Compilation results for aqs1024.eqiad.wmnet: System changes detected

You can retrieve this result from host.json.

Catalog differences

Summary

Total Resources:	2774
Resources added:	253
Resources removed:	5
Resources modified:	272
Change percentage:	19.11%

Resources only in the new catalog

Sysctl::Parameters[cassandra]
Ferm::Service[cassandra-analytics-cql]
Class[Cassandra::Sysctl]
File[/etc/ferm/conf.d/10_cassandra-intra-node]
Package[libjemalloc2]
Exec[update_java_alternatives_11]
File[/etc/cassandra-a/user_aqsloader.cql]
File[/etc/cassandra-b/user_media_analytics.cql]
File[/etc/cassandra-a/user_image_suggestions.cql]
Package[cassandra-tools]
File[/var/lib/scap]
Class[Scap::Ferm]
File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]
File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]
File[/etc/cassandra-b/jvm11-clients.options]
File[/etc/cassandra-b/hotspot_compiler]
Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]
Motd::Script[aqs]
File[/etc/cassandra-a/user_edit_analytics.cql]
Ssh::Userkey[deploy-service]
File[/etc/cassandra-a/cassandra.yaml]
Cassandra::Instance[b]
File[/etc/cassandra-a/jvm17-server.options]
Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]
File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]
Exec[chown /srv/deployment/cassandra for deploy-service]
Exec[install-/srv/cassandra/cassandra-a/system]
File[/etc/cassandra-a/cqlshrc]
File[/usr/local/bin/cqlsh-b]
Monitoring::Service[cassandra-a-ssl]
Java::Package[openjdk-jdk-11]
Exec[java__cacert_Wikimedia_Internal_Root_CA]
Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]
Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]
File[/usr/local/bin/nodetool-a]
Service[cassandra]
File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]
Package[cassandra/logstash-logback-encoder]
Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]
File[/etc/ferm/conf.d/10_cassandra-cql]
File[/etc/rsyslog.d/50-udp-localhost-compat.conf]
File[/etc/cassandra-b/logback-tools.xml]
Exec[install-/srv/cassandra/cassandra-a/hints]
Apt::Package_from_component[cassandra]
Exec[install-/srv/storage-0/cassandra-b/data]
File[/lib/systemd/system/cassandra-a.service]
Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]
Exec[install-/srv/cassandra/cassandra-b/saved_caches]
Package[rsync]
Interface::Alias[cassandra-a]
Motd::Message[aqs]
File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]
Package[jvm-tools]
File[/etc/cassandra-b/jvm-server.options]
Exec[install-/srv/storage-6/cassandra-a/data]
Exec[install-/srv/storage-7/cassandra-b/data]
File[/usr/local/bin/cassandra_validate_grants]
File[/etc/cassandra-a/user_page_analytics.cql]
Systemd::Unit[cassandra-a]
File[/etc/cassandra-a/cassandra-env.sh]
File[/etc/cassandra-a/logback-tools.xml]
Class[Profile::Java]
File[/etc/cassandra-a/user_geo_analytics.cql]
Ssh::Userkey[scap]
File[/etc/cassandra-a/credentials]
Ferm::Service[cassandra-cql]
File[/etc/cassandra-instances.d/aqs1024-a.yaml]
File[/etc/cassandra-b/user_edit_analytics.cql]
Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]
Interface::Alias[cassandra-b]
File[/etc/ferm/conf.d/10_cassandra-analytics-cql]
Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]
Exec[install-/srv/cassandra/cassandra-a/saved_caches]
Java::Cacert[wmf:puppetca.pem]
File[/etc/cassandra-b/user_geo_analytics.cql]
Interface::Ip[cassandra-a ipv4]
Exec[install-/srv/storage-5/cassandra-a/data]
Monitoring::Service[cassandra-b-ssl]
Systemd::Service[cassandra-a]
File[/etc/cassandra-b/user_data_gateway.cql]
Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]
Alternatives::Java[11]
Ferm::Service[cassandra-jmx-rmi]
Cassandra::Instance::Monitoring[b]
Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]
File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]
File[/etc/cassandra-a/jvm-server.options]
File[/etc/cassandra-b/cassandra-env.sh]
File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]
Node[__node_regexp__aqs1010-214-920-4.eqiad.]
File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]
File[/usr/local/bin/nodetool-instance]
File[/etc/cassandra-b/cassandra-rackdc.properties]
File[/lib/systemd/system/cassandra-b.service]
File[/etc/cassandra-a/logback.xml]
File[/etc/cassandra-a/jvm11-clients.options]
File[/usr/local/bin/nodetool-b]
File[/etc/cassandra-b/jvm-clients.options]
File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]
Package[cassandra]
Exec[bootstrap-scap-target]
Exec[install-/srv/storage-3/cassandra-b/data]
Exec[install-/srv/cassandra/cassandra-b/commitlog]
File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]
Prometheus::Jmx_exporter_instance[aqs1024-a]
File[/etc/cassandra-b/jvm11-server.options]
File[/etc/cassandra-b/cqlshrc]
File[/etc/ssh/userkeys/scap]
Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]
File[/etc/cassandra-b/user_aqsloader.cql]
File[/etc/cassandra-a/user_revise_tone_task_generator.cql]
Prometheus::Jmx_exporter_instance[aqs1024-b]
Exec[install-/srv/cassandra/cassandra-b/hints]
File[/var/lib/deploy-service]
File[/etc/cassandra-instances.d]
Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]
File[/etc/cassandra-a/jvm11-server.options]
File[/etc/scap.cfg]
File[/etc/cassandra-a/user_data_gateway.cql]
Service[cassandra-b]
File[/etc/cassandra-a/tls/server.key]
File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]
Exec[java__cacert_wmf:puppetca.pem]
File[/etc/ferm/conf.d/10_deployment_ssh]
File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]
Exec[install-/srv/storage-7/cassandra-a/data]
Rsyslog::Conf[udp_json_logback_compat]
File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]
Monitoring::Service[cassandra-a-cql]
Exec[java__cacert_Puppet_Internal_CA]
Group[deploy-service]
Sysctl::Conffile[cassandra]
Java::Cacert[wmf:Wikimedia_Internal_Root_CA]
Cassandra::Instance[a]
Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]
File[/etc/cassandra-b/commitlog_archiving.properties]
File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]
Systemd::Service[cassandra-b]
Systemd::Unit[cassandra-b]
File[/etc/update-motd.d/05-aqs]
File[/etc/cassandra-b/tls/server.key]
File[/etc/cassandra-b/user_device_analytics.cql]
Scap::Target[cassandra/logstash-logback-encoder]
Firewall::Service[deployment-ssh]
File[/etc/cassandra-a/hotspot_compiler]
Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]
File[/etc/cassandra-a/user_editor_analytics.cql]
Exec[install-/srv/storage-5/cassandra-b/data]
Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]
Exec[install-/srv/cassandra/cassandra-a/commitlog]
Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]
Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]
Sudo::User[scap_deploy-service]
Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]
File[/usr/local/bin/bootstrap-scap-target.sh]
Interface::Ip[cassandra-b ipv4]
Class[Git::Lfs]
Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]
Augeas[ens8f0np0_10.64.156.21/32]
File[/etc/cassandra-b/tls]
File[/etc/cassandra-b/user_editor_analytics.cql]
Exec[install-/srv/storage-3/cassandra-a/data]
Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]
File[/etc/cassandra-a]
Group[scap]
File[/usr/bin/scap]
Class[Scap]
Exec[install-/srv/storage-1/cassandra-b/data]
File[/usr/local/bin/sstableutil-b]
File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]
File[/etc/cassandra-b/cassandra.yaml]
File[/etc/cassandra-b/logback.xml]
Rsyslog::Conf[udp_localhost_compat]
File[/etc/cassandra-a/user_device_analytics.cql]
Class[Cassandra]
Cassandra::Instance::Monitoring[a]
Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]
Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]
Package[python3-venv]
Class[Cassandra::Logging]
Ferm::Service[cassandra-intra-node]
Class[Profile::Rsyslog::Udp_localhost_compat]
Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]
Exec[install-/srv/storage-1/cassandra-a/data]
Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql]
Ferm::Service[cassandra-intra-node-ssl]
Exec[install-/srv/storage-6/cassandra-b/data]
File[/etc/ssl/localcerts/wmf-java-cacerts]
Package[git-lfs]
File[/etc/cassandra-b/credentials]
File[/etc/cassandra-b/user_commons_impact_analytics.cql]
Exec[install-/srv/storage-2/cassandra-b/data]
File[/usr/local/bin/sstable-util-instance]
File[/etc/cassandra-b/user_image_suggestions.cql]
File[/usr/local/bin/sstableutil-a]
Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]
File[/etc/ssh/userkeys/deploy-service]
File[/srv/cassandra-b]
Exec[install-/srv/cassandra/cassandra-b/system]
File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]
Ferm::Service[deployment_ssh]
File[/etc/cassandra-a/jvm-clients.options]
File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]
File[/srv/cassandra-a]
Augeas[ens8f0np0_10.64.156.18/32]
User[deploy-service]
Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]
Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]
File[/etc/cassandra-a/tls]
Exec[install-/srv/storage-4/cassandra-a/data]
File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]
Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]
Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]
Service[cassandra-a]
File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]
File[/etc/cassandra-instances.d/aqs1024-b.yaml]
File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]
File[/etc/cassandra-a/user_commons_impact_analytics.cql]
Exec[install-/srv/storage-0/cassandra-a/data]
Exec[install-/srv/storage-2/cassandra-a/data]
Systemd::Sysuser[scap]
User[scap]
Java::Cacert[Puppet_Internal_CA]
File[/etc/sudoers.d/scap_deploy-service]
Java::Cacert[Wikimedia_Internal_Root_CA]
File[/etc/cassandra-b/user_revise_tone_task_generator.cql]
File[/usr/local/bin/cqlsh-a]
Exec[install-/srv/storage-4/cassandra-b/data]
Class[Profile::Rsyslog::Udp_json_logback_compat]
Class[Profile::Cassandra]
Class[Scap::User]
File[/etc/sysctl.d/05-cassandra.conf]
File[/etc/sysusers.d/scap.conf]
File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]
File[/etc/cassandra-a/user_media_analytics.cql]
Exec[apt_package_from_component_cassandra]
Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]
Class[Java]
Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]
Package[cassandra-tools-wmf]
File[/etc/tmpfiles.d/cassandra.conf]
Package[prometheus-jmx-exporter]
File[/etc/cassandra-b]
Class[Role::Aqs]
File[/etc/cassandra-b/user_page_analytics.cql]
File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]
Package[openjdk-11-jdk]
File[/etc/cassandra.in.sh]
File[/etc/cassandra-b/jvm17-server.options]
File[/etc/init.d/cassandra]
Monitoring::Service[cassandra-b-cql]
File[/etc/cassandra-a/commitlog_archiving.properties]
File[/etc/cassandra-a/cassandra-rackdc.properties]

Resources only in the old catalog

Node[__node_regexp__aqs1024-7.eqiad.]
Class[Role::Insetup::Data_persistence_ferm]
File[/etc/update-motd.d/05-insetup--data-persistence-ferm]
Motd::Script[insetup::data_persistence_ferm]
Motd::Message[insetup::data_persistence_ferm]

Resources modified

File[/etc/cassandra-a/cqlshrc]

Parameters differences:

--- File[/etc/cassandra-a/cqlshrc].orig
+++ File[/etc/cassandra-a/cqlshrc]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/cqlshrc.orig
+++ /etc/cassandra-a/cqlshrc
@@ -0,0 +1,7 @@
+; SPDX-License-Identifier: Apache-2.0
+
+[authentication]
+credentials = /etc/cassandra-a/credentials
+
+[ssl]
+certfile = /etc/ssl/certs/wmf-ca-certificates.crt

Package[cassandra/logstash-logback-encoder]

Parameters differences:

--- Package[cassandra/logstash-logback-encoder].orig
+++ Package[cassandra/logstash-logback-encoder]

+    require         => User[deploy-service]
+    install_options => [{'owner': 'deploy-service'}]
+    provider        => scap3
+    ensure          => present

File[/lib/systemd/system/cassandra-b.service]

Parameters differences:

--- File[/lib/systemd/system/cassandra-b.service].orig
+++ File[/lib/systemd/system/cassandra-b.service]

+    group  => root
+    mode   => 0444
+    ensure => present
+    notify => Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]
+    owner  => root

Content differences:

--- /lib/systemd/system/cassandra-b.service.orig
+++ /lib/systemd/system/cassandra-b.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=distributed storage system for structured data
+After=network.target
+# On bootstrap / provisioning, don't attempt to start all instances,
+# wait instead for the guard file to exist, see also T214166
+ConditionPathExists=/etc/cassandra-b/service-enabled
+
+[Service]
+User=cassandra
+PIDFile=/var/run/cassandra/cassandra-b.pid
+LimitNOFILE=100000
+LimitMEMLOCK=infinity
+Environment="CASSANDRA_INCLUDE=/etc/cassandra.in.sh"
+Environment="CASSANDRA_CONF=/etc/cassandra-b"
+Environment="CASSANDRA_INSTANCE=aqs1024-b"
+Environment="CASSANDRA_LOG_DIR=/var/log/cassandra"
+ExecStart=/usr/sbin/cassandra -p /var/run/cassandra/cassandra-b.pid
+
+# Deinit on shutdown (see: https://phabricator.wikimedia.org/T327954)
+ExecStop=-/usr/local/bin/nodetool-b disablethrift
+ExecStop=-/usr/local/bin/nodetool-b disablebinary
+ExecStop=-/usr/local/bin/nodetool-b disablegossip
+ExecStop=-/usr/local/bin/nodetool-b drain
+ExecStop=/usr/local/bin/nodetool-b stopdaemon

File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]

Parameters differences:

--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem].orig
+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]

+    group     => cassandra
+    mode      => 0440
+    ensure    => file
+    backup    => False
+    show_diff => False
+    owner     => cassandra

File[/etc/cassandra-b/cqlshrc]

Parameters differences:

--- File[/etc/cassandra-b/cqlshrc].orig
+++ File[/etc/cassandra-b/cqlshrc]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/cqlshrc.orig
+++ /etc/cassandra-b/cqlshrc
@@ -0,0 +1,7 @@
+; SPDX-License-Identifier: Apache-2.0
+
+[authentication]
+credentials = /etc/cassandra-b/credentials
+
+[ssl]
+certfile = /etc/ssl/certs/wmf-ca-certificates.crt

Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]

Parameters differences:

--- Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet].orig
+++ Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]

+    group           => cassandra
+    hosts           => ['cassandra', 'aqs1024.eqiad.wmnet']
+    notify          => Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]
+    provide_chain   => True
+    owner           => cassandra
+    renew_seconds   => 952200
+    names           => []
+    mode            => 0400
+    ensure          => present
+    key             => {'algo': 'ecdsa', 'size': 256}
+    common_name     => aqs1024-a.eqiad.wmnet
+    before_services => []
+    outdir          => /etc/cassandra-a/tls
+    label           => cassandra
+    auto_renew      => True
+    notify_services => []
+    environment     => ['GODEBUG=x509ignoreCN=0']

Monitoring::Exported_nagios_service[aqs1024 disk_space]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 disk_space].orig
+++ Monitoring::Exported_nagios_service[aqs1024 disk_space]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => aqs_eqiad

Class[Profile::Base::Production]

Parameters differences:

--- Class[Profile::Base::Production].orig
+++ Class[Profile::Base::Production]

@@
-    role_description => Host being setup by Data Persistence SREs
+    role_description => Analytics Query Service - Cassandra instance

Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]

Parameters differences:

--- Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a].orig
+++ Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]

+    group       => cassandra
+    public_key  => /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem
+    outfile     => /etc/cassandra-a/tls/server.key
+    ensure      => present
+    password    => test
+    private_key => /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem
+    owner       => cassandra

File[/usr/local/bin/sstable-util-instance]

Parameters differences:

--- File[/usr/local/bin/sstable-util-instance].orig
+++ File[/usr/local/bin/sstable-util-instance]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0555
+    ensure  => present
+    source  => puppet:///modules/cassandra/sstable-util-instance
+    owner   => cassandra

File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]

Parameters differences:

--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem].orig
+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]

+    group  => cassandra
+    mode   => 0440
+    ensure => file
+    source => puppet:///modules/profile/pki/intermediates/cassandra-cert.pem
+    owner  => cassandra

Exec[install-/srv/cassandra/cassandra-a/system]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-a/system].orig
+++ Exec[install-/srv/cassandra/cassandra-a/system]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/system
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-a/system
+    before  => Systemd::Service[cassandra-a]

Class[Profile::Base]

Parameters differences:

--- Class[Profile::Base].orig
+++ Class[Profile::Base]

@@
-    cluster => insetup
+    cluster => aqs

Scap::Target[cassandra/logstash-logback-encoder]

Parameters differences:

--- Scap::Target[cassandra/logstash-logback-encoder].orig
+++ Scap::Target[cassandra/logstash-logback-encoder]

+    additional_services_names => []
+    manage_ssh_key            => True
+    sudo_rules                => []
+    manage_user               => True
+    package_name              => cassandra/logstash-logback-encoder
+    ensure                    => present
+    key_name                  => deploy-service
+    deploy_user               => deploy-service

File[/usr/local/bin/sstableutil-b]

Parameters differences:

--- File[/usr/local/bin/sstableutil-b].orig
+++ File[/usr/local/bin/sstableutil-b]

+    group   => root
+    require => File[/usr/local/bin/sstable-util-instance]
+    ensure  => link
+    target  => /usr/local/bin/sstable-util-instance
+    owner   => root

File[/srv/cassandra-a]

Parameters differences:

--- File[/srv/cassandra-a].orig
+++ File[/srv/cassandra-a]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0750
+    ensure  => directory
+    owner   => cassandra

Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem].orig
+++ Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]

+    command   => /bin/cat /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem > /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem
+    unless    => /usr/bin/test "$(/bin/cat /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem | sha512sum)" == "$(/bin/cat /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem | sha512sum)"

+    subscribe => ['Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]', 'File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]', 'File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]']

Package[jvm-tools]

Parameters differences:

--- Package[jvm-tools].orig
+++ Package[jvm-tools]

+    provider => apt
+    ensure   => installed

Exec[install-/srv/storage-7/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-7/cassandra-b/data].orig
+++ Exec[install-/srv/storage-7/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-7/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-7/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

File[/etc/cassandra-a/logback-tools.xml]

Parameters differences:

--- File[/etc/cassandra-a/logback-tools.xml].orig
+++ File[/etc/cassandra-a/logback-tools.xml]

+    group  => cassandra
+    ensure => present
+    mode   => 0444
+    source => puppet:///modules/cassandra/logback-tools.xml-4.x
+    links  => follow
+    owner  => cassandra

Class[Profile::Java]

Parameters differences:

--- Class[Profile::Java].orig
+++ Class[Profile::Java]

+    trust_puppet_ca => True
+    egd_source      => /dev/random
+    enable_dbg      => False
+    extra_args      => {}
+    hardened_tls    => False
+    java_packages   => [{'version': '11', 'variant': 'jdk'}]

Ferm::Service[cassandra-jmx-rmi]

Parameters differences:

--- Ferm::Service[cassandra-jmx-rmi].orig
+++ Ferm::Service[cassandra-jmx-rmi]

+    prio       => 10
+    srange     => @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet))
+    ensure     => present
+    desc       => 
+    notrack    => False
+    port_range => [7199, 7202]
+    proto      => tcp

File[/usr/local/bin/nodetool-b]

Parameters differences:

--- File[/usr/local/bin/nodetool-b].orig
+++ File[/usr/local/bin/nodetool-b]

+    group   => root
+    require => File[/usr/local/bin/nodetool-instance]
+    ensure  => link
+    target  => /usr/local/bin/nodetool-instance
+    owner   => root

Firewall::Service[deployment-ssh]

Parameters differences:

--- Firewall::Service[deployment-ssh].orig
+++ Firewall::Service[deployment-ssh]

+    desc     => 
+    prio     => 10
+    port     => 22
+    ensure   => present
+    notrack  => False
+    src_sets => ['DEPLOYMENT_HOSTS']
+    proto    => tcp

Augeas[ens8f0np0_10.64.156.21/32]

Parameters differences:

--- Augeas[ens8f0np0_10.64.156.21/32].orig
+++ Augeas[ens8f0np0_10.64.156.21/32]

+    onlyif  => match up[. = 'ip addr add 10.64.156.21/32 dev ens8f0np0'] size == 0
+    context => /files/etc/network/interfaces/*[. = 'ens8f0np0' and ./family = 'inet']
+    changes => set up[last()+1] 'ip addr add 10.64.156.21/32 dev ens8f0np0'
+    incl    => /etc/network/interfaces
+    lens    => Interfaces.lns

Class[Cassandra::Logging]

Parameters differences:

--- Class[Cassandra::Logging].orig
+++ Class[Cassandra::Logging]

+    require => ['Class[Cassandra]']

Class[Sslcert::Trusted_ca]

Parameters differences:

--- Class[Sslcert::Trusted_ca].orig
+++ Class[Sslcert::Trusted_ca]

@@
-    include_bundle_jks => False
+    include_bundle_jks => True

File[/etc/cassandra-b/user_page_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_page_analytics.cql].orig
+++ File[/etc/cassandra-b/user_page_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_page_analytics.cql.orig
+++ /etc/cassandra-b/user_page_analytics.cql
@@ -0,0 +1,10 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS page_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_pageviews_per_project_v2".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_lgc_pagecounts_per_project".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_pageviews_per_article_flat".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_top_bycountry".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_top_pageviews".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_top_percountry".data TO 'page_analytics';

File[/var/lib/scap]

Parameters differences:

--- File[/var/lib/scap].orig
+++ File[/var/lib/scap]

+    group  => 919
+    mode   => 0755
+    ensure => directory
+    owner  => 919

File[/usr/local/bin/cqlsh-b]

Parameters differences:

--- File[/usr/local/bin/cqlsh-b].orig
+++ File[/usr/local/bin/cqlsh-b]

+    group   => root
+    require => Package[cassandra-tools-wmf]
+    ensure  => link
+    target  => /usr/bin/cqlsh-instance
+    owner   => root

File[/etc/cassandra-a/user_page_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_page_analytics.cql].orig
+++ File[/etc/cassandra-a/user_page_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_page_analytics.cql.orig
+++ /etc/cassandra-a/user_page_analytics.cql
@@ -0,0 +1,10 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS page_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_pageviews_per_project_v2".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_lgc_pagecounts_per_project".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_pageviews_per_article_flat".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_top_bycountry".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_top_pageviews".data TO 'page_analytics';
+GRANT SELECT ON "local_group_default_T_top_percountry".data TO 'page_analytics';

File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]

Parameters differences:

--- File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list].orig
+++ File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]

+    group  => root
+    mode   => 0444
+    ensure => file
+    notify => Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]
+    owner  => root

Content differences:

--- /etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list.orig
+++ /etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list
@@ -0,0 +1,2 @@
+deb http://apt.wikimedia.org/wikimedia bullseye-wikimedia component/cassandra41
+deb-src http://apt.wikimedia.org/wikimedia bullseye-wikimedia component/cassandra41

File[/etc/cassandra-a/logback.xml]

Parameters differences:

--- File[/etc/cassandra-a/logback.xml].orig
+++ File[/etc/cassandra-a/logback.xml]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/logback.xml.orig
+++ /etc/cassandra-a/logback.xml
@@ -0,0 +1,152 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+Note:  This file is managed by Puppet.
+       It was taken from the Cassandra Debian package and templatized
+       here in order to assign configuration.
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<!--
+In order to disable debug.log, comment-out the ASYNCDEBUGLOG
+appender reference in the root level section below.
+-->
+
+<configuration scan="true" scanPeriod="60 seconds">
+  <jmxConfigurator />
+
+  <!-- No shutdown hook; we run it ourselves in StorageService after shutdown -->
+
+  <!-- SYSTEMLOG rolling file appender to system.log (INFO level) -->
+
+  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>INFO</level>
+    </filter>
+    <file>${cassandra.logdir}/system-a.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
+      <fileNamePattern>${cassandra.logdir}/system-a.log.%i.zip</fileNamePattern>
+      <minIndex>1</minIndex>
+      <maxIndex>40</maxIndex>
+    </rollingPolicy>
+
+    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
+      <maxFileSize>50MB</maxFileSize>
+    </triggeringPolicy>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <!-- DEBUGLOG rolling file appender to debug.log (all levels) -->
+
+  <appender name="DEBUGLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${cassandra.logdir}/debug-a.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
+      <fileNamePattern>${cassandra.logdir}/debug-a.log.%i.zip</fileNamePattern>
+      <minIndex>1</minIndex>
+      <maxIndex>40</maxIndex>
+    </rollingPolicy>
+
+    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
+      <maxFileSize>50MB</maxFileSize>
+    </triggeringPolicy>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <appender name="UDP" class="net.logstash.logback.appender.LogstashSocketAppender">
+    <host>localhost</host>
+    <port>11514</port>
+    <customFields>{"program":"cassandra", "cluster":"Analytics Query Service Storage", "instance_name":"a", "HOSTNAME": "aqs1024.eqiad.wmnet"}</customFields>
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>INFO</level>
+    </filter>
+  </appender>
+
+  <!-- ASYNCLOG assynchronous appender to debug.log (all levels) -->
+
+  <appender name="ASYNCDEBUGLOG" class="ch.qos.logback.classic.AsyncAppender">
+    <queueSize>1024</queueSize>
+    <discardingThreshold>0</discardingThreshold>
+    <includeCallerData>true</includeCallerData>
+    <appender-ref ref="DEBUGLOG" />
+  </appender>
+
+  <!-- STDOUT console appender to stdout (INFO level) -->
+
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <!--
+      stdout will be captured by journald, thus show only >= WARN messages
+      in systemctl status
+    -->
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>WARN</level>
+    </filter>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <!-- Uncomment below configuration (Audit Logging (FileAuditLogger) rolling file appender and Audit Logging
+  additivity) in order to have the log events flow through separate log file instead of system.log.
+  Audit Logging (FileAuditLogger) rolling file appender to audit.log -->
+  <!-- <appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${cassandra.logdir}/audit/audit.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> -->
+      <!-- rollover daily -->
+      <!-- <fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern> -->
+      <!-- each file should be at most 50MB, keep 30 days worth of history, but at most 5GB -->
+      <!-- <maxFileSize>50MB</maxFileSize>
+      <maxHistory>30</maxHistory>
+      <totalSizeCap>5GB</totalSizeCap>
+    </rollingPolicy>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender> -->
+
+  <!-- Audit Logging additivity to redirect audit logging events to audit/audit.log -->
+  <!-- <logger name="org.apache.cassandra.audit" additivity="false" level="INFO">
+    <appender-ref ref="AUDIT"/>
+  </logger> -->
+
+  <!-- Uncomment bellow and corresponding appender-ref to activate logback metrics
+  <appender name="LogbackMetrics" class="com.codahale.metrics.logback.InstrumentedAppender" />
+   -->
+
+  <root level="INFO">
+    <appender-ref ref="SYSTEMLOG" />
+    <appender-ref ref="STDOUT" />
+    <appender-ref ref="UDP" />
+    <appender-ref ref="ASYNCDEBUGLOG" /> <!-- Comment this line to disable debug.log -->
+    <!--
+    <appender-ref ref="LogbackMetrics" />
+    -->
+  </root>
+
+  <logger name="org.apache.cassandra.utils.StatusLogger" additivity="false">
+    <appender-ref ref="SYSTEMLOG" />
+    <appender-ref ref="STDOUT"/>
+  </logger>
+
+  <logger name="org.apache.cassandra" level="DEBUG"/>
+</configuration>

File[/etc/cassandra-b/commitlog_archiving.properties]

Parameters differences:

--- File[/etc/cassandra-b/commitlog_archiving.properties].orig
+++ File[/etc/cassandra-b/commitlog_archiving.properties]

+    group  => cassandra
+    ensure => present
+    mode   => 0444
+    source => puppet:///modules/cassandra/commitlog_archiving.properties-4.x
+    links  => follow
+    owner  => cassandra

File[/etc/cassandra-a/hotspot_compiler]

Parameters differences:

--- File[/etc/cassandra-a/hotspot_compiler].orig
+++ File[/etc/cassandra-a/hotspot_compiler]

+    group  => cassandra
+    ensure => present
+    mode   => 0444
+    source => puppet:///modules/cassandra/hotspot_compiler-4.x
+    links  => follow
+    owner  => cassandra

File[/etc/cassandra-b/user_revise_tone_task_generator.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_revise_tone_task_generator.cql].orig
+++ File[/etc/cassandra-b/user_revise_tone_task_generator.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_revise_tone_task_generator.cql.orig
+++ /etc/cassandra-b/user_revise_tone_task_generator.cql
@@ -0,0 +1,7 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS revise_tone_task_generator
+    WITH PASSWORD = 'asdfasdfasdf' AND LOGIN = true AND SUPERUSER = false;
+
+-- Machine learning cache
+GRANT MODIFY ON ml_cache.page_paragraph_tone_scores TO revise_tone_task_generator;

Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]

Parameters differences:

--- Prometheus::Blackbox::Check::Tcp[cassandra-a-cql].orig
+++ Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]

+    server_name             => cassandra
+    use_client_auth         => False
+    ip6                     => 2620:0:861:124:10:64:156:17
+    alert_after             => 2m
+    site                    => eqiad
+    certificate_expiry_days => 5
+    ip4                     => 10.64.156.18
+    team                    => sre
+    prometheus_instance     => ops
+    client_auth_key         => /etc/prometheus/ssl/server.key
+    port                    => 9042
+    force_tls               => True
+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}
+    instance_label          => aqs1024-a
+    ip_families             => ['ip4']
+    severity                => critical
+    timeout                 => 3s
+    client_auth_cert        => /etc/prometheus/ssl/cert.pem

Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl].orig
+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]

+    notes_url              => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates
+    host_name              => aqs1024
+    active_checks_enabled  => 1
+    check_interval         => 1
+    check_freshness        => 0
+    notifications_enabled  => 1
+    ensure                 => absent
+    notification_interval  => 0
+    max_check_attempts     => 3
+    contact_groups         => admins,team-services
+    check_period           => 24x7
+    service_description    => cassandra-a SSL 10.64.156.18:7000
+    passive_checks_enabled => 1
+    check_command          => check_ssl_on_host_port!aqs1024-a!10.64.156.18!7000
+    notification_options   => c,r,f
+    retry_interval         => 1
+    servicegroups          => aqs_eqiad
+    notification_period    => 24x7
+    is_volatile            => 0

Sysctl::Parameters[cassandra]

Parameters differences:

--- Sysctl::Parameters[cassandra].orig
+++ Sysctl::Parameters[cassandra]

+    values   => {'vm.dirty_background_bytes': 25165824, 'vm.max_map_count': 1048575}
+    priority => 5
+    ensure   => present

Package[libjemalloc2]

Parameters differences:

--- Package[libjemalloc2].orig
+++ Package[libjemalloc2]

+    provider => apt
+    ensure   => installed

Exec[java__cacert_Wikimedia_Internal_Root_CA]

Parameters differences:

--- Exec[java__cacert_Wikimedia_Internal_Root_CA].orig
+++ Exec[java__cacert_Wikimedia_Internal_Root_CA]

+    before  => File[/etc/ssl/localcerts/wmf-java-cacerts]
+    command => /usr/bin/keytool -import  -noprompt -keystore /etc/ssl/localcerts/wmf-java-cacerts     -file /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt -storepass changeit -alias Wikimedia_Internal_Root_CA

+    group   => root
+    unless  => /usr/bin/keytool -list -keystore /etc/ssl/localcerts/wmf-java-cacerts -noprompt -storepass changeit -alias Wikimedia_Internal_Root_CA
+    user    => root

File[/etc/cassandra-b/cassandra-env.sh]

Parameters differences:

--- File[/etc/cassandra-b/cassandra-env.sh].orig
+++ File[/etc/cassandra-b/cassandra-env.sh]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/cassandra-env.sh.orig
+++ /etc/cassandra-b/cassandra-env.sh
@@ -0,0 +1,316 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and is templatized
+#        here in order to set various options from puppet.
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+calculate_heap_sizes()
+{
+    case "`uname`" in
+        Linux)
+            system_memory_in_mb=`free -m | awk '/:/ {print $2;exit}'`
+            system_cpu_cores=`egrep -c 'processor([[:space:]]+):.*' /proc/cpuinfo`
+        ;;
+        FreeBSD)
+            system_memory_in_bytes=`sysctl hw.physmem | awk '{print $2}'`
+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`
+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`
+        ;;
+        SunOS)
+            system_memory_in_mb=`prtconf | awk '/Memory size:/ {print $3}'`
+            system_cpu_cores=`psrinfo | wc -l`
+        ;;
+        Darwin)
+            system_memory_in_bytes=`sysctl hw.memsize | awk '{print $2}'`
+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`
+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`
+        ;;
+        *)
+            # assume reasonable defaults for e.g. a modern desktop or
+            # cheap server
+            system_memory_in_mb="2048"
+            system_cpu_cores="2"
+        ;;
+    esac
+
+    # some systems like the raspberry pi don't report cores, use at least 1
+    if [ "$system_cpu_cores" -lt "1" ]
+    then
+        system_cpu_cores="1"
+    fi
+
+    # set max heap size based on the following
+    # max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
+    # calculate 1/2 ram and cap to 1024MB
+    # calculate 1/4 ram and cap to 8192MB
+    # pick the max
+    half_system_memory_in_mb=`expr $system_memory_in_mb / 2`
+    quarter_system_memory_in_mb=`expr $half_system_memory_in_mb / 2`
+    if [ "$half_system_memory_in_mb" -gt "1024" ]
+    then
+        half_system_memory_in_mb="1024"
+    fi
+    if [ "$quarter_system_memory_in_mb" -gt "8192" ]
+    then
+        quarter_system_memory_in_mb="8192"
+    fi
+    if [ "$half_system_memory_in_mb" -gt "$quarter_system_memory_in_mb" ]
+    then
+        max_heap_size_in_mb="$half_system_memory_in_mb"
+    else
+        max_heap_size_in_mb="$quarter_system_memory_in_mb"
+    fi
+    MAX_HEAP_SIZE="${max_heap_size_in_mb}M"
+
+    # Young gen: min(max_sensible_per_modern_cpu_core * num_cores, 1/4 * heap size)
+    max_sensible_yg_per_core_in_mb="100"
+    max_sensible_yg_in_mb=`expr $max_sensible_yg_per_core_in_mb "*" $system_cpu_cores`
+
+    desired_yg_in_mb=`expr $max_heap_size_in_mb / 4`
+
+    if [ "$desired_yg_in_mb" -gt "$max_sensible_yg_in_mb" ]
+    then
+        HEAP_NEWSIZE="${max_sensible_yg_in_mb}M"
+    else
+        HEAP_NEWSIZE="${desired_yg_in_mb}M"
+    fi
+}
+
+# Sets the path where logback and GC logs are written.
+if [ "x$CASSANDRA_LOG_DIR" = "x" ] ; then
+    CASSANDRA_LOG_DIR="$CASSANDRA_HOME/logs"
+fi
+
+#GC log path has to be defined here because it needs to access CASSANDRA_HOME
+if [ $JAVA_VERSION -ge 11 ] ; then
+    # See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax
+    # The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M
+    echo "$JVM_OPTS" | grep -qe "-[X]log:gc"
+    if [ "$?" = "1" ] ; then # [X] to prevent ccm from replacing this line
+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file
+        mkdir -p ${CASSANDRA_LOG_DIR}
+        JVM_OPTS="$JVM_OPTS -Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=${CASSANDRA_LOG_DIR}/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760"
+    fi
+else
+    # Java 8
+    echo "$JVM_OPTS" | grep -qe "-[X]loggc"
+    if [ "$?" = "1" ] ; then # [X] to prevent ccm from replacing this line
+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file
+        mkdir -p ${CASSANDRA_LOG_DIR}
+        JVM_OPTS="$JVM_OPTS -Xloggc:${CASSANDRA_LOG_DIR}/gc.log"
+    fi
+fi
+
+# Check what parameters were defined on jvm-server.options file to avoid conflicts
+echo $JVM_OPTS | grep -q Xmn
+DEFINED_XMN=$?
+echo $JVM_OPTS | grep -q Xmx
+DEFINED_XMX=$?
+echo $JVM_OPTS | grep -q Xms
+DEFINED_XMS=$?
+echo $JVM_OPTS | grep -q UseConcMarkSweepGC
+USING_CMS=$?
+echo $JVM_OPTS | grep -q +UseG1GC
+USING_G1=$?
+
+# Override these to set the amount of memory to allocate to the JVM at
+# start-up. For production use you may wish to adjust this for your
+# environment. MAX_HEAP_SIZE is the total amount of memory dedicated
+# to the Java heap. HEAP_NEWSIZE refers to the size of the young
+# generation. Both MAX_HEAP_SIZE and HEAP_NEWSIZE should be either set
+# or not (if you set one, set the other).
+#
+# The main trade-off for the young generation is that the larger it
+# is, the longer GC pause times will be. The shorter it is, the more
+# expensive GC will be (usually).
+#
+# The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause
+# times. If in doubt, and if you do not particularly want to tweak, go with
+# 100 MB per physical CPU core.
+
+#MAX_HEAP_SIZE="4G"
+#HEAP_NEWSIZE="800M"
+
+# Set this to control the amount of arenas per-thread in glibc
+#export MALLOC_ARENA_MAX=4
+
+# only calculate the size if it's not set manually
+if [ "x$MAX_HEAP_SIZE" = "x" ] && [ "x$HEAP_NEWSIZE" = "x" -o $USING_G1 -eq 0 ]; then
+    calculate_heap_sizes
+elif [ "x$MAX_HEAP_SIZE" = "x" ] ||  [ "x$HEAP_NEWSIZE" = "x" -a $USING_G1 -ne 0 ]; then
+    echo "please set or unset MAX_HEAP_SIZE and HEAP_NEWSIZE in pairs when using CMS GC (see cassandra-env.sh)"
+    exit 1
+fi
+
+if [ "x$MALLOC_ARENA_MAX" = "x" ] ; then
+    export MALLOC_ARENA_MAX=4
+fi
+
+# We only set -Xms and -Xmx if they were not defined on jvm-server.options file
+# If defined, both Xmx and Xms should be defined together.
+if [ $DEFINED_XMX -ne 0 ] && [ $DEFINED_XMS -ne 0 ]; then
+     JVM_OPTS="$JVM_OPTS -Xms${MAX_HEAP_SIZE}"
+     JVM_OPTS="$JVM_OPTS -Xmx${MAX_HEAP_SIZE}"
+elif [ $DEFINED_XMX -ne 0 ] || [ $DEFINED_XMS -ne 0 ]; then
+     echo "Please set or unset -Xmx and -Xms flags in pairs on jvm-server.options file."
+     exit 1
+fi
+
+# We only set -Xmn flag if it was not defined in jvm-server.options file
+# and if the CMS GC is being used
+# If defined, both Xmn and Xmx should be defined together.
+if [ $DEFINED_XMN -eq 0 ] && [ $DEFINED_XMX -ne 0 ]; then
+    echo "Please set or unset -Xmx and -Xmn flags in pairs on jvm-server.options file."
+    exit 1
+elif [ $DEFINED_XMN -ne 0 ] && [ $USING_CMS -eq 0 ]; then
+    JVM_OPTS="$JVM_OPTS -Xmn${HEAP_NEWSIZE}"
+fi
+
+# We fail to start if -Xmn is used with G1 GC is being used
+# See comments for -Xmn in jvm-server.options
+if [ $DEFINED_XMN -eq 0 ] && [ $USING_G1 -eq 0 ]; then
+    echo "It is not recommended to set -Xmn with the G1 garbage collector. See comments for -Xmn in jvm-server.options for details."
+    exit 1
+fi
+
+if [ "$JVM_ARCH" = "64-Bit" ] && [ $USING_CMS -eq 0 ]; then
+    JVM_OPTS="$JVM_OPTS -XX:+UseCondCardMark"
+fi
+
+# provides hints to the JIT compiler
+JVM_OPTS="$JVM_OPTS -XX:CompileCommandFile=$CASSANDRA_CONF/hotspot_compiler"
+
+# add the jamm javaagent
+JVM_OPTS="$JVM_OPTS -javaagent:$CASSANDRA_HOME/lib/jamm-0.3.2.jar"
+
+CASSANDRA_HEAPDUMP_DIR=/srv/storage-1/cassandra-b
+# set jvm HeapDumpPath with CASSANDRA_HEAPDUMP_DIR
+if [ "x$CASSANDRA_HEAPDUMP_DIR" != "x" ]; then
+    JVM_OPTS="$JVM_OPTS -XX:HeapDumpPath=$CASSANDRA_HEAPDUMP_DIR/cassandra-`date +%s`-pid$$.hprof"
+    JVM_OPTS="$JVM_OPTS -XX:ErrorFile=$CASSANDRA_HEAPDUMP_DIR/hs_err_pid%p.log"
+fi
+
+# stop the jvm on OutOfMemoryError as it can result in some data corruption
+# uncomment the preferred option
+# ExitOnOutOfMemoryError and CrashOnOutOfMemoryError require a JRE greater or equals to 1.7 update 101 or 1.8 update 92
+# For OnOutOfMemoryError we cannot use the JVM_OPTS variables because bash commands split words
+# on white spaces without taking quotes into account
+# JVM_OPTS="$JVM_OPTS -XX:+ExitOnOutOfMemoryError"
+# JVM_OPTS="$JVM_OPTS -XX:+CrashOnOutOfMemoryError"
+JVM_ON_OUT_OF_MEMORY_ERROR_OPT="-XX:OnOutOfMemoryError=kill -9 %p"
+
+# print an heap histogram on OutOfMemoryError
+# JVM_OPTS="$JVM_OPTS -Dcassandra.printHeapHistogramOnOutOfMemoryError=true"
+
+# jmx: metrics and administration interface
+#
+# add this if you're having trouble connecting:
+# JVM_OPTS="$JVM_OPTS -Djava.rmi.server.hostname=<public name>"
+#
+# see
+# https://blogs.oracle.com/jmxetc/entry/troubleshooting_connection_problems_in_jconsole
+# for more on configuring JMX through firewalls, etc. (Short version:
+# get it working with no firewall first.)
+#
+# Cassandra ships with JMX accessible *only* from localhost.  
+# To enable remote JMX connections, uncomment lines below
+# with authentication and/or ssl enabled. See https://wiki.apache.org/cassandra/JmxSecurity 
+#
+if [ "x$LOCAL_JMX" = "x" ]; then
+    LOCAL_JMX=yes
+fi
+
+# Specifies the default port over which Cassandra will be available for
+# JMX connections.
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+JMX_PORT="7190"
+
+if [ "$LOCAL_JMX" = "yes" ]; then
+  JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.local.port=$JMX_PORT"
+  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
+else
+  JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.port=$JMX_PORT"
+  # if ssl is enabled the same port cannot be used for both jmx and rmi so either
+  # pick another value for this property or comment out to use a random port (though see CASSANDRA-7087 for origins)
+  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT"
+
+  # turn on JMX authentication. See below for further options
+  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
+
+  # jmx ssl options
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>"
+fi
+
+# jmx authentication and authorization options. By default, auth is only
+# activated for remote connections but they can also be enabled for local only JMX
+## Basic file based authn & authz
+JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
+#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
+## Custom auth settings which can be used as alternatives to JMX's out of the box auth utilities.
+## JAAS login modules can be used for authentication by uncommenting these two properties.
+## Cassandra ships with a LoginModule implementation - org.apache.cassandra.auth.CassandraLoginModule -
+## which delegates to the IAuthenticator configured in cassandra.yaml. See the sample JAAS configuration
+## file cassandra-jaas.config
+#JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.login.config=CassandraLogin"
+#JVM_OPTS="$JVM_OPTS -Djava.security.auth.login.config=$CASSANDRA_CONF/cassandra-jaas.config"
+
+## Cassandra also ships with a helper for delegating JMX authz calls to the configured IAuthorizer,
+## uncomment this to use it. Requires one of the two authentication options to be enabled
+#JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy"
+
+# To use mx4j, an HTML interface for JMX, add mx4j-tools.jar to the lib/
+# directory.
+# See http://cassandra.apache.org/doc/latest/operating/metrics.html#jmx
+# By default mx4j listens on the broadcast_address, port 8081. Uncomment the following lines
+# to control its listen address and port.
+#MX4J_ADDRESS="127.0.0.1"
+#MX4J_PORT="8081"
+
+# Cassandra uses SIGAR to capture OS metrics CASSANDRA-7838
+# for SIGAR we have to set the java.library.path
+# to the location of the native libraries.
+JVM_OPTS="$JVM_OPTS -Djava.library.path=$CASSANDRA_HOME/lib/sigar-bin"
+
+if [ "x$MX4J_ADDRESS" != "x" ]; then
+    if [ "$(echo "$MX4J_ADDRESS" | grep -c "\-Dmx4jaddress")" = "1" ]; then
+        # Backward compatible with the older style #13578
+        JVM_OPTS="$JVM_OPTS $MX4J_ADDRESS"
+    else
+        JVM_OPTS="$JVM_OPTS -Dmx4jaddress=$MX4J_ADDRESS"
+    fi
+fi
+if [ "x$MX4J_PORT" != "x" ]; then
+    if [ "$(echo "$MX4J_PORT" | grep -c "\-Dmx4jport")" = "1" ]; then
+        # Backward compatible with the older style #13578
+        JVM_OPTS="$JVM_OPTS $MX4J_PORT"
+    else
+        JVM_OPTS="$JVM_OPTS -Dmx4jport=$MX4J_PORT"
+    fi
+fi
+
+JVM_OPTS="$JVM_OPTS $JVM_EXTRA_OPTS"
+
+
+JVM_OPTS="$JVM_OPTS -javaagent:/usr/share/java/prometheus/jmx_prometheus_javaagent.jar=10.64.156.21:7800:/etc/cassandra-b/prometheus_jmx_exporter.yaml"

Concat::Fragment[main contacts]

Exec[java__cacert_Puppet_Internal_CA]

Parameters differences:

--- Exec[java__cacert_Puppet_Internal_CA].orig
+++ Exec[java__cacert_Puppet_Internal_CA]

+    before  => File[/etc/ssl/localcerts/wmf-java-cacerts]
+    command => /usr/bin/keytool -import  -noprompt -keystore /etc/ssl/localcerts/wmf-java-cacerts     -file /etc/ssl/certs/Puppet_Internal_CA.pem -storepass changeit -alias Puppet_Internal_CA

+    group   => root
+    unless  => /usr/bin/keytool -list -keystore /etc/ssl/localcerts/wmf-java-cacerts -noprompt -storepass changeit -alias Puppet_Internal_CA
+    user    => root

Systemd::Unit[cassandra-b]

Parameters differences:

--- Systemd::Unit[cassandra-b].orig
+++ Systemd::Unit[cassandra-b]

+    override_filename => puppet-override.conf
+    unit              => cassandra-b
+    restart           => False
+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => present

File[/etc/cassandra-a/user_editor_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_editor_analytics.cql].orig
+++ File[/etc/cassandra-a/user_editor_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_editor_analytics.cql.orig
+++ /etc/cassandra-a/user_editor_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE USER IF NOT EXISTS editor_analytics WITH PASSWORD 'yadayadayada';
+
+GRANT SELECT ON aqs.config TO 'editor_analytics';

Ferm::Service[cassandra-intra-node-ssl]

Parameters differences:

--- Ferm::Service[cassandra-intra-node-ssl].orig
+++ Ferm::Service[cassandra-intra-node-ssl]

+    desc    => 
+    prio    => 10
+    srange  => @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet))
+    port    => 7001
+    ensure  => present
+    notrack => False
+    proto   => tcp

Package[openjdk-11-jdk]

Parameters differences:

--- Package[openjdk-11-jdk].orig
+++ Package[openjdk-11-jdk]

+    provider => apt
+    ensure   => installed

File[/etc/cassandra-b/hotspot_compiler]

Parameters differences:

