--- Class[Adduser].orig
+++ Class[Adduser]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
File[/usr/share/CIDERGRINDER]
- Parameters differences:
--- File[/usr/share/CIDERGRINDER].orig
+++ File[/usr/share/CIDERGRINDER]
+ recurse => True
+ owner => root
+ notify => Service[haproxy]
+ before => Service[haproxy]
+ ensure => directory
+ group => root
+ source => puppet:///volatile/CIDERGRINDER
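Review bot: `notify => Service[haproxy]` on a directory managed with `recurse => True` from `puppet:///volatile/CIDERGRINDER` means every data refresh in that mount also refreshes HAProxy on each host applying this catalog. How often the data changes, and whether the refresh is a reload or a restart, is not visible here, so it is worth confirming against `hard-stop-after 1m` in the global section. The Bloom loader further down this page only alerts and carries on without a filter when the file fails to open, parse or verify, so a bad push would disable the lookup quietly. Alerting on the `Failed to initialize bloom filter` and `checksum mismatch` log lines would make that state visible.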
- File[/etc/haproxy/haproxy.cfg]
- Content differences:
--- /etc/haproxy/haproxy.cfg.orig
+++ /etc/haproxy/haproxy.cfg
@@ -22,6 +22,8 @@
lua-load-per-thread /etc/haproxy/lua/ja4h.lua
lua-load-per-thread /etc/haproxy/lua/utf8ps.lua
lua-load-per-thread /etc/haproxy/lua/contact_info.lua
+ lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb
+ lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
- Class[Profile::Cache::Haproxy]
- Parameters differences:
--- Class[Profile::Cache::Haproxy].orig
+++ Class[Profile::Cache::Haproxy]
@@
- use_cidergrinder => False
+ use_cidergrinder => True
- Package[lua5.4-ciderbloom]
- Parameters differences:
--- Package[lua5.4-ciderbloom].orig
+++ Package[lua5.4-ciderbloom]
+ ensure => installed
+ provider => apt
- Class[Haproxy]
- Parameters differences:
--- Class[Haproxy].orig
+++ Class[Haproxy]
@@
- config_content => # Note: This file is managed by puppet.
global
user haproxy
group haproxy
stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin
log /var/lib/haproxy/dev/log local0 info
log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info
tune.http.logurilen 2048
# do not keep old processes longer than 1m after a reload
hard-stop-after 1m
set-dumpable
nbthread 48
# NB: mapping too many cores (>~60) will cause HAProxy to complain about
# too long of a line and fail to start
cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94
lua-prepend-path /etc/haproxy/lua/private/?.lua
lua-load-per-thread /etc/haproxy/lua/private/main.lua
lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua
tune.ssl.capture-buffer-size 96
lua-load-per-thread /etc/haproxy/lua/ja3n.lua
lua-load-per-thread /etc/haproxy/lua/ja4h.lua
lua-load-per-thread /etc/haproxy/lua/utf8ps.lua
lua-load-per-thread /etc/haproxy/lua/contact_info.lua
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ssl-dh-param-file /etc/ssl/dhparam.pem
tune.ssl.cachesize 512000
tune.ssl.lifetime 86400
maxconn 200000
tune.h2.header-table-size 4096
tune.h2.initial-window-size 65535
tune.h2.max-concurrent-streams 100
defaults
mode http
log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts"
log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"]
option dontlognull
option accept-invalid-http-request
option accept-invalid-http-response
option http-ignore-probes
retries 1
timeout connect 50000
timeout client 500000
timeout server 500000
+ config_content => # Note: This file is managed by puppet.
global
user haproxy
group haproxy
stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin
log /var/lib/haproxy/dev/log local0 info
log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info
tune.http.logurilen 2048
# do not keep old processes longer than 1m after a reload
hard-stop-after 1m
set-dumpable
nbthread 48
# NB: mapping too many cores (>~60) will cause HAProxy to complain about
# too long of a line and fail to start
cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94
lua-prepend-path /etc/haproxy/lua/private/?.lua
lua-load-per-thread /etc/haproxy/lua/private/main.lua
lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua
tune.ssl.capture-buffer-size 96
lua-load-per-thread /etc/haproxy/lua/ja3n.lua
lua-load-per-thread /etc/haproxy/lua/ja4h.lua
lua-load-per-thread /etc/haproxy/lua/utf8ps.lua
lua-load-per-thread /etc/haproxy/lua/contact_info.lua
lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb
lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ssl-dh-param-file /etc/ssl/dhparam.pem
tune.ssl.cachesize 512000
tune.ssl.lifetime 86400
maxconn 200000
tune.h2.header-table-size 4096
tune.h2.initial-window-size 65535
tune.h2.max-concurrent-streams 100
defaults
mode http
log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts"
log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"]
option dontlognull
option accept-invalid-http-request
option accept-invalid-http-response
option http-ignore-probes
retries 1
timeout connect 50000
timeout client 500000
timeout server 500000
- File[/etc/haproxy/lua/cidergrinder_bloom.lua]
- Parameters differences:
--- File[/etc/haproxy/lua/cidergrinder_bloom.lua].orig
+++ File[/etc/haproxy/lua/cidergrinder_bloom.lua]
+ owner => haproxy
+ notify => Service[haproxy]
+ require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-ciderbloom]']
+ mode => 0644
+ before => Service[haproxy]
+ ensure => file
+ group => haproxy
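Review bot: `owner => haproxy` with `mode => 0644` makes this Lua script writable by the account the proxy runs as (`user haproxy` in the global section), so code HAProxy loads at start-up could be rewritten by a compromised worker until the next Puppet run restores it. Code the service executes is better owned by root and only readable by the service, e.g. `owner => root`, `group => haproxy`, `mode => 0644`. If the other scripts under `/etc/haproxy/lua` follow the same haproxy-owned convention (not visible here), the same applies to them.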
- Content differences:
--- /etc/haproxy/lua/cidergrinder_bloom.lua.orig
+++ /etc/haproxy/lua/cidergrinder_bloom.lua
@@ -0,0 +1,123 @@
+-- Bloom filter lookup action for HAProxy
+-- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER
+-- SPDX-License-Identifier: GPL-3.0-or-later
+-- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation
+
+local Bloom = require("bloom") -- our C library
+
+-- Global bloom filter instance
+local bloom_filter = nil
+local expected_payload_hash = nil
+
+local args = table.pack(...)
+
+core.register_init(function()
+ if #args < 1 then
+ core.Alert("Bloom filter file name not provided")
+ return
+ end
+
+ local fname = args[1]
+ local file = io.open(fname, "rb") -- file io allowed in init context
+ if not file then
+ core.Alert("Failed to open bloom filter file: " .. fname)
+ return
+ end
+
+ -- Parse the headers, make note of the checksum
+ -- Example file contents:
+ -- PUT /spur.bloom CIDERBLOOM/0.1\r\n
+ -- Bits: 1234567\r\n
+ -- Hashes: 13\r\n
+ -- Payload-Xxhash3: abcdef1234567890\r\n
+ -- Other-user-defined-metadata: value\r\n
+ -- \r\n[binary data begins]
+
+ -- check the header line, should contain "CIDERBLOOM/0.1"
+ local header = file:read("*l")
+ if not header or not header:match("CIDERBLOOM/0%.1") then
+ core.Alert("Invalid bloom filter file header: " .. tostring(header))
+ file:close()
+ return
+ end
+
+ local hdrs = {}
+ -- parse key: value lines until we hit an empty line
+ -- (keys will never contain whitespace or colons)
+ while true do
+ local line = file:read("*l")
+ if not line or line == "" or line == "\r" then
+ break
+ end
+ local key, value = line:match("^(.-):%s*(.-)%s*$")
+ if key and value then
+ key = key:lower()
+ hdrs[key] = value
+ end
+ end
+
+ if not hdrs["bits"] or not hdrs["hashes"] then
+ core.Alert("Unable to load Bloom filter -- missing required metadata")
+ file:close()
+ return
+ end
+
+ if hdrs["payload-xxhash3"] then
+ local hash = tonumber(hdrs["payload-xxhash3"], 16)
+ expected_payload_hash = hash
+ end
+
+-- TODO: we could take an expected granularity as an arg from the config file and
+-- crosscheck that against the x-granularity header.
+
+ local bits = tonumber(hdrs["bits"])
+ local hashes = tonumber(hdrs["hashes"])
+ if not bits or not hashes then
+ core.Alert("Invalid bloom filter header values")
+ file:close()
+ return
+ end
+
+ core.Debug("File payload offset: " .. file:seek("cur", 0))
+
+ local ok, bf_or_err = pcall(Bloom.open, file, bits, hashes)
+ -- Safe to close the file on error or success; mmap() has our back.
+ file:close()
+ if not ok then
+ core.Alert("Failed to initialize bloom filter from file: " .. fname .. " (" .. tostring(bf_or_err) .. ")")
+ bloom_filter = nil
+ return
+ end
+ bloom_filter = bf_or_err
+
+ if expected_payload_hash then
+ local hash = bloom_filter:checksum()
+ if hash ~= expected_payload_hash then
+ core.Alert(string.format("Unloading the Bloom filter! checksum mismatch: expected %016x, got %016x", expected_payload_hash, hash))
+ bloom_filter = nil
+ else
+ core.Debug(string.format("Bloom filter checksum matches expected value: %016x", hash))
+ end
+ else
+ core.Warning("Bloom filter metadata lacks payload-xxhash3; skipping integrity check")
+ end
+
+ core.Info(string.format("Bloom filter %s loaded OK! parameters: bits=%d, hashes=%d", fname, bits, hashes))
+end)
+
+-- `http-request lua.bloom_lookup`
+-- expects var(sess.prehashed) to be set to a hash value to check against the bloom filter
+-- sets var(sess.bloom_result) to true or false based on the lookup
+core.register_action("bloom_lookup", { "http-req", "tcp-req" }, function(txn)
+ if not bloom_filter then
+ return
+ end
+
+ local h = txn:get_var("sess.prehashed")
+ if h then
+ local r = bloom_filter:contains_hashval(h)
+ txn:set_var("sess.bloom_result", r)
+ end
+end)
+
+core.Info("Bloom filter action registered")
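Review bot: A `Payload-Xxhash3` value that is not valid hex makes `tonumber(hdrs["payload-xxhash3"], 16)` return nil, so `expected_payload_hash` stays nil and the loader takes the "lacks payload-xxhash3; skipping integrity check" branch and keeps the filter. A malformed checksum header therefore skips the check silently; an unparsable value should be treated as a load failure. The mismatch branch also has no `return` after `bloom_filter = nil`, so the "loaded OK!" line at the end of the init function is still logged for a filter that was just unloaded. An xxh3 value stored in the same file detects truncation or corruption, not replacement of the file, and a short comment above the check saying so would keep it from being read as an authenticity control.

```lua
  if hdrs["payload-xxhash3"] then
    local hash = tonumber(hdrs["payload-xxhash3"], 16)
    if not hash then
      core.Alert("Invalid payload-xxhash3 value in bloom filter file: " .. fname)
      file:close()
      return
    end
    expected_payload_hash = hash
  end

  -- … unchanged: bits/hashes parsing, Bloom.open, checksum comparison …

      bloom_filter = nil
      return  -- do not fall through to the "loaded OK!" message
```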
- Class[Profile::Apt]
- Parameters differences:
--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
- File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]
- Content differences:
--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig
+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl
@@ -181,6 +181,10 @@
# Check if the request originates from a known datacenter.
http-request lua.is_datacenter
http-request set-var(req.provenance) var(req.provenance),add_item(";",,"datacenter=true") if { var(txn.is_datacenter) -m bool }
+ http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }
+ http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }
+ http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }
+ http-request set-var(req.provenance) var(req.provenance),add_item(";",,"likely_resiproxy=true") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }
http-request lua.res_proxy # sets var txn.res_proxy to `proxy=foo` (or, doesn't)
http-request set-var(req.provenance) var(req.provenance),add_item(";",txn.res_proxy,"") if { var(txn.res_proxy) -m found }
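Review bot: The guard on `lua.bloom_lookup` tests `-m bool` while the two rules above it test `-m found`. If the mmdb lookup stores a false result, the action is still called on every request and, unless `sess.prehashed` is set somewhere outside this hunk, returns without doing anything. Nothing caches `sess.bloom_result` either, so when the Bloom path is in use the lookup repeats per request although its input is per-session. If the Bloom filter is meant only as a fallback when the mmdb gave no answer, `http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.bloom_result) -m found }` states that directly. A one-line comment above the four rules describing the precedence would help, since it depends on whether `cidergrinder_mmdb_lookup` leaves its variable unset on a miss, which this page does not show.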
Relevant files