables::Service[fundraising-data-uploader sftp].orig\n+++ Nftables::Service[fundraising-data-uploader sftp]\n\n+    notrack             => False\n+    port                => 22\n+    desc                => sftp access for FR Tech Donor Export role user\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n+    src_sets            => ['FRACK_NETWORKS']\n"}, {"resource": "Nftables::Service[http_deployment_server]", "parameters": "--- Nftables::Service[http_deployment_server].orig\n+++ Nftables::Service[http_deployment_server]\n\n+    notrack             => False\n+    port                => 80\n+    desc                => HTTP on deployment servers, for serving actual files to deploy\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n+    src_sets            => ['MW_APPSERVER_NETWORKS', 'ANALYTICS_NETWORKS']\n"}, {"resource": "Nftables::Service[rsyncd_access_srv-patches-releases-primary]", "parameters": "--- Nftables::Service[rsyncd_access_srv-patches-releases-primary].orig\n+++ Nftables::Service[rsyncd_access_srv-patches-releases-primary]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.16.72', '2620:0:860:102:10:192:16:72']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "parameters": "--- Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet].orig\n+++ Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]\n\n+    notrack             => False\n+    port                => 9102\n+    desc                => \n+    src_ips             => ['10.64.183.10', '2620:0:861:13d:10:64:183:10']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-udp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-udp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-udp]\n\n+    notrack             => False\n+    desc                => \n+    src_ips             => ['10.64.0.82', '10.64.16.62', '10.64.32.85', '10.64.48.171', '208.80.153.42', '208.80.154.78', '2620:0:860:2:208:80:153:42', '2620:0:861:101:10:64:0:82', '2620:0:861:102:10:64:16:62', '2620:0:861:103:10:64:32:85', '2620:0:861:107:10:64:48:171', '2620:0:861:3:208:80:154:78']\n+    proto               => udp\n+    unrestricted_access => False\n+    prio                => 10\n+    port_range          => [1, 65535]\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_access_deployment_home]", "parameters": "--- Nftables::Service[rsyncd_access_deployment_home].orig\n+++ Nftables::Service[rsyncd_access_deployment_home]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.32.7', '2620:0:860:103:10:192:32:7']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_access_srv-mediawiki-private-primary]", "parameters": "--- Nftables::Service[rsyncd_access_srv-mediawiki-private-primary].orig\n+++ Nftables::Service[rsyncd_access_srv-mediawiki-private-primary]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.16.72', '2620:0:860:102:10:192:16:72']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_access_srv-mediawiki-private-releases1003.eqiad.wmnet]", "parameters": "--- Nftables::Service[rsyncd_access_srv-mediawiki-private-releases1003.eqiad.wmnet].orig\n+++ Nftables::Service[rsyncd_access_srv-mediawiki-private-releases1003.eqiad.wmnet]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.64.48.34', '2620:0:861:107:10:64:48:34']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => present\n"}, {"resource": "Nftables::Service[rsyncd_access_srv-patches-releases2003.codfw.wmnet]", "parameters": "--- Nftables::Service[rsyncd_access_srv-patches-releases2003.codfw.wmnet].orig\n+++ Nftables::Service[rsyncd_access_srv-patches-releases2003.codfw.wmnet]\n\n+    notrack             => False\n+    port                => [873, 1873]\n+    desc                => \n+    src_ips             => ['10.192.16.72', '2620:0:860:102:10:192:16:72']\n+    proto               => tcp\n+    unrestricted_access => False\n+    prio                => 10\n+    ensure              => absent\n"}], "perc_changed": "0.23%"}, "core": null, "main": {"total": 17284, "only_in_self": [], "only_in_other": ["Nftables::Service[bacula-file-daemon-backup1014.eqiad.wmnet]", "Nftables::Service[deployment-ssh]", "Nftables::Service[full-monitoring-metrics-access-tcp]", "Nftables::Service[full-monitoring-metrics-access-udp]", "Nftables::Service[fundraising-data-uploader sftp]", "Nftables::Service[git-daemon]", "Nftables::Service[http_deployment_server]", "Nftables::Service[rsyncd_access_deployment_home]", "Nftables::Service[rsyncd_access_deployment_module]", "Nftables::Service[rsyncd_access_patches_module]", "Nftables::Service[rsyncd_access_releases]", "Nftables::Service[rsyncd_access_srv-mediawiki-private-primary]", "Nftables::Service[rsyncd_access_srv-mediawiki-private-releases1003.eqiad.wmnet]", "Nftables::Service[rsyncd_access_srv-mediawiki-private-releases2003.codfw.wmnet]", "Nftables::Service[rsyncd_access_srv-patches-releases-primary]", "Nftables::Service[rsyncd_access_srv-patches-releases1003.eqiad.wmnet]", "Nftables::Service[rsyncd_access_srv-patches-releases2003.codfw.wmnet]", "Nftables::Service[rsyncd_scap_master]", "Nftables::Service[ssh-from-bastion]", "Nftables::Service[ssh-from-cumin-masters]"], "resource_diffs": [], "perc_changed": "0.12%"}}}