--- File[/etc/cassandra-b/hotspot_compiler].orig
+++ File[/etc/cassandra-b/hotspot_compiler]

+    group  => cassandra
+    ensure => present
+    mode   => 0444
+    source => puppet:///modules/cassandra/hotspot_compiler-4.x
+    links  => follow
+    owner  => cassandra

Java::Package[openjdk-jdk-11]

Parameters differences:

--- Java::Package[openjdk-jdk-11].orig
+++ Java::Package[openjdk-jdk-11]

+    egd_source   => /dev/random
+    package_info => {'version': '11', 'variant': 'jdk'}
+    hardened_tls => False

Monitoring::Exported_nagios_service[aqs1024 ssh]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 ssh].orig
+++ Monitoring::Exported_nagios_service[aqs1024 ssh]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => aqs_eqiad

Concat_fragment[main contacts]

Content differences:

--- main contacts.orig
+++ main contacts
@@ -1,3 +1,3 @@
 ---
-role::insetup::data_persistence_ferm:
+role::aqs:
 - Data Persistence

Ferm::Service[cassandra-intra-node]

Parameters differences:

--- Ferm::Service[cassandra-intra-node].orig
+++ Ferm::Service[cassandra-intra-node]

+    desc    => 
+    prio    => 10
+    srange  => @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet))
+    port    => 7000
+    ensure  => present
+    notrack => False
+    proto   => tcp

Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]

Parameters differences:

--- Exec[ip addr add 10.64.156.21/32 dev ens8f0np0].orig
+++ Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]

+    path    => /bin:/usr/bin
+    unless  => ip address show ens8f0np0 | grep -q 10.64.156.21/32
+    returns => [0, 2]

User[scap]

Parameters differences:

--- User[scap].orig
+++ User[scap]

+    home     => /var/lib/scap
+    shell    => /bin/bash
+    gid      => 919
+    password => !
+    ensure   => present
+    uid      => 919
+    system   => True
+    groups   => []

Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]

Parameters differences:

--- Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl].orig
+++ Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]

+    server_name             => cassandra
+    use_client_auth         => False
+    ip6                     => 2620:0:861:124:10:64:156:17
+    alert_after             => 2m
+    site                    => eqiad
+    certificate_expiry_days => 5
+    ip4                     => 10.64.156.18
+    team                    => sre
+    prometheus_instance     => ops
+    client_auth_key         => /etc/prometheus/ssl/server.key
+    port                    => 7000
+    force_tls               => True
+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}
+    instance_label          => aqs1024-a
+    ip_families             => ['ip4']
+    severity                => critical
+    timeout                 => 3s
+    client_auth_cert        => /etc/prometheus/ssl/cert.pem

File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]

Parameters differences:

--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem].orig
+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]

+    group  => cassandra
+    mode   => 0440
+    ensure => file
+    source => puppet:///modules/profile/pki/intermediates/cassandra-cert.pem
+    owner  => cassandra

File[/etc/cassandra-b/tls/server.key]

Parameters differences:

--- File[/etc/cassandra-b/tls/server.key].orig
+++ File[/etc/cassandra-b/tls/server.key]

+    group  => cassandra
+    mode   => 0440
+    ensure => present
+    owner  => cassandra

File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]

Parameters differences:

--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem].orig
+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]

+    require => Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]
+    group   => cassandra
+    ensure  => file
+    owner   => cassandra

File[/etc/cassandra-b/user_commons_impact_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_commons_impact_analytics.cql].orig
+++ File[/etc/cassandra-b/user_commons_impact_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_commons_impact_analytics.cql.orig
+++ /etc/cassandra-b/user_commons_impact_analytics.cql
@@ -0,0 +1,25 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+-- User/role for the Commons Impact Metrics service: https://phabricator.wikimedia.org/T361835
+
+-- Note: This is intended to be temporary; This service will eventually use the Data Gateway
+-- (https://phabricator.wikimedia.org/T364921) instead of connecting to Cassandra directly. When
+-- that happens these GRANTs, and the role, can be removed.
+
+CREATE ROLE IF NOT EXISTS commons_impact_analytics
+    WITH PASSWORD = 'notarealpasswd' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON commons.category_metrics_snapshot        TO commons_impact_analytics;
+GRANT SELECT ON commons.media_file_metrics_snapshot      TO commons_impact_analytics;
+GRANT SELECT ON commons.pageviews_per_category_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO commons_impact_analytics;
+GRANT SELECT ON commons.edits_per_category_monthly       TO commons_impact_analytics;
+GRANT SELECT ON commons.edits_per_user_monthly           TO commons_impact_analytics;
+GRANT SELECT ON commons.top_pages_per_category_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.top_viewed_categories_monthly    TO commons_impact_analytics;
+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO commons_impact_analytics;
+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO commons_impact_analytics;
+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.top_edited_categories_monthly    TO commons_impact_analytics;
+GRANT SELECT ON commons.top_editors_monthly              TO commons_impact_analytics;

File[/etc/cassandra-b/user_image_suggestions.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_image_suggestions.cql].orig
+++ File[/etc/cassandra-b/user_image_suggestions.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_image_suggestions.cql.orig
+++ /etc/cassandra-b/user_image_suggestions.cql
@@ -0,0 +1,6 @@
+
+CREATE ROLE IF NOT EXISTS image_suggestions
+    WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON KEYSPACE image_suggestions TO image_suggestions;
+GRANT MODIFY ON KEYSPACE image_suggestions TO image_suggestions;

File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]

Parameters differences:

--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem].orig
+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]

+    require => Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]
+    group   => cassandra
+    ensure  => file
+    owner   => cassandra

File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr].orig
+++ File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]

+    group  => root
+    mode   => 0400
+    ensure => file
+    owner  => root

Content differences:

--- /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr.orig
+++ /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr
@@ -0,0 +1,15 @@
+{
+  "CN": "aqs1024-a.eqiad.wmnet",
+  "hosts": [
+    "cassandra",
+    "aqs1024.eqiad.wmnet",
+    "aqs1024-a.eqiad.wmnet"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

File[/usr/local/bin/cassandra_validate_grants]

Parameters differences:

--- File[/usr/local/bin/cassandra_validate_grants].orig
+++ File[/usr/local/bin/cassandra_validate_grants]

+    group   => root
+    require => Package[cassandra]
+    mode    => 0755
+    ensure  => present
+    source  => puppet:///modules/cassandra/validate_grant_statements.py
+    owner   => root

File[/etc/cassandra-instances.d/aqs1024-a.yaml]

Parameters differences:

--- File[/etc/cassandra-instances.d/aqs1024-a.yaml].orig
+++ File[/etc/cassandra-instances.d/aqs1024-a.yaml]

+    group => cassandra
+    mode  => 0444
+    owner => cassandra

Content differences:

--- /etc/cassandra-instances.d/aqs1024-a.yaml.orig
+++ /etc/cassandra-instances.d/aqs1024-a.yaml
@@ -0,0 +1,13 @@
+name: a
+jmx_port: 7189
+listen_address: 10.64.156.18
+service_name: cassandra-a
+config_directory: /etc/cassandra-a
+data_file_directories: [/srv/storage-0/cassandra-a/data,/srv/storage-1/cassandra-a/data,/srv/storage-2/cassandra-a/data,/srv/storage-3/cassandra-a/data,/srv/storage-4/cassandra-a/data,/srv/storage-5/cassandra-a/data,/srv/storage-6/cassandra-a/data,/srv/storage-7/cassandra-a/data]
+rpc_address: 10.64.156.18
+native_transport_port: 9042
+commitlog_directory: /srv/cassandra/cassandra-a/commitlog
+hints_directory: /srv/cassandra/cassandra-a/hints
+saved_caches_directory: /srv/cassandra/cassandra-a/saved_caches
+heapdump_directory: /srv/storage-0/cassandra-a
+local_system_data_file_directory: /srv/cassandra/cassandra-a/system

Exec[install-/srv/storage-5/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-5/cassandra-a/data].orig
+++ Exec[install-/srv/storage-5/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-5/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-5/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

File[/etc/cassandra-a/user_data_gateway.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_data_gateway.cql].orig
+++ File[/etc/cassandra-a/user_data_gateway.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_data_gateway.cql.orig
+++ /etc/cassandra-a/user_data_gateway.cql
@@ -0,0 +1,33 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS data_gateway
+    WITH PASSWORD = 'qwerty' AND LOGIN = true AND SUPERUSER = false;
+
+-- Image Suggestions
+GRANT SELECT ON image_suggestions.suggestions      TO data_gateway;
+GRANT SELECT ON image_suggestions.feedback         TO data_gateway;
+GRANT SELECT ON image_suggestions.title_cache      TO data_gateway;
+GRANT SELECT ON image_suggestions.instanceof_cache TO data_gateway;
+
+-- Commons Impact Metrics
+GRANT SELECT ON commons.category_metrics_snapshot        TO data_gateway;
+GRANT SELECT ON commons.media_file_metrics_snapshot      TO data_gateway;
+GRANT SELECT ON commons.pageviews_per_category_monthly   TO data_gateway;
+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO data_gateway;
+GRANT SELECT ON commons.edits_per_category_monthly       TO data_gateway;
+GRANT SELECT ON commons.edits_per_user_monthly           TO data_gateway;
+GRANT SELECT ON commons.top_pages_per_category_monthly   TO data_gateway;
+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO data_gateway;
+GRANT SELECT ON commons.top_viewed_categories_monthly    TO data_gateway;
+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO data_gateway;
+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO data_gateway;
+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO data_gateway;
+GRANT SELECT ON commons.top_edited_categories_monthly    TO data_gateway;
+GRANT SELECT ON commons.top_editors_monthly              TO data_gateway;
+
+-- Machine learning cache
+GRANT SELECT ON ml_cache.page_paragraph_tone_scores      TO data_gateway;
+
+-- New-style AQS tables
+GRANT SELECT ON analytics.pageviews_per_editor           TO data_gateway;
+GRANT SELECT ON analytics.pageviews_top_pages_per_editor TO data_gateway;

File[/etc/cassandra-a]

Parameters differences:

--- File[/etc/cassandra-a].orig
+++ File[/etc/cassandra-a]

+    group   => root
+    require => Package[cassandra]
+    mode    => 0755
+    ensure  => directory
+    owner   => root

Monitoring::Exported_nagios_host[aqs1024]

Parameters differences:

--- Monitoring::Exported_nagios_host[aqs1024].orig
+++ Monitoring::Exported_nagios_host[aqs1024]

@@
-    hostgroups            => insetup_eqiad,lsw1-e7-eqiad
+    hostgroups            => aqs_eqiad,lsw1-e7-eqiad
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

File[/etc/cassandra-a/jvm-clients.options]

Parameters differences:

--- File[/etc/cassandra-a/jvm-clients.options].orig
+++ File[/etc/cassandra-a/jvm-clients.options]

+    group  => root
+    force  => True
+    ensure => link
+    target => /etc/cassandra/jvm-clients.options
+    owner  => root

Augeas[ens8f0np0_10.64.156.18/32]

Parameters differences:

--- Augeas[ens8f0np0_10.64.156.18/32].orig
+++ Augeas[ens8f0np0_10.64.156.18/32]

+    onlyif  => match up[. = 'ip addr add 10.64.156.18/32 dev ens8f0np0'] size == 0
+    context => /files/etc/network/interfaces/*[. = 'ens8f0np0' and ./family = 'inet']
+    changes => set up[last()+1] 'ip addr add 10.64.156.18/32 dev ens8f0np0'
+    incl    => /etc/network/interfaces
+    lens    => Interfaces.lns

File[/etc/cassandra-b]

Parameters differences:

--- File[/etc/cassandra-b].orig
+++ File[/etc/cassandra-b]

+    group   => root
+    require => Package[cassandra]
+    mode    => 0755
+    ensure  => directory
+    owner   => root

Exec[chown /srv/deployment/cassandra for deploy-service]

Parameters differences:

--- Exec[chown /srv/deployment/cassandra for deploy-service].orig
+++ Exec[chown /srv/deployment/cassandra for deploy-service]

+    command => /bin/chown -R deploy-service:deploy-service /srv/deployment/cassandra
+    onlyif  => /usr/bin/test -O /srv/deployment/cassandra/logstash-logback-encoder
+    require => ['User[deploy-service]', 'Group[deploy-service]']

File[/etc/ferm/conf.d/10_cassandra-cql]

Parameters differences:

--- File[/etc/ferm/conf.d/10_cassandra-cql].orig
+++ File[/etc/ferm/conf.d/10_cassandra-cql]

+    group   => root
+    tag     => ferm
+    require => File[/etc/ferm/conf.d]
+    mode    => 0400
+    ensure  => present
+    notify  => Service[ferm]
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_cassandra-cql.orig
+++ /etc/ferm/conf.d/10_cassandra-cql
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 9042, (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.67.128.0/17 2620:0:861:cabe::/64 10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 10.194.128.0/17 2620:0:860:cabe::/64 10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 10.194.61.0/24 2620:0:860:302::/64));
+
+

Apt::Package_from_component[cassandra]

Parameters differences:

--- Apt::Package_from_component[cassandra].orig
+++ Apt::Package_from_component[cassandra]

+    component       => component/cassandra41
+    uri             => http://apt.wikimedia.org/wikimedia
+    require         => Package[openjdk-11-jdk]
+    packages        => {'cassandra': '4.1.11'}
+    priority        => 1001
+    distro          => bullseye-wikimedia
+    ensure          => present
+    ensure_packages => True

File[/etc/cassandra-a/credentials]

Parameters differences:

--- File[/etc/cassandra-a/credentials].orig
+++ File[/etc/cassandra-a/credentials]

+    group => root
+    mode  => 0400
+    owner => root

Content differences:

--- /etc/cassandra-a/credentials.orig
+++ /etc/cassandra-a/credentials
@@ -0,0 +1,36 @@
+; SPDX-License-Identifier: Apache-2.0
+; Licensed to the Apache Software Foundation (ASF) under one
+; or more contributor license agreements.  See the NOTICE file
+; distributed with this work for additional information
+; regarding copyright ownership.  The ASF licenses this file
+; to you under the Apache License, Version 2.0 (the
+; "License"); you may not use this file except in compliance
+; with the License.  You may obtain a copy of the License at
+;
+;   http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing,
+; software distributed under the License is distributed on an
+; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+; KIND, either express or implied.  See the License for the
+; specific language governing permissions and limitations
+; under the License.
+;
+; Sample ~/.cassandra/credentials file.
+;
+; The section name must match the classname from the cqlshrc file
+; For example, if cqlshrc contains settings
+;
+; [auth_provider]
+; module = cassandra.auth
+; classname = PlainTextAuthProvider
+;
+; then the credentials file should contain a [PlainTextAuthProvider] section with the username and password parameters, as indicated in this example.
+;
+; For backward compatibility, it is also possible to specify [plain_text_auth] as a header.
+;
+; Please ensure this file is owned by the user and is not readable by group and other users.
+
+[PlainTextAuthProvider]
+username = cassandra
+password = nosuchpass

Exec[java__cacert_wmf:puppetca.pem]

Parameters differences:

--- Exec[java__cacert_wmf:puppetca.pem].orig
+++ Exec[java__cacert_wmf:puppetca.pem]

+    command => /usr/bin/keytool -import -trustcacerts -noprompt -cacerts     -file /etc/ssl/certs/Puppet_Internal_CA.pem -storepass changeit -alias wmf:puppetca.pem

+    unless  => /usr/bin/keytool -list -cacerts -noprompt -storepass changeit -alias wmf:puppetca.pem
+    user    => root
+    group   => root

Class[Monitoring]

Parameters differences:

--- Class[Monitoring].orig
+++ Class[Monitoring]

@@
-    cluster               => insetup
+    cluster               => aqs
@@
-    nagios_group          => insetup_eqiad
+    nagios_group          => aqs_eqiad
@@
-    notifications_enabled => False
+    notifications_enabled => True

Group[scap]

Parameters differences:

--- Group[scap].orig
+++ Group[scap]

+    system => True
+    ensure => present
+    gid    => 919

File[/etc/cassandra-b/cassandra.yaml]

Parameters differences:

