{"host": "people2004.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 5273, "only_in_self": [], "only_in_other": ["Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "Ferm::Service[envoy_tls_termination_src_sets]", "Ferm::Service[full_monitoring_metrics_access_tcp]", "Ferm::Service[full_monitoring_metrics_access_udp]", "Ferm::Service[people_http]", "Ferm::Service[people_http_deployment]", "Ferm::Service[people_https]", "Ferm::Service[rsyncd_access_people_home]", "Ferm::Service[ssh_from_bastion]", "Ferm::Service[ssh_from_cumin_masters]"], "resource_diffs": [{"resource": "Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "parameters": "--- Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet].orig\n+++ Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]\n\n+ notrack => False\n+ port => 9102\n+ desc => \n+ srange => ['backup1014.eqiad.wmnet']\n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n"}, {"resource": "Nftables::Service[full-monitoring-metrics-access-tcp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-tcp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-tcp]\n\n@@\n- src_ips => ['10.192.16.75', '10.192.32.67', '10.192.39.10', '10.192.9.11', '208.80.153.42', '208.80.154.78', '2620:0:860:102:10:192:16:75', '2620:0:860:103:10:192:32:67', '2620:0:860:10a:10:192:9:11', '2620:0:860:11e:10:192:39:10', '2620:0:860:2:208:80:153:42', '2620:0:861:3:208:80:154:78']\n+ src_ips => ['10.192.16.75', '10.192.32.67', '10.192.39.10', '10.192.9.11', '208.80.153.42', '208.80.154.78', '2620:0:860:103:10:192:32:67', '2620:0:860:10a:10:192:9:11', '2620:0:860:11e:10:192:39:10', '2620:0:860:2:208:80:153:42', '2620:0:861:3:208:80:154:78']\n"}, {"resource": "Ferm::Service[ssh_from_cumin_masters]", "parameters": "--- Ferm::Service[ssh_from_cumin_masters].orig\n+++ Ferm::Service[ssh_from_cumin_masters]\n\n+ notrack => False\n+ port => 22\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n+ src_sets => ['CUMIN_MASTERS']\n"}, {"resource": "Ferm::Service[full_monitoring_metrics_access_udp]", "parameters": "--- Ferm::Service[full_monitoring_metrics_access_udp].orig\n+++ Ferm::Service[full_monitoring_metrics_access_udp]\n\n+ notrack => False\n+ desc => \n+ srange => ['prometheus2005.codfw.wmnet', 'prometheus2006.codfw.wmnet', 'prometheus2007.codfw.wmnet', 'prometheus2008.codfw.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n+ proto => udp\n+ unrestricted_access => False\n+ prio => 10\n+ port_range => [1, 65535]\n+ ensure => present\n"}, {"resource": "Ferm::Service[envoy_tls_termination_src_sets]", "parameters": "--- Ferm::Service[envoy_tls_termination_src_sets].orig\n+++ Ferm::Service[envoy_tls_termination_src_sets]\n\n+ notrack => True\n+ port => 443\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n+ src_sets => ['CACHES', 'DEPLOYMENT_HOSTS']\n"}, {"resource": "Ferm::Service[people_http]", "parameters": "--- Ferm::Service[people_http].orig\n+++ Ferm::Service[people_http]\n\n+ notrack => False\n+ port => 80\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n+ src_sets => ['CACHES', 'STAGING_KUBEPODS_NETWORKS', 'WIKIKUBE_KUBEPODS_NETWORKS']\n"}, {"resource": "Ferm::Service[people_https]", "parameters": "--- Ferm::Service[people_https].orig\n+++ Ferm::Service[people_https]\n\n+ notrack => False\n+ port => 443\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n+ src_sets => ['CACHES', 'STAGING_KUBEPODS_NETWORKS', 'WIKIKUBE_KUBEPODS_NETWORKS']\n"}, {"resource": "Ferm::Service[people_http_deployment]", "parameters": "--- Ferm::Service[people_http_deployment].orig\n+++ Ferm::Service[people_http_deployment]\n\n+ notrack => False\n+ port => 80\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n+ src_sets => ['DEPLOYMENT_HOSTS']\n"}, {"resource": "Ferm::Service[full_monitoring_metrics_access_tcp]", "parameters": "--- Ferm::Service[full_monitoring_metrics_access_tcp].orig\n+++ Ferm::Service[full_monitoring_metrics_access_tcp]\n\n+ notrack => False\n+ desc => \n+ srange => ['prometheus2005.codfw.wmnet', 'prometheus2006.codfw.wmnet', 'prometheus2007.codfw.wmnet', 'prometheus2008.codfw.wmnet', '208.80.154.78', '2620:0:861:3:208:80:154:78', '208.80.153.42', '2620:0:860:2:208:80:153:42']\n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ port_range => [1, 65535]\n+ ensure => present\n"}, {"resource": "Ferm::Service[ssh_from_bastion]", "parameters": "--- Ferm::Service[ssh_from_bastion].orig\n+++ Ferm::Service[ssh_from_bastion]\n\n+ notrack => False\n+ port => 22\n+ desc => \n+ srange => ['208.80.154.7', '2620:0:861:1:208:80:154:7', '208.80.153.110', '2a02:ec80:300:3:185:15:59:99', '185.15.59.99', '2620:0:860:4:208:80:153:110', '198.35.26.104', '2620:0:863:3:198:35:26:104', '103.102.166.103', '2001:df2:e500:3:103:102:166:103', '185.15.58.6', '2a02:ec80:600:1:185:15:58:6', '195.200.68.99', '2a02:ec80:700:3:195:200:68:99']\n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n"}, {"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft\n@@ -1,4 +1,4 @@\n # Managed by puppet\n # \n ip saddr { 10.192.16.75, 10.192.32.67, 10.192.39.10, 10.192.9.11, 208.80.153.42, 208.80.154.78 } tcp dport 1-65535 accept\n-ip6 saddr { 2620:0:860:102:10:192:16:75, 2620:0:860:103:10:192:32:67, 2620:0:860:10a:10:192:9:11, 2620:0:860:11e:10:192:39:10, 2620:0:860:2:208:80:153:42, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept\n+ip6 saddr { 2620:0:860:103:10:192:32:67, 2620:0:860:10a:10:192:9:11, 2620:0:860:11e:10:192:39:10, 2620:0:860:2:208:80:153:42, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept"}, {"resource": "Ferm::Service[rsyncd_access_people_home]", "parameters": "--- Ferm::Service[rsyncd_access_people_home].orig\n+++ Ferm::Service[rsyncd_access_people_home]\n\n+ notrack => False\n+ port => [873, 1873]\n+ desc => \n+ srange => ['people1005.eqiad.wmnet']\n+ proto => tcp\n+ unrestricted_access => False\n+ prio => 10\n+ ensure => present\n"}], "perc_changed": "0.42%"}, "core": {"total": 5273, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft\n@@ -1,4 +1,4 @@\n # Managed by puppet\n # \n ip saddr { 10.192.16.75, 10.192.32.67, 10.192.39.10, 10.192.9.11, 208.80.153.42, 208.80.154.78 } tcp dport 1-65535 accept\n-ip6 saddr { 2620:0:860:102:10:192:16:75, 2620:0:860:103:10:192:32:67, 2620:0:860:10a:10:192:9:11, 2620:0:860:11e:10:192:39:10, 2620:0:860:2:208:80:153:42, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept\n+ip6 saddr { 2620:0:860:103:10:192:32:67, 2620:0:860:10a:10:192:9:11, 2620:0:860:11e:10:192:39:10, 2620:0:860:2:208:80:153:42, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept"}], "perc_changed": "0.02%"}, "main": {"total": 5273, "only_in_self": [], "only_in_other": ["Ferm::Service[bacula_file_daemon_backup1014_eqiad_wmnet]", "Ferm::Service[envoy_tls_termination_src_sets]", "Ferm::Service[full_monitoring_metrics_access_tcp]", "Ferm::Service[full_monitoring_metrics_access_udp]", "Ferm::Service[people_http]", "Ferm::Service[people_http_deployment]", "Ferm::Service[people_https]", "Ferm::Service[rsyncd_access_people_home]", "Ferm::Service[ssh_from_bastion]", "Ferm::Service[ssh_from_cumin_masters]"], "resource_diffs": [{"resource": "Nftables::Service[full-monitoring-metrics-access-tcp]", "parameters": "--- Nftables::Service[full-monitoring-metrics-access-tcp].orig\n+++ Nftables::Service[full-monitoring-metrics-access-tcp]\n\n@@\n- src_ips => ['10.192.16.75', '10.192.32.67', '10.192.39.10', '10.192.9.11', '208.80.153.42', '208.80.154.78', '2620:0:860:102:10:192:16:75', '2620:0:860:103:10:192:32:67', '2620:0:860:10a:10:192:9:11', '2620:0:860:11e:10:192:39:10', '2620:0:860:2:208:80:153:42', '2620:0:861:3:208:80:154:78']\n+ src_ips => ['10.192.16.75', '10.192.32.67', '10.192.39.10', '10.192.9.11', '208.80.153.42', '208.80.154.78', '2620:0:860:103:10:192:32:67', '2620:0:860:10a:10:192:9:11', '2620:0:860:11e:10:192:39:10', '2620:0:860:2:208:80:153:42', '2620:0:861:3:208:80:154:78']\n"}, {"resource": "File[/etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft]", "content": "--- /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft.orig\n+++ /etc/nftables/input/10_full-monitoring-metrics-access-tcp.nft\n@@ -1,4 +1,4 @@\n # Managed by puppet\n # \n ip saddr { 10.192.16.75, 10.192.32.67, 10.192.39.10, 10.192.9.11, 208.80.153.42, 208.80.154.78 } tcp dport 1-65535 accept\n-ip6 saddr { 2620:0:860:102:10:192:16:75, 2620:0:860:103:10:192:32:67, 2620:0:860:10a:10:192:9:11, 2620:0:860:11e:10:192:39:10, 2620:0:860:2:208:80:153:42, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept\n+ip6 saddr { 2620:0:860:103:10:192:32:67, 2620:0:860:10a:10:192:9:11, 2620:0:860:11e:10:192:39:10, 2620:0:860:2:208:80:153:42, 2620:0:861:3:208:80:154:78 } tcp dport 1-65535 accept"}], "perc_changed": "0.23%"}}}