--- File[/etc/cassandra-b/cassandra.yaml].orig
+++ File[/etc/cassandra-b/cassandra.yaml]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/cassandra.yaml.orig
+++ /etc/cassandra-b/cassandra.yaml
@@ -0,0 +1,1885 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and is templatized
+#        here in order to set various options from puppet.
+
+# Cassandra storage config YAML
+
+# NOTE:
+#   See https://cassandra.apache.org/doc/latest/configuration/ for
+#   full explanations of configuration directives
+# /NOTE
+
+# The name of the cluster. This is mainly used to prevent machines in
+# one logical cluster from joining another.
+cluster_name: 'Analytics Query Service Storage'
+
+# This defines the number of tokens randomly assigned to this node on the ring
+# The more tokens, relative to other nodes, the larger the proportion of data
+# that this node will store. You probably want all nodes to have the same number
+# of tokens assuming they have equal hardware capability.
+#
+# If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility,
+# and will use the initial_token as described below.
+#
+# Specifying initial_token will override this setting on the node's initial start,
+# on subsequent starts, this setting will apply even if initial token is set.
+#
+# See https://cassandra.apache.org/doc/latest/getting_started/production.html#tokens for
+# best practice information about num_tokens.
+#
+num_tokens: 256
+
+# Triggers automatic allocation of num_tokens tokens for this node. The allocation
+# algorithm attempts to choose tokens in a way that optimizes replicated load over
+# the nodes in the datacenter for the replica factor.
+#
+# The load assigned to each node will be close to proportional to its number of
+# vnodes.
+#
+# Only supported with the Murmur3Partitioner.
+
+# Replica factor is determined via the replication strategy used by the specified
+# keyspace.
+# allocate_tokens_for_keyspace: KEYSPACE
+
+# Replica factor is explicitly set, regardless of keyspace or datacenter.
+# This is the replica factor within the datacenter, like NTS.
+allocate_tokens_for_local_replication_factor: 3
+
+# initial_token allows you to specify tokens manually.  While you can use it with
+# vnodes (num_tokens > 1, above) -- in which case you should provide a 
+# comma-separated list -- it's primarily used when adding nodes to legacy clusters 
+# that do not have vnodes enabled.
+# initial_token:
+
+# May either be "true" or "false" to enable globally
+hinted_handoff_enabled: true
+
+# When hinted_handoff_enabled is true, a black list of data centers that will not
+# perform hinted handoff
+# hinted_handoff_disabled_datacenters:
+#    - DC1
+#    - DC2
+
+# this defines the maximum amount of time a dead host will have hints
+# generated.  After it has been dead this long, new hints for it will not be
+# created until it has been seen alive and gone down again.
+# Min unit: ms
+max_hint_window: 3h
+
+# Maximum throttle in KiBs per second, per delivery thread.  This will be
+# reduced proportionally to the number of nodes in the cluster.  (If there
+# are two nodes in the cluster, each delivery thread will use the maximum
+# rate; if there are three, each will throttle to half of the maximum,
+# since we expect two nodes to be delivering hints simultaneously.)
+# Min unit: KiB
+hinted_handoff_throttle: 1024KiB
+
+# Number of threads with which to deliver hints;
+# Consider increasing this number when you have multi-dc deployments, since
+# cross-dc handoff tends to be slower
+max_hints_delivery_threads: 4
+
+# Directory where Cassandra should store hints.
+# If not set, the default directory is $CASSANDRA_HOME/data/hints.
+hints_directory: /srv/cassandra/cassandra-b/hints
+
+# How often hints should be flushed from the internal buffers to disk.
+# Will *not* trigger fsync.
+# Min unit: ms
+hints_flush_period: 10000ms
+
+# Maximum size for a single hints file, in mebibytes.
+# Min unit: MiB
+max_hints_file_size: 128MiB
+
+# The file size limit to store hints for an unreachable host, in mebibytes.
+# Once the local hints files have reached the limit, no more new hints will be created.
+# Set a non-positive value will disable the size limit.
+# max_hints_size_per_host: 0MiB
+
+# Enable / disable automatic cleanup for the expired and orphaned hints file.
+# Disable the option in order to preserve those hints on the disk.
+auto_hints_cleanup_enabled: false
+
+# Enable/disable transfering hints to a peer during decommission. Even when enabled, this does not guarantee
+# consistency for logged batches, and it may delay decommission when coupled with a strict hinted_handoff_throttle.
+# Default: true
+# transfer_hints_on_decommission: true
+
+# Compression to apply to the hint files. If omitted, hints files
+# will be written uncompressed. LZ4, Snappy, and Deflate compressors
+# are supported.
+#hints_compression:
+#   - class_name: LZ4Compressor
+#     parameters:
+#         -
+
+# Enable / disable persistent hint windows.
+#
+# If set to false, a hint will be stored only in case a respective node
+# that hint is for is down less than or equal to max_hint_window.
+#
+# If set to true, a hint will be stored in case there is not any
+# hint which was stored earlier than max_hint_window. This is for cases
+# when a node keeps to restart and hints are not delivered yet, we would be saving
+# hints for that node indefinitely.
+#
+# Defaults to true.
+#
+# hint_window_persistent_enabled: true
+
+# Maximum throttle in KiBs per second, total. This will be
+# reduced proportionally to the number of nodes in the cluster.
+# Min unit: KiB
+batchlog_replay_throttle: 1024KiB
+
+# Strategy to choose the batchlog storage endpoints.
+#
+# Available options:
+#
+# - random_remote
+#   Default, purely random, prevents the local rack, if possible.
+#
+# - prefer_local
+#   Similar to random_remote. Random, except that one of the replications will go to the local rack,
+#   which mean it offers lower availability guarantee than random_remote or dynamic_remote.
+#
+# - dynamic_remote
+#   Using DynamicEndpointSnitch to select batchlog storage endpoints, prevents the
+#   local rack, if possible. This strategy offers the same availability guarantees
+#   as random_remote but selects the fastest endpoints according to the DynamicEndpointSnitch.
+#   (DynamicEndpointSnitch currently only tracks reads and not writes - i.e. write-only
+#   (or mostly-write) workloads might not benefit from this strategy.)
+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.
+#
+# - dynamic
+#   Mostly the same as dynamic_remote, except that local rack is not excluded, which mean it offers lower
+#   availability guarantee than random_remote or dynamic_remote.
+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.
+#
+# batchlog_endpoint_strategy: random_remote
+
+# Authentication backend, implementing IAuthenticator; used to identify users
+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator,
+# PasswordAuthenticator}.
+#
+# - AllowAllAuthenticator performs no checks - set it to disable authentication.
+# - PasswordAuthenticator relies on username/password pairs to authenticate
+#   users. It keeps usernames and hashed passwords in system_auth.roles table.
+#   Please increase system_auth keyspace replication factor if you use this authenticator.
+#   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)
+authenticator: PasswordAuthenticator
+
+# Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,
+# CassandraAuthorizer}.
+#
+# - AllowAllAuthorizer allows any action to any user - set it to disable authorization.
+# - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please
+#   increase system_auth keyspace replication factor if you use this authorizer.
+authorizer: CassandraAuthorizer
+
+# Part of the Authentication & Authorization backend, implementing IRoleManager; used
+# to maintain grants and memberships between roles.
+# Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager,
+# which stores role information in the system_auth keyspace. Most functions of the
+# IRoleManager require an authenticated login, so unless the configured IAuthenticator
+# actually implements authentication, most of this functionality will be unavailable.
+#
+# - CassandraRoleManager stores role data in the system_auth keyspace. Please
+#   increase system_auth keyspace replication factor if you use this role manager.
+role_manager: CassandraRoleManager
+
+# Network authorization backend, implementing INetworkAuthorizer; used to restrict user
+# access to certain DCs
+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllNetworkAuthorizer,
+# CassandraNetworkAuthorizer}.
+#
+# - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to disable authorization.
+# - CassandraNetworkAuthorizer stores permissions in system_auth.network_permissions table. Please
+#   increase system_auth keyspace replication factor if you use this authorizer.
+network_authorizer: AllowAllNetworkAuthorizer
+
+# Depending on the auth strategy of the cluster, it can be beneficial to iterate
+# from root to table (root -> ks -> table) instead of table to root (table -> ks -> root).
+# As the auth entries are whitelisting, once a permission is found you know it to be
+# valid. We default to false as the legacy behavior is to query at the table level then
+# move back up to the root. See CASSANDRA-17016 for details.
+# traverse_auth_from_root: false
+
+# Validity period for roles cache (fetching granted roles can be an expensive
+# operation depending on the role manager, CassandraRoleManager is one example)
+# Granted roles are cached for authenticated sessions in AuthenticatedUser and
+# after the period specified here, become eligible for (async) reload.
+# Defaults to 2000, set to 0 to disable caching entirely.
+# Will be disabled automatically for AllowAllAuthenticator.
+# For a long-running cache using roles_cache_active_update, consider
+# setting to something longer such as a daily validation: 86400000
+# Min unit: ms
+roles_validity: 2000ms
+
+# Refresh interval for roles cache (if enabled).
+# After this interval, cache entries become eligible for refresh. Upon next
+# access, an async reload is scheduled and the old value returned until it
+# completes. If roles_validity is non-zero, then this must be
+# also.
+# This setting is also used to inform the interval of auto-updating if
+# using roles_cache_active_update.
+# Defaults to the same value as roles_validity.
+# For a long-running cache, consider setting this to 60000 (1 hour) etc.
+# Min unit: ms
+# roles_update_interval: 2000ms
+
+# If true, cache contents are actively updated by a background task at the
+# interval set by roles_update_interval. If false, cache entries
+# become eligible for refresh after their update interval. Upon next access,
+# an async reload is scheduled and the old value returned until it completes.
+# roles_cache_active_update: false
+
+# Validity period for permissions cache (fetching permissions can be an
+# expensive operation depending on the authorizer, CassandraAuthorizer is
+# one example). Defaults to 2000, set to 0 to disable.
+# Will be disabled automatically for AllowAllAuthorizer.
+# For a long-running cache using permissions_cache_active_update, consider
+# setting to something longer such as a daily validation: 86400000ms
+# Min unit: ms
+permissions_validity: 600000ms
+
+# Refresh interval for permissions cache (if enabled).
+# After this interval, cache entries become eligible for refresh. Upon next
+# access, an async reload is scheduled and the old value returned until it
+# completes. If permissions_validity is non-zero, then this must be
+# also.
+# This setting is also used to inform the interval of auto-updating if
+# using permissions_cache_active_update.
+# Defaults to the same value as permissions_validity.
+# For a longer-running permissions cache, consider setting to update hourly (60000)
+# Min unit: ms
+# permissions_update_interval: 2000ms
+
+# If true, cache contents are actively updated by a background task at the
+# interval set by permissions_update_interval. If false, cache entries
+# become eligible for refresh after their update interval. Upon next access,
+# an async reload is scheduled and the old value returned until it completes.
+# permissions_cache_active_update: false
+
+# Validity period for credentials cache. This cache is tightly coupled to
+# the provided PasswordAuthenticator implementation of IAuthenticator. If
+# another IAuthenticator implementation is configured, this cache will not
+# be automatically used and so the following settings will have no effect.
+# Please note, credentials are cached in their encrypted form, so while
+# activating this cache may reduce the number of queries made to the
+# underlying table, it may not  bring a significant reduction in the
+# latency of individual authentication attempts.
+# Defaults to 2000, set to 0 to disable credentials caching.
+# For a long-running cache using credentials_cache_active_update, consider
+# setting to something longer such as a daily validation: 86400000
+# Min unit: ms
+credentials_validity: 600000ms
+
+# Refresh interval for credentials cache (if enabled).
+# After this interval, cache entries become eligible for refresh. Upon next
+# access, an async reload is scheduled and the old value returned until it
+# completes. If credentials_validity is non-zero, then this must be
+# also.
+# This setting is also used to inform the interval of auto-updating if
+# using credentials_cache_active_update.
+# Defaults to the same value as credentials_validity.
+# For a longer-running permissions cache, consider setting to update hourly (60000)
+# Min unit: ms
+# credentials_update_interval: 2000ms
+
+# If true, cache contents are actively updated by a background task at the
+# interval set by credentials_update_interval. If false (default), cache entries
+# become eligible for refresh after their update interval. Upon next access,
+# an async reload is scheduled and the old value returned until it completes.
+# credentials_cache_active_update: false
+
+# The partitioner is responsible for distributing groups of rows (by
+# partition key) across nodes in the cluster. The partitioner can NOT be
+# changed without reloading all data.  If you are adding nodes or upgrading,
+# you should set this to the same partitioner that you are currently using.
+#
+# The default partitioner is the Murmur3Partitioner. Older partitioners
+# such as the RandomPartitioner, ByteOrderedPartitioner, and
+# OrderPreservingPartitioner have been included for backward compatibility only.
+# For new clusters, you should NOT change this value.
+#
+partitioner: org.apache.cassandra.dht.Murmur3Partitioner
+
+# Directories where Cassandra should store data on disk. If multiple
+# directories are specified, Cassandra will spread data evenly across 
+# them by partitioning the token ranges.
+# If not set, the default directory is $CASSANDRA_HOME/data/data.
+data_file_directories:
+    - /srv/storage-0/cassandra-b/data
+    - /srv/storage-1/cassandra-b/data
+    - /srv/storage-2/cassandra-b/data
+    - /srv/storage-3/cassandra-b/data
+    - /srv/storage-4/cassandra-b/data
+    - /srv/storage-5/cassandra-b/data
+    - /srv/storage-6/cassandra-b/data
+    - /srv/storage-7/cassandra-b/data
+
+
+# Directory where Cassandra should store the data of the local system keyspaces.
+# By default Cassandra will store the data of the local system keyspaces in the first of the data directories specified
+# by data_file_directories.
+# This approach ensures that if one of the other disks is lost Cassandra can continue to operate. For extra security
+# this setting allows to store those data on a different directory that provides redundancy.
+local_system_data_file_directory: /srv/cassandra/cassandra-b/system
+
+# commit log.  when running on magnetic HDD, this should be a
+# separate spindle than the data directories.
+# If not set, the default directory is $CASSANDRA_HOME/data/commitlog.
+commitlog_directory: /srv/cassandra/cassandra-b/commitlog
+
+# Enable / disable CDC functionality on a per-node basis. This modifies the logic used
+# for write path allocation rejection (standard: never reject. cdc: reject Mutation
+# containing a CDC-enabled table if at space limit in cdc_raw_directory).
+cdc_enabled: false
+
+# CommitLogSegments are moved to this directory on flush if cdc_enabled: true and the
+# segment contains mutations for a CDC-enabled table. This should be placed on a
+# separate spindle than the data directories. If not set, the default directory is
+# $CASSANDRA_HOME/data/cdc_raw.
+# cdc_raw_directory: /var/lib/cassandra/cdc_raw
+
+# Policy for data disk failures:
+#
+# die
+#   shut down gossip and client transports and kill the JVM for any fs errors or
+#   single-sstable errors, so the node can be replaced.
+#
+# stop_paranoid
+#   shut down gossip and client transports even for single-sstable errors,
+#   kill the JVM for errors during startup.
+#
+# stop
+#   shut down gossip and client transports, leaving the node effectively dead, but
+#   can still be inspected via JMX, kill the JVM for errors during startup.
+#
+# best_effort
+#    stop using the failed disk and respond to requests based on
+#    remaining available sstables.  This means you WILL see obsolete
+#    data at CL.ONE!
+#
+# ignore
+#    ignore fatal errors and let requests fail, as in pre-1.2 Cassandra
+disk_failure_policy: stop
+
+# Policy for commit disk failures:
+#
+# die
+#   shut down the node and kill the JVM, so the node can be replaced.
+#
+# stop
+#   shut down the node, leaving the node effectively dead, but
+#   can still be inspected via JMX.
+#
+# stop_commit
+#   shutdown the commit log, letting writes collect but
+#   continuing to service reads, as in pre-2.0.5 Cassandra
+#
+# ignore
+#   ignore fatal errors and let the batches fail
+commit_failure_policy: stop
+
+# Maximum size of the native protocol prepared statement cache
+#
+# Valid values are either "auto" (omitting the value) or a value greater 0.
+#
+# Note that specifying a too large value will result in long running GCs and possbily
+# out-of-memory errors. Keep the value at a small fraction of the heap.
+#
+# If you constantly see "prepared statements discarded in the last minute because
+# cache limit reached" messages, the first step is to investigate the root cause
+# of these messages and check whether prepared statements are used correctly -
+# i.e. use bind markers for variable parts.
+#
+# Do only change the default value, if you really have more prepared statements than
+# fit in the cache. In most cases it is not neccessary to change this value.
+# Constantly re-preparing statements is a performance penalty.
+#
+# Default value ("auto") is 1/256th of the heap or 10MiB, whichever is greater
+# Min unit: MiB
+prepared_statements_cache_size:
+
+# Maximum size of the key cache in memory.
+#
+# Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the
+# minimum, sometimes more. The key cache is fairly tiny for the amount of
+# time it saves, so it's worthwhile to use it at large numbers.
+# The row cache saves even more time, but must contain the entire row,
+# so it is extremely space-intensive. It's best to only use the
+# row cache if you have hot rows or static rows.
+#
+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.
+#
+# Default value is empty to make it "auto" (min(5% of Heap (in MiB), 100MiB)). Set to 0 to disable key cache.
+# Min unit: MiB
+key_cache_size: 400MiB
+
+# Duration in seconds after which Cassandra should
+# save the key cache. Caches are saved to saved_caches_directory as
+# specified in this configuration file.
+#
+# Saved caches greatly improve cold-start speeds, and is relatively cheap in
+# terms of I/O for the key cache. Row cache saving is much more expensive and
+# has limited use.
+#
+# Default is 14400 or 4 hours.
+# Min unit: s
+key_cache_save_period: 4h
+
+# Number of keys from the key cache to save
+# Disabled by default, meaning all keys are going to be saved
+# key_cache_keys_to_save: 100
+
+# Row cache implementation class name. Available implementations:
+#
+# org.apache.cassandra.cache.OHCProvider
+#   Fully off-heap row cache implementation (default).
+#
+# org.apache.cassandra.cache.SerializingCacheProvider
+#   This is the row cache implementation availabile
+#   in previous releases of Cassandra.
+# row_cache_class_name: org.apache.cassandra.cache.OHCProvider
+
+# Maximum size of the row cache in memory.
+# Please note that OHC cache implementation requires some additional off-heap memory to manage
+# the map structures and some in-flight memory during operations before/after cache entries can be
+# accounted against the cache capacity. This overhead is usually small compared to the whole capacity.
+# Do not specify more memory that the system can afford in the worst usual situation and leave some
+# headroom for OS block level cache. Do never allow your system to swap.
+#
+# Default value is 0, to disable row caching.
+# Min unit: MiB
+row_cache_size: 200MiB
+
+# Duration in seconds after which Cassandra should save the row cache.
+# Caches are saved to saved_caches_directory as specified in this configuration file.
+#
+# Saved caches greatly improve cold-start speeds, and is relatively cheap in
+# terms of I/O for the key cache. Row cache saving is much more expensive and
+# has limited use.
+#
+# Default is 0 to disable saving the row cache.
+# Min unit: s
+row_cache_save_period: 0s
+
+# Number of keys from the row cache to save.
+# Specify 0 (which is the default), meaning all keys are going to be saved
+# row_cache_keys_to_save: 100
+
+# Maximum size of the counter cache in memory.
+#
+# Counter cache helps to reduce counter locks' contention for hot counter cells.
+# In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before
+# write entirely. With RF > 1 a counter cache hit will still help to reduce the duration
+# of the lock hold, helping with hot counter cell updates, but will not allow skipping
+# the read entirely. Only the local (clock, count) tuple of a counter cell is kept
+# in memory, not the whole counter, so it's relatively cheap.
+#
+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.
+#
+# Default value is empty to make it "auto" (min(2.5% of Heap (in MiB), 50MiB)). Set to 0 to disable counter cache.
+# NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache.
+# Min unit: MiB
+counter_cache_size:
+
+# Duration in seconds after which Cassandra should
+# save the counter cache (keys only). Caches are saved to saved_caches_directory as
+# specified in this configuration file.
+#
+# Default is 7200 or 2 hours.
+# Min unit: s
+counter_cache_save_period: 7200s
+
+# Number of keys from the counter cache to save
+# Disabled by default, meaning all keys are going to be saved
+# counter_cache_keys_to_save: 100
+
+# saved caches
+# If not set, the default directory is $CASSANDRA_HOME/data/saved_caches.
+saved_caches_directory: /srv/cassandra/cassandra-b/saved_caches
+
+# Number of seconds the server will wait for each cache (row, key, etc ...) to load while starting
+# the Cassandra process. Setting this to zero is equivalent to disabling all cache loading on startup
+# while still having the cache during runtime.
+# Min unit: s
+# cache_load_timeout: 30s
+
+# commitlog_sync may be either "periodic", "group", or "batch." 
+# 
+# When in batch mode, Cassandra won't ack writes until the commit log
+# has been flushed to disk.  Each incoming write will trigger the flush task.
+# commitlog_sync_batch_window_in_ms is a deprecated value. Previously it had
+# almost no value, and is being removed.
+#
+# commitlog_sync_batch_window_in_ms: 2
+#
+# group mode is similar to batch mode, where Cassandra will not ack writes
+# until the commit log has been flushed to disk. The difference is group
+# mode will wait up to commitlog_sync_group_window between flushes.
+#
+# Min unit: ms
+# commitlog_sync_group_window: 1000ms
+#
+# the default option is "periodic" where writes may be acked immediately
+# and the CommitLog is simply synced every commitlog_sync_period
+# milliseconds.
+commitlog_sync: periodic
+# Min unit: ms
+commitlog_sync_period: 10000ms
+
+# When in periodic commitlog mode, the number of milliseconds to block writes
+# while waiting for a slow disk flush to complete.
+# Min unit: ms
+# periodic_commitlog_sync_lag_block:
+
+# The size of the individual commitlog file segments.  A commitlog
+# segment may be archived, deleted, or recycled once all the data
+# in it (potentially from each columnfamily in the system) has been
+# flushed to sstables.
+#
+# The default size is 32, which is almost always fine, but if you are
+# archiving commitlog segments (see commitlog_archiving.properties),
+# then you probably want a finer granularity of archiving; 8 or 16 MB
+# is reasonable.
+# Max mutation size is also configurable via max_mutation_size setting in
+# cassandra.yaml. The default is half the size commitlog_segment_size in bytes.
+# This should be positive and less than 2048.
+#
+# NOTE: If max_mutation_size is set explicitly then commitlog_segment_size must
+# be set to at least twice the size of max_mutation_size
+#
+# Min unit: MiB
+commitlog_segment_size: 32MiB
+
+# Compression to apply to the commit log. If omitted, the commit log
+# will be written uncompressed.  LZ4, Snappy, and Deflate compressors
+# are supported.
+# commitlog_compression:
+#   - class_name: LZ4Compressor
+#     parameters:
+#         -
+
+# Compression to apply to SSTables as they flush for compressed tables.
+# Note that tables without compression enabled do not respect this flag.
+#
+# As high ratio compressors like LZ4HC, Zstd, and Deflate can potentially
+# block flushes for too long, the default is to flush with a known fast
+# compressor in those cases. Options are:
+#
+# none : Flush without compressing blocks but while still doing checksums.
+# fast : Flush with a fast compressor. If the table is already using a
+#        fast compressor that compressor is used.
+# table: Always flush with the same compressor that the table uses. This
+#        was the pre 4.0 behavior.
+#
+# flush_compression: fast
+
+# any class that implements the SeedProvider interface and has a
+# constructor that takes a Map<String, String> of parameters will do.
+seed_provider:
+  # Addresses of hosts that are deemed contact points.
+  # Cassandra nodes use this list of hosts to find each other and learn
+  # the topology of the ring.  You must change this if you are running
+  # multiple nodes!
+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
+    parameters:
+      # seeds is actually a comma-delimited list of addresses.
+      # Ex: "<ip1>,<ip2>,<ip3>"
+      # Omit own host name / IP in multi-node clusters (see
+      # https://phabricator.wikimedia.org/T91617).
+      # Also disregard the main DNS interfaces of each node when
+      # multiple instances are colocated on the same node (see
+      # https://phabricator.wikimedia.org/T172610)
+      
+      - seeds: aqs1010-a.eqiad.wmnet,aqs1010-b.eqiad.wmnet,aqs1011-a.eqiad.wmnet,aqs1011-b.eqiad.wmnet,aqs1012-a.eqiad.wmnet,aqs1012-b.eqiad.wmnet,aqs1014-a.eqiad.wmnet,aqs1014-b.eqiad.wmnet,aqs1015-a.eqiad.wmnet,aqs1015-b.eqiad.wmnet,aqs1016-a.eqiad.wmnet,aqs1016-b.eqiad.wmnet,aqs1017-a.eqiad.wmnet,aqs1017-b.eqiad.wmnet,aqs1018-a.eqiad.wmnet,aqs1018-b.eqiad.wmnet,aqs1019-a.eqiad.wmnet,aqs1019-b.eqiad.wmnet,aqs1020-a.eqiad.wmnet,aqs1020-b.eqiad.wmnet,aqs1021-a.eqiad.wmnet,aqs1021-b.eqiad.wmnet,aqs1022-a.eqiad.wmnet,aqs1022-b.eqiad.wmnet,aqs1023-a.eqiad.wmnet,aqs1023-b.eqiad.wmnet,aqs2001-a.codfw.wmnet,aqs2001-b.codfw.wmnet,aqs2002-a.codfw.wmnet,aqs2002-b.codfw.wmnet,aqs2003-a.codfw.wmnet,aqs2003-b.codfw.wmnet,aqs2004-a.codfw.wmnet,aqs2004-b.codfw.wmnet,aqs2005-a.codfw.wmnet,aqs2005-b.codfw.wmnet,aqs2006-a.codfw.wmnet,aqs2006-b.codfw.wmnet,aqs2007-a.codfw.wmnet,aqs2007-b.codfw.wmnet,aqs2008-a.codfw.wmnet,aqs2008-b.codfw.wmnet,aqs2009-a.codfw.wmnet,aqs2009-b.codfw.wmnet,aqs2010-a.codfw.wmnet,aqs2010-b.codfw.wmnet,aqs2011-a.codfw.wmnet,aqs2011-b.codfw.wmnet,aqs2012-a.codfw.wmnet,aqs2012-b.codfw.wmnet
+
+# For workloads with more data than can fit in memory, Cassandra's
+# bottleneck will be reads that need to fetch data from
+# disk. "concurrent_reads" should be set to (16 * number_of_drives) in
+# order to allow the operations to enqueue low enough in the stack
+# that the OS and drives can reorder them. Same applies to
+# "concurrent_counter_writes", since counter writes read the current
+# values before incrementing and writing them back.
+#
+# On the other hand, since writes are almost never IO bound, the ideal
+# number of "concurrent_writes" is dependent on the number of cores in
+# your system; (8 * number_of_cores) is a good rule of thumb.
+concurrent_reads: 64
+concurrent_writes: 64
+concurrent_counter_writes: 32
+
+# For materialized view writes, as there is a read involved, so this should
+# be limited by the less of concurrent reads or concurrent writes.
+concurrent_materialized_view_writes: 32
+
+# Maximum memory to use for inter-node and client-server networking buffers.
+#
+# Defaults to the smaller of 1/16 of heap or 128MB. This pool is allocated off-heap,
+# so is in addition to the memory allocated for heap. The cache also has on-heap
+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size
+# if the default 64k chunk size is used).
+# Memory is only allocated when needed.
+# Min unit: MiB
+# networking_cache_size: 128MiB
+
+# Enable the sstable chunk cache.  The chunk cache will store recently accessed
+# sections of the sstable in-memory as uncompressed buffers.
+# file_cache_enabled: false
+
+# Maximum memory to use for sstable chunk cache and buffer pooling.
+# 32MB of this are reserved for pooling buffers, the rest is used for chunk cache
+# that holds uncompressed sstable chunks.
+# Defaults to the smaller of 1/4 of heap or 512MB. This pool is allocated off-heap,
+# so is in addition to the memory allocated for heap. The cache also has on-heap
+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size
+# if the default 64k chunk size is used).
+# Memory is only allocated when needed.
+# Min unit: MiB
+# file_cache_size: 512MiB
+
+# Flag indicating whether to allocate on or off heap when the sstable buffer
+# pool is exhausted, that is when it has exceeded the maximum memory
+# file_cache_size, beyond which it will not cache buffers but allocate on request.
+
+# buffer_pool_use_heap_if_exhausted: true
+
+# The strategy for optimizing disk read
+# Possible values are:
+# ssd (for solid state disks, the default)
+# spinning (for spinning disks)
+# disk_optimization_strategy: ssd
+
+# Total permitted memory to use for memtables. Cassandra will stop
+# accepting writes when the limit is exceeded until a flush completes,
+# and will trigger a flush based on memtable_cleanup_threshold
+# If omitted, Cassandra will set both to 1/4 the size of the heap.
+# Min unit: MiB
+# memtable_heap_space: 2048MiB
+# Min unit: MiB
+# memtable_offheap_space: 2048MiB
+
+# memtable_cleanup_threshold is deprecated. The default calculation
+# is the only reasonable choice. See the comments on  memtable_flush_writers
+# for more information.
+#
+# Ratio of occupied non-flushing memtable size to total permitted size
+# that will trigger a flush of the largest memtable. Larger mct will
+# mean larger flushes and hence less compaction, but also less concurrent
+# flush activity which can make it difficult to keep your disks fed
+# under heavy write load.
+#
+# memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1)
+# memtable_cleanup_threshold: 0.11
+
+# Specify the way Cassandra allocates and manages memtable memory.
+# Options are:
+#
+# heap_buffers
+#   on heap nio buffers
+#
+# offheap_buffers
+#   off heap (direct) nio buffers
+#
+# offheap_objects
+#    off heap objects
+memtable_allocation_type: heap_buffers
+
+# Limit memory usage for Merkle tree calculations during repairs of a certain
+# table and common token range. Repair commands targetting multiple tables or
+# virtual nodes can exceed this limit depending on concurrent_merkle_tree_requests.
+#
+# The default is 1/16th of the available heap. The main tradeoff is that
+# smaller trees have less resolution, which can lead to over-streaming data.
+# If you see heap pressure during repairs, consider lowering this, but you
+# cannot go below one mebibyte. If you see lots of over-streaming, consider
+# raising this or using subrange repair.
+#
+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-14096.
+#
+# Min unit: MiB
+# repair_session_space:
+
+# The number of simultaneous Merkle tree requests during repairs that can
+# be performed by a repair command. The size of each validation request is
+# limited by the repair_session_space property, so setting this to 1 will make
+# sure that a repair command doesn't exceed that limit, even if the repair
+# command is repairing multiple tables or multiple virtual nodes.
+#
+# There isn't a limit by default for backwards compatibility, but this can
+# produce OOM for  commands repairing multiple tables or multiple virtual nodes.
+# A limit of just 1 simultaneous Merkle tree request is generally recommended
+# with no virtual nodes so repair_session_space, and thereof the Merkle tree
+# resolution, can be high. For virtual nodes a value of 1 with the default
+# repair_session_space value will produce higher resolution Merkle trees
+# at the expense of speed. Alternatively, when working with virtual nodes it
+# can make sense to reduce the repair_session_space and increase the value of
+# concurrent_merkle_tree_requests because each range will contain fewer data.
+#
+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-19336.
+#
+# A zero value means no limit.
+# concurrent_merkle_tree_requests: 0
+
+# Total space to use for commit logs on disk.
+#
+# If space gets above this value, Cassandra will flush every dirty CF
+# in the oldest segment and remove it.  So a small total commitlog space
+# will tend to cause more flush activity on less-active columnfamilies.
+#
+# The default value is the smaller of 8192, and 1/4 of the total space
+# of the commitlog volume.
+#
+# commitlog_total_space: 8192MiB
+
+# This sets the number of memtable flush writer threads per disk
+# as well as the total number of memtables that can be flushed concurrently.
+# These are generally a combination of compute and IO bound.
+#
+# Memtable flushing is more CPU efficient than memtable ingest and a single thread
+# can keep up with the ingest rate of a whole server on a single fast disk
+# until it temporarily becomes IO bound under contention typically with compaction.
+# At that point you need multiple flush threads. At some point in the future
+# it may become CPU bound all the time.
+#
+# You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation
+# metric which should be 0, but will be non-zero if threads are blocked waiting on flushing
+# to free memory.
+#
+# memtable_flush_writers defaults to two for a single data directory.
+# This means that two  memtables can be flushed concurrently to the single data directory.
+# If you have multiple data directories the default is one memtable flushing at a time
+# but the flush will use a thread per data directory so you will get two or more writers.
+#
+# Two is generally enough to flush on a fast disk [array] mounted as a single data directory.
+# Adding more flush writers will result in smaller more frequent flushes that introduce more
+# compaction overhead.
+#
+# There is a direct tradeoff between number of memtables that can be flushed concurrently
+# and flush size and frequency. More is not better you just need enough flush writers
+# to never stall waiting for flushing to free memory.
+#
+# memtable_flush_writers: 2
+
+# Total space to use for change-data-capture logs on disk.
+#
+# If space gets above this value, Cassandra will throw WriteTimeoutException
+# on Mutations including tables with CDC enabled. A CDCCompactor is responsible
+# for parsing the raw CDC logs and deleting them when parsing is completed.
+#
+# The default value is the min of 4096 MiB and 1/8th of the total space
+# of the drive where cdc_raw_directory resides.
+# Min unit: MiB
+# cdc_total_space: 4096MiB
+
+# When we hit our cdc_raw limit and the CDCCompactor is either running behind
+# or experiencing backpressure, we check at the following interval to see if any
+# new space for cdc-tracked tables has been made available. Default to 250ms
+# Min unit: ms
+# cdc_free_space_check_interval: 250ms
+
+# A fixed memory pool size in MB for for SSTable index summaries. If left
+# empty, this will default to 5% of the heap size. If the memory usage of
+# all index summaries exceeds this limit, SSTables with low read rates will
+# shrink their index summaries in order to meet this limit.  However, this
+# is a best-effort process. In extreme conditions Cassandra may need to use
+# more than this amount of memory.
+# Min unit: KiB
+index_summary_capacity:
+
+# How frequently index summaries should be resampled.  This is done
+# periodically to redistribute memory from the fixed-size pool to sstables
+# proportional their recent read rates.  Setting to null value will disable this
+# process, leaving existing index summaries at their current sampling level.
+# Min unit: m
+index_summary_resize_interval: 60m
+
+# Whether to, when doing sequential writing, fsync() at intervals in
+# order to force the operating system to flush the dirty
+# buffers. Enable this to avoid sudden dirty buffer flushing from
+# impacting read latencies. Almost always a good idea on SSDs; not
+# necessarily on platters.
+trickle_fsync: true
+# Min unit: KiB
+trickle_fsync_interval: 30240KiB
+
+# TCP port, for commands and data
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+storage_port: 7000
+
+# SSL port, for legacy encrypted communication. This property is unused unless enabled in
+# server_encryption_options (see below). As of cassandra 4.0, this property is deprecated
+# as a single port can be used for either/both secure and insecure connections.
+# For security reasons, you should not expose this port to the internet. Firewall it if needed.
+ssl_storage_port: 7001
+
+# Address or interface to bind to and tell other Cassandra nodes to connect to.
+# You _must_ change this if you want multiple nodes to be able to communicate!
+#
+# Set listen_address OR listen_interface, not both.
+#
+# Leaving it blank leaves it up to InetAddress.getLocalHost(). This
+# will always do the Right Thing _if_ the node is properly configured
+# (hostname, name resolution, etc), and the Right Thing is to use the
+# address associated with the hostname (it might not be). If unresolvable
+# it will fall back to InetAddress.getLoopbackAddress(), which is wrong for production systems.
+#
+# Setting listen_address to 0.0.0.0 is always wrong.
+#
+listen_address: 10.64.156.21
+
+# Set listen_address OR listen_interface, not both. Interfaces must correspond
+# to a single address, IP aliasing is not supported.
+# listen_interface: eth0
+
+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address
+# you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4
+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring
+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.
+# listen_interface_prefer_ipv6: false
+
+# Address to broadcast to other Cassandra nodes
+# Leaving this blank will set it to the same value as listen_address
+# broadcast_address: 1.2.3.4
+
+# When using multiple physical network interfaces, set this
+# to true to listen on broadcast_address in addition to
+# the listen_address, allowing nodes to communicate in both
+# interfaces.
+# Ignore this property if the network configuration automatically
+# routes  between the public and private networks such as EC2.
+# listen_on_broadcast_address: false
+
+# Internode authentication backend, implementing IInternodeAuthenticator;
+# used to allow/disallow connections from peer nodes.
+# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator
+
+# Whether to start the native transport server.
+# The address on which the native transport is bound is defined by rpc_address.
+start_native_transport: true
+# port for the CQL native transport to listen for clients on
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+native_transport_port: 9042
+# Enabling native transport encryption in client_encryption_options allows you to either use
+# encryption for the standard port or to use a dedicated, additional port along with the unencrypted
+# standard native_transport_port.
+# Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption
+# for native_transport_port. Setting native_transport_port_ssl to a different value
+# from native_transport_port will use encryption for native_transport_port_ssl while
+# keeping native_transport_port unencrypted.
+# native_transport_port_ssl: 9142
+# The maximum threads for handling requests (note that idle threads are stopped
+# after 30 seconds so there is not corresponding minimum setting).
+# native_transport_max_threads: 128
+# The maximum threads for handling auth requests in a separate executor from main request executor.
+# When set to 0, main executor for requests is used.
+# native_transport_max_auth_threads: 0
+#
+# The maximum size of allowed frame. Frame (requests) larger than this will
+# be rejected as invalid. The default is 16MiB. If you're changing this parameter,
+# you may want to adjust max_value_size accordingly. This should be positive and less than 2048.
+# Min unit: MiB
+# native_transport_max_frame_size: 16MiB
+
+# The maximum number of concurrent client connections.
+# The default is -1, which means unlimited.
+# native_transport_max_concurrent_connections: -1
+
+# The maximum number of concurrent client connections per source ip.
+# The default is -1, which means unlimited.
+# native_transport_max_concurrent_connections_per_ip: -1
+
+# Controls whether Cassandra honors older, yet currently supported, protocol versions.
+# The default is true, which means all supported protocols will be honored.
+native_transport_allow_older_protocols: true
+
+# Controls when idle client connections are closed. Idle connections are ones that had neither reads
+# nor writes for a time period.
+#
+# Clients may implement heartbeats by sending OPTIONS native protocol message after a timeout, which
+# will reset idle timeout timer on the server side. To close idle client connections, corresponding
+# values for heartbeat intervals have to be set on the client side.
+#
+# Idle connection timeouts are disabled by default.
+# Min unit: ms
+# native_transport_idle_timeout: 60000ms
+
+# When enabled, limits the number of native transport requests dispatched for processing per second.
+# Behavior once the limit has been breached depends on the value of THROW_ON_OVERLOAD specified in
+# the STARTUP message sent by the client during connection establishment. (See section "4.1.1. STARTUP"
+# in "CQL BINARY PROTOCOL v5".) With the THROW_ON_OVERLOAD flag enabled, messages that breach the limit
+# are dropped, and an OverloadedException is thrown for the client to handle. When the flag is not
+# enabled, the server will stop consuming messages from the channel/socket, putting backpressure on
+# the client while already dispatched messages are processed.
+# native_transport_rate_limiting_enabled: false
+# native_transport_max_requests_per_second: 1000000
+
+# The address or interface to bind the native transport server to.
+#
+# Set rpc_address OR rpc_interface, not both.
+#
+# Leaving rpc_address blank has the same effect as on listen_address
+# (i.e. it will be based on the configured hostname of the node).
+#
+# Note that unlike listen_address, you can specify 0.0.0.0, but you must also
+# set broadcast_rpc_address to a value other than 0.0.0.0.
+#
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+rpc_address: 10.64.156.21
+
+# Set rpc_address OR rpc_interface, not both. Interfaces must correspond
+# to a single address, IP aliasing is not supported.
+# rpc_interface: eth1
+
+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address
+# you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4
+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring
+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.
+# rpc_interface_prefer_ipv6: false
+
+# RPC address to broadcast to drivers and other Cassandra nodes. This cannot
+# be set to 0.0.0.0. If left blank, this will be set to the value of
+# rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must
+# be set.
+# broadcast_rpc_address: 1.2.3.4
+
+# enable or disable keepalive on rpc/native connections
+rpc_keepalive: true
+
+# Uncomment to set socket buffer size for internode communication
+# Note that when setting this, the buffer size is limited by net.core.wmem_max
+# and when not setting it it is defined by net.ipv4.tcp_wmem
+# See also:
+# /proc/sys/net/core/wmem_max
+# /proc/sys/net/core/rmem_max
+# /proc/sys/net/ipv4/tcp_wmem
+# /proc/sys/net/ipv4/tcp_wmem
+# and 'man tcp'
+# Min unit: B
+# internode_socket_send_buffer_size:
+
+# Uncomment to set socket buffer size for internode communication
+# Note that when setting this, the buffer size is limited by net.core.wmem_max
+# and when not setting it it is defined by net.ipv4.tcp_wmem
+# Min unit: B
+# internode_socket_receive_buffer_size:
+
+# Set to true to have Cassandra create a hard link to each sstable
+# flushed or streamed locally in a backups/ subdirectory of the
+# keyspace data.  Removing these links is the operator's
+# responsibility.
+incremental_backups: false
+
+# Whether or not to take a snapshot before each compaction.  Be
+# careful using this option, since Cassandra won't clean up the
+# snapshots for you.  Mostly useful if you're paranoid when there
+# is a data format change.
+snapshot_before_compaction: false
+
+# Whether or not a snapshot is taken of the data before keyspace truncation
+# or dropping of column families. The STRONGLY advised default of true 
+# should be used to provide data safety. If you set this flag to false, you will
+# lose data on truncation or drop.
+auto_snapshot: true
+
+# Adds a time-to-live (TTL) to auto snapshots generated by table
+# truncation or drop (when enabled).
+# After the TTL is elapsed, the snapshot is automatically cleared.
+# By default, auto snapshots *do not* have TTL, uncomment the property below
+# to enable TTL on auto snapshots.
+# Accepted units: d (days), h (hours) or m (minutes)
+# auto_snapshot_ttl: 30d
+
+# The act of creating or clearing a snapshot involves creating or removing
+# potentially tens of thousands of links, which can cause significant performance
+# impact, especially on consumer grade SSDs. A non-zero value here can
+# be used to throttle these links to avoid negative performance impact of
+# taking and clearing snapshots
+snapshot_links_per_second: 0
+
+# Granularity of the collation index of rows within a partition.
+# Increase if your rows are large, or if you have a very large
+# number of rows per partition.  The competing goals are these:
+#
+# - a smaller granularity means more index entries are generated
+#   and looking up rows withing the partition by collation column
+#   is faster
+# - but, Cassandra will keep the collation index in memory for hot
+#   rows (as part of the key cache), so a larger granularity means
+#   you can cache more hot rows
+# Min unit: KiB
+column_index_size: 64KiB
+
+# Per sstable indexed key cache entries (the collation index in memory
+# mentioned above) exceeding this size will not be held on heap.
+# This means that only partition information is held on heap and the
+# index entries are read from disk.
+#
+# Note that this size refers to the size of the
+# serialized index information and not the size of the partition.
+# Min unit: KiB
+column_index_cache_size: 2KiB
+
+# Number of simultaneous compactions to allow, NOT including
+# validation "compactions" for anti-entropy repair.  Simultaneous
+# compactions can help preserve read performance in a mixed read/write
+# workload, by mitigating the tendency of small sstables to accumulate
+# during a single long running compactions. The default is usually
+# fine and if you experience problems with compaction running too
+# slowly or too fast, you should look at
+# compaction_throughput first.
+#
+# concurrent_compactors defaults to the smaller of (number of disks,
+# number of cores), with a minimum of 2 and a maximum of 8.
+# 
+# If your data directories are backed by SSD, you should increase this
+# to the number of cores.
+concurrent_compactors: 12
+
+# Number of simultaneous repair validations to allow. If not set or set to
+# a value less than 1, it defaults to the value of concurrent_compactors.
+# To set a value greeater than concurrent_compactors at startup, the system
+# property cassandra.allow_unlimited_concurrent_validations must be set to
+# true. To dynamically resize to a value > concurrent_compactors on a running
+# node, first call the bypassConcurrentValidatorsLimit method on the
+# org.apache.cassandra.db:type=StorageService mbean
+# concurrent_validations: 0
+
+# Number of simultaneous materialized view builder tasks to allow.
+concurrent_materialized_view_builders: 1
+
+# Throttles compaction to the given total throughput across the entire
+# system. The faster you insert data, the faster you need to compact in
+# order to keep the sstable count down, but in general, setting this to
+# 16 to 32 times the rate you are inserting data is more than sufficient.
+# Setting this to 0 disables throttling. Note that this accounts for all types
+# of compaction, including validation compaction (building Merkle trees
+# for repairs).
+compaction_throughput: 256MiB/s
+
+# When compacting, the replacement sstable(s) can be opened before they
+# are completely written, and used in place of the prior sstables for
+# any range that has been written. This helps to smoothly transfer reads 
+# between the sstables, reducing page cache churn and keeping hot rows hot
+# Set sstable_preemptive_open_interval to null for disabled which is equivalent to
+# sstable_preemptive_open_interval_in_mb being negative
+# Min unit: MiB
+sstable_preemptive_open_interval: 50MiB
+
+# Starting from 4.1 sstables support UUID based generation identifiers. They are disabled by default
+# because once enabled, there is no easy way to downgrade. When the node is restarted with this option
+# set to true, each newly created sstable will have a UUID based generation identifier and such files are
+# not readable by previous Cassandra versions. At some point, this option will become true by default
+# and eventually get removed from the configuration.
+uuid_sstable_identifiers_enabled: false
+
+# When enabled, permits Cassandra to zero-copy stream entire eligible
+# SSTables between nodes, including every component.
+# This speeds up the network transfer significantly subject to
+# throttling specified by entire_sstable_stream_throughput_outbound,
+# and entire_sstable_inter_dc_stream_throughput_outbound
+# for inter-DC transfers.
+# Enabling this will reduce the GC pressure on sending and receiving node.
+# When unset, the default is enabled. While this feature tries to keep the
+# disks balanced, it cannot guarantee it. This feature will be automatically
+# disabled if internode encryption is enabled.
+# stream_entire_sstables: true
+
+# Throttles entire SSTable outbound streaming file transfers on
+# this node to the given total throughput in Mbps.
+# Setting this value to 0 it disables throttling.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# entire_sstable_stream_throughput_outbound: 24MiB/s
+
+# Throttles entire SSTable file streaming between datacenters.
+# Setting this value to 0 disables throttling for entire SSTable inter-DC file streaming.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# entire_sstable_inter_dc_stream_throughput_outbound: 24MiB/s
+
+# Throttles all outbound streaming file transfers on this node to the
+# given total throughput in Mbps. This is necessary because Cassandra does
+# mostly sequential IO when streaming data during bootstrap or repair, which
+# can lead to saturating the network connection and degrading rpc performance.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# stream_throughput_outbound: 24MiB/s
+
+# Throttles all streaming file transfer between the datacenters,
+# this setting allows users to throttle inter dc stream throughput in addition
+# to throttling all network stream traffic as configured with
+# stream_throughput_outbound_megabits_per_sec
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# inter_dc_stream_throughput_outbound: 24MiB/s
+
+# Server side timeouts for requests. The server will return a timeout exception
+# to the client if it can't complete an operation within the corresponding
+# timeout. Those settings are a protection against:
+#   1) having client wait on an operation that might never terminate due to some
+#      failures.
+#   2) operations that use too much CPU/read too much data (leading to memory build
+#      up) by putting a limit to how long an operation will execute.
+# For this reason, you should avoid putting these settings too high. In other words,
+# if you are timing out requests because of underlying resource constraints then
+# increasing the timeout will just cause more problems. Of course putting them too
+# low is equally ill-advised since clients could get timeouts even for successful
+# operations just because the timeout setting is too tight.
+
+# How long the coordinator should wait for read operations to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+read_request_timeout: 5000ms
+# How long the coordinator should wait for seq or index scans to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+range_request_timeout: 10000ms
+# How long the coordinator should wait for writes to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+write_request_timeout: 2000ms
+# How long the coordinator should wait for counter writes to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+counter_write_request_timeout: 5000ms
+# How long a coordinator should continue to retry a CAS operation
+# that contends with other proposals for the same row.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+cas_contention_timeout: 1000ms
+# How long the coordinator should wait for truncates to complete
+# (This can be much longer, because unless auto_snapshot is disabled
+# we need to flush first so we can snapshot before removing the data.)
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+truncate_request_timeout: 60000ms
+# The default timeout for other, miscellaneous operations.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+request_timeout: 10000ms
+
+# Defensive settings for protecting Cassandra from true network partitions.
+# See (CASSANDRA-14358) for details.
+#
+# The amount of time to wait for internode tcp connections to establish.
+# Min unit: ms
+# internode_tcp_connect_timeout: 2000ms
+#
+# The amount of time unacknowledged data is allowed on a connection before we throw out the connection
+# Note this is only supported on Linux + epoll, and it appears to behave oddly above a setting of 30000
+# (it takes much longer than 30s) as of Linux 4.12. If you want something that high set this to 0
+# which picks up the OS default and configure the net.ipv4.tcp_retries2 sysctl to be ~8.
+# Min unit: ms
+# internode_tcp_user_timeout: 30000ms
+
+# The amount of time unacknowledged data is allowed on a streaming connection.
+# The default is 5 minutes. Increase it or set it to 0 in order to increase the timeout.
+# Min unit: ms
+# internode_streaming_tcp_user_timeout: 300000ms
+
+# Global, per-endpoint and per-connection limits imposed on messages queued for delivery to other nodes
+# and waiting to be processed on arrival from other nodes in the cluster.  These limits are applied to the on-wire
+# size of the message being sent or received.
+#
+# The basic per-link limit is consumed in isolation before any endpoint or global limit is imposed.
+# Each node-pair has three links: urgent, small and large.  So any given node may have a maximum of
+# N*3*(internode_application_send_queue_capacity+internode_application_receive_queue_capacity)
+# messages queued without any coordination between them although in practice, with token-aware routing, only RF*tokens
+# nodes should need to communicate with significant bandwidth.
+#
+# The per-endpoint limit is imposed on all messages exceeding the per-link limit, simultaneously with the global limit,
+# on all links to or from a single node in the cluster.
+# The global limit is imposed on all messages exceeding the per-link limit, simultaneously with the per-endpoint limit,
+# on all links to or from any node in the cluster.
+#
+# Min unit: B
+# internode_application_send_queue_capacity: 4MiB
+# internode_application_send_queue_reserve_endpoint_capacity: 128MiB
+# internode_application_send_queue_reserve_global_capacity: 512MiB
+# internode_application_receive_queue_capacity: 4MiB
+# internode_application_receive_queue_reserve_endpoint_capacity: 128MiB
+# internode_application_receive_queue_reserve_global_capacity: 512MiB
+
+
+# How long before a node logs slow queries. Select queries that take longer than
+# this timeout to execute, will generate an aggregated log message, so that slow queries
+# can be identified. Set this value to zero to disable slow query logging.
+# Min unit: ms
+slow_query_log_timeout: 500ms
+
+# Enable operation timeout information exchange between nodes to accurately
+# measure request timeouts.  If disabled, replicas will assume that requests
+# were forwarded to them instantly by the coordinator, which means that
+# under overload conditions we will waste that much extra time processing 
+# already-timed-out requests.
+#
+# Warning: It is generally assumed that users have setup NTP on their clusters, and that clocks are modestly in sync, 
+# since this is a requirement for general correctness of last write wins.
+# internode_timeout: true
+
+# Set period for idle state control messages for earlier detection of failed streams
+# This node will send a keep-alive message periodically on the streaming's control channel.
+# This ensures that any eventual SocketTimeoutException will occur within 2 keep-alive cycles
+# If the node cannot send, or timeouts sending, the keep-alive message on the netty control channel
+# the stream session is closed.
+# Default value is 300s (5 minutes), which means stalled streams
+# are detected within 10 minutes
+# Specify 0 to disable.
+# Min unit: s
+# streaming_keep_alive_period: 300s
+
+# Limit number of connections per host for streaming
+# Increase this when you notice that joins are CPU-bound rather that network
+# bound (for example a few nodes with big files).
+# streaming_connections_per_host: 1
+
+# Settings for stream stats tracking; used by system_views.streaming table
+# How long before a stream is evicted from tracking; this impacts both historic and currently running
+# streams.
+# streaming_state_expires: 3d
+# How much memory may be used for tracking before evicting session from tracking; once crossed
+# historic and currently running streams maybe impacted.
+# streaming_state_size: 40MiB
+# Enable/Disable tracking of streaming stats
+# streaming_stats_enabled: true
+
+# Allows denying configurable access (rw/rr) to operations on configured ks, table, and partitions, intended for use by
+# operators to manage cluster health vs application access. See CASSANDRA-12106 and CEP-13 for more details.
+# partition_denylist_enabled: false
+
+# denylist_writes_enabled: true
+# denylist_reads_enabled: true
+# denylist_range_reads_enabled: true
+
+# The interval at which keys in the cache for denylisting will "expire" and async refresh from the backing DB.
+# Note: this serves only as a fail-safe, as the usage pattern is expected to be "mutate state, refresh cache" on any
+# changes to the underlying denylist entries. See documentation for details.
+# Min unit: s
+# denylist_refresh: 600s
+
+# In the event of errors on attempting to load the denylist cache, retry on this interval.
+# Min unit: s
+# denylist_initial_load_retry: 5s
+
+# We cap the number of denylisted keys allowed per table to keep things from growing unbounded. Nodes will warn above
+# this limit while allowing new denylisted keys to be inserted. Denied keys are loaded in natural query / clustering
+# ordering by partition key in case of overflow.
+# denylist_max_keys_per_table: 1000
+
+# We cap the total number of denylisted keys allowed in the cluster to keep things from growing unbounded.
+# Nodes will warn on initial cache load that there are too many keys and be direct the operator to trim down excess
+# entries to within the configured limits.
+# denylist_max_keys_total: 10000
+
+# Since the denylist in many ways serves to protect the health of the cluster from partitions operators have identified
+# as being in a bad state, we usually want more robustness than just CL.ONE on operations to/from these tables to
+# ensure that these safeguards are in place. That said, we allow users to configure this if they're so inclined.
+# denylist_consistency_level: QUORUM
+
+# phi value that must be reached for a host to be marked down.
+# most users should never need to adjust this.
+# phi_convict_threshold: 8
+
+# endpoint_snitch -- Set this to a class that implements
+# IEndpointSnitch.  The snitch has two functions:
+#
+# - it teaches Cassandra enough about your network topology to route
+#   requests efficiently
+# - it allows Cassandra to spread replicas around your cluster to avoid
+#   correlated failures. It does this by grouping machines into
+#   "datacenters" and "racks."  Cassandra will do its best not to have
+#   more than one replica on the same "rack" (which may not actually
+#   be a physical location)
+#
+# CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH
+# ONCE DATA IS INSERTED INTO THE CLUSTER.  This would cause data loss.
+# This means that if you start with the default SimpleSnitch, which
+# locates every node on "rack1" in "datacenter1", your only options
+# if you need to add another datacenter are GossipingPropertyFileSnitch
+# (and the older PFS).  From there, if you want to migrate to an
+# incompatible snitch like Ec2Snitch you can do it by adding new nodes
+# under Ec2Snitch (which will locate them in a new "datacenter") and
+# decommissioning the old ones.
+#
+# Out of the box, Cassandra provides:
+#
+# SimpleSnitch:
+#    Treats Strategy order as proximity. This can improve cache
+#    locality when disabling read repair.  Only appropriate for
+#    single-datacenter deployments.
+#
+# GossipingPropertyFileSnitch
+#    This should be your go-to snitch for production use.  The rack
+#    and datacenter for the local node are defined in
+#    cassandra-rackdc.properties and propagated to other nodes via
+#    gossip.  If cassandra-topology.properties exists, it is used as a
+#    fallback, allowing migration from the PropertyFileSnitch.
+#
+# PropertyFileSnitch:
+#    Proximity is determined by rack and data center, which are
+#    explicitly configured in cassandra-topology.properties.
+#
+# Ec2Snitch:
+#    Appropriate for EC2 deployments in a single Region. Loads Region
+#    and Availability Zone information from the EC2 API. The Region is
+#    treated as the datacenter, and the Availability Zone as the rack.
+#    Only private IPs are used, so this will not work across multiple
+#    Regions.
+#
+# Ec2MultiRegionSnitch:
+#    Uses public IPs as broadcast_address to allow cross-region
+#    connectivity.  (Thus, you should set seed addresses to the public
+#    IP as well.) You will need to open the storage_port or
+#    ssl_storage_port on the public IP firewall.  (For intra-Region
+#    traffic, Cassandra will switch to the private IP after
+#    establishing a connection.)
+#
+# RackInferringSnitch:
+#    Proximity is determined by rack and data center, which are
+#    assumed to correspond to the 3rd and 2nd octet of each node's IP
+#    address, respectively.  Unless this happens to match your
+#    deployment conventions, this is best used as an example of
+#    writing a custom Snitch class and is provided in that spirit.
+#
+# You can use a custom Snitch by setting this to the full class name
+# of the snitch, which will be assumed to be on your classpath.
+endpoint_snitch: GossipingPropertyFileSnitch
+
+# controls how often to perform the more expensive part of host score
+# calculation
+# Min unit: ms
+dynamic_snitch_update_interval: 100ms
+# controls how often to reset all host scores, allowing a bad host to
+# possibly recover
+# Min unit: ms
+dynamic_snitch_reset_interval: 600000ms
+# if set greater than zero, this will allow
+# 'pinning' of replicas to hosts in order to increase cache capacity.
+# The badness threshold will control how much worse the pinned host has to be
+# before the dynamic snitch will prefer other replicas over it.  This is
+# expressed as a double which represents a percentage.  Thus, a value of
+# 0.2 means Cassandra would continue to prefer the static snitch values
+# until the pinned host was 20% worse than the fastest.
+dynamic_snitch_badness_threshold: 1.0
+
+# Configure server-to-server internode encryption
+#
+# JVM and netty defaults for supported SSL socket protocols and cipher suites can
+# be replaced using custom encryption options. This is not recommended
+# unless you have policies in place that dictate certain settings, or
+# need to disable vulnerable ciphers or protocols in case the JVM cannot
+# be updated.
+#
+# FIPS compliant settings can be configured at JVM level and should not
+# involve changing encryption settings here:
+# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
+#
+# **NOTE** this default configuration is an insecure configuration. If you need to
+# enable server-to-server encryption generate server keystores (and truststores for mutual
+# authentication) per:
+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
+# Then perform the following configuration changes:
+#
+# Step 1: Set internode_encryption=<dc|rack|all> and explicitly set optional=true. Restart all nodes
+#
+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual
+# auth set require_client_auth=true. Restart all nodes
+server_encryption_options:
+  # On outbound connections, determine which type of peers to securely connect to.
+  #   The available options are :
+  #     none : Do not encrypt outgoing connections
+  #     dc   : Encrypt connections to peers in other datacenters but not within datacenters
+  #     rack : Encrypt connections to peers in other racks but not within racks
+  #     all  : Always use encrypted connections
+  internode_encryption: all
+  # When set to true, encrypted and unencrypted connections are allowed on the storage_port
+  # This should _only be true_ while in unencrypted or transitional operation
+  # optional defaults to true if internode_encryption is none
+  optional: false
+  # If enabled, will open up an encrypted listening socket on ssl_storage_port. Should only be used
+  # during upgrade to 4.0; otherwise, set to false.
+  legacy_ssl_storage_port_enabled: false
+  # Set to a valid keystore if internode_encryption is dc, rack or all
+  keystore: /etc/cassandra-b/tls/server.key
+  keystore_password: test
+  # Verify peer server certificates
+  require_client_auth: false
+  # Set to a valid trustore if require_client_auth is true
+  truststore: /etc/ssl/localcerts/wmf-java-cacerts
+  truststore_password: changeit
+  # Verify that the host name in the certificate matches the connected host
+  require_endpoint_verification: false
+  # More advanced defaults:
+  # protocol: TLS
+  # store_type: JKS
+  # cipher_suites: [
+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_RSA_WITH_AES_256_CBC_SHA
+  # ]
+
+# Configure client-to-server encryption.
+#
+# **NOTE** this default configuration is an insecure configuration. If you need to
+# enable client-to-server encryption generate server keystores (and truststores for mutual
+# authentication) per:
+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
+# Then perform the following configuration changes:
+#
+# Step 1: Set enabled=true and explicitly set optional=true. Restart all nodes
+#
+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual
+# auth set require_client_auth=true. Restart all nodes
+client_encryption_options:
+  # Enable client-to-server encryption
+  enabled: true
+  # When set to true, encrypted and unencrypted connections are allowed on the native_transport_port
+  # This should _only be true_ while in unencrypted or transitional operation
+  # optional defaults to true when enabled is false, and false when enabled is true.
+  optional: true
+  # Set keystore and keystore_password to valid keystores if enabled is true
+  keystore: /etc/cassandra-b/tls/server.key
+  keystore_password: test
+  # Verify client certificates
+  require_client_auth: false
+  # Set trustore and truststore_password if require_client_auth is true
+  # truststore: /etc/cassandra-b/tls/client.trust
+  # truststore_password: placeholder
+  # More advanced defaults:
+  # protocol: TLS
+  # store_type: JKS
+  # cipher_suites: [
+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_RSA_WITH_AES_256_CBC_SHA
+  # ]
+
+# internode_compression controls whether traffic between nodes is
+# compressed.
+# Can be:
+#
+# all
+#   all traffic is compressed
+#
+# dc
+#   traffic between different datacenters is compressed
+#
+# none
+#   nothing is compressed.
+internode_compression: all
+
+# Enable or disable tcp_nodelay for inter-dc communication.
+# Disabling it will result in larger (but fewer) network packets being sent,
+# reducing overhead from the TCP protocol itself, at the cost of increasing
+# latency if you block for cross-datacenter responses.
+inter_dc_tcp_nodelay: false
+
+# TTL for different trace types used during logging of the repair process.
+# Min unit: s
+trace_type_query_ttl: 1d
+# Min unit: s
+trace_type_repair_ttl: 7d
+
+# If unset, all GC Pauses greater than gc_log_threshold will log at
+# INFO level
+# UDFs (user defined functions) are disabled by default.
+# As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code.
+user_defined_functions_enabled: false
+
+# Enables scripted UDFs (JavaScript UDFs).
+# Java UDFs are always enabled, if user_defined_functions_enabled is true.
+# Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider.
+# This option has no effect, if user_defined_functions_enabled is false.
+scripted_user_defined_functions_enabled: false
+
+# Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from
+# a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by
+# the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys
+# can still (and should!) be in the keystore and will be used on decrypt operations
+# (to handle the case of key rotation).
+#
+# It is strongly recommended to download and install Java Cryptography Extension (JCE)
+# Unlimited Strength Jurisdiction Policy Files for your version of the JDK.
+# (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
+#
+# Currently, only the following file types are supported for transparent data encryption, although
+# more are coming in future cassandra releases: commitlog, hints
+transparent_data_encryption_options:
+  enabled: false
+  chunk_length_kb: 64
+  cipher: AES/CBC/PKCS5Padding
+  key_alias: testing:1
+  # CBC IV length for AES needs to be 16 bytes (which is also the default size)
+  # iv_length: 16
+  key_provider:
+    - class_name: org.apache.cassandra.security.JKSKeyProvider
+      parameters:
+        - keystore: conf/.keystore
+          keystore_password: cassandra
+          store_type: JCEKS
+          key_password: cassandra
+
+
+#####################
+# SAFETY THRESHOLDS #
+#####################
+
+# When executing a scan, within or across a partition, we need to keep the
+# tombstones seen in memory so we can return them to the coordinator, which
+# will use them to make sure other replicas also know about the deleted rows.
+# With workloads that generate a lot of tombstones, this can cause performance
+# problems and even exaust the server heap.
+# (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)
+# Adjust the thresholds here if you understand the dangers and want to
+# scan more tombstones anyway.  These thresholds may also be adjusted at runtime
+# using the StorageService mbean.
+tombstone_warn_threshold: 1000
+tombstone_failure_threshold: 100000
+
+# Filtering and secondary index queries at read consistency levels above ONE/LOCAL_ONE use a
+# mechanism called replica filtering protection to ensure that results from stale replicas do
+# not violate consistency. (See CASSANDRA-8272 and CASSANDRA-15907 for more details.) This
+# mechanism materializes replica results by partition on-heap at the coordinator. The more possibly
+# stale results returned by the replicas, the more rows materialized during the query.
+replica_filtering_protection:
+    # These thresholds exist to limit the damage severely out-of-date replicas can cause during these
+    # queries. They limit the number of rows from all replicas individual index and filtering queries
+    # can materialize on-heap to return correct results at the desired read consistency level.
+    #
+    # "cached_replica_rows_warn_threshold" is the per-query threshold at which a warning will be logged.
+    # "cached_replica_rows_fail_threshold" is the per-query threshold at which the query will fail.
+    #
+    # These thresholds may also be adjusted at runtime using the StorageService mbean.
+    #
+    # If the failure threshold is breached, it is likely that either the current page/fetch size
+    # is too large or one or more replicas is severely out-of-sync and in need of repair.
+    cached_rows_warn_threshold: 2000
+    cached_rows_fail_threshold: 32000
+
+# Log WARN on any multiple-partition batch size exceeding this value. 5KiB per batch by default.
+# Caution should be taken on increasing the size of this threshold as it can lead to node instability.
+# Min unit: KiB
+batch_size_warn_threshold: 5KiB
+
+# Fail any multiple-partition batch exceeding this value. 50KiB (10x warn threshold) by default.
+# Min unit: KiB
+batch_size_fail_threshold: 50KiB
+
+# Log WARN on any batches not of type LOGGED than span across more partitions than this limit
+unlogged_batch_across_partitions_warn_threshold: 10
+
+# Log a warning when compacting partitions larger than this value
+compaction_large_partition_warning_threshold: 100MiB
+
+# Log a warning when writing more tombstones than this value to a partition
+compaction_tombstone_warning_threshold: 100000
+
+# GC Pauses greater than 200 ms will be logged at INFO level
+# This threshold can be adjusted to minimize logging if necessary
+# Min unit: ms
+# gc_log_threshold: 200ms
+
+# GC Pauses greater than gc_warn_threshold will be logged at WARN level
+# Adjust the threshold based on your application throughput requirement. Setting to 0
+# will deactivate the feature.
+# Min unit: ms
+# gc_warn_threshold: 1000ms
+
+# Maximum size of any value in SSTables. Safety measure to detect SSTable corruption
+# early. Any value size larger than this threshold will result into marking an SSTable
+# as corrupted. This should be positive and less than 2GiB.
+# Min unit: MiB
+# max_value_size: 256MiB
+
+# ** Impact on keyspace creation **
+# If replication factor is not mentioned as part of keyspace creation, default_keyspace_rf would apply.
+# Changing this configuration would only take effect for keyspaces created after the change, but does not impact
+# existing keyspaces created prior to the change.
+# ** Impact on keyspace alter **
+# When altering a keyspace from NetworkTopologyStrategy to SimpleStrategy, default_keyspace_rf is applied if rf is not
+# explicitly mentioned.
+# ** Impact on system keyspaces **
+# This would also apply for any system keyspaces that need replication factor.
+# A further note about system keyspaces - system_traces and system_distributed keyspaces take RF of 2 or default,
+# whichever is higher, and system_auth keyspace takes RF of 1 or default, whichever is higher.
+# Suggested value for use in production: 3
+# default_keyspace_rf: 1
+
+# Track a metric per keyspace indicating whether replication achieved the ideal consistency
+# level for writes without timing out. This is different from the consistency level requested by
+# each write which may be lower in order to facilitate availability.
+# ideal_consistency_level: EACH_QUORUM
+
+# Automatically upgrade sstables after upgrade - if there is no ordinary compaction to do, the
+# oldest non-upgraded sstable will get upgraded to the latest version
+# automatic_sstable_upgrade: false
+# Limit the number of concurrent sstable upgrades
+# max_concurrent_automatic_sstable_upgrades: 1
+
+# Audit logging - Logs every incoming CQL command request, authentication to a node. See the docs
+# on audit_logging for full details about the various configuration options.
+audit_logging_options:
+  enabled: false
+  logger:
+    - class_name: BinAuditLogger
+  # audit_logs_dir:
+  # included_keyspaces:
+  # excluded_keyspaces: system, system_schema, system_virtual_schema
+  # included_categories:
+  # excluded_categories:
+  # included_users:
+  # excluded_users:
+  # roll_cycle: HOURLY
+  # block: true
+  # max_queue_weight: 268435456 # 256 MiB
+  # max_log_size: 17179869184 # 16 GiB
+  ## archive command is "/path/to/script.sh %path" where %path is replaced with the file being rolled:
+  # archive_command:
+  # max_archive_retries: 10
+
+
+# default options for full query logging - these can be overridden from command line when executing
+# nodetool enablefullquerylog
+# full_query_logging_options:
+  # log_dir:
+  # roll_cycle: HOURLY
+  # block: true
+  # max_queue_weight: 268435456 # 256 MiB
+  # max_log_size: 17179869184 # 16 GiB
+  ## archive command is "/path/to/script.sh %path" where %path is replaced with the file being rolled:
+  # archive_command:
+  ## note that enabling this allows anyone with JMX/nodetool access to run local shell commands as the user running cassandra
+  # allow_nodetool_archive_command: false
+  # max_archive_retries: 10
+
+# validate tombstones on reads and compaction
+# can be either "disabled", "warn" or "exception"
+# corrupted_tombstone_strategy: disabled
+
+# Diagnostic Events #
+# If enabled, diagnostic events can be helpful for troubleshooting operational issues. Emitted events contain details
+# on internal state and temporal relationships across events, accessible by clients via JMX.
+diagnostic_events_enabled: false
+
+# Use native transport TCP message coalescing. If on upgrade to 4.0 you found your throughput decreasing, and in
+# particular you run an old kernel or have very fewer client connections, this option might be worth evaluating.
+#native_transport_flush_in_batches_legacy: false
+
+# Enable tracking of repaired state of data during reads and comparison between replicas
+# Mismatches between the repaired sets of replicas can be characterized as either confirmed
+# or unconfirmed. In this context, unconfirmed indicates that the presence of pending repair
+# sessions, unrepaired partition tombstones, or some other condition means that the disparity
+# cannot be considered conclusive. Confirmed mismatches should be a trigger for investigation
+# as they may be indicative of corruption or data loss.
+# There are separate flags for range vs partition reads as single partition reads are only tracked
+# when CL > 1 and a digest mismatch occurs. Currently, range queries don't use digests so if
+# enabled for range reads, all range reads will include repaired data tracking. As this adds
+# some overhead, operators may wish to disable it whilst still enabling it for partition reads
+repaired_data_tracking_for_range_reads_enabled: false
+repaired_data_tracking_for_partition_reads_enabled: false
+# If false, only confirmed mismatches will be reported. If true, a separate metric for unconfirmed
+# mismatches will also be recorded. This is to avoid potential signal:noise issues are unconfirmed
+# mismatches are less actionable than confirmed ones.
+report_unconfirmed_repaired_data_mismatches: false
+
+# Having many tables and/or keyspaces negatively affects performance of many operations in the
+# cluster. When the number of tables/keyspaces in the cluster exceeds the following thresholds
+# a client warning will be sent back to the user when creating a table or keyspace.
+# As of cassandra 4.1, these properties are deprecated in favor of keyspaces_warn_threshold and tables_warn_threshold
+# table_count_warn_threshold: 150
+# keyspace_count_warn_threshold: 40
+
+# configure the read and write consistency levels for modifications to auth tables
+# auth_read_consistency_level: LOCAL_QUORUM
+# auth_write_consistency_level: EACH_QUORUM
+
+# Delays on auth resolution can lead to a thundering herd problem on reconnects; this option will enable
+# warming of auth caches prior to node completing startup. See CASSANDRA-16958
+# auth_cache_warming_enabled: false
+
+#########################
+# EXPERIMENTAL FEATURES #
+#########################
+
+# Enables materialized view creation on this node.
+# Materialized views are considered experimental and are not recommended for production use.
+materialized_views_enabled: false
+
+# Enables SASI index creation on this node.
+# SASI indexes are considered experimental and are not recommended for production use.
+sasi_indexes_enabled: false
+
+# Enables creation of transiently replicated keyspaces on this node.
+# Transient replication is experimental and is not recommended for production use.
+transient_replication_enabled: false
+
+# Enables the used of 'ALTER ... DROP COMPACT STORAGE' statements on this node.
+# 'ALTER ... DROP COMPACT STORAGE' is considered experimental and is not recommended for production use.
+drop_compact_storage_enabled: false
+
+# Whether or not USE <keyspace> is allowed. This is enabled by default to avoid failure on upgrade.
+#use_statements_enabled: true
+
+# When the client triggers a protocol exception or unknown issue (Cassandra bug) we increment
+# a client metric showing this; this logic will exclude specific subnets from updating these
+# metrics
+#client_error_reporting_exclusions:
+#  subnets:
+#    - 127.0.0.1
+#    - 127.0.0.0/31
+
+# Enables read thresholds (warn/fail) across all replicas for reporting back to the client.
+# See: CASSANDRA-16850
+# read_thresholds_enabled: false # scheduled to be set true in 4.2
+# When read_thresholds_enabled: true, this tracks the materialized size of a query on the
+# coordinator. If coordinator_read_size_warn_threshold is defined, this will emit a warning
+# to clients with details on what query triggered this as well as the size of the result set; if
+# coordinator_read_size_fail_threshold is defined, this will fail the query after it
+# has exceeded this threshold, returning a read error to the user.
+# coordinator_read_size_warn_threshold:
+# coordinator_read_size_fail_threshold:
+# When read_thresholds_enabled: true, this tracks the size of the local read (as defined by
+# heap size), and will warn/fail based off these thresholds; undefined disables these checks.
+# local_read_size_warn_threshold:
+# local_read_size_fail_threshold:
+# When read_thresholds_enabled: true, this tracks the expected memory size of the RowIndexEntry
+# and will warn/fail based off these thresholds; undefined disables these checks
+# row_index_read_size_warn_threshold:
+# row_index_read_size_fail_threshold:
+
+# Guardrail to warn or fail when creating more user keyspaces than threshold.
+# The two thresholds default to -1 to disable.
+# keyspaces_warn_threshold: -1
+# keyspaces_fail_threshold: -1
+# Guardrail to warn or fail when creating more user tables than threshold.
+# The two thresholds default to -1 to disable.
+# tables_warn_threshold: -1
+# tables_fail_threshold: -1
+# Guardrail to enable or disable the ability to create uncompressed tables
+# uncompressed_tables_enabled: true
+# Guardrail to warn or fail when creating/altering a table with more columns per table than threshold.
+# The two thresholds default to -1 to disable.
+# columns_per_table_warn_threshold: -1
+# columns_per_table_fail_threshold: -1
+# Guardrail to warn or fail when creating more secondary indexes per table than threshold.
+# The two thresholds default to -1 to disable.
+# secondary_indexes_per_table_warn_threshold: -1
+# secondary_indexes_per_table_fail_threshold: -1
+# Guardrail to enable or disable the creation of secondary indexes
+# secondary_indexes_enabled: true
+# Guardrail to warn or fail when creating more materialized views per table than threshold.
+# The two thresholds default to -1 to disable.
+# materialized_views_per_table_warn_threshold: -1
+# materialized_views_per_table_fail_threshold: -1
+# Guardrail to warn about, ignore or reject properties when creating tables. By default all properties are allowed.
+# table_properties_warned: []
+# table_properties_ignored: []
+# table_properties_disallowed: []
+# Guardrail to allow/disallow user-provided timestamps. Defaults to true.
+# user_timestamps_enabled: true
+# Guardrail to allow/disallow GROUP BY functionality.
+# group_by_enabled: true
+# Guardrail to allow/disallow TRUNCATE and DROP TABLE statements
+# drop_truncate_table_enabled: true
+# Guardrail to warn or fail when using a page size greater than threshold.
+# The two thresholds default to -1 to disable.
+# page_size_warn_threshold: -1
+# page_size_fail_threshold: -1
+# Guardrail to allow/disallow list operations that require read before write, i.e. setting list element by index and
+# removing list elements by either index or value. Defaults to true.
+# read_before_write_list_operations_enabled: true
+# Guardrail to warn or fail when querying with an IN restriction selecting more partition keys than threshold.
+# The two thresholds default to -1 to disable.
+# partition_keys_in_select_warn_threshold: -1
+# partition_keys_in_select_fail_threshold: -1
+# Guardrail to warn or fail when an IN query creates a cartesian product with a size exceeding threshold,
+# eg. "a in (1,2,...10) and b in (1,2...10)" results in cartesian product of 100.
+# The two thresholds default to -1 to disable.
+# in_select_cartesian_product_warn_threshold: -1
+# in_select_cartesian_product_fail_threshold: -1
+# Guardrail to warn about or reject read consistency levels. By default, all consistency levels are allowed.
+# read_consistency_levels_warned: []
+# read_consistency_levels_disallowed: []
+# Guardrail to warn about or reject write consistency levels. By default, all consistency levels are allowed.
+# write_consistency_levels_warned: []
+# write_consistency_levels_disallowed: []
+# Guardrail to warn or fail when encountering larger size of collection data than threshold.
+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case
+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to
+# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections,
+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.
+# The two thresholds default to null to disable.
+# Min unit: B
+# collection_size_warn_threshold:
+# Min unit: B
+# collection_size_fail_threshold:
+# Guardrail to warn or fail when encountering more elements in collection than threshold.
+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case
+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to
+# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections,
+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.
+# The two thresholds default to -1 to disable.
+# items_per_collection_warn_threshold: -1
+# items_per_collection_fail_threshold: -1
+# Guardrail to allow/disallow querying with ALLOW FILTERING. Defaults to true.
+# allow_filtering_enabled: true
+# Guardrail to warn or fail when creating a user-defined-type with more fields in than threshold.
+# Default -1 to disable.
+# fields_per_udt_warn_threshold: -1
+# fields_per_udt_fail_threshold: -1
+# Guardrail to warn or fail when local data disk usage percentage exceeds threshold. Valid values are in [1, 100].
+# This is only used for the disks storing data directories, so it won't count any separate disks used for storing
+# the commitlog, hints nor saved caches. The disk usage is the ratio between the amount of space used by the data
+# directories and the addition of that same space and the remaining free space on disk. The main purpose of this
+# guardrail is rejecting user writes when the disks are over the defined usage percentage, so the writes done by
+# background processes such as compaction and streaming don't fail due to a full disk. The limits should be defined
+# accordingly to the expected data growth due to those background processes, so for example a compaction strategy
+# doubling the size of the data would require to keep the disk usage under 50%.
+# The two thresholds default to -1 to disable.
+# data_disk_usage_percentage_warn_threshold: -1
+# data_disk_usage_percentage_fail_threshold: -1
+# Allows defining the max disk size of the data directories when calculating thresholds for
+# disk_usage_percentage_warn_threshold and disk_usage_percentage_fail_threshold, so if this is greater than zero they
+# become percentages of a fixed size on disk instead of percentages of the physically available disk size. This should
+# be useful when we have a large disk and we only want to use a part of it for Cassandra's data directories.
+# Valid values are in [1, max available disk size of all data directories].
+# Defaults to null to disable and use the physically available disk size of data directories during calculations.
+# Min unit: B
+# data_disk_usage_max_disk_size:
+# Guardrail to warn or fail when the minimum replication factor is lesser than threshold.
+# This would also apply to system keyspaces.
+# Suggested value for use in production: 2 or higher
+# minimum_replication_factor_warn_threshold: -1
+# minimum_replication_factor_fail_threshold: -1
+
+# Startup Checks are executed as part of Cassandra startup process, not all of them
+# are configurable (so you can disable them) but these which are enumerated bellow.
+# Uncomment the startup checks and configure them appropriately to cover your needs.
+#
+#startup_checks:
+# Verifies correct ownership of attached locations on disk at startup. See CASSANDRA-16879 for more details.
+#  check_filesystem_ownership:
+#    enabled: false
+#    ownership_token: "sometoken" # (overriden by "CassandraOwnershipToken" system property)
+#    ownership_filename: ".cassandra_fs_ownership" # (overriden by "cassandra.fs_ownership_filename")
+# Prevents a node from starting if snitch's data center differs from previous data center.
+#  check_dc:
+#    enabled: true # (overriden by cassandra.ignore_dc system property)
+# Prevents a node from starting if snitch's rack differs from previous rack.
+#  check_rack:
+#    enabled: true # (overriden by cassandra.ignore_rack system property)
+# Enable this property to fail startup if the node is down for longer than gc_grace_seconds, to potentially
+# prevent data resurrection on tables with deletes. By default, this will run against all keyspaces and tables
+# except the ones specified on excluded_keyspaces and excluded_tables.
+#  check_data_resurrection:
+#    enabled: false
+# file where Cassandra periodically writes the last time it was known to run
+#    heartbeat_file: /var/lib/cassandra/data/cassandra-heartbeat
+#    excluded_keyspaces: # comma separated list of keyspaces to exclude from the check
+#    excluded_tables: # comma separated list of keyspace.table pairs to exclude from the check

Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]

Parameters differences:

--- Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet].orig
+++ Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]

+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet

+    unless      => /usr/bin/openssl x509 -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem -checkend 952200
+    require     => Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]
+    environment => ['GODEBUG=x509ignoreCN=0']

File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr].orig
+++ File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]

+    group  => root
+    mode   => 0400
+    ensure => file
+    owner  => root

Content differences:

--- /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr.orig
+++ /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr
@@ -0,0 +1,15 @@
+{
+  "CN": "aqs1024-b.eqiad.wmnet",
+  "hosts": [
+    "cassandra",
+    "aqs1024.eqiad.wmnet",
+    "aqs1024-b.eqiad.wmnet"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 256
+  },
+  "names": [
+
+  ]
+}

File[/etc/cassandra.in.sh]

Parameters differences:

--- File[/etc/cassandra.in.sh].orig
+++ File[/etc/cassandra.in.sh]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0444
+    ensure  => present
+    owner   => cassandra

Content differences:

--- /etc/cassandra.in.sh.orig
+++ /etc/cassandra.in.sh
@@ -0,0 +1,107 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to set various options from puppet.
+
+# This file is similar to the stock /usr/share/cassandra/cassandra.in.sh
+# but we are not setting CASSANDRA_CONF here, it'll be overridden
+CASSANDRA_HOME=/usr/share/cassandra
+
+# The java classpath (required)
+CLASSPATH="$CASSANDRA_CONF"
+
+for jar in "$CASSANDRA_HOME"/lib/*.jar; do
+    CLASSPATH="$CLASSPATH:$jar"
+done
+
+for jar in /usr/share/cassandra/*.jar; do
+    CLASSPATH=$CLASSPATH:$jar
+done
+
+
+CLASSPATH="$CLASSPATH:$EXTRA_CLASSPATH"
+
+# set JVM javaagent opts to avoid warnings/errors
+JAVA_AGENT="$JAVA_AGENT -javaagent:$CASSANDRA_HOME/lib/jamm-0.3.2.jar"
+
+# Added sigar-bin to the java.library.path CASSANDRA-7838
+JAVA_OPTS="$JAVA_OPTS:-Djava.library.path=$CASSANDRA_HOME/lib/sigar-bin"
+
+#
+# Java executable and per-Java version JVM settings
+#
+
+# Use JAVA_HOME if set, otherwise look for java in PATH
+if [ -n "$JAVA_HOME" ]; then
+    # Why we can't have nice things: Solaris combines x86 and x86_64
+    # installations in the same tree, using an unconventional path for the
+    # 64bit JVM.  Since we prefer 64bit, search the alternate path first,
+    # (see https://issues.apache.org/jira/browse/CASSANDRA-4638).
+    for java in "$JAVA_HOME"/bin/amd64/java "$JAVA_HOME"/bin/java; do
+        if [ -x "$java" ]; then
+            JAVA="$java"
+            break
+        fi
+    done
+else
+    JAVA=`command -v java 2> /dev/null`
+fi
+
+if [ -z $JAVA ] ; then
+    echo Unable to find java executable. Check JAVA_HOME and PATH environment variables. >&2
+    exit 1;
+fi
+
+# Determine the sort of JVM we'll be running on.
+java_ver_output=`"${JAVA:-java}" -version 2>&1`
+jvmver=`echo "$java_ver_output" | grep '[openjdk|java] version' | awk -F'"' 'NR==1 {print $2}' | cut -d\- -f1`
+JVM_VERSION=${jvmver%_*}
+short=$(echo "${jvmver}" | cut -c1-2)
+
+JAVA_VERSION=17
+if [ "$short" = "11" ]  ; then
+     JAVA_VERSION=11
+elif [ "$JVM_VERSION" \< "17" ] ; then
+    echo "Cassandra requires Java 11 or Java 17."
+    exit 1;
+fi
+
+jvm=`echo "$java_ver_output" | grep -A 1 '[openjdk|java] version' | awk 'NR==2 {print $1}'`
+case "$jvm" in
+    OpenJDK)
+        JVM_VENDOR=OpenJDK
+        # this will be "64-Bit" or "32-Bit"
+        JVM_ARCH=`echo "$java_ver_output" | awk 'NR==3 {print $2}'`
+        ;;
+    "Java(TM)")
+        JVM_VENDOR=Oracle
+        # this will be "64-Bit" or "32-Bit"
+        JVM_ARCH=`echo "$java_ver_output" | awk 'NR==3 {print $3}'`
+        ;;
+    *)
+        # Help fill in other JVM values
+        JVM_VENDOR=other
+        JVM_ARCH=unknown
+        ;;
+esac
+
+# Read user-defined JVM options from jvm-server.options file
+JVM_OPTS_FILE=$CASSANDRA_CONF/jvm${jvmoptions_variant:--clients}.options
+if [ $JAVA_VERSION -ge 17 ] ; then
+    JVM_DEP_OPTS_FILE=$CASSANDRA_CONF/jvm17${jvmoptions_variant:--clients}.options
+elif [ $JAVA_VERSION -ge 11 ] ; then
+    JVM_DEP_OPTS_FILE=$CASSANDRA_CONF/jvm11${jvmoptions_variant:--clients}.options
+fi
+
+for opt in `grep "^-" $JVM_OPTS_FILE` `grep "^-" $JVM_DEP_OPTS_FILE`
+do
+  JVM_OPTS="$JVM_OPTS $opt"
+done
+
+# Append additional options when using JDK17+ (CASSANDRA-19001)
+USING_JDK=$(command -v javac || command -v "${JAVA_HOME:-/usr}/bin/javac")
+if [ -n "$USING_JDK" ] && [ "$JAVA_VERSION" -ge 17 ]; then
+  JVM_OPTS="$JVM_OPTS --add-exports jdk.attach/sun.tools.attach=ALL-UNNAMED"
+  JVM_OPTS="$JVM_OPTS --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED"
+  JVM_OPTS="$JVM_OPTS --add-opens jdk.compiler/com.sun.tools.javac=ALL-UNNAMED"
+fi

File[/etc/rsyslog.d/50-udp-localhost-compat.conf]

Parameters differences:

--- File[/etc/rsyslog.d/50-udp-localhost-compat.conf].orig
+++ File[/etc/rsyslog.d/50-udp-localhost-compat.conf]

+    group  => root
+    mode   => 0444
+    ensure => present
+    notify => Service[rsyslog]
+    owner  => root

Content differences:

--- /etc/rsyslog.d/50-udp-localhost-compat.conf.orig
+++ /etc/rsyslog.d/50-udp-localhost-compat.conf
@@ -0,0 +1,37 @@
+# Provide a UDP syslog input to accept JSON payloads (in the syslog message) and forwards them to
+# Kakfa.
+# To be recognized as JSON the syslog message must be prepended with "@cee: "
+# see also https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmjsonparse.html
+
+# Kafka topic selection is based on the syslog message severity.
+
+module(load="imudp")
+
+template(name="udp_localhost_topic" type="string" string="udp_localhost-%syslogseverity-text:::lowercase%")
+
+# Use a separate (in memory) queue to limit message processing to this ruleset only.
+ruleset(name="udp_localhost_to_kafka" queue.type="LinkedList") {
+  action(type="mmjsonparse" name="mmjsonparse_udp_localhost")
+
+  action(type="omkafka"
+         broker=["kafka-logging1001.eqiad.wmnet:9093","kafka-logging1002.eqiad.wmnet:9093","kafka-logging1003.eqiad.wmnet:9093","kafka-logging1004.eqiad.wmnet:9093","kafka-logging1005.eqiad.wmnet:9093"]
+         topic="udp_localhost_topic"
+         dynatopic="on"
+         dynatopic.cachesize="1000"
+         partitions.auto="on"
+         template="syslog_cee"
+         queue.type="LinkedList" queue.size="10000" queue.filename="udp_localhost_compat"
+         queue.highWatermark="7000" queue.lowWatermark="6000"
+         queue.checkpointInterval="5"
+         queue.maxDiskSpace="40960000"
+         confParam=[ "security.protocol=ssl",
+                     "ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt",
+                     "compression.codec=snappy",
+                     "socket.timeout.ms=60000",
+                     "socket.keepalive.enable=true",
+                     "queue.buffering.max.ms=50",
+                     "batch.num.messages=1000" ]
+  )
+}
+
+input(type="imudp" port="10514" address="localhost" ruleset="udp_localhost_to_kafka")

Interface::Alias[cassandra-a]

Parameters differences:

--- Interface::Alias[cassandra-a].orig
+++ Interface::Alias[cassandra-a]

+    ipv4          => 10.64.156.18
+    is_service_ip => True
+    interface     => ens8f0np0

File[/etc/cassandra-a/user_geo_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_geo_analytics.cql].orig
+++ File[/etc/cassandra-a/user_geo_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_geo_analytics.cql.orig
+++ /etc/cassandra-a/user_geo_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS geo_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_editors_bycountry".data TO 'geo_analytics';

Class[Profile::Base::Certificates]

Parameters differences:

--- Class[Profile::Base::Certificates].orig
+++ Class[Profile::Base::Certificates]

@@
-    include_bundle_jks => False
+    include_bundle_jks => True

File[/etc/cassandra-b/user_data_gateway.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_data_gateway.cql].orig
+++ File[/etc/cassandra-b/user_data_gateway.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_data_gateway.cql.orig
+++ /etc/cassandra-b/user_data_gateway.cql
@@ -0,0 +1,33 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS data_gateway
+    WITH PASSWORD = 'qwerty' AND LOGIN = true AND SUPERUSER = false;
+
+-- Image Suggestions
+GRANT SELECT ON image_suggestions.suggestions      TO data_gateway;
+GRANT SELECT ON image_suggestions.feedback         TO data_gateway;
+GRANT SELECT ON image_suggestions.title_cache      TO data_gateway;
+GRANT SELECT ON image_suggestions.instanceof_cache TO data_gateway;
+
+-- Commons Impact Metrics
+GRANT SELECT ON commons.category_metrics_snapshot        TO data_gateway;
+GRANT SELECT ON commons.media_file_metrics_snapshot      TO data_gateway;
+GRANT SELECT ON commons.pageviews_per_category_monthly   TO data_gateway;
+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO data_gateway;
+GRANT SELECT ON commons.edits_per_category_monthly       TO data_gateway;
+GRANT SELECT ON commons.edits_per_user_monthly           TO data_gateway;
+GRANT SELECT ON commons.top_pages_per_category_monthly   TO data_gateway;
+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO data_gateway;
+GRANT SELECT ON commons.top_viewed_categories_monthly    TO data_gateway;
+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO data_gateway;
+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO data_gateway;
+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO data_gateway;
+GRANT SELECT ON commons.top_edited_categories_monthly    TO data_gateway;
+GRANT SELECT ON commons.top_editors_monthly              TO data_gateway;
+
+-- Machine learning cache
+GRANT SELECT ON ml_cache.page_paragraph_tone_scores      TO data_gateway;
+
+-- New-style AQS tables
+GRANT SELECT ON analytics.pageviews_per_editor           TO data_gateway;
+GRANT SELECT ON analytics.pageviews_top_pages_per_editor TO data_gateway;

File[/etc/ssh/userkeys/deploy-service]

Parameters differences:

--- File[/etc/ssh/userkeys/deploy-service].orig
+++ File[/etc/ssh/userkeys/deploy-service]

+    group     => root
+    mode      => 0444
+    force     => True
+    ensure    => file
+    show_diff => False
+    owner     => root

Content differences:

--- /etc/ssh/userkeys/deploy-service.orig
+++ /etc/ssh/userkeys/deploy-service
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5X7MHT3YfRGM1lCjLpvGjh2mz0n8E1A3SAY6AD1ZkZVxQcPxCjKAx5a/wsod4DeNaW+t3i1GiRAvaPrxVG8EqZ/AtXhNeMKHFXSGXh7t1zq+dd0cMus4481CCxEwUDGG+T4FsbFh/5Npi4LEFTiYaPNabqMjkeO2bd04/BQXvJFIvuA8EivPdB6Me4esZ/fas+oAwgTlYxY7MGtnpF8/i+3OJ6cU6R8yQpkoFsoXzb/QIopxeQ2GwABKf2PpS6YJq9urS1vRZcxTNYnPRm/XrbVshl8WWLIH6o9ZcV8B3sEIL8stj+hrrlW7p/h7Kupy5UThdxdTyegpZ6isLT/7wHVBTupSCFsSap2sL8qn7epSjfgooRYzJKi4JZXnalYFVJscCYOgQBOkWUfbU509qU0kk/FgGVGw4EAvyLLEXNtMZ6VQ5JMUkVuLe8xka+OCoTW6ABAHEzoKZuTRs8yvzKenc13sQqZmfbcGNkkADVpZLfvfdD082lWkPfBJIIbJjuH4OcTjyDHYs45k0SOv2hJE4DjG7/9z0SlOjxgtfxJh9t6B4Q7hjPnLfBpBW0rEtUz04pTYgAmHKUZEHUAVh1wrwQslB8ugrBI8ZFcxHdie0OyLYJAdnaGnY2RyqSviBEWyMJdTO46q86sMNmBU4BO/pfuok2SBc48+WBk8mEQ==

File[/etc/sudoers.d/scap_deploy-service]

Parameters differences:

--- File[/etc/sudoers.d/scap_deploy-service].orig
+++ File[/etc/sudoers.d/scap_deploy-service]

+    group        => root
+    mode         => 0440
+    ensure       => present
+    validate_cmd => /usr/sbin/visudo -cqf %
+    owner        => root

Content differences:

--- /etc/sudoers.d/scap_deploy-service.orig
+++ /etc/sudoers.d/scap_deploy-service
@@ -0,0 +1,3 @@
+# This file is managed by Puppet!
+
+deploy-service ALL=(deploy-service) NOPASSWD: ALL

File[/etc/cassandra-a/user_image_suggestions.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_image_suggestions.cql].orig
+++ File[/etc/cassandra-a/user_image_suggestions.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_image_suggestions.cql.orig
+++ /etc/cassandra-a/user_image_suggestions.cql
@@ -0,0 +1,6 @@
+
+CREATE ROLE IF NOT EXISTS image_suggestions
+    WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON KEYSPACE image_suggestions TO image_suggestions;
+GRANT MODIFY ON KEYSPACE image_suggestions TO image_suggestions;

File[/etc/cassandra-b/jvm11-clients.options]

Parameters differences:

--- File[/etc/cassandra-b/jvm11-clients.options].orig
+++ File[/etc/cassandra-b/jvm11-clients.options]

+    group  => root
+    force  => True
+    ensure => link
+    target => /etc/cassandra/jvm11-clients.options
+    owner  => root

File[/etc/cassandra-a/jvm11-server.options]

Parameters differences:

--- File[/etc/cassandra-a/jvm11-server.options].orig
+++ File[/etc/cassandra-a/jvm11-server.options]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/jvm11-server.options.orig
+++ /etc/cassandra-a/jvm11-server.options
@@ -0,0 +1,112 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to assign configuration.
+
+###########################################################################
+#                         jvm11-server.options                            #
+#                                                                         #
+# See jvm-server.options. This file is specific for Java 11 and newer.    #
+###########################################################################
+
+#################
+#  GC SETTINGS  #
+#################
+
+
+
+### CMS Settings
+# -XX:+UseConcMarkSweepGC
+# -XX:+CMSParallelRemarkEnabled
+# -XX:SurvivorRatio=8
+# -XX:MaxTenuringThreshold=1
+# -XX:CMSInitiatingOccupancyFraction=75
+# -XX:+UseCMSInitiatingOccupancyOnly
+# -XX:CMSWaitDuration=10000
+# -XX:+CMSParallelInitialMarkEnabled
+# -XX:+CMSEdenChunksRecordAlways
+## some JVMs will fill up their heap when accessed via JMX, see CASSANDRA-6541
+# -XX:+CMSClassUnloadingEnabled
+
+
+
+### G1 Settings
+## Use the Hotspot garbage-first collector.
+-XX:+UseG1GC
+#-XX:+ParallelRefProcEnabled
+#-XX:MaxTenuringThreshold=1
+-XX:G1HeapRegionSize=8m
+
+#
+## Have the JVM do less remembered set work during STW, instead
+## preferring concurrent GC. Reduces p99.9 latency.
+-XX:G1RSetUpdatingPauseTimePercent=5
+#
+## Main G1GC tunable: lowering the pause target will lower throughput and vise versa.
+## 200ms is the JVM default and lowest viable setting
+## 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.
+#-XX:MaxGCPauseMillis=300
+
+## Optional G1 Settings
+# Save CPU time on large (>= 16GB) heaps by delaying region scanning
+# until the heap is 70% full. The default in Hotspot 8u40 is 40%.
+#-XX:InitiatingHeapOccupancyPercent=70
+
+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.
+# Otherwise equal to the number of cores when 8 or less.
+# Machines with > 10 cores should try setting these to <= full cores.
+#-XX:ParallelGCThreads=16
+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.
+# Setting both to the same value can reduce STW durations.
+#-XX:ConcGCThreads=16
+
+
+### JPMS
+
+-Djdk.attach.allowAttachSelf=true
+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED
+--add-exports java.base/jdk.internal.ref=ALL-UNNAMED
+--add-exports java.base/sun.nio.ch=ALL-UNNAMED
+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED
+--add-exports java.sql/java.sql=ALL-UNNAMED
+
+--add-opens java.base/java.lang.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED
+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED
+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED
+--add-opens java.base/jdk.internal.math=ALL-UNNAMED
+--add-opens java.base/jdk.internal.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED
+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED
+
+
+### GC logging options -- uncomment to enable
+
+# Java 11 (and newer) GC logging options:
+# See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax
+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M
+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-a.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+# Notes for Java 8 migration:
+#
+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after "gc"
+# -XX:+PrintGCDateStamps                maps to decorator 'time'
+#
+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'
+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'
+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'
+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'
+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'
+
+### Netty Options
+
+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable
+# creation of direct buffers using Unsafe. Without it, this falls back to ByteBuffer.allocateDirect which has
+# inferior performance and risks exceeding MaxDirectMemory
+-Dio.netty.tryReflectionSetAccessible=true
+
+# The newline in the end of file is intentional

Cassandra::Instance[a]

Parameters differences:

--- Cassandra::Instance[a].orig
+++ Cassandra::Instance[a]

+    max_heap_size                    => 16g
+    num_tokens                       => 256
+    legacy_ssl_storage_port_enabled  => False
+    tls_cluster_name                 => aqs
+    auto_apply_grants                => False
+    cluster_name                     => Analytics Query Service Storage
+    concurrent_counter_writes        => 32
+    config_directory                 => /etc/cassandra-a
+    target_version                   => 4.x
+    endpoint_snitch                  => GossipingPropertyFileSnitch
+    data_directories                 => ['data']
+    row_cache_size_in_mb             => 200
+    pid_file                         => /var/run/cassandra/cassandra-a.pid
+    tls_use_pki_truststore           => True
+    heap_newsize                     => 2048m
+    memory_allocator                 => JEMallocAllocator
+    start_native_transport           => True
+    service_name                     => cassandra-a
+    permissions_validity_in_ms       => 600000
+    data_file_directories            => ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data']
+    native_transport_port            => 9042
+    commitlog_directory              => /srv/cassandra/cassandra-a/commitlog
+    internode_encryption             => all
+    tls_use_pki                      => True
+    heapdump_directory               => /srv/storage-0/cassandra-a
+    super_password                   => nosuchpass
+    hints_directory                  => /srv/cassandra/cassandra-a/hints
+    logstash_port                    => 11514
+    client_encryption_enabled        => True
+    extra_classpath                  => []
+    trickle_fsync                    => True
+    auto_bootstrap                   => True
+    saved_caches_directory           => /srv/cassandra/cassandra-a/saved_caches
+    streaming_socket_timeout_in_ms   => 0
+    auto_snapshot                    => True
+    local_system_data_file_directory => /srv/cassandra/cassandra-a/system
+    nodetool_path                    => /usr/local/bin/nodetool-a
+    client_encryption_optional       => True
+    concurrent_reads                 => 64
+    compaction_throughput_mb_per_sec => 256
+    rpc_server_type                  => sync
+    users                            => ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']
+    instance_id                      => aqs1024-a
+    concurrent_writes                => 64
+    rack                             => rack2
+    concurrent_compactors            => 12
+    tls_use_pki_keep_old_ca          => False
+    dc                               => eqiad
+    tls_keystore_password            => test
+    monitor_enabled                  => True
+    incremental_backups              => False
+    seeds                            => ['aqs1010-a.eqiad.wmnet', 'aqs1010-b.eqiad.wmnet', 'aqs1011-a.eqiad.wmnet', 'aqs1011-b.eqiad.wmnet', 'aqs1012-a.eqiad.wmnet', 'aqs1012-b.eqiad.wmnet', 'aqs1014-a.eqiad.wmnet', 'aqs1014-b.eqiad.wmnet', 'aqs1015-a.eqiad.wmnet', 'aqs1015-b.eqiad.wmnet', 'aqs1016-a.eqiad.wmnet', 'aqs1016-b.eqiad.wmnet', 'aqs1017-a.eqiad.wmnet', 'aqs1017-b.eqiad.wmnet', 'aqs1018-a.eqiad.wmnet', 'aqs1018-b.eqiad.wmnet', 'aqs1019-a.eqiad.wmnet', 'aqs1019-b.eqiad.wmnet', 'aqs1020-a.eqiad.wmnet', 'aqs1020-b.eqiad.wmnet', 'aqs1021-a.eqiad.wmnet', 'aqs1021-b.eqiad.wmnet', 'aqs1022-a.eqiad.wmnet', 'aqs1022-b.eqiad.wmnet', 'aqs1023-a.eqiad.wmnet', 'aqs1023-b.eqiad.wmnet', 'aqs1024-a.eqiad.wmnet', 'aqs1024-b.eqiad.wmnet', 'aqs2001-a.codfw.wmnet', 'aqs2001-b.codfw.wmnet', 'aqs2002-a.codfw.wmnet', 'aqs2002-b.codfw.wmnet', 'aqs2003-a.codfw.wmnet', 'aqs2003-b.codfw.wmnet', 'aqs2004-a.codfw.wmnet', 'aqs2004-b.codfw.wmnet', 'aqs2005-a.codfw.wmnet', 'aqs2005-b.codfw.wmnet', 'aqs2006-a.codfw.wmnet', 'aqs2006-b.codfw.wmnet', 'aqs2007-a.codfw.wmnet', 'aqs2007-b.codfw.wmnet', 'aqs2008-a.codfw.wmnet', 'aqs2008-b.codfw.wmnet', 'aqs2009-a.codfw.wmnet', 'aqs2009-b.codfw.wmnet', 'aqs2010-a.codfw.wmnet', 'aqs2010-b.codfw.wmnet', 'aqs2011-a.codfw.wmnet', 'aqs2011-b.codfw.wmnet', 'aqs2012-a.codfw.wmnet', 'aqs2012-b.codfw.wmnet']
+    super_username                   => cassandra
+    snapshot_before_compaction       => False
+    logstash_host                    => localhost
+    start_rpc                        => False
+    storage_port                     => 7000
+    data_directory_base              => /srv/cassandra-a
+    additional_jvm_opts              => []
+    server_encryption_optional       => False
+    internode_compression            => all
+    trickle_fsync_interval_in_kb     => 30240
+    rpc_port                         => 9160
+    tls_hostname                     => aqs1024-a
+    listen_address                   => 10.64.156.18
+    authenticator                    => True
+    cassandra_passwords              => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}
+    disk_failure_policy              => stop
+    key_cache_size_in_mb             => 400
+    authorizor                       => True

Class[Cassandra::Sysctl]

Parameters differences:

--- Class[Cassandra::Sysctl].orig
+++ Class[Cassandra::Sysctl]

+    vm_max_map_count          => 1048575
+    vm_dirty_background_bytes => 25165824

File[/etc/cassandra-b/user_media_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_media_analytics.cql].orig
+++ File[/etc/cassandra-b/user_media_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_media_analytics.cql.orig
+++ /etc/cassandra-b/user_media_analytics.cql
@@ -0,0 +1,7 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS media_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_mediarequest_per_referer".data TO 'media_analytics';
+GRANT SELECT ON "local_group_default_T_mediarequest_per_file".data TO 'media_analytics';
+GRANT SELECT ON "local_group_default_T_mediarequest_top_files".data TO 'media_analytics';

Class[Scap::Ferm]

Parameters differences:

--- Class[Scap::Ferm].orig
+++ Class[Scap::Ferm]

+    ensure => present

Cassandra::Instance[b]

Parameters differences:

--- Cassandra::Instance[b].orig
+++ Cassandra::Instance[b]

+    max_heap_size                    => 16g
+    num_tokens                       => 256
+    legacy_ssl_storage_port_enabled  => False
+    tls_cluster_name                 => aqs
+    auto_apply_grants                => False
+    cluster_name                     => Analytics Query Service Storage
+    concurrent_counter_writes        => 32
+    config_directory                 => /etc/cassandra-b
+    target_version                   => 4.x
+    endpoint_snitch                  => GossipingPropertyFileSnitch
+    data_directories                 => ['data']
+    row_cache_size_in_mb             => 200
+    pid_file                         => /var/run/cassandra/cassandra-b.pid
+    tls_use_pki_truststore           => True
+    heap_newsize                     => 2048m
+    memory_allocator                 => JEMallocAllocator
+    start_native_transport           => True
+    service_name                     => cassandra-b
+    permissions_validity_in_ms       => 600000
+    data_file_directories            => ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data']
+    native_transport_port            => 9042
+    commitlog_directory              => /srv/cassandra/cassandra-b/commitlog
+    internode_encryption             => all
+    tls_use_pki                      => True
+    heapdump_directory               => /srv/storage-1/cassandra-b
+    super_password                   => nosuchpass
+    hints_directory                  => /srv/cassandra/cassandra-b/hints
+    logstash_port                    => 11514
+    client_encryption_enabled        => True
+    extra_classpath                  => []
+    trickle_fsync                    => True
+    auto_bootstrap                   => True
+    saved_caches_directory           => /srv/cassandra/cassandra-b/saved_caches
+    streaming_socket_timeout_in_ms   => 0
+    auto_snapshot                    => True
+    local_system_data_file_directory => /srv/cassandra/cassandra-b/system
+    nodetool_path                    => /usr/local/bin/nodetool-b
+    client_encryption_optional       => True
+    concurrent_reads                 => 64
+    compaction_throughput_mb_per_sec => 256
+    rpc_server_type                  => sync
+    users                            => ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']
+    instance_id                      => aqs1024-b
+    concurrent_writes                => 64
+    rack                             => rack2
+    concurrent_compactors            => 12
+    tls_use_pki_keep_old_ca          => False
+    dc                               => eqiad
+    tls_keystore_password            => test
+    monitor_enabled                  => True
+    incremental_backups              => False
+    seeds                            => ['aqs1010-a.eqiad.wmnet', 'aqs1010-b.eqiad.wmnet', 'aqs1011-a.eqiad.wmnet', 'aqs1011-b.eqiad.wmnet', 'aqs1012-a.eqiad.wmnet', 'aqs1012-b.eqiad.wmnet', 'aqs1014-a.eqiad.wmnet', 'aqs1014-b.eqiad.wmnet', 'aqs1015-a.eqiad.wmnet', 'aqs1015-b.eqiad.wmnet', 'aqs1016-a.eqiad.wmnet', 'aqs1016-b.eqiad.wmnet', 'aqs1017-a.eqiad.wmnet', 'aqs1017-b.eqiad.wmnet', 'aqs1018-a.eqiad.wmnet', 'aqs1018-b.eqiad.wmnet', 'aqs1019-a.eqiad.wmnet', 'aqs1019-b.eqiad.wmnet', 'aqs1020-a.eqiad.wmnet', 'aqs1020-b.eqiad.wmnet', 'aqs1021-a.eqiad.wmnet', 'aqs1021-b.eqiad.wmnet', 'aqs1022-a.eqiad.wmnet', 'aqs1022-b.eqiad.wmnet', 'aqs1023-a.eqiad.wmnet', 'aqs1023-b.eqiad.wmnet', 'aqs1024-a.eqiad.wmnet', 'aqs1024-b.eqiad.wmnet', 'aqs2001-a.codfw.wmnet', 'aqs2001-b.codfw.wmnet', 'aqs2002-a.codfw.wmnet', 'aqs2002-b.codfw.wmnet', 'aqs2003-a.codfw.wmnet', 'aqs2003-b.codfw.wmnet', 'aqs2004-a.codfw.wmnet', 'aqs2004-b.codfw.wmnet', 'aqs2005-a.codfw.wmnet', 'aqs2005-b.codfw.wmnet', 'aqs2006-a.codfw.wmnet', 'aqs2006-b.codfw.wmnet', 'aqs2007-a.codfw.wmnet', 'aqs2007-b.codfw.wmnet', 'aqs2008-a.codfw.wmnet', 'aqs2008-b.codfw.wmnet', 'aqs2009-a.codfw.wmnet', 'aqs2009-b.codfw.wmnet', 'aqs2010-a.codfw.wmnet', 'aqs2010-b.codfw.wmnet', 'aqs2011-a.codfw.wmnet', 'aqs2011-b.codfw.wmnet', 'aqs2012-a.codfw.wmnet', 'aqs2012-b.codfw.wmnet']
+    super_username                   => cassandra
+    snapshot_before_compaction       => False
+    logstash_host                    => localhost
+    start_rpc                        => False
+    storage_port                     => 7000
+    data_directory_base              => /srv/cassandra-b
+    additional_jvm_opts              => []
+    server_encryption_optional       => False
+    internode_compression            => all
+    trickle_fsync_interval_in_kb     => 30240
+    rpc_port                         => 9160
+    tls_hostname                     => aqs1024-b
+    listen_address                   => 10.64.156.21
+    authenticator                    => True
+    cassandra_passwords              => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}
+    disk_failure_policy              => stop
+    key_cache_size_in_mb             => 400
+    authorizor                       => True

File[/etc/cassandra-a/cassandra-env.sh]

Parameters differences:

--- File[/etc/cassandra-a/cassandra-env.sh].orig
+++ File[/etc/cassandra-a/cassandra-env.sh]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/cassandra-env.sh.orig
+++ /etc/cassandra-a/cassandra-env.sh
@@ -0,0 +1,316 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and is templatized
+#        here in order to set various options from puppet.
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+calculate_heap_sizes()
+{
+    case "`uname`" in
+        Linux)
+            system_memory_in_mb=`free -m | awk '/:/ {print $2;exit}'`
+            system_cpu_cores=`egrep -c 'processor([[:space:]]+):.*' /proc/cpuinfo`
+        ;;
+        FreeBSD)
+            system_memory_in_bytes=`sysctl hw.physmem | awk '{print $2}'`
+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`
+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`
+        ;;
+        SunOS)
+            system_memory_in_mb=`prtconf | awk '/Memory size:/ {print $3}'`
+            system_cpu_cores=`psrinfo | wc -l`
+        ;;
+        Darwin)
+            system_memory_in_bytes=`sysctl hw.memsize | awk '{print $2}'`
+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`
+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`
+        ;;
+        *)
+            # assume reasonable defaults for e.g. a modern desktop or
+            # cheap server
+            system_memory_in_mb="2048"
+            system_cpu_cores="2"
+        ;;
+    esac
+
+    # some systems like the raspberry pi don't report cores, use at least 1
+    if [ "$system_cpu_cores" -lt "1" ]
+    then
+        system_cpu_cores="1"
+    fi
+
+    # set max heap size based on the following
+    # max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
+    # calculate 1/2 ram and cap to 1024MB
+    # calculate 1/4 ram and cap to 8192MB
+    # pick the max
+    half_system_memory_in_mb=`expr $system_memory_in_mb / 2`
+    quarter_system_memory_in_mb=`expr $half_system_memory_in_mb / 2`
+    if [ "$half_system_memory_in_mb" -gt "1024" ]
+    then
+        half_system_memory_in_mb="1024"
+    fi
+    if [ "$quarter_system_memory_in_mb" -gt "8192" ]
+    then
+        quarter_system_memory_in_mb="8192"
+    fi
+    if [ "$half_system_memory_in_mb" -gt "$quarter_system_memory_in_mb" ]
+    then
+        max_heap_size_in_mb="$half_system_memory_in_mb"
+    else
+        max_heap_size_in_mb="$quarter_system_memory_in_mb"
+    fi
+    MAX_HEAP_SIZE="${max_heap_size_in_mb}M"
+
+    # Young gen: min(max_sensible_per_modern_cpu_core * num_cores, 1/4 * heap size)
+    max_sensible_yg_per_core_in_mb="100"
+    max_sensible_yg_in_mb=`expr $max_sensible_yg_per_core_in_mb "*" $system_cpu_cores`
+
+    desired_yg_in_mb=`expr $max_heap_size_in_mb / 4`
+
+    if [ "$desired_yg_in_mb" -gt "$max_sensible_yg_in_mb" ]
+    then
+        HEAP_NEWSIZE="${max_sensible_yg_in_mb}M"
+    else
+        HEAP_NEWSIZE="${desired_yg_in_mb}M"
+    fi
+}
+
+# Sets the path where logback and GC logs are written.
+if [ "x$CASSANDRA_LOG_DIR" = "x" ] ; then
+    CASSANDRA_LOG_DIR="$CASSANDRA_HOME/logs"
+fi
+
+#GC log path has to be defined here because it needs to access CASSANDRA_HOME
+if [ $JAVA_VERSION -ge 11 ] ; then
+    # See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax
+    # The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M
+    echo "$JVM_OPTS" | grep -qe "-[X]log:gc"
+    if [ "$?" = "1" ] ; then # [X] to prevent ccm from replacing this line
+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file
+        mkdir -p ${CASSANDRA_LOG_DIR}
+        JVM_OPTS="$JVM_OPTS -Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=${CASSANDRA_LOG_DIR}/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760"
+    fi
+else
+    # Java 8
+    echo "$JVM_OPTS" | grep -qe "-[X]loggc"
+    if [ "$?" = "1" ] ; then # [X] to prevent ccm from replacing this line
+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file
+        mkdir -p ${CASSANDRA_LOG_DIR}
+        JVM_OPTS="$JVM_OPTS -Xloggc:${CASSANDRA_LOG_DIR}/gc.log"
+    fi
+fi
+
+# Check what parameters were defined on jvm-server.options file to avoid conflicts
+echo $JVM_OPTS | grep -q Xmn
+DEFINED_XMN=$?
+echo $JVM_OPTS | grep -q Xmx
+DEFINED_XMX=$?
+echo $JVM_OPTS | grep -q Xms
+DEFINED_XMS=$?
+echo $JVM_OPTS | grep -q UseConcMarkSweepGC
+USING_CMS=$?
+echo $JVM_OPTS | grep -q +UseG1GC
+USING_G1=$?
+
+# Override these to set the amount of memory to allocate to the JVM at
+# start-up. For production use you may wish to adjust this for your
+# environment. MAX_HEAP_SIZE is the total amount of memory dedicated
+# to the Java heap. HEAP_NEWSIZE refers to the size of the young
+# generation. Both MAX_HEAP_SIZE and HEAP_NEWSIZE should be either set
+# or not (if you set one, set the other).
+#
+# The main trade-off for the young generation is that the larger it
+# is, the longer GC pause times will be. The shorter it is, the more
+# expensive GC will be (usually).
+#
+# The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause
+# times. If in doubt, and if you do not particularly want to tweak, go with
+# 100 MB per physical CPU core.
+
+#MAX_HEAP_SIZE="4G"
+#HEAP_NEWSIZE="800M"
+
+# Set this to control the amount of arenas per-thread in glibc
+#export MALLOC_ARENA_MAX=4
+
+# only calculate the size if it's not set manually
+if [ "x$MAX_HEAP_SIZE" = "x" ] && [ "x$HEAP_NEWSIZE" = "x" -o $USING_G1 -eq 0 ]; then
+    calculate_heap_sizes
+elif [ "x$MAX_HEAP_SIZE" = "x" ] ||  [ "x$HEAP_NEWSIZE" = "x" -a $USING_G1 -ne 0 ]; then
+    echo "please set or unset MAX_HEAP_SIZE and HEAP_NEWSIZE in pairs when using CMS GC (see cassandra-env.sh)"
+    exit 1
+fi
+
+if [ "x$MALLOC_ARENA_MAX" = "x" ] ; then
+    export MALLOC_ARENA_MAX=4
+fi
+
+# We only set -Xms and -Xmx if they were not defined on jvm-server.options file
+# If defined, both Xmx and Xms should be defined together.
+if [ $DEFINED_XMX -ne 0 ] && [ $DEFINED_XMS -ne 0 ]; then
+     JVM_OPTS="$JVM_OPTS -Xms${MAX_HEAP_SIZE}"
+     JVM_OPTS="$JVM_OPTS -Xmx${MAX_HEAP_SIZE}"
+elif [ $DEFINED_XMX -ne 0 ] || [ $DEFINED_XMS -ne 0 ]; then
+     echo "Please set or unset -Xmx and -Xms flags in pairs on jvm-server.options file."
+     exit 1
+fi
+
+# We only set -Xmn flag if it was not defined in jvm-server.options file
+# and if the CMS GC is being used
+# If defined, both Xmn and Xmx should be defined together.
+if [ $DEFINED_XMN -eq 0 ] && [ $DEFINED_XMX -ne 0 ]; then
+    echo "Please set or unset -Xmx and -Xmn flags in pairs on jvm-server.options file."
+    exit 1
+elif [ $DEFINED_XMN -ne 0 ] && [ $USING_CMS -eq 0 ]; then
+    JVM_OPTS="$JVM_OPTS -Xmn${HEAP_NEWSIZE}"
+fi
+
+# We fail to start if -Xmn is used with G1 GC is being used
+# See comments for -Xmn in jvm-server.options
+if [ $DEFINED_XMN -eq 0 ] && [ $USING_G1 -eq 0 ]; then
+    echo "It is not recommended to set -Xmn with the G1 garbage collector. See comments for -Xmn in jvm-server.options for details."
+    exit 1
+fi
+
+if [ "$JVM_ARCH" = "64-Bit" ] && [ $USING_CMS -eq 0 ]; then
+    JVM_OPTS="$JVM_OPTS -XX:+UseCondCardMark"
+fi
+
+# provides hints to the JIT compiler
+JVM_OPTS="$JVM_OPTS -XX:CompileCommandFile=$CASSANDRA_CONF/hotspot_compiler"
+
+# add the jamm javaagent
+JVM_OPTS="$JVM_OPTS -javaagent:$CASSANDRA_HOME/lib/jamm-0.3.2.jar"
+
+CASSANDRA_HEAPDUMP_DIR=/srv/storage-0/cassandra-a
+# set jvm HeapDumpPath with CASSANDRA_HEAPDUMP_DIR
+if [ "x$CASSANDRA_HEAPDUMP_DIR" != "x" ]; then
+    JVM_OPTS="$JVM_OPTS -XX:HeapDumpPath=$CASSANDRA_HEAPDUMP_DIR/cassandra-`date +%s`-pid$$.hprof"
+    JVM_OPTS="$JVM_OPTS -XX:ErrorFile=$CASSANDRA_HEAPDUMP_DIR/hs_err_pid%p.log"
+fi
+
+# stop the jvm on OutOfMemoryError as it can result in some data corruption
+# uncomment the preferred option
+# ExitOnOutOfMemoryError and CrashOnOutOfMemoryError require a JRE greater or equals to 1.7 update 101 or 1.8 update 92
+# For OnOutOfMemoryError we cannot use the JVM_OPTS variables because bash commands split words
+# on white spaces without taking quotes into account
+# JVM_OPTS="$JVM_OPTS -XX:+ExitOnOutOfMemoryError"
+# JVM_OPTS="$JVM_OPTS -XX:+CrashOnOutOfMemoryError"
+JVM_ON_OUT_OF_MEMORY_ERROR_OPT="-XX:OnOutOfMemoryError=kill -9 %p"
+
+# print an heap histogram on OutOfMemoryError
+# JVM_OPTS="$JVM_OPTS -Dcassandra.printHeapHistogramOnOutOfMemoryError=true"
+
+# jmx: metrics and administration interface
+#
+# add this if you're having trouble connecting:
+# JVM_OPTS="$JVM_OPTS -Djava.rmi.server.hostname=<public name>"
+#
+# see
+# https://blogs.oracle.com/jmxetc/entry/troubleshooting_connection_problems_in_jconsole
+# for more on configuring JMX through firewalls, etc. (Short version:
+# get it working with no firewall first.)
+#
+# Cassandra ships with JMX accessible *only* from localhost.  
+# To enable remote JMX connections, uncomment lines below
+# with authentication and/or ssl enabled. See https://wiki.apache.org/cassandra/JmxSecurity 
+#
+if [ "x$LOCAL_JMX" = "x" ]; then
+    LOCAL_JMX=yes
+fi
+
+# Specifies the default port over which Cassandra will be available for
+# JMX connections.
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+JMX_PORT="7189"
+
+if [ "$LOCAL_JMX" = "yes" ]; then
+  JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.local.port=$JMX_PORT"
+  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
+else
+  JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.port=$JMX_PORT"
+  # if ssl is enabled the same port cannot be used for both jmx and rmi so either
+  # pick another value for this property or comment out to use a random port (though see CASSANDRA-7087 for origins)
+  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT"
+
+  # turn on JMX authentication. See below for further options
+  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
+
+  # jmx ssl options
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
+  #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore"
+  #JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>"
+fi
+
+# jmx authentication and authorization options. By default, auth is only
+# activated for remote connections but they can also be enabled for local only JMX
+## Basic file based authn & authz
+JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
+#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
+## Custom auth settings which can be used as alternatives to JMX's out of the box auth utilities.
+## JAAS login modules can be used for authentication by uncommenting these two properties.
+## Cassandra ships with a LoginModule implementation - org.apache.cassandra.auth.CassandraLoginModule -
+## which delegates to the IAuthenticator configured in cassandra.yaml. See the sample JAAS configuration
+## file cassandra-jaas.config
+#JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.login.config=CassandraLogin"
+#JVM_OPTS="$JVM_OPTS -Djava.security.auth.login.config=$CASSANDRA_CONF/cassandra-jaas.config"
+
+## Cassandra also ships with a helper for delegating JMX authz calls to the configured IAuthorizer,
+## uncomment this to use it. Requires one of the two authentication options to be enabled
+#JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy"
+
+# To use mx4j, an HTML interface for JMX, add mx4j-tools.jar to the lib/
+# directory.
+# See http://cassandra.apache.org/doc/latest/operating/metrics.html#jmx
+# By default mx4j listens on the broadcast_address, port 8081. Uncomment the following lines
+# to control its listen address and port.
+#MX4J_ADDRESS="127.0.0.1"
+#MX4J_PORT="8081"
+
+# Cassandra uses SIGAR to capture OS metrics CASSANDRA-7838
+# for SIGAR we have to set the java.library.path
+# to the location of the native libraries.
+JVM_OPTS="$JVM_OPTS -Djava.library.path=$CASSANDRA_HOME/lib/sigar-bin"
+
+if [ "x$MX4J_ADDRESS" != "x" ]; then
+    if [ "$(echo "$MX4J_ADDRESS" | grep -c "\-Dmx4jaddress")" = "1" ]; then
+        # Backward compatible with the older style #13578
+        JVM_OPTS="$JVM_OPTS $MX4J_ADDRESS"
+    else
+        JVM_OPTS="$JVM_OPTS -Dmx4jaddress=$MX4J_ADDRESS"
+    fi
+fi
+if [ "x$MX4J_PORT" != "x" ]; then
+    if [ "$(echo "$MX4J_PORT" | grep -c "\-Dmx4jport")" = "1" ]; then
+        # Backward compatible with the older style #13578
+        JVM_OPTS="$JVM_OPTS $MX4J_PORT"
+    else
+        JVM_OPTS="$JVM_OPTS -Dmx4jport=$MX4J_PORT"
+    fi
+fi
+
+JVM_OPTS="$JVM_OPTS $JVM_EXTRA_OPTS"
+
+
+JVM_OPTS="$JVM_OPTS -javaagent:/usr/share/java/prometheus/jmx_prometheus_javaagent.jar=10.64.156.18:7800:/etc/cassandra-a/prometheus_jmx_exporter.yaml"

Class[Cumin::Selector]

Parameters differences:

--- Class[Cumin::Selector].orig
+++ Class[Cumin::Selector]

@@
-    cluster => insetup
+    cluster => aqs

File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]

Parameters differences:

--- File[/usr/share/cassandra/lib/logstash-logback-encoder.jar].orig
+++ File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]

+    group   => root
+    require => Scap::Target[cassandra/logstash-logback-encoder]
+    ensure  => link
+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/logstash-logback-encoder-4.2.jar
+    owner   => root

File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]

Parameters differences:

--- File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl].orig
+++ File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]

+    group   => root
+    tag     => ferm
+    require => File[/etc/ferm/conf.d]
+    mode    => 0400
+    ensure  => present
+    notify  => Service[ferm]
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_cassandra-intra-node-ssl.orig
+++ /etc/ferm/conf.d/10_cassandra-intra-node-ssl
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 7001, @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)));
+
+

File[/etc/cassandra-b/logback.xml]

Parameters differences:

--- File[/etc/cassandra-b/logback.xml].orig
+++ File[/etc/cassandra-b/logback.xml]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/logback.xml.orig
+++ /etc/cassandra-b/logback.xml
@@ -0,0 +1,152 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+Note:  This file is managed by Puppet.
+       It was taken from the Cassandra Debian package and templatized
+       here in order to assign configuration.
+-->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+
+<!--
+In order to disable debug.log, comment-out the ASYNCDEBUGLOG
+appender reference in the root level section below.
+-->
+
+<configuration scan="true" scanPeriod="60 seconds">
+  <jmxConfigurator />
+
+  <!-- No shutdown hook; we run it ourselves in StorageService after shutdown -->
+
+  <!-- SYSTEMLOG rolling file appender to system.log (INFO level) -->
+
+  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>INFO</level>
+    </filter>
+    <file>${cassandra.logdir}/system-b.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
+      <fileNamePattern>${cassandra.logdir}/system-b.log.%i.zip</fileNamePattern>
+      <minIndex>1</minIndex>
+      <maxIndex>40</maxIndex>
+    </rollingPolicy>
+
+    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
+      <maxFileSize>50MB</maxFileSize>
+    </triggeringPolicy>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <!-- DEBUGLOG rolling file appender to debug.log (all levels) -->
+
+  <appender name="DEBUGLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${cassandra.logdir}/debug-b.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
+      <fileNamePattern>${cassandra.logdir}/debug-b.log.%i.zip</fileNamePattern>
+      <minIndex>1</minIndex>
+      <maxIndex>40</maxIndex>
+    </rollingPolicy>
+
+    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
+      <maxFileSize>50MB</maxFileSize>
+    </triggeringPolicy>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <appender name="UDP" class="net.logstash.logback.appender.LogstashSocketAppender">
+    <host>localhost</host>
+    <port>11514</port>
+    <customFields>{"program":"cassandra", "cluster":"Analytics Query Service Storage", "instance_name":"b", "HOSTNAME": "aqs1024.eqiad.wmnet"}</customFields>
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>INFO</level>
+    </filter>
+  </appender>
+
+  <!-- ASYNCLOG assynchronous appender to debug.log (all levels) -->
+
+  <appender name="ASYNCDEBUGLOG" class="ch.qos.logback.classic.AsyncAppender">
+    <queueSize>1024</queueSize>
+    <discardingThreshold>0</discardingThreshold>
+    <includeCallerData>true</includeCallerData>
+    <appender-ref ref="DEBUGLOG" />
+  </appender>
+
+  <!-- STDOUT console appender to stdout (INFO level) -->
+
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <!--
+      stdout will be captured by journald, thus show only >= WARN messages
+      in systemctl status
+    -->
+    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+      <level>WARN</level>
+    </filter>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender>
+
+  <!-- Uncomment below configuration (Audit Logging (FileAuditLogger) rolling file appender and Audit Logging
+  additivity) in order to have the log events flow through separate log file instead of system.log.
+  Audit Logging (FileAuditLogger) rolling file appender to audit.log -->
+  <!-- <appender name="AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${cassandra.logdir}/audit/audit.log</file>
+    <rollingPolicy class="ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy"> -->
+      <!-- rollover daily -->
+      <!-- <fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern> -->
+      <!-- each file should be at most 50MB, keep 30 days worth of history, but at most 5GB -->
+      <!-- <maxFileSize>50MB</maxFileSize>
+      <maxHistory>30</maxHistory>
+      <totalSizeCap>5GB</totalSizeCap>
+    </rollingPolicy>
+    <encoder>
+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>
+    </encoder>
+  </appender> -->
+
+  <!-- Audit Logging additivity to redirect audit logging events to audit/audit.log -->
+  <!-- <logger name="org.apache.cassandra.audit" additivity="false" level="INFO">
+    <appender-ref ref="AUDIT"/>
+  </logger> -->
+
+  <!-- Uncomment bellow and corresponding appender-ref to activate logback metrics
+  <appender name="LogbackMetrics" class="com.codahale.metrics.logback.InstrumentedAppender" />
+   -->
+
+  <root level="INFO">
+    <appender-ref ref="SYSTEMLOG" />
+    <appender-ref ref="STDOUT" />
+    <appender-ref ref="UDP" />
+    <appender-ref ref="ASYNCDEBUGLOG" /> <!-- Comment this line to disable debug.log -->
+    <!--
+    <appender-ref ref="LogbackMetrics" />
+    -->
+  </root>
+
+  <logger name="org.apache.cassandra.utils.StatusLogger" additivity="false">
+    <appender-ref ref="SYSTEMLOG" />
+    <appender-ref ref="STDOUT"/>
+  </logger>
+
+  <logger name="org.apache.cassandra" level="DEBUG"/>
+</configuration>

File[/etc/cassandra-a/cassandra-rackdc.properties]

Parameters differences:

--- File[/etc/cassandra-a/cassandra-rackdc.properties].orig
+++ File[/etc/cassandra-a/cassandra-rackdc.properties]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/cassandra-rackdc.properties.orig
+++ /etc/cassandra-a/cassandra-rackdc.properties
@@ -0,0 +1,6 @@
+# Note: This file is managed by Puppet.
+
+# These properties are used with GossipingPropertyFileSnitch and will
+# indicate the rack and dc for this node
+dc=eqiad
+rack=rack2

File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]

Parameters differences:

--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem].orig
+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]

+    group  => cassandra
+    mode   => 0440
+    ensure => file
+    owner  => cassandra

File[/usr/local/bin/nodetool-a]

Parameters differences:

--- File[/usr/local/bin/nodetool-a].orig
+++ File[/usr/local/bin/nodetool-a]

+    group   => root
+    require => File[/usr/local/bin/nodetool-instance]
+    ensure  => link
+    target  => /usr/local/bin/nodetool-instance
+    owner   => root

Exec[install-/srv/storage-0/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-0/cassandra-b/data].orig
+++ Exec[install-/srv/storage-0/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-0/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-0/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

File[/lib/systemd/system/cassandra-a.service]

Parameters differences:

--- File[/lib/systemd/system/cassandra-a.service].orig
+++ File[/lib/systemd/system/cassandra-a.service]

+    group  => root
+    mode   => 0444
+    ensure => present
+    notify => Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]
+    owner  => root

Content differences:

--- /lib/systemd/system/cassandra-a.service.orig
+++ /lib/systemd/system/cassandra-a.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=distributed storage system for structured data
+After=network.target
+# On bootstrap / provisioning, don't attempt to start all instances,
+# wait instead for the guard file to exist, see also T214166
+ConditionPathExists=/etc/cassandra-a/service-enabled
+
+[Service]
+User=cassandra
+PIDFile=/var/run/cassandra/cassandra-a.pid
+LimitNOFILE=100000
+LimitMEMLOCK=infinity
+Environment="CASSANDRA_INCLUDE=/etc/cassandra.in.sh"
+Environment="CASSANDRA_CONF=/etc/cassandra-a"
+Environment="CASSANDRA_INSTANCE=aqs1024-a"
+Environment="CASSANDRA_LOG_DIR=/var/log/cassandra"
+ExecStart=/usr/sbin/cassandra -p /var/run/cassandra/cassandra-a.pid
+
+# Deinit on shutdown (see: https://phabricator.wikimedia.org/T327954)
+ExecStop=-/usr/local/bin/nodetool-a disablethrift
+ExecStop=-/usr/local/bin/nodetool-a disablebinary
+ExecStop=-/usr/local/bin/nodetool-a disablegossip
+ExecStop=-/usr/local/bin/nodetool-a drain
+ExecStop=/usr/local/bin/nodetool-a stopdaemon

File[/etc/cassandra-b/jvm11-server.options]

Parameters differences:

--- File[/etc/cassandra-b/jvm11-server.options].orig
+++ File[/etc/cassandra-b/jvm11-server.options]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/jvm11-server.options.orig
+++ /etc/cassandra-b/jvm11-server.options
@@ -0,0 +1,112 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to assign configuration.
+
+###########################################################################
+#                         jvm11-server.options                            #
+#                                                                         #
+# See jvm-server.options. This file is specific for Java 11 and newer.    #
+###########################################################################
+
+#################
+#  GC SETTINGS  #
+#################
+
+
+
+### CMS Settings
+# -XX:+UseConcMarkSweepGC
+# -XX:+CMSParallelRemarkEnabled
+# -XX:SurvivorRatio=8
+# -XX:MaxTenuringThreshold=1
+# -XX:CMSInitiatingOccupancyFraction=75
+# -XX:+UseCMSInitiatingOccupancyOnly
+# -XX:CMSWaitDuration=10000
+# -XX:+CMSParallelInitialMarkEnabled
+# -XX:+CMSEdenChunksRecordAlways
+## some JVMs will fill up their heap when accessed via JMX, see CASSANDRA-6541
+# -XX:+CMSClassUnloadingEnabled
+
+
+
+### G1 Settings
+## Use the Hotspot garbage-first collector.
+-XX:+UseG1GC
+#-XX:+ParallelRefProcEnabled
+#-XX:MaxTenuringThreshold=1
+-XX:G1HeapRegionSize=8m
+
+#
+## Have the JVM do less remembered set work during STW, instead
+## preferring concurrent GC. Reduces p99.9 latency.
+-XX:G1RSetUpdatingPauseTimePercent=5
+#
+## Main G1GC tunable: lowering the pause target will lower throughput and vise versa.
+## 200ms is the JVM default and lowest viable setting
+## 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.
+#-XX:MaxGCPauseMillis=300
+
+## Optional G1 Settings
+# Save CPU time on large (>= 16GB) heaps by delaying region scanning
+# until the heap is 70% full. The default in Hotspot 8u40 is 40%.
+#-XX:InitiatingHeapOccupancyPercent=70
+
+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.
+# Otherwise equal to the number of cores when 8 or less.
+# Machines with > 10 cores should try setting these to <= full cores.
+#-XX:ParallelGCThreads=16
+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.
+# Setting both to the same value can reduce STW durations.
+#-XX:ConcGCThreads=16
+
+
+### JPMS
+
+-Djdk.attach.allowAttachSelf=true
+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED
+--add-exports java.base/jdk.internal.ref=ALL-UNNAMED
+--add-exports java.base/sun.nio.ch=ALL-UNNAMED
+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED
+--add-exports java.sql/java.sql=ALL-UNNAMED
+
+--add-opens java.base/java.lang.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED
+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED
+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED
+--add-opens java.base/jdk.internal.math=ALL-UNNAMED
+--add-opens java.base/jdk.internal.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED
+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED
+
+
+### GC logging options -- uncomment to enable
+
+# Java 11 (and newer) GC logging options:
+# See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax
+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M
+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-b.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+# Notes for Java 8 migration:
+#
+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after "gc"
+# -XX:+PrintGCDateStamps                maps to decorator 'time'
+#
+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'
+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'
+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'
+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'
+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'
+
+### Netty Options
+
+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable
+# creation of direct buffers using Unsafe. Without it, this falls back to ByteBuffer.allocateDirect which has
+# inferior performance and risks exceeding MaxDirectMemory
+-Dio.netty.tryReflectionSetAccessible=true
+
+# The newline in the end of file is intentional

Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]

Parameters differences:

--- Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia].orig
+++ Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]

+    command     => /usr/bin/apt-get update 
+    refreshonly => True

Class[Cassandra]

Parameters differences:

--- Class[Cassandra].orig
+++ Class[Cassandra]

+    additional_jvm_opts     => []
+    java_package            => openjdk-11-jdk
+    native_transport_port   => 9042
+    tls_cluster_name        => aqs
+    auto_apply_grants       => False
+    default_instance_params => {'max_heap_size': '16g', 'heap_newsize': '2048m', 'compaction_throughput_mb_per_sec': 256, 'concurrent_compactors': 12, 'concurrent_writes': 64, 'concurrent_reads': 64, 'permissions_validity_in_ms': 600000, 'internode_encryption': 'all', 'client_encryption_enabled': True, 'client_encryption_optional': True}
+    users                   => ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']
+    tls_use_pki             => True
+    jbod_devices            => []
+    rack                    => rack2
+    super_password          => nosuchpass
+    cluster_name            => Analytics Query Service Storage
+    instances               => {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}
+    listen_address          => 10.64.156.17
+    tls_use_pki_keep_old_ca => False
+    dc                      => eqiad
+    logstash_port           => 11514
+    tls_keystore_password   => test
+    extra_classpath         => []
+    target_version          => 4.x
+    seeds                   => ['aqs1010-a.eqiad.wmnet', 'aqs1010-b.eqiad.wmnet', 'aqs1011-a.eqiad.wmnet', 'aqs1011-b.eqiad.wmnet', 'aqs1012-a.eqiad.wmnet', 'aqs1012-b.eqiad.wmnet', 'aqs1014-a.eqiad.wmnet', 'aqs1014-b.eqiad.wmnet', 'aqs1015-a.eqiad.wmnet', 'aqs1015-b.eqiad.wmnet', 'aqs1016-a.eqiad.wmnet', 'aqs1016-b.eqiad.wmnet', 'aqs1017-a.eqiad.wmnet', 'aqs1017-b.eqiad.wmnet', 'aqs1018-a.eqiad.wmnet', 'aqs1018-b.eqiad.wmnet', 'aqs1019-a.eqiad.wmnet', 'aqs1019-b.eqiad.wmnet', 'aqs1020-a.eqiad.wmnet', 'aqs1020-b.eqiad.wmnet', 'aqs1021-a.eqiad.wmnet', 'aqs1021-b.eqiad.wmnet', 'aqs1022-a.eqiad.wmnet', 'aqs1022-b.eqiad.wmnet', 'aqs1023-a.eqiad.wmnet', 'aqs1023-b.eqiad.wmnet', 'aqs1024-a.eqiad.wmnet', 'aqs1024-b.eqiad.wmnet', 'aqs2001-a.codfw.wmnet', 'aqs2001-b.codfw.wmnet', 'aqs2002-a.codfw.wmnet', 'aqs2002-b.codfw.wmnet', 'aqs2003-a.codfw.wmnet', 'aqs2003-b.codfw.wmnet', 'aqs2004-a.codfw.wmnet', 'aqs2004-b.codfw.wmnet', 'aqs2005-a.codfw.wmnet', 'aqs2005-b.codfw.wmnet', 'aqs2006-a.codfw.wmnet', 'aqs2006-b.codfw.wmnet', 'aqs2007-a.codfw.wmnet', 'aqs2007-b.codfw.wmnet', 'aqs2008-a.codfw.wmnet', 'aqs2008-b.codfw.wmnet', 'aqs2009-a.codfw.wmnet', 'aqs2009-b.codfw.wmnet', 'aqs2010-a.codfw.wmnet', 'aqs2010-b.codfw.wmnet', 'aqs2011-a.codfw.wmnet', 'aqs2011-b.codfw.wmnet', 'aqs2012-a.codfw.wmnet', 'aqs2012-b.codfw.wmnet']
+    cassandra_passwords     => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}
+    super_username          => cassandra
+    tls_use_pki_truststore  => True
+    memory_allocator        => JEMallocAllocator
+    logstash_host           => localhost
+    start_rpc               => False

Systemd::Sysuser[scap]

Parameters differences:

--- Systemd::Sysuser[scap].orig
+++ Systemd::Sysuser[scap]

+    shell             => /bin/bash
+    additional_groups => []
+    require           => File[/var/lib/scap]
+    allow_login       => False
+    description       => used to install the scap deployment tool
+    home_dir          => /var/lib/scap
+    ensure            => present
+    id                => 919:919
+    usertype          => user
+    username          => scap

Package[cassandra-tools]

Parameters differences:

--- Package[cassandra-tools].orig
+++ Package[cassandra-tools]

+    ensure   => 4.1.11
+    provider => apt
+    require  => Package[cassandra]

Monitoring::Service[cassandra-a-ssl]

Parameters differences:

--- Monitoring::Service[cassandra-a-ssl].orig
+++ Monitoring::Service[cassandra-a-ssl]

+    critical       => False
+    notes_url      => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates
+    check_command  => check_ssl_on_host_port!aqs1024-a!10.64.156.18!7000
+    host           => aqs1024
+    retry_interval => 1
+    config_dir     => /etc/nagios
+    description    => cassandra-a SSL 10.64.156.18:7000
+    check_interval => 1
+    migration_task => T407117
+    ensure         => absent
+    freshness      => 36000
+    retries        => 3
+    contact_group  => admins,team-services
+    passive        => False

Motd::Message[aqs]

Parameters differences:

--- Motd::Message[aqs].orig
+++ Motd::Message[aqs]

+    priority => 5
+    ensure   => present
+    message  => aqs1024 is a Analytics Query Service - Cassandra instance (aqs)

Exec[install-/srv/storage-6/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-6/cassandra-a/data].orig
+++ Exec[install-/srv/storage-6/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-6/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-6/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

Monitoring::Service[cassandra-b-ssl]

Parameters differences:

--- Monitoring::Service[cassandra-b-ssl].orig
+++ Monitoring::Service[cassandra-b-ssl]

+    critical       => False
+    notes_url      => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates
+    check_command  => check_ssl_on_host_port!aqs1024-b!10.64.156.21!7000
+    host           => aqs1024
+    retry_interval => 1
+    config_dir     => /etc/nagios
+    description    => cassandra-b SSL 10.64.156.21:7000
+    check_interval => 1
+    migration_task => T407117
+    ensure         => absent
+    freshness      => 36000
+    retries        => 3
+    contact_group  => admins,team-services
+    passive        => False

Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]

Parameters differences:

--- Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet].orig
+++ Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]

+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem 2>&1)"

+    require     => Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']

File[/etc/scap.cfg]

Parameters differences:

--- File[/etc/scap.cfg].orig
+++ File[/etc/scap.cfg]

+    group => root
+    mode  => 0444
+    owner => root

Content differences:

--- /etc/scap.cfg.orig
+++ /etc/scap.cfg
@@ -0,0 +1,152 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+### modules/scap/templates/scap.cfg.erb
+#####################################################################
+
+# Configuration for scap and related scripts
+#
+# Values are selected based on the fully qualified domain name of the local
+# host from the most specific to the least specific. As an example, on the
+# host deploy1003.eqiad.wmnet lookups cascade in this order:
+#
+#   [deploy1003.eqiad.wmnet] > [eqiad.wmnet] > [wmnet] > [global]
+#
+# Additional configuration can be given on the command line for most
+# applications by specifying a separate configuration file and/or using `-D`
+# defines. When an alternate configuration file is specified, values from this
+# file are ignored. `-D` definitions always take precedence over
+# other configuration.
+
+[global]
+
+# deployment git server hostname
+git_server: deploy1003.eqiad.wmnet
+
+statsd_port: 8125
+
+# Deployment realm
+wmf_realm: production
+
+# Deployment datacenter
+datacenter: eqiad
+
+# Ssh agent to use to connect to cluster servers
+ssh_auth_sock: /run/keyholder/proxy.sock
+# User to perform ssh commands as
+ssh_user: mwdeploy
+
+# PID file for Apache service
+apache_pid_file: /var/run/apache2/apache2.pid
+
+# Local interface that indicates that pybal is in use
+pybal_interface: lo:LVS
+
+# DSH group naming hosts to use as scap masters
+dsh_masters: scap-masters
+# DSH group naming hosts to use as scap proxies
+dsh_proxies: scap-proxies
+# DSH group naming hosts to use as scap targets
+dsh_targets: mediawiki-installation
+# DSH group naming hosts to use as mediawiki api canaries
+dsh_api_canaries: mediawiki-api-canaries
+# DSH group naming hosts to use as mediawiki app canaries
+dsh_app_canaries: mediawiki-appserver-canaries
+
+logstash_host: logstash1023.eqiad.wmnet:9200
+canary_service: mwdeploy
+
+use_syslog: True
+
+# The Gerrit user to use when pushing commits to gerrit (used by scap
+# deploy-promote)
+gerrit_push_user: trainbranchbot
+
+# The user to sudo as when running scap subcommands that require access to
+# docker (e.g. scap mwscript and scap mwshell).
+docker_user: mwbuilder
+
+# Settings for mediawiki container image building (T297673)
+release_repo_dir: /srv/mwbuilder/release
+release_repo_update_cmd: sudo -u mwbuilder /usr/local/bin/update-mediawiki-tools-release
+release_repo_build_and_push_images_cmd: sudo -u mwbuilder /srv/mwbuilder/release/make-container-image/build-images.py
+
+
+block_deployments: false
+
+# T359643
+manage_mediawiki_php_symlink: False
+
+# T361724: Make scap require screen/tmux for certain subcommands
+require_terminal_multiplexer: False
+
+[eqiad.wmnet]
+# Wikimedia Foundation production eqiad datacenter
+datacenter: eqiad
+
+[codfw.wmnet]
+# Wikimedia Foundation production codfw datacenter
+datacenter: codfw
+master_rsync: deployment.codfw.wmnet
+
+[wmnet]
+# Wikimedia Foundation production cluster configuration
+master_rsync: deploy1003.eqiad.wmnet
+statsd_host: statsd.eqiad.wmnet
+tcpircbot_host: icinga.wikimedia.org
+web_proxy: http://webproxy:8080
+php_fpm_restart_script: /usr/local/sbin/restart-php-fpm-all
+
+canary_dashboard_url: https://logstash.wikimedia.org
+#php7-admin-port: 9181
+mw_web_clusters: testserver
+# These keys contain check commands executed against the bare-metal and k8s
+# deployments of mediawiki following the testservers-stage update. Each may
+# contain multiple independent check (sub)commands separated by newlines, all
+# of which will execute concurrently.
+testservers_check_cmd_baremetal: httpbb /srv/deployment/httpbb-tests/appserver/* --hosts=$BAREMETAL_TESTSERVERS --retry_on_timeout
+testservers_check_cmd_k8s: httpbb /srv/deployment/httpbb-tests/appserver/* --hosts=mwdebug.discovery.wmnet --https_port=4444 --retry_on_timeout
+                           httpbb /srv/deployment/httpbb-tests/appserver/* --hosts=mwdebug-next.discovery.wmnet --https_port=4453 --retry_on_timeout
+
+beta_only_config_files: wmf-config/CirrusSearch-labs.php
+                        wmf-config/CommonSettings-labs.php
+                        wmf-config/InitialiseSettings-labs.php
+                        wmf-config/LabsServices.php
+                        wmf-config/db-labs.php
+                        wmf-config/interwiki-labs.php
+                        wmf-config/mc-labs.php
+                        wmf-config/reverse-proxy-labs.php
+                        wikiversions-labs.json
+                        langlist-labs
+
+# Settings for mediawiki container image building (T297673)
+build_mw_container_image: True
+deploy_mw_container_image: True
+
+# SpiderPig settings
+spiderpig_auth_server: https://idp.wikimedia.org
+spiderpig_user_groups: cn=spiderpig-access,ou=groups,dc=wikimedia,dc=org
+spiderpig_admin_groups: cn=releng,ou=groups,dc=wikimedia,dc=org
+                        cn=ops,ou=groups,dc=wikimedia,dc=org
+
+[eqiad1.wikimedia.cloud]
+# Wikimedia Foundation beta eqiad datacenter
+datacenter: eqiad
+git_server: deployment-deploy04.deployment-prep.eqiad1.wikimedia.cloud
+master_rsync: deployment-deploy04.deployment-prep.eqiad1.wikimedia.cloud
+logstash_host: logs-api.svc.logging.eqiad1.wikimedia.cloud:9200
+udp2log_host: deployment-mwlog02.deployment-prep.eqiad1.wikimedia.cloud
+canary_dashboard_url: https://beta-logs.wmcloud.org
+# T99740: LCStoreStaticArray
+php_l10n: true
+wmf_realm: labs
+delay_messageblobstore_purge: true
+php_fpm_restart_script: /usr/local/sbin/restart-php-fpm-all
+mw_web_clusters: appserver,api_appserver,testserver
+require_security_patches: False
+
+[wikimedia.org]
+# Wikimedia Foundation production cluster configuration for "public" hosts
+# This should match the [wmnet] configuration
+master_rsync: deploy1003.eqiad.wmnet
+statsd_host: statsd.eqiad.wmnet
+tcpircbot_host: icinga.wikimedia.org

Cassandra::Instance::Monitoring[a]

Parameters differences:

--- Cassandra::Instance::Monitoring[a].orig
+++ Cassandra::Instance::Monitoring[a]

+    tls_cluster_name => aqs
+    tls_port         => 7000
+    tls_use_pki      => True
+    cql_port         => 9042
+    monitor_enabled  => True
+    contact_group    => admins,team-services
+    instances        => {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}

Exec[install-/srv/cassandra/cassandra-b/system]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-b/system].orig
+++ Exec[install-/srv/cassandra/cassandra-b/system]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/system
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-b/system
+    before  => Systemd::Service[cassandra-b]

File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]

Parameters differences:

--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem].orig
+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]

+    group  => cassandra
+    mode   => 0440
+    ensure => file
+    owner  => cassandra

Exec[install-/srv/storage-0/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-0/cassandra-a/data].orig
+++ Exec[install-/srv/storage-0/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-0/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-0/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

File[/etc/sysusers.d/scap.conf]

Parameters differences:

--- File[/etc/sysusers.d/scap.conf].orig
+++ File[/etc/sysusers.d/scap.conf]

+    group   => root
+    require => File[/etc/sysusers.d]
+    mode    => 0444
+    ensure  => file
+    notify  => ['Exec[Refresh sysusers]']
+    owner   => root

Content differences:

--- /etc/sysusers.d/scap.conf.orig
+++ /etc/sysusers.d/scap.conf
@@ -0,0 +1 @@
+u	scap	919:919	"used to install the scap deployment tool"	/var/lib/scap	/bin/bash

File[/etc/cassandra-b/jvm-server.options]

Parameters differences:

--- File[/etc/cassandra-b/jvm-server.options].orig
+++ File[/etc/cassandra-b/jvm-server.options]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/jvm-server.options.orig
+++ /etc/cassandra-b/jvm-server.options
@@ -0,0 +1,220 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to assign configuration.
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+###########################################################################
+#                         jvm-server.options                              #
+#                                                                         #
+# - all flags defined here will be used by cassandra to startup the JVM   #
+# - one flag should be specified per line                                 #
+# - lines that do not start with '-' will be ignored                      #
+# - only static flags are accepted (no variables or parameters)           #
+# - dynamic flags will be appended to these on cassandra-env              #
+#                                                                         #
+# See jvm8-server.options and jvm11-server.options for Java version       #
+# specific options.                                                       #
+###########################################################################
+
+######################
+# STARTUP PARAMETERS #
+######################
+
+# Uncomment any of the following properties to enable specific startup parameters
+
+# In a multi-instance deployment, multiple Cassandra instances will independently assume that all
+# CPU processors are available to it. This setting allows you to specify a smaller set of processors
+# and perhaps have affinity.
+#-Dcassandra.available_processors=number_of_processors
+
+# The directory location of the cassandra.yaml file.
+#-Dcassandra.config=directory
+
+# Sets the initial partitioner token for a node the first time the node is started.
+#-Dcassandra.initial_token=token
+
+# Set to false to start Cassandra on a node but not have the node join the cluster.
+#-Dcassandra.join_ring=true|false
+
+# Set to false to clear all gossip state for the node on restart. Use when you have changed node
+# information in cassandra.yaml (such as listen_address).
+#-Dcassandra.load_ring_state=true|false
+
+# Enable pluggable metrics reporter. See Pluggable metrics reporting in Cassandra 2.0.2.
+#-Dcassandra.metricsReporterConfigFile=file
+
+# Set the port on which the CQL native transport listens for clients. (Default: 9042)
+#-Dcassandra.native_transport_port=port
+
+# Overrides the partitioner. (Default: org.apache.cassandra.dht.Murmur3Partitioner)
+#-Dcassandra.partitioner=partitioner
+
+# To replace a node that has died, restart a new node in its place specifying the address of the
+# dead node. The new node must not have any data in its data directory, that is, it must be in the
+# same state as before bootstrapping.
+#-Dcassandra.replace_address=listen_address or broadcast_address of dead node
+
+# Allow restoring specific tables from an archived commit log.
+#-Dcassandra.replayList=table
+
+# Allows overriding of the default RING_DELAY (30000ms), which is the amount of time a node waits
+# before joining the ring.
+#-Dcassandra.ring_delay_ms=ms
+
+# Allows overriding the timeout after which an unresponsive bootstrapping node is considered failed
+# and is removed from gossip state and bootstrapTokens. (Default: cassandra.ring_delay * 2)
+#-Dcassandra.failed_bootstrap_timeout_ms=ms
+
+# Set the SSL port for encrypted communication. (Default: 7001)
+#-Dcassandra.ssl_storage_port=port
+
+# Set the port for inter-node communication. (Default: 7000)
+#-Dcassandra.storage_port=port
+
+# Set the default location for the trigger JARs. (Default: conf/triggers)
+#-Dcassandra.triggers_dir=directory
+
+# For testing new compaction and compression strategies. It allows you to experiment with different
+# strategies and benchmark write performance differences without affecting the production workload. 
+#-Dcassandra.write_survey=true
+
+# To disable configuration via JMX of auth caches (such as those for credentials, permissions and
+# roles). This will mean those config options can only be set (persistently) in cassandra.yaml
+# and will require a restart for new values to take effect.
+#-Dcassandra.disable_auth_caches_remote_configuration=true
+
+# To disable dynamic calculation of the page size used when indexing an entire partition (during
+# initial index build/rebuild). If set to true, the page size will be fixed to the default of
+# 10000 rows per page.
+#-Dcassandra.force_default_indexing_page_size=true
+
+# Imposes an upper bound on hint lifetime below the normal min gc_grace_seconds
+#-Dcassandra.maxHintTTL=max_hint_ttl_in_seconds
+
+########################
+# GENERAL JVM SETTINGS #
+########################
+
+# enable assertions. highly suggested for correct application functionality.
+-ea
+
+# disable assertions for net.openhft.** because it runs out of memory by design
+# if enabled and run for more than just brief testing
+-da:net.openhft...
+
+# enable thread priorities, primarily so we can give periodic tasks
+# a lower priority to avoid interfering with client workload
+-XX:+UseThreadPriorities
+
+# Enable heap-dump if there's an OOM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# Per-thread stack size.
+-Xss256k
+
+# Make sure all memory is faulted and zeroed on startup.
+# This helps prevent soft faults in containers and makes
+# transparent hugepage allocation more effective.
+-XX:+AlwaysPreTouch
+
+# Disable biased locking as it does not benefit Cassandra.
+-XX:-UseBiasedLocking
+
+# Enable thread-local allocation blocks and allow the JVM to automatically
+# resize them at runtime.
+-XX:+UseTLAB
+-XX:+ResizeTLAB
+-XX:+UseNUMA
+
+# http://www.evanjones.ca/jvm-mmap-pause.html
+-XX:+PerfDisableSharedMem
+
+# Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). See
+# http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:
+# comment out this entry to enable IPv6 support).
+-Djava.net.preferIPv4Stack=true
+
+### Debug options
+
+# uncomment to enable flight recorder
+#-XX:+UnlockCommercialFeatures
+#-XX:+FlightRecorder
+
+# uncomment to have Cassandra JVM listen for remote debuggers/profilers on port 1414
+#-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1414
+
+# uncomment to have Cassandra JVM log internal method compilation (developers only)
+#-XX:+UnlockDiagnosticVMOptions
+#-XX:+LogCompilation
+
+#################
+# HEAP SETTINGS #
+#################
+
+# Heap size is automatically calculated by cassandra-env based on this
+# formula: max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
+# That is:
+# - calculate 1/2 ram and cap to 1024MB
+# - calculate 1/4 ram and cap to 8192MB
+# - pick the max
+#
+# For production use you may wish to adjust this for your environment.
+# If that's the case, uncomment the -Xmx and Xms options below to override the
+# automatic calculation of JVM heap memory.
+#
+# It is recommended to set min (-Xms) and max (-Xmx) heap sizes to
+# the same value to avoid stop-the-world GC pauses during resize, and
+# so that we can lock the heap in memory on startup to prevent any
+# of it from being swapped out.
+-Xms16g
+-Xmx16g
+
+# Young generation size is automatically calculated by cassandra-env
+# based on this formula: min(100 * num_cores, 1/4 * heap size)
+#
+# The main trade-off for the young generation is that the larger it
+# is, the longer GC pause times will be. The shorter it is, the more
+# expensive GC will be (usually).
+#
+# It is not recommended to set the young generation size if using the
+# G1 GC, since that will override the target pause-time goal.
+# More info: http://www.oracle.com/technetwork/articles/java/g1gc-1984535.html
+#
+# The example below assumes a modern 8-core+ machine for decent
+# times. If in doubt, and if you do not particularly want to tweak, go
+# 100 MB per physical CPU core.
+#-Xmn800M
+
+###################################
+# EXPIRATION DATE OVERFLOW POLICY #
+###################################
+
+# Defines how to handle INSERT requests with TTL exceeding the maximum supported expiration date:
+# * REJECT: this is the default policy and will reject any requests with expiration date timestamp after 2038-01-19T03:14:06+00:00.
+# * CAP: any insert with TTL expiring after 2038-01-19T03:14:06+00:00 will expire on 2038-01-19T03:14:06+00:00 and the client will receive a warning.
+# * CAP_NOWARN: same as previous, except that the client warning will not be emitted.
+#
+#-Dcassandra.expiration_date_overflow_policy=REJECT
+
+###################################
+# WMF-specific customizations     #
+###################################
+-Dcassandra.instance-id=aqs1024-b

Exec[install-/srv/cassandra/cassandra-b/hints]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-b/hints].orig
+++ Exec[install-/srv/cassandra/cassandra-b/hints]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/hints
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-b/hints
+    before  => Systemd::Service[cassandra-b]

Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]

Parameters differences:

--- Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet].orig
+++ Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]

+    group           => cassandra
+    hosts           => ['cassandra', 'aqs1024.eqiad.wmnet']
+    notify          => Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]
+    provide_chain   => True
+    owner           => cassandra
+    renew_seconds   => 952200
+    names           => []
+    mode            => 0400
+    ensure          => present
+    key             => {'algo': 'ecdsa', 'size': 256}
+    common_name     => aqs1024-b.eqiad.wmnet
+    before_services => []
+    outdir          => /etc/cassandra-b/tls
+    label           => cassandra
+    auto_renew      => True
+    notify_services => []
+    environment     => ['GODEBUG=x509ignoreCN=0']

Sysctl::Conffile[cassandra]

Parameters differences:

--- Sysctl::Conffile[cassandra].orig
+++ Sysctl::Conffile[cassandra]

+    priority => 5
+    ensure   => present

Exec[install-/srv/storage-5/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-5/cassandra-b/data].orig
+++ Exec[install-/srv/storage-5/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-5/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-5/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

File[/etc/cassandra-a/user_device_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_device_analytics.cql].orig
+++ File[/etc/cassandra-a/user_device_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_device_analytics.cql.orig
+++ /etc/cassandra-a/user_device_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS device_analytics WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_unique_devices".data TO 'device_analytics';

Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]

Parameters differences:

--- Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh].orig
+++ Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]

+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet

+    subscribe   => File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']

File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr].orig
+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]

+    group  => cassandra
+    mode   => 0440
+    ensure => file
+    owner  => cassandra

Class[Profile::Rsyslog::Udp_json_logback_compat]

Parameters differences:

--- Class[Profile::Rsyslog::Udp_json_logback_compat].orig
+++ Class[Profile::Rsyslog::Udp_json_logback_compat]

+    queue_enabled_sites   => ['ulsfo', 'esams', 'eqsin', 'eqiad', 'codfw', 'drmrs', 'magru']
+    logging_kafka_brokers => ['kafka-logging1001.eqiad.wmnet:9093', 'kafka-logging1002.eqiad.wmnet:9093', 'kafka-logging1003.eqiad.wmnet:9093', 'kafka-logging1004.eqiad.wmnet:9093', 'kafka-logging1005.eqiad.wmnet:9093']
+    port                  => 11514

Class[Java]

Parameters differences:

--- Class[Java].orig
+++ Class[Java]

+    before        => ['Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]']
+    egd_source    => /dev/random
+    enable_dbg    => False
+    require       => Package[wmf-certificates]
+    hardened_tls  => False
+    java_packages => [{'version': '11', 'variant': 'jdk'}]

Monitoring::Service[cassandra-b-cql]

Parameters differences:

--- Monitoring::Service[cassandra-b-cql].orig
+++ Monitoring::Service[cassandra-b-cql]

+    critical       => False
+    notes_url      => https://phabricator.wikimedia.org/T93886
+    check_command  => check_tcp_ip!10.64.156.21!9042
+    host           => aqs1024
+    retry_interval => 1
+    config_dir     => /etc/nagios
+    description    => cassandra-b CQL 10.64.156.21:9042
+    check_interval => 1
+    migration_task => T407117
+    ensure         => absent
+    freshness      => 36000
+    retries        => 3
+    contact_group  => admins,team-services
+    passive        => False

File[/etc/cassandra-b/user_edit_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_edit_analytics.cql].orig
+++ File[/etc/cassandra-b/user_edit_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_edit_analytics.cql.orig
+++ /etc/cassandra-b/user_edit_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE USER IF NOT EXISTS edit_analytics WITH PASSWORD 'blahblahblahblah';
+
+GRANT SELECT ON aqs.config TO 'edit_analytics';

Exec[install-/srv/cassandra/cassandra-a/commitlog]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-a/commitlog].orig
+++ Exec[install-/srv/cassandra/cassandra-a/commitlog]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/commitlog
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-a/commitlog
+    before  => Systemd::Service[cassandra-a]

Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql].orig
+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql]

+    notes_url              => https://phabricator.wikimedia.org/T93886
+    host_name              => aqs1024
+    active_checks_enabled  => 1
+    check_interval         => 1
+    check_freshness        => 0
+    notifications_enabled  => 1
+    ensure                 => absent
+    notification_interval  => 0
+    max_check_attempts     => 3
+    contact_groups         => admins,team-services
+    check_period           => 24x7
+    service_description    => cassandra-a CQL 10.64.156.18:9042
+    passive_checks_enabled => 1
+    check_command          => check_tcp_ip!10.64.156.18!9042
+    notification_options   => c,r,f
+    retry_interval         => 1
+    servicegroups          => aqs_eqiad
+    notification_period    => 24x7
+    is_volatile            => 0

Class[Profile::Contacts]

Parameters differences:

--- Class[Profile::Contacts].orig
+++ Class[Profile::Contacts]

@@
-    cluster => insetup
+    cluster => aqs

Exec[bootstrap-scap-target]

Parameters differences:

--- Exec[bootstrap-scap-target].orig
+++ Exec[bootstrap-scap-target]

+    command => /usr/local/bin/bootstrap-scap-target.sh deploy1003.eqiad.wmnet /var/lib/scap
+    user    => scap
+    creates => /var/lib/scap/scap/bin/scap
+    require => File[/usr/local/bin/bootstrap-scap-target.sh]

Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]

Parameters differences:

--- Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b].orig
+++ Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]

+    group       => cassandra
+    public_key  => /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem
+    outfile     => /etc/cassandra-b/tls/server.key
+    ensure      => present
+    password    => test
+    private_key => /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem
+    owner       => cassandra

Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]

Parameters differences:

--- Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)].orig
+++ Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]

+    command     => /bin/systemctl daemon-reload
+    before      => ['Service[cassandra-a]']
+    refreshonly => True

File[/usr/bin/scap]

Parameters differences:

--- File[/usr/bin/scap].orig
+++ File[/usr/bin/scap]

+    group   => root
+    require => Exec[bootstrap-scap-target]
+    mode    => 0755
+    ensure  => link
+    target  => /var/lib/scap/scap/bin/scap
+    owner   => root

Exec[install-/srv/storage-1/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-1/cassandra-b/data].orig
+++ Exec[install-/srv/storage-1/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-1/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-1/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

File[/etc/cassandra-instances.d/aqs1024-b.yaml]

Parameters differences:

--- File[/etc/cassandra-instances.d/aqs1024-b.yaml].orig
+++ File[/etc/cassandra-instances.d/aqs1024-b.yaml]

+    group => cassandra
+    mode  => 0444
+    owner => cassandra

Content differences:

--- /etc/cassandra-instances.d/aqs1024-b.yaml.orig
+++ /etc/cassandra-instances.d/aqs1024-b.yaml
@@ -0,0 +1,13 @@
+name: b
+jmx_port: 7190
+listen_address: 10.64.156.21
+service_name: cassandra-b
+config_directory: /etc/cassandra-b
+data_file_directories: [/srv/storage-0/cassandra-b/data,/srv/storage-1/cassandra-b/data,/srv/storage-2/cassandra-b/data,/srv/storage-3/cassandra-b/data,/srv/storage-4/cassandra-b/data,/srv/storage-5/cassandra-b/data,/srv/storage-6/cassandra-b/data,/srv/storage-7/cassandra-b/data]
+rpc_address: 10.64.156.21
+native_transport_port: 9042
+commitlog_directory: /srv/cassandra/cassandra-b/commitlog
+hints_directory: /srv/cassandra/cassandra-b/hints
+saved_caches_directory: /srv/cassandra/cassandra-b/saved_caches
+heapdump_directory: /srv/storage-1/cassandra-b
+local_system_data_file_directory: /srv/cassandra/cassandra-b/system

Ferm::Service[cassandra-analytics-cql]

Parameters differences:

--- Ferm::Service[cassandra-analytics-cql].orig
+++ Ferm::Service[cassandra-analytics-cql]

+    desc    => 
+    prio    => 10
+    srange  => (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64)
+    port    => 9042
+    ensure  => present
+    notrack => False
+    proto   => tcp

File[/etc/ssh/userkeys/scap]

Parameters differences:

--- File[/etc/ssh/userkeys/scap].orig
+++ File[/etc/ssh/userkeys/scap]

+    group     => root
+    mode      => 0444
+    force     => True
+    ensure    => file
+    show_diff => False
+    owner     => root

Content differences:

--- /etc/ssh/userkeys/scap.orig
+++ /etc/ssh/userkeys/scap
@@ -0,0 +1 @@
+ssh-rsa SNAKEOIL scap

File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]

Parameters differences:

--- File[/etc/ferm/conf.d/10_cassandra-jmx-rmi].orig
+++ File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]

+    group   => root
+    tag     => ferm
+    require => File[/etc/ferm/conf.d]
+    mode    => 0400
+    ensure  => present
+    notify  => Service[ferm]
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_cassandra-jmx-rmi.orig
+++ /etc/ferm/conf.d/10_cassandra-jmx-rmi
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 7199:7202, @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)));
+
+

Systemd::Service[cassandra-b]

Parameters differences:

--- Systemd::Service[cassandra-b].orig
+++ Systemd::Service[cassandra-b]

+    restart                  => False
+    require                  => ['File[/etc/cassandra-b/cassandra-env.sh]', 'File[/etc/cassandra-b/cassandra.yaml]', 'File[/etc/cassandra-b/cassandra-rackdc.properties]']
+    override                 => False
+    monitoring_contact_group => admins
+    service_params           => {}
+    monitoring_enabled       => False
+    unit_type                => service
+    migration_task           => T407130
+    ensure                   => present
+    monitoring_critical      => False

Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]

Parameters differences:

--- Exec[sslcert generate cassandra_keystore_aqs1024-b.p12].orig
+++ Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]

+    command => /usr/bin/openssl pkcs12 -export  -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem -inkey /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem -out /etc/cassandra-b/tls/server.key -password 'pass:test'
+    unless  => /usr/bin/test     "$(/usr/bin/openssl x509 -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem)" ==     "$(/usr/bin/openssl pkcs12 -password 'pass:test' -in /etc/cassandra-b/tls/server.key -clcerts -nokeys | openssl x509)"
+    before  => File[/etc/cassandra-b/tls/server.key]
+    require => Package[openssl]

Ferm::Service[deployment_ssh]

Parameters differences:

--- Ferm::Service[deployment_ssh].orig
+++ Ferm::Service[deployment_ssh]

+    desc     => 
+    prio     => 10
+    port     => 22
+    ensure   => present
+    notrack  => False
+    src_sets => ['DEPLOYMENT_HOSTS']
+    proto    => tcp

Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]

Parameters differences:

--- Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA].orig
+++ Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]

+    command => /usr/bin/keytool -import -trustcacerts -noprompt -cacerts     -file /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt -storepass changeit -alias wmf:Wikimedia_Internal_Root_CA

+    unless  => /usr/bin/keytool -list -cacerts -noprompt -storepass changeit -alias wmf:Wikimedia_Internal_Root_CA
+    user    => root
+    group   => root

File[/etc/cassandra-a/commitlog_archiving.properties]

Parameters differences:

--- File[/etc/cassandra-a/commitlog_archiving.properties].orig
+++ File[/etc/cassandra-a/commitlog_archiving.properties]

+    group  => cassandra
+    ensure => present
+    mode   => 0444
+    source => puppet:///modules/cassandra/commitlog_archiving.properties-4.x
+    links  => follow
+    owner  => cassandra

Interface::Ip[cassandra-a ipv4]

Parameters differences:

--- Interface::Ip[cassandra-a ipv4].orig
+++ Interface::Ip[cassandra-a ipv4]

+    ensure    => present
+    address   => 10.64.156.18
+    prefixlen => 32
+    interface => ens8f0np0

Package[cassandra]

Parameters differences:

--- Package[cassandra].orig
+++ Package[cassandra]

+    provider => apt
+    ensure   => 4.1.11

Rsyslog::Conf[udp_json_logback_compat]

Parameters differences:

--- Rsyslog::Conf[udp_json_logback_compat].orig
+++ Rsyslog::Conf[udp_json_logback_compat]

+    ensure   => present
+    priority => 50
+    mode     => 0444

Java::Cacert[wmf:Wikimedia_Internal_Root_CA]

Parameters differences:

--- Java::Cacert[wmf:Wikimedia_Internal_Root_CA].orig
+++ Java::Cacert[wmf:Wikimedia_Internal_Root_CA]

+    path      => /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt
+    group     => root
+    storepass => changeit
+    require   => Alternatives::Java[11]
+    ensure    => present
+    owner     => root

Motd::Message[insetup::data_persistence_ferm]

Parameters differences:

--- Motd::Message[insetup::data_persistence_ferm].orig
+++ Motd::Message[insetup::data_persistence_ferm]

-    priority => 5
-    ensure   => present
-    message  => aqs1024 is a Host being setup by Data Persistence SREs (insetup::data_persistence_ferm)

Package[python3-venv]

Parameters differences:

--- Package[python3-venv].orig
+++ Package[python3-venv]

+    provider => apt
+    ensure   => installed

Exec[install-/srv/storage-4/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-4/cassandra-b/data].orig
+++ Exec[install-/srv/storage-4/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-4/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-4/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

Class[Profile::Cumin::Target]

Parameters differences:

--- Class[Profile::Cumin::Target].orig
+++ Class[Profile::Cumin::Target]

@@
-    cluster => insetup
+    cluster => aqs

File[/etc/cassandra-a/user_media_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_media_analytics.cql].orig
+++ File[/etc/cassandra-a/user_media_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_media_analytics.cql.orig
+++ /etc/cassandra-a/user_media_analytics.cql
@@ -0,0 +1,7 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS media_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_mediarequest_per_referer".data TO 'media_analytics';
+GRANT SELECT ON "local_group_default_T_mediarequest_per_file".data TO 'media_analytics';
+GRANT SELECT ON "local_group_default_T_mediarequest_top_files".data TO 'media_analytics';

Package[prometheus-jmx-exporter]

Parameters differences:

--- Package[prometheus-jmx-exporter].orig
+++ Package[prometheus-jmx-exporter]

+    provider => apt
+    ensure   => installed

File[/etc/cassandra-b/jvm17-server.options]

Parameters differences:

--- File[/etc/cassandra-b/jvm17-server.options].orig
+++ File[/etc/cassandra-b/jvm17-server.options]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/jvm17-server.options.orig
+++ /etc/cassandra-b/jvm17-server.options
@@ -0,0 +1,128 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to assign configuration.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+###########################################################################
+#                         jvm17-server.options                            #
+#                                                                         #
+# See jvm-server.options. This file is specific for Java 17 and newer.    #
+###########################################################################
+
+#################
+#  GC SETTINGS  #
+#################
+
+
+
+### G1 Settings
+## Use the Hotspot garbage-first collector.
+-XX:+UseG1GC
+-XX:+ParallelRefProcEnabled
+-XX:MaxTenuringThreshold=2
+-XX:G1HeapRegionSize=16m
+
+# Floor the young generation size to 50% of the heap size
+-XX:+UnlockExperimentalVMOptions
+-XX:G1NewSizePercent=50
+
+# Have the JVM do less remembered set work during STW, instead
+# preferring concurrent GC. Reduces p99.9 latency.
+-XX:G1RSetUpdatingPauseTimePercent=5
+
+# Main G1GC tunable: lowering the pause target will lower throughput and vise versa.
+# 200ms is the JVM default and lowest viable setting
+# 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.
+-XX:MaxGCPauseMillis=300
+
+## Optional G1 Settings
+# Save CPU time on large (>= 16GB) heaps by delaying region scanning
+# until the heap is 70% full. The default in Hotspot 8u40 is 40%.
+-XX:InitiatingHeapOccupancyPercent=70
+
+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.
+# Otherwise equal to the number of cores when 8 or less.
+# Machines with > 10 cores should try setting these to <= full cores.
+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.
+# Setting both to the same value can reduce STW durations.
+# When leaving both unset then cassandra-env.sh will set them both to the number of your cores.
+#-XX:ParallelGCThreads=16
+#-XX:ConcGCThreads=16
+
+
+### JPMS
+
+-Djdk.attach.allowAttachSelf=true
+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED
+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED
+--add-exports java.management/com.sun.jmx.remote.security=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED
+--add-exports java.sql/java.sql=ALL-UNNAMED
+--add-exports java.base/java.lang.ref=ALL-UNNAMED
+--add-exports jdk.unsupported/sun.misc=ALL-UNNAMED
+
+--add-opens java.base/java.lang.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED
+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED
+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED
+--add-opens java.base/jdk.internal.math=ALL-UNNAMED
+--add-opens java.base/jdk.internal.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED
+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED
+--add-opens java.base/sun.nio.ch=ALL-UNNAMED
+--add-opens java.base/java.io=ALL-UNNAMED
+--add-opens java.base/java.lang.reflect=ALL-UNNAMED
+--add-opens java.base/java.lang=ALL-UNNAMED
+--add-opens java.base/java.util=ALL-UNNAMED
+--add-opens java.base/java.nio=ALL-UNNAMED
+
+### GC logging options -- uncomment to enable
+
+# Java 11 (and newer) GC logging options:
+# See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax
+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M
+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-b.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+# Notes for Java 8 migration:
+#
+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after "gc"
+# -XX:+PrintGCDateStamps                maps to decorator 'time'
+#
+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'
+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'
+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'
+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'
+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'
+
+### Netty Options
+
+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable
+# creation of direct buffers using Unsafe. Without it, this falls back to ByteBuffer.allocateDirect which has
+# inferior performance and risks exceeding MaxDirectMemory
+-Dio.netty.tryReflectionSetAccessible=true
+
+# Revert changes in defaults introduced in https://netty.io/news/2022/03/10/4-1-75-Final.html
+-Dio.netty.allocator.useCacheForAllThreads=true
+-Dio.netty.allocator.maxOrder=11
+
+# The newline in the end of file is intentional

Systemd::Unit[cassandra-a]

Parameters differences:

--- Systemd::Unit[cassandra-a].orig
+++ Systemd::Unit[cassandra-a]

+    override_filename => puppet-override.conf
+    unit              => cassandra-a
+    restart           => False
+    require           => ['Class[Systemd]']
+    override          => False
+    ensure            => present

Ssh::Userkey[scap]

Parameters differences:

--- Ssh::Userkey[scap].orig
+++ Ssh::Userkey[scap]

+    user   => scap
+    ensure => present

Exec[install-/srv/storage-3/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-3/cassandra-b/data].orig
+++ Exec[install-/srv/storage-3/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-3/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-3/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]

Parameters differences:

--- Exec[ip addr add 10.64.156.18/32 dev ens8f0np0].orig
+++ Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]

+    path    => /bin:/usr/bin
+    unless  => ip address show ens8f0np0 | grep -q 10.64.156.18/32
+    returns => [0, 2]

Group[deploy-service]

Parameters differences:

--- Group[deploy-service].orig
+++ Group[deploy-service]

+    before => User[deploy-service]
+    system => True
+    ensure => present

Exec[install-/srv/storage-6/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-6/cassandra-b/data].orig
+++ Exec[install-/srv/storage-6/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-6/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-6/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

Exec[install-/srv/storage-4/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-4/cassandra-a/data].orig
+++ Exec[install-/srv/storage-4/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-4/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-4/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

File[/etc/tmpfiles.d/cassandra.conf]

Parameters differences:

--- File[/etc/tmpfiles.d/cassandra.conf].orig
+++ File[/etc/tmpfiles.d/cassandra.conf]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0444
+    ensure  => present
+    source  => puppet:///modules/cassandra/cassandra-tmpfiles.conf
+    owner   => cassandra

Package[rsync]

Parameters differences:

--- Package[rsync].orig
+++ Package[rsync]

+    provider => apt
+    ensure   => installed

Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]

Parameters differences:

--- Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem].orig
+++ Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]

+    command   => /bin/cat /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem > /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem
+    unless    => /usr/bin/test "$(/bin/cat /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem | sha512sum)" == "$(/bin/cat /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem | sha512sum)"

+    subscribe => ['Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]', 'File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]', 'File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]']

Systemd::Service[cassandra-a]

Parameters differences:

--- Systemd::Service[cassandra-a].orig
+++ Systemd::Service[cassandra-a]

+    restart                  => False
+    require                  => ['File[/etc/cassandra-a/cassandra-env.sh]', 'File[/etc/cassandra-a/cassandra.yaml]', 'File[/etc/cassandra-a/cassandra-rackdc.properties]']
+    override                 => False
+    monitoring_contact_group => admins
+    service_params           => {}
+    monitoring_enabled       => False
+    unit_type                => service
+    migration_task           => T407130
+    ensure                   => present
+    monitoring_critical      => False

File[/var/lib/deploy-service]

Parameters differences:

--- File[/var/lib/deploy-service].orig
+++ File[/var/lib/deploy-service]

+    group  => deploy-service
+    mode   => 0755
+    ensure => directory
+    owner  => deploy-service

File[/etc/cassandra-b/user_device_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_device_analytics.cql].orig
+++ File[/etc/cassandra-b/user_device_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_device_analytics.cql.orig
+++ /etc/cassandra-b/user_device_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS device_analytics WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_unique_devices".data TO 'device_analytics';

Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]

Parameters differences:

--- Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet].orig
+++ Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]

+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet

+    unless      => /usr/bin/test "$(/usr/bin/openssl x509 -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem -noout -pubkey 2>&1)" == "$(/usr/bin/openssl pkey -pubout -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem 2>&1)"

+    require     => Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]
+    environment => ['GODEBUG=x509ignoreCN=0']

File[/var/lib/prometheus/node.d/role_owner.prom]

Content differences:

--- /var/lib/prometheus/node.d/role_owner.prom.orig
+++ /var/lib/prometheus/node.d/role_owner.prom
@@ -1,3 +1,3 @@
 # HELP role_owner The team owner of the server role
 # TYPE role_owner gauge
-role_owner{team="data-persistence",role="insetup::data_persistence_ferm",cluster="insetup"} 1.0
+role_owner{team="data-persistence",role="aqs",cluster="aqs"} 1.0

Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql].orig
+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]

+    notes_url              => https://phabricator.wikimedia.org/T93886
+    host_name              => aqs1024
+    active_checks_enabled  => 1
+    check_interval         => 1
+    check_freshness        => 0
+    notifications_enabled  => 1
+    ensure                 => absent
+    notification_interval  => 0
+    max_check_attempts     => 3
+    contact_groups         => admins,team-services
+    check_period           => 24x7
+    service_description    => cassandra-b CQL 10.64.156.21:9042
+    passive_checks_enabled => 1
+    check_command          => check_tcp_ip!10.64.156.21!9042
+    notification_options   => c,r,f
+    retry_interval         => 1
+    servicegroups          => aqs_eqiad
+    notification_period    => 24x7
+    is_volatile            => 0

File[/etc/init.d/cassandra]

Parameters differences:

--- File[/etc/init.d/cassandra].orig
+++ File[/etc/init.d/cassandra]

+    group   => root
+    require => Package[cassandra]
+    mode    => 0755
+    ensure  => present
+    source  => puppet:///modules/cassandra/cassandra-init.d
+    owner   => root

Interface::Alias[cassandra-b]

Parameters differences:

--- Interface::Alias[cassandra-b].orig
+++ Interface::Alias[cassandra-b]

+    ipv4          => 10.64.156.21
+    is_service_ip => True
+    interface     => ens8f0np0

File[/etc/cassandra-b/user_geo_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_geo_analytics.cql].orig
+++ File[/etc/cassandra-b/user_geo_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_geo_analytics.cql.orig
+++ /etc/cassandra-b/user_geo_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS geo_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON "local_group_default_T_editors_bycountry".data TO 'geo_analytics';

Alternatives::Java[11]

Parameters differences:

--- Alternatives::Java[11].orig
+++ Alternatives::Java[11]

+    require => Java::Package[openjdk-jdk-11]

Cassandra::Instance::Monitoring[b]

Parameters differences:

--- Cassandra::Instance::Monitoring[b].orig
+++ Cassandra::Instance::Monitoring[b]

+    tls_cluster_name => aqs
+    tls_port         => 7000
+    tls_use_pki      => True
+    cql_port         => 9042
+    monitor_enabled  => True
+    contact_group    => admins,team-services
+    instances        => {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}

File[/etc/cassandra-b/user_aqsloader.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_aqsloader.cql].orig
+++ File[/etc/cassandra-b/user_aqsloader.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_aqsloader.cql.orig
+++ /etc/cassandra-b/user_aqsloader.cql
@@ -0,0 +1,27 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE USER IF NOT EXISTS aqsloader WITH PASSWORD 'yadayadayada';
+
+GRANT MODIFY ON KEYSPACE aqs TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_editors_bycountry" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_knowledge_gap_by_category" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_lgc_pagecounts_per_project" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_mediarequest_per_file" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_mediarequest_per_referer" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_mediarequest_top_files" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_pageviews_per_article_flat" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_pageviews_per_project_v2" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_top_bycountry" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_top_pageviews" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_top_percountry" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_unique_devices" TO 'aqsloader';
+
+-- FIXME: image suggestions should *not* being using the aqsloader; This
+-- was added as a break-fix (see: https://phabricator.wikimedia.org/T356400).
+GRANT MODIFY ON KEYSPACE image_suggestions TO aqsloader;
+
+-- Commons Impact Metrics â https://phabricator.wikimedia.org/T362697
+GRANT MODIFY ON KEYSPACE commons TO aqsloader;
+
+-- New-style AQS tables
+GRANT MODIFY ON KEYSPACE analytics TO aqsloader;

File[/etc/cassandra-instances.d]

Parameters differences:

--- File[/etc/cassandra-instances.d].orig
+++ File[/etc/cassandra-instances.d]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0755
+    ensure  => directory
+    owner   => cassandra

Motd::Script[insetup::data_persistence_ferm]

Parameters differences:

--- Motd::Script[insetup::data_persistence_ferm].orig
+++ Motd::Script[insetup::data_persistence_ferm]

-    priority => 5
-    ensure   => present

File[/etc/cassandra-b/user_editor_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-b/user_editor_analytics.cql].orig
+++ File[/etc/cassandra-b/user_editor_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-b/user_editor_analytics.cql.orig
+++ /etc/cassandra-b/user_editor_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE USER IF NOT EXISTS editor_analytics WITH PASSWORD 'yadayadayada';
+
+GRANT SELECT ON aqs.config TO 'editor_analytics';

Class[Scap]

Parameters differences:

--- Class[Scap].orig
+++ Class[Scap]

+    betacluster_udplog_host => deployment-mwlog02.deployment-prep.eqiad1.wikimedia.cloud
+    is_master               => False
+    require                 => ['Class[Git::Lfs]']
+    wmflabs_master          => deployment-deploy04.deployment-prep.eqiad1.wikimedia.cloud
+    deployment_server       => deploy1003.eqiad.wmnet
+    k8s_deployments         => {}
+    php7_admin_port         => 9181
+    enable_bootstrapping    => True

Service[cassandra-a]

Parameters differences:

--- Service[cassandra-a].orig
+++ Service[cassandra-a]

+    enable => True
+    ensure => running

Java::Cacert[Wikimedia_Internal_Root_CA]

Parameters differences:

--- Java::Cacert[Wikimedia_Internal_Root_CA].orig
+++ Java::Cacert[Wikimedia_Internal_Root_CA]

+    path          => /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt
+    group         => root
+    storepass     => changeit
+    keystore_path => /etc/ssl/localcerts/wmf-java-cacerts
+    ensure        => present
+    subscribe     => Package[wmf-certificates]
+    owner         => root

Exec[update_java_alternatives_11]

Parameters differences:

--- Exec[update_java_alternatives_11].orig
+++ Exec[update_java_alternatives_11]

+    command => /usr/sbin/update-java-alternatives -s /usr/lib/jvm/java-1.11.0-openjdk-amd64
+    unless  => /usr/bin/update-alternatives --query java | /bin/grep 'Value: /usr/lib/jvm/java-11-openjdk-amd64'

Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]

Parameters differences:

--- Exec[sslcert generate cassandra_keystore_aqs1024-a.p12].orig
+++ Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]

+    command => /usr/bin/openssl pkcs12 -export  -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem -inkey /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem -out /etc/cassandra-a/tls/server.key -password 'pass:test'
+    unless  => /usr/bin/test     "$(/usr/bin/openssl x509 -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem)" ==     "$(/usr/bin/openssl pkcs12 -password 'pass:test' -in /etc/cassandra-a/tls/server.key -clcerts -nokeys | openssl x509)"
+    before  => File[/etc/cassandra-a/tls/server.key]
+    require => Package[openssl]

File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]

Parameters differences:

--- File[/etc/cassandra-b/prometheus_jmx_exporter.yaml].orig
+++ File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0400
+    ensure  => present
+    source  => puppet:///modules/cassandra/prometheus_jmx_exporter-4.x.yaml
+    links   => follow
+    owner   => cassandra

File[/etc/ferm/conf.d/10_cassandra-analytics-cql]

Parameters differences:

--- File[/etc/ferm/conf.d/10_cassandra-analytics-cql].orig
+++ File[/etc/ferm/conf.d/10_cassandra-analytics-cql]

+    group   => root
+    tag     => ferm
+    require => File[/etc/ferm/conf.d]
+    mode    => 0400
+    ensure  => present
+    notify  => Service[ferm]
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_cassandra-analytics-cql.orig
+++ /etc/ferm/conf.d/10_cassandra-analytics-cql
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 9042, (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64));
+
+

File[/etc/cassandra-b/jvm-clients.options]

Parameters differences:

--- File[/etc/cassandra-b/jvm-clients.options].orig
+++ File[/etc/cassandra-b/jvm-clients.options]

+    group  => root
+    force  => True
+    ensure => link
+    target => /etc/cassandra/jvm-clients.options
+    owner  => root

File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]

Parameters differences:

--- File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar].orig
+++ File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]

+    group   => root
+    require => Scap::Target[cassandra/logstash-logback-encoder]
+    ensure  => link
+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/jackson-databind-2.4.0.jar
+    owner   => root

Exec[install-/srv/storage-7/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-7/cassandra-a/data].orig
+++ Exec[install-/srv/storage-7/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-7/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-7/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]

Parameters differences:

--- Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh].orig
+++ Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]

+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet

+    subscribe   => File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]
+    refreshonly => True
+    environment => ['GODEBUG=x509ignoreCN=0']

Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]

Parameters differences:

--- Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)].orig
+++ Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]

+    command     => /bin/systemctl daemon-reload
+    before      => ['Service[cassandra-b]']
+    refreshonly => True

File[/etc/cassandra-a/user_commons_impact_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_commons_impact_analytics.cql].orig
+++ File[/etc/cassandra-a/user_commons_impact_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_commons_impact_analytics.cql.orig
+++ /etc/cassandra-a/user_commons_impact_analytics.cql
@@ -0,0 +1,25 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+-- User/role for the Commons Impact Metrics service: https://phabricator.wikimedia.org/T361835
+
+-- Note: This is intended to be temporary; This service will eventually use the Data Gateway
+-- (https://phabricator.wikimedia.org/T364921) instead of connecting to Cassandra directly. When
+-- that happens these GRANTs, and the role, can be removed.
+
+CREATE ROLE IF NOT EXISTS commons_impact_analytics
+    WITH PASSWORD = 'notarealpasswd' AND LOGIN = true AND SUPERUSER = false;
+
+GRANT SELECT ON commons.category_metrics_snapshot        TO commons_impact_analytics;
+GRANT SELECT ON commons.media_file_metrics_snapshot      TO commons_impact_analytics;
+GRANT SELECT ON commons.pageviews_per_category_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO commons_impact_analytics;
+GRANT SELECT ON commons.edits_per_category_monthly       TO commons_impact_analytics;
+GRANT SELECT ON commons.edits_per_user_monthly           TO commons_impact_analytics;
+GRANT SELECT ON commons.top_pages_per_category_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.top_viewed_categories_monthly    TO commons_impact_analytics;
+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO commons_impact_analytics;
+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO commons_impact_analytics;
+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO commons_impact_analytics;
+GRANT SELECT ON commons.top_edited_categories_monthly    TO commons_impact_analytics;
+GRANT SELECT ON commons.top_editors_monthly              TO commons_impact_analytics;

File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]

Parameters differences:

--- File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar].orig
+++ File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]

+    group   => root
+    require => Scap::Target[cassandra/logstash-logback-encoder]
+    ensure  => link
+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/jackson-core-2.4.0.jar
+    owner   => root

Exec[apt_package_from_component_cassandra]

Parameters differences:

--- Exec[apt_package_from_component_cassandra].orig
+++ Exec[apt_package_from_component_cassandra]

+    command     => /usr/bin/apt-get update
+    subscribe   => Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]
+    before      => ['Package[cassandra]']
+    refreshonly => True

Package[cassandra-tools-wmf]

Parameters differences:

--- Package[cassandra-tools-wmf].orig
+++ Package[cassandra-tools-wmf]

+    provider => apt
+    ensure   => installed

Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]

Parameters differences:

--- Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl].orig
+++ Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]

+    server_name             => cassandra
+    use_client_auth         => False
+    ip6                     => 2620:0:861:124:10:64:156:17
+    alert_after             => 2m
+    site                    => eqiad
+    certificate_expiry_days => 5
+    ip4                     => 10.64.156.21
+    team                    => sre
+    prometheus_instance     => ops
+    client_auth_key         => /etc/prometheus/ssl/server.key
+    port                    => 7000
+    force_tls               => True
+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}
+    instance_label          => aqs1024-b
+    ip_families             => ['ip4']
+    severity                => critical
+    timeout                 => 3s
+    client_auth_cert        => /etc/prometheus/ssl/cert.pem

Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]

Parameters differences:

--- Prometheus::Blackbox::Check::Tcp[cassandra-b-cql].orig
+++ Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]

+    server_name             => cassandra
+    use_client_auth         => False
+    ip6                     => 2620:0:861:124:10:64:156:17
+    alert_after             => 2m
+    site                    => eqiad
+    certificate_expiry_days => 5
+    ip4                     => 10.64.156.21
+    team                    => sre
+    prometheus_instance     => ops
+    client_auth_key         => /etc/prometheus/ssl/server.key
+    port                    => 9042
+    force_tls               => True
+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}
+    instance_label          => aqs1024-b
+    ip_families             => ['ip4']
+    severity                => critical
+    timeout                 => 3s
+    client_auth_cert        => /etc/prometheus/ssl/cert.pem

File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]

Parameters differences:

--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr].orig
+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]

+    group  => cassandra
+    mode   => 0440
+    ensure => file
+    owner  => cassandra

File[/etc/cassandra-a/tls]

Parameters differences:

--- File[/etc/cassandra-a/tls].orig
+++ File[/etc/cassandra-a/tls]

+    group   => cassandra
+    mode    => 0400
+    ensure  => directory
+    recurse => True
+    owner   => cassandra

File[/etc/ssl/localcerts/wmf-java-cacerts]

Parameters differences:

--- File[/etc/ssl/localcerts/wmf-java-cacerts].orig
+++ File[/etc/ssl/localcerts/wmf-java-cacerts]

+    group  => root
+    ensure => file
+    owner  => root

Exec[install-/srv/cassandra/cassandra-b/commitlog]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-b/commitlog].orig
+++ Exec[install-/srv/cassandra/cassandra-b/commitlog]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/commitlog
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-b/commitlog
+    before  => Systemd::Service[cassandra-b]

File[/etc/cassandra-a/user_revise_tone_task_generator.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_revise_tone_task_generator.cql].orig
+++ File[/etc/cassandra-a/user_revise_tone_task_generator.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_revise_tone_task_generator.cql.orig
+++ /etc/cassandra-a/user_revise_tone_task_generator.cql
@@ -0,0 +1,7 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE ROLE IF NOT EXISTS revise_tone_task_generator
+    WITH PASSWORD = 'asdfasdfasdf' AND LOGIN = true AND SUPERUSER = false;
+
+-- Machine learning cache
+GRANT MODIFY ON ml_cache.page_paragraph_tone_scores TO revise_tone_task_generator;

Prometheus::Jmx_exporter_instance[aqs1024-b]

Parameters differences:

--- Prometheus::Jmx_exporter_instance[aqs1024-b].orig
+++ Prometheus::Jmx_exporter_instance[aqs1024-b]

+    labels   => {}
+    port     => 7800
+    hostname => aqs1024-b

File[/etc/apt/sources.list]

Parameters differences:

--- File[/etc/apt/sources.list].orig
+++ File[/etc/apt/sources.list]

@@
-    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']
+    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]', 'Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']

Exec[install-/srv/storage-2/cassandra-b/data]

Parameters differences:

--- Exec[install-/srv/storage-2/cassandra-b/data].orig
+++ Exec[install-/srv/storage-2/cassandra-b/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-2/cassandra-b/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-2/cassandra-b/data
+    before  => Systemd::Service[cassandra-b]

Class[Profile::Monitoring]

Parameters differences:

--- Class[Profile::Monitoring].orig
+++ Class[Profile::Monitoring]

@@
-    cluster               => insetup
+    cluster               => aqs
@@
-    nagios_group          => insetup_eqiad
+    nagios_group          => aqs_eqiad
@@
-    notifications_enabled => False
+    notifications_enabled => True

Exec[install-/srv/storage-2/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-2/cassandra-a/data].orig
+++ Exec[install-/srv/storage-2/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-2/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-2/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]

Parameters differences:

--- File[/etc/cassandra-a/prometheus_jmx_exporter.yaml].orig
+++ File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0400
+    ensure  => present
+    source  => puppet:///modules/cassandra/prometheus_jmx_exporter-4.x.yaml
+    links   => follow
+    owner   => cassandra

Motd::Script[aqs]

Parameters differences:

--- Motd::Script[aqs].orig
+++ Motd::Script[aqs]

+    priority => 5
+    ensure   => present

File[/etc/cassandra-a/jvm17-server.options]

Parameters differences:

--- File[/etc/cassandra-a/jvm17-server.options].orig
+++ File[/etc/cassandra-a/jvm17-server.options]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/jvm17-server.options.orig
+++ /etc/cassandra-a/jvm17-server.options
@@ -0,0 +1,128 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to assign configuration.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+###########################################################################
+#                         jvm17-server.options                            #
+#                                                                         #
+# See jvm-server.options. This file is specific for Java 17 and newer.    #
+###########################################################################
+
+#################
+#  GC SETTINGS  #
+#################
+
+
+
+### G1 Settings
+## Use the Hotspot garbage-first collector.
+-XX:+UseG1GC
+-XX:+ParallelRefProcEnabled
+-XX:MaxTenuringThreshold=2
+-XX:G1HeapRegionSize=16m
+
+# Floor the young generation size to 50% of the heap size
+-XX:+UnlockExperimentalVMOptions
+-XX:G1NewSizePercent=50
+
+# Have the JVM do less remembered set work during STW, instead
+# preferring concurrent GC. Reduces p99.9 latency.
+-XX:G1RSetUpdatingPauseTimePercent=5
+
+# Main G1GC tunable: lowering the pause target will lower throughput and vise versa.
+# 200ms is the JVM default and lowest viable setting
+# 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.
+-XX:MaxGCPauseMillis=300
+
+## Optional G1 Settings
+# Save CPU time on large (>= 16GB) heaps by delaying region scanning
+# until the heap is 70% full. The default in Hotspot 8u40 is 40%.
+-XX:InitiatingHeapOccupancyPercent=70
+
+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.
+# Otherwise equal to the number of cores when 8 or less.
+# Machines with > 10 cores should try setting these to <= full cores.
+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.
+# Setting both to the same value can reduce STW durations.
+# When leaving both unset then cassandra-env.sh will set them both to the number of your cores.
+#-XX:ParallelGCThreads=16
+#-XX:ConcGCThreads=16
+
+
+### JPMS
+
+-Djdk.attach.allowAttachSelf=true
+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED
+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED
+--add-exports java.management/com.sun.jmx.remote.security=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED
+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED
+--add-exports java.sql/java.sql=ALL-UNNAMED
+--add-exports java.base/java.lang.ref=ALL-UNNAMED
+--add-exports jdk.unsupported/sun.misc=ALL-UNNAMED
+
+--add-opens java.base/java.lang.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED
+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED
+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED
+--add-opens java.base/jdk.internal.math=ALL-UNNAMED
+--add-opens java.base/jdk.internal.module=ALL-UNNAMED
+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED
+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED
+--add-opens java.base/sun.nio.ch=ALL-UNNAMED
+--add-opens java.base/java.io=ALL-UNNAMED
+--add-opens java.base/java.lang.reflect=ALL-UNNAMED
+--add-opens java.base/java.lang=ALL-UNNAMED
+--add-opens java.base/java.util=ALL-UNNAMED
+--add-opens java.base/java.nio=ALL-UNNAMED
+
+### GC logging options -- uncomment to enable
+
+# Java 11 (and newer) GC logging options:
+# See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax
+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M
+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-a.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760
+
+# Notes for Java 8 migration:
+#
+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after "gc"
+# -XX:+PrintGCDateStamps                maps to decorator 'time'
+#
+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'
+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'
+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'
+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'
+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'
+
+### Netty Options
+
+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable
+# creation of direct buffers using Unsafe. Without it, this falls back to ByteBuffer.allocateDirect which has
+# inferior performance and risks exceeding MaxDirectMemory
+-Dio.netty.tryReflectionSetAccessible=true
+
+# Revert changes in defaults introduced in https://netty.io/news/2022/03/10/4-1-75-Final.html
+-Dio.netty.allocator.useCacheForAllThreads=true
+-Dio.netty.allocator.maxOrder=11
+
+# The newline in the end of file is intentional

Service[cassandra]

Parameters differences:

--- Service[cassandra].orig
+++ Service[cassandra]

+    ensure => stopped

Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]

Parameters differences:

--- Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet].orig
+++ Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]

+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet

+    unless      => /usr/bin/openssl x509 -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem -checkend 952200
+    require     => Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]
+    environment => ['GODEBUG=x509ignoreCN=0']

Exec[install-/srv/cassandra/cassandra-a/saved_caches]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-a/saved_caches].orig
+++ Exec[install-/srv/cassandra/cassandra-a/saved_caches]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/saved_caches
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-a/saved_caches
+    before  => Systemd::Service[cassandra-a]

File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]

Parameters differences:

--- File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar].orig
+++ File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]

+    group   => root
+    require => Scap::Target[cassandra/logstash-logback-encoder]
+    ensure  => link
+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/jackson-annotations-2.4.0.jar
+    owner   => root

Java::Cacert[Puppet_Internal_CA]

Parameters differences:

--- Java::Cacert[Puppet_Internal_CA].orig
+++ Java::Cacert[Puppet_Internal_CA]

+    path          => /etc/ssl/certs/Puppet_Internal_CA.pem
+    group         => root
+    storepass     => changeit
+    keystore_path => /etc/ssl/localcerts/wmf-java-cacerts
+    ensure        => present
+    subscribe     => Package[wmf-certificates]
+    owner         => root

File[/etc/cassandra-a/user_edit_analytics.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_edit_analytics.cql].orig
+++ File[/etc/cassandra-a/user_edit_analytics.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_edit_analytics.cql.orig
+++ /etc/cassandra-a/user_edit_analytics.cql
@@ -0,0 +1,5 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE USER IF NOT EXISTS edit_analytics WITH PASSWORD 'blahblahblahblah';
+
+GRANT SELECT ON aqs.config TO 'edit_analytics';

File[/etc/cassandra-a/cassandra.yaml]

Parameters differences:

--- File[/etc/cassandra-a/cassandra.yaml].orig
+++ File[/etc/cassandra-a/cassandra.yaml]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/cassandra.yaml.orig
+++ /etc/cassandra-a/cassandra.yaml
@@ -0,0 +1,1885 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and is templatized
+#        here in order to set various options from puppet.
+
+# Cassandra storage config YAML
+
+# NOTE:
+#   See https://cassandra.apache.org/doc/latest/configuration/ for
+#   full explanations of configuration directives
+# /NOTE
+
+# The name of the cluster. This is mainly used to prevent machines in
+# one logical cluster from joining another.
+cluster_name: 'Analytics Query Service Storage'
+
+# This defines the number of tokens randomly assigned to this node on the ring
+# The more tokens, relative to other nodes, the larger the proportion of data
+# that this node will store. You probably want all nodes to have the same number
+# of tokens assuming they have equal hardware capability.
+#
+# If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility,
+# and will use the initial_token as described below.
+#
+# Specifying initial_token will override this setting on the node's initial start,
+# on subsequent starts, this setting will apply even if initial token is set.
+#
+# See https://cassandra.apache.org/doc/latest/getting_started/production.html#tokens for
+# best practice information about num_tokens.
+#
+num_tokens: 256
+
+# Triggers automatic allocation of num_tokens tokens for this node. The allocation
+# algorithm attempts to choose tokens in a way that optimizes replicated load over
+# the nodes in the datacenter for the replica factor.
+#
+# The load assigned to each node will be close to proportional to its number of
+# vnodes.
+#
+# Only supported with the Murmur3Partitioner.
+
+# Replica factor is determined via the replication strategy used by the specified
+# keyspace.
+# allocate_tokens_for_keyspace: KEYSPACE
+
+# Replica factor is explicitly set, regardless of keyspace or datacenter.
+# This is the replica factor within the datacenter, like NTS.
+allocate_tokens_for_local_replication_factor: 3
+
+# initial_token allows you to specify tokens manually.  While you can use it with
+# vnodes (num_tokens > 1, above) -- in which case you should provide a 
+# comma-separated list -- it's primarily used when adding nodes to legacy clusters 
+# that do not have vnodes enabled.
+# initial_token:
+
+# May either be "true" or "false" to enable globally
+hinted_handoff_enabled: true
+
+# When hinted_handoff_enabled is true, a black list of data centers that will not
+# perform hinted handoff
+# hinted_handoff_disabled_datacenters:
+#    - DC1
+#    - DC2
+
+# this defines the maximum amount of time a dead host will have hints
+# generated.  After it has been dead this long, new hints for it will not be
+# created until it has been seen alive and gone down again.
+# Min unit: ms
+max_hint_window: 3h
+
+# Maximum throttle in KiBs per second, per delivery thread.  This will be
+# reduced proportionally to the number of nodes in the cluster.  (If there
+# are two nodes in the cluster, each delivery thread will use the maximum
+# rate; if there are three, each will throttle to half of the maximum,
+# since we expect two nodes to be delivering hints simultaneously.)
+# Min unit: KiB
+hinted_handoff_throttle: 1024KiB
+
+# Number of threads with which to deliver hints;
+# Consider increasing this number when you have multi-dc deployments, since
+# cross-dc handoff tends to be slower
+max_hints_delivery_threads: 4
+
+# Directory where Cassandra should store hints.
+# If not set, the default directory is $CASSANDRA_HOME/data/hints.
+hints_directory: /srv/cassandra/cassandra-a/hints
+
+# How often hints should be flushed from the internal buffers to disk.
+# Will *not* trigger fsync.
+# Min unit: ms
+hints_flush_period: 10000ms
+
+# Maximum size for a single hints file, in mebibytes.
+# Min unit: MiB
+max_hints_file_size: 128MiB
+
+# The file size limit to store hints for an unreachable host, in mebibytes.
+# Once the local hints files have reached the limit, no more new hints will be created.
+# Set a non-positive value will disable the size limit.
+# max_hints_size_per_host: 0MiB
+
+# Enable / disable automatic cleanup for the expired and orphaned hints file.
+# Disable the option in order to preserve those hints on the disk.
+auto_hints_cleanup_enabled: false
+
+# Enable/disable transfering hints to a peer during decommission. Even when enabled, this does not guarantee
+# consistency for logged batches, and it may delay decommission when coupled with a strict hinted_handoff_throttle.
+# Default: true
+# transfer_hints_on_decommission: true
+
+# Compression to apply to the hint files. If omitted, hints files
+# will be written uncompressed. LZ4, Snappy, and Deflate compressors
+# are supported.
+#hints_compression:
+#   - class_name: LZ4Compressor
+#     parameters:
+#         -
+
+# Enable / disable persistent hint windows.
+#
+# If set to false, a hint will be stored only in case a respective node
+# that hint is for is down less than or equal to max_hint_window.
+#
+# If set to true, a hint will be stored in case there is not any
+# hint which was stored earlier than max_hint_window. This is for cases
+# when a node keeps to restart and hints are not delivered yet, we would be saving
+# hints for that node indefinitely.
+#
+# Defaults to true.
+#
+# hint_window_persistent_enabled: true
+
+# Maximum throttle in KiBs per second, total. This will be
+# reduced proportionally to the number of nodes in the cluster.
+# Min unit: KiB
+batchlog_replay_throttle: 1024KiB
+
+# Strategy to choose the batchlog storage endpoints.
+#
+# Available options:
+#
+# - random_remote
+#   Default, purely random, prevents the local rack, if possible.
+#
+# - prefer_local
+#   Similar to random_remote. Random, except that one of the replications will go to the local rack,
+#   which mean it offers lower availability guarantee than random_remote or dynamic_remote.
+#
+# - dynamic_remote
+#   Using DynamicEndpointSnitch to select batchlog storage endpoints, prevents the
+#   local rack, if possible. This strategy offers the same availability guarantees
+#   as random_remote but selects the fastest endpoints according to the DynamicEndpointSnitch.
+#   (DynamicEndpointSnitch currently only tracks reads and not writes - i.e. write-only
+#   (or mostly-write) workloads might not benefit from this strategy.)
+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.
+#
+# - dynamic
+#   Mostly the same as dynamic_remote, except that local rack is not excluded, which mean it offers lower
+#   availability guarantee than random_remote or dynamic_remote.
+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.
+#
+# batchlog_endpoint_strategy: random_remote
+
+# Authentication backend, implementing IAuthenticator; used to identify users
+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator,
+# PasswordAuthenticator}.
+#
+# - AllowAllAuthenticator performs no checks - set it to disable authentication.
+# - PasswordAuthenticator relies on username/password pairs to authenticate
+#   users. It keeps usernames and hashed passwords in system_auth.roles table.
+#   Please increase system_auth keyspace replication factor if you use this authenticator.
+#   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)
+authenticator: PasswordAuthenticator
+
+# Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,
+# CassandraAuthorizer}.
+#
+# - AllowAllAuthorizer allows any action to any user - set it to disable authorization.
+# - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please
+#   increase system_auth keyspace replication factor if you use this authorizer.
+authorizer: CassandraAuthorizer
+
+# Part of the Authentication & Authorization backend, implementing IRoleManager; used
+# to maintain grants and memberships between roles.
+# Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager,
+# which stores role information in the system_auth keyspace. Most functions of the
+# IRoleManager require an authenticated login, so unless the configured IAuthenticator
+# actually implements authentication, most of this functionality will be unavailable.
+#
+# - CassandraRoleManager stores role data in the system_auth keyspace. Please
+#   increase system_auth keyspace replication factor if you use this role manager.
+role_manager: CassandraRoleManager
+
+# Network authorization backend, implementing INetworkAuthorizer; used to restrict user
+# access to certain DCs
+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllNetworkAuthorizer,
+# CassandraNetworkAuthorizer}.
+#
+# - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to disable authorization.
+# - CassandraNetworkAuthorizer stores permissions in system_auth.network_permissions table. Please
+#   increase system_auth keyspace replication factor if you use this authorizer.
+network_authorizer: AllowAllNetworkAuthorizer
+
+# Depending on the auth strategy of the cluster, it can be beneficial to iterate
+# from root to table (root -> ks -> table) instead of table to root (table -> ks -> root).
+# As the auth entries are whitelisting, once a permission is found you know it to be
+# valid. We default to false as the legacy behavior is to query at the table level then
+# move back up to the root. See CASSANDRA-17016 for details.
+# traverse_auth_from_root: false
+
+# Validity period for roles cache (fetching granted roles can be an expensive
+# operation depending on the role manager, CassandraRoleManager is one example)
+# Granted roles are cached for authenticated sessions in AuthenticatedUser and
+# after the period specified here, become eligible for (async) reload.
+# Defaults to 2000, set to 0 to disable caching entirely.
+# Will be disabled automatically for AllowAllAuthenticator.
+# For a long-running cache using roles_cache_active_update, consider
+# setting to something longer such as a daily validation: 86400000
+# Min unit: ms
+roles_validity: 2000ms
+
+# Refresh interval for roles cache (if enabled).
+# After this interval, cache entries become eligible for refresh. Upon next
+# access, an async reload is scheduled and the old value returned until it
+# completes. If roles_validity is non-zero, then this must be
+# also.
+# This setting is also used to inform the interval of auto-updating if
+# using roles_cache_active_update.
+# Defaults to the same value as roles_validity.
+# For a long-running cache, consider setting this to 60000 (1 hour) etc.
+# Min unit: ms
+# roles_update_interval: 2000ms
+
+# If true, cache contents are actively updated by a background task at the
+# interval set by roles_update_interval. If false, cache entries
+# become eligible for refresh after their update interval. Upon next access,
+# an async reload is scheduled and the old value returned until it completes.
+# roles_cache_active_update: false
+
+# Validity period for permissions cache (fetching permissions can be an
+# expensive operation depending on the authorizer, CassandraAuthorizer is
+# one example). Defaults to 2000, set to 0 to disable.
+# Will be disabled automatically for AllowAllAuthorizer.
+# For a long-running cache using permissions_cache_active_update, consider
+# setting to something longer such as a daily validation: 86400000ms
+# Min unit: ms
+permissions_validity: 600000ms
+
+# Refresh interval for permissions cache (if enabled).
+# After this interval, cache entries become eligible for refresh. Upon next
+# access, an async reload is scheduled and the old value returned until it
+# completes. If permissions_validity is non-zero, then this must be
+# also.
+# This setting is also used to inform the interval of auto-updating if
+# using permissions_cache_active_update.
+# Defaults to the same value as permissions_validity.
+# For a longer-running permissions cache, consider setting to update hourly (60000)
+# Min unit: ms
+# permissions_update_interval: 2000ms
+
+# If true, cache contents are actively updated by a background task at the
+# interval set by permissions_update_interval. If false, cache entries
+# become eligible for refresh after their update interval. Upon next access,
+# an async reload is scheduled and the old value returned until it completes.
+# permissions_cache_active_update: false
+
+# Validity period for credentials cache. This cache is tightly coupled to
+# the provided PasswordAuthenticator implementation of IAuthenticator. If
+# another IAuthenticator implementation is configured, this cache will not
+# be automatically used and so the following settings will have no effect.
+# Please note, credentials are cached in their encrypted form, so while
+# activating this cache may reduce the number of queries made to the
+# underlying table, it may not  bring a significant reduction in the
+# latency of individual authentication attempts.
+# Defaults to 2000, set to 0 to disable credentials caching.
+# For a long-running cache using credentials_cache_active_update, consider
+# setting to something longer such as a daily validation: 86400000
+# Min unit: ms
+credentials_validity: 600000ms
+
+# Refresh interval for credentials cache (if enabled).
+# After this interval, cache entries become eligible for refresh. Upon next
+# access, an async reload is scheduled and the old value returned until it
+# completes. If credentials_validity is non-zero, then this must be
+# also.
+# This setting is also used to inform the interval of auto-updating if
+# using credentials_cache_active_update.
+# Defaults to the same value as credentials_validity.
+# For a longer-running permissions cache, consider setting to update hourly (60000)
+# Min unit: ms
+# credentials_update_interval: 2000ms
+
+# If true, cache contents are actively updated by a background task at the
+# interval set by credentials_update_interval. If false (default), cache entries
+# become eligible for refresh after their update interval. Upon next access,
+# an async reload is scheduled and the old value returned until it completes.
+# credentials_cache_active_update: false
+
+# The partitioner is responsible for distributing groups of rows (by
+# partition key) across nodes in the cluster. The partitioner can NOT be
+# changed without reloading all data.  If you are adding nodes or upgrading,
+# you should set this to the same partitioner that you are currently using.
+#
+# The default partitioner is the Murmur3Partitioner. Older partitioners
+# such as the RandomPartitioner, ByteOrderedPartitioner, and
+# OrderPreservingPartitioner have been included for backward compatibility only.
+# For new clusters, you should NOT change this value.
+#
+partitioner: org.apache.cassandra.dht.Murmur3Partitioner
+
+# Directories where Cassandra should store data on disk. If multiple
+# directories are specified, Cassandra will spread data evenly across 
+# them by partitioning the token ranges.
+# If not set, the default directory is $CASSANDRA_HOME/data/data.
+data_file_directories:
+    - /srv/storage-0/cassandra-a/data
+    - /srv/storage-1/cassandra-a/data
+    - /srv/storage-2/cassandra-a/data
+    - /srv/storage-3/cassandra-a/data
+    - /srv/storage-4/cassandra-a/data
+    - /srv/storage-5/cassandra-a/data
+    - /srv/storage-6/cassandra-a/data
+    - /srv/storage-7/cassandra-a/data
+
+
+# Directory where Cassandra should store the data of the local system keyspaces.
+# By default Cassandra will store the data of the local system keyspaces in the first of the data directories specified
+# by data_file_directories.
+# This approach ensures that if one of the other disks is lost Cassandra can continue to operate. For extra security
+# this setting allows to store those data on a different directory that provides redundancy.
+local_system_data_file_directory: /srv/cassandra/cassandra-a/system
+
+# commit log.  when running on magnetic HDD, this should be a
+# separate spindle than the data directories.
+# If not set, the default directory is $CASSANDRA_HOME/data/commitlog.
+commitlog_directory: /srv/cassandra/cassandra-a/commitlog
+
+# Enable / disable CDC functionality on a per-node basis. This modifies the logic used
+# for write path allocation rejection (standard: never reject. cdc: reject Mutation
+# containing a CDC-enabled table if at space limit in cdc_raw_directory).
+cdc_enabled: false
+
+# CommitLogSegments are moved to this directory on flush if cdc_enabled: true and the
+# segment contains mutations for a CDC-enabled table. This should be placed on a
+# separate spindle than the data directories. If not set, the default directory is
+# $CASSANDRA_HOME/data/cdc_raw.
+# cdc_raw_directory: /var/lib/cassandra/cdc_raw
+
+# Policy for data disk failures:
+#
+# die
+#   shut down gossip and client transports and kill the JVM for any fs errors or
+#   single-sstable errors, so the node can be replaced.
+#
+# stop_paranoid
+#   shut down gossip and client transports even for single-sstable errors,
+#   kill the JVM for errors during startup.
+#
+# stop
+#   shut down gossip and client transports, leaving the node effectively dead, but
+#   can still be inspected via JMX, kill the JVM for errors during startup.
+#
+# best_effort
+#    stop using the failed disk and respond to requests based on
+#    remaining available sstables.  This means you WILL see obsolete
+#    data at CL.ONE!
+#
+# ignore
+#    ignore fatal errors and let requests fail, as in pre-1.2 Cassandra
+disk_failure_policy: stop
+
+# Policy for commit disk failures:
+#
+# die
+#   shut down the node and kill the JVM, so the node can be replaced.
+#
+# stop
+#   shut down the node, leaving the node effectively dead, but
+#   can still be inspected via JMX.
+#
+# stop_commit
+#   shutdown the commit log, letting writes collect but
+#   continuing to service reads, as in pre-2.0.5 Cassandra
+#
+# ignore
+#   ignore fatal errors and let the batches fail
+commit_failure_policy: stop
+
+# Maximum size of the native protocol prepared statement cache
+#
+# Valid values are either "auto" (omitting the value) or a value greater 0.
+#
+# Note that specifying a too large value will result in long running GCs and possbily
+# out-of-memory errors. Keep the value at a small fraction of the heap.
+#
+# If you constantly see "prepared statements discarded in the last minute because
+# cache limit reached" messages, the first step is to investigate the root cause
+# of these messages and check whether prepared statements are used correctly -
+# i.e. use bind markers for variable parts.
+#
+# Do only change the default value, if you really have more prepared statements than
+# fit in the cache. In most cases it is not neccessary to change this value.
+# Constantly re-preparing statements is a performance penalty.
+#
+# Default value ("auto") is 1/256th of the heap or 10MiB, whichever is greater
+# Min unit: MiB
+prepared_statements_cache_size:
+
+# Maximum size of the key cache in memory.
+#
+# Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the
+# minimum, sometimes more. The key cache is fairly tiny for the amount of
+# time it saves, so it's worthwhile to use it at large numbers.
+# The row cache saves even more time, but must contain the entire row,
+# so it is extremely space-intensive. It's best to only use the
+# row cache if you have hot rows or static rows.
+#
+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.
+#
+# Default value is empty to make it "auto" (min(5% of Heap (in MiB), 100MiB)). Set to 0 to disable key cache.
+# Min unit: MiB
+key_cache_size: 400MiB
+
+# Duration in seconds after which Cassandra should
+# save the key cache. Caches are saved to saved_caches_directory as
+# specified in this configuration file.
+#
+# Saved caches greatly improve cold-start speeds, and is relatively cheap in
+# terms of I/O for the key cache. Row cache saving is much more expensive and
+# has limited use.
+#
+# Default is 14400 or 4 hours.
+# Min unit: s
+key_cache_save_period: 4h
+
+# Number of keys from the key cache to save
+# Disabled by default, meaning all keys are going to be saved
+# key_cache_keys_to_save: 100
+
+# Row cache implementation class name. Available implementations:
+#
+# org.apache.cassandra.cache.OHCProvider
+#   Fully off-heap row cache implementation (default).
+#
+# org.apache.cassandra.cache.SerializingCacheProvider
+#   This is the row cache implementation availabile
+#   in previous releases of Cassandra.
+# row_cache_class_name: org.apache.cassandra.cache.OHCProvider
+
+# Maximum size of the row cache in memory.
+# Please note that OHC cache implementation requires some additional off-heap memory to manage
+# the map structures and some in-flight memory during operations before/after cache entries can be
+# accounted against the cache capacity. This overhead is usually small compared to the whole capacity.
+# Do not specify more memory that the system can afford in the worst usual situation and leave some
+# headroom for OS block level cache. Do never allow your system to swap.
+#
+# Default value is 0, to disable row caching.
+# Min unit: MiB
+row_cache_size: 200MiB
+
+# Duration in seconds after which Cassandra should save the row cache.
+# Caches are saved to saved_caches_directory as specified in this configuration file.
+#
+# Saved caches greatly improve cold-start speeds, and is relatively cheap in
+# terms of I/O for the key cache. Row cache saving is much more expensive and
+# has limited use.
+#
+# Default is 0 to disable saving the row cache.
+# Min unit: s
+row_cache_save_period: 0s
+
+# Number of keys from the row cache to save.
+# Specify 0 (which is the default), meaning all keys are going to be saved
+# row_cache_keys_to_save: 100
+
+# Maximum size of the counter cache in memory.
+#
+# Counter cache helps to reduce counter locks' contention for hot counter cells.
+# In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before
+# write entirely. With RF > 1 a counter cache hit will still help to reduce the duration
+# of the lock hold, helping with hot counter cell updates, but will not allow skipping
+# the read entirely. Only the local (clock, count) tuple of a counter cell is kept
+# in memory, not the whole counter, so it's relatively cheap.
+#
+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.
+#
+# Default value is empty to make it "auto" (min(2.5% of Heap (in MiB), 50MiB)). Set to 0 to disable counter cache.
+# NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache.
+# Min unit: MiB
+counter_cache_size:
+
+# Duration in seconds after which Cassandra should
+# save the counter cache (keys only). Caches are saved to saved_caches_directory as
+# specified in this configuration file.
+#
+# Default is 7200 or 2 hours.
+# Min unit: s
+counter_cache_save_period: 7200s
+
+# Number of keys from the counter cache to save
+# Disabled by default, meaning all keys are going to be saved
+# counter_cache_keys_to_save: 100
+
+# saved caches
+# If not set, the default directory is $CASSANDRA_HOME/data/saved_caches.
+saved_caches_directory: /srv/cassandra/cassandra-a/saved_caches
+
+# Number of seconds the server will wait for each cache (row, key, etc ...) to load while starting
+# the Cassandra process. Setting this to zero is equivalent to disabling all cache loading on startup
+# while still having the cache during runtime.
+# Min unit: s
+# cache_load_timeout: 30s
+
+# commitlog_sync may be either "periodic", "group", or "batch." 
+# 
+# When in batch mode, Cassandra won't ack writes until the commit log
+# has been flushed to disk.  Each incoming write will trigger the flush task.
+# commitlog_sync_batch_window_in_ms is a deprecated value. Previously it had
+# almost no value, and is being removed.
+#
+# commitlog_sync_batch_window_in_ms: 2
+#
+# group mode is similar to batch mode, where Cassandra will not ack writes
+# until the commit log has been flushed to disk. The difference is group
+# mode will wait up to commitlog_sync_group_window between flushes.
+#
+# Min unit: ms
+# commitlog_sync_group_window: 1000ms
+#
+# the default option is "periodic" where writes may be acked immediately
+# and the CommitLog is simply synced every commitlog_sync_period
+# milliseconds.
+commitlog_sync: periodic
+# Min unit: ms
+commitlog_sync_period: 10000ms
+
+# When in periodic commitlog mode, the number of milliseconds to block writes
+# while waiting for a slow disk flush to complete.
+# Min unit: ms
+# periodic_commitlog_sync_lag_block:
+
+# The size of the individual commitlog file segments.  A commitlog
+# segment may be archived, deleted, or recycled once all the data
+# in it (potentially from each columnfamily in the system) has been
+# flushed to sstables.
+#
+# The default size is 32, which is almost always fine, but if you are
+# archiving commitlog segments (see commitlog_archiving.properties),
+# then you probably want a finer granularity of archiving; 8 or 16 MB
+# is reasonable.
+# Max mutation size is also configurable via max_mutation_size setting in
+# cassandra.yaml. The default is half the size commitlog_segment_size in bytes.
+# This should be positive and less than 2048.
+#
+# NOTE: If max_mutation_size is set explicitly then commitlog_segment_size must
+# be set to at least twice the size of max_mutation_size
+#
+# Min unit: MiB
+commitlog_segment_size: 32MiB
+
+# Compression to apply to the commit log. If omitted, the commit log
+# will be written uncompressed.  LZ4, Snappy, and Deflate compressors
+# are supported.
+# commitlog_compression:
+#   - class_name: LZ4Compressor
+#     parameters:
+#         -
+
+# Compression to apply to SSTables as they flush for compressed tables.
+# Note that tables without compression enabled do not respect this flag.
+#
+# As high ratio compressors like LZ4HC, Zstd, and Deflate can potentially
+# block flushes for too long, the default is to flush with a known fast
+# compressor in those cases. Options are:
+#
+# none : Flush without compressing blocks but while still doing checksums.
+# fast : Flush with a fast compressor. If the table is already using a
+#        fast compressor that compressor is used.
+# table: Always flush with the same compressor that the table uses. This
+#        was the pre 4.0 behavior.
+#
+# flush_compression: fast
+
+# any class that implements the SeedProvider interface and has a
+# constructor that takes a Map<String, String> of parameters will do.
+seed_provider:
+  # Addresses of hosts that are deemed contact points.
+  # Cassandra nodes use this list of hosts to find each other and learn
+  # the topology of the ring.  You must change this if you are running
+  # multiple nodes!
+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
+    parameters:
+      # seeds is actually a comma-delimited list of addresses.
+      # Ex: "<ip1>,<ip2>,<ip3>"
+      # Omit own host name / IP in multi-node clusters (see
+      # https://phabricator.wikimedia.org/T91617).
+      # Also disregard the main DNS interfaces of each node when
+      # multiple instances are colocated on the same node (see
+      # https://phabricator.wikimedia.org/T172610)
+      
+      - seeds: aqs1010-a.eqiad.wmnet,aqs1010-b.eqiad.wmnet,aqs1011-a.eqiad.wmnet,aqs1011-b.eqiad.wmnet,aqs1012-a.eqiad.wmnet,aqs1012-b.eqiad.wmnet,aqs1014-a.eqiad.wmnet,aqs1014-b.eqiad.wmnet,aqs1015-a.eqiad.wmnet,aqs1015-b.eqiad.wmnet,aqs1016-a.eqiad.wmnet,aqs1016-b.eqiad.wmnet,aqs1017-a.eqiad.wmnet,aqs1017-b.eqiad.wmnet,aqs1018-a.eqiad.wmnet,aqs1018-b.eqiad.wmnet,aqs1019-a.eqiad.wmnet,aqs1019-b.eqiad.wmnet,aqs1020-a.eqiad.wmnet,aqs1020-b.eqiad.wmnet,aqs1021-a.eqiad.wmnet,aqs1021-b.eqiad.wmnet,aqs1022-a.eqiad.wmnet,aqs1022-b.eqiad.wmnet,aqs1023-a.eqiad.wmnet,aqs1023-b.eqiad.wmnet,aqs2001-a.codfw.wmnet,aqs2001-b.codfw.wmnet,aqs2002-a.codfw.wmnet,aqs2002-b.codfw.wmnet,aqs2003-a.codfw.wmnet,aqs2003-b.codfw.wmnet,aqs2004-a.codfw.wmnet,aqs2004-b.codfw.wmnet,aqs2005-a.codfw.wmnet,aqs2005-b.codfw.wmnet,aqs2006-a.codfw.wmnet,aqs2006-b.codfw.wmnet,aqs2007-a.codfw.wmnet,aqs2007-b.codfw.wmnet,aqs2008-a.codfw.wmnet,aqs2008-b.codfw.wmnet,aqs2009-a.codfw.wmnet,aqs2009-b.codfw.wmnet,aqs2010-a.codfw.wmnet,aqs2010-b.codfw.wmnet,aqs2011-a.codfw.wmnet,aqs2011-b.codfw.wmnet,aqs2012-a.codfw.wmnet,aqs2012-b.codfw.wmnet
+
+# For workloads with more data than can fit in memory, Cassandra's
+# bottleneck will be reads that need to fetch data from
+# disk. "concurrent_reads" should be set to (16 * number_of_drives) in
+# order to allow the operations to enqueue low enough in the stack
+# that the OS and drives can reorder them. Same applies to
+# "concurrent_counter_writes", since counter writes read the current
+# values before incrementing and writing them back.
+#
+# On the other hand, since writes are almost never IO bound, the ideal
+# number of "concurrent_writes" is dependent on the number of cores in
+# your system; (8 * number_of_cores) is a good rule of thumb.
+concurrent_reads: 64
+concurrent_writes: 64
+concurrent_counter_writes: 32
+
+# For materialized view writes, as there is a read involved, so this should
+# be limited by the less of concurrent reads or concurrent writes.
+concurrent_materialized_view_writes: 32
+
+# Maximum memory to use for inter-node and client-server networking buffers.
+#
+# Defaults to the smaller of 1/16 of heap or 128MB. This pool is allocated off-heap,
+# so is in addition to the memory allocated for heap. The cache also has on-heap
+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size
+# if the default 64k chunk size is used).
+# Memory is only allocated when needed.
+# Min unit: MiB
+# networking_cache_size: 128MiB
+
+# Enable the sstable chunk cache.  The chunk cache will store recently accessed
+# sections of the sstable in-memory as uncompressed buffers.
+# file_cache_enabled: false
+
+# Maximum memory to use for sstable chunk cache and buffer pooling.
+# 32MB of this are reserved for pooling buffers, the rest is used for chunk cache
+# that holds uncompressed sstable chunks.
+# Defaults to the smaller of 1/4 of heap or 512MB. This pool is allocated off-heap,
+# so is in addition to the memory allocated for heap. The cache also has on-heap
+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size
+# if the default 64k chunk size is used).
+# Memory is only allocated when needed.
+# Min unit: MiB
+# file_cache_size: 512MiB
+
+# Flag indicating whether to allocate on or off heap when the sstable buffer
+# pool is exhausted, that is when it has exceeded the maximum memory
+# file_cache_size, beyond which it will not cache buffers but allocate on request.
+
+# buffer_pool_use_heap_if_exhausted: true
+
+# The strategy for optimizing disk read
+# Possible values are:
+# ssd (for solid state disks, the default)
+# spinning (for spinning disks)
+# disk_optimization_strategy: ssd
+
+# Total permitted memory to use for memtables. Cassandra will stop
+# accepting writes when the limit is exceeded until a flush completes,
+# and will trigger a flush based on memtable_cleanup_threshold
+# If omitted, Cassandra will set both to 1/4 the size of the heap.
+# Min unit: MiB
+# memtable_heap_space: 2048MiB
+# Min unit: MiB
+# memtable_offheap_space: 2048MiB
+
+# memtable_cleanup_threshold is deprecated. The default calculation
+# is the only reasonable choice. See the comments on  memtable_flush_writers
+# for more information.
+#
+# Ratio of occupied non-flushing memtable size to total permitted size
+# that will trigger a flush of the largest memtable. Larger mct will
+# mean larger flushes and hence less compaction, but also less concurrent
+# flush activity which can make it difficult to keep your disks fed
+# under heavy write load.
+#
+# memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1)
+# memtable_cleanup_threshold: 0.11
+
+# Specify the way Cassandra allocates and manages memtable memory.
+# Options are:
+#
+# heap_buffers
+#   on heap nio buffers
+#
+# offheap_buffers
+#   off heap (direct) nio buffers
+#
+# offheap_objects
+#    off heap objects
+memtable_allocation_type: heap_buffers
+
+# Limit memory usage for Merkle tree calculations during repairs of a certain
+# table and common token range. Repair commands targetting multiple tables or
+# virtual nodes can exceed this limit depending on concurrent_merkle_tree_requests.
+#
+# The default is 1/16th of the available heap. The main tradeoff is that
+# smaller trees have less resolution, which can lead to over-streaming data.
+# If you see heap pressure during repairs, consider lowering this, but you
+# cannot go below one mebibyte. If you see lots of over-streaming, consider
+# raising this or using subrange repair.
+#
+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-14096.
+#
+# Min unit: MiB
+# repair_session_space:
+
+# The number of simultaneous Merkle tree requests during repairs that can
+# be performed by a repair command. The size of each validation request is
+# limited by the repair_session_space property, so setting this to 1 will make
+# sure that a repair command doesn't exceed that limit, even if the repair
+# command is repairing multiple tables or multiple virtual nodes.
+#
+# There isn't a limit by default for backwards compatibility, but this can
+# produce OOM for  commands repairing multiple tables or multiple virtual nodes.
+# A limit of just 1 simultaneous Merkle tree request is generally recommended
+# with no virtual nodes so repair_session_space, and thereof the Merkle tree
+# resolution, can be high. For virtual nodes a value of 1 with the default
+# repair_session_space value will produce higher resolution Merkle trees
+# at the expense of speed. Alternatively, when working with virtual nodes it
+# can make sense to reduce the repair_session_space and increase the value of
+# concurrent_merkle_tree_requests because each range will contain fewer data.
+#
+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-19336.
+#
+# A zero value means no limit.
+# concurrent_merkle_tree_requests: 0
+
+# Total space to use for commit logs on disk.
+#
+# If space gets above this value, Cassandra will flush every dirty CF
+# in the oldest segment and remove it.  So a small total commitlog space
+# will tend to cause more flush activity on less-active columnfamilies.
+#
+# The default value is the smaller of 8192, and 1/4 of the total space
+# of the commitlog volume.
+#
+# commitlog_total_space: 8192MiB
+
+# This sets the number of memtable flush writer threads per disk
+# as well as the total number of memtables that can be flushed concurrently.
+# These are generally a combination of compute and IO bound.
+#
+# Memtable flushing is more CPU efficient than memtable ingest and a single thread
+# can keep up with the ingest rate of a whole server on a single fast disk
+# until it temporarily becomes IO bound under contention typically with compaction.
+# At that point you need multiple flush threads. At some point in the future
+# it may become CPU bound all the time.
+#
+# You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation
+# metric which should be 0, but will be non-zero if threads are blocked waiting on flushing
+# to free memory.
+#
+# memtable_flush_writers defaults to two for a single data directory.
+# This means that two  memtables can be flushed concurrently to the single data directory.
+# If you have multiple data directories the default is one memtable flushing at a time
+# but the flush will use a thread per data directory so you will get two or more writers.
+#
+# Two is generally enough to flush on a fast disk [array] mounted as a single data directory.
+# Adding more flush writers will result in smaller more frequent flushes that introduce more
+# compaction overhead.
+#
+# There is a direct tradeoff between number of memtables that can be flushed concurrently
+# and flush size and frequency. More is not better you just need enough flush writers
+# to never stall waiting for flushing to free memory.
+#
+# memtable_flush_writers: 2
+
+# Total space to use for change-data-capture logs on disk.
+#
+# If space gets above this value, Cassandra will throw WriteTimeoutException
+# on Mutations including tables with CDC enabled. A CDCCompactor is responsible
+# for parsing the raw CDC logs and deleting them when parsing is completed.
+#
+# The default value is the min of 4096 MiB and 1/8th of the total space
+# of the drive where cdc_raw_directory resides.
+# Min unit: MiB
+# cdc_total_space: 4096MiB
+
+# When we hit our cdc_raw limit and the CDCCompactor is either running behind
+# or experiencing backpressure, we check at the following interval to see if any
+# new space for cdc-tracked tables has been made available. Default to 250ms
+# Min unit: ms
+# cdc_free_space_check_interval: 250ms
+
+# A fixed memory pool size in MB for for SSTable index summaries. If left
+# empty, this will default to 5% of the heap size. If the memory usage of
+# all index summaries exceeds this limit, SSTables with low read rates will
+# shrink their index summaries in order to meet this limit.  However, this
+# is a best-effort process. In extreme conditions Cassandra may need to use
+# more than this amount of memory.
+# Min unit: KiB
+index_summary_capacity:
+
+# How frequently index summaries should be resampled.  This is done
+# periodically to redistribute memory from the fixed-size pool to sstables
+# proportional their recent read rates.  Setting to null value will disable this
+# process, leaving existing index summaries at their current sampling level.
+# Min unit: m
+index_summary_resize_interval: 60m
+
+# Whether to, when doing sequential writing, fsync() at intervals in
+# order to force the operating system to flush the dirty
+# buffers. Enable this to avoid sudden dirty buffer flushing from
+# impacting read latencies. Almost always a good idea on SSDs; not
+# necessarily on platters.
+trickle_fsync: true
+# Min unit: KiB
+trickle_fsync_interval: 30240KiB
+
+# TCP port, for commands and data
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+storage_port: 7000
+
+# SSL port, for legacy encrypted communication. This property is unused unless enabled in
+# server_encryption_options (see below). As of cassandra 4.0, this property is deprecated
+# as a single port can be used for either/both secure and insecure connections.
+# For security reasons, you should not expose this port to the internet. Firewall it if needed.
+ssl_storage_port: 7001
+
+# Address or interface to bind to and tell other Cassandra nodes to connect to.
+# You _must_ change this if you want multiple nodes to be able to communicate!
+#
+# Set listen_address OR listen_interface, not both.
+#
+# Leaving it blank leaves it up to InetAddress.getLocalHost(). This
+# will always do the Right Thing _if_ the node is properly configured
+# (hostname, name resolution, etc), and the Right Thing is to use the
+# address associated with the hostname (it might not be). If unresolvable
+# it will fall back to InetAddress.getLoopbackAddress(), which is wrong for production systems.
+#
+# Setting listen_address to 0.0.0.0 is always wrong.
+#
+listen_address: 10.64.156.18
+
+# Set listen_address OR listen_interface, not both. Interfaces must correspond
+# to a single address, IP aliasing is not supported.
+# listen_interface: eth0
+
+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address
+# you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4
+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring
+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.
+# listen_interface_prefer_ipv6: false
+
+# Address to broadcast to other Cassandra nodes
+# Leaving this blank will set it to the same value as listen_address
+# broadcast_address: 1.2.3.4
+
+# When using multiple physical network interfaces, set this
+# to true to listen on broadcast_address in addition to
+# the listen_address, allowing nodes to communicate in both
+# interfaces.
+# Ignore this property if the network configuration automatically
+# routes  between the public and private networks such as EC2.
+# listen_on_broadcast_address: false
+
+# Internode authentication backend, implementing IInternodeAuthenticator;
+# used to allow/disallow connections from peer nodes.
+# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator
+
+# Whether to start the native transport server.
+# The address on which the native transport is bound is defined by rpc_address.
+start_native_transport: true
+# port for the CQL native transport to listen for clients on
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+native_transport_port: 9042
+# Enabling native transport encryption in client_encryption_options allows you to either use
+# encryption for the standard port or to use a dedicated, additional port along with the unencrypted
+# standard native_transport_port.
+# Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption
+# for native_transport_port. Setting native_transport_port_ssl to a different value
+# from native_transport_port will use encryption for native_transport_port_ssl while
+# keeping native_transport_port unencrypted.
+# native_transport_port_ssl: 9142
+# The maximum threads for handling requests (note that idle threads are stopped
+# after 30 seconds so there is not corresponding minimum setting).
+# native_transport_max_threads: 128
+# The maximum threads for handling auth requests in a separate executor from main request executor.
+# When set to 0, main executor for requests is used.
+# native_transport_max_auth_threads: 0
+#
+# The maximum size of allowed frame. Frame (requests) larger than this will
+# be rejected as invalid. The default is 16MiB. If you're changing this parameter,
+# you may want to adjust max_value_size accordingly. This should be positive and less than 2048.
+# Min unit: MiB
+# native_transport_max_frame_size: 16MiB
+
+# The maximum number of concurrent client connections.
+# The default is -1, which means unlimited.
+# native_transport_max_concurrent_connections: -1
+
+# The maximum number of concurrent client connections per source ip.
+# The default is -1, which means unlimited.
+# native_transport_max_concurrent_connections_per_ip: -1
+
+# Controls whether Cassandra honors older, yet currently supported, protocol versions.
+# The default is true, which means all supported protocols will be honored.
+native_transport_allow_older_protocols: true
+
+# Controls when idle client connections are closed. Idle connections are ones that had neither reads
+# nor writes for a time period.
+#
+# Clients may implement heartbeats by sending OPTIONS native protocol message after a timeout, which
+# will reset idle timeout timer on the server side. To close idle client connections, corresponding
+# values for heartbeat intervals have to be set on the client side.
+#
+# Idle connection timeouts are disabled by default.
+# Min unit: ms
+# native_transport_idle_timeout: 60000ms
+
+# When enabled, limits the number of native transport requests dispatched for processing per second.
+# Behavior once the limit has been breached depends on the value of THROW_ON_OVERLOAD specified in
+# the STARTUP message sent by the client during connection establishment. (See section "4.1.1. STARTUP"
+# in "CQL BINARY PROTOCOL v5".) With the THROW_ON_OVERLOAD flag enabled, messages that breach the limit
+# are dropped, and an OverloadedException is thrown for the client to handle. When the flag is not
+# enabled, the server will stop consuming messages from the channel/socket, putting backpressure on
+# the client while already dispatched messages are processed.
+# native_transport_rate_limiting_enabled: false
+# native_transport_max_requests_per_second: 1000000
+
+# The address or interface to bind the native transport server to.
+#
+# Set rpc_address OR rpc_interface, not both.
+#
+# Leaving rpc_address blank has the same effect as on listen_address
+# (i.e. it will be based on the configured hostname of the node).
+#
+# Note that unlike listen_address, you can specify 0.0.0.0, but you must also
+# set broadcast_rpc_address to a value other than 0.0.0.0.
+#
+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.
+rpc_address: 10.64.156.18
+
+# Set rpc_address OR rpc_interface, not both. Interfaces must correspond
+# to a single address, IP aliasing is not supported.
+# rpc_interface: eth1
+
+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address
+# you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4
+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring
+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.
+# rpc_interface_prefer_ipv6: false
+
+# RPC address to broadcast to drivers and other Cassandra nodes. This cannot
+# be set to 0.0.0.0. If left blank, this will be set to the value of
+# rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must
+# be set.
+# broadcast_rpc_address: 1.2.3.4
+
+# enable or disable keepalive on rpc/native connections
+rpc_keepalive: true
+
+# Uncomment to set socket buffer size for internode communication
+# Note that when setting this, the buffer size is limited by net.core.wmem_max
+# and when not setting it it is defined by net.ipv4.tcp_wmem
+# See also:
+# /proc/sys/net/core/wmem_max
+# /proc/sys/net/core/rmem_max
+# /proc/sys/net/ipv4/tcp_wmem
+# /proc/sys/net/ipv4/tcp_wmem
+# and 'man tcp'
+# Min unit: B
+# internode_socket_send_buffer_size:
+
+# Uncomment to set socket buffer size for internode communication
+# Note that when setting this, the buffer size is limited by net.core.wmem_max
+# and when not setting it it is defined by net.ipv4.tcp_wmem
+# Min unit: B
+# internode_socket_receive_buffer_size:
+
+# Set to true to have Cassandra create a hard link to each sstable
+# flushed or streamed locally in a backups/ subdirectory of the
+# keyspace data.  Removing these links is the operator's
+# responsibility.
+incremental_backups: false
+
+# Whether or not to take a snapshot before each compaction.  Be
+# careful using this option, since Cassandra won't clean up the
+# snapshots for you.  Mostly useful if you're paranoid when there
+# is a data format change.
+snapshot_before_compaction: false
+
+# Whether or not a snapshot is taken of the data before keyspace truncation
+# or dropping of column families. The STRONGLY advised default of true 
+# should be used to provide data safety. If you set this flag to false, you will
+# lose data on truncation or drop.
+auto_snapshot: true
+
+# Adds a time-to-live (TTL) to auto snapshots generated by table
+# truncation or drop (when enabled).
+# After the TTL is elapsed, the snapshot is automatically cleared.
+# By default, auto snapshots *do not* have TTL, uncomment the property below
+# to enable TTL on auto snapshots.
+# Accepted units: d (days), h (hours) or m (minutes)
+# auto_snapshot_ttl: 30d
+
+# The act of creating or clearing a snapshot involves creating or removing
+# potentially tens of thousands of links, which can cause significant performance
+# impact, especially on consumer grade SSDs. A non-zero value here can
+# be used to throttle these links to avoid negative performance impact of
+# taking and clearing snapshots
+snapshot_links_per_second: 0
+
+# Granularity of the collation index of rows within a partition.
+# Increase if your rows are large, or if you have a very large
+# number of rows per partition.  The competing goals are these:
+#
+# - a smaller granularity means more index entries are generated
+#   and looking up rows withing the partition by collation column
+#   is faster
+# - but, Cassandra will keep the collation index in memory for hot
+#   rows (as part of the key cache), so a larger granularity means
+#   you can cache more hot rows
+# Min unit: KiB
+column_index_size: 64KiB
+
+# Per sstable indexed key cache entries (the collation index in memory
+# mentioned above) exceeding this size will not be held on heap.
+# This means that only partition information is held on heap and the
+# index entries are read from disk.
+#
+# Note that this size refers to the size of the
+# serialized index information and not the size of the partition.
+# Min unit: KiB
+column_index_cache_size: 2KiB
+
+# Number of simultaneous compactions to allow, NOT including
+# validation "compactions" for anti-entropy repair.  Simultaneous
+# compactions can help preserve read performance in a mixed read/write
+# workload, by mitigating the tendency of small sstables to accumulate
+# during a single long running compactions. The default is usually
+# fine and if you experience problems with compaction running too
+# slowly or too fast, you should look at
+# compaction_throughput first.
+#
+# concurrent_compactors defaults to the smaller of (number of disks,
+# number of cores), with a minimum of 2 and a maximum of 8.
+# 
+# If your data directories are backed by SSD, you should increase this
+# to the number of cores.
+concurrent_compactors: 12
+
+# Number of simultaneous repair validations to allow. If not set or set to
+# a value less than 1, it defaults to the value of concurrent_compactors.
+# To set a value greeater than concurrent_compactors at startup, the system
+# property cassandra.allow_unlimited_concurrent_validations must be set to
+# true. To dynamically resize to a value > concurrent_compactors on a running
+# node, first call the bypassConcurrentValidatorsLimit method on the
+# org.apache.cassandra.db:type=StorageService mbean
+# concurrent_validations: 0
+
+# Number of simultaneous materialized view builder tasks to allow.
+concurrent_materialized_view_builders: 1
+
+# Throttles compaction to the given total throughput across the entire
+# system. The faster you insert data, the faster you need to compact in
+# order to keep the sstable count down, but in general, setting this to
+# 16 to 32 times the rate you are inserting data is more than sufficient.
+# Setting this to 0 disables throttling. Note that this accounts for all types
+# of compaction, including validation compaction (building Merkle trees
+# for repairs).
+compaction_throughput: 256MiB/s
+
+# When compacting, the replacement sstable(s) can be opened before they
+# are completely written, and used in place of the prior sstables for
+# any range that has been written. This helps to smoothly transfer reads 
+# between the sstables, reducing page cache churn and keeping hot rows hot
+# Set sstable_preemptive_open_interval to null for disabled which is equivalent to
+# sstable_preemptive_open_interval_in_mb being negative
+# Min unit: MiB
+sstable_preemptive_open_interval: 50MiB
+
+# Starting from 4.1 sstables support UUID based generation identifiers. They are disabled by default
+# because once enabled, there is no easy way to downgrade. When the node is restarted with this option
+# set to true, each newly created sstable will have a UUID based generation identifier and such files are
+# not readable by previous Cassandra versions. At some point, this option will become true by default
+# and eventually get removed from the configuration.
+uuid_sstable_identifiers_enabled: false
+
+# When enabled, permits Cassandra to zero-copy stream entire eligible
+# SSTables between nodes, including every component.
+# This speeds up the network transfer significantly subject to
+# throttling specified by entire_sstable_stream_throughput_outbound,
+# and entire_sstable_inter_dc_stream_throughput_outbound
+# for inter-DC transfers.
+# Enabling this will reduce the GC pressure on sending and receiving node.
+# When unset, the default is enabled. While this feature tries to keep the
+# disks balanced, it cannot guarantee it. This feature will be automatically
+# disabled if internode encryption is enabled.
+# stream_entire_sstables: true
+
+# Throttles entire SSTable outbound streaming file transfers on
+# this node to the given total throughput in Mbps.
+# Setting this value to 0 it disables throttling.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# entire_sstable_stream_throughput_outbound: 24MiB/s
+
+# Throttles entire SSTable file streaming between datacenters.
+# Setting this value to 0 disables throttling for entire SSTable inter-DC file streaming.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# entire_sstable_inter_dc_stream_throughput_outbound: 24MiB/s
+
+# Throttles all outbound streaming file transfers on this node to the
+# given total throughput in Mbps. This is necessary because Cassandra does
+# mostly sequential IO when streaming data during bootstrap or repair, which
+# can lead to saturating the network connection and degrading rpc performance.
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# stream_throughput_outbound: 24MiB/s
+
+# Throttles all streaming file transfer between the datacenters,
+# this setting allows users to throttle inter dc stream throughput in addition
+# to throttling all network stream traffic as configured with
+# stream_throughput_outbound_megabits_per_sec
+# When unset, the default is 200 Mbps or 24 MiB/s.
+# inter_dc_stream_throughput_outbound: 24MiB/s
+
+# Server side timeouts for requests. The server will return a timeout exception
+# to the client if it can't complete an operation within the corresponding
+# timeout. Those settings are a protection against:
+#   1) having client wait on an operation that might never terminate due to some
+#      failures.
+#   2) operations that use too much CPU/read too much data (leading to memory build
+#      up) by putting a limit to how long an operation will execute.
+# For this reason, you should avoid putting these settings too high. In other words,
+# if you are timing out requests because of underlying resource constraints then
+# increasing the timeout will just cause more problems. Of course putting them too
+# low is equally ill-advised since clients could get timeouts even for successful
+# operations just because the timeout setting is too tight.
+
+# How long the coordinator should wait for read operations to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+read_request_timeout: 5000ms
+# How long the coordinator should wait for seq or index scans to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+range_request_timeout: 10000ms
+# How long the coordinator should wait for writes to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+write_request_timeout: 2000ms
+# How long the coordinator should wait for counter writes to complete.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+counter_write_request_timeout: 5000ms
+# How long a coordinator should continue to retry a CAS operation
+# that contends with other proposals for the same row.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+cas_contention_timeout: 1000ms
+# How long the coordinator should wait for truncates to complete
+# (This can be much longer, because unless auto_snapshot is disabled
+# we need to flush first so we can snapshot before removing the data.)
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+truncate_request_timeout: 60000ms
+# The default timeout for other, miscellaneous operations.
+# Lowest acceptable value is 10 ms.
+# Min unit: ms
+request_timeout: 10000ms
+
+# Defensive settings for protecting Cassandra from true network partitions.
+# See (CASSANDRA-14358) for details.
+#
+# The amount of time to wait for internode tcp connections to establish.
+# Min unit: ms
+# internode_tcp_connect_timeout: 2000ms
+#
+# The amount of time unacknowledged data is allowed on a connection before we throw out the connection
+# Note this is only supported on Linux + epoll, and it appears to behave oddly above a setting of 30000
+# (it takes much longer than 30s) as of Linux 4.12. If you want something that high set this to 0
+# which picks up the OS default and configure the net.ipv4.tcp_retries2 sysctl to be ~8.
+# Min unit: ms
+# internode_tcp_user_timeout: 30000ms
+
+# The amount of time unacknowledged data is allowed on a streaming connection.
+# The default is 5 minutes. Increase it or set it to 0 in order to increase the timeout.
+# Min unit: ms
+# internode_streaming_tcp_user_timeout: 300000ms
+
+# Global, per-endpoint and per-connection limits imposed on messages queued for delivery to other nodes
+# and waiting to be processed on arrival from other nodes in the cluster.  These limits are applied to the on-wire
+# size of the message being sent or received.
+#
+# The basic per-link limit is consumed in isolation before any endpoint or global limit is imposed.
+# Each node-pair has three links: urgent, small and large.  So any given node may have a maximum of
+# N*3*(internode_application_send_queue_capacity+internode_application_receive_queue_capacity)
+# messages queued without any coordination between them although in practice, with token-aware routing, only RF*tokens
+# nodes should need to communicate with significant bandwidth.
+#
+# The per-endpoint limit is imposed on all messages exceeding the per-link limit, simultaneously with the global limit,
+# on all links to or from a single node in the cluster.
+# The global limit is imposed on all messages exceeding the per-link limit, simultaneously with the per-endpoint limit,
+# on all links to or from any node in the cluster.
+#
+# Min unit: B
+# internode_application_send_queue_capacity: 4MiB
+# internode_application_send_queue_reserve_endpoint_capacity: 128MiB
+# internode_application_send_queue_reserve_global_capacity: 512MiB
+# internode_application_receive_queue_capacity: 4MiB
+# internode_application_receive_queue_reserve_endpoint_capacity: 128MiB
+# internode_application_receive_queue_reserve_global_capacity: 512MiB
+
+
+# How long before a node logs slow queries. Select queries that take longer than
+# this timeout to execute, will generate an aggregated log message, so that slow queries
+# can be identified. Set this value to zero to disable slow query logging.
+# Min unit: ms
+slow_query_log_timeout: 500ms
+
+# Enable operation timeout information exchange between nodes to accurately
+# measure request timeouts.  If disabled, replicas will assume that requests
+# were forwarded to them instantly by the coordinator, which means that
+# under overload conditions we will waste that much extra time processing 
+# already-timed-out requests.
+#
+# Warning: It is generally assumed that users have setup NTP on their clusters, and that clocks are modestly in sync, 
+# since this is a requirement for general correctness of last write wins.
+# internode_timeout: true
+
+# Set period for idle state control messages for earlier detection of failed streams
+# This node will send a keep-alive message periodically on the streaming's control channel.
+# This ensures that any eventual SocketTimeoutException will occur within 2 keep-alive cycles
+# If the node cannot send, or timeouts sending, the keep-alive message on the netty control channel
+# the stream session is closed.
+# Default value is 300s (5 minutes), which means stalled streams
+# are detected within 10 minutes
+# Specify 0 to disable.
+# Min unit: s
+# streaming_keep_alive_period: 300s
+
+# Limit number of connections per host for streaming
+# Increase this when you notice that joins are CPU-bound rather that network
+# bound (for example a few nodes with big files).
+# streaming_connections_per_host: 1
+
+# Settings for stream stats tracking; used by system_views.streaming table
+# How long before a stream is evicted from tracking; this impacts both historic and currently running
+# streams.
+# streaming_state_expires: 3d
+# How much memory may be used for tracking before evicting session from tracking; once crossed
+# historic and currently running streams maybe impacted.
+# streaming_state_size: 40MiB
+# Enable/Disable tracking of streaming stats
+# streaming_stats_enabled: true
+
+# Allows denying configurable access (rw/rr) to operations on configured ks, table, and partitions, intended for use by
+# operators to manage cluster health vs application access. See CASSANDRA-12106 and CEP-13 for more details.
+# partition_denylist_enabled: false
+
+# denylist_writes_enabled: true
+# denylist_reads_enabled: true
+# denylist_range_reads_enabled: true
+
+# The interval at which keys in the cache for denylisting will "expire" and async refresh from the backing DB.
+# Note: this serves only as a fail-safe, as the usage pattern is expected to be "mutate state, refresh cache" on any
+# changes to the underlying denylist entries. See documentation for details.
+# Min unit: s
+# denylist_refresh: 600s
+
+# In the event of errors on attempting to load the denylist cache, retry on this interval.
+# Min unit: s
+# denylist_initial_load_retry: 5s
+
+# We cap the number of denylisted keys allowed per table to keep things from growing unbounded. Nodes will warn above
+# this limit while allowing new denylisted keys to be inserted. Denied keys are loaded in natural query / clustering
+# ordering by partition key in case of overflow.
+# denylist_max_keys_per_table: 1000
+
+# We cap the total number of denylisted keys allowed in the cluster to keep things from growing unbounded.
+# Nodes will warn on initial cache load that there are too many keys and be direct the operator to trim down excess
+# entries to within the configured limits.
+# denylist_max_keys_total: 10000
+
+# Since the denylist in many ways serves to protect the health of the cluster from partitions operators have identified
+# as being in a bad state, we usually want more robustness than just CL.ONE on operations to/from these tables to
+# ensure that these safeguards are in place. That said, we allow users to configure this if they're so inclined.
+# denylist_consistency_level: QUORUM
+
+# phi value that must be reached for a host to be marked down.
+# most users should never need to adjust this.
+# phi_convict_threshold: 8
+
+# endpoint_snitch -- Set this to a class that implements
+# IEndpointSnitch.  The snitch has two functions:
+#
+# - it teaches Cassandra enough about your network topology to route
+#   requests efficiently
+# - it allows Cassandra to spread replicas around your cluster to avoid
+#   correlated failures. It does this by grouping machines into
+#   "datacenters" and "racks."  Cassandra will do its best not to have
+#   more than one replica on the same "rack" (which may not actually
+#   be a physical location)
+#
+# CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH
+# ONCE DATA IS INSERTED INTO THE CLUSTER.  This would cause data loss.
+# This means that if you start with the default SimpleSnitch, which
+# locates every node on "rack1" in "datacenter1", your only options
+# if you need to add another datacenter are GossipingPropertyFileSnitch
+# (and the older PFS).  From there, if you want to migrate to an
+# incompatible snitch like Ec2Snitch you can do it by adding new nodes
+# under Ec2Snitch (which will locate them in a new "datacenter") and
+# decommissioning the old ones.
+#
+# Out of the box, Cassandra provides:
+#
+# SimpleSnitch:
+#    Treats Strategy order as proximity. This can improve cache
+#    locality when disabling read repair.  Only appropriate for
+#    single-datacenter deployments.
+#
+# GossipingPropertyFileSnitch
+#    This should be your go-to snitch for production use.  The rack
+#    and datacenter for the local node are defined in
+#    cassandra-rackdc.properties and propagated to other nodes via
+#    gossip.  If cassandra-topology.properties exists, it is used as a
+#    fallback, allowing migration from the PropertyFileSnitch.
+#
+# PropertyFileSnitch:
+#    Proximity is determined by rack and data center, which are
+#    explicitly configured in cassandra-topology.properties.
+#
+# Ec2Snitch:
+#    Appropriate for EC2 deployments in a single Region. Loads Region
+#    and Availability Zone information from the EC2 API. The Region is
+#    treated as the datacenter, and the Availability Zone as the rack.
+#    Only private IPs are used, so this will not work across multiple
+#    Regions.
+#
+# Ec2MultiRegionSnitch:
+#    Uses public IPs as broadcast_address to allow cross-region
+#    connectivity.  (Thus, you should set seed addresses to the public
+#    IP as well.) You will need to open the storage_port or
+#    ssl_storage_port on the public IP firewall.  (For intra-Region
+#    traffic, Cassandra will switch to the private IP after
+#    establishing a connection.)
+#
+# RackInferringSnitch:
+#    Proximity is determined by rack and data center, which are
+#    assumed to correspond to the 3rd and 2nd octet of each node's IP
+#    address, respectively.  Unless this happens to match your
+#    deployment conventions, this is best used as an example of
+#    writing a custom Snitch class and is provided in that spirit.
+#
+# You can use a custom Snitch by setting this to the full class name
+# of the snitch, which will be assumed to be on your classpath.
+endpoint_snitch: GossipingPropertyFileSnitch
+
+# controls how often to perform the more expensive part of host score
+# calculation
+# Min unit: ms
+dynamic_snitch_update_interval: 100ms
+# controls how often to reset all host scores, allowing a bad host to
+# possibly recover
+# Min unit: ms
+dynamic_snitch_reset_interval: 600000ms
+# if set greater than zero, this will allow
+# 'pinning' of replicas to hosts in order to increase cache capacity.
+# The badness threshold will control how much worse the pinned host has to be
+# before the dynamic snitch will prefer other replicas over it.  This is
+# expressed as a double which represents a percentage.  Thus, a value of
+# 0.2 means Cassandra would continue to prefer the static snitch values
+# until the pinned host was 20% worse than the fastest.
+dynamic_snitch_badness_threshold: 1.0
+
+# Configure server-to-server internode encryption
+#
+# JVM and netty defaults for supported SSL socket protocols and cipher suites can
+# be replaced using custom encryption options. This is not recommended
+# unless you have policies in place that dictate certain settings, or
+# need to disable vulnerable ciphers or protocols in case the JVM cannot
+# be updated.
+#
+# FIPS compliant settings can be configured at JVM level and should not
+# involve changing encryption settings here:
+# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
+#
+# **NOTE** this default configuration is an insecure configuration. If you need to
+# enable server-to-server encryption generate server keystores (and truststores for mutual
+# authentication) per:
+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
+# Then perform the following configuration changes:
+#
+# Step 1: Set internode_encryption=<dc|rack|all> and explicitly set optional=true. Restart all nodes
+#
+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual
+# auth set require_client_auth=true. Restart all nodes
+server_encryption_options:
+  # On outbound connections, determine which type of peers to securely connect to.
+  #   The available options are :
+  #     none : Do not encrypt outgoing connections
+  #     dc   : Encrypt connections to peers in other datacenters but not within datacenters
+  #     rack : Encrypt connections to peers in other racks but not within racks
+  #     all  : Always use encrypted connections
+  internode_encryption: all
+  # When set to true, encrypted and unencrypted connections are allowed on the storage_port
+  # This should _only be true_ while in unencrypted or transitional operation
+  # optional defaults to true if internode_encryption is none
+  optional: false
+  # If enabled, will open up an encrypted listening socket on ssl_storage_port. Should only be used
+  # during upgrade to 4.0; otherwise, set to false.
+  legacy_ssl_storage_port_enabled: false
+  # Set to a valid keystore if internode_encryption is dc, rack or all
+  keystore: /etc/cassandra-a/tls/server.key
+  keystore_password: test
+  # Verify peer server certificates
+  require_client_auth: false
+  # Set to a valid trustore if require_client_auth is true
+  truststore: /etc/ssl/localcerts/wmf-java-cacerts
+  truststore_password: changeit
+  # Verify that the host name in the certificate matches the connected host
+  require_endpoint_verification: false
+  # More advanced defaults:
+  # protocol: TLS
+  # store_type: JKS
+  # cipher_suites: [
+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_RSA_WITH_AES_256_CBC_SHA
+  # ]
+
+# Configure client-to-server encryption.
+#
+# **NOTE** this default configuration is an insecure configuration. If you need to
+# enable client-to-server encryption generate server keystores (and truststores for mutual
+# authentication) per:
+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore
+# Then perform the following configuration changes:
+#
+# Step 1: Set enabled=true and explicitly set optional=true. Restart all nodes
+#
+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual
+# auth set require_client_auth=true. Restart all nodes
+client_encryption_options:
+  # Enable client-to-server encryption
+  enabled: true
+  # When set to true, encrypted and unencrypted connections are allowed on the native_transport_port
+  # This should _only be true_ while in unencrypted or transitional operation
+  # optional defaults to true when enabled is false, and false when enabled is true.
+  optional: true
+  # Set keystore and keystore_password to valid keystores if enabled is true
+  keystore: /etc/cassandra-a/tls/server.key
+  keystore_password: test
+  # Verify client certificates
+  require_client_auth: false
+  # Set trustore and truststore_password if require_client_auth is true
+  # truststore: /etc/cassandra-a/tls/client.trust
+  # truststore_password: placeholder
+  # More advanced defaults:
+  # protocol: TLS
+  # store_type: JKS
+  # cipher_suites: [
+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
+  #   TLS_RSA_WITH_AES_256_CBC_SHA
+  # ]
+
+# internode_compression controls whether traffic between nodes is
+# compressed.
+# Can be:
+#
+# all
+#   all traffic is compressed
+#
+# dc
+#   traffic between different datacenters is compressed
+#
+# none
+#   nothing is compressed.
+internode_compression: all
+
+# Enable or disable tcp_nodelay for inter-dc communication.
+# Disabling it will result in larger (but fewer) network packets being sent,
+# reducing overhead from the TCP protocol itself, at the cost of increasing
+# latency if you block for cross-datacenter responses.
+inter_dc_tcp_nodelay: false
+
+# TTL for different trace types used during logging of the repair process.
+# Min unit: s
+trace_type_query_ttl: 1d
+# Min unit: s
+trace_type_repair_ttl: 7d
+
+# If unset, all GC Pauses greater than gc_log_threshold will log at
+# INFO level
+# UDFs (user defined functions) are disabled by default.
+# As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code.
+user_defined_functions_enabled: false
+
+# Enables scripted UDFs (JavaScript UDFs).
+# Java UDFs are always enabled, if user_defined_functions_enabled is true.
+# Enable this option to be able to use UDFs with "language javascript" or any custom JSR-223 provider.
+# This option has no effect, if user_defined_functions_enabled is false.
+scripted_user_defined_functions_enabled: false
+
+# Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from
+# a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by
+# the "key_alias" is the only key that will be used for encrypt opertaions; previously used keys
+# can still (and should!) be in the keystore and will be used on decrypt operations
+# (to handle the case of key rotation).
+#
+# It is strongly recommended to download and install Java Cryptography Extension (JCE)
+# Unlimited Strength Jurisdiction Policy Files for your version of the JDK.
+# (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
+#
+# Currently, only the following file types are supported for transparent data encryption, although
+# more are coming in future cassandra releases: commitlog, hints
+transparent_data_encryption_options:
+  enabled: false
+  chunk_length_kb: 64
+  cipher: AES/CBC/PKCS5Padding
+  key_alias: testing:1
+  # CBC IV length for AES needs to be 16 bytes (which is also the default size)
+  # iv_length: 16
+  key_provider:
+    - class_name: org.apache.cassandra.security.JKSKeyProvider
+      parameters:
+        - keystore: conf/.keystore
+          keystore_password: cassandra
+          store_type: JCEKS
+          key_password: cassandra
+
+
+#####################
+# SAFETY THRESHOLDS #
+#####################
+
+# When executing a scan, within or across a partition, we need to keep the
+# tombstones seen in memory so we can return them to the coordinator, which
+# will use them to make sure other replicas also know about the deleted rows.
+# With workloads that generate a lot of tombstones, this can cause performance
+# problems and even exaust the server heap.
+# (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)
+# Adjust the thresholds here if you understand the dangers and want to
+# scan more tombstones anyway.  These thresholds may also be adjusted at runtime
+# using the StorageService mbean.
+tombstone_warn_threshold: 1000
+tombstone_failure_threshold: 100000
+
+# Filtering and secondary index queries at read consistency levels above ONE/LOCAL_ONE use a
+# mechanism called replica filtering protection to ensure that results from stale replicas do
+# not violate consistency. (See CASSANDRA-8272 and CASSANDRA-15907 for more details.) This
+# mechanism materializes replica results by partition on-heap at the coordinator. The more possibly
+# stale results returned by the replicas, the more rows materialized during the query.
+replica_filtering_protection:
+    # These thresholds exist to limit the damage severely out-of-date replicas can cause during these
+    # queries. They limit the number of rows from all replicas individual index and filtering queries
+    # can materialize on-heap to return correct results at the desired read consistency level.
+    #
+    # "cached_replica_rows_warn_threshold" is the per-query threshold at which a warning will be logged.
+    # "cached_replica_rows_fail_threshold" is the per-query threshold at which the query will fail.
+    #
+    # These thresholds may also be adjusted at runtime using the StorageService mbean.
+    #
+    # If the failure threshold is breached, it is likely that either the current page/fetch size
+    # is too large or one or more replicas is severely out-of-sync and in need of repair.
+    cached_rows_warn_threshold: 2000
+    cached_rows_fail_threshold: 32000
+
+# Log WARN on any multiple-partition batch size exceeding this value. 5KiB per batch by default.
+# Caution should be taken on increasing the size of this threshold as it can lead to node instability.
+# Min unit: KiB
+batch_size_warn_threshold: 5KiB
+
+# Fail any multiple-partition batch exceeding this value. 50KiB (10x warn threshold) by default.
+# Min unit: KiB
+batch_size_fail_threshold: 50KiB
+
+# Log WARN on any batches not of type LOGGED than span across more partitions than this limit
+unlogged_batch_across_partitions_warn_threshold: 10
+
+# Log a warning when compacting partitions larger than this value
+compaction_large_partition_warning_threshold: 100MiB
+
+# Log a warning when writing more tombstones than this value to a partition
+compaction_tombstone_warning_threshold: 100000
+
+# GC Pauses greater than 200 ms will be logged at INFO level
+# This threshold can be adjusted to minimize logging if necessary
+# Min unit: ms
+# gc_log_threshold: 200ms
+
+# GC Pauses greater than gc_warn_threshold will be logged at WARN level
+# Adjust the threshold based on your application throughput requirement. Setting to 0
+# will deactivate the feature.
+# Min unit: ms
+# gc_warn_threshold: 1000ms
+
+# Maximum size of any value in SSTables. Safety measure to detect SSTable corruption
+# early. Any value size larger than this threshold will result into marking an SSTable
+# as corrupted. This should be positive and less than 2GiB.
+# Min unit: MiB
+# max_value_size: 256MiB
+
+# ** Impact on keyspace creation **
+# If replication factor is not mentioned as part of keyspace creation, default_keyspace_rf would apply.
+# Changing this configuration would only take effect for keyspaces created after the change, but does not impact
+# existing keyspaces created prior to the change.
+# ** Impact on keyspace alter **
+# When altering a keyspace from NetworkTopologyStrategy to SimpleStrategy, default_keyspace_rf is applied if rf is not
+# explicitly mentioned.
+# ** Impact on system keyspaces **
+# This would also apply for any system keyspaces that need replication factor.
+# A further note about system keyspaces - system_traces and system_distributed keyspaces take RF of 2 or default,
+# whichever is higher, and system_auth keyspace takes RF of 1 or default, whichever is higher.
+# Suggested value for use in production: 3
+# default_keyspace_rf: 1
+
+# Track a metric per keyspace indicating whether replication achieved the ideal consistency
+# level for writes without timing out. This is different from the consistency level requested by
+# each write which may be lower in order to facilitate availability.
+# ideal_consistency_level: EACH_QUORUM
+
+# Automatically upgrade sstables after upgrade - if there is no ordinary compaction to do, the
+# oldest non-upgraded sstable will get upgraded to the latest version
+# automatic_sstable_upgrade: false
+# Limit the number of concurrent sstable upgrades
+# max_concurrent_automatic_sstable_upgrades: 1
+
+# Audit logging - Logs every incoming CQL command request, authentication to a node. See the docs
+# on audit_logging for full details about the various configuration options.
+audit_logging_options:
+  enabled: false
+  logger:
+    - class_name: BinAuditLogger
+  # audit_logs_dir:
+  # included_keyspaces:
+  # excluded_keyspaces: system, system_schema, system_virtual_schema
+  # included_categories:
+  # excluded_categories:
+  # included_users:
+  # excluded_users:
+  # roll_cycle: HOURLY
+  # block: true
+  # max_queue_weight: 268435456 # 256 MiB
+  # max_log_size: 17179869184 # 16 GiB
+  ## archive command is "/path/to/script.sh %path" where %path is replaced with the file being rolled:
+  # archive_command:
+  # max_archive_retries: 10
+
+
+# default options for full query logging - these can be overridden from command line when executing
+# nodetool enablefullquerylog
+# full_query_logging_options:
+  # log_dir:
+  # roll_cycle: HOURLY
+  # block: true
+  # max_queue_weight: 268435456 # 256 MiB
+  # max_log_size: 17179869184 # 16 GiB
+  ## archive command is "/path/to/script.sh %path" where %path is replaced with the file being rolled:
+  # archive_command:
+  ## note that enabling this allows anyone with JMX/nodetool access to run local shell commands as the user running cassandra
+  # allow_nodetool_archive_command: false
+  # max_archive_retries: 10
+
+# validate tombstones on reads and compaction
+# can be either "disabled", "warn" or "exception"
+# corrupted_tombstone_strategy: disabled
+
+# Diagnostic Events #
+# If enabled, diagnostic events can be helpful for troubleshooting operational issues. Emitted events contain details
+# on internal state and temporal relationships across events, accessible by clients via JMX.
+diagnostic_events_enabled: false
+
+# Use native transport TCP message coalescing. If on upgrade to 4.0 you found your throughput decreasing, and in
+# particular you run an old kernel or have very fewer client connections, this option might be worth evaluating.
+#native_transport_flush_in_batches_legacy: false
+
+# Enable tracking of repaired state of data during reads and comparison between replicas
+# Mismatches between the repaired sets of replicas can be characterized as either confirmed
+# or unconfirmed. In this context, unconfirmed indicates that the presence of pending repair
+# sessions, unrepaired partition tombstones, or some other condition means that the disparity
+# cannot be considered conclusive. Confirmed mismatches should be a trigger for investigation
+# as they may be indicative of corruption or data loss.
+# There are separate flags for range vs partition reads as single partition reads are only tracked
+# when CL > 1 and a digest mismatch occurs. Currently, range queries don't use digests so if
+# enabled for range reads, all range reads will include repaired data tracking. As this adds
+# some overhead, operators may wish to disable it whilst still enabling it for partition reads
+repaired_data_tracking_for_range_reads_enabled: false
+repaired_data_tracking_for_partition_reads_enabled: false
+# If false, only confirmed mismatches will be reported. If true, a separate metric for unconfirmed
+# mismatches will also be recorded. This is to avoid potential signal:noise issues are unconfirmed
+# mismatches are less actionable than confirmed ones.
+report_unconfirmed_repaired_data_mismatches: false
+
+# Having many tables and/or keyspaces negatively affects performance of many operations in the
+# cluster. When the number of tables/keyspaces in the cluster exceeds the following thresholds
+# a client warning will be sent back to the user when creating a table or keyspace.
+# As of cassandra 4.1, these properties are deprecated in favor of keyspaces_warn_threshold and tables_warn_threshold
+# table_count_warn_threshold: 150
+# keyspace_count_warn_threshold: 40
+
+# configure the read and write consistency levels for modifications to auth tables
+# auth_read_consistency_level: LOCAL_QUORUM
+# auth_write_consistency_level: EACH_QUORUM
+
+# Delays on auth resolution can lead to a thundering herd problem on reconnects; this option will enable
+# warming of auth caches prior to node completing startup. See CASSANDRA-16958
+# auth_cache_warming_enabled: false
+
+#########################
+# EXPERIMENTAL FEATURES #
+#########################
+
+# Enables materialized view creation on this node.
+# Materialized views are considered experimental and are not recommended for production use.
+materialized_views_enabled: false
+
+# Enables SASI index creation on this node.
+# SASI indexes are considered experimental and are not recommended for production use.
+sasi_indexes_enabled: false
+
+# Enables creation of transiently replicated keyspaces on this node.
+# Transient replication is experimental and is not recommended for production use.
+transient_replication_enabled: false
+
+# Enables the used of 'ALTER ... DROP COMPACT STORAGE' statements on this node.
+# 'ALTER ... DROP COMPACT STORAGE' is considered experimental and is not recommended for production use.
+drop_compact_storage_enabled: false
+
+# Whether or not USE <keyspace> is allowed. This is enabled by default to avoid failure on upgrade.
+#use_statements_enabled: true
+
+# When the client triggers a protocol exception or unknown issue (Cassandra bug) we increment
+# a client metric showing this; this logic will exclude specific subnets from updating these
+# metrics
+#client_error_reporting_exclusions:
+#  subnets:
+#    - 127.0.0.1
+#    - 127.0.0.0/31
+
+# Enables read thresholds (warn/fail) across all replicas for reporting back to the client.
+# See: CASSANDRA-16850
+# read_thresholds_enabled: false # scheduled to be set true in 4.2
+# When read_thresholds_enabled: true, this tracks the materialized size of a query on the
+# coordinator. If coordinator_read_size_warn_threshold is defined, this will emit a warning
+# to clients with details on what query triggered this as well as the size of the result set; if
+# coordinator_read_size_fail_threshold is defined, this will fail the query after it
+# has exceeded this threshold, returning a read error to the user.
+# coordinator_read_size_warn_threshold:
+# coordinator_read_size_fail_threshold:
+# When read_thresholds_enabled: true, this tracks the size of the local read (as defined by
+# heap size), and will warn/fail based off these thresholds; undefined disables these checks.
+# local_read_size_warn_threshold:
+# local_read_size_fail_threshold:
+# When read_thresholds_enabled: true, this tracks the expected memory size of the RowIndexEntry
+# and will warn/fail based off these thresholds; undefined disables these checks
+# row_index_read_size_warn_threshold:
+# row_index_read_size_fail_threshold:
+
+# Guardrail to warn or fail when creating more user keyspaces than threshold.
+# The two thresholds default to -1 to disable.
+# keyspaces_warn_threshold: -1
+# keyspaces_fail_threshold: -1
+# Guardrail to warn or fail when creating more user tables than threshold.
+# The two thresholds default to -1 to disable.
+# tables_warn_threshold: -1
+# tables_fail_threshold: -1
+# Guardrail to enable or disable the ability to create uncompressed tables
+# uncompressed_tables_enabled: true
+# Guardrail to warn or fail when creating/altering a table with more columns per table than threshold.
+# The two thresholds default to -1 to disable.
+# columns_per_table_warn_threshold: -1
+# columns_per_table_fail_threshold: -1
+# Guardrail to warn or fail when creating more secondary indexes per table than threshold.
+# The two thresholds default to -1 to disable.
+# secondary_indexes_per_table_warn_threshold: -1
+# secondary_indexes_per_table_fail_threshold: -1
+# Guardrail to enable or disable the creation of secondary indexes
+# secondary_indexes_enabled: true
+# Guardrail to warn or fail when creating more materialized views per table than threshold.
+# The two thresholds default to -1 to disable.
+# materialized_views_per_table_warn_threshold: -1
+# materialized_views_per_table_fail_threshold: -1
+# Guardrail to warn about, ignore or reject properties when creating tables. By default all properties are allowed.
+# table_properties_warned: []
+# table_properties_ignored: []
+# table_properties_disallowed: []
+# Guardrail to allow/disallow user-provided timestamps. Defaults to true.
+# user_timestamps_enabled: true
+# Guardrail to allow/disallow GROUP BY functionality.
+# group_by_enabled: true
+# Guardrail to allow/disallow TRUNCATE and DROP TABLE statements
+# drop_truncate_table_enabled: true
+# Guardrail to warn or fail when using a page size greater than threshold.
+# The two thresholds default to -1 to disable.
+# page_size_warn_threshold: -1
+# page_size_fail_threshold: -1
+# Guardrail to allow/disallow list operations that require read before write, i.e. setting list element by index and
+# removing list elements by either index or value. Defaults to true.
+# read_before_write_list_operations_enabled: true
+# Guardrail to warn or fail when querying with an IN restriction selecting more partition keys than threshold.
+# The two thresholds default to -1 to disable.
+# partition_keys_in_select_warn_threshold: -1
+# partition_keys_in_select_fail_threshold: -1
+# Guardrail to warn or fail when an IN query creates a cartesian product with a size exceeding threshold,
+# eg. "a in (1,2,...10) and b in (1,2...10)" results in cartesian product of 100.
+# The two thresholds default to -1 to disable.
+# in_select_cartesian_product_warn_threshold: -1
+# in_select_cartesian_product_fail_threshold: -1
+# Guardrail to warn about or reject read consistency levels. By default, all consistency levels are allowed.
+# read_consistency_levels_warned: []
+# read_consistency_levels_disallowed: []
+# Guardrail to warn about or reject write consistency levels. By default, all consistency levels are allowed.
+# write_consistency_levels_warned: []
+# write_consistency_levels_disallowed: []
+# Guardrail to warn or fail when encountering larger size of collection data than threshold.
+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case
+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to
+# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections,
+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.
+# The two thresholds default to null to disable.
+# Min unit: B
+# collection_size_warn_threshold:
+# Min unit: B
+# collection_size_fail_threshold:
+# Guardrail to warn or fail when encountering more elements in collection than threshold.
+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case
+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to
+# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections,
+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.
+# The two thresholds default to -1 to disable.
+# items_per_collection_warn_threshold: -1
+# items_per_collection_fail_threshold: -1
+# Guardrail to allow/disallow querying with ALLOW FILTERING. Defaults to true.
+# allow_filtering_enabled: true
+# Guardrail to warn or fail when creating a user-defined-type with more fields in than threshold.
+# Default -1 to disable.
+# fields_per_udt_warn_threshold: -1
+# fields_per_udt_fail_threshold: -1
+# Guardrail to warn or fail when local data disk usage percentage exceeds threshold. Valid values are in [1, 100].
+# This is only used for the disks storing data directories, so it won't count any separate disks used for storing
+# the commitlog, hints nor saved caches. The disk usage is the ratio between the amount of space used by the data
+# directories and the addition of that same space and the remaining free space on disk. The main purpose of this
+# guardrail is rejecting user writes when the disks are over the defined usage percentage, so the writes done by
+# background processes such as compaction and streaming don't fail due to a full disk. The limits should be defined
+# accordingly to the expected data growth due to those background processes, so for example a compaction strategy
+# doubling the size of the data would require to keep the disk usage under 50%.
+# The two thresholds default to -1 to disable.
+# data_disk_usage_percentage_warn_threshold: -1
+# data_disk_usage_percentage_fail_threshold: -1
+# Allows defining the max disk size of the data directories when calculating thresholds for
+# disk_usage_percentage_warn_threshold and disk_usage_percentage_fail_threshold, so if this is greater than zero they
+# become percentages of a fixed size on disk instead of percentages of the physically available disk size. This should
+# be useful when we have a large disk and we only want to use a part of it for Cassandra's data directories.
+# Valid values are in [1, max available disk size of all data directories].
+# Defaults to null to disable and use the physically available disk size of data directories during calculations.
+# Min unit: B
+# data_disk_usage_max_disk_size:
+# Guardrail to warn or fail when the minimum replication factor is lesser than threshold.
+# This would also apply to system keyspaces.
+# Suggested value for use in production: 2 or higher
+# minimum_replication_factor_warn_threshold: -1
+# minimum_replication_factor_fail_threshold: -1
+
+# Startup Checks are executed as part of Cassandra startup process, not all of them
+# are configurable (so you can disable them) but these which are enumerated bellow.
+# Uncomment the startup checks and configure them appropriately to cover your needs.
+#
+#startup_checks:
+# Verifies correct ownership of attached locations on disk at startup. See CASSANDRA-16879 for more details.
+#  check_filesystem_ownership:
+#    enabled: false
+#    ownership_token: "sometoken" # (overriden by "CassandraOwnershipToken" system property)
+#    ownership_filename: ".cassandra_fs_ownership" # (overriden by "cassandra.fs_ownership_filename")
+# Prevents a node from starting if snitch's data center differs from previous data center.
+#  check_dc:
+#    enabled: true # (overriden by cassandra.ignore_dc system property)
+# Prevents a node from starting if snitch's rack differs from previous rack.
+#  check_rack:
+#    enabled: true # (overriden by cassandra.ignore_rack system property)
+# Enable this property to fail startup if the node is down for longer than gc_grace_seconds, to potentially
+# prevent data resurrection on tables with deletes. By default, this will run against all keyspaces and tables
+# except the ones specified on excluded_keyspaces and excluded_tables.
+#  check_data_resurrection:
+#    enabled: false
+# file where Cassandra periodically writes the last time it was known to run
+#    heartbeat_file: /var/lib/cassandra/data/cassandra-heartbeat
+#    excluded_keyspaces: # comma separated list of keyspaces to exclude from the check
+#    excluded_tables: # comma separated list of keyspace.table pairs to exclude from the check

Exec[install-/srv/cassandra/cassandra-b/saved_caches]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-b/saved_caches].orig
+++ Exec[install-/srv/cassandra/cassandra-b/saved_caches]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/saved_caches
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-b/saved_caches
+    before  => Systemd::Service[cassandra-b]

Ferm::Service[cassandra-cql]

Parameters differences:

--- Ferm::Service[cassandra-cql].orig
+++ Ferm::Service[cassandra-cql]

+    desc    => 
+    prio    => 10
+    srange  => (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.67.128.0/17 2620:0:861:cabe::/64 10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 10.194.128.0/17 2620:0:860:cabe::/64 10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 10.194.61.0/24 2620:0:860:302::/64)
+    port    => 9042
+    ensure  => present
+    notrack => False
+    proto   => tcp

Java::Cacert[wmf:puppetca.pem]

Parameters differences:

--- Java::Cacert[wmf:puppetca.pem].orig
+++ Java::Cacert[wmf:puppetca.pem]

+    path      => /etc/ssl/certs/Puppet_Internal_CA.pem
+    group     => root
+    storepass => changeit
+    require   => Alternatives::Java[11]
+    ensure    => present
+    owner     => root

Prometheus::Jmx_exporter_instance[aqs1024-a]

Parameters differences:

--- Prometheus::Jmx_exporter_instance[aqs1024-a].orig
+++ Prometheus::Jmx_exporter_instance[aqs1024-a]

+    labels   => {}
+    port     => 7800
+    hostname => aqs1024-a

Interface::Ip[cassandra-b ipv4]

Parameters differences:

--- Interface::Ip[cassandra-b ipv4].orig
+++ Interface::Ip[cassandra-b ipv4]

+    ensure    => present
+    address   => 10.64.156.21
+    prefixlen => 32
+    interface => ens8f0np0

File[/etc/cassandra-b/tls]

Parameters differences:

--- File[/etc/cassandra-b/tls].orig
+++ File[/etc/cassandra-b/tls]

+    group   => cassandra
+    mode    => 0400
+    ensure  => directory
+    recurse => True
+    owner   => cassandra

Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl].orig
+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]

+    notes_url              => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates
+    host_name              => aqs1024
+    active_checks_enabled  => 1
+    check_interval         => 1
+    check_freshness        => 0
+    notifications_enabled  => 1
+    ensure                 => absent
+    notification_interval  => 0
+    max_check_attempts     => 3
+    contact_groups         => admins,team-services
+    check_period           => 24x7
+    service_description    => cassandra-b SSL 10.64.156.21:7000
+    passive_checks_enabled => 1
+    check_command          => check_ssl_on_host_port!aqs1024-b!10.64.156.21!7000
+    notification_options   => c,r,f
+    retry_interval         => 1
+    servicegroups          => aqs_eqiad
+    notification_period    => 24x7
+    is_volatile            => 0

Monitoring::Exported_nagios_service[aqs1024 raid_md]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 raid_md].orig
+++ Monitoring::Exported_nagios_service[aqs1024 raid_md]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => aqs_eqiad

Monitoring::Service[cassandra-a-cql]

Parameters differences:

--- Monitoring::Service[cassandra-a-cql].orig
+++ Monitoring::Service[cassandra-a-cql]

+    critical       => False
+    notes_url      => https://phabricator.wikimedia.org/T93886
+    check_command  => check_tcp_ip!10.64.156.18!9042
+    host           => aqs1024
+    retry_interval => 1
+    config_dir     => /etc/nagios
+    description    => cassandra-a CQL 10.64.156.18:9042
+    check_interval => 1
+    migration_task => T407117
+    ensure         => absent
+    freshness      => 36000
+    retries        => 3
+    contact_group  => admins,team-services
+    passive        => False

File[/etc/update-motd.d/05-aqs]

Parameters differences:

--- File[/etc/update-motd.d/05-aqs].orig
+++ File[/etc/update-motd.d/05-aqs]

+    group  => root
+    mode   => 0555
+    ensure => present
+    owner  => root

Content differences:

--- /etc/update-motd.d/05-aqs.orig
+++ /etc/update-motd.d/05-aqs
@@ -0,0 +1,2 @@
+#!/bin/sh
+printf "%s\n" "aqs1024 is a Analytics Query Service - Cassandra instance (aqs)"

Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]

+    common_name => aqs1024-b.eqiad.wmnet
+    names       => []
+    ensure      => present
+    hosts       => ['cassandra', 'aqs1024.eqiad.wmnet']
+    key         => {'algo': 'ecdsa', 'size': 256}

Class[Profile::Apt]

Parameters differences:

--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[cassandra-tools-wmf]', 'Package[jvm-tools]', 'Package[cassandra-tools]', 'Package[libjemalloc2]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[openjdk-11-jdk]', 'Package[cassandra]', 'Package[prometheus-jmx-exporter]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]']

File[/etc/cassandra-a/tls/server.key]

Parameters differences:

--- File[/etc/cassandra-a/tls/server.key].orig
+++ File[/etc/cassandra-a/tls/server.key]

+    group  => cassandra
+    mode   => 0440
+    ensure => present
+    owner  => cassandra

Sudo::User[scap_deploy-service]

Parameters differences:

--- Sudo::User[scap_deploy-service].orig
+++ Sudo::User[scap_deploy-service]

+    require    => ['Class[Sudo]']
+    user       => deploy-service
+    privileges => ['ALL=(deploy-service) NOPASSWD: ALL']
+    ensure     => present

File[/usr/local/bin/bootstrap-scap-target.sh]

Parameters differences:

--- File[/usr/local/bin/bootstrap-scap-target.sh].orig
+++ File[/usr/local/bin/bootstrap-scap-target.sh]

+    source => puppet:///modules/scap/bootstrap-scap-target.sh
+    group  => root
+    mode   => 0755
+    owner  => root

Class[Profile::Rsyslog::Udp_localhost_compat]

Parameters differences:

--- Class[Profile::Rsyslog::Udp_localhost_compat].orig
+++ Class[Profile::Rsyslog::Udp_localhost_compat]

+    queue_enabled_sites   => ['ulsfo', 'esams', 'eqsin', 'eqiad', 'codfw', 'drmrs', 'magru']
+    logging_kafka_brokers => ['kafka-logging1001.eqiad.wmnet:9093', 'kafka-logging1002.eqiad.wmnet:9093', 'kafka-logging1003.eqiad.wmnet:9093', 'kafka-logging1004.eqiad.wmnet:9093', 'kafka-logging1005.eqiad.wmnet:9093']
+    port                  => 10514

File[/etc/cassandra-b/credentials]

Parameters differences:

--- File[/etc/cassandra-b/credentials].orig
+++ File[/etc/cassandra-b/credentials]

+    group => root
+    mode  => 0400
+    owner => root

Content differences:

--- /etc/cassandra-b/credentials.orig
+++ /etc/cassandra-b/credentials
@@ -0,0 +1,36 @@
+; SPDX-License-Identifier: Apache-2.0
+; Licensed to the Apache Software Foundation (ASF) under one
+; or more contributor license agreements.  See the NOTICE file
+; distributed with this work for additional information
+; regarding copyright ownership.  The ASF licenses this file
+; to you under the Apache License, Version 2.0 (the
+; "License"); you may not use this file except in compliance
+; with the License.  You may obtain a copy of the License at
+;
+;   http://www.apache.org/licenses/LICENSE-2.0
+;
+; Unless required by applicable law or agreed to in writing,
+; software distributed under the License is distributed on an
+; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+; KIND, either express or implied.  See the License for the
+; specific language governing permissions and limitations
+; under the License.
+;
+; Sample ~/.cassandra/credentials file.
+;
+; The section name must match the classname from the cqlshrc file
+; For example, if cqlshrc contains settings
+;
+; [auth_provider]
+; module = cassandra.auth
+; classname = PlainTextAuthProvider
+;
+; then the credentials file should contain a [PlainTextAuthProvider] section with the username and password parameters, as indicated in this example.
+;
+; For backward compatibility, it is also possible to specify [plain_text_auth] as a header.
+;
+; Please ensure this file is owned by the user and is not readable by group and other users.
+
+[PlainTextAuthProvider]
+username = cassandra
+password = nosuchpass

File[/etc/cassandra-a/user_aqsloader.cql]

Parameters differences:

--- File[/etc/cassandra-a/user_aqsloader.cql].orig
+++ File[/etc/cassandra-a/user_aqsloader.cql]

+    require => Package[cassandra]
+    group   => root
+    mode    => 0400
+    owner   => root

Content differences:

--- /etc/cassandra-a/user_aqsloader.cql.orig
+++ /etc/cassandra-a/user_aqsloader.cql
@@ -0,0 +1,27 @@
+-- SPDX-License-Identifier: Apache-2.0
+
+CREATE USER IF NOT EXISTS aqsloader WITH PASSWORD 'yadayadayada';
+
+GRANT MODIFY ON KEYSPACE aqs TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_editors_bycountry" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_knowledge_gap_by_category" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_lgc_pagecounts_per_project" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_mediarequest_per_file" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_mediarequest_per_referer" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_mediarequest_top_files" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_pageviews_per_article_flat" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_pageviews_per_project_v2" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_top_bycountry" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_top_pageviews" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_top_percountry" TO 'aqsloader';
+GRANT MODIFY ON KEYSPACE "local_group_default_T_unique_devices" TO 'aqsloader';
+
+-- FIXME: image suggestions should *not* being using the aqsloader; This
+-- was added as a break-fix (see: https://phabricator.wikimedia.org/T356400).
+GRANT MODIFY ON KEYSPACE image_suggestions TO aqsloader;
+
+-- Commons Impact Metrics â https://phabricator.wikimedia.org/T362697
+GRANT MODIFY ON KEYSPACE commons TO aqsloader;
+
+-- New-style AQS tables
+GRANT MODIFY ON KEYSPACE analytics TO aqsloader;

Ssh::Userkey[deploy-service]

Parameters differences:

--- Ssh::Userkey[deploy-service].orig
+++ Ssh::Userkey[deploy-service]

+    user   => deploy-service
+    ensure => present

Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]

Parameters differences:

--- Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr].orig
+++ Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]

+    common_name => aqs1024-a.eqiad.wmnet
+    names       => []
+    ensure      => present
+    hosts       => ['cassandra', 'aqs1024.eqiad.wmnet']
+    key         => {'algo': 'ecdsa', 'size': 256}

File[/etc/cassandra-a/jvm-server.options]

Parameters differences:

--- File[/etc/cassandra-a/jvm-server.options].orig
+++ File[/etc/cassandra-a/jvm-server.options]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-a/jvm-server.options.orig
+++ /etc/cassandra-a/jvm-server.options
@@ -0,0 +1,220 @@
+# SPDX-License-Identifier: Apache-2.0
+# Note:  This file is managed by Puppet.
+#        It was taken from the Cassandra Debian package and templatized
+#        here in order to assign configuration.
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+###########################################################################
+#                         jvm-server.options                              #
+#                                                                         #
+# - all flags defined here will be used by cassandra to startup the JVM   #
+# - one flag should be specified per line                                 #
+# - lines that do not start with '-' will be ignored                      #
+# - only static flags are accepted (no variables or parameters)           #
+# - dynamic flags will be appended to these on cassandra-env              #
+#                                                                         #
+# See jvm8-server.options and jvm11-server.options for Java version       #
+# specific options.                                                       #
+###########################################################################
+
+######################
+# STARTUP PARAMETERS #
+######################
+
+# Uncomment any of the following properties to enable specific startup parameters
+
+# In a multi-instance deployment, multiple Cassandra instances will independently assume that all
+# CPU processors are available to it. This setting allows you to specify a smaller set of processors
+# and perhaps have affinity.
+#-Dcassandra.available_processors=number_of_processors
+
+# The directory location of the cassandra.yaml file.
+#-Dcassandra.config=directory
+
+# Sets the initial partitioner token for a node the first time the node is started.
+#-Dcassandra.initial_token=token
+
+# Set to false to start Cassandra on a node but not have the node join the cluster.
+#-Dcassandra.join_ring=true|false
+
+# Set to false to clear all gossip state for the node on restart. Use when you have changed node
+# information in cassandra.yaml (such as listen_address).
+#-Dcassandra.load_ring_state=true|false
+
+# Enable pluggable metrics reporter. See Pluggable metrics reporting in Cassandra 2.0.2.
+#-Dcassandra.metricsReporterConfigFile=file
+
+# Set the port on which the CQL native transport listens for clients. (Default: 9042)
+#-Dcassandra.native_transport_port=port
+
+# Overrides the partitioner. (Default: org.apache.cassandra.dht.Murmur3Partitioner)
+#-Dcassandra.partitioner=partitioner
+
+# To replace a node that has died, restart a new node in its place specifying the address of the
+# dead node. The new node must not have any data in its data directory, that is, it must be in the
+# same state as before bootstrapping.
+#-Dcassandra.replace_address=listen_address or broadcast_address of dead node
+
+# Allow restoring specific tables from an archived commit log.
+#-Dcassandra.replayList=table
+
+# Allows overriding of the default RING_DELAY (30000ms), which is the amount of time a node waits
+# before joining the ring.
+#-Dcassandra.ring_delay_ms=ms
+
+# Allows overriding the timeout after which an unresponsive bootstrapping node is considered failed
+# and is removed from gossip state and bootstrapTokens. (Default: cassandra.ring_delay * 2)
+#-Dcassandra.failed_bootstrap_timeout_ms=ms
+
+# Set the SSL port for encrypted communication. (Default: 7001)
+#-Dcassandra.ssl_storage_port=port
+
+# Set the port for inter-node communication. (Default: 7000)
+#-Dcassandra.storage_port=port
+
+# Set the default location for the trigger JARs. (Default: conf/triggers)
+#-Dcassandra.triggers_dir=directory
+
+# For testing new compaction and compression strategies. It allows you to experiment with different
+# strategies and benchmark write performance differences without affecting the production workload. 
+#-Dcassandra.write_survey=true
+
+# To disable configuration via JMX of auth caches (such as those for credentials, permissions and
+# roles). This will mean those config options can only be set (persistently) in cassandra.yaml
+# and will require a restart for new values to take effect.
+#-Dcassandra.disable_auth_caches_remote_configuration=true
+
+# To disable dynamic calculation of the page size used when indexing an entire partition (during
+# initial index build/rebuild). If set to true, the page size will be fixed to the default of
+# 10000 rows per page.
+#-Dcassandra.force_default_indexing_page_size=true
+
+# Imposes an upper bound on hint lifetime below the normal min gc_grace_seconds
+#-Dcassandra.maxHintTTL=max_hint_ttl_in_seconds
+
+########################
+# GENERAL JVM SETTINGS #
+########################
+
+# enable assertions. highly suggested for correct application functionality.
+-ea
+
+# disable assertions for net.openhft.** because it runs out of memory by design
+# if enabled and run for more than just brief testing
+-da:net.openhft...
+
+# enable thread priorities, primarily so we can give periodic tasks
+# a lower priority to avoid interfering with client workload
+-XX:+UseThreadPriorities
+
+# Enable heap-dump if there's an OOM
+-XX:+HeapDumpOnOutOfMemoryError
+
+# Per-thread stack size.
+-Xss256k
+
+# Make sure all memory is faulted and zeroed on startup.
+# This helps prevent soft faults in containers and makes
+# transparent hugepage allocation more effective.
+-XX:+AlwaysPreTouch
+
+# Disable biased locking as it does not benefit Cassandra.
+-XX:-UseBiasedLocking
+
+# Enable thread-local allocation blocks and allow the JVM to automatically
+# resize them at runtime.
+-XX:+UseTLAB
+-XX:+ResizeTLAB
+-XX:+UseNUMA
+
+# http://www.evanjones.ca/jvm-mmap-pause.html
+-XX:+PerfDisableSharedMem
+
+# Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). See
+# http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:
+# comment out this entry to enable IPv6 support).
+-Djava.net.preferIPv4Stack=true
+
+### Debug options
+
+# uncomment to enable flight recorder
+#-XX:+UnlockCommercialFeatures
+#-XX:+FlightRecorder
+
+# uncomment to have Cassandra JVM listen for remote debuggers/profilers on port 1414
+#-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1414
+
+# uncomment to have Cassandra JVM log internal method compilation (developers only)
+#-XX:+UnlockDiagnosticVMOptions
+#-XX:+LogCompilation
+
+#################
+# HEAP SETTINGS #
+#################
+
+# Heap size is automatically calculated by cassandra-env based on this
+# formula: max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
+# That is:
+# - calculate 1/2 ram and cap to 1024MB
+# - calculate 1/4 ram and cap to 8192MB
+# - pick the max
+#
+# For production use you may wish to adjust this for your environment.
+# If that's the case, uncomment the -Xmx and Xms options below to override the
+# automatic calculation of JVM heap memory.
+#
+# It is recommended to set min (-Xms) and max (-Xmx) heap sizes to
+# the same value to avoid stop-the-world GC pauses during resize, and
+# so that we can lock the heap in memory on startup to prevent any
+# of it from being swapped out.
+-Xms16g
+-Xmx16g
+
+# Young generation size is automatically calculated by cassandra-env
+# based on this formula: min(100 * num_cores, 1/4 * heap size)
+#
+# The main trade-off for the young generation is that the larger it
+# is, the longer GC pause times will be. The shorter it is, the more
+# expensive GC will be (usually).
+#
+# It is not recommended to set the young generation size if using the
+# G1 GC, since that will override the target pause-time goal.
+# More info: http://www.oracle.com/technetwork/articles/java/g1gc-1984535.html
+#
+# The example below assumes a modern 8-core+ machine for decent
+# times. If in doubt, and if you do not particularly want to tweak, go
+# 100 MB per physical CPU core.
+#-Xmn800M
+
+###################################
+# EXPIRATION DATE OVERFLOW POLICY #
+###################################
+
+# Defines how to handle INSERT requests with TTL exceeding the maximum supported expiration date:
+# * REJECT: this is the default policy and will reject any requests with expiration date timestamp after 2038-01-19T03:14:06+00:00.
+# * CAP: any insert with TTL expiring after 2038-01-19T03:14:06+00:00 will expire on 2038-01-19T03:14:06+00:00 and the client will receive a warning.
+# * CAP_NOWARN: same as previous, except that the client warning will not be emitted.
+#
+#-Dcassandra.expiration_date_overflow_policy=REJECT
+
+###################################
+# WMF-specific customizations     #
+###################################
+-Dcassandra.instance-id=aqs1024-a

File[/etc/cassandra-a/jvm11-clients.options]

Parameters differences:

--- File[/etc/cassandra-a/jvm11-clients.options].orig
+++ File[/etc/cassandra-a/jvm11-clients.options]

+    group  => root
+    force  => True
+    ensure => link
+    target => /etc/cassandra/jvm11-clients.options
+    owner  => root

File[/etc/ferm/conf.d/10_deployment_ssh]

Parameters differences:

--- File[/etc/ferm/conf.d/10_deployment_ssh].orig
+++ File[/etc/ferm/conf.d/10_deployment_ssh]

+    group   => root
+    tag     => ferm
+    require => File[/etc/ferm/conf.d]
+    mode    => 0400
+    ensure  => present
+    notify  => Service[ferm]
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_deployment_ssh.orig
+++ /etc/ferm/conf.d/10_deployment_ssh
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 22, $DEPLOYMENT_HOSTS);
+
+

Rsyslog::Conf[udp_localhost_compat]

Parameters differences:

--- Rsyslog::Conf[udp_localhost_compat].orig
+++ Rsyslog::Conf[udp_localhost_compat]

+    ensure   => present
+    priority => 50
+    mode     => 0444

File[/usr/local/bin/sstableutil-a]

Parameters differences:

--- File[/usr/local/bin/sstableutil-a].orig
+++ File[/usr/local/bin/sstableutil-a]

+    group   => root
+    require => File[/usr/local/bin/sstable-util-instance]
+    ensure  => link
+    target  => /usr/local/bin/sstable-util-instance
+    owner   => root

User[deploy-service]

Parameters differences:

--- User[deploy-service].orig
+++ User[deploy-service]

+    shell      => /bin/bash
+    home       => /var/lib/deploy-service
+    membership => minimum
+    ensure     => present
+    system     => True
+    groups     => ['deploy-service']

File[/usr/local/bin/cqlsh-a]

Parameters differences:

--- File[/usr/local/bin/cqlsh-a].orig
+++ File[/usr/local/bin/cqlsh-a]

+    group   => root
+    require => Package[cassandra-tools-wmf]
+    ensure  => link
+    target  => /usr/bin/cqlsh-instance
+    owner   => root

File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]

Parameters differences:

--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem].orig
+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]

+    group     => cassandra
+    mode      => 0440
+    ensure    => file
+    backup    => False
+    show_diff => False
+    owner     => cassandra

Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]

Parameters differences:

--- Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia].orig
+++ Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]

+    uri                      => http://apt.wikimedia.org/wikimedia
+    source                   => True
+    trust_repo               => False
+    allow_releaseinfo_change => False
+    bin                      => True
+    dist                     => bullseye-wikimedia
+    ensure                   => present
+    components               => component/cassandra41

File[/etc/update-motd.d/05-insetup--data-persistence-ferm]

Parameters differences:

--- File[/etc/update-motd.d/05-insetup--data-persistence-ferm].orig
+++ File[/etc/update-motd.d/05-insetup--data-persistence-ferm]

-    group  => root
-    mode   => 0555
-    ensure => present
-    owner  => root

Content differences:

--- /etc/update-motd.d/05-insetup--data-persistence-ferm.orig
+++ /etc/update-motd.d/05-insetup--data-persistence-ferm
@@ -1,2 +0,0 @@
-#!/bin/sh
-printf "%s\n" "aqs1024 is a Host being setup by Data Persistence SREs (insetup::data_persistence_ferm)"

File[/usr/local/bin/nodetool-instance]

Parameters differences:

--- File[/usr/local/bin/nodetool-instance].orig
+++ File[/usr/local/bin/nodetool-instance]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0555
+    ensure  => present
+    source  => puppet:///modules/cassandra/nodetool-instance
+    owner   => cassandra

Service[cassandra-b]

Parameters differences:

--- Service[cassandra-b].orig
+++ Service[cassandra-b]

+    enable => True
+    ensure => running

Exec[install-/srv/storage-3/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-3/cassandra-a/data].orig
+++ Exec[install-/srv/storage-3/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-3/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-3/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

Class[Adduser]

Parameters differences:

--- Class[Adduser].orig
+++ Class[Adduser]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[cassandra-tools-wmf]', 'Package[jvm-tools]', 'Package[cassandra-tools]', 'Package[libjemalloc2]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[openjdk-11-jdk]', 'Package[cassandra]', 'Package[prometheus-jmx-exporter]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[cassandra/logstash-logback-encoder]']

Exec[install-/srv/storage-1/cassandra-a/data]

Parameters differences:

--- Exec[install-/srv/storage-1/cassandra-a/data].orig
+++ Exec[install-/srv/storage-1/cassandra-a/data]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-1/cassandra-a/data
+    path    => /usr/bin/:/bin/
+    creates => /srv/storage-1/cassandra-a/data
+    before  => Systemd::Service[cassandra-a]

Package[git-lfs]

Parameters differences:

--- Package[git-lfs].orig
+++ Package[git-lfs]

+    provider => apt
+    ensure   => installed

File[/srv/cassandra-b]

Parameters differences:

--- File[/srv/cassandra-b].orig
+++ File[/srv/cassandra-b]

+    group   => cassandra
+    require => Package[cassandra]
+    mode    => 0750
+    ensure  => directory
+    owner   => cassandra

File[/etc/ferm/conf.d/10_cassandra-intra-node]

Parameters differences:

--- File[/etc/ferm/conf.d/10_cassandra-intra-node].orig
+++ File[/etc/ferm/conf.d/10_cassandra-intra-node]

+    group   => root
+    tag     => ferm
+    require => File[/etc/ferm/conf.d]
+    mode    => 0400
+    ensure  => present
+    notify  => Service[ferm]
+    owner   => root

Content differences:

--- /etc/ferm/conf.d/10_cassandra-intra-node.orig
+++ /etc/ferm/conf.d/10_cassandra-intra-node
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&R_SERVICE(tcp, 7000, @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)));
+
+

File[/etc/cassandra-b/logback-tools.xml]

Parameters differences:

--- File[/etc/cassandra-b/logback-tools.xml].orig
+++ File[/etc/cassandra-b/logback-tools.xml]

+    group  => cassandra
+    ensure => present
+    mode   => 0444
+    source => puppet:///modules/cassandra/logback-tools.xml-4.x
+    links  => follow
+    owner  => cassandra

Exec[install-/srv/cassandra/cassandra-a/hints]

Parameters differences:

--- Exec[install-/srv/cassandra/cassandra-a/hints].orig
+++ Exec[install-/srv/cassandra/cassandra-a/hints]

+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/hints
+    path    => /usr/bin/:/bin/
+    creates => /srv/cassandra/cassandra-a/hints
+    before  => Systemd::Service[cassandra-a]

File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]

Parameters differences:

--- File[/etc/rsyslog.d/50-udp-json-logback-compat.conf].orig
+++ File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]

+    group  => root
+    mode   => 0444
+    ensure => present
+    notify => Service[rsyslog]
+    owner  => root

Content differences:

--- /etc/rsyslog.d/50-udp-json-logback-compat.conf.orig
+++ /etc/rsyslog.d/50-udp-json-logback-compat.conf
@@ -0,0 +1,43 @@
+# Provide a UDP input to accept JSON payloads on localhost and forward them to logstash via Kakfa.
+
+module(load="imudp")
+module(load="mmjsonparse")
+module(load="omkafka")
+
+template(name="template_udp_json_logback_compat" type="list") {
+  property(name="$!all-json")
+}
+
+# Use the parsed json "level" field value as the kafka topic suffix
+template(name="udp_json_logback_compat_topic" type="string" string="logback-%!level:::lowercase%")
+
+# Use a separate (in memory) queue to limit message processing to this ruleset only.
+ruleset(name="ruleset_udp_json_logback_compat" queue.type="LinkedList") {
+
+  action(type="mmjsonparse" name="mmjsonparse_udp_json_logback_compat" cookie="" useRawMsg="on")
+
+  if $parsesuccess == "OK" then {
+    action(type="omkafka"
+           broker=["kafka-logging1001.eqiad.wmnet:9093","kafka-logging1002.eqiad.wmnet:9093","kafka-logging1003.eqiad.wmnet:9093","kafka-logging1004.eqiad.wmnet:9093","kafka-logging1005.eqiad.wmnet:9093"]
+           topic="udp_json_logback_compat_topic"
+           dynatopic="on"
+           dynatopic.cachesize="1000"
+           partitions.auto="on"
+           template="template_udp_json_logback_compat"
+           queue.type="LinkedList" queue.size="10000" queue.filename="udp_json_logback_compat"
+           queue.highWatermark="7000" queue.lowWatermark="6000"
+           queue.checkpointInterval="5"
+           queue.maxDiskSpace="40960000"
+           confParam=[ "security.protocol=ssl",
+                       "ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt",
+                       "compression.codec=snappy",
+                       "socket.timeout.ms=60000",
+                       "socket.keepalive.enable=true",
+                       "queue.buffering.max.ms=50",
+                       "batch.num.messages=1000" ]
+    )
+  }
+
+}
+
+input(type="imudp" port="11514" address="localhost" ruleset="ruleset_udp_json_logback_compat")

File[/etc/cassandra-b/cassandra-rackdc.properties]

Parameters differences:

--- File[/etc/cassandra-b/cassandra-rackdc.properties].orig
+++ File[/etc/cassandra-b/cassandra-rackdc.properties]

+    group  => cassandra
+    mode   => 0444
+    ensure => present
+    owner  => cassandra

Content differences:

--- /etc/cassandra-b/cassandra-rackdc.properties.orig
+++ /etc/cassandra-b/cassandra-rackdc.properties
@@ -0,0 +1,6 @@
+# Note: This file is managed by Puppet.
+
+# These properties are used with GossipingPropertyFileSnitch and will
+# indicate the rack and dc for this node
+dc=eqiad
+rack=rack2

Class[Profile::Cassandra]

Parameters differences:

--- Class[Profile::Cassandra].orig
+++ Class[Profile::Cassandra]

+    allow_analytics       => True
+    tls_keystore_password => test
+    monitor_enabled       => True
+    cassandra_settings    => {'dc': 'eqiad', 'cluster_name': 'Analytics Query Service Storage', 'tls_cluster_name': 'aqs', 'tls_use_pki_truststore': True, 'tls_use_pki': True, 'start_rpc': False, 'target_version': '4.x', 'default_instance_params': {'max_heap_size': '16g', 'heap_newsize': '2048m', 'compaction_throughput_mb_per_sec': 256, 'concurrent_compactors': 12, 'concurrent_writes': 64, 'concurrent_reads': 64, 'permissions_validity_in_ms': 600000, 'internode_encryption': 'all', 'client_encryption_enabled': True, 'client_encryption_optional': True}, 'users': ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']}
+    cassandra_passwords   => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}
+    monitor_tls_port      => 7000
+    all_instances         => {'aqs1010.eqiad.wmnet': {'a': {'listen_address': '10.64.0.88'}, 'b': {'listen_address': '10.64.0.120'}}, 'aqs1011.eqiad.wmnet': {'a': {'listen_address': '10.64.16.204'}, 'b': {'listen_address': '10.64.16.206'}}, 'aqs1012.eqiad.wmnet': {'a': {'listen_address': '10.64.32.128', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.32.145', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}, 'aqs1014.eqiad.wmnet': {'a': {'listen_address': '10.64.48.65'}, 'b': {'listen_address': '10.64.48.67'}}, 'aqs1015.eqiad.wmnet': {'a': {'listen_address': '10.64.48.68'}, 'b': {'listen_address': '10.64.48.69'}}, 'aqs1016.eqiad.wmnet': {'a': {'listen_address': '10.64.0.199'}, 'b': {'listen_address': '10.64.0.213'}}, 'aqs1017.eqiad.wmnet': {'a': {'listen_address': '10.64.16.74'}, 'b': {'listen_address': '10.64.16.78'}}, 'aqs1018.eqiad.wmnet': {'a': {'listen_address': '10.64.32.22'}, 'b': {'listen_address': '10.64.32.31'}}, 'aqs1019.eqiad.wmnet': {'a': {'listen_address': '10.64.48.119'}, 'b': {'listen_address': '10.64.48.122'}}, 'aqs1020.eqiad.wmnet': {'a': {'listen_address': '10.64.131.14'}, 'b': {'listen_address': '10.64.131.15'}}, 'aqs1021.eqiad.wmnet': {'a': {'listen_address': '10.64.135.14'}, 'b': {'listen_address': '10.64.135.15'}}, 'aqs1022.eqiad.wmnet': {'a': {'listen_address': '10.64.48.94'}, 'b': {'listen_address': '10.64.48.181'}}, 'aqs1023.eqiad.wmnet': {'a': {'listen_address': '10.64.177.6', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.177.7', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}, 'aqs1024.eqiad.wmnet': {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}, 'aqs2001.codfw.wmnet': {'a': {'listen_address': '10.192.0.214'}, 'b': {'listen_address': '10.192.0.215'}}, 'aqs2002.codfw.wmnet': {'a': {'listen_address': '10.192.0.216'}, 'b': {'listen_address': '10.192.0.217'}}, 'aqs2003.codfw.wmnet': {'a': {'listen_address': '10.192.0.218'}, 'b': {'listen_address': '10.192.0.219'}}, 'aqs2004.codfw.wmnet': {'a': {'listen_address': '10.192.0.220'}, 'b': {'listen_address': '10.192.0.221'}}, 'aqs2005.codfw.wmnet': {'a': {'listen_address': '10.192.16.174'}, 'b': {'listen_address': '10.192.16.179'}}, 'aqs2006.codfw.wmnet': {'a': {'listen_address': '10.192.16.183'}, 'b': {'listen_address': '10.192.16.185'}}, 'aqs2007.codfw.wmnet': {'a': {'listen_address': '10.192.16.186'}, 'b': {'listen_address': '10.192.16.187'}}, 'aqs2008.codfw.wmnet': {'a': {'listen_address': '10.192.16.188'}, 'b': {'listen_address': '10.192.16.189'}}, 'aqs2009.codfw.wmnet': {'a': {'listen_address': '10.192.48.192'}, 'b': {'listen_address': '10.192.48.193'}}, 'aqs2010.codfw.wmnet': {'a': {'listen_address': '10.192.48.194'}, 'b': {'listen_address': '10.192.48.195'}}, 'aqs2011.codfw.wmnet': {'a': {'listen_address': '10.192.48.196'}, 'b': {'listen_address': '10.192.48.197'}}, 'aqs2012.codfw.wmnet': {'a': {'listen_address': '10.192.48.198'}, 'b': {'listen_address': '10.192.48.199'}}}
+    auto_apply_grants     => False
+    client_ips            => ['10.67.128.0/17', '2620:0:861:cabe::/64', '10.64.64.0/21', '2620:0:861:babe::/64', '10.192.64.0/21', '2620:0:860:babe::/64', '10.194.128.0/17', '2620:0:860:cabe::/64', '10.67.16.0/21', '2620:0:861:300::/64', '10.194.16.0/21', '2620:0:860:300::/64', '10.194.61.0/24', '2620:0:860:302::/64']
+    rack                  => rack2

File[/etc/sysctl.d/05-cassandra.conf]

Parameters differences:

--- File[/etc/sysctl.d/05-cassandra.conf].orig
+++ File[/etc/sysctl.d/05-cassandra.conf]

+    group  => root
+    notify => Exec[update_sysctl]
+    ensure => present
+    owner  => root

Content differences:

--- /etc/sysctl.d/05-cassandra.conf.orig
+++ /etc/sysctl.d/05-cassandra.conf
@@ -0,0 +1,3 @@
+# sysctl parameters managed by Puppet.
+vm.dirty_background_bytes = 25165824
+vm.max_map_count = 1048575

Monitoring::Exported_nagios_service[aqs1024 ferm_active]

Parameters differences:

--- Monitoring::Exported_nagios_service[aqs1024 ferm_active].orig
+++ Monitoring::Exported_nagios_service[aqs1024 ferm_active]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqiad
+    servicegroups         => aqs_eqiad

Compilation results for aqs1024.eqiad.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

Resources only in the old catalog

Resources modified

Relevant files