{"host": "aqs1024.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2774, "only_in_self": ["Class[Role::Insetup::Data_persistence_ferm]", "File[/etc/update-motd.d/05-insetup--data-persistence-ferm]", "Motd::Message[insetup::data_persistence_ferm]", "Motd::Script[insetup::data_persistence_ferm]", "Node[__node_regexp__aqs1024-7.eqiad.]"], "only_in_other": ["Alternatives::Java[11]", "Apt::Package_from_component[cassandra]", "Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "Augeas[ens8f0np0_10.64.156.18/32]", "Augeas[ens8f0np0_10.64.156.21/32]", "Cassandra::Instance::Monitoring[a]", "Cassandra::Instance::Monitoring[b]", "Cassandra::Instance[a]", "Cassandra::Instance[b]", "Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]", "Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]", "Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "Class[Cassandra::Logging]", "Class[Cassandra::Sysctl]", "Class[Cassandra]", "Class[Git::Lfs]", "Class[Java]", "Class[Profile::Cassandra]", "Class[Profile::Java]", "Class[Profile::Rsyslog::Udp_json_logback_compat]", "Class[Profile::Rsyslog::Udp_localhost_compat]", "Class[Role::Aqs]", "Class[Scap::Ferm]", "Class[Scap::User]", "Class[Scap]", "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]", "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]", "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]", "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]", "Exec[apt_package_from_component_cassandra]", "Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "Exec[bootstrap-scap-target]", "Exec[chown /srv/deployment/cassandra for deploy-service]", "Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "Exec[create chained cert 
/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "Exec[install-/srv/cassandra/cassandra-a/commitlog]", "Exec[install-/srv/cassandra/cassandra-a/hints]", "Exec[install-/srv/cassandra/cassandra-a/saved_caches]", "Exec[install-/srv/cassandra/cassandra-a/system]", "Exec[install-/srv/cassandra/cassandra-b/commitlog]", "Exec[install-/srv/cassandra/cassandra-b/hints]", "Exec[install-/srv/cassandra/cassandra-b/saved_caches]", "Exec[install-/srv/cassandra/cassandra-b/system]", "Exec[install-/srv/storage-0/cassandra-a/data]", "Exec[install-/srv/storage-0/cassandra-b/data]", "Exec[install-/srv/storage-1/cassandra-a/data]", "Exec[install-/srv/storage-1/cassandra-b/data]", "Exec[install-/srv/storage-2/cassandra-a/data]", "Exec[install-/srv/storage-2/cassandra-b/data]", "Exec[install-/srv/storage-3/cassandra-a/data]", "Exec[install-/srv/storage-3/cassandra-b/data]", "Exec[install-/srv/storage-4/cassandra-a/data]", "Exec[install-/srv/storage-4/cassandra-b/data]", "Exec[install-/srv/storage-5/cassandra-a/data]", "Exec[install-/srv/storage-5/cassandra-b/data]", "Exec[install-/srv/storage-6/cassandra-a/data]", "Exec[install-/srv/storage-6/cassandra-b/data]", "Exec[install-/srv/storage-7/cassandra-a/data]", "Exec[install-/srv/storage-7/cassandra-b/data]", "Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]", "Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]", "Exec[java__cacert_Puppet_Internal_CA]", "Exec[java__cacert_Wikimedia_Internal_Root_CA]", "Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]", "Exec[java__cacert_wmf:puppetca.pem]", "Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]", "Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]", "Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]", "Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]", "Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]", "Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]", "Exec[update_java_alternatives_11]", 
"Ferm::Service[cassandra-analytics-cql]", "Ferm::Service[cassandra-cql]", "Ferm::Service[cassandra-intra-node-ssl]", "Ferm::Service[cassandra-intra-node]", "Ferm::Service[cassandra-jmx-rmi]", "Ferm::Service[deployment_ssh]", "File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]", "File[/etc/cassandra-a/cassandra-env.sh]", "File[/etc/cassandra-a/cassandra-rackdc.properties]", "File[/etc/cassandra-a/cassandra.yaml]", "File[/etc/cassandra-a/commitlog_archiving.properties]", "File[/etc/cassandra-a/cqlshrc]", "File[/etc/cassandra-a/credentials]", "File[/etc/cassandra-a/hotspot_compiler]", "File[/etc/cassandra-a/jvm-clients.options]", "File[/etc/cassandra-a/jvm-server.options]", "File[/etc/cassandra-a/jvm11-clients.options]", "File[/etc/cassandra-a/jvm11-server.options]", "File[/etc/cassandra-a/jvm17-server.options]", "File[/etc/cassandra-a/logback-tools.xml]", "File[/etc/cassandra-a/logback.xml]", "File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]", "File[/etc/cassandra-a/tls/server.key]", "File[/etc/cassandra-a/tls]", "File[/etc/cassandra-a/user_aqsloader.cql]", "File[/etc/cassandra-a/user_commons_impact_analytics.cql]", "File[/etc/cassandra-a/user_data_gateway.cql]", "File[/etc/cassandra-a/user_device_analytics.cql]", "File[/etc/cassandra-a/user_edit_analytics.cql]", "File[/etc/cassandra-a/user_editor_analytics.cql]", "File[/etc/cassandra-a/user_geo_analytics.cql]", "File[/etc/cassandra-a/user_image_suggestions.cql]", "File[/etc/cassandra-a/user_media_analytics.cql]", "File[/etc/cassandra-a/user_page_analytics.cql]", 
"File[/etc/cassandra-a/user_revise_tone_task_generator.cql]", "File[/etc/cassandra-a]", "File[/etc/cassandra-b/cassandra-env.sh]", "File[/etc/cassandra-b/cassandra-rackdc.properties]", "File[/etc/cassandra-b/cassandra.yaml]", "File[/etc/cassandra-b/commitlog_archiving.properties]", "File[/etc/cassandra-b/cqlshrc]", "File[/etc/cassandra-b/credentials]", "File[/etc/cassandra-b/hotspot_compiler]", "File[/etc/cassandra-b/jvm-clients.options]", "File[/etc/cassandra-b/jvm-server.options]", "File[/etc/cassandra-b/jvm11-clients.options]", "File[/etc/cassandra-b/jvm11-server.options]", "File[/etc/cassandra-b/jvm17-server.options]", "File[/etc/cassandra-b/logback-tools.xml]", "File[/etc/cassandra-b/logback.xml]", "File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]", "File[/etc/cassandra-b/tls/server.key]", "File[/etc/cassandra-b/tls]", "File[/etc/cassandra-b/user_aqsloader.cql]", "File[/etc/cassandra-b/user_commons_impact_analytics.cql]", "File[/etc/cassandra-b/user_data_gateway.cql]", "File[/etc/cassandra-b/user_device_analytics.cql]", "File[/etc/cassandra-b/user_edit_analytics.cql]", "File[/etc/cassandra-b/user_editor_analytics.cql]", "File[/etc/cassandra-b/user_geo_analytics.cql]", "File[/etc/cassandra-b/user_image_suggestions.cql]", "File[/etc/cassandra-b/user_media_analytics.cql]", "File[/etc/cassandra-b/user_page_analytics.cql]", "File[/etc/cassandra-b/user_revise_tone_task_generator.cql]", "File[/etc/cassandra-b]", "File[/etc/cassandra-instances.d/aqs1024-a.yaml]", "File[/etc/cassandra-instances.d/aqs1024-b.yaml]", "File[/etc/cassandra-instances.d]", "File[/etc/cassandra.in.sh]", 
"File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "File[/etc/ferm/conf.d/10_cassandra-analytics-cql]", "File[/etc/ferm/conf.d/10_cassandra-cql]", "File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]", "File[/etc/ferm/conf.d/10_cassandra-intra-node]", "File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]", "File[/etc/ferm/conf.d/10_deployment_ssh]", "File[/etc/init.d/cassandra]", "File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]", "File[/etc/rsyslog.d/50-udp-localhost-compat.conf]", "File[/etc/scap.cfg]", "File[/etc/ssh/userkeys/deploy-service]", "File[/etc/ssh/userkeys/scap]", "File[/etc/ssl/localcerts/wmf-java-cacerts]", "File[/etc/sudoers.d/scap_deploy-service]", "File[/etc/sysctl.d/05-cassandra.conf]", "File[/etc/sysusers.d/scap.conf]", "File[/etc/tmpfiles.d/cassandra.conf]", "File[/etc/update-motd.d/05-aqs]", "File[/lib/systemd/system/cassandra-a.service]", "File[/lib/systemd/system/cassandra-b.service]", "File[/srv/cassandra-a]", "File[/srv/cassandra-b]", "File[/usr/bin/scap]", "File[/usr/local/bin/bootstrap-scap-target.sh]", "File[/usr/local/bin/cassandra_validate_grants]", "File[/usr/local/bin/cqlsh-a]", "File[/usr/local/bin/cqlsh-b]", "File[/usr/local/bin/nodetool-a]", "File[/usr/local/bin/nodetool-b]", "File[/usr/local/bin/nodetool-instance]", "File[/usr/local/bin/sstable-util-instance]", "File[/usr/local/bin/sstableutil-a]", "File[/usr/local/bin/sstableutil-b]", "File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]", "File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]", "File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]", "File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]", "File[/var/lib/deploy-service]", "File[/var/lib/scap]", "Firewall::Service[deployment-ssh]", "Group[deploy-service]", "Group[scap]", "Interface::Alias[cassandra-a]", "Interface::Alias[cassandra-b]", "Interface::Ip[cassandra-a ipv4]", "Interface::Ip[cassandra-b ipv4]", 
"Java::Cacert[Puppet_Internal_CA]", "Java::Cacert[Wikimedia_Internal_Root_CA]", "Java::Cacert[wmf:Wikimedia_Internal_Root_CA]", "Java::Cacert[wmf:puppetca.pem]", "Java::Package[openjdk-jdk-11]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]", "Monitoring::Service[cassandra-a-cql]", "Monitoring::Service[cassandra-a-ssl]", "Monitoring::Service[cassandra-b-cql]", "Monitoring::Service[cassandra-b-ssl]", "Motd::Message[aqs]", "Motd::Script[aqs]", "Node[__node_regexp__aqs1010-214-920-4.eqiad.]", "Package[cassandra-tools-wmf]", "Package[cassandra-tools]", "Package[cassandra/logstash-logback-encoder]", "Package[cassandra]", "Package[git-lfs]", "Package[jvm-tools]", "Package[libjemalloc2]", "Package[openjdk-11-jdk]", "Package[prometheus-jmx-exporter]", "Package[python3-venv]", "Package[rsync]", "Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]", "Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]", "Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]", "Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]", "Prometheus::Jmx_exporter_instance[aqs1024-a]", "Prometheus::Jmx_exporter_instance[aqs1024-b]", "Rsyslog::Conf[udp_json_logback_compat]", "Rsyslog::Conf[udp_localhost_compat]", "Scap::Target[cassandra/logstash-logback-encoder]", "Service[cassandra-a]", "Service[cassandra-b]", "Service[cassandra]", "Ssh::Userkey[deploy-service]", "Ssh::Userkey[scap]", "Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]", "Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]", "Sudo::User[scap_deploy-service]", "Sysctl::Conffile[cassandra]", "Sysctl::Parameters[cassandra]", "Systemd::Service[cassandra-a]", "Systemd::Service[cassandra-b]", "Systemd::Sysuser[scap]", "Systemd::Unit[cassandra-a]", "Systemd::Unit[cassandra-b]", "User[deploy-service]", "User[scap]"], "resource_diffs": 
[{"resource": "File[/etc/cassandra-a/cqlshrc]", "content": "--- /etc/cassandra-a/cqlshrc.orig\n+++ /etc/cassandra-a/cqlshrc\n@@ -0,0 +1,7 @@\n+; SPDX-License-Identifier: Apache-2.0\n+\n+[authentication]\n+credentials = /etc/cassandra-a/credentials\n+\n+[ssl]\n+certfile = /etc/ssl/certs/wmf-ca-certificates.crt", "parameters": "--- File[/etc/cassandra-a/cqlshrc].orig\n+++ File[/etc/cassandra-a/cqlshrc]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Package[cassandra/logstash-logback-encoder]", "parameters": "--- Package[cassandra/logstash-logback-encoder].orig\n+++ Package[cassandra/logstash-logback-encoder]\n\n+    require         => User[deploy-service]\n+    install_options => [{'owner': 'deploy-service'}]\n+    provider        => scap3\n+    ensure          => present\n"}, {"resource": "File[/lib/systemd/system/cassandra-b.service]", "content": "--- /lib/systemd/system/cassandra-b.service.orig\n+++ /lib/systemd/system/cassandra-b.service\n@@ -0,0 +1,24 @@\n+[Unit]\n+Description=distributed storage system for structured data\n+After=network.target\n+# On bootstrap / provisioning, don't attempt to start all instances,\n+# wait instead for the guard file to exist, see also T214166\n+ConditionPathExists=/etc/cassandra-b/service-enabled\n+\n+[Service]\n+User=cassandra\n+PIDFile=/var/run/cassandra/cassandra-b.pid\n+LimitNOFILE=100000\n+LimitMEMLOCK=infinity\n+Environment=\"CASSANDRA_INCLUDE=/etc/cassandra.in.sh\"\n+Environment=\"CASSANDRA_CONF=/etc/cassandra-b\"\n+Environment=\"CASSANDRA_INSTANCE=aqs1024-b\"\n+Environment=\"CASSANDRA_LOG_DIR=/var/log/cassandra\"\n+ExecStart=/usr/sbin/cassandra -p /var/run/cassandra/cassandra-b.pid\n+\n+# Deinit on shutdown (see: https://phabricator.wikimedia.org/T327954)\n+ExecStop=-/usr/local/bin/nodetool-b disablethrift\n+ExecStop=-/usr/local/bin/nodetool-b disablebinary\n+ExecStop=-/usr/local/bin/nodetool-b disablegossip\n+ExecStop=-/usr/local/bin/nodetool-b 
drain\n+ExecStop=/usr/local/bin/nodetool-b stopdaemon", "parameters": "--- File[/lib/systemd/system/cassandra-b.service].orig\n+++ File[/lib/systemd/system/cassandra-b.service]\n\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n+    notify => Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]\n+    owner  => root\n"}, {"resource": "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]\n\n+    group     => cassandra\n+    mode      => 0440\n+    ensure    => file\n+    backup    => False\n+    show_diff => False\n+    owner     => cassandra\n"}, {"resource": "File[/etc/cassandra-b/cqlshrc]", "content": "--- /etc/cassandra-b/cqlshrc.orig\n+++ /etc/cassandra-b/cqlshrc\n@@ -0,0 +1,7 @@\n+; SPDX-License-Identifier: Apache-2.0\n+\n+[authentication]\n+credentials = /etc/cassandra-b/credentials\n+\n+[ssl]\n+certfile = /etc/ssl/certs/wmf-ca-certificates.crt", "parameters": "--- File[/etc/cassandra-b/cqlshrc].orig\n+++ File[/etc/cassandra-b/cqlshrc]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]", "parameters": "--- Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet].orig\n+++ Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]\n\n+    group           => cassandra\n+    hosts           => ['cassandra', 'aqs1024.eqiad.wmnet']\n+    notify          => Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]\n+    provide_chain   => True\n+    owner           => cassandra\n+    renew_seconds   => 952200\n+    names           => []\n+    mode            => 0400\n+    ensure          => present\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    common_name     => aqs1024-a.eqiad.wmnet\n+    before_services => []\n+    outdir          => 
/etc/cassandra-a/tls\n+    label           => cassandra\n+    auto_renew      => True\n+    notify_services => []\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 disk_space].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 disk_space]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => Host being setup by Data Persistence SREs\n+    role_description => Analytics Query Service - Cassandra instance\n"}, {"resource": "Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]", "parameters": "--- Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a].orig\n+++ Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]\n\n+    group       => cassandra\n+    public_key  => /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem\n+    outfile     => /etc/cassandra-a/tls/server.key\n+    ensure      => present\n+    password    => test\n+    private_key => /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem\n+    owner       => cassandra\n"}, {"resource": "File[/usr/local/bin/sstable-util-instance]", "parameters": "--- File[/usr/local/bin/sstable-util-instance].orig\n+++ File[/usr/local/bin/sstable-util-instance]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0555\n+    ensure  => present\n+    source  => puppet:///modules/cassandra/sstable-util-instance\n+    owner   => cassandra\n"}, {"resource": "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "parameters": "--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem].orig\n+++ 
File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => file\n+    source => puppet:///modules/profile/pki/intermediates/cassandra-cert.pem\n+    owner  => cassandra\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-a/system]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-a/system].orig\n+++ Exec[install-/srv/cassandra/cassandra-a/system]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/system\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-a/system\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "Scap::Target[cassandra/logstash-logback-encoder]", "parameters": "--- Scap::Target[cassandra/logstash-logback-encoder].orig\n+++ Scap::Target[cassandra/logstash-logback-encoder]\n\n+    additional_services_names => []\n+    manage_ssh_key            => True\n+    sudo_rules                => []\n+    manage_user               => True\n+    package_name              => cassandra/logstash-logback-encoder\n+    ensure                    => present\n+    key_name                  => deploy-service\n+    deploy_user               => deploy-service\n"}, {"resource": "File[/usr/local/bin/sstableutil-b]", "parameters": "--- File[/usr/local/bin/sstableutil-b].orig\n+++ File[/usr/local/bin/sstableutil-b]\n\n+    group   => root\n+    require => File[/usr/local/bin/sstable-util-instance]\n+    ensure  => link\n+    target  => /usr/local/bin/sstable-util-instance\n+    owner   => root\n"}, {"resource": "File[/srv/cassandra-a]", "parameters": "--- File[/srv/cassandra-a].orig\n+++ File[/srv/cassandra-a]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0750\n+    ensure  => directory\n+    owner   => 
cassandra\n"}, {"resource": "Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "parameters": "--- Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem].orig\n+++ Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]\n\n+    command   => /bin/cat /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem > /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem\n+    unless    => /usr/bin/test \"$(/bin/cat /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem | sha512sum)\"\n\n+    subscribe => ['Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]', 'File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]', 'File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]']\n"}, {"resource": "Package[jvm-tools]", "parameters": "--- Package[jvm-tools].orig\n+++ Package[jvm-tools]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "Exec[install-/srv/storage-7/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-7/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-7/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-7/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-7/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "File[/etc/cassandra-a/logback-tools.xml]", "parameters": "--- File[/etc/cassandra-a/logback-tools.xml].orig\n+++ File[/etc/cassandra-a/logback-tools.xml]\n\n+    group  => cassandra\n+    ensure => present\n+    mode   => 0444\n+    source => puppet:///modules/cassandra/logback-tools.xml-4.x\n+    links  => follow\n+    owner  => cassandra\n"}, 
{"resource": "Class[Profile::Java]", "parameters": "--- Class[Profile::Java].orig\n+++ Class[Profile::Java]\n\n+    trust_puppet_ca => True\n+    egd_source      => /dev/random\n+    enable_dbg      => False\n+    extra_args      => {}\n+    hardened_tls    => False\n+    java_packages   => [{'version': '11', 'variant': 'jdk'}]\n"}, {"resource": "Ferm::Service[cassandra-jmx-rmi]", "parameters": "--- Ferm::Service[cassandra-jmx-rmi].orig\n+++ Ferm::Service[cassandra-jmx-rmi]\n\n+    prio       => 10\n+    srange     => @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet 
aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet))\n+    ensure     => present\n+    desc       => \n+    notrack    => False\n+    port_range => [7199, 7202]\n+    proto      => tcp\n"}, {"resource": "File[/usr/local/bin/nodetool-b]", "parameters": "--- File[/usr/local/bin/nodetool-b].orig\n+++ File[/usr/local/bin/nodetool-b]\n\n+    group   => root\n+    require => File[/usr/local/bin/nodetool-instance]\n+    ensure  => link\n+    target  => /usr/local/bin/nodetool-instance\n+    owner   => root\n"}, {"resource": "Firewall::Service[deployment-ssh]", "parameters": "--- Firewall::Service[deployment-ssh].orig\n+++ Firewall::Service[deployment-ssh]\n\n+    desc     => \n+    prio     => 10\n+    port     => 22\n+    ensure   => present\n+    notrack  => False\n+    src_sets => ['DEPLOYMENT_HOSTS']\n+    proto    => tcp\n"}, {"resource": "Augeas[ens8f0np0_10.64.156.21/32]", "parameters": "--- Augeas[ens8f0np0_10.64.156.21/32].orig\n+++ Augeas[ens8f0np0_10.64.156.21/32]\n\n+    onlyif  => match up[. = 'ip addr add 10.64.156.21/32 dev ens8f0np0'] size == 0\n+    context => /files/etc/network/interfaces/*[. 
= 'ens8f0np0' and ./family = 'inet']\n+    changes => set up[last()+1] 'ip addr add 10.64.156.21/32 dev ens8f0np0'\n+    incl    => /etc/network/interfaces\n+    lens    => Interfaces.lns\n"}, {"resource": "Class[Cassandra::Logging]", "parameters": "--- Class[Cassandra::Logging].orig\n+++ Class[Cassandra::Logging]\n\n+    require => ['Class[Cassandra]']\n"}, {"resource": "Class[Sslcert::Trusted_ca]", "parameters": "--- Class[Sslcert::Trusted_ca].orig\n+++ Class[Sslcert::Trusted_ca]\n\n@@\n-    include_bundle_jks => False\n+    include_bundle_jks => True\n"}, {"resource": "File[/etc/cassandra-b/user_page_analytics.cql]", "content": "--- /etc/cassandra-b/user_page_analytics.cql.orig\n+++ /etc/cassandra-b/user_page_analytics.cql\n@@ -0,0 +1,10 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS page_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_pageviews_per_project_v2\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_lgc_pagecounts_per_project\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_pageviews_per_article_flat\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_top_bycountry\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_top_pageviews\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_top_percountry\".data TO 'page_analytics';", "parameters": "--- File[/etc/cassandra-b/user_page_analytics.cql].orig\n+++ File[/etc/cassandra-b/user_page_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/var/lib/scap]", "parameters": "--- File[/var/lib/scap].orig\n+++ File[/var/lib/scap]\n\n+    group  => 919\n+    mode   => 0755\n+    ensure => directory\n+    owner  => 919\n"}, {"resource": "File[/usr/local/bin/cqlsh-b]", "parameters": "--- File[/usr/local/bin/cqlsh-b].orig\n+++ 
File[/usr/local/bin/cqlsh-b]\n\n+    group   => root\n+    require => Package[cassandra-tools-wmf]\n+    ensure  => link\n+    target  => /usr/bin/cqlsh-instance\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-a/user_page_analytics.cql]", "content": "--- /etc/cassandra-a/user_page_analytics.cql.orig\n+++ /etc/cassandra-a/user_page_analytics.cql\n@@ -0,0 +1,10 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS page_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_pageviews_per_project_v2\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_lgc_pagecounts_per_project\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_pageviews_per_article_flat\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_top_bycountry\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_top_pageviews\".data TO 'page_analytics';\n+GRANT SELECT ON \"local_group_default_T_top_percountry\".data TO 'page_analytics';", "parameters": "--- File[/etc/cassandra-a/user_page_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_page_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]", "content": "--- /etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list.orig\n+++ /etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list\n@@ -0,0 +1,2 @@\n+deb http://apt.wikimedia.org/wikimedia bullseye-wikimedia component/cassandra41\n+deb-src http://apt.wikimedia.org/wikimedia bullseye-wikimedia component/cassandra41", "parameters": "--- File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list].orig\n+++ 
File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]\n\n+    group  => root\n+    mode   => 0444\n+    ensure => file\n+    notify => Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]\n+    owner  => root\n"}, {"resource": "File[/etc/cassandra-a/logback.xml]", "content": "--- /etc/cassandra-a/logback.xml.orig\n+++ /etc/cassandra-a/logback.xml\n@@ -0,0 +1,152 @@\n+<!--\n+SPDX-License-Identifier: Apache-2.0\n+Note:  This file is managed by Puppet.\n+       It was taken from the Cassandra Debian package and templatized\n+       here in order to assign configuration.\n+-->\n+\n+<!--\n+ Licensed to the Apache Software Foundation (ASF) under one\n+ or more contributor license agreements.  See the NOTICE file\n+ distributed with this work for additional information\n+ regarding copyright ownership.  The ASF licenses this file\n+ to you under the Apache License, Version 2.0 (the\n+ \"License\"); you may not use this file except in compliance\n+ with the License.  You may obtain a copy of the License at\n+\n+   http://www.apache.org/licenses/LICENSE-2.0\n+\n+ Unless required by applicable law or agreed to in writing,\n+ software distributed under the License is distributed on an\n+ \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n+ KIND, either express or implied.  
See the License for the\n+ specific language governing permissions and limitations\n+ under the License.\n+-->\n+\n+<!--\n+In order to disable debug.log, comment-out the ASYNCDEBUGLOG\n+appender reference in the root level section below.\n+-->\n+\n+<configuration scan=\"true\" scanPeriod=\"60 seconds\">\n+  <jmxConfigurator />\n+\n+  <!-- No shutdown hook; we run it ourselves in StorageService after shutdown -->\n+\n+  <!-- SYSTEMLOG rolling file appender to system.log (INFO level) -->\n+\n+  <appender name=\"SYSTEMLOG\" class=\"ch.qos.logback.core.rolling.RollingFileAppender\">\n+    <filter class=\"ch.qos.logback.classic.filter.ThresholdFilter\">\n+      <level>INFO</level>\n+    </filter>\n+    <file>${cassandra.logdir}/system-a.log</file>\n+    <rollingPolicy class=\"ch.qos.logback.core.rolling.FixedWindowRollingPolicy\">\n+      <fileNamePattern>${cassandra.logdir}/system-a.log.%i.zip</fileNamePattern>\n+      <minIndex>1</minIndex>\n+      <maxIndex>40</maxIndex>\n+    </rollingPolicy>\n+\n+    <triggeringPolicy class=\"ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy\">\n+      <maxFileSize>50MB</maxFileSize>\n+    </triggeringPolicy>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>\n+    </encoder>\n+  </appender>\n+\n+  <!-- DEBUGLOG rolling file appender to debug.log (all levels) -->\n+\n+  <appender name=\"DEBUGLOG\" class=\"ch.qos.logback.core.rolling.RollingFileAppender\">\n+    <file>${cassandra.logdir}/debug-a.log</file>\n+    <rollingPolicy class=\"ch.qos.logback.core.rolling.FixedWindowRollingPolicy\">\n+      <fileNamePattern>${cassandra.logdir}/debug-a.log.%i.zip</fileNamePattern>\n+      <minIndex>1</minIndex>\n+      <maxIndex>40</maxIndex>\n+    </rollingPolicy>\n+\n+    <triggeringPolicy class=\"ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy\">\n+      <maxFileSize>50MB</maxFileSize>\n+    </triggeringPolicy>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - 
%msg%n</pattern>\n+    </encoder>\n+  </appender>\n+\n+  <appender name=\"UDP\" class=\"net.logstash.logback.appender.LogstashSocketAppender\">\n+    <host>localhost</host>\n+    <port>11514</port>\n+    <customFields>{\"program\":\"cassandra\", \"cluster\":\"Analytics Query Service Storage\", \"instance_name\":\"a\", \"HOSTNAME\": \"aqs1024.eqiad.wmnet\"}</customFields>\n+    <filter class=\"ch.qos.logback.classic.filter.ThresholdFilter\">\n+      <level>INFO</level>\n+    </filter>\n+  </appender>\n+\n+  <!-- ASYNCLOG assynchronous appender to debug.log (all levels) -->\n+\n+  <appender name=\"ASYNCDEBUGLOG\" class=\"ch.qos.logback.classic.AsyncAppender\">\n+    <queueSize>1024</queueSize>\n+    <discardingThreshold>0</discardingThreshold>\n+    <includeCallerData>true</includeCallerData>\n+    <appender-ref ref=\"DEBUGLOG\" />\n+  </appender>\n+\n+  <!-- STDOUT console appender to stdout (INFO level) -->\n+\n+  <appender name=\"STDOUT\" class=\"ch.qos.logback.core.ConsoleAppender\">\n+    <!--\n+      stdout will be captured by journald, thus show only >= WARN messages\n+      in systemctl status\n+    -->\n+    <filter class=\"ch.qos.logback.classic.filter.ThresholdFilter\">\n+      <level>WARN</level>\n+    </filter>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>\n+    </encoder>\n+  </appender>\n+\n+  <!-- Uncomment below configuration (Audit Logging (FileAuditLogger) rolling file appender and Audit Logging\n+  additivity) in order to have the log events flow through separate log file instead of system.log.\n+  Audit Logging (FileAuditLogger) rolling file appender to audit.log -->\n+  <!-- <appender name=\"AUDIT\" class=\"ch.qos.logback.core.rolling.RollingFileAppender\">\n+    <file>${cassandra.logdir}/audit/audit.log</file>\n+    <rollingPolicy class=\"ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy\"> -->\n+      <!-- rollover daily -->\n+      <!-- 
<fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern> -->\n+      <!-- each file should be at most 50MB, keep 30 days worth of history, but at most 5GB -->\n+      <!-- <maxFileSize>50MB</maxFileSize>\n+      <maxHistory>30</maxHistory>\n+      <totalSizeCap>5GB</totalSizeCap>\n+    </rollingPolicy>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>\n+    </encoder>\n+  </appender> -->\n+\n+  <!-- Audit Logging additivity to redirect audit logging events to audit/audit.log -->\n+  <!-- <logger name=\"org.apache.cassandra.audit\" additivity=\"false\" level=\"INFO\">\n+    <appender-ref ref=\"AUDIT\"/>\n+  </logger> -->\n+\n+  <!-- Uncomment bellow and corresponding appender-ref to activate logback metrics\n+  <appender name=\"LogbackMetrics\" class=\"com.codahale.metrics.logback.InstrumentedAppender\" />\n+   -->\n+\n+  <root level=\"INFO\">\n+    <appender-ref ref=\"SYSTEMLOG\" />\n+    <appender-ref ref=\"STDOUT\" />\n+    <appender-ref ref=\"UDP\" />\n+    <appender-ref ref=\"ASYNCDEBUGLOG\" /> <!-- Comment this line to disable debug.log -->\n+    <!--\n+    <appender-ref ref=\"LogbackMetrics\" />\n+    -->\n+  </root>\n+\n+  <logger name=\"org.apache.cassandra.utils.StatusLogger\" additivity=\"false\">\n+    <appender-ref ref=\"SYSTEMLOG\" />\n+    <appender-ref ref=\"STDOUT\"/>\n+  </logger>\n+\n+  <logger name=\"org.apache.cassandra\" level=\"DEBUG\"/>\n+</configuration>", "parameters": "--- File[/etc/cassandra-a/logback.xml].orig\n+++ File[/etc/cassandra-a/logback.xml]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-b/commitlog_archiving.properties]", "parameters": "--- File[/etc/cassandra-b/commitlog_archiving.properties].orig\n+++ File[/etc/cassandra-b/commitlog_archiving.properties]\n\n+    group  => cassandra\n+    ensure => present\n+    mode   => 0444\n+    source => 
puppet:///modules/cassandra/commitlog_archiving.properties-4.x\n+    links  => follow\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-a/hotspot_compiler]", "parameters": "--- File[/etc/cassandra-a/hotspot_compiler].orig\n+++ File[/etc/cassandra-a/hotspot_compiler]\n\n+    group  => cassandra\n+    ensure => present\n+    mode   => 0444\n+    source => puppet:///modules/cassandra/hotspot_compiler-4.x\n+    links  => follow\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-b/user_revise_tone_task_generator.cql]", "content": "--- /etc/cassandra-b/user_revise_tone_task_generator.cql.orig\n+++ /etc/cassandra-b/user_revise_tone_task_generator.cql\n@@ -0,0 +1,7 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS revise_tone_task_generator\n+    WITH PASSWORD = 'asdfasdfasdf' AND LOGIN = true AND SUPERUSER = false;\n+\n+-- Machine learning cache\n+GRANT MODIFY ON ml_cache.page_paragraph_tone_scores TO revise_tone_task_generator;", "parameters": "--- File[/etc/cassandra-b/user_revise_tone_task_generator.cql].orig\n+++ File[/etc/cassandra-b/user_revise_tone_task_generator.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]", "parameters": "--- Prometheus::Blackbox::Check::Tcp[cassandra-a-cql].orig\n+++ Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]\n\n+    server_name             => cassandra\n+    use_client_auth         => False\n+    ip6                     => 2620:0:861:124:10:64:156:17\n+    alert_after             => 2m\n+    site                    => eqiad\n+    certificate_expiry_days => 5\n+    ip4                     => 10.64.156.18\n+    team                    => sre\n+    prometheus_instance     => ops\n+    client_auth_key         => /etc/prometheus/ssl/server.key\n+    port                    => 9042\n+    force_tls               => True\n+    probe_runbook           => 
https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n+    instance_label          => aqs1024-a\n+    ip_families             => ['ip4']\n+    severity                => critical\n+    timeout                 => 3s\n+    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]\n\n+    notes_url              => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates\n+    host_name              => aqs1024\n+    active_checks_enabled  => 1\n+    check_interval         => 1\n+    check_freshness        => 0\n+    notifications_enabled  => 1\n+    ensure                 => absent\n+    notification_interval  => 0\n+    max_check_attempts     => 3\n+    contact_groups         => admins,team-services\n+    check_period           => 24x7\n+    service_description    => cassandra-a SSL 10.64.156.18:7000\n+    passive_checks_enabled => 1\n+    check_command          => check_ssl_on_host_port!aqs1024-a!10.64.156.18!7000\n+    notification_options   => c,r,f\n+    retry_interval         => 1\n+    servicegroups          => aqs_eqiad\n+    notification_period    => 24x7\n+    is_volatile            => 0\n"}, {"resource": "Sysctl::Parameters[cassandra]", "parameters": "--- Sysctl::Parameters[cassandra].orig\n+++ Sysctl::Parameters[cassandra]\n\n+    values   => {'vm.dirty_background_bytes': 25165824, 'vm.max_map_count': 1048575}\n+    priority => 5\n+    ensure   => present\n"}, {"resource": "Package[libjemalloc2]", "parameters": "--- Package[libjemalloc2].orig\n+++ Package[libjemalloc2]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "Exec[java__cacert_Wikimedia_Internal_Root_CA]", "parameters": "--- Exec[java__cacert_Wikimedia_Internal_Root_CA].orig\n+++ 
Exec[java__cacert_Wikimedia_Internal_Root_CA]\n\n+    before  => File[/etc/ssl/localcerts/wmf-java-cacerts]\n+    command => /usr/bin/keytool -import  -noprompt -keystore /etc/ssl/localcerts/wmf-java-cacerts     -file /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt -storepass changeit -alias Wikimedia_Internal_Root_CA\n\n+    group   => root\n+    unless  => /usr/bin/keytool -list -keystore /etc/ssl/localcerts/wmf-java-cacerts -noprompt -storepass changeit -alias Wikimedia_Internal_Root_CA\n+    user    => root\n"}, {"resource": "File[/etc/cassandra-b/cassandra-env.sh]", "content": "--- /etc/cassandra-b/cassandra-env.sh.orig\n+++ /etc/cassandra-b/cassandra-env.sh\n@@ -0,0 +1,316 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and is templatized\n+#        here in order to set various options from puppet.\n+\n+# Licensed to the Apache Software Foundation (ASF) under one\n+# or more contributor license agreements.  See the NOTICE file\n+# distributed with this work for additional information\n+# regarding copyright ownership.  The ASF licenses this file\n+# to you under the Apache License, Version 2.0 (the\n+# \"License\"); you may not use this file except in compliance\n+# with the License.  
You may obtain a copy of the License at\n+#\n+#     http://www.apache.org/licenses/LICENSE-2.0\n+#\n+# Unless required by applicable law or agreed to in writing, software\n+# distributed under the License is distributed on an \"AS IS\" BASIS,\n+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n+# See the License for the specific language governing permissions and\n+# limitations under the License.\n+\n+calculate_heap_sizes()\n+{\n+    case \"`uname`\" in\n+        Linux)\n+            system_memory_in_mb=`free -m | awk '/:/ {print $2;exit}'`\n+            system_cpu_cores=`egrep -c 'processor([[:space:]]+):.*' /proc/cpuinfo`\n+        ;;\n+        FreeBSD)\n+            system_memory_in_bytes=`sysctl hw.physmem | awk '{print $2}'`\n+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`\n+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`\n+        ;;\n+        SunOS)\n+            system_memory_in_mb=`prtconf | awk '/Memory size:/ {print $3}'`\n+            system_cpu_cores=`psrinfo | wc -l`\n+        ;;\n+        Darwin)\n+            system_memory_in_bytes=`sysctl hw.memsize | awk '{print $2}'`\n+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`\n+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`\n+        ;;\n+        *)\n+            # assume reasonable defaults for e.g. 
a modern desktop or\n+            # cheap server\n+            system_memory_in_mb=\"2048\"\n+            system_cpu_cores=\"2\"\n+        ;;\n+    esac\n+\n+    # some systems like the raspberry pi don't report cores, use at least 1\n+    if [ \"$system_cpu_cores\" -lt \"1\" ]\n+    then\n+        system_cpu_cores=\"1\"\n+    fi\n+\n+    # set max heap size based on the following\n+    # max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))\n+    # calculate 1/2 ram and cap to 1024MB\n+    # calculate 1/4 ram and cap to 8192MB\n+    # pick the max\n+    half_system_memory_in_mb=`expr $system_memory_in_mb / 2`\n+    quarter_system_memory_in_mb=`expr $half_system_memory_in_mb / 2`\n+    if [ \"$half_system_memory_in_mb\" -gt \"1024\" ]\n+    then\n+        half_system_memory_in_mb=\"1024\"\n+    fi\n+    if [ \"$quarter_system_memory_in_mb\" -gt \"8192\" ]\n+    then\n+        quarter_system_memory_in_mb=\"8192\"\n+    fi\n+    if [ \"$half_system_memory_in_mb\" -gt \"$quarter_system_memory_in_mb\" ]\n+    then\n+        max_heap_size_in_mb=\"$half_system_memory_in_mb\"\n+    else\n+        max_heap_size_in_mb=\"$quarter_system_memory_in_mb\"\n+    fi\n+    MAX_HEAP_SIZE=\"${max_heap_size_in_mb}M\"\n+\n+    # Young gen: min(max_sensible_per_modern_cpu_core * num_cores, 1/4 * heap size)\n+    max_sensible_yg_per_core_in_mb=\"100\"\n+    max_sensible_yg_in_mb=`expr $max_sensible_yg_per_core_in_mb \"*\" $system_cpu_cores`\n+\n+    desired_yg_in_mb=`expr $max_heap_size_in_mb / 4`\n+\n+    if [ \"$desired_yg_in_mb\" -gt \"$max_sensible_yg_in_mb\" ]\n+    then\n+        HEAP_NEWSIZE=\"${max_sensible_yg_in_mb}M\"\n+    else\n+        HEAP_NEWSIZE=\"${desired_yg_in_mb}M\"\n+    fi\n+}\n+\n+# Sets the path where logback and GC logs are written.\n+if [ \"x$CASSANDRA_LOG_DIR\" = \"x\" ] ; then\n+    CASSANDRA_LOG_DIR=\"$CASSANDRA_HOME/logs\"\n+fi\n+\n+#GC log path has to be defined here because it needs to access CASSANDRA_HOME\n+if [ $JAVA_VERSION -ge 11 ] ; then\n+    # See 
description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax\n+    # The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M\n+    echo \"$JVM_OPTS\" | grep -qe \"-[X]log:gc\"\n+    if [ \"$?\" = \"1\" ] ; then # [X] to prevent ccm from replacing this line\n+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file\n+        mkdir -p ${CASSANDRA_LOG_DIR}\n+        JVM_OPTS=\"$JVM_OPTS -Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=${CASSANDRA_LOG_DIR}/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\"\n+    fi\n+else\n+    # Java 8\n+    echo \"$JVM_OPTS\" | grep -qe \"-[X]loggc\"\n+    if [ \"$?\" = \"1\" ] ; then # [X] to prevent ccm from replacing this line\n+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file\n+        mkdir -p ${CASSANDRA_LOG_DIR}\n+        JVM_OPTS=\"$JVM_OPTS -Xloggc:${CASSANDRA_LOG_DIR}/gc.log\"\n+    fi\n+fi\n+\n+# Check what parameters were defined on jvm-server.options file to avoid conflicts\n+echo $JVM_OPTS | grep -q Xmn\n+DEFINED_XMN=$?\n+echo $JVM_OPTS | grep -q Xmx\n+DEFINED_XMX=$?\n+echo $JVM_OPTS | grep -q Xms\n+DEFINED_XMS=$?\n+echo $JVM_OPTS | grep -q UseConcMarkSweepGC\n+USING_CMS=$?\n+echo $JVM_OPTS | grep -q +UseG1GC\n+USING_G1=$?\n+\n+# Override these to set the amount of memory to allocate to the JVM at\n+# start-up. For production use you may wish to adjust this for your\n+# environment. MAX_HEAP_SIZE is the total amount of memory dedicated\n+# to the Java heap. HEAP_NEWSIZE refers to the size of the young\n+# generation. Both MAX_HEAP_SIZE and HEAP_NEWSIZE should be either set\n+# or not (if you set one, set the other).\n+#\n+# The main trade-off for the young generation is that the larger it\n+# is, the longer GC pause times will be. 
The shorter it is, the more\n+# expensive GC will be (usually).\n+#\n+# The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause\n+# times. If in doubt, and if you do not particularly want to tweak, go with\n+# 100 MB per physical CPU core.\n+\n+#MAX_HEAP_SIZE=\"4G\"\n+#HEAP_NEWSIZE=\"800M\"\n+\n+# Set this to control the amount of arenas per-thread in glibc\n+#export MALLOC_ARENA_MAX=4\n+\n+# only calculate the size if it's not set manually\n+if [ \"x$MAX_HEAP_SIZE\" = \"x\" ] && [ \"x$HEAP_NEWSIZE\" = \"x\" -o $USING_G1 -eq 0 ]; then\n+    calculate_heap_sizes\n+elif [ \"x$MAX_HEAP_SIZE\" = \"x\" ] ||  [ \"x$HEAP_NEWSIZE\" = \"x\" -a $USING_G1 -ne 0 ]; then\n+    echo \"please set or unset MAX_HEAP_SIZE and HEAP_NEWSIZE in pairs when using CMS GC (see cassandra-env.sh)\"\n+    exit 1\n+fi\n+\n+if [ \"x$MALLOC_ARENA_MAX\" = \"x\" ] ; then\n+    export MALLOC_ARENA_MAX=4\n+fi\n+\n+# We only set -Xms and -Xmx if they were not defined on jvm-server.options file\n+# If defined, both Xmx and Xms should be defined together.\n+if [ $DEFINED_XMX -ne 0 ] && [ $DEFINED_XMS -ne 0 ]; then\n+     JVM_OPTS=\"$JVM_OPTS -Xms${MAX_HEAP_SIZE}\"\n+     JVM_OPTS=\"$JVM_OPTS -Xmx${MAX_HEAP_SIZE}\"\n+elif [ $DEFINED_XMX -ne 0 ] || [ $DEFINED_XMS -ne 0 ]; then\n+     echo \"Please set or unset -Xmx and -Xms flags in pairs on jvm-server.options file.\"\n+     exit 1\n+fi\n+\n+# We only set -Xmn flag if it was not defined in jvm-server.options file\n+# and if the CMS GC is being used\n+# If defined, both Xmn and Xmx should be defined together.\n+if [ $DEFINED_XMN -eq 0 ] && [ $DEFINED_XMX -ne 0 ]; then\n+    echo \"Please set or unset -Xmx and -Xmn flags in pairs on jvm-server.options file.\"\n+    exit 1\n+elif [ $DEFINED_XMN -ne 0 ] && [ $USING_CMS -eq 0 ]; then\n+    JVM_OPTS=\"$JVM_OPTS -Xmn${HEAP_NEWSIZE}\"\n+fi\n+\n+# We fail to start if -Xmn is used with G1 GC is being used\n+# See comments for -Xmn in jvm-server.options\n+if [ $DEFINED_XMN -eq 0 ] && [ $USING_G1 
-eq 0 ]; then\n+    echo \"It is not recommended to set -Xmn with the G1 garbage collector. See comments for -Xmn in jvm-server.options for details.\"\n+    exit 1\n+fi\n+\n+if [ \"$JVM_ARCH\" = \"64-Bit\" ] && [ $USING_CMS -eq 0 ]; then\n+    JVM_OPTS=\"$JVM_OPTS -XX:+UseCondCardMark\"\n+fi\n+\n+# provides hints to the JIT compiler\n+JVM_OPTS=\"$JVM_OPTS -XX:CompileCommandFile=$CASSANDRA_CONF/hotspot_compiler\"\n+\n+# add the jamm javaagent\n+JVM_OPTS=\"$JVM_OPTS -javaagent:$CASSANDRA_HOME/lib/jamm-0.3.2.jar\"\n+\n+CASSANDRA_HEAPDUMP_DIR=/srv/storage-1/cassandra-b\n+# set jvm HeapDumpPath with CASSANDRA_HEAPDUMP_DIR\n+if [ \"x$CASSANDRA_HEAPDUMP_DIR\" != \"x\" ]; then\n+    JVM_OPTS=\"$JVM_OPTS -XX:HeapDumpPath=$CASSANDRA_HEAPDUMP_DIR/cassandra-`date +%s`-pid$$.hprof\"\n+    JVM_OPTS=\"$JVM_OPTS -XX:ErrorFile=$CASSANDRA_HEAPDUMP_DIR/hs_err_pid%p.log\"\n+fi\n+\n+# stop the jvm on OutOfMemoryError as it can result in some data corruption\n+# uncomment the preferred option\n+# ExitOnOutOfMemoryError and CrashOnOutOfMemoryError require a JRE greater or equals to 1.7 update 101 or 1.8 update 92\n+# For OnOutOfMemoryError we cannot use the JVM_OPTS variables because bash commands split words\n+# on white spaces without taking quotes into account\n+# JVM_OPTS=\"$JVM_OPTS -XX:+ExitOnOutOfMemoryError\"\n+# JVM_OPTS=\"$JVM_OPTS -XX:+CrashOnOutOfMemoryError\"\n+JVM_ON_OUT_OF_MEMORY_ERROR_OPT=\"-XX:OnOutOfMemoryError=kill -9 %p\"\n+\n+# print an heap histogram on OutOfMemoryError\n+# JVM_OPTS=\"$JVM_OPTS -Dcassandra.printHeapHistogramOnOutOfMemoryError=true\"\n+\n+# jmx: metrics and administration interface\n+#\n+# add this if you're having trouble connecting:\n+# JVM_OPTS=\"$JVM_OPTS -Djava.rmi.server.hostname=<public name>\"\n+#\n+# see\n+# https://blogs.oracle.com/jmxetc/entry/troubleshooting_connection_problems_in_jconsole\n+# for more on configuring JMX through firewalls, etc. 
(Short version:\n+# get it working with no firewall first.)\n+#\n+# Cassandra ships with JMX accessible *only* from localhost.  \n+# To enable remote JMX connections, uncomment lines below\n+# with authentication and/or ssl enabled. See https://wiki.apache.org/cassandra/JmxSecurity \n+#\n+if [ \"x$LOCAL_JMX\" = \"x\" ]; then\n+    LOCAL_JMX=yes\n+fi\n+\n+# Specifies the default port over which Cassandra will be available for\n+# JMX connections.\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+JMX_PORT=\"7190\"\n+\n+if [ \"$LOCAL_JMX\" = \"yes\" ]; then\n+  JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.local.port=$JMX_PORT\"\n+  JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false\"\n+else\n+  JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.remote.port=$JMX_PORT\"\n+  # if ssl is enabled the same port cannot be used for both jmx and rmi so either\n+  # pick another value for this property or comment out to use a random port (though see CASSANDRA-7087 for origins)\n+  JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT\"\n+\n+  # turn on JMX authentication. 
See below for further options\n+  JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true\"\n+\n+  # jmx ssl options\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true\"\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true\"\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>\"\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>\"\n+fi\n+\n+# jmx authentication and authorization options. By default, auth is only\n+# activated for remote connections but they can also be enabled for local only JMX\n+## Basic file based authn & authz\n+JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password\"\n+#JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access\"\n+## Custom auth settings which can be used as alternatives to JMX's out of the box auth utilities.\n+## JAAS login modules can be used for authentication by uncommenting these two properties.\n+## Cassandra ships with a LoginModule implementation - org.apache.cassandra.auth.CassandraLoginModule -\n+## which delegates to the IAuthenticator configured in cassandra.yaml. See the sample JAAS configuration\n+## file cassandra-jaas.config\n+#JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.remote.login.config=CassandraLogin\"\n+#JVM_OPTS=\"$JVM_OPTS -Djava.security.auth.login.config=$CASSANDRA_CONF/cassandra-jaas.config\"\n+\n+## Cassandra also ships with a helper for delegating JMX authz calls to the configured IAuthorizer,\n+## uncomment this to use it. 
Requires one of the two authentication options to be enabled\n+#JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy\"\n+\n+# To use mx4j, an HTML interface for JMX, add mx4j-tools.jar to the lib/\n+# directory.\n+# See http://cassandra.apache.org/doc/latest/operating/metrics.html#jmx\n+# By default mx4j listens on the broadcast_address, port 8081. Uncomment the following lines\n+# to control its listen address and port.\n+#MX4J_ADDRESS=\"127.0.0.1\"\n+#MX4J_PORT=\"8081\"\n+\n+# Cassandra uses SIGAR to capture OS metrics CASSANDRA-7838\n+# for SIGAR we have to set the java.library.path\n+# to the location of the native libraries.\n+JVM_OPTS=\"$JVM_OPTS -Djava.library.path=$CASSANDRA_HOME/lib/sigar-bin\"\n+\n+if [ \"x$MX4J_ADDRESS\" != \"x\" ]; then\n+    if [ \"$(echo \"$MX4J_ADDRESS\" | grep -c \"\\-Dmx4jaddress\")\" = \"1\" ]; then\n+        # Backward compatible with the older style #13578\n+        JVM_OPTS=\"$JVM_OPTS $MX4J_ADDRESS\"\n+    else\n+        JVM_OPTS=\"$JVM_OPTS -Dmx4jaddress=$MX4J_ADDRESS\"\n+    fi\n+fi\n+if [ \"x$MX4J_PORT\" != \"x\" ]; then\n+    if [ \"$(echo \"$MX4J_PORT\" | grep -c \"\\-Dmx4jport\")\" = \"1\" ]; then\n+        # Backward compatible with the older style #13578\n+        JVM_OPTS=\"$JVM_OPTS $MX4J_PORT\"\n+    else\n+        JVM_OPTS=\"$JVM_OPTS -Dmx4jport=$MX4J_PORT\"\n+    fi\n+fi\n+\n+JVM_OPTS=\"$JVM_OPTS $JVM_EXTRA_OPTS\"\n+\n+\n+JVM_OPTS=\"$JVM_OPTS -javaagent:/usr/share/java/prometheus/jmx_prometheus_javaagent.jar=10.64.156.21:7800:/etc/cassandra-b/prometheus_jmx_exporter.yaml\"", "parameters": "--- File[/etc/cassandra-b/cassandra-env.sh].orig\n+++ File[/etc/cassandra-b/cassandra-env.sh]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Exec[java__cacert_Puppet_Internal_CA]", "parameters": "--- Exec[java__cacert_Puppet_Internal_CA].orig\n+++ 
Exec[java__cacert_Puppet_Internal_CA]\n\n+    before  => File[/etc/ssl/localcerts/wmf-java-cacerts]\n+    command => /usr/bin/keytool -import  -noprompt -keystore /etc/ssl/localcerts/wmf-java-cacerts     -file /etc/ssl/certs/Puppet_Internal_CA.pem -storepass changeit -alias Puppet_Internal_CA\n\n+    group   => root\n+    unless  => /usr/bin/keytool -list -keystore /etc/ssl/localcerts/wmf-java-cacerts -noprompt -storepass changeit -alias Puppet_Internal_CA\n+    user    => root\n"}, {"resource": "Systemd::Unit[cassandra-b]", "parameters": "--- Systemd::Unit[cassandra-b].orig\n+++ Systemd::Unit[cassandra-b]\n\n+    override_filename => puppet-override.conf\n+    unit              => cassandra-b\n+    restart           => False\n+    require           => ['Class[Systemd]']\n+    override          => False\n+    ensure            => present\n"}, {"resource": "File[/etc/cassandra-a/user_editor_analytics.cql]", "content": "--- /etc/cassandra-a/user_editor_analytics.cql.orig\n+++ /etc/cassandra-a/user_editor_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE USER IF NOT EXISTS editor_analytics WITH PASSWORD 'yadayadayada';\n+\n+GRANT SELECT ON aqs.config TO 'editor_analytics';", "parameters": "--- File[/etc/cassandra-a/user_editor_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_editor_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Ferm::Service[cassandra-intra-node-ssl]", "parameters": "--- Ferm::Service[cassandra-intra-node-ssl].orig\n+++ Ferm::Service[cassandra-intra-node-ssl]\n\n+    desc    => \n+    prio    => 10\n+    srange  => @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet 
aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet))\n+    port    => 7001\n+    ensure  => present\n+    notrack => False\n+    proto   => tcp\n"}, {"resource": "Package[openjdk-11-jdk]", "parameters": "--- Package[openjdk-11-jdk].orig\n+++ Package[openjdk-11-jdk]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "File[/etc/cassandra-b/hotspot_compiler]", "parameters": "--- File[/etc/cassandra-b/hotspot_compiler].orig\n+++ File[/etc/cassandra-b/hotspot_compiler]\n\n+    group  => cassandra\n+    ensure => present\n+    mode   => 0444\n+    source => puppet:///modules/cassandra/hotspot_compiler-4.x\n+    links  => follow\n+    owner  => cassandra\n"}, 
{"resource": "Java::Package[openjdk-jdk-11]", "parameters": "--- Java::Package[openjdk-jdk-11].orig\n+++ Java::Package[openjdk-jdk-11]\n\n+    egd_source   => /dev/random\n+    package_info => {'version': '11', 'variant': 'jdk'}\n+    hardened_tls => False\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 ssh].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 ssh]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::data_persistence_ferm:\n+role::aqs:\n - Data Persistence"}, {"resource": "Ferm::Service[cassandra-intra-node]", "parameters": "--- Ferm::Service[cassandra-intra-node].orig\n+++ Ferm::Service[cassandra-intra-node]\n\n+    desc    => \n+    prio    => 10\n+    srange  => @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet 
aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet))\n+    port    => 7000\n+    ensure  => present\n+    notrack => False\n+    proto   => tcp\n"}, {"resource": "Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]", "parameters": "--- Exec[ip addr add 10.64.156.21/32 dev ens8f0np0].orig\n+++ Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]\n\n+    path    => /bin:/usr/bin\n+    unless  => ip address show ens8f0np0 | grep -q 10.64.156.21/32\n+    returns => [0, 2]\n"}, {"resource": "User[scap]", "parameters": "--- User[scap].orig\n+++ User[scap]\n\n+    home     => /var/lib/scap\n+    shell    => /bin/bash\n+    gid      => 919\n+    password => !\n+    ensure   => present\n+    uid      => 919\n+    system   => True\n+    groups   => []\n"}, {"resource": "Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]", "parameters": "--- Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl].orig\n+++ Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]\n\n+    server_name             => cassandra\n+    use_client_auth         => False\n+    ip6                     => 2620:0:861:124:10:64:156:17\n+    alert_after             => 2m\n+    site                    => eqiad\n+    certificate_expiry_days => 5\n+    ip4                     => 10.64.156.18\n+    team                    => sre\n+    prometheus_instance     => ops\n+    
client_auth_key         => /etc/prometheus/ssl/server.key\n+    port                    => 7000\n+    force_tls               => True\n+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n+    instance_label          => aqs1024-a\n+    ip_families             => ['ip4']\n+    severity                => critical\n+    timeout                 => 3s\n+    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "parameters": "--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem].orig\n+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => file\n+    source => puppet:///modules/profile/pki/intermediates/cassandra-cert.pem\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-b/tls/server.key]", "parameters": "--- File[/etc/cassandra-b/tls/server.key].orig\n+++ File[/etc/cassandra-b/tls/server.key]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]", "parameters": "--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem].orig\n+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]\n\n+    require => Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]\n+    group   => cassandra\n+    ensure  => file\n+    owner   => cassandra\n"}, {"resource": "File[/etc/cassandra-b/user_commons_impact_analytics.cql]", "content": "--- /etc/cassandra-b/user_commons_impact_analytics.cql.orig\n+++ /etc/cassandra-b/user_commons_impact_analytics.cql\n@@ -0,0 +1,25 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+-- User/role for the Commons Impact Metrics service: https://phabricator.wikimedia.org/T361835\n+\n+-- Note: This is 
intended to be temporary; This service will eventually use the Data Gateway\n+-- (https://phabricator.wikimedia.org/T364921) instead of connecting to Cassandra directly. When\n+-- that happens these GRANTs, and the role, can be removed.\n+\n+CREATE ROLE IF NOT EXISTS commons_impact_analytics\n+    WITH PASSWORD = 'notarealpasswd' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON commons.category_metrics_snapshot        TO commons_impact_analytics;\n+GRANT SELECT ON commons.media_file_metrics_snapshot      TO commons_impact_analytics;\n+GRANT SELECT ON commons.pageviews_per_category_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO commons_impact_analytics;\n+GRANT SELECT ON commons.edits_per_category_monthly       TO commons_impact_analytics;\n+GRANT SELECT ON commons.edits_per_user_monthly           TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_pages_per_category_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_viewed_categories_monthly    TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_edited_categories_monthly    TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_editors_monthly              TO commons_impact_analytics;", "parameters": "--- File[/etc/cassandra-b/user_commons_impact_analytics.cql].orig\n+++ File[/etc/cassandra-b/user_commons_impact_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-b/user_image_suggestions.cql]", "content": "--- /etc/cassandra-b/user_image_suggestions.cql.orig\n+++ 
/etc/cassandra-b/user_image_suggestions.cql\n@@ -0,0 +1,6 @@\n+\n+CREATE ROLE IF NOT EXISTS image_suggestions\n+    WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON KEYSPACE image_suggestions TO image_suggestions;\n+GRANT MODIFY ON KEYSPACE image_suggestions TO image_suggestions;", "parameters": "--- File[/etc/cassandra-b/user_image_suggestions.cql].orig\n+++ File[/etc/cassandra-b/user_image_suggestions.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]", "parameters": "--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem].orig\n+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]\n\n+    require => Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]\n+    group   => cassandra\n+    ensure  => file\n+    owner   => cassandra\n"}, {"resource": "File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr\n@@ -0,0 +1,15 @@\n+{\n+  \"CN\": \"aqs1024-a.eqiad.wmnet\",\n+  \"hosts\": [\n+    \"cassandra\",\n+    \"aqs1024.eqiad.wmnet\",\n+    \"aqs1024-a.eqiad.wmnet\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]\n\n+    group  => root\n+    mode   => 0400\n+    ensure => file\n+    owner  => root\n"}, {"resource": "File[/usr/local/bin/cassandra_validate_grants]", "parameters": "--- File[/usr/local/bin/cassandra_validate_grants].orig\n+++ File[/usr/local/bin/cassandra_validate_grants]\n\n+    group   => root\n+    require => Package[cassandra]\n+    mode    => 0755\n+ 
   ensure  => present\n+    source  => puppet:///modules/cassandra/validate_grant_statements.py\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-instances.d/aqs1024-a.yaml]", "content": "--- /etc/cassandra-instances.d/aqs1024-a.yaml.orig\n+++ /etc/cassandra-instances.d/aqs1024-a.yaml\n@@ -0,0 +1,13 @@\n+name: a\n+jmx_port: 7189\n+listen_address: 10.64.156.18\n+service_name: cassandra-a\n+config_directory: /etc/cassandra-a\n+data_file_directories: [/srv/storage-0/cassandra-a/data,/srv/storage-1/cassandra-a/data,/srv/storage-2/cassandra-a/data,/srv/storage-3/cassandra-a/data,/srv/storage-4/cassandra-a/data,/srv/storage-5/cassandra-a/data,/srv/storage-6/cassandra-a/data,/srv/storage-7/cassandra-a/data]\n+rpc_address: 10.64.156.18\n+native_transport_port: 9042\n+commitlog_directory: /srv/cassandra/cassandra-a/commitlog\n+hints_directory: /srv/cassandra/cassandra-a/hints\n+saved_caches_directory: /srv/cassandra/cassandra-a/saved_caches\n+heapdump_directory: /srv/storage-0/cassandra-a\n+local_system_data_file_directory: /srv/cassandra/cassandra-a/system", "parameters": "--- File[/etc/cassandra-instances.d/aqs1024-a.yaml].orig\n+++ File[/etc/cassandra-instances.d/aqs1024-a.yaml]\n\n+    group => cassandra\n+    mode  => 0444\n+    owner => cassandra\n"}, {"resource": "Exec[install-/srv/storage-5/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-5/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-5/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-5/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-5/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "File[/etc/cassandra-a/user_data_gateway.cql]", "content": "--- /etc/cassandra-a/user_data_gateway.cql.orig\n+++ /etc/cassandra-a/user_data_gateway.cql\n@@ -0,0 +1,33 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS data_gateway\n+    WITH PASSWORD = 'qwerty' AND 
LOGIN = true AND SUPERUSER = false;\n+\n+-- Image Suggestions\n+GRANT SELECT ON image_suggestions.suggestions      TO data_gateway;\n+GRANT SELECT ON image_suggestions.feedback         TO data_gateway;\n+GRANT SELECT ON image_suggestions.title_cache      TO data_gateway;\n+GRANT SELECT ON image_suggestions.instanceof_cache TO data_gateway;\n+\n+-- Commons Impact Metrics\n+GRANT SELECT ON commons.category_metrics_snapshot        TO data_gateway;\n+GRANT SELECT ON commons.media_file_metrics_snapshot      TO data_gateway;\n+GRANT SELECT ON commons.pageviews_per_category_monthly   TO data_gateway;\n+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO data_gateway;\n+GRANT SELECT ON commons.edits_per_category_monthly       TO data_gateway;\n+GRANT SELECT ON commons.edits_per_user_monthly           TO data_gateway;\n+GRANT SELECT ON commons.top_pages_per_category_monthly   TO data_gateway;\n+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO data_gateway;\n+GRANT SELECT ON commons.top_viewed_categories_monthly    TO data_gateway;\n+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO data_gateway;\n+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO data_gateway;\n+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO data_gateway;\n+GRANT SELECT ON commons.top_edited_categories_monthly    TO data_gateway;\n+GRANT SELECT ON commons.top_editors_monthly              TO data_gateway;\n+\n+-- Machine learning cache\n+GRANT SELECT ON ml_cache.page_paragraph_tone_scores      TO data_gateway;\n+\n+-- New-style AQS tables\n+GRANT SELECT ON analytics.pageviews_per_editor           TO data_gateway;\n+GRANT SELECT ON analytics.pageviews_top_pages_per_editor TO data_gateway;", "parameters": "--- File[/etc/cassandra-a/user_data_gateway.cql].orig\n+++ File[/etc/cassandra-a/user_data_gateway.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-a]", 
"parameters": "--- File[/etc/cassandra-a].orig\n+++ File[/etc/cassandra-a]\n\n+    group   => root\n+    require => Package[cassandra]\n+    mode    => 0755\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Monitoring::Exported_nagios_host[aqs1024]", "parameters": "--- Monitoring::Exported_nagios_host[aqs1024].orig\n+++ Monitoring::Exported_nagios_host[aqs1024]\n\n@@\n-    hostgroups            => insetup_eqiad,lsw1-e7-eqiad\n+    hostgroups            => aqs_eqiad,lsw1-e7-eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "File[/etc/cassandra-a/jvm-clients.options]", "parameters": "--- File[/etc/cassandra-a/jvm-clients.options].orig\n+++ File[/etc/cassandra-a/jvm-clients.options]\n\n+    group  => root\n+    force  => True\n+    ensure => link\n+    target => /etc/cassandra/jvm-clients.options\n+    owner  => root\n"}, {"resource": "Augeas[ens8f0np0_10.64.156.18/32]", "parameters": "--- Augeas[ens8f0np0_10.64.156.18/32].orig\n+++ Augeas[ens8f0np0_10.64.156.18/32]\n\n+    onlyif  => match up[. = 'ip addr add 10.64.156.18/32 dev ens8f0np0'] size == 0\n+    context => /files/etc/network/interfaces/*[. 
= 'ens8f0np0' and ./family = 'inet']\n+    changes => set up[last()+1] 'ip addr add 10.64.156.18/32 dev ens8f0np0'\n+    incl    => /etc/network/interfaces\n+    lens    => Interfaces.lns\n"}, {"resource": "File[/etc/cassandra-b]", "parameters": "--- File[/etc/cassandra-b].orig\n+++ File[/etc/cassandra-b]\n\n+    group   => root\n+    require => Package[cassandra]\n+    mode    => 0755\n+    ensure  => directory\n+    owner   => root\n"}, {"resource": "Exec[chown /srv/deployment/cassandra for deploy-service]", "parameters": "--- Exec[chown /srv/deployment/cassandra for deploy-service].orig\n+++ Exec[chown /srv/deployment/cassandra for deploy-service]\n\n+    command => /bin/chown -R deploy-service:deploy-service /srv/deployment/cassandra\n+    onlyif  => /usr/bin/test -O /srv/deployment/cassandra/logstash-logback-encoder\n+    require => ['User[deploy-service]', 'Group[deploy-service]']\n"}, {"resource": "File[/etc/ferm/conf.d/10_cassandra-cql]", "content": "--- /etc/ferm/conf.d/10_cassandra-cql.orig\n+++ /etc/ferm/conf.d/10_cassandra-cql\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 9042, (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.67.128.0/17 2620:0:861:cabe::/64 10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 10.194.128.0/17 2620:0:860:cabe::/64 10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 10.194.61.0/24 2620:0:860:302::/64));\n+\n+", 
"parameters": "--- File[/etc/ferm/conf.d/10_cassandra-cql].orig\n+++ File[/etc/ferm/conf.d/10_cassandra-cql]\n\n+    group   => root\n+    tag     => ferm\n+    require => File[/etc/ferm/conf.d]\n+    mode    => 0400\n+    ensure  => present\n+    notify  => Service[ferm]\n+    owner   => root\n"}, {"resource": "Apt::Package_from_component[cassandra]", "parameters": "--- Apt::Package_from_component[cassandra].orig\n+++ Apt::Package_from_component[cassandra]\n\n+    component       => component/cassandra41\n+    uri             => http://apt.wikimedia.org/wikimedia\n+    require         => Package[openjdk-11-jdk]\n+    packages        => {'cassandra': '4.1.11'}\n+    priority        => 1001\n+    distro          => bullseye-wikimedia\n+    ensure          => present\n+    ensure_packages => True\n"}, {"resource": "File[/etc/cassandra-a/credentials]", "content": "--- /etc/cassandra-a/credentials.orig\n+++ /etc/cassandra-a/credentials\n@@ -0,0 +1,36 @@\n+; SPDX-License-Identifier: Apache-2.0\n+; Licensed to the Apache Software Foundation (ASF) under one\n+; or more contributor license agreements.  See the NOTICE file\n+; distributed with this work for additional information\n+; regarding copyright ownership.  The ASF licenses this file\n+; to you under the Apache License, Version 2.0 (the\n+; \"License\"); you may not use this file except in compliance\n+; with the License.  You may obtain a copy of the License at\n+;\n+;   http://www.apache.org/licenses/LICENSE-2.0\n+;\n+; Unless required by applicable law or agreed to in writing,\n+; software distributed under the License is distributed on an\n+; \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n+; KIND, either express or implied.  
See the License for the\n+; specific language governing permissions and limitations\n+; under the License.\n+;\n+; Sample ~/.cassandra/credentials file.\n+;\n+; The section name must match the classname from the cqlshrc file\n+; For example, if cqlshrc contains settings\n+;\n+; [auth_provider]\n+; module = cassandra.auth\n+; classname = PlainTextAuthProvider\n+;\n+; then the credentials file should contain a [PlainTextAuthProvider] section with the username and password parameters, as indicated in this example.\n+;\n+; For backward compatibility, it is also possible to specify [plain_text_auth] as a header.\n+;\n+; Please ensure this file is owned by the user and is not readable by group and other users.\n+\n+[PlainTextAuthProvider]\n+username = cassandra\n+password = nosuchpass", "parameters": "--- File[/etc/cassandra-a/credentials].orig\n+++ File[/etc/cassandra-a/credentials]\n\n+    group => root\n+    mode  => 0400\n+    owner => root\n"}, {"resource": "Exec[java__cacert_wmf:puppetca.pem]", "parameters": "--- Exec[java__cacert_wmf:puppetca.pem].orig\n+++ Exec[java__cacert_wmf:puppetca.pem]\n\n+    command => /usr/bin/keytool -import -trustcacerts -noprompt -cacerts     -file /etc/ssl/certs/Puppet_Internal_CA.pem -storepass changeit -alias wmf:puppetca.pem\n\n+    unless  => /usr/bin/keytool -list -cacerts -noprompt -storepass changeit -alias wmf:puppetca.pem\n+    user    => root\n+    group   => root\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    cluster               => insetup\n+    cluster               => aqs\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => aqs_eqiad\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "Group[scap]", "parameters": "--- Group[scap].orig\n+++ Group[scap]\n\n+    system => True\n+    ensure => present\n+    gid    => 919\n"}, {"resource": "File[/etc/cassandra-b/cassandra.yaml]", 
"content": "--- /etc/cassandra-b/cassandra.yaml.orig\n+++ /etc/cassandra-b/cassandra.yaml\n@@ -0,0 +1,1885 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and is templatized\n+#        here in order to set various options from puppet.\n+\n+# Cassandra storage config YAML\n+\n+# NOTE:\n+#   See https://cassandra.apache.org/doc/latest/configuration/ for\n+#   full explanations of configuration directives\n+# /NOTE\n+\n+# The name of the cluster. This is mainly used to prevent machines in\n+# one logical cluster from joining another.\n+cluster_name: 'Analytics Query Service Storage'\n+\n+# This defines the number of tokens randomly assigned to this node on the ring\n+# The more tokens, relative to other nodes, the larger the proportion of data\n+# that this node will store. You probably want all nodes to have the same number\n+# of tokens assuming they have equal hardware capability.\n+#\n+# If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility,\n+# and will use the initial_token as described below.\n+#\n+# Specifying initial_token will override this setting on the node's initial start,\n+# on subsequent starts, this setting will apply even if initial token is set.\n+#\n+# See https://cassandra.apache.org/doc/latest/getting_started/production.html#tokens for\n+# best practice information about num_tokens.\n+#\n+num_tokens: 256\n+\n+# Triggers automatic allocation of num_tokens tokens for this node. 
The allocation\n+# algorithm attempts to choose tokens in a way that optimizes replicated load over\n+# the nodes in the datacenter for the replica factor.\n+#\n+# The load assigned to each node will be close to proportional to its number of\n+# vnodes.\n+#\n+# Only supported with the Murmur3Partitioner.\n+\n+# Replica factor is determined via the replication strategy used by the specified\n+# keyspace.\n+# allocate_tokens_for_keyspace: KEYSPACE\n+\n+# Replica factor is explicitly set, regardless of keyspace or datacenter.\n+# This is the replica factor within the datacenter, like NTS.\n+allocate_tokens_for_local_replication_factor: 3\n+\n+# initial_token allows you to specify tokens manually.  While you can use it with\n+# vnodes (num_tokens > 1, above) -- in which case you should provide a \n+# comma-separated list -- it's primarily used when adding nodes to legacy clusters \n+# that do not have vnodes enabled.\n+# initial_token:\n+\n+# May either be \"true\" or \"false\" to enable globally\n+hinted_handoff_enabled: true\n+\n+# When hinted_handoff_enabled is true, a black list of data centers that will not\n+# perform hinted handoff\n+# hinted_handoff_disabled_datacenters:\n+#    - DC1\n+#    - DC2\n+\n+# this defines the maximum amount of time a dead host will have hints\n+# generated.  After it has been dead this long, new hints for it will not be\n+# created until it has been seen alive and gone down again.\n+# Min unit: ms\n+max_hint_window: 3h\n+\n+# Maximum throttle in KiBs per second, per delivery thread.  This will be\n+# reduced proportionally to the number of nodes in the cluster.  
(If there\n+# are two nodes in the cluster, each delivery thread will use the maximum\n+# rate; if there are three, each will throttle to half of the maximum,\n+# since we expect two nodes to be delivering hints simultaneously.)\n+# Min unit: KiB\n+hinted_handoff_throttle: 1024KiB\n+\n+# Number of threads with which to deliver hints;\n+# Consider increasing this number when you have multi-dc deployments, since\n+# cross-dc handoff tends to be slower\n+max_hints_delivery_threads: 4\n+\n+# Directory where Cassandra should store hints.\n+# If not set, the default directory is $CASSANDRA_HOME/data/hints.\n+hints_directory: /srv/cassandra/cassandra-b/hints\n+\n+# How often hints should be flushed from the internal buffers to disk.\n+# Will *not* trigger fsync.\n+# Min unit: ms\n+hints_flush_period: 10000ms\n+\n+# Maximum size for a single hints file, in mebibytes.\n+# Min unit: MiB\n+max_hints_file_size: 128MiB\n+\n+# The file size limit to store hints for an unreachable host, in mebibytes.\n+# Once the local hints files have reached the limit, no more new hints will be created.\n+# Set a non-positive value will disable the size limit.\n+# max_hints_size_per_host: 0MiB\n+\n+# Enable / disable automatic cleanup for the expired and orphaned hints file.\n+# Disable the option in order to preserve those hints on the disk.\n+auto_hints_cleanup_enabled: false\n+\n+# Enable/disable transfering hints to a peer during decommission. Even when enabled, this does not guarantee\n+# consistency for logged batches, and it may delay decommission when coupled with a strict hinted_handoff_throttle.\n+# Default: true\n+# transfer_hints_on_decommission: true\n+\n+# Compression to apply to the hint files. If omitted, hints files\n+# will be written uncompressed. 
LZ4, Snappy, and Deflate compressors\n+# are supported.\n+#hints_compression:\n+#   - class_name: LZ4Compressor\n+#     parameters:\n+#         -\n+\n+# Enable / disable persistent hint windows.\n+#\n+# If set to false, a hint will be stored only in case a respective node\n+# that hint is for is down less than or equal to max_hint_window.\n+#\n+# If set to true, a hint will be stored in case there is not any\n+# hint which was stored earlier than max_hint_window. This is for cases\n+# when a node keeps to restart and hints are not delivered yet, we would be saving\n+# hints for that node indefinitely.\n+#\n+# Defaults to true.\n+#\n+# hint_window_persistent_enabled: true\n+\n+# Maximum throttle in KiBs per second, total. This will be\n+# reduced proportionally to the number of nodes in the cluster.\n+# Min unit: KiB\n+batchlog_replay_throttle: 1024KiB\n+\n+# Strategy to choose the batchlog storage endpoints.\n+#\n+# Available options:\n+#\n+# - random_remote\n+#   Default, purely random, prevents the local rack, if possible.\n+#\n+# - prefer_local\n+#   Similar to random_remote. Random, except that one of the replications will go to the local rack,\n+#   which mean it offers lower availability guarantee than random_remote or dynamic_remote.\n+#\n+# - dynamic_remote\n+#   Using DynamicEndpointSnitch to select batchlog storage endpoints, prevents the\n+#   local rack, if possible. This strategy offers the same availability guarantees\n+#   as random_remote but selects the fastest endpoints according to the DynamicEndpointSnitch.\n+#   (DynamicEndpointSnitch currently only tracks reads and not writes - i.e. 
write-only\n+#   (or mostly-write) workloads might not benefit from this strategy.)\n+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.\n+#\n+# - dynamic\n+#   Mostly the same as dynamic_remote, except that local rack is not excluded, which mean it offers lower\n+#   availability guarantee than random_remote or dynamic_remote.\n+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.\n+#\n+# batchlog_endpoint_strategy: random_remote\n+\n+# Authentication backend, implementing IAuthenticator; used to identify users\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator,\n+# PasswordAuthenticator}.\n+#\n+# - AllowAllAuthenticator performs no checks - set it to disable authentication.\n+# - PasswordAuthenticator relies on username/password pairs to authenticate\n+#   users. It keeps usernames and hashed passwords in system_auth.roles table.\n+#   Please increase system_auth keyspace replication factor if you use this authenticator.\n+#   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)\n+authenticator: PasswordAuthenticator\n+\n+# Authorization backend, implementing IAuthorizer; used to limit access/provide permissions\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,\n+# CassandraAuthorizer}.\n+#\n+# - AllowAllAuthorizer allows any action to any user - set it to disable authorization.\n+# - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please\n+#   increase system_auth keyspace replication factor if you use this authorizer.\n+authorizer: CassandraAuthorizer\n+\n+# Part of the Authentication & Authorization backend, implementing IRoleManager; used\n+# to maintain grants and memberships between roles.\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager,\n+# which stores role information in the system_auth keyspace. 
Most functions of the\n+# IRoleManager require an authenticated login, so unless the configured IAuthenticator\n+# actually implements authentication, most of this functionality will be unavailable.\n+#\n+# - CassandraRoleManager stores role data in the system_auth keyspace. Please\n+#   increase system_auth keyspace replication factor if you use this role manager.\n+role_manager: CassandraRoleManager\n+\n+# Network authorization backend, implementing INetworkAuthorizer; used to restrict user\n+# access to certain DCs\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllNetworkAuthorizer,\n+# CassandraNetworkAuthorizer}.\n+#\n+# - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to disable authorization.\n+# - CassandraNetworkAuthorizer stores permissions in system_auth.network_permissions table. Please\n+#   increase system_auth keyspace replication factor if you use this authorizer.\n+network_authorizer: AllowAllNetworkAuthorizer\n+\n+# Depending on the auth strategy of the cluster, it can be beneficial to iterate\n+# from root to table (root -> ks -> table) instead of table to root (table -> ks -> root).\n+# As the auth entries are whitelisting, once a permission is found you know it to be\n+# valid. We default to false as the legacy behavior is to query at the table level then\n+# move back up to the root. 
See CASSANDRA-17016 for details.\n+# traverse_auth_from_root: false\n+\n+# Validity period for roles cache (fetching granted roles can be an expensive\n+# operation depending on the role manager, CassandraRoleManager is one example)\n+# Granted roles are cached for authenticated sessions in AuthenticatedUser and\n+# after the period specified here, become eligible for (async) reload.\n+# Defaults to 2000, set to 0 to disable caching entirely.\n+# Will be disabled automatically for AllowAllAuthenticator.\n+# For a long-running cache using roles_cache_active_update, consider\n+# setting to something longer such as a daily validation: 86400000\n+# Min unit: ms\n+roles_validity: 2000ms\n+\n+# Refresh interval for roles cache (if enabled).\n+# After this interval, cache entries become eligible for refresh. Upon next\n+# access, an async reload is scheduled and the old value returned until it\n+# completes. If roles_validity is non-zero, then this must be\n+# also.\n+# This setting is also used to inform the interval of auto-updating if\n+# using roles_cache_active_update.\n+# Defaults to the same value as roles_validity.\n+# For a long-running cache, consider setting this to 60000 (1 hour) etc.\n+# Min unit: ms\n+# roles_update_interval: 2000ms\n+\n+# If true, cache contents are actively updated by a background task at the\n+# interval set by roles_update_interval. If false, cache entries\n+# become eligible for refresh after their update interval. Upon next access,\n+# an async reload is scheduled and the old value returned until it completes.\n+# roles_cache_active_update: false\n+\n+# Validity period for permissions cache (fetching permissions can be an\n+# expensive operation depending on the authorizer, CassandraAuthorizer is\n+# one example). 
Defaults to 2000, set to 0 to disable.\n+# Will be disabled automatically for AllowAllAuthorizer.\n+# For a long-running cache using permissions_cache_active_update, consider\n+# setting to something longer such as a daily validation: 86400000ms\n+# Min unit: ms\n+permissions_validity: 600000ms\n+\n+# Refresh interval for permissions cache (if enabled).\n+# After this interval, cache entries become eligible for refresh. Upon next\n+# access, an async reload is scheduled and the old value returned until it\n+# completes. If permissions_validity is non-zero, then this must be\n+# also.\n+# This setting is also used to inform the interval of auto-updating if\n+# using permissions_cache_active_update.\n+# Defaults to the same value as permissions_validity.\n+# For a longer-running permissions cache, consider setting to update hourly (60000)\n+# Min unit: ms\n+# permissions_update_interval: 2000ms\n+\n+# If true, cache contents are actively updated by a background task at the\n+# interval set by permissions_update_interval. If false, cache entries\n+# become eligible for refresh after their update interval. Upon next access,\n+# an async reload is scheduled and the old value returned until it completes.\n+# permissions_cache_active_update: false\n+\n+# Validity period for credentials cache. This cache is tightly coupled to\n+# the provided PasswordAuthenticator implementation of IAuthenticator. 
If\n+# another IAuthenticator implementation is configured, this cache will not\n+# be automatically used and so the following settings will have no effect.\n+# Please note, credentials are cached in their encrypted form, so while\n+# activating this cache may reduce the number of queries made to the\n+# underlying table, it may not  bring a significant reduction in the\n+# latency of individual authentication attempts.\n+# Defaults to 2000, set to 0 to disable credentials caching.\n+# For a long-running cache using credentials_cache_active_update, consider\n+# setting to something longer such as a daily validation: 86400000\n+# Min unit: ms\n+credentials_validity: 600000ms\n+\n+# Refresh interval for credentials cache (if enabled).\n+# After this interval, cache entries become eligible for refresh. Upon next\n+# access, an async reload is scheduled and the old value returned until it\n+# completes. If credentials_validity is non-zero, then this must be\n+# also.\n+# This setting is also used to inform the interval of auto-updating if\n+# using credentials_cache_active_update.\n+# Defaults to the same value as credentials_validity.\n+# For a longer-running permissions cache, consider setting to update hourly (60000)\n+# Min unit: ms\n+# credentials_update_interval: 2000ms\n+\n+# If true, cache contents are actively updated by a background task at the\n+# interval set by credentials_update_interval. If false (default), cache entries\n+# become eligible for refresh after their update interval. Upon next access,\n+# an async reload is scheduled and the old value returned until it completes.\n+# credentials_cache_active_update: false\n+\n+# The partitioner is responsible for distributing groups of rows (by\n+# partition key) across nodes in the cluster. The partitioner can NOT be\n+# changed without reloading all data.  
If you are adding nodes or upgrading,\n+# you should set this to the same partitioner that you are currently using.\n+#\n+# The default partitioner is the Murmur3Partitioner. Older partitioners\n+# such as the RandomPartitioner, ByteOrderedPartitioner, and\n+# OrderPreservingPartitioner have been included for backward compatibility only.\n+# For new clusters, you should NOT change this value.\n+#\n+partitioner: org.apache.cassandra.dht.Murmur3Partitioner\n+\n+# Directories where Cassandra should store data on disk. If multiple\n+# directories are specified, Cassandra will spread data evenly across \n+# them by partitioning the token ranges.\n+# If not set, the default directory is $CASSANDRA_HOME/data/data.\n+data_file_directories:\n+    - /srv/storage-0/cassandra-b/data\n+    - /srv/storage-1/cassandra-b/data\n+    - /srv/storage-2/cassandra-b/data\n+    - /srv/storage-3/cassandra-b/data\n+    - /srv/storage-4/cassandra-b/data\n+    - /srv/storage-5/cassandra-b/data\n+    - /srv/storage-6/cassandra-b/data\n+    - /srv/storage-7/cassandra-b/data\n+\n+\n+# Directory where Cassandra should store the data of the local system keyspaces.\n+# By default Cassandra will store the data of the local system keyspaces in the first of the data directories specified\n+# by data_file_directories.\n+# This approach ensures that if one of the other disks is lost Cassandra can continue to operate. For extra security\n+# this setting allows to store those data on a different directory that provides redundancy.\n+local_system_data_file_directory: /srv/cassandra/cassandra-b/system\n+\n+# commit log.  when running on magnetic HDD, this should be a\n+# separate spindle than the data directories.\n+# If not set, the default directory is $CASSANDRA_HOME/data/commitlog.\n+commitlog_directory: /srv/cassandra/cassandra-b/commitlog\n+\n+# Enable / disable CDC functionality on a per-node basis. This modifies the logic used\n+# for write path allocation rejection (standard: never reject. 
cdc: reject Mutation\n+# containing a CDC-enabled table if at space limit in cdc_raw_directory).\n+cdc_enabled: false\n+\n+# CommitLogSegments are moved to this directory on flush if cdc_enabled: true and the\n+# segment contains mutations for a CDC-enabled table. This should be placed on a\n+# separate spindle than the data directories. If not set, the default directory is\n+# $CASSANDRA_HOME/data/cdc_raw.\n+# cdc_raw_directory: /var/lib/cassandra/cdc_raw\n+\n+# Policy for data disk failures:\n+#\n+# die\n+#   shut down gossip and client transports and kill the JVM for any fs errors or\n+#   single-sstable errors, so the node can be replaced.\n+#\n+# stop_paranoid\n+#   shut down gossip and client transports even for single-sstable errors,\n+#   kill the JVM for errors during startup.\n+#\n+# stop\n+#   shut down gossip and client transports, leaving the node effectively dead, but\n+#   can still be inspected via JMX, kill the JVM for errors during startup.\n+#\n+# best_effort\n+#    stop using the failed disk and respond to requests based on\n+#    remaining available sstables.  
This means you WILL see obsolete\n+#    data at CL.ONE!\n+#\n+# ignore\n+#    ignore fatal errors and let requests fail, as in pre-1.2 Cassandra\n+disk_failure_policy: stop\n+\n+# Policy for commit disk failures:\n+#\n+# die\n+#   shut down the node and kill the JVM, so the node can be replaced.\n+#\n+# stop\n+#   shut down the node, leaving the node effectively dead, but\n+#   can still be inspected via JMX.\n+#\n+# stop_commit\n+#   shutdown the commit log, letting writes collect but\n+#   continuing to service reads, as in pre-2.0.5 Cassandra\n+#\n+# ignore\n+#   ignore fatal errors and let the batches fail\n+commit_failure_policy: stop\n+\n+# Maximum size of the native protocol prepared statement cache\n+#\n+# Valid values are either \"auto\" (omitting the value) or a value greater 0.\n+#\n+# Note that specifying a too large value will result in long running GCs and possbily\n+# out-of-memory errors. Keep the value at a small fraction of the heap.\n+#\n+# If you constantly see \"prepared statements discarded in the last minute because\n+# cache limit reached\" messages, the first step is to investigate the root cause\n+# of these messages and check whether prepared statements are used correctly -\n+# i.e. use bind markers for variable parts.\n+#\n+# Do only change the default value, if you really have more prepared statements than\n+# fit in the cache. In most cases it is not neccessary to change this value.\n+# Constantly re-preparing statements is a performance penalty.\n+#\n+# Default value (\"auto\") is 1/256th of the heap or 10MiB, whichever is greater\n+# Min unit: MiB\n+prepared_statements_cache_size:\n+\n+# Maximum size of the key cache in memory.\n+#\n+# Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the\n+# minimum, sometimes more. 
The key cache is fairly tiny for the amount of\n+# time it saves, so it's worthwhile to use it at large numbers.\n+# The row cache saves even more time, but must contain the entire row,\n+# so it is extremely space-intensive. It's best to only use the\n+# row cache if you have hot rows or static rows.\n+#\n+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.\n+#\n+# Default value is empty to make it \"auto\" (min(5% of Heap (in MiB), 100MiB)). Set to 0 to disable key cache.\n+# Min unit: MiB\n+key_cache_size: 400MiB\n+\n+# Duration in seconds after which Cassandra should\n+# save the key cache. Caches are saved to saved_caches_directory as\n+# specified in this configuration file.\n+#\n+# Saved caches greatly improve cold-start speeds, and is relatively cheap in\n+# terms of I/O for the key cache. Row cache saving is much more expensive and\n+# has limited use.\n+#\n+# Default is 14400 or 4 hours.\n+# Min unit: s\n+key_cache_save_period: 4h\n+\n+# Number of keys from the key cache to save\n+# Disabled by default, meaning all keys are going to be saved\n+# key_cache_keys_to_save: 100\n+\n+# Row cache implementation class name. Available implementations:\n+#\n+# org.apache.cassandra.cache.OHCProvider\n+#   Fully off-heap row cache implementation (default).\n+#\n+# org.apache.cassandra.cache.SerializingCacheProvider\n+#   This is the row cache implementation availabile\n+#   in previous releases of Cassandra.\n+# row_cache_class_name: org.apache.cassandra.cache.OHCProvider\n+\n+# Maximum size of the row cache in memory.\n+# Please note that OHC cache implementation requires some additional off-heap memory to manage\n+# the map structures and some in-flight memory during operations before/after cache entries can be\n+# accounted against the cache capacity. 
This overhead is usually small compared to the whole capacity.\n+# Do not specify more memory that the system can afford in the worst usual situation and leave some\n+# headroom for OS block level cache. Do never allow your system to swap.\n+#\n+# Default value is 0, to disable row caching.\n+# Min unit: MiB\n+row_cache_size: 200MiB\n+\n+# Duration in seconds after which Cassandra should save the row cache.\n+# Caches are saved to saved_caches_directory as specified in this configuration file.\n+#\n+# Saved caches greatly improve cold-start speeds, and is relatively cheap in\n+# terms of I/O for the key cache. Row cache saving is much more expensive and\n+# has limited use.\n+#\n+# Default is 0 to disable saving the row cache.\n+# Min unit: s\n+row_cache_save_period: 0s\n+\n+# Number of keys from the row cache to save.\n+# Specify 0 (which is the default), meaning all keys are going to be saved\n+# row_cache_keys_to_save: 100\n+\n+# Maximum size of the counter cache in memory.\n+#\n+# Counter cache helps to reduce counter locks' contention for hot counter cells.\n+# In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before\n+# write entirely. With RF > 1 a counter cache hit will still help to reduce the duration\n+# of the lock hold, helping with hot counter cell updates, but will not allow skipping\n+# the read entirely. Only the local (clock, count) tuple of a counter cell is kept\n+# in memory, not the whole counter, so it's relatively cheap.\n+#\n+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.\n+#\n+# Default value is empty to make it \"auto\" (min(2.5% of Heap (in MiB), 50MiB)). Set to 0 to disable counter cache.\n+# NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache.\n+# Min unit: MiB\n+counter_cache_size:\n+\n+# Duration in seconds after which Cassandra should\n+# save the counter cache (keys only). 
Caches are saved to saved_caches_directory as\n+# specified in this configuration file.\n+#\n+# Default is 7200 or 2 hours.\n+# Min unit: s\n+counter_cache_save_period: 7200s\n+\n+# Number of keys from the counter cache to save\n+# Disabled by default, meaning all keys are going to be saved\n+# counter_cache_keys_to_save: 100\n+\n+# saved caches\n+# If not set, the default directory is $CASSANDRA_HOME/data/saved_caches.\n+saved_caches_directory: /srv/cassandra/cassandra-b/saved_caches\n+\n+# Number of seconds the server will wait for each cache (row, key, etc ...) to load while starting\n+# the Cassandra process. Setting this to zero is equivalent to disabling all cache loading on startup\n+# while still having the cache during runtime.\n+# Min unit: s\n+# cache_load_timeout: 30s\n+\n+# commitlog_sync may be either \"periodic\", \"group\", or \"batch.\" \n+# \n+# When in batch mode, Cassandra won't ack writes until the commit log\n+# has been flushed to disk.  Each incoming write will trigger the flush task.\n+# commitlog_sync_batch_window_in_ms is a deprecated value. Previously it had\n+# almost no value, and is being removed.\n+#\n+# commitlog_sync_batch_window_in_ms: 2\n+#\n+# group mode is similar to batch mode, where Cassandra will not ack writes\n+# until the commit log has been flushed to disk. The difference is group\n+# mode will wait up to commitlog_sync_group_window between flushes.\n+#\n+# Min unit: ms\n+# commitlog_sync_group_window: 1000ms\n+#\n+# the default option is \"periodic\" where writes may be acked immediately\n+# and the CommitLog is simply synced every commitlog_sync_period\n+# milliseconds.\n+commitlog_sync: periodic\n+# Min unit: ms\n+commitlog_sync_period: 10000ms\n+\n+# When in periodic commitlog mode, the number of milliseconds to block writes\n+# while waiting for a slow disk flush to complete.\n+# Min unit: ms\n+# periodic_commitlog_sync_lag_block:\n+\n+# The size of the individual commitlog file segments.  
A commitlog\n+# segment may be archived, deleted, or recycled once all the data\n+# in it (potentially from each columnfamily in the system) has been\n+# flushed to sstables.\n+#\n+# The default size is 32, which is almost always fine, but if you are\n+# archiving commitlog segments (see commitlog_archiving.properties),\n+# then you probably want a finer granularity of archiving; 8 or 16 MB\n+# is reasonable.\n+# Max mutation size is also configurable via max_mutation_size setting in\n+# cassandra.yaml. The default is half the size commitlog_segment_size in bytes.\n+# This should be positive and less than 2048.\n+#\n+# NOTE: If max_mutation_size is set explicitly then commitlog_segment_size must\n+# be set to at least twice the size of max_mutation_size\n+#\n+# Min unit: MiB\n+commitlog_segment_size: 32MiB\n+\n+# Compression to apply to the commit log. If omitted, the commit log\n+# will be written uncompressed.  LZ4, Snappy, and Deflate compressors\n+# are supported.\n+# commitlog_compression:\n+#   - class_name: LZ4Compressor\n+#     parameters:\n+#         -\n+\n+# Compression to apply to SSTables as they flush for compressed tables.\n+# Note that tables without compression enabled do not respect this flag.\n+#\n+# As high ratio compressors like LZ4HC, Zstd, and Deflate can potentially\n+# block flushes for too long, the default is to flush with a known fast\n+# compressor in those cases. Options are:\n+#\n+# none : Flush without compressing blocks but while still doing checksums.\n+# fast : Flush with a fast compressor. If the table is already using a\n+#        fast compressor that compressor is used.\n+# table: Always flush with the same compressor that the table uses. 
This\n+#        was the pre 4.0 behavior.\n+#\n+# flush_compression: fast\n+\n+# any class that implements the SeedProvider interface and has a\n+# constructor that takes a Map<String, String> of parameters will do.\n+seed_provider:\n+  # Addresses of hosts that are deemed contact points.\n+  # Cassandra nodes use this list of hosts to find each other and learn\n+  # the topology of the ring.  You must change this if you are running\n+  # multiple nodes!\n+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider\n+    parameters:\n+      # seeds is actually a comma-delimited list of addresses.\n+      # Ex: \"<ip1>,<ip2>,<ip3>\"\n+      # Omit own host name / IP in multi-node clusters (see\n+      # https://phabricator.wikimedia.org/T91617).\n+      # Also disregard the main DNS interfaces of each node when\n+      # multiple instances are colocated on the same node (see\n+      # https://phabricator.wikimedia.org/T172610)\n+      \n+      - seeds: aqs1010-a.eqiad.wmnet,aqs1010-b.eqiad.wmnet,aqs1011-a.eqiad.wmnet,aqs1011-b.eqiad.wmnet,aqs1012-a.eqiad.wmnet,aqs1012-b.eqiad.wmnet,aqs1014-a.eqiad.wmnet,aqs1014-b.eqiad.wmnet,aqs1015-a.eqiad.wmnet,aqs1015-b.eqiad.wmnet,aqs1016-a.eqiad.wmnet,aqs1016-b.eqiad.wmnet,aqs1017-a.eqiad.wmnet,aqs1017-b.eqiad.wmnet,aqs1018-a.eqiad.wmnet,aqs1018-b.eqiad.wmnet,aqs1019-a.eqiad.wmnet,aqs1019-b.eqiad.wmnet,aqs1020-a.eqiad.wmnet,aqs1020-b.eqiad.wmnet,aqs1021-a.eqiad.wmnet,aqs1021-b.eqiad.wmnet,aqs1022-a.eqiad.wmnet,aqs1022-b.eqiad.wmnet,aqs1023-a.eqiad.wmnet,aqs1023-b.eqiad.wmnet,aqs2001-a.codfw.wmnet,aqs2001-b.codfw.wmnet,aqs2002-a.codfw.wmnet,aqs2002-b.codfw.wmnet,aqs2003-a.codfw.wmnet,aqs2003-b.codfw.wmnet,aqs2004-a.codfw.wmnet,aqs2004-b.codfw.wmnet,aqs2005-a.codfw.wmnet,aqs2005-b.codfw.wmnet,aqs2006-a.codfw.wmnet,aqs2006-b.codfw.wmnet,aqs2007-a.codfw.wmnet,aqs2007-b.codfw.wmnet,aqs2008-a.codfw.wmnet,aqs2008-b.codfw.wmnet,aqs2009-a.codfw.wmnet,aqs2009-b.codfw.wmnet,aqs2010-a.codfw.wmnet,aqs2010-b.codfw.wmnet,aqs2011-a.codfw.wm
net,aqs2011-b.codfw.wmnet,aqs2012-a.codfw.wmnet,aqs2012-b.codfw.wmnet\n+\n+# For workloads with more data than can fit in memory, Cassandra's\n+# bottleneck will be reads that need to fetch data from\n+# disk. \"concurrent_reads\" should be set to (16 * number_of_drives) in\n+# order to allow the operations to enqueue low enough in the stack\n+# that the OS and drives can reorder them. Same applies to\n+# \"concurrent_counter_writes\", since counter writes read the current\n+# values before incrementing and writing them back.\n+#\n+# On the other hand, since writes are almost never IO bound, the ideal\n+# number of \"concurrent_writes\" is dependent on the number of cores in\n+# your system; (8 * number_of_cores) is a good rule of thumb.\n+concurrent_reads: 64\n+concurrent_writes: 64\n+concurrent_counter_writes: 32\n+\n+# For materialized view writes, as there is a read involved, so this should\n+# be limited by the less of concurrent reads or concurrent writes.\n+concurrent_materialized_view_writes: 32\n+\n+# Maximum memory to use for inter-node and client-server networking buffers.\n+#\n+# Defaults to the smaller of 1/16 of heap or 128MB. This pool is allocated off-heap,\n+# so is in addition to the memory allocated for heap. The cache also has on-heap\n+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size\n+# if the default 64k chunk size is used).\n+# Memory is only allocated when needed.\n+# Min unit: MiB\n+# networking_cache_size: 128MiB\n+\n+# Enable the sstable chunk cache.  The chunk cache will store recently accessed\n+# sections of the sstable in-memory as uncompressed buffers.\n+# file_cache_enabled: false\n+\n+# Maximum memory to use for sstable chunk cache and buffer pooling.\n+# 32MB of this are reserved for pooling buffers, the rest is used for chunk cache\n+# that holds uncompressed sstable chunks.\n+# Defaults to the smaller of 1/4 of heap or 512MB. 
This pool is allocated off-heap,\n+# so is in addition to the memory allocated for heap. The cache also has on-heap\n+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size\n+# if the default 64k chunk size is used).\n+# Memory is only allocated when needed.\n+# Min unit: MiB\n+# file_cache_size: 512MiB\n+\n+# Flag indicating whether to allocate on or off heap when the sstable buffer\n+# pool is exhausted, that is when it has exceeded the maximum memory\n+# file_cache_size, beyond which it will not cache buffers but allocate on request.\n+\n+# buffer_pool_use_heap_if_exhausted: true\n+\n+# The strategy for optimizing disk read\n+# Possible values are:\n+# ssd (for solid state disks, the default)\n+# spinning (for spinning disks)\n+# disk_optimization_strategy: ssd\n+\n+# Total permitted memory to use for memtables. Cassandra will stop\n+# accepting writes when the limit is exceeded until a flush completes,\n+# and will trigger a flush based on memtable_cleanup_threshold\n+# If omitted, Cassandra will set both to 1/4 the size of the heap.\n+# Min unit: MiB\n+# memtable_heap_space: 2048MiB\n+# Min unit: MiB\n+# memtable_offheap_space: 2048MiB\n+\n+# memtable_cleanup_threshold is deprecated. The default calculation\n+# is the only reasonable choice. See the comments on  memtable_flush_writers\n+# for more information.\n+#\n+# Ratio of occupied non-flushing memtable size to total permitted size\n+# that will trigger a flush of the largest memtable. 
Larger mct will\n+# mean larger flushes and hence less compaction, but also less concurrent\n+# flush activity which can make it difficult to keep your disks fed\n+# under heavy write load.\n+#\n+# memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1)\n+# memtable_cleanup_threshold: 0.11\n+\n+# Specify the way Cassandra allocates and manages memtable memory.\n+# Options are:\n+#\n+# heap_buffers\n+#   on heap nio buffers\n+#\n+# offheap_buffers\n+#   off heap (direct) nio buffers\n+#\n+# offheap_objects\n+#    off heap objects\n+memtable_allocation_type: heap_buffers\n+\n+# Limit memory usage for Merkle tree calculations during repairs of a certain\n+# table and common token range. Repair commands targetting multiple tables or\n+# virtual nodes can exceed this limit depending on concurrent_merkle_tree_requests.\n+#\n+# The default is 1/16th of the available heap. The main tradeoff is that\n+# smaller trees have less resolution, which can lead to over-streaming data.\n+# If you see heap pressure during repairs, consider lowering this, but you\n+# cannot go below one mebibyte. If you see lots of over-streaming, consider\n+# raising this or using subrange repair.\n+#\n+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-14096.\n+#\n+# Min unit: MiB\n+# repair_session_space:\n+\n+# The number of simultaneous Merkle tree requests during repairs that can\n+# be performed by a repair command. 
The size of each validation request is\n+# limited by the repair_session_space property, so setting this to 1 will make\n+# sure that a repair command doesn't exceed that limit, even if the repair\n+# command is repairing multiple tables or multiple virtual nodes.\n+#\n+# There isn't a limit by default for backwards compatibility, but this can\n+# produce OOM for  commands repairing multiple tables or multiple virtual nodes.\n+# A limit of just 1 simultaneous Merkle tree request is generally recommended\n+# with no virtual nodes so repair_session_space, and thereof the Merkle tree\n+# resolution, can be high. For virtual nodes a value of 1 with the default\n+# repair_session_space value will produce higher resolution Merkle trees\n+# at the expense of speed. Alternatively, when working with virtual nodes it\n+# can make sense to reduce the repair_session_space and increase the value of\n+# concurrent_merkle_tree_requests because each range will contain fewer data.\n+#\n+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-19336.\n+#\n+# A zero value means no limit.\n+# concurrent_merkle_tree_requests: 0\n+\n+# Total space to use for commit logs on disk.\n+#\n+# If space gets above this value, Cassandra will flush every dirty CF\n+# in the oldest segment and remove it.  
So a small total commitlog space\n+# will tend to cause more flush activity on less-active columnfamilies.\n+#\n+# The default value is the smaller of 8192, and 1/4 of the total space\n+# of the commitlog volume.\n+#\n+# commitlog_total_space: 8192MiB\n+\n+# This sets the number of memtable flush writer threads per disk\n+# as well as the total number of memtables that can be flushed concurrently.\n+# These are generally a combination of compute and IO bound.\n+#\n+# Memtable flushing is more CPU efficient than memtable ingest and a single thread\n+# can keep up with the ingest rate of a whole server on a single fast disk\n+# until it temporarily becomes IO bound under contention typically with compaction.\n+# At that point you need multiple flush threads. At some point in the future\n+# it may become CPU bound all the time.\n+#\n+# You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation\n+# metric which should be 0, but will be non-zero if threads are blocked waiting on flushing\n+# to free memory.\n+#\n+# memtable_flush_writers defaults to two for a single data directory.\n+# This means that two  memtables can be flushed concurrently to the single data directory.\n+# If you have multiple data directories the default is one memtable flushing at a time\n+# but the flush will use a thread per data directory so you will get two or more writers.\n+#\n+# Two is generally enough to flush on a fast disk [array] mounted as a single data directory.\n+# Adding more flush writers will result in smaller more frequent flushes that introduce more\n+# compaction overhead.\n+#\n+# There is a direct tradeoff between number of memtables that can be flushed concurrently\n+# and flush size and frequency. 
More is not better you just need enough flush writers\n+# to never stall waiting for flushing to free memory.\n+#\n+# memtable_flush_writers: 2\n+\n+# Total space to use for change-data-capture logs on disk.\n+#\n+# If space gets above this value, Cassandra will throw WriteTimeoutException\n+# on Mutations including tables with CDC enabled. A CDCCompactor is responsible\n+# for parsing the raw CDC logs and deleting them when parsing is completed.\n+#\n+# The default value is the min of 4096 MiB and 1/8th of the total space\n+# of the drive where cdc_raw_directory resides.\n+# Min unit: MiB\n+# cdc_total_space: 4096MiB\n+\n+# When we hit our cdc_raw limit and the CDCCompactor is either running behind\n+# or experiencing backpressure, we check at the following interval to see if any\n+# new space for cdc-tracked tables has been made available. Default to 250ms\n+# Min unit: ms\n+# cdc_free_space_check_interval: 250ms\n+\n+# A fixed memory pool size in MB for for SSTable index summaries. If left\n+# empty, this will default to 5% of the heap size. If the memory usage of\n+# all index summaries exceeds this limit, SSTables with low read rates will\n+# shrink their index summaries in order to meet this limit.  However, this\n+# is a best-effort process. In extreme conditions Cassandra may need to use\n+# more than this amount of memory.\n+# Min unit: KiB\n+index_summary_capacity:\n+\n+# How frequently index summaries should be resampled.  This is done\n+# periodically to redistribute memory from the fixed-size pool to sstables\n+# proportional their recent read rates.  Setting to null value will disable this\n+# process, leaving existing index summaries at their current sampling level.\n+# Min unit: m\n+index_summary_resize_interval: 60m\n+\n+# Whether to, when doing sequential writing, fsync() at intervals in\n+# order to force the operating system to flush the dirty\n+# buffers. Enable this to avoid sudden dirty buffer flushing from\n+# impacting read latencies. 
Almost always a good idea on SSDs; not\n+# necessarily on platters.\n+trickle_fsync: true\n+# Min unit: KiB\n+trickle_fsync_interval: 30240KiB\n+\n+# TCP port, for commands and data\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+storage_port: 7000\n+\n+# SSL port, for legacy encrypted communication. This property is unused unless enabled in\n+# server_encryption_options (see below). As of cassandra 4.0, this property is deprecated\n+# as a single port can be used for either/both secure and insecure connections.\n+# For security reasons, you should not expose this port to the internet. Firewall it if needed.\n+ssl_storage_port: 7001\n+\n+# Address or interface to bind to and tell other Cassandra nodes to connect to.\n+# You _must_ change this if you want multiple nodes to be able to communicate!\n+#\n+# Set listen_address OR listen_interface, not both.\n+#\n+# Leaving it blank leaves it up to InetAddress.getLocalHost(). This\n+# will always do the Right Thing _if_ the node is properly configured\n+# (hostname, name resolution, etc), and the Right Thing is to use the\n+# address associated with the hostname (it might not be). If unresolvable\n+# it will fall back to InetAddress.getLoopbackAddress(), which is wrong for production systems.\n+#\n+# Setting listen_address to 0.0.0.0 is always wrong.\n+#\n+listen_address: 10.64.156.21\n+\n+# Set listen_address OR listen_interface, not both. Interfaces must correspond\n+# to a single address, IP aliasing is not supported.\n+# listen_interface: eth0\n+\n+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address\n+# you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4\n+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring\n+# ipv4. 
If there is only one address it will be selected regardless of ipv4/ipv6.\n+# listen_interface_prefer_ipv6: false\n+\n+# Address to broadcast to other Cassandra nodes\n+# Leaving this blank will set it to the same value as listen_address\n+# broadcast_address: 1.2.3.4\n+\n+# When using multiple physical network interfaces, set this\n+# to true to listen on broadcast_address in addition to\n+# the listen_address, allowing nodes to communicate in both\n+# interfaces.\n+# Ignore this property if the network configuration automatically\n+# routes  between the public and private networks such as EC2.\n+# listen_on_broadcast_address: false\n+\n+# Internode authentication backend, implementing IInternodeAuthenticator;\n+# used to allow/disallow connections from peer nodes.\n+# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator\n+\n+# Whether to start the native transport server.\n+# The address on which the native transport is bound is defined by rpc_address.\n+start_native_transport: true\n+# port for the CQL native transport to listen for clients on\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+native_transport_port: 9042\n+# Enabling native transport encryption in client_encryption_options allows you to either use\n+# encryption for the standard port or to use a dedicated, additional port along with the unencrypted\n+# standard native_transport_port.\n+# Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption\n+# for native_transport_port. 
Setting native_transport_port_ssl to a different value\n+# from native_transport_port will use encryption for native_transport_port_ssl while\n+# keeping native_transport_port unencrypted.\n+# native_transport_port_ssl: 9142\n+# The maximum threads for handling requests (note that idle threads are stopped\n+# after 30 seconds so there is not corresponding minimum setting).\n+# native_transport_max_threads: 128\n+# The maximum threads for handling auth requests in a separate executor from main request executor.\n+# When set to 0, main executor for requests is used.\n+# native_transport_max_auth_threads: 0\n+#\n+# The maximum size of allowed frame. Frame (requests) larger than this will\n+# be rejected as invalid. The default is 16MiB. If you're changing this parameter,\n+# you may want to adjust max_value_size accordingly. This should be positive and less than 2048.\n+# Min unit: MiB\n+# native_transport_max_frame_size: 16MiB\n+\n+# The maximum number of concurrent client connections.\n+# The default is -1, which means unlimited.\n+# native_transport_max_concurrent_connections: -1\n+\n+# The maximum number of concurrent client connections per source ip.\n+# The default is -1, which means unlimited.\n+# native_transport_max_concurrent_connections_per_ip: -1\n+\n+# Controls whether Cassandra honors older, yet currently supported, protocol versions.\n+# The default is true, which means all supported protocols will be honored.\n+native_transport_allow_older_protocols: true\n+\n+# Controls when idle client connections are closed. Idle connections are ones that had neither reads\n+# nor writes for a time period.\n+#\n+# Clients may implement heartbeats by sending OPTIONS native protocol message after a timeout, which\n+# will reset idle timeout timer on the server side. 
To close idle client connections, corresponding\n+# values for heartbeat intervals have to be set on the client side.\n+#\n+# Idle connection timeouts are disabled by default.\n+# Min unit: ms\n+# native_transport_idle_timeout: 60000ms\n+\n+# When enabled, limits the number of native transport requests dispatched for processing per second.\n+# Behavior once the limit has been breached depends on the value of THROW_ON_OVERLOAD specified in\n+# the STARTUP message sent by the client during connection establishment. (See section \"4.1.1. STARTUP\"\n+# in \"CQL BINARY PROTOCOL v5\".) With the THROW_ON_OVERLOAD flag enabled, messages that breach the limit\n+# are dropped, and an OverloadedException is thrown for the client to handle. When the flag is not\n+# enabled, the server will stop consuming messages from the channel/socket, putting backpressure on\n+# the client while already dispatched messages are processed.\n+# native_transport_rate_limiting_enabled: false\n+# native_transport_max_requests_per_second: 1000000\n+\n+# The address or interface to bind the native transport server to.\n+#\n+# Set rpc_address OR rpc_interface, not both.\n+#\n+# Leaving rpc_address blank has the same effect as on listen_address\n+# (i.e. it will be based on the configured hostname of the node).\n+#\n+# Note that unlike listen_address, you can specify 0.0.0.0, but you must also\n+# set broadcast_rpc_address to a value other than 0.0.0.0.\n+#\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+rpc_address: 10.64.156.21\n+\n+# Set rpc_address OR rpc_interface, not both. Interfaces must correspond\n+# to a single address, IP aliasing is not supported.\n+# rpc_interface: eth1\n+\n+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address\n+# you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4\n+# address will be used. 
If true the first ipv6 address will be used. Defaults to false preferring\n+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.\n+# rpc_interface_prefer_ipv6: false\n+\n+# RPC address to broadcast to drivers and other Cassandra nodes. This cannot\n+# be set to 0.0.0.0. If left blank, this will be set to the value of\n+# rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must\n+# be set.\n+# broadcast_rpc_address: 1.2.3.4\n+\n+# enable or disable keepalive on rpc/native connections\n+rpc_keepalive: true\n+\n+# Uncomment to set socket buffer size for internode communication\n+# Note that when setting this, the buffer size is limited by net.core.wmem_max\n+# and when not setting it it is defined by net.ipv4.tcp_wmem\n+# See also:\n+# /proc/sys/net/core/wmem_max\n+# /proc/sys/net/core/rmem_max\n+# /proc/sys/net/ipv4/tcp_wmem\n+# /proc/sys/net/ipv4/tcp_wmem\n+# and 'man tcp'\n+# Min unit: B\n+# internode_socket_send_buffer_size:\n+\n+# Uncomment to set socket buffer size for internode communication\n+# Note that when setting this, the buffer size is limited by net.core.wmem_max\n+# and when not setting it it is defined by net.ipv4.tcp_wmem\n+# Min unit: B\n+# internode_socket_receive_buffer_size:\n+\n+# Set to true to have Cassandra create a hard link to each sstable\n+# flushed or streamed locally in a backups/ subdirectory of the\n+# keyspace data.  Removing these links is the operator's\n+# responsibility.\n+incremental_backups: false\n+\n+# Whether or not to take a snapshot before each compaction.  Be\n+# careful using this option, since Cassandra won't clean up the\n+# snapshots for you.  Mostly useful if you're paranoid when there\n+# is a data format change.\n+snapshot_before_compaction: false\n+\n+# Whether or not a snapshot is taken of the data before keyspace truncation\n+# or dropping of column families. The STRONGLY advised default of true \n+# should be used to provide data safety. 
If you set this flag to false, you will\n+# lose data on truncation or drop.\n+auto_snapshot: true\n+\n+# Adds a time-to-live (TTL) to auto snapshots generated by table\n+# truncation or drop (when enabled).\n+# After the TTL is elapsed, the snapshot is automatically cleared.\n+# By default, auto snapshots *do not* have TTL, uncomment the property below\n+# to enable TTL on auto snapshots.\n+# Accepted units: d (days), h (hours) or m (minutes)\n+# auto_snapshot_ttl: 30d\n+\n+# The act of creating or clearing a snapshot involves creating or removing\n+# potentially tens of thousands of links, which can cause significant performance\n+# impact, especially on consumer grade SSDs. A non-zero value here can\n+# be used to throttle these links to avoid negative performance impact of\n+# taking and clearing snapshots\n+snapshot_links_per_second: 0\n+\n+# Granularity of the collation index of rows within a partition.\n+# Increase if your rows are large, or if you have a very large\n+# number of rows per partition.  The competing goals are these:\n+#\n+# - a smaller granularity means more index entries are generated\n+#   and looking up rows withing the partition by collation column\n+#   is faster\n+# - but, Cassandra will keep the collation index in memory for hot\n+#   rows (as part of the key cache), so a larger granularity means\n+#   you can cache more hot rows\n+# Min unit: KiB\n+column_index_size: 64KiB\n+\n+# Per sstable indexed key cache entries (the collation index in memory\n+# mentioned above) exceeding this size will not be held on heap.\n+# This means that only partition information is held on heap and the\n+# index entries are read from disk.\n+#\n+# Note that this size refers to the size of the\n+# serialized index information and not the size of the partition.\n+# Min unit: KiB\n+column_index_cache_size: 2KiB\n+\n+# Number of simultaneous compactions to allow, NOT including\n+# validation \"compactions\" for anti-entropy repair.  
Simultaneous\n+# compactions can help preserve read performance in a mixed read/write\n+# workload, by mitigating the tendency of small sstables to accumulate\n+# during a single long running compactions. The default is usually\n+# fine and if you experience problems with compaction running too\n+# slowly or too fast, you should look at\n+# compaction_throughput first.\n+#\n+# concurrent_compactors defaults to the smaller of (number of disks,\n+# number of cores), with a minimum of 2 and a maximum of 8.\n+# \n+# If your data directories are backed by SSD, you should increase this\n+# to the number of cores.\n+concurrent_compactors: 12\n+\n+# Number of simultaneous repair validations to allow. If not set or set to\n+# a value less than 1, it defaults to the value of concurrent_compactors.\n+# To set a value greeater than concurrent_compactors at startup, the system\n+# property cassandra.allow_unlimited_concurrent_validations must be set to\n+# true. To dynamically resize to a value > concurrent_compactors on a running\n+# node, first call the bypassConcurrentValidatorsLimit method on the\n+# org.apache.cassandra.db:type=StorageService mbean\n+# concurrent_validations: 0\n+\n+# Number of simultaneous materialized view builder tasks to allow.\n+concurrent_materialized_view_builders: 1\n+\n+# Throttles compaction to the given total throughput across the entire\n+# system. The faster you insert data, the faster you need to compact in\n+# order to keep the sstable count down, but in general, setting this to\n+# 16 to 32 times the rate you are inserting data is more than sufficient.\n+# Setting this to 0 disables throttling. Note that this accounts for all types\n+# of compaction, including validation compaction (building Merkle trees\n+# for repairs).\n+compaction_throughput: 256MiB/s\n+\n+# When compacting, the replacement sstable(s) can be opened before they\n+# are completely written, and used in place of the prior sstables for\n+# any range that has been written. 
This helps to smoothly transfer reads \n+# between the sstables, reducing page cache churn and keeping hot rows hot\n+# Set sstable_preemptive_open_interval to null for disabled which is equivalent to\n+# sstable_preemptive_open_interval_in_mb being negative\n+# Min unit: MiB\n+sstable_preemptive_open_interval: 50MiB\n+\n+# Starting from 4.1 sstables support UUID based generation identifiers. They are disabled by default\n+# because once enabled, there is no easy way to downgrade. When the node is restarted with this option\n+# set to true, each newly created sstable will have a UUID based generation identifier and such files are\n+# not readable by previous Cassandra versions. At some point, this option will become true by default\n+# and eventually get removed from the configuration.\n+uuid_sstable_identifiers_enabled: false\n+\n+# When enabled, permits Cassandra to zero-copy stream entire eligible\n+# SSTables between nodes, including every component.\n+# This speeds up the network transfer significantly subject to\n+# throttling specified by entire_sstable_stream_throughput_outbound,\n+# and entire_sstable_inter_dc_stream_throughput_outbound\n+# for inter-DC transfers.\n+# Enabling this will reduce the GC pressure on sending and receiving node.\n+# When unset, the default is enabled. While this feature tries to keep the\n+# disks balanced, it cannot guarantee it. 
This feature will be automatically\n+# disabled if internode encryption is enabled.\n+# stream_entire_sstables: true\n+\n+# Throttles entire SSTable outbound streaming file transfers on\n+# this node to the given total throughput in Mbps.\n+# Setting this value to 0 it disables throttling.\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# entire_sstable_stream_throughput_outbound: 24MiB/s\n+\n+# Throttles entire SSTable file streaming between datacenters.\n+# Setting this value to 0 disables throttling for entire SSTable inter-DC file streaming.\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# entire_sstable_inter_dc_stream_throughput_outbound: 24MiB/s\n+\n+# Throttles all outbound streaming file transfers on this node to the\n+# given total throughput in Mbps. This is necessary because Cassandra does\n+# mostly sequential IO when streaming data during bootstrap or repair, which\n+# can lead to saturating the network connection and degrading rpc performance.\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# stream_throughput_outbound: 24MiB/s\n+\n+# Throttles all streaming file transfer between the datacenters,\n+# this setting allows users to throttle inter dc stream throughput in addition\n+# to throttling all network stream traffic as configured with\n+# stream_throughput_outbound_megabits_per_sec\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# inter_dc_stream_throughput_outbound: 24MiB/s\n+\n+# Server side timeouts for requests. The server will return a timeout exception\n+# to the client if it can't complete an operation within the corresponding\n+# timeout. Those settings are a protection against:\n+#   1) having client wait on an operation that might never terminate due to some\n+#      failures.\n+#   2) operations that use too much CPU/read too much data (leading to memory build\n+#      up) by putting a limit to how long an operation will execute.\n+# For this reason, you should avoid putting these settings too high. 
In other words,\n+# if you are timing out requests because of underlying resource constraints then\n+# increasing the timeout will just cause more problems. Of course putting them too\n+# low is equally ill-advised since clients could get timeouts even for successful\n+# operations just because the timeout setting is too tight.\n+\n+# How long the coordinator should wait for read operations to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+read_request_timeout: 5000ms\n+# How long the coordinator should wait for seq or index scans to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+range_request_timeout: 10000ms\n+# How long the coordinator should wait for writes to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+write_request_timeout: 2000ms\n+# How long the coordinator should wait for counter writes to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+counter_write_request_timeout: 5000ms\n+# How long a coordinator should continue to retry a CAS operation\n+# that contends with other proposals for the same row.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+cas_contention_timeout: 1000ms\n+# How long the coordinator should wait for truncates to complete\n+# (This can be much longer, because unless auto_snapshot is disabled\n+# we need to flush first so we can snapshot before removing the data.)\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+truncate_request_timeout: 60000ms\n+# The default timeout for other, miscellaneous operations.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+request_timeout: 10000ms\n+\n+# Defensive settings for protecting Cassandra from true network partitions.\n+# See (CASSANDRA-14358) for details.\n+#\n+# The amount of time to wait for internode tcp connections to establish.\n+# Min unit: ms\n+# internode_tcp_connect_timeout: 2000ms\n+#\n+# The amount of time unacknowledged data is allowed on a connection before we throw out the 
connection\n+# Note this is only supported on Linux + epoll, and it appears to behave oddly above a setting of 30000\n+# (it takes much longer than 30s) as of Linux 4.12. If you want something that high set this to 0\n+# which picks up the OS default and configure the net.ipv4.tcp_retries2 sysctl to be ~8.\n+# Min unit: ms\n+# internode_tcp_user_timeout: 30000ms\n+\n+# The amount of time unacknowledged data is allowed on a streaming connection.\n+# The default is 5 minutes. Increase it or set it to 0 in order to increase the timeout.\n+# Min unit: ms\n+# internode_streaming_tcp_user_timeout: 300000ms\n+\n+# Global, per-endpoint and per-connection limits imposed on messages queued for delivery to other nodes\n+# and waiting to be processed on arrival from other nodes in the cluster.  These limits are applied to the on-wire\n+# size of the message being sent or received.\n+#\n+# The basic per-link limit is consumed in isolation before any endpoint or global limit is imposed.\n+# Each node-pair has three links: urgent, small and large.  
So any given node may have a maximum of\n+# N*3*(internode_application_send_queue_capacity+internode_application_receive_queue_capacity)\n+# messages queued without any coordination between them although in practice, with token-aware routing, only RF*tokens\n+# nodes should need to communicate with significant bandwidth.\n+#\n+# The per-endpoint limit is imposed on all messages exceeding the per-link limit, simultaneously with the global limit,\n+# on all links to or from a single node in the cluster.\n+# The global limit is imposed on all messages exceeding the per-link limit, simultaneously with the per-endpoint limit,\n+# on all links to or from any node in the cluster.\n+#\n+# Min unit: B\n+# internode_application_send_queue_capacity: 4MiB\n+# internode_application_send_queue_reserve_endpoint_capacity: 128MiB\n+# internode_application_send_queue_reserve_global_capacity: 512MiB\n+# internode_application_receive_queue_capacity: 4MiB\n+# internode_application_receive_queue_reserve_endpoint_capacity: 128MiB\n+# internode_application_receive_queue_reserve_global_capacity: 512MiB\n+\n+\n+# How long before a node logs slow queries. Select queries that take longer than\n+# this timeout to execute, will generate an aggregated log message, so that slow queries\n+# can be identified. Set this value to zero to disable slow query logging.\n+# Min unit: ms\n+slow_query_log_timeout: 500ms\n+\n+# Enable operation timeout information exchange between nodes to accurately\n+# measure request timeouts.  
If disabled, replicas will assume that requests\n+# were forwarded to them instantly by the coordinator, which means that\n+# under overload conditions we will waste that much extra time processing \n+# already-timed-out requests.\n+#\n+# Warning: It is generally assumed that users have setup NTP on their clusters, and that clocks are modestly in sync, \n+# since this is a requirement for general correctness of last write wins.\n+# internode_timeout: true\n+\n+# Set period for idle state control messages for earlier detection of failed streams\n+# This node will send a keep-alive message periodically on the streaming's control channel.\n+# This ensures that any eventual SocketTimeoutException will occur within 2 keep-alive cycles\n+# If the node cannot send, or timeouts sending, the keep-alive message on the netty control channel\n+# the stream session is closed.\n+# Default value is 300s (5 minutes), which means stalled streams\n+# are detected within 10 minutes\n+# Specify 0 to disable.\n+# Min unit: s\n+# streaming_keep_alive_period: 300s\n+\n+# Limit number of connections per host for streaming\n+# Increase this when you notice that joins are CPU-bound rather that network\n+# bound (for example a few nodes with big files).\n+# streaming_connections_per_host: 1\n+\n+# Settings for stream stats tracking; used by system_views.streaming table\n+# How long before a stream is evicted from tracking; this impacts both historic and currently running\n+# streams.\n+# streaming_state_expires: 3d\n+# How much memory may be used for tracking before evicting session from tracking; once crossed\n+# historic and currently running streams maybe impacted.\n+# streaming_state_size: 40MiB\n+# Enable/Disable tracking of streaming stats\n+# streaming_stats_enabled: true\n+\n+# Allows denying configurable access (rw/rr) to operations on configured ks, table, and partitions, intended for use by\n+# operators to manage cluster health vs application access. 
See CASSANDRA-12106 and CEP-13 for more details.\n+# partition_denylist_enabled: false\n+\n+# denylist_writes_enabled: true\n+# denylist_reads_enabled: true\n+# denylist_range_reads_enabled: true\n+\n+# The interval at which keys in the cache for denylisting will \"expire\" and async refresh from the backing DB.\n+# Note: this serves only as a fail-safe, as the usage pattern is expected to be \"mutate state, refresh cache\" on any\n+# changes to the underlying denylist entries. See documentation for details.\n+# Min unit: s\n+# denylist_refresh: 600s\n+\n+# In the event of errors on attempting to load the denylist cache, retry on this interval.\n+# Min unit: s\n+# denylist_initial_load_retry: 5s\n+\n+# We cap the number of denylisted keys allowed per table to keep things from growing unbounded. Nodes will warn above\n+# this limit while allowing new denylisted keys to be inserted. Denied keys are loaded in natural query / clustering\n+# ordering by partition key in case of overflow.\n+# denylist_max_keys_per_table: 1000\n+\n+# We cap the total number of denylisted keys allowed in the cluster to keep things from growing unbounded.\n+# Nodes will warn on initial cache load that there are too many keys and be direct the operator to trim down excess\n+# entries to within the configured limits.\n+# denylist_max_keys_total: 10000\n+\n+# Since the denylist in many ways serves to protect the health of the cluster from partitions operators have identified\n+# as being in a bad state, we usually want more robustness than just CL.ONE on operations to/from these tables to\n+# ensure that these safeguards are in place. That said, we allow users to configure this if they're so inclined.\n+# denylist_consistency_level: QUORUM\n+\n+# phi value that must be reached for a host to be marked down.\n+# most users should never need to adjust this.\n+# phi_convict_threshold: 8\n+\n+# endpoint_snitch -- Set this to a class that implements\n+# IEndpointSnitch.  
The snitch has two functions:\n+#\n+# - it teaches Cassandra enough about your network topology to route\n+#   requests efficiently\n+# - it allows Cassandra to spread replicas around your cluster to avoid\n+#   correlated failures. It does this by grouping machines into\n+#   \"datacenters\" and \"racks.\"  Cassandra will do its best not to have\n+#   more than one replica on the same \"rack\" (which may not actually\n+#   be a physical location)\n+#\n+# CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH\n+# ONCE DATA IS INSERTED INTO THE CLUSTER.  This would cause data loss.\n+# This means that if you start with the default SimpleSnitch, which\n+# locates every node on \"rack1\" in \"datacenter1\", your only options\n+# if you need to add another datacenter are GossipingPropertyFileSnitch\n+# (and the older PFS).  From there, if you want to migrate to an\n+# incompatible snitch like Ec2Snitch you can do it by adding new nodes\n+# under Ec2Snitch (which will locate them in a new \"datacenter\") and\n+# decommissioning the old ones.\n+#\n+# Out of the box, Cassandra provides:\n+#\n+# SimpleSnitch:\n+#    Treats Strategy order as proximity. This can improve cache\n+#    locality when disabling read repair.  Only appropriate for\n+#    single-datacenter deployments.\n+#\n+# GossipingPropertyFileSnitch\n+#    This should be your go-to snitch for production use.  The rack\n+#    and datacenter for the local node are defined in\n+#    cassandra-rackdc.properties and propagated to other nodes via\n+#    gossip.  If cassandra-topology.properties exists, it is used as a\n+#    fallback, allowing migration from the PropertyFileSnitch.\n+#\n+# PropertyFileSnitch:\n+#    Proximity is determined by rack and data center, which are\n+#    explicitly configured in cassandra-topology.properties.\n+#\n+# Ec2Snitch:\n+#    Appropriate for EC2 deployments in a single Region. Loads Region\n+#    and Availability Zone information from the EC2 API. 
The Region is\n+#    treated as the datacenter, and the Availability Zone as the rack.\n+#    Only private IPs are used, so this will not work across multiple\n+#    Regions.\n+#\n+# Ec2MultiRegionSnitch:\n+#    Uses public IPs as broadcast_address to allow cross-region\n+#    connectivity.  (Thus, you should set seed addresses to the public\n+#    IP as well.) You will need to open the storage_port or\n+#    ssl_storage_port on the public IP firewall.  (For intra-Region\n+#    traffic, Cassandra will switch to the private IP after\n+#    establishing a connection.)\n+#\n+# RackInferringSnitch:\n+#    Proximity is determined by rack and data center, which are\n+#    assumed to correspond to the 3rd and 2nd octet of each node's IP\n+#    address, respectively.  Unless this happens to match your\n+#    deployment conventions, this is best used as an example of\n+#    writing a custom Snitch class and is provided in that spirit.\n+#\n+# You can use a custom Snitch by setting this to the full class name\n+# of the snitch, which will be assumed to be on your classpath.\n+endpoint_snitch: GossipingPropertyFileSnitch\n+\n+# controls how often to perform the more expensive part of host score\n+# calculation\n+# Min unit: ms\n+dynamic_snitch_update_interval: 100ms\n+# controls how often to reset all host scores, allowing a bad host to\n+# possibly recover\n+# Min unit: ms\n+dynamic_snitch_reset_interval: 600000ms\n+# if set greater than zero, this will allow\n+# 'pinning' of replicas to hosts in order to increase cache capacity.\n+# The badness threshold will control how much worse the pinned host has to be\n+# before the dynamic snitch will prefer other replicas over it.  This is\n+# expressed as a double which represents a percentage.  
Thus, a value of\n+# 0.2 means Cassandra would continue to prefer the static snitch values\n+# until the pinned host was 20% worse than the fastest.\n+dynamic_snitch_badness_threshold: 1.0\n+\n+# Configure server-to-server internode encryption\n+#\n+# JVM and netty defaults for supported SSL socket protocols and cipher suites can\n+# be replaced using custom encryption options. This is not recommended\n+# unless you have policies in place that dictate certain settings, or\n+# need to disable vulnerable ciphers or protocols in case the JVM cannot\n+# be updated.\n+#\n+# FIPS compliant settings can be configured at JVM level and should not\n+# involve changing encryption settings here:\n+# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html\n+#\n+# **NOTE** this default configuration is an insecure configuration. If you need to\n+# enable server-to-server encryption generate server keystores (and truststores for mutual\n+# authentication) per:\n+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore\n+# Then perform the following configuration changes:\n+#\n+# Step 1: Set internode_encryption=<dc|rack|all> and explicitly set optional=true. Restart all nodes\n+#\n+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual\n+# auth set require_client_auth=true. 
Restart all nodes\n+server_encryption_options:\n+  # On outbound connections, determine which type of peers to securely connect to.\n+  #   The available options are :\n+  #     none : Do not encrypt outgoing connections\n+  #     dc   : Encrypt connections to peers in other datacenters but not within datacenters\n+  #     rack : Encrypt connections to peers in other racks but not within racks\n+  #     all  : Always use encrypted connections\n+  internode_encryption: all\n+  # When set to true, encrypted and unencrypted connections are allowed on the storage_port\n+  # This should _only be true_ while in unencrypted or transitional operation\n+  # optional defaults to true if internode_encryption is none\n+  optional: false\n+  # If enabled, will open up an encrypted listening socket on ssl_storage_port. Should only be used\n+  # during upgrade to 4.0; otherwise, set to false.\n+  legacy_ssl_storage_port_enabled: false\n+  # Set to a valid keystore if internode_encryption is dc, rack or all\n+  keystore: /etc/cassandra-b/tls/server.key\n+  keystore_password: test\n+  # Verify peer server certificates\n+  require_client_auth: false\n+  # Set to a valid trustore if require_client_auth is true\n+  truststore: /etc/ssl/localcerts/wmf-java-cacerts\n+  truststore_password: changeit\n+  # Verify that the host name in the certificate matches the connected host\n+  require_endpoint_verification: false\n+  # More advanced defaults:\n+  # protocol: TLS\n+  # store_type: JKS\n+  # cipher_suites: [\n+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_RSA_WITH_AES_256_CBC_SHA\n+  # ]\n+\n+# Configure client-to-server encryption.\n+#\n+# **NOTE** this default configuration is an insecure configuration. 
If you need to\n+# enable client-to-server encryption generate server keystores (and truststores for mutual\n+# authentication) per:\n+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore\n+# Then perform the following configuration changes:\n+#\n+# Step 1: Set enabled=true and explicitly set optional=true. Restart all nodes\n+#\n+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual\n+# auth set require_client_auth=true. Restart all nodes\n+client_encryption_options:\n+  # Enable client-to-server encryption\n+  enabled: true\n+  # When set to true, encrypted and unencrypted connections are allowed on the native_transport_port\n+  # This should _only be true_ while in unencrypted or transitional operation\n+  # optional defaults to true when enabled is false, and false when enabled is true.\n+  optional: true\n+  # Set keystore and keystore_password to valid keystores if enabled is true\n+  keystore: /etc/cassandra-b/tls/server.key\n+  keystore_password: test\n+  # Verify client certificates\n+  require_client_auth: false\n+  # Set trustore and truststore_password if require_client_auth is true\n+  # truststore: /etc/cassandra-b/tls/client.trust\n+  # truststore_password: placeholder\n+  # More advanced defaults:\n+  # protocol: TLS\n+  # store_type: JKS\n+  # cipher_suites: [\n+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_RSA_WITH_AES_256_CBC_SHA\n+  # ]\n+\n+# internode_compression controls whether traffic between nodes is\n+# compressed.\n+# Can be:\n+#\n+# all\n+#   all traffic is compressed\n+#\n+# dc\n+#   traffic between different datacenters is compressed\n+#\n+# none\n+#   nothing is 
compressed.\n+internode_compression: all\n+\n+# Enable or disable tcp_nodelay for inter-dc communication.\n+# Disabling it will result in larger (but fewer) network packets being sent,\n+# reducing overhead from the TCP protocol itself, at the cost of increasing\n+# latency if you block for cross-datacenter responses.\n+inter_dc_tcp_nodelay: false\n+\n+# TTL for different trace types used during logging of the repair process.\n+# Min unit: s\n+trace_type_query_ttl: 1d\n+# Min unit: s\n+trace_type_repair_ttl: 7d\n+\n+# If unset, all GC Pauses greater than gc_log_threshold will log at\n+# INFO level\n+# UDFs (user defined functions) are disabled by default.\n+# As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code.\n+user_defined_functions_enabled: false\n+\n+# Enables scripted UDFs (JavaScript UDFs).\n+# Java UDFs are always enabled, if user_defined_functions_enabled is true.\n+# Enable this option to be able to use UDFs with \"language javascript\" or any custom JSR-223 provider.\n+# This option has no effect, if user_defined_functions_enabled is false.\n+scripted_user_defined_functions_enabled: false\n+\n+# Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from\n+# a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by\n+# the \"key_alias\" is the only key that will be used for encrypt opertaions; previously used keys\n+# can still (and should!) 
be in the keystore and will be used on decrypt operations\n+# (to handle the case of key rotation).\n+#\n+# It is strongly recommended to download and install Java Cryptography Extension (JCE)\n+# Unlimited Strength Jurisdiction Policy Files for your version of the JDK.\n+# (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)\n+#\n+# Currently, only the following file types are supported for transparent data encryption, although\n+# more are coming in future cassandra releases: commitlog, hints\n+transparent_data_encryption_options:\n+  enabled: false\n+  chunk_length_kb: 64\n+  cipher: AES/CBC/PKCS5Padding\n+  key_alias: testing:1\n+  # CBC IV length for AES needs to be 16 bytes (which is also the default size)\n+  # iv_length: 16\n+  key_provider:\n+    - class_name: org.apache.cassandra.security.JKSKeyProvider\n+      parameters:\n+        - keystore: conf/.keystore\n+          keystore_password: cassandra\n+          store_type: JCEKS\n+          key_password: cassandra\n+\n+\n+#####################\n+# SAFETY THRESHOLDS #\n+#####################\n+\n+# When executing a scan, within or across a partition, we need to keep the\n+# tombstones seen in memory so we can return them to the coordinator, which\n+# will use them to make sure other replicas also know about the deleted rows.\n+# With workloads that generate a lot of tombstones, this can cause performance\n+# problems and even exaust the server heap.\n+# (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)\n+# Adjust the thresholds here if you understand the dangers and want to\n+# scan more tombstones anyway.  
These thresholds may also be adjusted at runtime\n+# using the StorageService mbean.\n+tombstone_warn_threshold: 1000\n+tombstone_failure_threshold: 100000\n+\n+# Filtering and secondary index queries at read consistency levels above ONE/LOCAL_ONE use a\n+# mechanism called replica filtering protection to ensure that results from stale replicas do\n+# not violate consistency. (See CASSANDRA-8272 and CASSANDRA-15907 for more details.) This\n+# mechanism materializes replica results by partition on-heap at the coordinator. The more possibly\n+# stale results returned by the replicas, the more rows materialized during the query.\n+replica_filtering_protection:\n+    # These thresholds exist to limit the damage severely out-of-date replicas can cause during these\n+    # queries. They limit the number of rows from all replicas individual index and filtering queries\n+    # can materialize on-heap to return correct results at the desired read consistency level.\n+    #\n+    # \"cached_replica_rows_warn_threshold\" is the per-query threshold at which a warning will be logged.\n+    # \"cached_replica_rows_fail_threshold\" is the per-query threshold at which the query will fail.\n+    #\n+    # These thresholds may also be adjusted at runtime using the StorageService mbean.\n+    #\n+    # If the failure threshold is breached, it is likely that either the current page/fetch size\n+    # is too large or one or more replicas is severely out-of-sync and in need of repair.\n+    cached_rows_warn_threshold: 2000\n+    cached_rows_fail_threshold: 32000\n+\n+# Log WARN on any multiple-partition batch size exceeding this value. 5KiB per batch by default.\n+# Caution should be taken on increasing the size of this threshold as it can lead to node instability.\n+# Min unit: KiB\n+batch_size_warn_threshold: 5KiB\n+\n+# Fail any multiple-partition batch exceeding this value. 
50KiB (10x warn threshold) by default.\n+# Min unit: KiB\n+batch_size_fail_threshold: 50KiB\n+\n+# Log WARN on any batches not of type LOGGED than span across more partitions than this limit\n+unlogged_batch_across_partitions_warn_threshold: 10\n+\n+# Log a warning when compacting partitions larger than this value\n+compaction_large_partition_warning_threshold: 100MiB\n+\n+# Log a warning when writing more tombstones than this value to a partition\n+compaction_tombstone_warning_threshold: 100000\n+\n+# GC Pauses greater than 200 ms will be logged at INFO level\n+# This threshold can be adjusted to minimize logging if necessary\n+# Min unit: ms\n+# gc_log_threshold: 200ms\n+\n+# GC Pauses greater than gc_warn_threshold will be logged at WARN level\n+# Adjust the threshold based on your application throughput requirement. Setting to 0\n+# will deactivate the feature.\n+# Min unit: ms\n+# gc_warn_threshold: 1000ms\n+\n+# Maximum size of any value in SSTables. Safety measure to detect SSTable corruption\n+# early. Any value size larger than this threshold will result into marking an SSTable\n+# as corrupted. 
This should be positive and less than 2GiB.\n+# Min unit: MiB\n+# max_value_size: 256MiB\n+\n+# ** Impact on keyspace creation **\n+# If replication factor is not mentioned as part of keyspace creation, default_keyspace_rf would apply.\n+# Changing this configuration would only take effect for keyspaces created after the change, but does not impact\n+# existing keyspaces created prior to the change.\n+# ** Impact on keyspace alter **\n+# When altering a keyspace from NetworkTopologyStrategy to SimpleStrategy, default_keyspace_rf is applied if rf is not\n+# explicitly mentioned.\n+# ** Impact on system keyspaces **\n+# This would also apply for any system keyspaces that need replication factor.\n+# A further note about system keyspaces - system_traces and system_distributed keyspaces take RF of 2 or default,\n+# whichever is higher, and system_auth keyspace takes RF of 1 or default, whichever is higher.\n+# Suggested value for use in production: 3\n+# default_keyspace_rf: 1\n+\n+# Track a metric per keyspace indicating whether replication achieved the ideal consistency\n+# level for writes without timing out. This is different from the consistency level requested by\n+# each write which may be lower in order to facilitate availability.\n+# ideal_consistency_level: EACH_QUORUM\n+\n+# Automatically upgrade sstables after upgrade - if there is no ordinary compaction to do, the\n+# oldest non-upgraded sstable will get upgraded to the latest version\n+# automatic_sstable_upgrade: false\n+# Limit the number of concurrent sstable upgrades\n+# max_concurrent_automatic_sstable_upgrades: 1\n+\n+# Audit logging - Logs every incoming CQL command request, authentication to a node. 
See the docs\n+# on audit_logging for full details about the various configuration options.\n+audit_logging_options:\n+  enabled: false\n+  logger:\n+    - class_name: BinAuditLogger\n+  # audit_logs_dir:\n+  # included_keyspaces:\n+  # excluded_keyspaces: system, system_schema, system_virtual_schema\n+  # included_categories:\n+  # excluded_categories:\n+  # included_users:\n+  # excluded_users:\n+  # roll_cycle: HOURLY\n+  # block: true\n+  # max_queue_weight: 268435456 # 256 MiB\n+  # max_log_size: 17179869184 # 16 GiB\n+  ## archive command is \"/path/to/script.sh %path\" where %path is replaced with the file being rolled:\n+  # archive_command:\n+  # max_archive_retries: 10\n+\n+\n+# default options for full query logging - these can be overridden from command line when executing\n+# nodetool enablefullquerylog\n+# full_query_logging_options:\n+  # log_dir:\n+  # roll_cycle: HOURLY\n+  # block: true\n+  # max_queue_weight: 268435456 # 256 MiB\n+  # max_log_size: 17179869184 # 16 GiB\n+  ## archive command is \"/path/to/script.sh %path\" where %path is replaced with the file being rolled:\n+  # archive_command:\n+  ## note that enabling this allows anyone with JMX/nodetool access to run local shell commands as the user running cassandra\n+  # allow_nodetool_archive_command: false\n+  # max_archive_retries: 10\n+\n+# validate tombstones on reads and compaction\n+# can be either \"disabled\", \"warn\" or \"exception\"\n+# corrupted_tombstone_strategy: disabled\n+\n+# Diagnostic Events #\n+# If enabled, diagnostic events can be helpful for troubleshooting operational issues. Emitted events contain details\n+# on internal state and temporal relationships across events, accessible by clients via JMX.\n+diagnostic_events_enabled: false\n+\n+# Use native transport TCP message coalescing. 
If on upgrade to 4.0 you found your throughput decreasing, and in\n+# particular you run an old kernel or have very fewer client connections, this option might be worth evaluating.\n+#native_transport_flush_in_batches_legacy: false\n+\n+# Enable tracking of repaired state of data during reads and comparison between replicas\n+# Mismatches between the repaired sets of replicas can be characterized as either confirmed\n+# or unconfirmed. In this context, unconfirmed indicates that the presence of pending repair\n+# sessions, unrepaired partition tombstones, or some other condition means that the disparity\n+# cannot be considered conclusive. Confirmed mismatches should be a trigger for investigation\n+# as they may be indicative of corruption or data loss.\n+# There are separate flags for range vs partition reads as single partition reads are only tracked\n+# when CL > 1 and a digest mismatch occurs. Currently, range queries don't use digests so if\n+# enabled for range reads, all range reads will include repaired data tracking. As this adds\n+# some overhead, operators may wish to disable it whilst still enabling it for partition reads\n+repaired_data_tracking_for_range_reads_enabled: false\n+repaired_data_tracking_for_partition_reads_enabled: false\n+# If false, only confirmed mismatches will be reported. If true, a separate metric for unconfirmed\n+# mismatches will also be recorded. This is to avoid potential signal:noise issues are unconfirmed\n+# mismatches are less actionable than confirmed ones.\n+report_unconfirmed_repaired_data_mismatches: false\n+\n+# Having many tables and/or keyspaces negatively affects performance of many operations in the\n+# cluster. 
When the number of tables/keyspaces in the cluster exceeds the following thresholds\n+# a client warning will be sent back to the user when creating a table or keyspace.\n+# As of cassandra 4.1, these properties are deprecated in favor of keyspaces_warn_threshold and tables_warn_threshold\n+# table_count_warn_threshold: 150\n+# keyspace_count_warn_threshold: 40\n+\n+# configure the read and write consistency levels for modifications to auth tables\n+# auth_read_consistency_level: LOCAL_QUORUM\n+# auth_write_consistency_level: EACH_QUORUM\n+\n+# Delays on auth resolution can lead to a thundering herd problem on reconnects; this option will enable\n+# warming of auth caches prior to node completing startup. See CASSANDRA-16958\n+# auth_cache_warming_enabled: false\n+\n+#########################\n+# EXPERIMENTAL FEATURES #\n+#########################\n+\n+# Enables materialized view creation on this node.\n+# Materialized views are considered experimental and are not recommended for production use.\n+materialized_views_enabled: false\n+\n+# Enables SASI index creation on this node.\n+# SASI indexes are considered experimental and are not recommended for production use.\n+sasi_indexes_enabled: false\n+\n+# Enables creation of transiently replicated keyspaces on this node.\n+# Transient replication is experimental and is not recommended for production use.\n+transient_replication_enabled: false\n+\n+# Enables the used of 'ALTER ... DROP COMPACT STORAGE' statements on this node.\n+# 'ALTER ... DROP COMPACT STORAGE' is considered experimental and is not recommended for production use.\n+drop_compact_storage_enabled: false\n+\n+# Whether or not USE <keyspace> is allowed. 
This is enabled by default to avoid failure on upgrade.\n+#use_statements_enabled: true\n+\n+# When the client triggers a protocol exception or unknown issue (Cassandra bug) we increment\n+# a client metric showing this; this logic will exclude specific subnets from updating these\n+# metrics\n+#client_error_reporting_exclusions:\n+#  subnets:\n+#    - 127.0.0.1\n+#    - 127.0.0.0/31\n+\n+# Enables read thresholds (warn/fail) across all replicas for reporting back to the client.\n+# See: CASSANDRA-16850\n+# read_thresholds_enabled: false # scheduled to be set true in 4.2\n+# When read_thresholds_enabled: true, this tracks the materialized size of a query on the\n+# coordinator. If coordinator_read_size_warn_threshold is defined, this will emit a warning\n+# to clients with details on what query triggered this as well as the size of the result set; if\n+# coordinator_read_size_fail_threshold is defined, this will fail the query after it\n+# has exceeded this threshold, returning a read error to the user.\n+# coordinator_read_size_warn_threshold:\n+# coordinator_read_size_fail_threshold:\n+# When read_thresholds_enabled: true, this tracks the size of the local read (as defined by\n+# heap size), and will warn/fail based off these thresholds; undefined disables these checks.\n+# local_read_size_warn_threshold:\n+# local_read_size_fail_threshold:\n+# When read_thresholds_enabled: true, this tracks the expected memory size of the RowIndexEntry\n+# and will warn/fail based off these thresholds; undefined disables these checks\n+# row_index_read_size_warn_threshold:\n+# row_index_read_size_fail_threshold:\n+\n+# Guardrail to warn or fail when creating more user keyspaces than threshold.\n+# The two thresholds default to -1 to disable.\n+# keyspaces_warn_threshold: -1\n+# keyspaces_fail_threshold: -1\n+# Guardrail to warn or fail when creating more user tables than threshold.\n+# The two thresholds default to -1 to disable.\n+# tables_warn_threshold: -1\n+# 
tables_fail_threshold: -1\n+# Guardrail to enable or disable the ability to create uncompressed tables\n+# uncompressed_tables_enabled: true\n+# Guardrail to warn or fail when creating/altering a table with more columns per table than threshold.\n+# The two thresholds default to -1 to disable.\n+# columns_per_table_warn_threshold: -1\n+# columns_per_table_fail_threshold: -1\n+# Guardrail to warn or fail when creating more secondary indexes per table than threshold.\n+# The two thresholds default to -1 to disable.\n+# secondary_indexes_per_table_warn_threshold: -1\n+# secondary_indexes_per_table_fail_threshold: -1\n+# Guardrail to enable or disable the creation of secondary indexes\n+# secondary_indexes_enabled: true\n+# Guardrail to warn or fail when creating more materialized views per table than threshold.\n+# The two thresholds default to -1 to disable.\n+# materialized_views_per_table_warn_threshold: -1\n+# materialized_views_per_table_fail_threshold: -1\n+# Guardrail to warn about, ignore or reject properties when creating tables. By default all properties are allowed.\n+# table_properties_warned: []\n+# table_properties_ignored: []\n+# table_properties_disallowed: []\n+# Guardrail to allow/disallow user-provided timestamps. Defaults to true.\n+# user_timestamps_enabled: true\n+# Guardrail to allow/disallow GROUP BY functionality.\n+# group_by_enabled: true\n+# Guardrail to allow/disallow TRUNCATE and DROP TABLE statements\n+# drop_truncate_table_enabled: true\n+# Guardrail to warn or fail when using a page size greater than threshold.\n+# The two thresholds default to -1 to disable.\n+# page_size_warn_threshold: -1\n+# page_size_fail_threshold: -1\n+# Guardrail to allow/disallow list operations that require read before write, i.e. setting list element by index and\n+# removing list elements by either index or value. 
Defaults to true.\n+# read_before_write_list_operations_enabled: true\n+# Guardrail to warn or fail when querying with an IN restriction selecting more partition keys than threshold.\n+# The two thresholds default to -1 to disable.\n+# partition_keys_in_select_warn_threshold: -1\n+# partition_keys_in_select_fail_threshold: -1\n+# Guardrail to warn or fail when an IN query creates a cartesian product with a size exceeding threshold,\n+# eg. \"a in (1,2,...10) and b in (1,2...10)\" results in cartesian product of 100.\n+# The two thresholds default to -1 to disable.\n+# in_select_cartesian_product_warn_threshold: -1\n+# in_select_cartesian_product_fail_threshold: -1\n+# Guardrail to warn about or reject read consistency levels. By default, all consistency levels are allowed.\n+# read_consistency_levels_warned: []\n+# read_consistency_levels_disallowed: []\n+# Guardrail to warn about or reject write consistency levels. By default, all consistency levels are allowed.\n+# write_consistency_levels_warned: []\n+# write_consistency_levels_disallowed: []\n+# Guardrail to warn or fail when encountering larger size of collection data than threshold.\n+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case\n+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to\n+# prevent read-before-write. 
The guardrail is also checked at sstable write time to detect large non-frozen collections,\n+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.\n+# The two thresholds default to null to disable.\n+# Min unit: B\n+# collection_size_warn_threshold:\n+# Min unit: B\n+# collection_size_fail_threshold:\n+# Guardrail to warn or fail when encountering more elements in collection than threshold.\n+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case\n+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to\n+# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections,\n+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.\n+# The two thresholds default to -1 to disable.\n+# items_per_collection_warn_threshold: -1\n+# items_per_collection_fail_threshold: -1\n+# Guardrail to allow/disallow querying with ALLOW FILTERING. Defaults to true.\n+# allow_filtering_enabled: true\n+# Guardrail to warn or fail when creating a user-defined-type with more fields in than threshold.\n+# Default -1 to disable.\n+# fields_per_udt_warn_threshold: -1\n+# fields_per_udt_fail_threshold: -1\n+# Guardrail to warn or fail when local data disk usage percentage exceeds threshold. Valid values are in [1, 100].\n+# This is only used for the disks storing data directories, so it won't count any separate disks used for storing\n+# the commitlog, hints nor saved caches. The disk usage is the ratio between the amount of space used by the data\n+# directories and the addition of that same space and the remaining free space on disk. 
The main purpose of this\n+# guardrail is rejecting user writes when the disks are over the defined usage percentage, so the writes done by\n+# background processes such as compaction and streaming don't fail due to a full disk. The limits should be defined\n+# accordingly to the expected data growth due to those background processes, so for example a compaction strategy\n+# doubling the size of the data would require to keep the disk usage under 50%.\n+# The two thresholds default to -1 to disable.\n+# data_disk_usage_percentage_warn_threshold: -1\n+# data_disk_usage_percentage_fail_threshold: -1\n+# Allows defining the max disk size of the data directories when calculating thresholds for\n+# disk_usage_percentage_warn_threshold and disk_usage_percentage_fail_threshold, so if this is greater than zero they\n+# become percentages of a fixed size on disk instead of percentages of the physically available disk size. This should\n+# be useful when we have a large disk and we only want to use a part of it for Cassandra's data directories.\n+# Valid values are in [1, max available disk size of all data directories].\n+# Defaults to null to disable and use the physically available disk size of data directories during calculations.\n+# Min unit: B\n+# data_disk_usage_max_disk_size:\n+# Guardrail to warn or fail when the minimum replication factor is lesser than threshold.\n+# This would also apply to system keyspaces.\n+# Suggested value for use in production: 2 or higher\n+# minimum_replication_factor_warn_threshold: -1\n+# minimum_replication_factor_fail_threshold: -1\n+\n+# Startup Checks are executed as part of Cassandra startup process, not all of them\n+# are configurable (so you can disable them) but these which are enumerated bellow.\n+# Uncomment the startup checks and configure them appropriately to cover your needs.\n+#\n+#startup_checks:\n+# Verifies correct ownership of attached locations on disk at startup. 
See CASSANDRA-16879 for more details.\n+#  check_filesystem_ownership:\n+#    enabled: false\n+#    ownership_token: \"sometoken\" # (overriden by \"CassandraOwnershipToken\" system property)\n+#    ownership_filename: \".cassandra_fs_ownership\" # (overriden by \"cassandra.fs_ownership_filename\")\n+# Prevents a node from starting if snitch's data center differs from previous data center.\n+#  check_dc:\n+#    enabled: true # (overriden by cassandra.ignore_dc system property)\n+# Prevents a node from starting if snitch's rack differs from previous rack.\n+#  check_rack:\n+#    enabled: true # (overriden by cassandra.ignore_rack system property)\n+# Enable this property to fail startup if the node is down for longer than gc_grace_seconds, to potentially\n+# prevent data resurrection on tables with deletes. By default, this will run against all keyspaces and tables\n+# except the ones specified on excluded_keyspaces and excluded_tables.\n+#  check_data_resurrection:\n+#    enabled: false\n+# file where Cassandra periodically writes the last time it was known to run\n+#    heartbeat_file: /var/lib/cassandra/data/cassandra-heartbeat\n+#    excluded_keyspaces: # comma separated list of keyspaces to exclude from the check\n+#    excluded_tables: # comma separated list of keyspace.table pairs to exclude from the check", "parameters": "--- File[/etc/cassandra-b/cassandra.yaml].orig\n+++ File[/etc/cassandra-b/cassandra.yaml]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet].orig\n+++ Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]\n\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key 
/var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem -checkend 952200\n+    require     => Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "content": "--- /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr.orig\n+++ /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr\n@@ -0,0 +1,15 @@\n+{\n+  \"CN\": \"aqs1024-b.eqiad.wmnet\",\n+  \"hosts\": [\n+    \"cassandra\",\n+    \"aqs1024.eqiad.wmnet\",\n+    \"aqs1024-b.eqiad.wmnet\"\n+  ],\n+  \"key\": {\n+    \"algo\": \"ecdsa\",\n+    \"size\": 256\n+  },\n+  \"names\": [\n+\n+  ]\n+}", "parameters": "--- File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]\n\n+    group  => root\n+    mode   => 0400\n+    ensure => file\n+    owner  => root\n"}, {"resource": "File[/etc/cassandra.in.sh]", "content": "--- /etc/cassandra.in.sh.orig\n+++ /etc/cassandra.in.sh\n@@ -0,0 +1,107 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to set various options from puppet.\n+\n+# This file is similar to the stock /usr/share/cassandra/cassandra.in.sh\n+# but we are not setting CASSANDRA_CONF here, it'll be overridden\n+CASSANDRA_HOME=/usr/share/cassandra\n+\n+# The java classpath (required)\n+CLASSPATH=\"$CASSANDRA_CONF\"\n+\n+for jar in \"$CASSANDRA_HOME\"/lib/*.jar; do\n+    CLASSPATH=\"$CLASSPATH:$jar\"\n+done\n+\n+for jar in /usr/share/cassandra/*.jar; do\n+    
CLASSPATH=$CLASSPATH:$jar\n+done\n+\n+\n+CLASSPATH=\"$CLASSPATH:$EXTRA_CLASSPATH\"\n+\n+# set JVM javaagent opts to avoid warnings/errors\n+JAVA_AGENT=\"$JAVA_AGENT -javaagent:$CASSANDRA_HOME/lib/jamm-0.3.2.jar\"\n+\n+# Added sigar-bin to the java.library.path CASSANDRA-7838\n+JAVA_OPTS=\"$JAVA_OPTS:-Djava.library.path=$CASSANDRA_HOME/lib/sigar-bin\"\n+\n+#\n+# Java executable and per-Java version JVM settings\n+#\n+\n+# Use JAVA_HOME if set, otherwise look for java in PATH\n+if [ -n \"$JAVA_HOME\" ]; then\n+    # Why we can't have nice things: Solaris combines x86 and x86_64\n+    # installations in the same tree, using an unconventional path for the\n+    # 64bit JVM.  Since we prefer 64bit, search the alternate path first,\n+    # (see https://issues.apache.org/jira/browse/CASSANDRA-4638).\n+    for java in \"$JAVA_HOME\"/bin/amd64/java \"$JAVA_HOME\"/bin/java; do\n+        if [ -x \"$java\" ]; then\n+            JAVA=\"$java\"\n+            break\n+        fi\n+    done\n+else\n+    JAVA=`command -v java 2> /dev/null`\n+fi\n+\n+if [ -z $JAVA ] ; then\n+    echo Unable to find java executable. Check JAVA_HOME and PATH environment variables. 
>&2\n+    exit 1;\n+fi\n+\n+# Determine the sort of JVM we'll be running on.\n+java_ver_output=`\"${JAVA:-java}\" -version 2>&1`\n+jvmver=`echo \"$java_ver_output\" | grep '[openjdk|java] version' | awk -F'\"' 'NR==1 {print $2}' | cut -d\\- -f1`\n+JVM_VERSION=${jvmver%_*}\n+short=$(echo \"${jvmver}\" | cut -c1-2)\n+\n+JAVA_VERSION=17\n+if [ \"$short\" = \"11\" ]  ; then\n+     JAVA_VERSION=11\n+elif [ \"$JVM_VERSION\" \\< \"17\" ] ; then\n+    echo \"Cassandra requires Java 11 or Java 17.\"\n+    exit 1;\n+fi\n+\n+jvm=`echo \"$java_ver_output\" | grep -A 1 '[openjdk|java] version' | awk 'NR==2 {print $1}'`\n+case \"$jvm\" in\n+    OpenJDK)\n+        JVM_VENDOR=OpenJDK\n+        # this will be \"64-Bit\" or \"32-Bit\"\n+        JVM_ARCH=`echo \"$java_ver_output\" | awk 'NR==3 {print $2}'`\n+        ;;\n+    \"Java(TM)\")\n+        JVM_VENDOR=Oracle\n+        # this will be \"64-Bit\" or \"32-Bit\"\n+        JVM_ARCH=`echo \"$java_ver_output\" | awk 'NR==3 {print $3}'`\n+        ;;\n+    *)\n+        # Help fill in other JVM values\n+        JVM_VENDOR=other\n+        JVM_ARCH=unknown\n+        ;;\n+esac\n+\n+# Read user-defined JVM options from jvm-server.options file\n+JVM_OPTS_FILE=$CASSANDRA_CONF/jvm${jvmoptions_variant:--clients}.options\n+if [ $JAVA_VERSION -ge 17 ] ; then\n+    JVM_DEP_OPTS_FILE=$CASSANDRA_CONF/jvm17${jvmoptions_variant:--clients}.options\n+elif [ $JAVA_VERSION -ge 11 ] ; then\n+    JVM_DEP_OPTS_FILE=$CASSANDRA_CONF/jvm11${jvmoptions_variant:--clients}.options\n+fi\n+\n+for opt in `grep \"^-\" $JVM_OPTS_FILE` `grep \"^-\" $JVM_DEP_OPTS_FILE`\n+do\n+  JVM_OPTS=\"$JVM_OPTS $opt\"\n+done\n+\n+# Append additional options when using JDK17+ (CASSANDRA-19001)\n+USING_JDK=$(command -v javac || command -v \"${JAVA_HOME:-/usr}/bin/javac\")\n+if [ -n \"$USING_JDK\" ] && [ \"$JAVA_VERSION\" -ge 17 ]; then\n+  JVM_OPTS=\"$JVM_OPTS --add-exports jdk.attach/sun.tools.attach=ALL-UNNAMED\"\n+  JVM_OPTS=\"$JVM_OPTS --add-exports 
jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED\"\n+  JVM_OPTS=\"$JVM_OPTS --add-opens jdk.compiler/com.sun.tools.javac=ALL-UNNAMED\"\n+fi", "parameters": "--- File[/etc/cassandra.in.sh].orig\n+++ File[/etc/cassandra.in.sh]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0444\n+    ensure  => present\n+    owner   => cassandra\n"}, {"resource": "File[/etc/rsyslog.d/50-udp-localhost-compat.conf]", "content": "--- /etc/rsyslog.d/50-udp-localhost-compat.conf.orig\n+++ /etc/rsyslog.d/50-udp-localhost-compat.conf\n@@ -0,0 +1,37 @@\n+# Provide a UDP syslog input to accept JSON payloads (in the syslog message) and forwards them to\n+# Kakfa.\n+# To be recognized as JSON the syslog message must be prepended with \"@cee: \"\n+# see also https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmjsonparse.html\n+\n+# Kafka topic selection is based on the syslog message severity.\n+\n+module(load=\"imudp\")\n+\n+template(name=\"udp_localhost_topic\" type=\"string\" string=\"udp_localhost-%syslogseverity-text:::lowercase%\")\n+\n+# Use a separate (in memory) queue to limit message processing to this ruleset only.\n+ruleset(name=\"udp_localhost_to_kafka\" queue.type=\"LinkedList\") {\n+  action(type=\"mmjsonparse\" name=\"mmjsonparse_udp_localhost\")\n+\n+  action(type=\"omkafka\"\n+         broker=[\"kafka-logging1001.eqiad.wmnet:9093\",\"kafka-logging1002.eqiad.wmnet:9093\",\"kafka-logging1003.eqiad.wmnet:9093\",\"kafka-logging1004.eqiad.wmnet:9093\",\"kafka-logging1005.eqiad.wmnet:9093\"]\n+         topic=\"udp_localhost_topic\"\n+         dynatopic=\"on\"\n+         dynatopic.cachesize=\"1000\"\n+         partitions.auto=\"on\"\n+         template=\"syslog_cee\"\n+         queue.type=\"LinkedList\" queue.size=\"10000\" queue.filename=\"udp_localhost_compat\"\n+         queue.highWatermark=\"7000\" queue.lowWatermark=\"6000\"\n+         queue.checkpointInterval=\"5\"\n+         queue.maxDiskSpace=\"40960000\"\n+         confParam=[ 
\"security.protocol=ssl\",\n+                     \"ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt\",\n+                     \"compression.codec=snappy\",\n+                     \"socket.timeout.ms=60000\",\n+                     \"socket.keepalive.enable=true\",\n+                     \"queue.buffering.max.ms=50\",\n+                     \"batch.num.messages=1000\" ]\n+  )\n+}\n+\n+input(type=\"imudp\" port=\"10514\" address=\"localhost\" ruleset=\"udp_localhost_to_kafka\")", "parameters": "--- File[/etc/rsyslog.d/50-udp-localhost-compat.conf].orig\n+++ File[/etc/rsyslog.d/50-udp-localhost-compat.conf]\n\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n+    notify => Service[rsyslog]\n+    owner  => root\n"}, {"resource": "Interface::Alias[cassandra-a]", "parameters": "--- Interface::Alias[cassandra-a].orig\n+++ Interface::Alias[cassandra-a]\n\n+    ipv4          => 10.64.156.18\n+    is_service_ip => True\n+    interface     => ens8f0np0\n"}, {"resource": "File[/etc/cassandra-a/user_geo_analytics.cql]", "content": "--- /etc/cassandra-a/user_geo_analytics.cql.orig\n+++ /etc/cassandra-a/user_geo_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS geo_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_editors_bycountry\".data TO 'geo_analytics';", "parameters": "--- File[/etc/cassandra-a/user_geo_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_geo_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Class[Profile::Base::Certificates]", "parameters": "--- Class[Profile::Base::Certificates].orig\n+++ Class[Profile::Base::Certificates]\n\n@@\n-    include_bundle_jks => False\n+    include_bundle_jks => True\n"}, {"resource": "File[/etc/cassandra-b/user_data_gateway.cql]", "content": "--- /etc/cassandra-b/user_data_gateway.cql.orig\n+++ 
/etc/cassandra-b/user_data_gateway.cql\n@@ -0,0 +1,33 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS data_gateway\n+    WITH PASSWORD = 'qwerty' AND LOGIN = true AND SUPERUSER = false;\n+\n+-- Image Suggestions\n+GRANT SELECT ON image_suggestions.suggestions      TO data_gateway;\n+GRANT SELECT ON image_suggestions.feedback         TO data_gateway;\n+GRANT SELECT ON image_suggestions.title_cache      TO data_gateway;\n+GRANT SELECT ON image_suggestions.instanceof_cache TO data_gateway;\n+\n+-- Commons Impact Metrics\n+GRANT SELECT ON commons.category_metrics_snapshot        TO data_gateway;\n+GRANT SELECT ON commons.media_file_metrics_snapshot      TO data_gateway;\n+GRANT SELECT ON commons.pageviews_per_category_monthly   TO data_gateway;\n+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO data_gateway;\n+GRANT SELECT ON commons.edits_per_category_monthly       TO data_gateway;\n+GRANT SELECT ON commons.edits_per_user_monthly           TO data_gateway;\n+GRANT SELECT ON commons.top_pages_per_category_monthly   TO data_gateway;\n+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO data_gateway;\n+GRANT SELECT ON commons.top_viewed_categories_monthly    TO data_gateway;\n+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO data_gateway;\n+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO data_gateway;\n+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO data_gateway;\n+GRANT SELECT ON commons.top_edited_categories_monthly    TO data_gateway;\n+GRANT SELECT ON commons.top_editors_monthly              TO data_gateway;\n+\n+-- Machine learning cache\n+GRANT SELECT ON ml_cache.page_paragraph_tone_scores      TO data_gateway;\n+\n+-- New-style AQS tables\n+GRANT SELECT ON analytics.pageviews_per_editor           TO data_gateway;\n+GRANT SELECT ON analytics.pageviews_top_pages_per_editor TO data_gateway;", "parameters": "--- File[/etc/cassandra-b/user_data_gateway.cql].orig\n+++ 
File[/etc/cassandra-b/user_data_gateway.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/ssh/userkeys/deploy-service]", "content": "--- /etc/ssh/userkeys/deploy-service.orig\n+++ /etc/ssh/userkeys/deploy-service\n@@ -0,0 +1 @@\n+ssh-rsa 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", "parameters": "--- File[/etc/ssh/userkeys/deploy-service].orig\n+++ File[/etc/ssh/userkeys/deploy-service]\n\n+    group     => root\n+    mode      => 0444\n+    force     => True\n+    ensure    => file\n+    show_diff => False\n+    owner     => root\n"}, {"resource": "File[/etc/sudoers.d/scap_deploy-service]", "content": "--- /etc/sudoers.d/scap_deploy-service.orig\n+++ /etc/sudoers.d/scap_deploy-service\n@@ -0,0 +1,3 @@\n+# This file is managed by Puppet!\n+\n+deploy-service ALL=(deploy-service) NOPASSWD: ALL", "parameters": "--- File[/etc/sudoers.d/scap_deploy-service].orig\n+++ File[/etc/sudoers.d/scap_deploy-service]\n\n+    group        => root\n+    mode         => 0440\n+    ensure       => present\n+    validate_cmd => /usr/sbin/visudo -cqf %\n+    owner        => root\n"}, {"resource": "File[/etc/cassandra-a/user_image_suggestions.cql]", "content": "--- /etc/cassandra-a/user_image_suggestions.cql.orig\n+++ /etc/cassandra-a/user_image_suggestions.cql\n@@ -0,0 +1,6 @@\n+\n+CREATE ROLE IF NOT EXISTS image_suggestions\n+    WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON KEYSPACE image_suggestions TO image_suggestions;\n+GRANT MODIFY ON KEYSPACE image_suggestions TO image_suggestions;", "parameters": "--- File[/etc/cassandra-a/user_image_suggestions.cql].orig\n+++ File[/etc/cassandra-a/user_image_suggestions.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-b/jvm11-clients.options]", "parameters": "--- 
File[/etc/cassandra-b/jvm11-clients.options].orig\n+++ File[/etc/cassandra-b/jvm11-clients.options]\n\n+    group  => root\n+    force  => True\n+    ensure => link\n+    target => /etc/cassandra/jvm11-clients.options\n+    owner  => root\n"}, {"resource": "File[/etc/cassandra-a/jvm11-server.options]", "content": "--- /etc/cassandra-a/jvm11-server.options.orig\n+++ /etc/cassandra-a/jvm11-server.options\n@@ -0,0 +1,112 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to assign configuration.\n+\n+###########################################################################\n+#                         jvm11-server.options                            #\n+#                                                                         #\n+# See jvm-server.options. This file is specific for Java 11 and newer.    #\n+###########################################################################\n+\n+#################\n+#  GC SETTINGS  #\n+#################\n+\n+\n+\n+### CMS Settings\n+# -XX:+UseConcMarkSweepGC\n+# -XX:+CMSParallelRemarkEnabled\n+# -XX:SurvivorRatio=8\n+# -XX:MaxTenuringThreshold=1\n+# -XX:CMSInitiatingOccupancyFraction=75\n+# -XX:+UseCMSInitiatingOccupancyOnly\n+# -XX:CMSWaitDuration=10000\n+# -XX:+CMSParallelInitialMarkEnabled\n+# -XX:+CMSEdenChunksRecordAlways\n+## some JVMs will fill up their heap when accessed via JMX, see CASSANDRA-6541\n+# -XX:+CMSClassUnloadingEnabled\n+\n+\n+\n+### G1 Settings\n+## Use the Hotspot garbage-first collector.\n+-XX:+UseG1GC\n+#-XX:+ParallelRefProcEnabled\n+#-XX:MaxTenuringThreshold=1\n+-XX:G1HeapRegionSize=8m\n+\n+#\n+## Have the JVM do less remembered set work during STW, instead\n+## preferring concurrent GC. 
Reduces p99.9 latency.\n+-XX:G1RSetUpdatingPauseTimePercent=5\n+#\n+## Main G1GC tunable: lowering the pause target will lower throughput and vise versa.\n+## 200ms is the JVM default and lowest viable setting\n+## 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.\n+#-XX:MaxGCPauseMillis=300\n+\n+## Optional G1 Settings\n+# Save CPU time on large (>= 16GB) heaps by delaying region scanning\n+# until the heap is 70% full. The default in Hotspot 8u40 is 40%.\n+#-XX:InitiatingHeapOccupancyPercent=70\n+\n+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.\n+# Otherwise equal to the number of cores when 8 or less.\n+# Machines with > 10 cores should try setting these to <= full cores.\n+#-XX:ParallelGCThreads=16\n+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.\n+# Setting both to the same value can reduce STW durations.\n+#-XX:ConcGCThreads=16\n+\n+\n+### JPMS\n+\n+-Djdk.attach.allowAttachSelf=true\n+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED\n+--add-exports java.base/jdk.internal.ref=ALL-UNNAMED\n+--add-exports java.base/sun.nio.ch=ALL-UNNAMED\n+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED\n+--add-exports java.sql/java.sql=ALL-UNNAMED\n+\n+--add-opens java.base/java.lang.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.math=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED\n+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED\n+\n+\n+### GC logging options -- uncomment to enable\n+\n+# Java 11 (and newer) GC logging options:\n+# See description of 
https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax\n+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M\n+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-a.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+# Notes for Java 8 migration:\n+#\n+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after \"gc\"\n+# -XX:+PrintGCDateStamps                maps to decorator 'time'\n+#\n+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'\n+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'\n+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'\n+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'\n+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'\n+\n+### Netty Options\n+\n+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable\n+# creation of direct buffers using Unsafe. 
Without it, this falls back to ByteBuffer.allocateDirect which has\n+# inferior performance and risks exceeding MaxDirectMemory\n+-Dio.netty.tryReflectionSetAccessible=true\n+\n+# The newline in the end of file is intentional", "parameters": "--- File[/etc/cassandra-a/jvm11-server.options].orig\n+++ File[/etc/cassandra-a/jvm11-server.options]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Cassandra::Instance[a]", "parameters": "--- Cassandra::Instance[a].orig\n+++ Cassandra::Instance[a]\n\n+    max_heap_size                    => 16g\n+    num_tokens                       => 256\n+    legacy_ssl_storage_port_enabled  => False\n+    tls_cluster_name                 => aqs\n+    auto_apply_grants                => False\n+    cluster_name                     => Analytics Query Service Storage\n+    concurrent_counter_writes        => 32\n+    config_directory                 => /etc/cassandra-a\n+    target_version                   => 4.x\n+    endpoint_snitch                  => GossipingPropertyFileSnitch\n+    data_directories                 => ['data']\n+    row_cache_size_in_mb             => 200\n+    pid_file                         => /var/run/cassandra/cassandra-a.pid\n+    tls_use_pki_truststore           => True\n+    heap_newsize                     => 2048m\n+    memory_allocator                 => JEMallocAllocator\n+    start_native_transport           => True\n+    service_name                     => cassandra-a\n+    permissions_validity_in_ms       => 600000\n+    data_file_directories            => ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data']\n+    native_transport_port            => 9042\n+    commitlog_directory              => 
/srv/cassandra/cassandra-a/commitlog\n+    internode_encryption             => all\n+    tls_use_pki                      => True\n+    heapdump_directory               => /srv/storage-0/cassandra-a\n+    super_password                   => nosuchpass\n+    hints_directory                  => /srv/cassandra/cassandra-a/hints\n+    logstash_port                    => 11514\n+    client_encryption_enabled        => True\n+    extra_classpath                  => []\n+    trickle_fsync                    => True\n+    auto_bootstrap                   => True\n+    saved_caches_directory           => /srv/cassandra/cassandra-a/saved_caches\n+    streaming_socket_timeout_in_ms   => 0\n+    auto_snapshot                    => True\n+    local_system_data_file_directory => /srv/cassandra/cassandra-a/system\n+    nodetool_path                    => /usr/local/bin/nodetool-a\n+    client_encryption_optional       => True\n+    concurrent_reads                 => 64\n+    compaction_throughput_mb_per_sec => 256\n+    rpc_server_type                  => sync\n+    users                            => ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']\n+    instance_id                      => aqs1024-a\n+    concurrent_writes                => 64\n+    rack                             => rack2\n+    concurrent_compactors            => 12\n+    tls_use_pki_keep_old_ca          => False\n+    dc                               => eqiad\n+    tls_keystore_password            => test\n+    monitor_enabled                  => True\n+    incremental_backups              => False\n+    seeds                            => ['aqs1010-a.eqiad.wmnet', 'aqs1010-b.eqiad.wmnet', 'aqs1011-a.eqiad.wmnet', 'aqs1011-b.eqiad.wmnet', 'aqs1012-a.eqiad.wmnet', 'aqs1012-b.eqiad.wmnet', 'aqs1014-a.eqiad.wmnet', 'aqs1014-b.eqiad.wmnet', 
'aqs1015-a.eqiad.wmnet', 'aqs1015-b.eqiad.wmnet', 'aqs1016-a.eqiad.wmnet', 'aqs1016-b.eqiad.wmnet', 'aqs1017-a.eqiad.wmnet', 'aqs1017-b.eqiad.wmnet', 'aqs1018-a.eqiad.wmnet', 'aqs1018-b.eqiad.wmnet', 'aqs1019-a.eqiad.wmnet', 'aqs1019-b.eqiad.wmnet', 'aqs1020-a.eqiad.wmnet', 'aqs1020-b.eqiad.wmnet', 'aqs1021-a.eqiad.wmnet', 'aqs1021-b.eqiad.wmnet', 'aqs1022-a.eqiad.wmnet', 'aqs1022-b.eqiad.wmnet', 'aqs1023-a.eqiad.wmnet', 'aqs1023-b.eqiad.wmnet', 'aqs1024-a.eqiad.wmnet', 'aqs1024-b.eqiad.wmnet', 'aqs2001-a.codfw.wmnet', 'aqs2001-b.codfw.wmnet', 'aqs2002-a.codfw.wmnet', 'aqs2002-b.codfw.wmnet', 'aqs2003-a.codfw.wmnet', 'aqs2003-b.codfw.wmnet', 'aqs2004-a.codfw.wmnet', 'aqs2004-b.codfw.wmnet', 'aqs2005-a.codfw.wmnet', 'aqs2005-b.codfw.wmnet', 'aqs2006-a.codfw.wmnet', 'aqs2006-b.codfw.wmnet', 'aqs2007-a.codfw.wmnet', 'aqs2007-b.codfw.wmnet', 'aqs2008-a.codfw.wmnet', 'aqs2008-b.codfw.wmnet', 'aqs2009-a.codfw.wmnet', 'aqs2009-b.codfw.wmnet', 'aqs2010-a.codfw.wmnet', 'aqs2010-b.codfw.wmnet', 'aqs2011-a.codfw.wmnet', 'aqs2011-b.codfw.wmnet', 'aqs2012-a.codfw.wmnet', 'aqs2012-b.codfw.wmnet']\n+    super_username                   => cassandra\n+    snapshot_before_compaction       => False\n+    logstash_host                    => localhost\n+    start_rpc                        => False\n+    storage_port                     => 7000\n+    data_directory_base              => /srv/cassandra-a\n+    additional_jvm_opts              => []\n+    server_encryption_optional       => False\n+    internode_compression            => all\n+    trickle_fsync_interval_in_kb     => 30240\n+    rpc_port                         => 9160\n+    tls_hostname                     => aqs1024-a\n+    listen_address                   => 10.64.156.18\n+    authenticator                    => True\n+    cassandra_passwords              => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 
'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}\n+    disk_failure_policy              => stop\n+    key_cache_size_in_mb             => 400\n+    authorizor                       => True\n"}, {"resource": "Class[Cassandra::Sysctl]", "parameters": "--- Class[Cassandra::Sysctl].orig\n+++ Class[Cassandra::Sysctl]\n\n+    vm_max_map_count          => 1048575\n+    vm_dirty_background_bytes => 25165824\n"}, {"resource": "File[/etc/cassandra-b/user_media_analytics.cql]", "content": "--- /etc/cassandra-b/user_media_analytics.cql.orig\n+++ /etc/cassandra-b/user_media_analytics.cql\n@@ -0,0 +1,7 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS media_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_mediarequest_per_referer\".data TO 'media_analytics';\n+GRANT SELECT ON \"local_group_default_T_mediarequest_per_file\".data TO 'media_analytics';\n+GRANT SELECT ON \"local_group_default_T_mediarequest_top_files\".data TO 'media_analytics';", "parameters": "--- File[/etc/cassandra-b/user_media_analytics.cql].orig\n+++ File[/etc/cassandra-b/user_media_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Class[Scap::Ferm]", "parameters": "--- Class[Scap::Ferm].orig\n+++ Class[Scap::Ferm]\n\n+    ensure => present\n"}, {"resource": "Cassandra::Instance[b]", "parameters": "--- Cassandra::Instance[b].orig\n+++ Cassandra::Instance[b]\n\n+    max_heap_size                    => 16g\n+    num_tokens                       => 256\n+    
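Review bot: `client_encryption_optional => True` in Cassandra::Instance[a] weakens `client_encryption_enabled => True`: with both set, the native transport on 9042 presumably still accepts unencrypted client sessions, while internode traffic is strict (`server_encryption_optional => False`). If every account in `users` already connects over TLS, change it to `client_encryption_optional => False`; otherwise add a comment in the role's data saying which clients still need plaintext and when that ends. Cassandra::Instance[b] carries the same value. Separately, `super_username => cassandra` is the stock superuser name, and the `super_password`, `tls_keystore_password` and `cassandra_passwords` values look like compiler stand-ins; it is worth confirming that this report can never render the production values.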
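Review bot: The rendered `CREATE ROLE IF NOT EXISTS media_analytics WITH PASSWORD = '' AND LOGIN = true` defines a login role with an empty password. `media_analytics` is listed in `users` but has no key in the `cassandra_passwords` map shown for the instance (the same holds for `geo_analytics` and `page_analytics`), so the template apparently renders a missing lookup as an empty string. The manifest or template that produces this file should abort compilation when a user has no non-empty entry, for example with a `fail()` guard, instead of writing the statement. `auto_apply_grants => False` suggests the file is not executed automatically, but it would still create the role as written if someone applies it by hand.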
legacy_ssl_storage_port_enabled  => False\n+    tls_cluster_name                 => aqs\n+    auto_apply_grants                => False\n+    cluster_name                     => Analytics Query Service Storage\n+    concurrent_counter_writes        => 32\n+    config_directory                 => /etc/cassandra-b\n+    target_version                   => 4.x\n+    endpoint_snitch                  => GossipingPropertyFileSnitch\n+    data_directories                 => ['data']\n+    row_cache_size_in_mb             => 200\n+    pid_file                         => /var/run/cassandra/cassandra-b.pid\n+    tls_use_pki_truststore           => True\n+    heap_newsize                     => 2048m\n+    memory_allocator                 => JEMallocAllocator\n+    start_native_transport           => True\n+    service_name                     => cassandra-b\n+    permissions_validity_in_ms       => 600000\n+    data_file_directories            => ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data']\n+    native_transport_port            => 9042\n+    commitlog_directory              => /srv/cassandra/cassandra-b/commitlog\n+    internode_encryption             => all\n+    tls_use_pki                      => True\n+    heapdump_directory               => /srv/storage-1/cassandra-b\n+    super_password                   => nosuchpass\n+    hints_directory                  => /srv/cassandra/cassandra-b/hints\n+    logstash_port                    => 11514\n+    client_encryption_enabled        => True\n+    extra_classpath                  => []\n+    trickle_fsync                    => True\n+    auto_bootstrap                   => True\n+    saved_caches_directory           => /srv/cassandra/cassandra-b/saved_caches\n+    
streaming_socket_timeout_in_ms   => 0\n+    auto_snapshot                    => True\n+    local_system_data_file_directory => /srv/cassandra/cassandra-b/system\n+    nodetool_path                    => /usr/local/bin/nodetool-b\n+    client_encryption_optional       => True\n+    concurrent_reads                 => 64\n+    compaction_throughput_mb_per_sec => 256\n+    rpc_server_type                  => sync\n+    users                            => ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']\n+    instance_id                      => aqs1024-b\n+    concurrent_writes                => 64\n+    rack                             => rack2\n+    concurrent_compactors            => 12\n+    tls_use_pki_keep_old_ca          => False\n+    dc                               => eqiad\n+    tls_keystore_password            => test\n+    monitor_enabled                  => True\n+    incremental_backups              => False\n+    seeds                            => ['aqs1010-a.eqiad.wmnet', 'aqs1010-b.eqiad.wmnet', 'aqs1011-a.eqiad.wmnet', 'aqs1011-b.eqiad.wmnet', 'aqs1012-a.eqiad.wmnet', 'aqs1012-b.eqiad.wmnet', 'aqs1014-a.eqiad.wmnet', 'aqs1014-b.eqiad.wmnet', 'aqs1015-a.eqiad.wmnet', 'aqs1015-b.eqiad.wmnet', 'aqs1016-a.eqiad.wmnet', 'aqs1016-b.eqiad.wmnet', 'aqs1017-a.eqiad.wmnet', 'aqs1017-b.eqiad.wmnet', 'aqs1018-a.eqiad.wmnet', 'aqs1018-b.eqiad.wmnet', 'aqs1019-a.eqiad.wmnet', 'aqs1019-b.eqiad.wmnet', 'aqs1020-a.eqiad.wmnet', 'aqs1020-b.eqiad.wmnet', 'aqs1021-a.eqiad.wmnet', 'aqs1021-b.eqiad.wmnet', 'aqs1022-a.eqiad.wmnet', 'aqs1022-b.eqiad.wmnet', 'aqs1023-a.eqiad.wmnet', 'aqs1023-b.eqiad.wmnet', 'aqs1024-a.eqiad.wmnet', 'aqs1024-b.eqiad.wmnet', 'aqs2001-a.codfw.wmnet', 'aqs2001-b.codfw.wmnet', 'aqs2002-a.codfw.wmnet', 'aqs2002-b.codfw.wmnet', 'aqs2003-a.codfw.wmnet', 'aqs2003-b.codfw.wmnet', 
'aqs2004-a.codfw.wmnet', 'aqs2004-b.codfw.wmnet', 'aqs2005-a.codfw.wmnet', 'aqs2005-b.codfw.wmnet', 'aqs2006-a.codfw.wmnet', 'aqs2006-b.codfw.wmnet', 'aqs2007-a.codfw.wmnet', 'aqs2007-b.codfw.wmnet', 'aqs2008-a.codfw.wmnet', 'aqs2008-b.codfw.wmnet', 'aqs2009-a.codfw.wmnet', 'aqs2009-b.codfw.wmnet', 'aqs2010-a.codfw.wmnet', 'aqs2010-b.codfw.wmnet', 'aqs2011-a.codfw.wmnet', 'aqs2011-b.codfw.wmnet', 'aqs2012-a.codfw.wmnet', 'aqs2012-b.codfw.wmnet']\n+    super_username                   => cassandra\n+    snapshot_before_compaction       => False\n+    logstash_host                    => localhost\n+    start_rpc                        => False\n+    storage_port                     => 7000\n+    data_directory_base              => /srv/cassandra-b\n+    additional_jvm_opts              => []\n+    server_encryption_optional       => False\n+    internode_compression            => all\n+    trickle_fsync_interval_in_kb     => 30240\n+    rpc_port                         => 9160\n+    tls_hostname                     => aqs1024-b\n+    listen_address                   => 10.64.156.21\n+    authenticator                    => True\n+    cassandra_passwords              => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}\n+    disk_failure_policy              => stop\n+    key_cache_size_in_mb             => 400\n+    authorizor                       => True\n"}, {"resource": "File[/etc/cassandra-a/cassandra-env.sh]", "content": "--- 
/etc/cassandra-a/cassandra-env.sh.orig\n+++ /etc/cassandra-a/cassandra-env.sh\n@@ -0,0 +1,316 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and is templatized\n+#        here in order to set various options from puppet.\n+\n+# Licensed to the Apache Software Foundation (ASF) under one\n+# or more contributor license agreements.  See the NOTICE file\n+# distributed with this work for additional information\n+# regarding copyright ownership.  The ASF licenses this file\n+# to you under the Apache License, Version 2.0 (the\n+# \"License\"); you may not use this file except in compliance\n+# with the License.  You may obtain a copy of the License at\n+#\n+#     http://www.apache.org/licenses/LICENSE-2.0\n+#\n+# Unless required by applicable law or agreed to in writing, software\n+# distributed under the License is distributed on an \"AS IS\" BASIS,\n+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n+# See the License for the specific language governing permissions and\n+# limitations under the License.\n+\n+calculate_heap_sizes()\n+{\n+    case \"`uname`\" in\n+        Linux)\n+            system_memory_in_mb=`free -m | awk '/:/ {print $2;exit}'`\n+            system_cpu_cores=`egrep -c 'processor([[:space:]]+):.*' /proc/cpuinfo`\n+        ;;\n+        FreeBSD)\n+            system_memory_in_bytes=`sysctl hw.physmem | awk '{print $2}'`\n+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`\n+            system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`\n+        ;;\n+        SunOS)\n+            system_memory_in_mb=`prtconf | awk '/Memory size:/ {print $3}'`\n+            system_cpu_cores=`psrinfo | wc -l`\n+        ;;\n+        Darwin)\n+            system_memory_in_bytes=`sysctl hw.memsize | awk '{print $2}'`\n+            system_memory_in_mb=`expr $system_memory_in_bytes / 1024 / 1024`\n+            
system_cpu_cores=`sysctl hw.ncpu | awk '{print $2}'`\n+        ;;\n+        *)\n+            # assume reasonable defaults for e.g. a modern desktop or\n+            # cheap server\n+            system_memory_in_mb=\"2048\"\n+            system_cpu_cores=\"2\"\n+        ;;\n+    esac\n+\n+    # some systems like the raspberry pi don't report cores, use at least 1\n+    if [ \"$system_cpu_cores\" -lt \"1\" ]\n+    then\n+        system_cpu_cores=\"1\"\n+    fi\n+\n+    # set max heap size based on the following\n+    # max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))\n+    # calculate 1/2 ram and cap to 1024MB\n+    # calculate 1/4 ram and cap to 8192MB\n+    # pick the max\n+    half_system_memory_in_mb=`expr $system_memory_in_mb / 2`\n+    quarter_system_memory_in_mb=`expr $half_system_memory_in_mb / 2`\n+    if [ \"$half_system_memory_in_mb\" -gt \"1024\" ]\n+    then\n+        half_system_memory_in_mb=\"1024\"\n+    fi\n+    if [ \"$quarter_system_memory_in_mb\" -gt \"8192\" ]\n+    then\n+        quarter_system_memory_in_mb=\"8192\"\n+    fi\n+    if [ \"$half_system_memory_in_mb\" -gt \"$quarter_system_memory_in_mb\" ]\n+    then\n+        max_heap_size_in_mb=\"$half_system_memory_in_mb\"\n+    else\n+        max_heap_size_in_mb=\"$quarter_system_memory_in_mb\"\n+    fi\n+    MAX_HEAP_SIZE=\"${max_heap_size_in_mb}M\"\n+\n+    # Young gen: min(max_sensible_per_modern_cpu_core * num_cores, 1/4 * heap size)\n+    max_sensible_yg_per_core_in_mb=\"100\"\n+    max_sensible_yg_in_mb=`expr $max_sensible_yg_per_core_in_mb \"*\" $system_cpu_cores`\n+\n+    desired_yg_in_mb=`expr $max_heap_size_in_mb / 4`\n+\n+    if [ \"$desired_yg_in_mb\" -gt \"$max_sensible_yg_in_mb\" ]\n+    then\n+        HEAP_NEWSIZE=\"${max_sensible_yg_in_mb}M\"\n+    else\n+        HEAP_NEWSIZE=\"${desired_yg_in_mb}M\"\n+    fi\n+}\n+\n+# Sets the path where logback and GC logs are written.\n+if [ \"x$CASSANDRA_LOG_DIR\" = \"x\" ] ; then\n+    CASSANDRA_LOG_DIR=\"$CASSANDRA_HOME/logs\"\n+fi\n+\n+#GC 
log path has to be defined here because it needs to access CASSANDRA_HOME\n+if [ $JAVA_VERSION -ge 11 ] ; then\n+    # See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax\n+    # The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M\n+    echo \"$JVM_OPTS\" | grep -qe \"-[X]log:gc\"\n+    if [ \"$?\" = \"1\" ] ; then # [X] to prevent ccm from replacing this line\n+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file\n+        mkdir -p ${CASSANDRA_LOG_DIR}\n+        JVM_OPTS=\"$JVM_OPTS -Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=${CASSANDRA_LOG_DIR}/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\"\n+    fi\n+else\n+    # Java 8\n+    echo \"$JVM_OPTS\" | grep -qe \"-[X]loggc\"\n+    if [ \"$?\" = \"1\" ] ; then # [X] to prevent ccm from replacing this line\n+        # only add -Xlog:gc if it's not mentioned in jvm-server.options file\n+        mkdir -p ${CASSANDRA_LOG_DIR}\n+        JVM_OPTS=\"$JVM_OPTS -Xloggc:${CASSANDRA_LOG_DIR}/gc.log\"\n+    fi\n+fi\n+\n+# Check what parameters were defined on jvm-server.options file to avoid conflicts\n+echo $JVM_OPTS | grep -q Xmn\n+DEFINED_XMN=$?\n+echo $JVM_OPTS | grep -q Xmx\n+DEFINED_XMX=$?\n+echo $JVM_OPTS | grep -q Xms\n+DEFINED_XMS=$?\n+echo $JVM_OPTS | grep -q UseConcMarkSweepGC\n+USING_CMS=$?\n+echo $JVM_OPTS | grep -q +UseG1GC\n+USING_G1=$?\n+\n+# Override these to set the amount of memory to allocate to the JVM at\n+# start-up. For production use you may wish to adjust this for your\n+# environment. MAX_HEAP_SIZE is the total amount of memory dedicated\n+# to the Java heap. HEAP_NEWSIZE refers to the size of the young\n+# generation. 
Both MAX_HEAP_SIZE and HEAP_NEWSIZE should be either set\n+# or not (if you set one, set the other).\n+#\n+# The main trade-off for the young generation is that the larger it\n+# is, the longer GC pause times will be. The shorter it is, the more\n+# expensive GC will be (usually).\n+#\n+# The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause\n+# times. If in doubt, and if you do not particularly want to tweak, go with\n+# 100 MB per physical CPU core.\n+\n+#MAX_HEAP_SIZE=\"4G\"\n+#HEAP_NEWSIZE=\"800M\"\n+\n+# Set this to control the amount of arenas per-thread in glibc\n+#export MALLOC_ARENA_MAX=4\n+\n+# only calculate the size if it's not set manually\n+if [ \"x$MAX_HEAP_SIZE\" = \"x\" ] && [ \"x$HEAP_NEWSIZE\" = \"x\" -o $USING_G1 -eq 0 ]; then\n+    calculate_heap_sizes\n+elif [ \"x$MAX_HEAP_SIZE\" = \"x\" ] ||  [ \"x$HEAP_NEWSIZE\" = \"x\" -a $USING_G1 -ne 0 ]; then\n+    echo \"please set or unset MAX_HEAP_SIZE and HEAP_NEWSIZE in pairs when using CMS GC (see cassandra-env.sh)\"\n+    exit 1\n+fi\n+\n+if [ \"x$MALLOC_ARENA_MAX\" = \"x\" ] ; then\n+    export MALLOC_ARENA_MAX=4\n+fi\n+\n+# We only set -Xms and -Xmx if they were not defined on jvm-server.options file\n+# If defined, both Xmx and Xms should be defined together.\n+if [ $DEFINED_XMX -ne 0 ] && [ $DEFINED_XMS -ne 0 ]; then\n+     JVM_OPTS=\"$JVM_OPTS -Xms${MAX_HEAP_SIZE}\"\n+     JVM_OPTS=\"$JVM_OPTS -Xmx${MAX_HEAP_SIZE}\"\n+elif [ $DEFINED_XMX -ne 0 ] || [ $DEFINED_XMS -ne 0 ]; then\n+     echo \"Please set or unset -Xmx and -Xms flags in pairs on jvm-server.options file.\"\n+     exit 1\n+fi\n+\n+# We only set -Xmn flag if it was not defined in jvm-server.options file\n+# and if the CMS GC is being used\n+# If defined, both Xmn and Xmx should be defined together.\n+if [ $DEFINED_XMN -eq 0 ] && [ $DEFINED_XMX -ne 0 ]; then\n+    echo \"Please set or unset -Xmx and -Xmn flags in pairs on jvm-server.options file.\"\n+    exit 1\n+elif [ $DEFINED_XMN -ne 0 ] && [ $USING_CMS -eq 0 
]; then\n+    JVM_OPTS=\"$JVM_OPTS -Xmn${HEAP_NEWSIZE}\"\n+fi\n+\n+# We fail to start if -Xmn is used with G1 GC is being used\n+# See comments for -Xmn in jvm-server.options\n+if [ $DEFINED_XMN -eq 0 ] && [ $USING_G1 -eq 0 ]; then\n+    echo \"It is not recommended to set -Xmn with the G1 garbage collector. See comments for -Xmn in jvm-server.options for details.\"\n+    exit 1\n+fi\n+\n+if [ \"$JVM_ARCH\" = \"64-Bit\" ] && [ $USING_CMS -eq 0 ]; then\n+    JVM_OPTS=\"$JVM_OPTS -XX:+UseCondCardMark\"\n+fi\n+\n+# provides hints to the JIT compiler\n+JVM_OPTS=\"$JVM_OPTS -XX:CompileCommandFile=$CASSANDRA_CONF/hotspot_compiler\"\n+\n+# add the jamm javaagent\n+JVM_OPTS=\"$JVM_OPTS -javaagent:$CASSANDRA_HOME/lib/jamm-0.3.2.jar\"\n+\n+CASSANDRA_HEAPDUMP_DIR=/srv/storage-0/cassandra-a\n+# set jvm HeapDumpPath with CASSANDRA_HEAPDUMP_DIR\n+if [ \"x$CASSANDRA_HEAPDUMP_DIR\" != \"x\" ]; then\n+    JVM_OPTS=\"$JVM_OPTS -XX:HeapDumpPath=$CASSANDRA_HEAPDUMP_DIR/cassandra-`date +%s`-pid$$.hprof\"\n+    JVM_OPTS=\"$JVM_OPTS -XX:ErrorFile=$CASSANDRA_HEAPDUMP_DIR/hs_err_pid%p.log\"\n+fi\n+\n+# stop the jvm on OutOfMemoryError as it can result in some data corruption\n+# uncomment the preferred option\n+# ExitOnOutOfMemoryError and CrashOnOutOfMemoryError require a JRE greater or equals to 1.7 update 101 or 1.8 update 92\n+# For OnOutOfMemoryError we cannot use the JVM_OPTS variables because bash commands split words\n+# on white spaces without taking quotes into account\n+# JVM_OPTS=\"$JVM_OPTS -XX:+ExitOnOutOfMemoryError\"\n+# JVM_OPTS=\"$JVM_OPTS -XX:+CrashOnOutOfMemoryError\"\n+JVM_ON_OUT_OF_MEMORY_ERROR_OPT=\"-XX:OnOutOfMemoryError=kill -9 %p\"\n+\n+# print an heap histogram on OutOfMemoryError\n+# JVM_OPTS=\"$JVM_OPTS -Dcassandra.printHeapHistogramOnOutOfMemoryError=true\"\n+\n+# jmx: metrics and administration interface\n+#\n+# add this if you're having trouble connecting:\n+# JVM_OPTS=\"$JVM_OPTS -Djava.rmi.server.hostname=<public name>\"\n+#\n+# see\n+# 
https://blogs.oracle.com/jmxetc/entry/troubleshooting_connection_problems_in_jconsole\n+# for more on configuring JMX through firewalls, etc. (Short version:\n+# get it working with no firewall first.)\n+#\n+# Cassandra ships with JMX accessible *only* from localhost.  \n+# To enable remote JMX connections, uncomment lines below\n+# with authentication and/or ssl enabled. See https://wiki.apache.org/cassandra/JmxSecurity \n+#\n+if [ \"x$LOCAL_JMX\" = \"x\" ]; then\n+    LOCAL_JMX=yes\n+fi\n+\n+# Specifies the default port over which Cassandra will be available for\n+# JMX connections.\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+JMX_PORT=\"7189\"\n+\n+if [ \"$LOCAL_JMX\" = \"yes\" ]; then\n+  JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.local.port=$JMX_PORT\"\n+  JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false\"\n+else\n+  JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.remote.port=$JMX_PORT\"\n+  # if ssl is enabled the same port cannot be used for both jmx and rmi so either\n+  # pick another value for this property or comment out to use a random port (though see CASSANDRA-7087 for origins)\n+  JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT\"\n+\n+  # turn on JMX authentication. 
See below for further options\n+  JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true\"\n+\n+  # jmx ssl options\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true\"\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true\"\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>\"\n+  #JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore\"\n+  #JVM_OPTS=\"$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>\"\n+fi\n+\n+# jmx authentication and authorization options. By default, auth is only\n+# activated for remote connections but they can also be enabled for local only JMX\n+## Basic file based authn & authz\n+JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password\"\n+#JVM_OPTS=\"$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access\"\n+## Custom auth settings which can be used as alternatives to JMX's out of the box auth utilities.\n+## JAAS login modules can be used for authentication by uncommenting these two properties.\n+## Cassandra ships with a LoginModule implementation - org.apache.cassandra.auth.CassandraLoginModule -\n+## which delegates to the IAuthenticator configured in cassandra.yaml. See the sample JAAS configuration\n+## file cassandra-jaas.config\n+#JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.remote.login.config=CassandraLogin\"\n+#JVM_OPTS=\"$JVM_OPTS -Djava.security.auth.login.config=$CASSANDRA_CONF/cassandra-jaas.config\"\n+\n+## Cassandra also ships with a helper for delegating JMX authz calls to the configured IAuthorizer,\n+## uncomment this to use it. 
Requires one of the two authentication options to be enabled\n+#JVM_OPTS=\"$JVM_OPTS -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy\"\n+\n+# To use mx4j, an HTML interface for JMX, add mx4j-tools.jar to the lib/\n+# directory.\n+# See http://cassandra.apache.org/doc/latest/operating/metrics.html#jmx\n+# By default mx4j listens on the broadcast_address, port 8081. Uncomment the following lines\n+# to control its listen address and port.\n+#MX4J_ADDRESS=\"127.0.0.1\"\n+#MX4J_PORT=\"8081\"\n+\n+# Cassandra uses SIGAR to capture OS metrics CASSANDRA-7838\n+# for SIGAR we have to set the java.library.path\n+# to the location of the native libraries.\n+JVM_OPTS=\"$JVM_OPTS -Djava.library.path=$CASSANDRA_HOME/lib/sigar-bin\"\n+\n+if [ \"x$MX4J_ADDRESS\" != \"x\" ]; then\n+    if [ \"$(echo \"$MX4J_ADDRESS\" | grep -c \"\\-Dmx4jaddress\")\" = \"1\" ]; then\n+        # Backward compatible with the older style #13578\n+        JVM_OPTS=\"$JVM_OPTS $MX4J_ADDRESS\"\n+    else\n+        JVM_OPTS=\"$JVM_OPTS -Dmx4jaddress=$MX4J_ADDRESS\"\n+    fi\n+fi\n+if [ \"x$MX4J_PORT\" != \"x\" ]; then\n+    if [ \"$(echo \"$MX4J_PORT\" | grep -c \"\\-Dmx4jport\")\" = \"1\" ]; then\n+        # Backward compatible with the older style #13578\n+        JVM_OPTS=\"$JVM_OPTS $MX4J_PORT\"\n+    else\n+        JVM_OPTS=\"$JVM_OPTS -Dmx4jport=$MX4J_PORT\"\n+    fi\n+fi\n+\n+JVM_OPTS=\"$JVM_OPTS $JVM_EXTRA_OPTS\"\n+\n+\n+JVM_OPTS=\"$JVM_OPTS -javaagent:/usr/share/java/prometheus/jmx_prometheus_javaagent.jar=10.64.156.18:7800:/etc/cassandra-a/prometheus_jmx_exporter.yaml\"", "parameters": "--- File[/etc/cassandra-a/cassandra-env.sh].orig\n+++ File[/etc/cassandra-a/cassandra-env.sh]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": 
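Review bot: The JMX password file is set unconditionally to the shared path `/etc/cassandra/jmxremote.password`, although this is the environment file for instance a, whose configuration lives under `/etc/cassandra-a`. With the default `LOCAL_JMX=yes` the branch above sets `authenticate=false` and the file is unused, but as soon as `LOCAL_JMX` is overridden, authentication depends on a file that may not exist for this instance or is shared with instance b. Point it at the instance directory, e.g. `JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=$CASSANDRA_CONF/jmxremote.password"` (assuming `CASSANDRA_CONF` resolves to `/etc/cassandra-a` as it does for `hotspot_compiler`), and keep that file readable by the cassandra user only. The last line also binds the Prometheus JMX exporter to `10.64.156.18:7800`; no firewall rule for that port is visible here, so confirm it is restricted to the monitoring hosts.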
"File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]", "parameters": "--- File[/usr/share/cassandra/lib/logstash-logback-encoder.jar].orig\n+++ File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]\n\n+    group   => root\n+    require => Scap::Target[cassandra/logstash-logback-encoder]\n+    ensure  => link\n+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/logstash-logback-encoder-4.2.jar\n+    owner   => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]", "content": "--- /etc/ferm/conf.d/10_cassandra-intra-node-ssl.orig\n+++ /etc/ferm/conf.d/10_cassandra-intra-node-ssl\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 7001, @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet 
aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl].orig\n+++ File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]\n\n+    group   => root\n+    tag     => ferm\n+    require => File[/etc/ferm/conf.d]\n+    mode    => 0400\n+    ensure  => present\n+    notify  => Service[ferm]\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-b/logback.xml]", "content": "--- /etc/cassandra-b/logback.xml.orig\n+++ /etc/cassandra-b/logback.xml\n@@ -0,0 +1,152 @@\n+<!--\n+SPDX-License-Identifier: Apache-2.0\n+Note:  This file is managed by Puppet.\n+       It was taken from the Cassandra Debian package and templatized\n+       here in order to assign configuration.\n+-->\n+\n+<!--\n+ Licensed to the Apache Software Foundation (ASF) under one\n+ or more contributor license agreements.  See the NOTICE file\n+ distributed with this work for additional information\n+ regarding copyright ownership.  The ASF licenses this file\n+ to you under the Apache License, Version 2.0 (the\n+ \"License\"); you may not use this file except in compliance\n+ with the License.  You may obtain a copy of the License at\n+\n+   http://www.apache.org/licenses/LICENSE-2.0\n+\n+ Unless required by applicable law or agreed to in writing,\n+ software distributed under the License is distributed on an\n+ \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n+ KIND, either express or implied.  
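Review bot: This rule admits tcp/7001 from every cluster member, but both instances are declared with `storage_port => 7000`, `legacy_ssl_storage_port_enabled => False` and `target_version => 4.x`, so nothing should be listening on 7001 and encrypted internode traffic presumably uses the storage port. If that holds, the rule is a leftover: drop it, or generate it only when `legacy_ssl_storage_port_enabled` is true, so the firewall admits only ports that are actually served. The matching rule for 7000 is not part of this section; check that it exists and is limited to the same host list.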
See the License for the\n+ specific language governing permissions and limitations\n+ under the License.\n+-->\n+\n+<!--\n+In order to disable debug.log, comment-out the ASYNCDEBUGLOG\n+appender reference in the root level section below.\n+-->\n+\n+<configuration scan=\"true\" scanPeriod=\"60 seconds\">\n+  <jmxConfigurator />\n+\n+  <!-- No shutdown hook; we run it ourselves in StorageService after shutdown -->\n+\n+  <!-- SYSTEMLOG rolling file appender to system.log (INFO level) -->\n+\n+  <appender name=\"SYSTEMLOG\" class=\"ch.qos.logback.core.rolling.RollingFileAppender\">\n+    <filter class=\"ch.qos.logback.classic.filter.ThresholdFilter\">\n+      <level>INFO</level>\n+    </filter>\n+    <file>${cassandra.logdir}/system-b.log</file>\n+    <rollingPolicy class=\"ch.qos.logback.core.rolling.FixedWindowRollingPolicy\">\n+      <fileNamePattern>${cassandra.logdir}/system-b.log.%i.zip</fileNamePattern>\n+      <minIndex>1</minIndex>\n+      <maxIndex>40</maxIndex>\n+    </rollingPolicy>\n+\n+    <triggeringPolicy class=\"ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy\">\n+      <maxFileSize>50MB</maxFileSize>\n+    </triggeringPolicy>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>\n+    </encoder>\n+  </appender>\n+\n+  <!-- DEBUGLOG rolling file appender to debug.log (all levels) -->\n+\n+  <appender name=\"DEBUGLOG\" class=\"ch.qos.logback.core.rolling.RollingFileAppender\">\n+    <file>${cassandra.logdir}/debug-b.log</file>\n+    <rollingPolicy class=\"ch.qos.logback.core.rolling.FixedWindowRollingPolicy\">\n+      <fileNamePattern>${cassandra.logdir}/debug-b.log.%i.zip</fileNamePattern>\n+      <minIndex>1</minIndex>\n+      <maxIndex>40</maxIndex>\n+    </rollingPolicy>\n+\n+    <triggeringPolicy class=\"ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy\">\n+      <maxFileSize>50MB</maxFileSize>\n+    </triggeringPolicy>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - 
%msg%n</pattern>\n+    </encoder>\n+  </appender>\n+\n+  <appender name=\"UDP\" class=\"net.logstash.logback.appender.LogstashSocketAppender\">\n+    <host>localhost</host>\n+    <port>11514</port>\n+    <customFields>{\"program\":\"cassandra\", \"cluster\":\"Analytics Query Service Storage\", \"instance_name\":\"b\", \"HOSTNAME\": \"aqs1024.eqiad.wmnet\"}</customFields>\n+    <filter class=\"ch.qos.logback.classic.filter.ThresholdFilter\">\n+      <level>INFO</level>\n+    </filter>\n+  </appender>\n+\n+  <!-- ASYNCLOG assynchronous appender to debug.log (all levels) -->\n+\n+  <appender name=\"ASYNCDEBUGLOG\" class=\"ch.qos.logback.classic.AsyncAppender\">\n+    <queueSize>1024</queueSize>\n+    <discardingThreshold>0</discardingThreshold>\n+    <includeCallerData>true</includeCallerData>\n+    <appender-ref ref=\"DEBUGLOG\" />\n+  </appender>\n+\n+  <!-- STDOUT console appender to stdout (INFO level) -->\n+\n+  <appender name=\"STDOUT\" class=\"ch.qos.logback.core.ConsoleAppender\">\n+    <!--\n+      stdout will be captured by journald, thus show only >= WARN messages\n+      in systemctl status\n+    -->\n+    <filter class=\"ch.qos.logback.classic.filter.ThresholdFilter\">\n+      <level>WARN</level>\n+    </filter>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>\n+    </encoder>\n+  </appender>\n+\n+  <!-- Uncomment below configuration (Audit Logging (FileAuditLogger) rolling file appender and Audit Logging\n+  additivity) in order to have the log events flow through separate log file instead of system.log.\n+  Audit Logging (FileAuditLogger) rolling file appender to audit.log -->\n+  <!-- <appender name=\"AUDIT\" class=\"ch.qos.logback.core.rolling.RollingFileAppender\">\n+    <file>${cassandra.logdir}/audit/audit.log</file>\n+    <rollingPolicy class=\"ch.qos.logback.core.rolling.SizeAndTimeBasedRollingPolicy\"> -->\n+      <!-- rollover daily -->\n+      <!-- 
<fileNamePattern>${cassandra.logdir}/audit/audit.log.%d{yyyy-MM-dd}.%i.zip</fileNamePattern> -->\n+      <!-- each file should be at most 50MB, keep 30 days worth of history, but at most 5GB -->\n+      <!-- <maxFileSize>50MB</maxFileSize>\n+      <maxHistory>30</maxHistory>\n+      <totalSizeCap>5GB</totalSizeCap>\n+    </rollingPolicy>\n+    <encoder>\n+      <pattern>%-5level [%thread] %date{ISO8601} %F:%L - %msg%n</pattern>\n+    </encoder>\n+  </appender> -->\n+\n+  <!-- Audit Logging additivity to redirect audit logging events to audit/audit.log -->\n+  <!-- <logger name=\"org.apache.cassandra.audit\" additivity=\"false\" level=\"INFO\">\n+    <appender-ref ref=\"AUDIT\"/>\n+  </logger> -->\n+\n+  <!-- Uncomment bellow and corresponding appender-ref to activate logback metrics\n+  <appender name=\"LogbackMetrics\" class=\"com.codahale.metrics.logback.InstrumentedAppender\" />\n+   -->\n+\n+  <root level=\"INFO\">\n+    <appender-ref ref=\"SYSTEMLOG\" />\n+    <appender-ref ref=\"STDOUT\" />\n+    <appender-ref ref=\"UDP\" />\n+    <appender-ref ref=\"ASYNCDEBUGLOG\" /> <!-- Comment this line to disable debug.log -->\n+    <!--\n+    <appender-ref ref=\"LogbackMetrics\" />\n+    -->\n+  </root>\n+\n+  <logger name=\"org.apache.cassandra.utils.StatusLogger\" additivity=\"false\">\n+    <appender-ref ref=\"SYSTEMLOG\" />\n+    <appender-ref ref=\"STDOUT\"/>\n+  </logger>\n+\n+  <logger name=\"org.apache.cassandra\" level=\"DEBUG\"/>\n+</configuration>", "parameters": "--- File[/etc/cassandra-b/logback.xml].orig\n+++ File[/etc/cassandra-b/logback.xml]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-a/cassandra-rackdc.properties]", "content": "--- /etc/cassandra-a/cassandra-rackdc.properties.orig\n+++ /etc/cassandra-a/cassandra-rackdc.properties\n@@ -0,0 +1,6 @@\n+# Note: This file is managed by Puppet.\n+\n+# These properties are used with GossipingPropertyFileSnitch and 
will\n+# indicate the rack and dc for this node\n+dc=eqiad\n+rack=rack2", "parameters": "--- File[/etc/cassandra-a/cassandra-rackdc.properties].orig\n+++ File[/etc/cassandra-a/cassandra-rackdc.properties]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem].orig\n+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => file\n+    owner  => cassandra\n"}, {"resource": "File[/usr/local/bin/nodetool-a]", "parameters": "--- File[/usr/local/bin/nodetool-a].orig\n+++ File[/usr/local/bin/nodetool-a]\n\n+    group   => root\n+    require => File[/usr/local/bin/nodetool-instance]\n+    ensure  => link\n+    target  => /usr/local/bin/nodetool-instance\n+    owner   => root\n"}, {"resource": "Exec[install-/srv/storage-0/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-0/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-0/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-0/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-0/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "File[/lib/systemd/system/cassandra-a.service]", "content": "--- /lib/systemd/system/cassandra-a.service.orig\n+++ /lib/systemd/system/cassandra-a.service\n@@ -0,0 +1,24 @@\n+[Unit]\n+Description=distributed storage system for structured data\n+After=network.target\n+# On bootstrap / provisioning, don't attempt to start all instances,\n+# wait instead for the guard file to exist, see also 
T214166\n+ConditionPathExists=/etc/cassandra-a/service-enabled\n+\n+[Service]\n+User=cassandra\n+PIDFile=/var/run/cassandra/cassandra-a.pid\n+LimitNOFILE=100000\n+LimitMEMLOCK=infinity\n+Environment=\"CASSANDRA_INCLUDE=/etc/cassandra.in.sh\"\n+Environment=\"CASSANDRA_CONF=/etc/cassandra-a\"\n+Environment=\"CASSANDRA_INSTANCE=aqs1024-a\"\n+Environment=\"CASSANDRA_LOG_DIR=/var/log/cassandra\"\n+ExecStart=/usr/sbin/cassandra -p /var/run/cassandra/cassandra-a.pid\n+\n+# Deinit on shutdown (see: https://phabricator.wikimedia.org/T327954)\n+ExecStop=-/usr/local/bin/nodetool-a disablethrift\n+ExecStop=-/usr/local/bin/nodetool-a disablebinary\n+ExecStop=-/usr/local/bin/nodetool-a disablegossip\n+ExecStop=-/usr/local/bin/nodetool-a drain\n+ExecStop=/usr/local/bin/nodetool-a stopdaemon", "parameters": "--- File[/lib/systemd/system/cassandra-a.service].orig\n+++ File[/lib/systemd/system/cassandra-a.service]\n\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n+    notify => Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]\n+    owner  => root\n"}, {"resource": "File[/etc/cassandra-b/jvm11-server.options]", "content": "--- /etc/cassandra-b/jvm11-server.options.orig\n+++ /etc/cassandra-b/jvm11-server.options\n@@ -0,0 +1,112 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to assign configuration.\n+\n+###########################################################################\n+#                         jvm11-server.options                            #\n+#                                                                         #\n+# See jvm-server.options. This file is specific for Java 11 and newer.    
#\n+###########################################################################\n+\n+#################\n+#  GC SETTINGS  #\n+#################\n+\n+\n+\n+### CMS Settings\n+# -XX:+UseConcMarkSweepGC\n+# -XX:+CMSParallelRemarkEnabled\n+# -XX:SurvivorRatio=8\n+# -XX:MaxTenuringThreshold=1\n+# -XX:CMSInitiatingOccupancyFraction=75\n+# -XX:+UseCMSInitiatingOccupancyOnly\n+# -XX:CMSWaitDuration=10000\n+# -XX:+CMSParallelInitialMarkEnabled\n+# -XX:+CMSEdenChunksRecordAlways\n+## some JVMs will fill up their heap when accessed via JMX, see CASSANDRA-6541\n+# -XX:+CMSClassUnloadingEnabled\n+\n+\n+\n+### G1 Settings\n+## Use the Hotspot garbage-first collector.\n+-XX:+UseG1GC\n+#-XX:+ParallelRefProcEnabled\n+#-XX:MaxTenuringThreshold=1\n+-XX:G1HeapRegionSize=8m\n+\n+#\n+## Have the JVM do less remembered set work during STW, instead\n+## preferring concurrent GC. Reduces p99.9 latency.\n+-XX:G1RSetUpdatingPauseTimePercent=5\n+#\n+## Main G1GC tunable: lowering the pause target will lower throughput and vise versa.\n+## 200ms is the JVM default and lowest viable setting\n+## 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.\n+#-XX:MaxGCPauseMillis=300\n+\n+## Optional G1 Settings\n+# Save CPU time on large (>= 16GB) heaps by delaying region scanning\n+# until the heap is 70% full. 
The default in Hotspot 8u40 is 40%.\n+#-XX:InitiatingHeapOccupancyPercent=70\n+\n+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.\n+# Otherwise equal to the number of cores when 8 or less.\n+# Machines with > 10 cores should try setting these to <= full cores.\n+#-XX:ParallelGCThreads=16\n+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.\n+# Setting both to the same value can reduce STW durations.\n+#-XX:ConcGCThreads=16\n+\n+\n+### JPMS\n+\n+-Djdk.attach.allowAttachSelf=true\n+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED\n+--add-exports java.base/jdk.internal.ref=ALL-UNNAMED\n+--add-exports java.base/sun.nio.ch=ALL-UNNAMED\n+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED\n+--add-exports java.sql/java.sql=ALL-UNNAMED\n+\n+--add-opens java.base/java.lang.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.math=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED\n+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED\n+\n+\n+### GC logging options -- uncomment to enable\n+\n+# Java 11 (and newer) GC logging options:\n+# See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax\n+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 
-XX:GCLogFileSize=10M\n+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-b.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+# Notes for Java 8 migration:\n+#\n+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after \"gc\"\n+# -XX:+PrintGCDateStamps                maps to decorator 'time'\n+#\n+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'\n+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'\n+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'\n+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'\n+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'\n+\n+### Netty Options\n+\n+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable\n+# creation of direct buffers using Unsafe. 
Without it, this falls back to ByteBuffer.allocateDirect which has\n+# inferior performance and risks exceeding MaxDirectMemory\n+-Dio.netty.tryReflectionSetAccessible=true\n+\n+# The newline in the end of file is intentional", "parameters": "--- File[/etc/cassandra-b/jvm11-server.options].orig\n+++ File[/etc/cassandra-b/jvm11-server.options]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "parameters": "--- Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia].orig\n+++ Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]\n\n+    command     => /usr/bin/apt-get update \n+    refreshonly => True\n"}, {"resource": "Class[Cassandra]", "parameters": "--- Class[Cassandra].orig\n+++ Class[Cassandra]\n\n+    additional_jvm_opts     => []\n+    java_package            => openjdk-11-jdk\n+    native_transport_port   => 9042\n+    tls_cluster_name        => aqs\n+    auto_apply_grants       => False\n+    default_instance_params => {'max_heap_size': '16g', 'heap_newsize': '2048m', 'compaction_throughput_mb_per_sec': 256, 'concurrent_compactors': 12, 'concurrent_writes': 64, 'concurrent_reads': 64, 'permissions_validity_in_ms': 600000, 'internode_encryption': 'all', 'client_encryption_enabled': True, 'client_encryption_optional': True}\n+    users                   => ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']\n+    tls_use_pki             => True\n+    jbod_devices            => []\n+    rack                    => rack2\n+    super_password          => nosuchpass\n+    cluster_name            => Analytics Query Service Storage\n+    instances               => {'a': 
{'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}\n+    listen_address          => 10.64.156.17\n+    tls_use_pki_keep_old_ca => False\n+    dc                      => eqiad\n+    logstash_port           => 11514\n+    tls_keystore_password   => test\n+    extra_classpath         => []\n+    target_version          => 4.x\n+    seeds                   => ['aqs1010-a.eqiad.wmnet', 'aqs1010-b.eqiad.wmnet', 'aqs1011-a.eqiad.wmnet', 'aqs1011-b.eqiad.wmnet', 'aqs1012-a.eqiad.wmnet', 'aqs1012-b.eqiad.wmnet', 'aqs1014-a.eqiad.wmnet', 'aqs1014-b.eqiad.wmnet', 'aqs1015-a.eqiad.wmnet', 'aqs1015-b.eqiad.wmnet', 'aqs1016-a.eqiad.wmnet', 'aqs1016-b.eqiad.wmnet', 'aqs1017-a.eqiad.wmnet', 'aqs1017-b.eqiad.wmnet', 'aqs1018-a.eqiad.wmnet', 
'aqs1018-b.eqiad.wmnet', 'aqs1019-a.eqiad.wmnet', 'aqs1019-b.eqiad.wmnet', 'aqs1020-a.eqiad.wmnet', 'aqs1020-b.eqiad.wmnet', 'aqs1021-a.eqiad.wmnet', 'aqs1021-b.eqiad.wmnet', 'aqs1022-a.eqiad.wmnet', 'aqs1022-b.eqiad.wmnet', 'aqs1023-a.eqiad.wmnet', 'aqs1023-b.eqiad.wmnet', 'aqs1024-a.eqiad.wmnet', 'aqs1024-b.eqiad.wmnet', 'aqs2001-a.codfw.wmnet', 'aqs2001-b.codfw.wmnet', 'aqs2002-a.codfw.wmnet', 'aqs2002-b.codfw.wmnet', 'aqs2003-a.codfw.wmnet', 'aqs2003-b.codfw.wmnet', 'aqs2004-a.codfw.wmnet', 'aqs2004-b.codfw.wmnet', 'aqs2005-a.codfw.wmnet', 'aqs2005-b.codfw.wmnet', 'aqs2006-a.codfw.wmnet', 'aqs2006-b.codfw.wmnet', 'aqs2007-a.codfw.wmnet', 'aqs2007-b.codfw.wmnet', 'aqs2008-a.codfw.wmnet', 'aqs2008-b.codfw.wmnet', 'aqs2009-a.codfw.wmnet', 'aqs2009-b.codfw.wmnet', 'aqs2010-a.codfw.wmnet', 'aqs2010-b.codfw.wmnet', 'aqs2011-a.codfw.wmnet', 'aqs2011-b.codfw.wmnet', 'aqs2012-a.codfw.wmnet', 'aqs2012-b.codfw.wmnet']\n+    cassandra_passwords     => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}\n+    super_username          => cassandra\n+    tls_use_pki_truststore  => True\n+    memory_allocator        => JEMallocAllocator\n+    logstash_host           => localhost\n+    start_rpc               => False\n"}, {"resource": "Systemd::Sysuser[scap]", "parameters": "--- Systemd::Sysuser[scap].orig\n+++ Systemd::Sysuser[scap]\n\n+    shell             => /bin/bash\n+    additional_groups => []\n+    require           => File[/var/lib/scap]\n+    allow_login       => 
False\n+    description       => used to install the scap deployment tool\n+    home_dir          => /var/lib/scap\n+    ensure            => present\n+    id                => 919:919\n+    usertype          => user\n+    username          => scap\n"}, {"resource": "Package[cassandra-tools]", "parameters": "--- Package[cassandra-tools].orig\n+++ Package[cassandra-tools]\n\n+    ensure   => 4.1.11\n+    provider => apt\n+    require  => Package[cassandra]\n"}, {"resource": "Monitoring::Service[cassandra-a-ssl]", "parameters": "--- Monitoring::Service[cassandra-a-ssl].orig\n+++ Monitoring::Service[cassandra-a-ssl]\n\n+    critical       => False\n+    notes_url      => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates\n+    check_command  => check_ssl_on_host_port!aqs1024-a!10.64.156.18!7000\n+    host           => aqs1024\n+    retry_interval => 1\n+    config_dir     => /etc/nagios\n+    description    => cassandra-a SSL 10.64.156.18:7000\n+    check_interval => 1\n+    migration_task => T407117\n+    ensure         => absent\n+    freshness      => 36000\n+    retries        => 3\n+    contact_group  => admins,team-services\n+    passive        => False\n"}, {"resource": "Motd::Message[aqs]", "parameters": "--- Motd::Message[aqs].orig\n+++ Motd::Message[aqs]\n\n+    priority => 5\n+    ensure   => present\n+    message  => aqs1024 is a Analytics Query Service - Cassandra instance (aqs)\n"}, {"resource": "Exec[install-/srv/storage-6/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-6/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-6/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-6/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-6/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "Monitoring::Service[cassandra-b-ssl]", "parameters": "--- Monitoring::Service[cassandra-b-ssl].orig\n+++ 
Monitoring::Service[cassandra-b-ssl]\n\n+    critical       => False\n+    notes_url      => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates\n+    check_command  => check_ssl_on_host_port!aqs1024-b!10.64.156.21!7000\n+    host           => aqs1024\n+    retry_interval => 1\n+    config_dir     => /etc/nagios\n+    description    => cassandra-b SSL 10.64.156.21:7000\n+    check_interval => 1\n+    migration_task => T407117\n+    ensure         => absent\n+    freshness      => 36000\n+    retries        => 3\n+    contact_group  => admins,team-services\n+    passive        => False\n"}, {"resource": "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]", "parameters": "--- Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet].orig\n+++ Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem 2>&1)\"\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/scap.cfg]", "content": "--- /etc/scap.cfg.orig\n+++ /etc/scap.cfg\n@@ -0,0 +1,152 @@\n+#####################################################################\n+### THIS FILE IS MANAGED BY PUPPET\n+### 
modules/scap/templates/scap.cfg.erb\n+#####################################################################\n+\n+# Configuration for scap and related scripts\n+#\n+# Values are selected based on the fully qualified domain name of the local\n+# host from the most specific to the least specific. As an example, on the\n+# host deploy1003.eqiad.wmnet lookups cascade in this order:\n+#\n+#   [deploy1003.eqiad.wmnet] > [eqiad.wmnet] > [wmnet] > [global]\n+#\n+# Additional configuration can be given on the command line for most\n+# applications by specifying a separate configuration file and/or using `-D`\n+# defines. When an alternate configuration file is specified, values from this\n+# file are ignored. `-D` definitions always take precedence over\n+# other configuration.\n+\n+[global]\n+\n+# deployment git server hostname\n+git_server: deploy1003.eqiad.wmnet\n+\n+statsd_port: 8125\n+\n+# Deployment realm\n+wmf_realm: production\n+\n+# Deployment datacenter\n+datacenter: eqiad\n+\n+# Ssh agent to use to connect to cluster servers\n+ssh_auth_sock: /run/keyholder/proxy.sock\n+# User to perform ssh commands as\n+ssh_user: mwdeploy\n+\n+# PID file for Apache service\n+apache_pid_file: /var/run/apache2/apache2.pid\n+\n+# Local interface that indicates that pybal is in use\n+pybal_interface: lo:LVS\n+\n+# DSH group naming hosts to use as scap masters\n+dsh_masters: scap-masters\n+# DSH group naming hosts to use as scap proxies\n+dsh_proxies: scap-proxies\n+# DSH group naming hosts to use as scap targets\n+dsh_targets: mediawiki-installation\n+# DSH group naming hosts to use as mediawiki api canaries\n+dsh_api_canaries: mediawiki-api-canaries\n+# DSH group naming hosts to use as mediawiki app canaries\n+dsh_app_canaries: mediawiki-appserver-canaries\n+\n+logstash_host: logstash1023.eqiad.wmnet:9200\n+canary_service: mwdeploy\n+\n+use_syslog: True\n+\n+# The Gerrit user to use when pushing commits to gerrit (used by scap\n+# deploy-promote)\n+gerrit_push_user: 
trainbranchbot\n+\n+# The user to sudo as when running scap subcommands that require access to\n+# docker (e.g. scap mwscript and scap mwshell).\n+docker_user: mwbuilder\n+\n+# Settings for mediawiki container image building (T297673)\n+release_repo_dir: /srv/mwbuilder/release\n+release_repo_update_cmd: sudo -u mwbuilder /usr/local/bin/update-mediawiki-tools-release\n+release_repo_build_and_push_images_cmd: sudo -u mwbuilder /srv/mwbuilder/release/make-container-image/build-images.py\n+\n+\n+block_deployments: false\n+\n+# T359643\n+manage_mediawiki_php_symlink: False\n+\n+# T361724: Make scap require screen/tmux for certain subcommands\n+require_terminal_multiplexer: False\n+\n+[eqiad.wmnet]\n+# Wikimedia Foundation production eqiad datacenter\n+datacenter: eqiad\n+\n+[codfw.wmnet]\n+# Wikimedia Foundation production codfw datacenter\n+datacenter: codfw\n+master_rsync: deployment.codfw.wmnet\n+\n+[wmnet]\n+# Wikimedia Foundation production cluster configuration\n+master_rsync: deploy1003.eqiad.wmnet\n+statsd_host: statsd.eqiad.wmnet\n+tcpircbot_host: icinga.wikimedia.org\n+web_proxy: http://webproxy:8080\n+php_fpm_restart_script: /usr/local/sbin/restart-php-fpm-all\n+\n+canary_dashboard_url: https://logstash.wikimedia.org\n+#php7-admin-port: 9181\n+mw_web_clusters: testserver\n+# These keys contain check commands executed against the bare-metal and k8s\n+# deployments of mediawiki following the testservers-stage update. 
Each may\n+# contain multiple independent check (sub)commands separated by newlines, all\n+# of which will execute concurrently.\n+testservers_check_cmd_baremetal: httpbb /srv/deployment/httpbb-tests/appserver/* --hosts=$BAREMETAL_TESTSERVERS --retry_on_timeout\n+testservers_check_cmd_k8s: httpbb /srv/deployment/httpbb-tests/appserver/* --hosts=mwdebug.discovery.wmnet --https_port=4444 --retry_on_timeout\n+                           httpbb /srv/deployment/httpbb-tests/appserver/* --hosts=mwdebug-next.discovery.wmnet --https_port=4453 --retry_on_timeout\n+\n+beta_only_config_files: wmf-config/CirrusSearch-labs.php\n+                        wmf-config/CommonSettings-labs.php\n+                        wmf-config/InitialiseSettings-labs.php\n+                        wmf-config/LabsServices.php\n+                        wmf-config/db-labs.php\n+                        wmf-config/interwiki-labs.php\n+                        wmf-config/mc-labs.php\n+                        wmf-config/reverse-proxy-labs.php\n+                        wikiversions-labs.json\n+                        langlist-labs\n+\n+# Settings for mediawiki container image building (T297673)\n+build_mw_container_image: True\n+deploy_mw_container_image: True\n+\n+# SpiderPig settings\n+spiderpig_auth_server: https://idp.wikimedia.org\n+spiderpig_user_groups: cn=spiderpig-access,ou=groups,dc=wikimedia,dc=org\n+spiderpig_admin_groups: cn=releng,ou=groups,dc=wikimedia,dc=org\n+                        cn=ops,ou=groups,dc=wikimedia,dc=org\n+\n+[eqiad1.wikimedia.cloud]\n+# Wikimedia Foundation beta eqiad datacenter\n+datacenter: eqiad\n+git_server: deployment-deploy04.deployment-prep.eqiad1.wikimedia.cloud\n+master_rsync: deployment-deploy04.deployment-prep.eqiad1.wikimedia.cloud\n+logstash_host: logs-api.svc.logging.eqiad1.wikimedia.cloud:9200\n+udp2log_host: deployment-mwlog02.deployment-prep.eqiad1.wikimedia.cloud\n+canary_dashboard_url: https://beta-logs.wmcloud.org\n+# T99740: LCStoreStaticArray\n+php_l10n: 
true\n+wmf_realm: labs\n+delay_messageblobstore_purge: true\n+php_fpm_restart_script: /usr/local/sbin/restart-php-fpm-all\n+mw_web_clusters: appserver,api_appserver,testserver\n+require_security_patches: False\n+\n+[wikimedia.org]\n+# Wikimedia Foundation production cluster configuration for \"public\" hosts\n+# This should match the [wmnet] configuration\n+master_rsync: deploy1003.eqiad.wmnet\n+statsd_host: statsd.eqiad.wmnet\n+tcpircbot_host: icinga.wikimedia.org", "parameters": "--- File[/etc/scap.cfg].orig\n+++ File[/etc/scap.cfg]\n\n+    group => root\n+    mode  => 0444\n+    owner => root\n"}, {"resource": "Cassandra::Instance::Monitoring[a]", "parameters": "--- Cassandra::Instance::Monitoring[a].orig\n+++ Cassandra::Instance::Monitoring[a]\n\n+    tls_cluster_name => aqs\n+    tls_port         => 7000\n+    tls_use_pki      => True\n+    cql_port         => 9042\n+    monitor_enabled  => True\n+    contact_group    => admins,team-services\n+    instances        => {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 
'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-b/system]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-b/system].orig\n+++ Exec[install-/srv/cassandra/cassandra-b/system]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/system\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-b/system\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]", "parameters": "--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem].orig\n+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => file\n+    owner  => cassandra\n"}, {"resource": "Exec[install-/srv/storage-0/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-0/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-0/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-0/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-0/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "File[/etc/sysusers.d/scap.conf]", "content": "--- /etc/sysusers.d/scap.conf.orig\n+++ /etc/sysusers.d/scap.conf\n@@ -0,0 +1 @@\n+u\tscap\t919:919\t\"used to install the scap deployment tool\"\t/var/lib/scap\t/bin/bash", "parameters": "--- File[/etc/sysusers.d/scap.conf].orig\n+++ File[/etc/sysusers.d/scap.conf]\n\n+    group   => root\n+    require => File[/etc/sysusers.d]\n+    mode    => 0444\n+    ensure  => file\n+    notify  => ['Exec[Refresh sysusers]']\n+    owner   => root\n"}, 
{"resource": "File[/etc/cassandra-b/jvm-server.options]", "content": "--- /etc/cassandra-b/jvm-server.options.orig\n+++ /etc/cassandra-b/jvm-server.options\n@@ -0,0 +1,220 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to assign configuration.\n+\n+#\n+# Licensed to the Apache Software Foundation (ASF) under one\n+# or more contributor license agreements.  See the NOTICE file\n+# distributed with this work for additional information\n+# regarding copyright ownership.  The ASF licenses this file\n+# to you under the Apache License, Version 2.0 (the\n+# \"License\"); you may not use this file except in compliance\n+# with the License.  You may obtain a copy of the License at\n+#\n+#     http://www.apache.org/licenses/LICENSE-2.0\n+#\n+# Unless required by applicable law or agreed to in writing, software\n+# distributed under the License is distributed on an \"AS IS\" BASIS,\n+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n+# See the License for the specific language governing permissions and\n+# limitations under the License.\n+#\n+#\n+###########################################################################\n+#                         jvm-server.options                              #\n+#                                                                         #\n+# - all flags defined here will be used by cassandra to startup the JVM   #\n+# - one flag should be specified per line                                 #\n+# - lines that do not start with '-' will be ignored                      #\n+# - only static flags are accepted (no variables or parameters)           #\n+# - dynamic flags will be appended to these on cassandra-env              #\n+#                                                                         #\n+# See jvm8-server.options and jvm11-server.options for Java version       #\n+# 
specific options.                                                       #\n+###########################################################################\n+\n+######################\n+# STARTUP PARAMETERS #\n+######################\n+\n+# Uncomment any of the following properties to enable specific startup parameters\n+\n+# In a multi-instance deployment, multiple Cassandra instances will independently assume that all\n+# CPU processors are available to it. This setting allows you to specify a smaller set of processors\n+# and perhaps have affinity.\n+#-Dcassandra.available_processors=number_of_processors\n+\n+# The directory location of the cassandra.yaml file.\n+#-Dcassandra.config=directory\n+\n+# Sets the initial partitioner token for a node the first time the node is started.\n+#-Dcassandra.initial_token=token\n+\n+# Set to false to start Cassandra on a node but not have the node join the cluster.\n+#-Dcassandra.join_ring=true|false\n+\n+# Set to false to clear all gossip state for the node on restart. Use when you have changed node\n+# information in cassandra.yaml (such as listen_address).\n+#-Dcassandra.load_ring_state=true|false\n+\n+# Enable pluggable metrics reporter. See Pluggable metrics reporting in Cassandra 2.0.2.\n+#-Dcassandra.metricsReporterConfigFile=file\n+\n+# Set the port on which the CQL native transport listens for clients. (Default: 9042)\n+#-Dcassandra.native_transport_port=port\n+\n+# Overrides the partitioner. (Default: org.apache.cassandra.dht.Murmur3Partitioner)\n+#-Dcassandra.partitioner=partitioner\n+\n+# To replace a node that has died, restart a new node in its place specifying the address of the\n+# dead node. 
The new node must not have any data in its data directory, that is, it must be in the\n+# same state as before bootstrapping.\n+#-Dcassandra.replace_address=listen_address or broadcast_address of dead node\n+\n+# Allow restoring specific tables from an archived commit log.\n+#-Dcassandra.replayList=table\n+\n+# Allows overriding of the default RING_DELAY (30000ms), which is the amount of time a node waits\n+# before joining the ring.\n+#-Dcassandra.ring_delay_ms=ms\n+\n+# Allows overriding the timeout after which an unresponsive bootstrapping node is considered failed\n+# and is removed from gossip state and bootstrapTokens. (Default: cassandra.ring_delay * 2)\n+#-Dcassandra.failed_bootstrap_timeout_ms=ms\n+\n+# Set the SSL port for encrypted communication. (Default: 7001)\n+#-Dcassandra.ssl_storage_port=port\n+\n+# Set the port for inter-node communication. (Default: 7000)\n+#-Dcassandra.storage_port=port\n+\n+# Set the default location for the trigger JARs. (Default: conf/triggers)\n+#-Dcassandra.triggers_dir=directory\n+\n+# For testing new compaction and compression strategies. It allows you to experiment with different\n+# strategies and benchmark write performance differences without affecting the production workload. \n+#-Dcassandra.write_survey=true\n+\n+# To disable configuration via JMX of auth caches (such as those for credentials, permissions and\n+# roles). This will mean those config options can only be set (persistently) in cassandra.yaml\n+# and will require a restart for new values to take effect.\n+#-Dcassandra.disable_auth_caches_remote_configuration=true\n+\n+# To disable dynamic calculation of the page size used when indexing an entire partition (during\n+# initial index build/rebuild). 
If set to true, the page size will be fixed to the default of\n+# 10000 rows per page.\n+#-Dcassandra.force_default_indexing_page_size=true\n+\n+# Imposes an upper bound on hint lifetime below the normal min gc_grace_seconds\n+#-Dcassandra.maxHintTTL=max_hint_ttl_in_seconds\n+\n+########################\n+# GENERAL JVM SETTINGS #\n+########################\n+\n+# enable assertions. highly suggested for correct application functionality.\n+-ea\n+\n+# disable assertions for net.openhft.** because it runs out of memory by design\n+# if enabled and run for more than just brief testing\n+-da:net.openhft...\n+\n+# enable thread priorities, primarily so we can give periodic tasks\n+# a lower priority to avoid interfering with client workload\n+-XX:+UseThreadPriorities\n+\n+# Enable heap-dump if there's an OOM\n+-XX:+HeapDumpOnOutOfMemoryError\n+\n+# Per-thread stack size.\n+-Xss256k\n+\n+# Make sure all memory is faulted and zeroed on startup.\n+# This helps prevent soft faults in containers and makes\n+# transparent hugepage allocation more effective.\n+-XX:+AlwaysPreTouch\n+\n+# Disable biased locking as it does not benefit Cassandra.\n+-XX:-UseBiasedLocking\n+\n+# Enable thread-local allocation blocks and allow the JVM to automatically\n+# resize them at runtime.\n+-XX:+UseTLAB\n+-XX:+ResizeTLAB\n+-XX:+UseNUMA\n+\n+# http://www.evanjones.ca/jvm-mmap-pause.html\n+-XX:+PerfDisableSharedMem\n+\n+# Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). 
See\n+# http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:\n+# comment out this entry to enable IPv6 support).\n+-Djava.net.preferIPv4Stack=true\n+\n+### Debug options\n+\n+# uncomment to enable flight recorder\n+#-XX:+UnlockCommercialFeatures\n+#-XX:+FlightRecorder\n+\n+# uncomment to have Cassandra JVM listen for remote debuggers/profilers on port 1414\n+#-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1414\n+\n+# uncomment to have Cassandra JVM log internal method compilation (developers only)\n+#-XX:+UnlockDiagnosticVMOptions\n+#-XX:+LogCompilation\n+\n+#################\n+# HEAP SETTINGS #\n+#################\n+\n+# Heap size is automatically calculated by cassandra-env based on this\n+# formula: max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))\n+# That is:\n+# - calculate 1/2 ram and cap to 1024MB\n+# - calculate 1/4 ram and cap to 8192MB\n+# - pick the max\n+#\n+# For production use you may wish to adjust this for your environment.\n+# If that's the case, uncomment the -Xmx and Xms options below to override the\n+# automatic calculation of JVM heap memory.\n+#\n+# It is recommended to set min (-Xms) and max (-Xmx) heap sizes to\n+# the same value to avoid stop-the-world GC pauses during resize, and\n+# so that we can lock the heap in memory on startup to prevent any\n+# of it from being swapped out.\n+-Xms16g\n+-Xmx16g\n+\n+# Young generation size is automatically calculated by cassandra-env\n+# based on this formula: min(100 * num_cores, 1/4 * heap size)\n+#\n+# The main trade-off for the young generation is that the larger it\n+# is, the longer GC pause times will be. 
The shorter it is, the more\n+# expensive GC will be (usually).\n+#\n+# It is not recommended to set the young generation size if using the\n+# G1 GC, since that will override the target pause-time goal.\n+# More info: http://www.oracle.com/technetwork/articles/java/g1gc-1984535.html\n+#\n+# The example below assumes a modern 8-core+ machine for decent\n+# times. If in doubt, and if you do not particularly want to tweak, go\n+# 100 MB per physical CPU core.\n+#-Xmn800M\n+\n+###################################\n+# EXPIRATION DATE OVERFLOW POLICY #\n+###################################\n+\n+# Defines how to handle INSERT requests with TTL exceeding the maximum supported expiration date:\n+# * REJECT: this is the default policy and will reject any requests with expiration date timestamp after 2038-01-19T03:14:06+00:00.\n+# * CAP: any insert with TTL expiring after 2038-01-19T03:14:06+00:00 will expire on 2038-01-19T03:14:06+00:00 and the client will receive a warning.\n+# * CAP_NOWARN: same as previous, except that the client warning will not be emitted.\n+#\n+#-Dcassandra.expiration_date_overflow_policy=REJECT\n+\n+###################################\n+# WMF-specific customizations     #\n+###################################\n+-Dcassandra.instance-id=aqs1024-b", "parameters": "--- File[/etc/cassandra-b/jvm-server.options].orig\n+++ File[/etc/cassandra-b/jvm-server.options]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-b/hints]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-b/hints].orig\n+++ Exec[install-/srv/cassandra/cassandra-b/hints]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/hints\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-b/hints\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]", "parameters": "--- 
Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet].orig\n+++ Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]\n\n+    group           => cassandra\n+    hosts           => ['cassandra', 'aqs1024.eqiad.wmnet']\n+    notify          => Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]\n+    provide_chain   => True\n+    owner           => cassandra\n+    renew_seconds   => 952200\n+    names           => []\n+    mode            => 0400\n+    ensure          => present\n+    key             => {'algo': 'ecdsa', 'size': 256}\n+    common_name     => aqs1024-b.eqiad.wmnet\n+    before_services => []\n+    outdir          => /etc/cassandra-b/tls\n+    label           => cassandra\n+    auto_renew      => True\n+    notify_services => []\n+    environment     => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Sysctl::Conffile[cassandra]", "parameters": "--- Sysctl::Conffile[cassandra].orig\n+++ Sysctl::Conffile[cassandra]\n\n+    priority => 5\n+    ensure   => present\n"}, {"resource": "Exec[install-/srv/storage-5/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-5/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-5/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-5/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-5/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "File[/etc/cassandra-a/user_device_analytics.cql]", "content": "--- /etc/cassandra-a/user_device_analytics.cql.orig\n+++ /etc/cassandra-a/user_device_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS device_analytics WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_unique_devices\".data TO 'device_analytics';", "parameters": "--- File[/etc/cassandra-a/user_device_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_device_analytics.cql]\n\n+    require => 
Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet\n\n+    subscribe   => File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr].orig\n+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => file\n+    owner  => cassandra\n"}, {"resource": "Class[Profile::Rsyslog::Udp_json_logback_compat]", "parameters": "--- Class[Profile::Rsyslog::Udp_json_logback_compat].orig\n+++ Class[Profile::Rsyslog::Udp_json_logback_compat]\n\n+    queue_enabled_sites   => ['ulsfo', 'esams', 'eqsin', 'eqiad', 'codfw', 'drmrs', 'magru']\n+    logging_kafka_brokers => ['kafka-logging1001.eqiad.wmnet:9093', 'kafka-logging1002.eqiad.wmnet:9093', 'kafka-logging1003.eqiad.wmnet:9093', 'kafka-logging1004.eqiad.wmnet:9093', 'kafka-logging1005.eqiad.wmnet:9093']\n+    port                  => 11514\n"}, {"resource": "Class[Java]", "parameters": "--- Class[Java].orig\n+++ Class[Java]\n\n+    before        => ['Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 
'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]', 'Java::Cacert[Puppet_Internal_CA]', 'Java::Cacert[Wikimedia_Internal_Root_CA]', 'Java::Cacert[wmf:puppetca.pem]', 'Java::Cacert[wmf:Wikimedia_Internal_Root_CA]']\n+    egd_source    => /dev/random\n+    enable_dbg    => False\n+    require       => Package[wmf-certificates]\n+    hardened_tls  => False\n+    java_packages => [{'version': '11', 'variant': 'jdk'}]\n"}, {"resource": "Monitoring::Service[cassandra-b-cql]", "parameters": "--- Monitoring::Service[cassandra-b-cql].orig\n+++ Monitoring::Service[cassandra-b-cql]\n\n+    critical       => False\n+    notes_url      => https://phabricator.wikimedia.org/T93886\n+    check_command  => check_tcp_ip!10.64.156.21!9042\n+    host           => aqs1024\n+    retry_interval => 1\n+    config_dir     => /etc/nagios\n+    description    => cassandra-b CQL 10.64.156.21:9042\n+    check_interval => 1\n+    migration_task => T407117\n+    ensure         => absent\n+    freshness      => 36000\n+    retries        => 3\n+    contact_group  => admins,team-services\n+    passive        => False\n"}, {"resource": "File[/etc/cassandra-b/user_edit_analytics.cql]", "content": "--- /etc/cassandra-b/user_edit_analytics.cql.orig\n+++ /etc/cassandra-b/user_edit_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE USER IF NOT EXISTS edit_analytics WITH PASSWORD 'blahblahblahblah';\n+\n+GRANT SELECT ON aqs.config TO 'edit_analytics';", "parameters": "--- File[/etc/cassandra-b/user_edit_analytics.cql].orig\n+++ 
File[/etc/cassandra-b/user_edit_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-a/commitlog]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-a/commitlog].orig\n+++ Exec[install-/srv/cassandra/cassandra-a/commitlog]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/commitlog\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-a/commitlog\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-a-cql]\n\n+    notes_url              => https://phabricator.wikimedia.org/T93886\n+    host_name              => aqs1024\n+    active_checks_enabled  => 1\n+    check_interval         => 1\n+    check_freshness        => 0\n+    notifications_enabled  => 1\n+    ensure                 => absent\n+    notification_interval  => 0\n+    max_check_attempts     => 3\n+    contact_groups         => admins,team-services\n+    check_period           => 24x7\n+    service_description    => cassandra-a CQL 10.64.156.18:9042\n+    passive_checks_enabled => 1\n+    check_command          => check_tcp_ip!10.64.156.18!9042\n+    notification_options   => c,r,f\n+    retry_interval         => 1\n+    servicegroups          => aqs_eqiad\n+    notification_period    => 24x7\n+    is_volatile            => 0\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "Exec[bootstrap-scap-target]", "parameters": "--- Exec[bootstrap-scap-target].orig\n+++ Exec[bootstrap-scap-target]\n\n+    command => /usr/local/bin/bootstrap-scap-target.sh 
deploy1003.eqiad.wmnet /var/lib/scap\n+    user    => scap\n+    creates => /var/lib/scap/scap/bin/scap\n+    require => File[/usr/local/bin/bootstrap-scap-target.sh]\n"}, {"resource": "Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]", "parameters": "--- Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b].orig\n+++ Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]\n\n+    group       => cassandra\n+    public_key  => /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem\n+    outfile     => /etc/cassandra-b/tls/server.key\n+    ensure      => present\n+    password    => test\n+    private_key => /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem\n+    owner       => cassandra\n"}, {"resource": "Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]", "parameters": "--- Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)].orig\n+++ Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]\n\n+    command     => /bin/systemctl daemon-reload\n+    before      => ['Service[cassandra-a]']\n+    refreshonly => True\n"}, {"resource": "File[/usr/bin/scap]", "parameters": "--- File[/usr/bin/scap].orig\n+++ File[/usr/bin/scap]\n\n+    group   => root\n+    require => Exec[bootstrap-scap-target]\n+    mode    => 0755\n+    ensure  => link\n+    target  => /var/lib/scap/scap/bin/scap\n+    owner   => root\n"}, {"resource": "Exec[install-/srv/storage-1/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-1/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-1/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-1/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-1/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "File[/etc/cassandra-instances.d/aqs1024-b.yaml]", "content": "--- /etc/cassandra-instances.d/aqs1024-b.yaml.orig\n+++ /etc/cassandra-instances.d/aqs1024-b.yaml\n@@ -0,0 +1,13 @@\n+name: 
b\n+jmx_port: 7190\n+listen_address: 10.64.156.21\n+service_name: cassandra-b\n+config_directory: /etc/cassandra-b\n+data_file_directories: [/srv/storage-0/cassandra-b/data,/srv/storage-1/cassandra-b/data,/srv/storage-2/cassandra-b/data,/srv/storage-3/cassandra-b/data,/srv/storage-4/cassandra-b/data,/srv/storage-5/cassandra-b/data,/srv/storage-6/cassandra-b/data,/srv/storage-7/cassandra-b/data]\n+rpc_address: 10.64.156.21\n+native_transport_port: 9042\n+commitlog_directory: /srv/cassandra/cassandra-b/commitlog\n+hints_directory: /srv/cassandra/cassandra-b/hints\n+saved_caches_directory: /srv/cassandra/cassandra-b/saved_caches\n+heapdump_directory: /srv/storage-1/cassandra-b\n+local_system_data_file_directory: /srv/cassandra/cassandra-b/system", "parameters": "--- File[/etc/cassandra-instances.d/aqs1024-b.yaml].orig\n+++ File[/etc/cassandra-instances.d/aqs1024-b.yaml]\n\n+    group => cassandra\n+    mode  => 0444\n+    owner => cassandra\n"}, {"resource": "Ferm::Service[cassandra-analytics-cql]", "parameters": "--- Ferm::Service[cassandra-analytics-cql].orig\n+++ Ferm::Service[cassandra-analytics-cql]\n\n+    desc    => \n+    prio    => 10\n+    srange  => (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet 
aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64)\n+    port    => 9042\n+    ensure  => present\n+    notrack 
=> False\n+    proto   => tcp\n"}, {"resource": "File[/etc/ssh/userkeys/scap]", "content": "--- /etc/ssh/userkeys/scap.orig\n+++ /etc/ssh/userkeys/scap\n@@ -0,0 +1 @@\n+ssh-rsa SNAKEOIL scap", "parameters": "--- File[/etc/ssh/userkeys/scap].orig\n+++ File[/etc/ssh/userkeys/scap]\n\n+    group     => root\n+    mode      => 0444\n+    force     => True\n+    ensure    => file\n+    show_diff => False\n+    owner     => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]", "content": "--- /etc/ferm/conf.d/10_cassandra-jmx-rmi.orig\n+++ /etc/ferm/conf.d/10_cassandra-jmx-rmi\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 7199:7202, @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet 
aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_cassandra-jmx-rmi].orig\n+++ File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]\n\n+    group   => root\n+    tag     => ferm\n+    require => File[/etc/ferm/conf.d]\n+    mode    => 0400\n+    ensure  => present\n+    notify  => Service[ferm]\n+    owner   => root\n"}, {"resource": "Systemd::Service[cassandra-b]", "parameters": "--- Systemd::Service[cassandra-b].orig\n+++ Systemd::Service[cassandra-b]\n\n+    restart                  => False\n+    require                  => ['File[/etc/cassandra-b/cassandra-env.sh]', 'File[/etc/cassandra-b/cassandra.yaml]', 'File[/etc/cassandra-b/cassandra-rackdc.properties]']\n+    override                 => False\n+    monitoring_contact_group => admins\n+    service_params           => {}\n+    monitoring_enabled       => False\n+    unit_type                => service\n+    migration_task           => T407130\n+    ensure                   => present\n+    monitoring_critical      => False\n"}, {"resource": "Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]", "parameters": "--- Exec[sslcert generate cassandra_keystore_aqs1024-b.p12].orig\n+++ Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]\n\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem -inkey /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem -out /etc/cassandra-b/tls/server.key -password 'pass:test'\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem)\" ==     
\"$(/usr/bin/openssl pkcs12 -password 'pass:test' -in /etc/cassandra-b/tls/server.key -clcerts -nokeys | openssl x509)\"\n+    before  => File[/etc/cassandra-b/tls/server.key]\n+    require => Package[openssl]\n"}, {"resource": "Ferm::Service[deployment_ssh]", "parameters": "--- Ferm::Service[deployment_ssh].orig\n+++ Ferm::Service[deployment_ssh]\n\n+    desc     => \n+    prio     => 10\n+    port     => 22\n+    ensure   => present\n+    notrack  => False\n+    src_sets => ['DEPLOYMENT_HOSTS']\n+    proto    => tcp\n"}, {"resource": "Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]", "parameters": "--- Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA].orig\n+++ Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]\n\n+    command => /usr/bin/keytool -import -trustcacerts -noprompt -cacerts     -file /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt -storepass changeit -alias wmf:Wikimedia_Internal_Root_CA\n\n+    unless  => /usr/bin/keytool -list -cacerts -noprompt -storepass changeit -alias wmf:Wikimedia_Internal_Root_CA\n+    user    => root\n+    group   => root\n"}, {"resource": "File[/etc/cassandra-a/commitlog_archiving.properties]", "parameters": "--- File[/etc/cassandra-a/commitlog_archiving.properties].orig\n+++ File[/etc/cassandra-a/commitlog_archiving.properties]\n\n+    group  => cassandra\n+    ensure => present\n+    mode   => 0444\n+    source => puppet:///modules/cassandra/commitlog_archiving.properties-4.x\n+    links  => follow\n+    owner  => cassandra\n"}, {"resource": "Interface::Ip[cassandra-a ipv4]", "parameters": "--- Interface::Ip[cassandra-a ipv4].orig\n+++ Interface::Ip[cassandra-a ipv4]\n\n+    ensure    => present\n+    address   => 10.64.156.18\n+    prefixlen => 32\n+    interface => ens8f0np0\n"}, {"resource": "Package[cassandra]", "parameters": "--- Package[cassandra].orig\n+++ Package[cassandra]\n\n+    provider => apt\n+    ensure   => 4.1.11\n"}, {"resource": "Rsyslog::Conf[udp_json_logback_compat]", 
"parameters": "--- Rsyslog::Conf[udp_json_logback_compat].orig\n+++ Rsyslog::Conf[udp_json_logback_compat]\n\n+    ensure   => present\n+    priority => 50\n+    mode     => 0444\n"}, {"resource": "Java::Cacert[wmf:Wikimedia_Internal_Root_CA]", "parameters": "--- Java::Cacert[wmf:Wikimedia_Internal_Root_CA].orig\n+++ Java::Cacert[wmf:Wikimedia_Internal_Root_CA]\n\n+    path      => /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt\n+    group     => root\n+    storepass => changeit\n+    require   => Alternatives::Java[11]\n+    ensure    => present\n+    owner     => root\n"}, {"resource": "Motd::Message[insetup::data_persistence_ferm]", "parameters": "--- Motd::Message[insetup::data_persistence_ferm].orig\n+++ Motd::Message[insetup::data_persistence_ferm]\n\n-    priority => 5\n-    ensure   => present\n-    message  => aqs1024 is a Host being setup by Data Persistence SREs (insetup::data_persistence_ferm)\n"}, {"resource": "Package[python3-venv]", "parameters": "--- Package[python3-venv].orig\n+++ Package[python3-venv]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "Exec[install-/srv/storage-4/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-4/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-4/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-4/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-4/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "File[/etc/cassandra-a/user_media_analytics.cql]", "content": "--- /etc/cassandra-a/user_media_analytics.cql.orig\n+++ /etc/cassandra-a/user_media_analytics.cql\n@@ -0,0 +1,7 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS media_analytics 
WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_mediarequest_per_referer\".data TO 'media_analytics';\n+GRANT SELECT ON \"local_group_default_T_mediarequest_per_file\".data TO 'media_analytics';\n+GRANT SELECT ON \"local_group_default_T_mediarequest_top_files\".data TO 'media_analytics';", "parameters": "--- File[/etc/cassandra-a/user_media_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_media_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Package[prometheus-jmx-exporter]", "parameters": "--- Package[prometheus-jmx-exporter].orig\n+++ Package[prometheus-jmx-exporter]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "File[/etc/cassandra-b/jvm17-server.options]", "content": "--- /etc/cassandra-b/jvm17-server.options.orig\n+++ /etc/cassandra-b/jvm17-server.options\n@@ -0,0 +1,128 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to assign configuration.\n+#\n+# Licensed to the Apache Software Foundation (ASF) under one\n+# or more contributor license agreements.  See the NOTICE file\n+# distributed with this work for additional information\n+# regarding copyright ownership.  The ASF licenses this file\n+# to you under the Apache License, Version 2.0 (the\n+# \"License\"); you may not use this file except in compliance\n+# with the License.  
You may obtain a copy of the License at\n+#\n+#     http://www.apache.org/licenses/LICENSE-2.0\n+#\n+# Unless required by applicable law or agreed to in writing, software\n+# distributed under the License is distributed on an \"AS IS\" BASIS,\n+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n+# See the License for the specific language governing permissions and\n+# limitations under the License.\n+#\n+\n+###########################################################################\n+#                         jvm17-server.options                            #\n+#                                                                         #\n+# See jvm-server.options. This file is specific for Java 17 and newer.    #\n+###########################################################################\n+\n+#################\n+#  GC SETTINGS  #\n+#################\n+\n+\n+\n+### G1 Settings\n+## Use the Hotspot garbage-first collector.\n+-XX:+UseG1GC\n+-XX:+ParallelRefProcEnabled\n+-XX:MaxTenuringThreshold=2\n+-XX:G1HeapRegionSize=16m\n+\n+# Floor the young generation size to 50% of the heap size\n+-XX:+UnlockExperimentalVMOptions\n+-XX:G1NewSizePercent=50\n+\n+# Have the JVM do less remembered set work during STW, instead\n+# preferring concurrent GC. Reduces p99.9 latency.\n+-XX:G1RSetUpdatingPauseTimePercent=5\n+\n+# Main G1GC tunable: lowering the pause target will lower throughput and vise versa.\n+# 200ms is the JVM default and lowest viable setting\n+# 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.\n+-XX:MaxGCPauseMillis=300\n+\n+## Optional G1 Settings\n+# Save CPU time on large (>= 16GB) heaps by delaying region scanning\n+# until the heap is 70% full. 
The default in Hotspot 8u40 is 40%.\n+-XX:InitiatingHeapOccupancyPercent=70\n+\n+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.\n+# Otherwise equal to the number of cores when 8 or less.\n+# Machines with > 10 cores should try setting these to <= full cores.\n+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.\n+# Setting both to the same value can reduce STW durations.\n+# When leaving both unset then cassandra-env.sh will set them both to the number of your cores.\n+#-XX:ParallelGCThreads=16\n+#-XX:ConcGCThreads=16\n+\n+\n+### JPMS\n+\n+-Djdk.attach.allowAttachSelf=true\n+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED\n+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED\n+--add-exports java.management/com.sun.jmx.remote.security=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED\n+--add-exports java.sql/java.sql=ALL-UNNAMED\n+--add-exports java.base/java.lang.ref=ALL-UNNAMED\n+--add-exports jdk.unsupported/sun.misc=ALL-UNNAMED\n+\n+--add-opens java.base/java.lang.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.math=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED\n+--add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED\n+--add-opens java.base/sun.nio.ch=ALL-UNNAMED\n+--add-opens java.base/java.io=ALL-UNNAMED\n+--add-opens java.base/java.lang.reflect=ALL-UNNAMED\n+--add-opens java.base/java.lang=ALL-UNNAMED\n+--add-opens java.base/java.util=ALL-UNNAMED\n+--add-opens java.base/java.nio=ALL-UNNAMED\n+\n+### GC logging options -- uncomment to enable\n+\n+# Java 11 (and newer) GC logging options:\n+# See description of 
https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax\n+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M\n+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-b.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+# Notes for Java 8 migration:\n+#\n+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after \"gc\"\n+# -XX:+PrintGCDateStamps                maps to decorator 'time'\n+#\n+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'\n+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'\n+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'\n+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'\n+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'\n+\n+### Netty Options\n+\n+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable\n+# creation of direct buffers using Unsafe. 
Without it, this falls back to ByteBuffer.allocateDirect which has\n+# inferior performance and risks exceeding MaxDirectMemory\n+-Dio.netty.tryReflectionSetAccessible=true\n+\n+# Revert changes in defaults introduced in https://netty.io/news/2022/03/10/4-1-75-Final.html\n+-Dio.netty.allocator.useCacheForAllThreads=true\n+-Dio.netty.allocator.maxOrder=11\n+\n+# The newline in the end of file is intentional", "parameters": "--- File[/etc/cassandra-b/jvm17-server.options].orig\n+++ File[/etc/cassandra-b/jvm17-server.options]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Systemd::Unit[cassandra-a]", "parameters": "--- Systemd::Unit[cassandra-a].orig\n+++ Systemd::Unit[cassandra-a]\n\n+    override_filename => puppet-override.conf\n+    unit              => cassandra-a\n+    restart           => False\n+    require           => ['Class[Systemd]']\n+    override          => False\n+    ensure            => present\n"}, {"resource": "Ssh::Userkey[scap]", "parameters": "--- Ssh::Userkey[scap].orig\n+++ Ssh::Userkey[scap]\n\n+    user   => scap\n+    ensure => present\n"}, {"resource": "Exec[install-/srv/storage-3/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-3/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-3/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-3/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-3/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]", "parameters": "--- Exec[ip addr add 10.64.156.18/32 dev ens8f0np0].orig\n+++ Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]\n\n+    path    => /bin:/usr/bin\n+    unless  => ip address show ens8f0np0 | grep -q 10.64.156.18/32\n+    returns => [0, 2]\n"}, {"resource": "Group[deploy-service]", "parameters": "--- Group[deploy-service].orig\n+++ 
Group[deploy-service]\n\n+    before => User[deploy-service]\n+    system => True\n+    ensure => present\n"}, {"resource": "Exec[install-/srv/storage-6/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-6/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-6/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-6/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-6/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "Exec[install-/srv/storage-4/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-4/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-4/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-4/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-4/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "File[/etc/tmpfiles.d/cassandra.conf]", "parameters": "--- File[/etc/tmpfiles.d/cassandra.conf].orig\n+++ File[/etc/tmpfiles.d/cassandra.conf]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0444\n+    ensure  => present\n+    source  => puppet:///modules/cassandra/cassandra-tmpfiles.conf\n+    owner   => cassandra\n"}, {"resource": "Package[rsync]", "parameters": "--- Package[rsync].orig\n+++ Package[rsync]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "parameters": "--- Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem].orig\n+++ Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]\n\n+    command   => /bin/cat /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem > /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem\n+    unless  
  => /usr/bin/test \"$(/bin/cat /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem | sha512sum)\"\n\n+    subscribe => ['Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]', 'File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]', 'File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]']\n"}, {"resource": "Systemd::Service[cassandra-a]", "parameters": "--- Systemd::Service[cassandra-a].orig\n+++ Systemd::Service[cassandra-a]\n\n+    restart                  => False\n+    require                  => ['File[/etc/cassandra-a/cassandra-env.sh]', 'File[/etc/cassandra-a/cassandra.yaml]', 'File[/etc/cassandra-a/cassandra-rackdc.properties]']\n+    override                 => False\n+    monitoring_contact_group => admins\n+    service_params           => {}\n+    monitoring_enabled       => False\n+    unit_type                => service\n+    migration_task           => T407130\n+    ensure                   => present\n+    monitoring_critical      => False\n"}, {"resource": "File[/var/lib/deploy-service]", "parameters": "--- File[/var/lib/deploy-service].orig\n+++ File[/var/lib/deploy-service]\n\n+    group  => deploy-service\n+    mode   => 0755\n+    ensure => directory\n+    owner  => deploy-service\n"}, {"resource": "File[/etc/cassandra-b/user_device_analytics.cql]", "content": "--- /etc/cassandra-b/user_device_analytics.cql.orig\n+++ /etc/cassandra-b/user_device_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS device_analytics WITH PASSWORD = 'blahblahblahblah' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_unique_devices\".data TO 'device_analytics';", "parameters": "--- File[/etc/cassandra-b/user_device_analytics.cql].orig\n+++ 
File[/etc/cassandra-b/user_device_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]", "parameters": "--- Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet].orig\n+++ Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet\n\n+    unless      => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem 2>&1)\"\n\n+    require     => Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"data-persistence\",role=\"insetup::data_persistence_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"data-persistence\",role=\"aqs\",cluster=\"aqs\"} 1.0"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]\n\n+    notes_url              => https://phabricator.wikimedia.org/T93886\n+    host_name              => aqs1024\n+    
active_checks_enabled  => 1\n+    check_interval         => 1\n+    check_freshness        => 0\n+    notifications_enabled  => 1\n+    ensure                 => absent\n+    notification_interval  => 0\n+    max_check_attempts     => 3\n+    contact_groups         => admins,team-services\n+    check_period           => 24x7\n+    service_description    => cassandra-b CQL 10.64.156.21:9042\n+    passive_checks_enabled => 1\n+    check_command          => check_tcp_ip!10.64.156.21!9042\n+    notification_options   => c,r,f\n+    retry_interval         => 1\n+    servicegroups          => aqs_eqiad\n+    notification_period    => 24x7\n+    is_volatile            => 0\n"}, {"resource": "File[/etc/init.d/cassandra]", "parameters": "--- File[/etc/init.d/cassandra].orig\n+++ File[/etc/init.d/cassandra]\n\n+    group   => root\n+    require => Package[cassandra]\n+    mode    => 0755\n+    ensure  => present\n+    source  => puppet:///modules/cassandra/cassandra-init.d\n+    owner   => root\n"}, {"resource": "Interface::Alias[cassandra-b]", "parameters": "--- Interface::Alias[cassandra-b].orig\n+++ Interface::Alias[cassandra-b]\n\n+    ipv4          => 10.64.156.21\n+    is_service_ip => True\n+    interface     => ens8f0np0\n"}, {"resource": "File[/etc/cassandra-b/user_geo_analytics.cql]", "content": "--- /etc/cassandra-b/user_geo_analytics.cql.orig\n+++ /etc/cassandra-b/user_geo_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS geo_analytics WITH PASSWORD = '' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON \"local_group_default_T_editors_bycountry\".data TO 'geo_analytics';", "parameters": "--- File[/etc/cassandra-b/user_geo_analytics.cql].orig\n+++ File[/etc/cassandra-b/user_geo_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Alternatives::Java[11]", "parameters": "--- Alternatives::Java[11].orig\n+++ 
Alternatives::Java[11]\n\n+    require => Java::Package[openjdk-jdk-11]\n"}, {"resource": "Cassandra::Instance::Monitoring[b]", "parameters": "--- Cassandra::Instance::Monitoring[b].orig\n+++ Cassandra::Instance::Monitoring[b]\n\n+    tls_cluster_name => aqs\n+    tls_port         => 7000\n+    tls_use_pki      => True\n+    cql_port         => 9042\n+    monitor_enabled  => True\n+    contact_group    => admins,team-services\n+    instances        => {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}\n"}, {"resource": "File[/etc/cassandra-b/user_aqsloader.cql]", "content": "--- /etc/cassandra-b/user_aqsloader.cql.orig\n+++ /etc/cassandra-b/user_aqsloader.cql\n@@ -0,0 +1,27 @@\n+-- SPDX-License-Identifier: 
Apache-2.0\n+\n+CREATE USER IF NOT EXISTS aqsloader WITH PASSWORD 'yadayadayada';\n+\n+GRANT MODIFY ON KEYSPACE aqs TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_editors_bycountry\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_knowledge_gap_by_category\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_lgc_pagecounts_per_project\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_mediarequest_per_file\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_mediarequest_per_referer\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_mediarequest_top_files\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_pageviews_per_article_flat\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_pageviews_per_project_v2\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_top_bycountry\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_top_pageviews\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_top_percountry\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_unique_devices\" TO 'aqsloader';\n+\n+-- FIXME: image suggestions should *not* being using the aqsloader; This\n+-- was added as a break-fix (see: https://phabricator.wikimedia.org/T356400).\n+GRANT MODIFY ON KEYSPACE image_suggestions TO aqsloader;\n+\n+-- Commons Impact Metrics \u00e2\u0080\u0094 https://phabricator.wikimedia.org/T362697\n+GRANT MODIFY ON KEYSPACE commons TO aqsloader;\n+\n+-- New-style AQS tables\n+GRANT MODIFY ON KEYSPACE analytics TO aqsloader;", "parameters": "--- File[/etc/cassandra-b/user_aqsloader.cql].orig\n+++ File[/etc/cassandra-b/user_aqsloader.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-instances.d]", "parameters": "--- File[/etc/cassandra-instances.d].orig\n+++ 
File[/etc/cassandra-instances.d]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0755\n+    ensure  => directory\n+    owner   => cassandra\n"}, {"resource": "Motd::Script[insetup::data_persistence_ferm]", "parameters": "--- Motd::Script[insetup::data_persistence_ferm].orig\n+++ Motd::Script[insetup::data_persistence_ferm]\n\n-    priority => 5\n-    ensure   => present\n"}, {"resource": "File[/etc/cassandra-b/user_editor_analytics.cql]", "content": "--- /etc/cassandra-b/user_editor_analytics.cql.orig\n+++ /etc/cassandra-b/user_editor_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE USER IF NOT EXISTS editor_analytics WITH PASSWORD 'yadayadayada';\n+\n+GRANT SELECT ON aqs.config TO 'editor_analytics';", "parameters": "--- File[/etc/cassandra-b/user_editor_analytics.cql].orig\n+++ File[/etc/cassandra-b/user_editor_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Class[Scap]", "parameters": "--- Class[Scap].orig\n+++ Class[Scap]\n\n+    betacluster_udplog_host => deployment-mwlog02.deployment-prep.eqiad1.wikimedia.cloud\n+    is_master               => False\n+    require                 => ['Class[Git::Lfs]']\n+    wmflabs_master          => deployment-deploy04.deployment-prep.eqiad1.wikimedia.cloud\n+    deployment_server       => deploy1003.eqiad.wmnet\n+    k8s_deployments         => {}\n+    php7_admin_port         => 9181\n+    enable_bootstrapping    => True\n"}, {"resource": "Service[cassandra-a]", "parameters": "--- Service[cassandra-a].orig\n+++ Service[cassandra-a]\n\n+    enable => True\n+    ensure => running\n"}, {"resource": "Java::Cacert[Wikimedia_Internal_Root_CA]", "parameters": "--- Java::Cacert[Wikimedia_Internal_Root_CA].orig\n+++ Java::Cacert[Wikimedia_Internal_Root_CA]\n\n+    path          => /usr/share/ca-certificates/wikimedia/Wikimedia_Internal_Root_CA.crt\n+    group         => 
root\n+    storepass     => changeit\n+    keystore_path => /etc/ssl/localcerts/wmf-java-cacerts\n+    ensure        => present\n+    subscribe     => Package[wmf-certificates]\n+    owner         => root\n"}, {"resource": "Exec[update_java_alternatives_11]", "parameters": "--- Exec[update_java_alternatives_11].orig\n+++ Exec[update_java_alternatives_11]\n\n+    command => /usr/sbin/update-java-alternatives -s /usr/lib/jvm/java-1.11.0-openjdk-amd64\n+    unless  => /usr/bin/update-alternatives --query java | /bin/grep 'Value: /usr/lib/jvm/java-11-openjdk-amd64'\n"}, {"resource": "Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]", "parameters": "--- Exec[sslcert generate cassandra_keystore_aqs1024-a.p12].orig\n+++ Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]\n\n+    command => /usr/bin/openssl pkcs12 -export  -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem -inkey /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem -out /etc/cassandra-a/tls/server.key -password 'pass:test'\n+    unless  => /usr/bin/test     \"$(/usr/bin/openssl x509 -in /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem)\" ==     \"$(/usr/bin/openssl pkcs12 -password 'pass:test' -in /etc/cassandra-a/tls/server.key -clcerts -nokeys | openssl x509)\"\n+    before  => File[/etc/cassandra-a/tls/server.key]\n+    require => Package[openssl]\n"}, {"resource": "File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]", "parameters": "--- File[/etc/cassandra-b/prometheus_jmx_exporter.yaml].orig\n+++ File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0400\n+    ensure  => present\n+    source  => puppet:///modules/cassandra/prometheus_jmx_exporter-4.x.yaml\n+    links   => follow\n+    owner   => cassandra\n"}, {"resource": "File[/etc/ferm/conf.d/10_cassandra-analytics-cql]", "content": "--- /etc/ferm/conf.d/10_cassandra-analytics-cql.orig\n+++ 
/etc/ferm/conf.d/10_cassandra-analytics-cql\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 9042, (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.64.137.0/24 10.64.138.0/24 10.64.139.0/24 10.64.140.0/24 10.64.142.0/24 10.64.143.0/24 10.64.144.0/24 10.64.145.0/24 10.64.153.0/24 10.64.155.0/24 10.64.157.0/24 
10.64.159.0/24 10.64.161.0/24 10.64.163.0/24 10.64.165.0/24 10.64.167.0/24 10.64.170.0/24 10.64.172.0/24 10.64.174.0/24 10.64.176.0/24 10.64.178.0/24 10.64.180.0/24 10.64.182.0/24 10.64.184.0/24 10.64.186.0/24 10.64.188.0/24 10.64.190.0/24 10.64.21.0/24 10.64.36.0/24 10.64.5.0/24 10.64.53.0/24 2620:0:861:100::/64 2620:0:861:104::/64 2620:0:861:105::/64 2620:0:861:106::/64 2620:0:861:108::/64 2620:0:861:110::/64 2620:0:861:111::/64 2620:0:861:112::/64 2620:0:861:114::/64 2620:0:861:115::/64 2620:0:861:116::/64 2620:0:861:117::/64 2620:0:861:11a::/64 2620:0:861:121::/64 2620:0:861:123::/64 2620:0:861:125::/64 2620:0:861:127::/64 2620:0:861:129::/64 2620:0:861:12b::/64 2620:0:861:12d::/64 2620:0:861:12f::/64 2620:0:861:132::/64 2620:0:861:134::/64 2620:0:861:136::/64 2620:0:861:138::/64 2620:0:861:13a::/64 2620:0:861:13c::/64 2620:0:861:13e::/64 2620:0:861:141::/64 2620:0:861:143::/64 2620:0:861:145::/64));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_cassandra-analytics-cql].orig\n+++ File[/etc/ferm/conf.d/10_cassandra-analytics-cql]\n\n+    group   => root\n+    tag     => ferm\n+    require => File[/etc/ferm/conf.d]\n+    mode    => 0400\n+    ensure  => present\n+    notify  => Service[ferm]\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-b/jvm-clients.options]", "parameters": "--- File[/etc/cassandra-b/jvm-clients.options].orig\n+++ File[/etc/cassandra-b/jvm-clients.options]\n\n+    group  => root\n+    force  => True\n+    ensure => link\n+    target => /etc/cassandra/jvm-clients.options\n+    owner  => root\n"}, {"resource": "File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]", "parameters": "--- File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar].orig\n+++ File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]\n\n+    group   => root\n+    require => Scap::Target[cassandra/logstash-logback-encoder]\n+    ensure  => link\n+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/jackson-databind-2.4.0.jar\n+    
owner   => root\n"}, {"resource": "Exec[install-/srv/storage-7/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-7/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-7/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-7/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-7/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]", "parameters": "--- Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh].orig\n+++ Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]\n\n+    command     => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet\n\n+    subscribe   => File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]\n+    refreshonly => True\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]", "parameters": "--- Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)].orig\n+++ Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]\n\n+    command     => /bin/systemctl daemon-reload\n+    before      => ['Service[cassandra-b]']\n+    refreshonly => True\n"}, {"resource": "File[/etc/cassandra-a/user_commons_impact_analytics.cql]", "content": "--- /etc/cassandra-a/user_commons_impact_analytics.cql.orig\n+++ /etc/cassandra-a/user_commons_impact_analytics.cql\n@@ -0,0 +1,25 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+-- User/role for the Commons Impact Metrics service: https://phabricator.wikimedia.org/T361835\n+\n+-- Note: 
This is intended to be temporary; This service will eventually use the Data Gateway\n+-- (https://phabricator.wikimedia.org/T364921) instead of connecting to Cassandra directly. When\n+-- that happens these GRANTs, and the role, can be removed.\n+\n+CREATE ROLE IF NOT EXISTS commons_impact_analytics\n+    WITH PASSWORD = 'notarealpasswd' AND LOGIN = true AND SUPERUSER = false;\n+\n+GRANT SELECT ON commons.category_metrics_snapshot        TO commons_impact_analytics;\n+GRANT SELECT ON commons.media_file_metrics_snapshot      TO commons_impact_analytics;\n+GRANT SELECT ON commons.pageviews_per_category_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.pageviews_per_media_file_monthly TO commons_impact_analytics;\n+GRANT SELECT ON commons.edits_per_category_monthly       TO commons_impact_analytics;\n+GRANT SELECT ON commons.edits_per_user_monthly           TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_pages_per_category_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_wikis_per_category_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_viewed_categories_monthly    TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_pages_per_media_file_monthly TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_wikis_per_media_file_monthly TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_viewed_media_files_monthly   TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_edited_categories_monthly    TO commons_impact_analytics;\n+GRANT SELECT ON commons.top_editors_monthly              TO commons_impact_analytics;", "parameters": "--- File[/etc/cassandra-a/user_commons_impact_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_commons_impact_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]", "parameters": "--- 
File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar].orig\n+++ File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]\n\n+    group   => root\n+    require => Scap::Target[cassandra/logstash-logback-encoder]\n+    ensure  => link\n+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/jackson-core-2.4.0.jar\n+    owner   => root\n"}, {"resource": "Exec[apt_package_from_component_cassandra]", "parameters": "--- Exec[apt_package_from_component_cassandra].orig\n+++ Exec[apt_package_from_component_cassandra]\n\n+    command     => /usr/bin/apt-get update\n+    subscribe   => Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]\n+    before      => ['Package[cassandra]']\n+    refreshonly => True\n"}, {"resource": "Package[cassandra-tools-wmf]", "parameters": "--- Package[cassandra-tools-wmf].orig\n+++ Package[cassandra-tools-wmf]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]", "parameters": "--- Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl].orig\n+++ Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]\n\n+    server_name             => cassandra\n+    use_client_auth         => False\n+    ip6                     => 2620:0:861:124:10:64:156:17\n+    alert_after             => 2m\n+    site                    => eqiad\n+    certificate_expiry_days => 5\n+    ip4                     => 10.64.156.21\n+    team                    => sre\n+    prometheus_instance     => ops\n+    client_auth_key         => /etc/prometheus/ssl/server.key\n+    port                    => 7000\n+    force_tls               => True\n+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n+    instance_label          => aqs1024-b\n+    ip_families             => ['ip4']\n+    severity                => critical\n+    timeout                 => 3s\n+    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": 
"Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]", "parameters": "--- Prometheus::Blackbox::Check::Tcp[cassandra-b-cql].orig\n+++ Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]\n\n+    server_name             => cassandra\n+    use_client_auth         => False\n+    ip6                     => 2620:0:861:124:10:64:156:17\n+    alert_after             => 2m\n+    site                    => eqiad\n+    certificate_expiry_days => 5\n+    ip4                     => 10.64.156.21\n+    team                    => sre\n+    prometheus_instance     => ops\n+    client_auth_key         => /etc/prometheus/ssl/server.key\n+    port                    => 9042\n+    force_tls               => True\n+    probe_runbook           => https://wikitech.wikimedia.org/wiki/TLS/Runbook#{{ $labels.instance }}\n+    instance_label          => aqs1024-b\n+    ip_families             => ['ip4']\n+    severity                => critical\n+    timeout                 => 3s\n+    client_auth_cert        => /etc/prometheus/ssl/cert.pem\n"}, {"resource": "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]", "parameters": "--- File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr].orig\n+++ File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => file\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-a/tls]", "parameters": "--- File[/etc/cassandra-a/tls].orig\n+++ File[/etc/cassandra-a/tls]\n\n+    group   => cassandra\n+    mode    => 0400\n+    ensure  => directory\n+    recurse => True\n+    owner   => cassandra\n"}, {"resource": "File[/etc/ssl/localcerts/wmf-java-cacerts]", "parameters": "--- File[/etc/ssl/localcerts/wmf-java-cacerts].orig\n+++ File[/etc/ssl/localcerts/wmf-java-cacerts]\n\n+    group  => root\n+    ensure => file\n+    owner  => root\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-b/commitlog]", "parameters": "--- 
Exec[install-/srv/cassandra/cassandra-b/commitlog].orig\n+++ Exec[install-/srv/cassandra/cassandra-b/commitlog]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/commitlog\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-b/commitlog\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "File[/etc/cassandra-a/user_revise_tone_task_generator.cql]", "content": "--- /etc/cassandra-a/user_revise_tone_task_generator.cql.orig\n+++ /etc/cassandra-a/user_revise_tone_task_generator.cql\n@@ -0,0 +1,7 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE ROLE IF NOT EXISTS revise_tone_task_generator\n+    WITH PASSWORD = 'asdfasdfasdf' AND LOGIN = true AND SUPERUSER = false;\n+\n+-- Machine learning cache\n+GRANT MODIFY ON ml_cache.page_paragraph_tone_scores TO revise_tone_task_generator;", "parameters": "--- File[/etc/cassandra-a/user_revise_tone_task_generator.cql].orig\n+++ File[/etc/cassandra-a/user_revise_tone_task_generator.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Prometheus::Jmx_exporter_instance[aqs1024-b]", "parameters": "--- Prometheus::Jmx_exporter_instance[aqs1024-b].orig\n+++ Prometheus::Jmx_exporter_instance[aqs1024-b]\n\n+    labels   => {}\n+    port     => 7800\n+    hostname => aqs1024-b\n"}, {"resource": "File[/etc/apt/sources.list]", "parameters": "--- File[/etc/apt/sources.list].orig\n+++ File[/etc/apt/sources.list]\n\n@@\n-    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']\n+    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]', 
'Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']\n"}, {"resource": "Exec[install-/srv/storage-2/cassandra-b/data]", "parameters": "--- Exec[install-/srv/storage-2/cassandra-b/data].orig\n+++ Exec[install-/srv/storage-2/cassandra-b/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-2/cassandra-b/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-2/cassandra-b/data\n+    before  => Systemd::Service[cassandra-b]\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    cluster               => insetup\n+    cluster               => aqs\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => aqs_eqiad\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "Exec[install-/srv/storage-2/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-2/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-2/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-2/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-2/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]", "parameters": "--- File[/etc/cassandra-a/prometheus_jmx_exporter.yaml].orig\n+++ File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0400\n+    ensure  => present\n+    source  => puppet:///modules/cassandra/prometheus_jmx_exporter-4.x.yaml\n+    links   => follow\n+    owner   => cassandra\n"}, {"resource": "Motd::Script[aqs]", "parameters": "--- Motd::Script[aqs].orig\n+++ Motd::Script[aqs]\n\n+    priority => 5\n+    ensure   => present\n"}, {"resource": "File[/etc/cassandra-a/jvm17-server.options]", "content": "--- 
/etc/cassandra-a/jvm17-server.options.orig\n+++ /etc/cassandra-a/jvm17-server.options\n@@ -0,0 +1,128 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to assign configuration.\n+#\n+# Licensed to the Apache Software Foundation (ASF) under one\n+# or more contributor license agreements.  See the NOTICE file\n+# distributed with this work for additional information\n+# regarding copyright ownership.  The ASF licenses this file\n+# to you under the Apache License, Version 2.0 (the\n+# \"License\"); you may not use this file except in compliance\n+# with the License.  You may obtain a copy of the License at\n+#\n+#     http://www.apache.org/licenses/LICENSE-2.0\n+#\n+# Unless required by applicable law or agreed to in writing, software\n+# distributed under the License is distributed on an \"AS IS\" BASIS,\n+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n+# See the License for the specific language governing permissions and\n+# limitations under the License.\n+#\n+\n+###########################################################################\n+#                         jvm17-server.options                            #\n+#                                                                         #\n+# See jvm-server.options. This file is specific for Java 17 and newer.    #\n+###########################################################################\n+\n+#################\n+#  GC SETTINGS  #\n+#################\n+\n+\n+\n+### G1 Settings\n+## Use the Hotspot garbage-first collector.\n+-XX:+UseG1GC\n+-XX:+ParallelRefProcEnabled\n+-XX:MaxTenuringThreshold=2\n+-XX:G1HeapRegionSize=16m\n+\n+# Floor the young generation size to 50% of the heap size\n+-XX:+UnlockExperimentalVMOptions\n+-XX:G1NewSizePercent=50\n+\n+# Have the JVM do less remembered set work during STW, instead\n+# preferring concurrent GC. 
Reduces p99.9 latency.\n+-XX:G1RSetUpdatingPauseTimePercent=5\n+\n+# Main G1GC tunable: lowering the pause target will lower throughput and vise versa.\n+# 200ms is the JVM default and lowest viable setting\n+# 1000ms increases throughput. Keep it smaller than the timeouts in cassandra.yaml.\n+-XX:MaxGCPauseMillis=300\n+\n+## Optional G1 Settings\n+# Save CPU time on large (>= 16GB) heaps by delaying region scanning\n+# until the heap is 70% full. The default in Hotspot 8u40 is 40%.\n+-XX:InitiatingHeapOccupancyPercent=70\n+\n+# For systems with > 8 cores, the default ParallelGCThreads is 5/8 the number of logical cores.\n+# Otherwise equal to the number of cores when 8 or less.\n+# Machines with > 10 cores should try setting these to <= full cores.\n+# By default, ConcGCThreads is 1/4 of ParallelGCThreads.\n+# Setting both to the same value can reduce STW durations.\n+# When leaving both unset then cassandra-env.sh will set them both to the number of your cores.\n+#-XX:ParallelGCThreads=16\n+#-XX:ConcGCThreads=16\n+\n+\n+### JPMS\n+\n+-Djdk.attach.allowAttachSelf=true\n+--add-exports java.base/jdk.internal.misc=ALL-UNNAMED\n+--add-exports java.management.rmi/com.sun.jmx.remote.internal.rmi=ALL-UNNAMED\n+--add-exports java.management/com.sun.jmx.remote.security=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.registry=ALL-UNNAMED\n+--add-exports java.rmi/sun.rmi.server=ALL-UNNAMED\n+--add-exports java.sql/java.sql=ALL-UNNAMED\n+--add-exports java.base/java.lang.ref=ALL-UNNAMED\n+--add-exports jdk.unsupported/sun.misc=ALL-UNNAMED\n+\n+--add-opens java.base/java.lang.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.loader=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.ref=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.reflect=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.math=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.module=ALL-UNNAMED\n+--add-opens java.base/jdk.internal.util.jar=ALL-UNNAMED\n+--add-opens 
jdk.management/com.sun.management.internal=ALL-UNNAMED\n+--add-opens java.base/sun.nio.ch=ALL-UNNAMED\n+--add-opens java.base/java.io=ALL-UNNAMED\n+--add-opens java.base/java.lang.reflect=ALL-UNNAMED\n+--add-opens java.base/java.lang=ALL-UNNAMED\n+--add-opens java.base/java.util=ALL-UNNAMED\n+--add-opens java.base/java.nio=ALL-UNNAMED\n+\n+### GC logging options -- uncomment to enable\n+\n+# Java 11 (and newer) GC logging options:\n+# See description of https://bugs.openjdk.java.net/browse/JDK-8046148 for details about the syntax\n+# The following is the equivalent to -XX:+PrintGCDetails -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M\n+#-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+-Xlog:gc=info,heap*=trace,age*=debug,safepoint=info,promotion*=trace:file=/var/log/cassandra/gc-a.log:time,uptime,pid,tid,level:filecount=10,filesize=10485760\n+\n+# Notes for Java 8 migration:\n+#\n+# -XX:+PrintGCDetails                   maps to -Xlog:gc*:... - i.e. add a '*' after \"gc\"\n+# -XX:+PrintGCDateStamps                maps to decorator 'time'\n+#\n+# -XX:+PrintHeapAtGC                    maps to 'heap' with level 'trace'\n+# -XX:+PrintTenuringDistribution        maps to 'age' with level 'debug'\n+# -XX:+PrintGCApplicationStoppedTime    maps to 'safepoint' with level 'info'\n+# -XX:+PrintPromotionFailure            maps to 'promotion' with level 'trace'\n+# -XX:PrintFLSStatistics=1              maps to 'freelist' with level 'trace'\n+\n+### Netty Options\n+\n+# On Java >= 9 Netty requires the io.netty.tryReflectionSetAccessible system property to be set to true to enable\n+# creation of direct buffers using Unsafe. 
Without it, this falls back to ByteBuffer.allocateDirect which has\n+# inferior performance and risks exceeding MaxDirectMemory\n+-Dio.netty.tryReflectionSetAccessible=true\n+\n+# Revert changes in defaults introduced in https://netty.io/news/2022/03/10/4-1-75-Final.html\n+-Dio.netty.allocator.useCacheForAllThreads=true\n+-Dio.netty.allocator.maxOrder=11\n+\n+# The newline in the end of file is intentional", "parameters": "--- File[/etc/cassandra-a/jvm17-server.options].orig\n+++ File[/etc/cassandra-a/jvm17-server.options]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Service[cassandra]", "parameters": "--- Service[cassandra].orig\n+++ Service[cassandra]\n\n+    ensure => stopped\n"}, {"resource": "Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]", "parameters": "--- Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet].orig\n+++ Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]\n\n+    command     => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/aqs1024.eqiad.wmnet.pem -label cassandra  /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr | /usr/bin/cfssljson -bare /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet\n\n+    unless      => /usr/bin/openssl x509 -in /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem -checkend 952200\n+    require     => Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]\n+    environment => ['GODEBUG=x509ignoreCN=0']\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-a/saved_caches]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-a/saved_caches].orig\n+++ Exec[install-/srv/cassandra/cassandra-a/saved_caches]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/saved_caches\n+    path    => 
/usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-a/saved_caches\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]", "parameters": "--- File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar].orig\n+++ File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]\n\n+    group   => root\n+    require => Scap::Target[cassandra/logstash-logback-encoder]\n+    ensure  => link\n+    target  => /srv/deployment/cassandra/logstash-logback-encoder/lib/jackson-annotations-2.4.0.jar\n+    owner   => root\n"}, {"resource": "Java::Cacert[Puppet_Internal_CA]", "parameters": "--- Java::Cacert[Puppet_Internal_CA].orig\n+++ Java::Cacert[Puppet_Internal_CA]\n\n+    path          => /etc/ssl/certs/Puppet_Internal_CA.pem\n+    group         => root\n+    storepass     => changeit\n+    keystore_path => /etc/ssl/localcerts/wmf-java-cacerts\n+    ensure        => present\n+    subscribe     => Package[wmf-certificates]\n+    owner         => root\n"}, {"resource": "File[/etc/cassandra-a/user_edit_analytics.cql]", "content": "--- /etc/cassandra-a/user_edit_analytics.cql.orig\n+++ /etc/cassandra-a/user_edit_analytics.cql\n@@ -0,0 +1,5 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE USER IF NOT EXISTS edit_analytics WITH PASSWORD 'blahblahblahblah';\n+\n+GRANT SELECT ON aqs.config TO 'edit_analytics';", "parameters": "--- File[/etc/cassandra-a/user_edit_analytics.cql].orig\n+++ File[/etc/cassandra-a/user_edit_analytics.cql]\n\n+    require => Package[cassandra]\n+    group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-a/cassandra.yaml]", "content": "--- /etc/cassandra-a/cassandra.yaml.orig\n+++ /etc/cassandra-a/cassandra.yaml\n@@ -0,0 +1,1885 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and is templatized\n+#        here in order to set various 
options from puppet.\n+\n+# Cassandra storage config YAML\n+\n+# NOTE:\n+#   See https://cassandra.apache.org/doc/latest/configuration/ for\n+#   full explanations of configuration directives\n+# /NOTE\n+\n+# The name of the cluster. This is mainly used to prevent machines in\n+# one logical cluster from joining another.\n+cluster_name: 'Analytics Query Service Storage'\n+\n+# This defines the number of tokens randomly assigned to this node on the ring\n+# The more tokens, relative to other nodes, the larger the proportion of data\n+# that this node will store. You probably want all nodes to have the same number\n+# of tokens assuming they have equal hardware capability.\n+#\n+# If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility,\n+# and will use the initial_token as described below.\n+#\n+# Specifying initial_token will override this setting on the node's initial start,\n+# on subsequent starts, this setting will apply even if initial token is set.\n+#\n+# See https://cassandra.apache.org/doc/latest/getting_started/production.html#tokens for\n+# best practice information about num_tokens.\n+#\n+num_tokens: 256\n+\n+# Triggers automatic allocation of num_tokens tokens for this node. The allocation\n+# algorithm attempts to choose tokens in a way that optimizes replicated load over\n+# the nodes in the datacenter for the replica factor.\n+#\n+# The load assigned to each node will be close to proportional to its number of\n+# vnodes.\n+#\n+# Only supported with the Murmur3Partitioner.\n+\n+# Replica factor is determined via the replication strategy used by the specified\n+# keyspace.\n+# allocate_tokens_for_keyspace: KEYSPACE\n+\n+# Replica factor is explicitly set, regardless of keyspace or datacenter.\n+# This is the replica factor within the datacenter, like NTS.\n+allocate_tokens_for_local_replication_factor: 3\n+\n+# initial_token allows you to specify tokens manually.  
While you can use it with\n+# vnodes (num_tokens > 1, above) -- in which case you should provide a \n+# comma-separated list -- it's primarily used when adding nodes to legacy clusters \n+# that do not have vnodes enabled.\n+# initial_token:\n+\n+# May either be \"true\" or \"false\" to enable globally\n+hinted_handoff_enabled: true\n+\n+# When hinted_handoff_enabled is true, a black list of data centers that will not\n+# perform hinted handoff\n+# hinted_handoff_disabled_datacenters:\n+#    - DC1\n+#    - DC2\n+\n+# this defines the maximum amount of time a dead host will have hints\n+# generated.  After it has been dead this long, new hints for it will not be\n+# created until it has been seen alive and gone down again.\n+# Min unit: ms\n+max_hint_window: 3h\n+\n+# Maximum throttle in KiBs per second, per delivery thread.  This will be\n+# reduced proportionally to the number of nodes in the cluster.  (If there\n+# are two nodes in the cluster, each delivery thread will use the maximum\n+# rate; if there are three, each will throttle to half of the maximum,\n+# since we expect two nodes to be delivering hints simultaneously.)\n+# Min unit: KiB\n+hinted_handoff_throttle: 1024KiB\n+\n+# Number of threads with which to deliver hints;\n+# Consider increasing this number when you have multi-dc deployments, since\n+# cross-dc handoff tends to be slower\n+max_hints_delivery_threads: 4\n+\n+# Directory where Cassandra should store hints.\n+# If not set, the default directory is $CASSANDRA_HOME/data/hints.\n+hints_directory: /srv/cassandra/cassandra-a/hints\n+\n+# How often hints should be flushed from the internal buffers to disk.\n+# Will *not* trigger fsync.\n+# Min unit: ms\n+hints_flush_period: 10000ms\n+\n+# Maximum size for a single hints file, in mebibytes.\n+# Min unit: MiB\n+max_hints_file_size: 128MiB\n+\n+# The file size limit to store hints for an unreachable host, in mebibytes.\n+# Once the local hints files have reached the limit, no more new hints will be 
created.\n+# Set a non-positive value will disable the size limit.\n+# max_hints_size_per_host: 0MiB\n+\n+# Enable / disable automatic cleanup for the expired and orphaned hints file.\n+# Disable the option in order to preserve those hints on the disk.\n+auto_hints_cleanup_enabled: false\n+\n+# Enable/disable transfering hints to a peer during decommission. Even when enabled, this does not guarantee\n+# consistency for logged batches, and it may delay decommission when coupled with a strict hinted_handoff_throttle.\n+# Default: true\n+# transfer_hints_on_decommission: true\n+\n+# Compression to apply to the hint files. If omitted, hints files\n+# will be written uncompressed. LZ4, Snappy, and Deflate compressors\n+# are supported.\n+#hints_compression:\n+#   - class_name: LZ4Compressor\n+#     parameters:\n+#         -\n+\n+# Enable / disable persistent hint windows.\n+#\n+# If set to false, a hint will be stored only in case a respective node\n+# that hint is for is down less than or equal to max_hint_window.\n+#\n+# If set to true, a hint will be stored in case there is not any\n+# hint which was stored earlier than max_hint_window. This is for cases\n+# when a node keeps to restart and hints are not delivered yet, we would be saving\n+# hints for that node indefinitely.\n+#\n+# Defaults to true.\n+#\n+# hint_window_persistent_enabled: true\n+\n+# Maximum throttle in KiBs per second, total. This will be\n+# reduced proportionally to the number of nodes in the cluster.\n+# Min unit: KiB\n+batchlog_replay_throttle: 1024KiB\n+\n+# Strategy to choose the batchlog storage endpoints.\n+#\n+# Available options:\n+#\n+# - random_remote\n+#   Default, purely random, prevents the local rack, if possible.\n+#\n+# - prefer_local\n+#   Similar to random_remote. 
Random, except that one of the replications will go to the local rack,\n+#   which mean it offers lower availability guarantee than random_remote or dynamic_remote.\n+#\n+# - dynamic_remote\n+#   Using DynamicEndpointSnitch to select batchlog storage endpoints, prevents the\n+#   local rack, if possible. This strategy offers the same availability guarantees\n+#   as random_remote but selects the fastest endpoints according to the DynamicEndpointSnitch.\n+#   (DynamicEndpointSnitch currently only tracks reads and not writes - i.e. write-only\n+#   (or mostly-write) workloads might not benefit from this strategy.)\n+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.\n+#\n+# - dynamic\n+#   Mostly the same as dynamic_remote, except that local rack is not excluded, which mean it offers lower\n+#   availability guarantee than random_remote or dynamic_remote.\n+#   Note: this strategy will fall back to random_remote, if dynamic_snitch is not enabled.\n+#\n+# batchlog_endpoint_strategy: random_remote\n+\n+# Authentication backend, implementing IAuthenticator; used to identify users\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator,\n+# PasswordAuthenticator}.\n+#\n+# - AllowAllAuthenticator performs no checks - set it to disable authentication.\n+# - PasswordAuthenticator relies on username/password pairs to authenticate\n+#   users. 
It keeps usernames and hashed passwords in system_auth.roles table.\n+#   Please increase system_auth keyspace replication factor if you use this authenticator.\n+#   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)\n+authenticator: PasswordAuthenticator\n+\n+# Authorization backend, implementing IAuthorizer; used to limit access/provide permissions\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,\n+# CassandraAuthorizer}.\n+#\n+# - AllowAllAuthorizer allows any action to any user - set it to disable authorization.\n+# - CassandraAuthorizer stores permissions in system_auth.role_permissions table. Please\n+#   increase system_auth keyspace replication factor if you use this authorizer.\n+authorizer: CassandraAuthorizer\n+\n+# Part of the Authentication & Authorization backend, implementing IRoleManager; used\n+# to maintain grants and memberships between roles.\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager,\n+# which stores role information in the system_auth keyspace. Most functions of the\n+# IRoleManager require an authenticated login, so unless the configured IAuthenticator\n+# actually implements authentication, most of this functionality will be unavailable.\n+#\n+# - CassandraRoleManager stores role data in the system_auth keyspace. Please\n+#   increase system_auth keyspace replication factor if you use this role manager.\n+role_manager: CassandraRoleManager\n+\n+# Network authorization backend, implementing INetworkAuthorizer; used to restrict user\n+# access to certain DCs\n+# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllNetworkAuthorizer,\n+# CassandraNetworkAuthorizer}.\n+#\n+# - AllowAllNetworkAuthorizer allows access to any DC to any user - set it to disable authorization.\n+# - CassandraNetworkAuthorizer stores permissions in system_auth.network_permissions table. 
Please\n+#   increase system_auth keyspace replication factor if you use this authorizer.\n+network_authorizer: AllowAllNetworkAuthorizer\n+\n+# Depending on the auth strategy of the cluster, it can be beneficial to iterate\n+# from root to table (root -> ks -> table) instead of table to root (table -> ks -> root).\n+# As the auth entries are whitelisting, once a permission is found you know it to be\n+# valid. We default to false as the legacy behavior is to query at the table level then\n+# move back up to the root. See CASSANDRA-17016 for details.\n+# traverse_auth_from_root: false\n+\n+# Validity period for roles cache (fetching granted roles can be an expensive\n+# operation depending on the role manager, CassandraRoleManager is one example)\n+# Granted roles are cached for authenticated sessions in AuthenticatedUser and\n+# after the period specified here, become eligible for (async) reload.\n+# Defaults to 2000, set to 0 to disable caching entirely.\n+# Will be disabled automatically for AllowAllAuthenticator.\n+# For a long-running cache using roles_cache_active_update, consider\n+# setting to something longer such as a daily validation: 86400000\n+# Min unit: ms\n+roles_validity: 2000ms\n+\n+# Refresh interval for roles cache (if enabled).\n+# After this interval, cache entries become eligible for refresh. Upon next\n+# access, an async reload is scheduled and the old value returned until it\n+# completes. If roles_validity is non-zero, then this must be\n+# also.\n+# This setting is also used to inform the interval of auto-updating if\n+# using roles_cache_active_update.\n+# Defaults to the same value as roles_validity.\n+# For a long-running cache, consider setting this to 60000 (1 hour) etc.\n+# Min unit: ms\n+# roles_update_interval: 2000ms\n+\n+# If true, cache contents are actively updated by a background task at the\n+# interval set by roles_update_interval. If false, cache entries\n+# become eligible for refresh after their update interval. 
Upon next access,\n+# an async reload is scheduled and the old value returned until it completes.\n+# roles_cache_active_update: false\n+\n+# Validity period for permissions cache (fetching permissions can be an\n+# expensive operation depending on the authorizer, CassandraAuthorizer is\n+# one example). Defaults to 2000, set to 0 to disable.\n+# Will be disabled automatically for AllowAllAuthorizer.\n+# For a long-running cache using permissions_cache_active_update, consider\n+# setting to something longer such as a daily validation: 86400000ms\n+# Min unit: ms\n+permissions_validity: 600000ms\n+\n+# Refresh interval for permissions cache (if enabled).\n+# After this interval, cache entries become eligible for refresh. Upon next\n+# access, an async reload is scheduled and the old value returned until it\n+# completes. If permissions_validity is non-zero, then this must be\n+# also.\n+# This setting is also used to inform the interval of auto-updating if\n+# using permissions_cache_active_update.\n+# Defaults to the same value as permissions_validity.\n+# For a longer-running permissions cache, consider setting to update hourly (60000)\n+# Min unit: ms\n+# permissions_update_interval: 2000ms\n+\n+# If true, cache contents are actively updated by a background task at the\n+# interval set by permissions_update_interval. If false, cache entries\n+# become eligible for refresh after their update interval. Upon next access,\n+# an async reload is scheduled and the old value returned until it completes.\n+# permissions_cache_active_update: false\n+\n+# Validity period for credentials cache. This cache is tightly coupled to\n+# the provided PasswordAuthenticator implementation of IAuthenticator. 
If\n+# another IAuthenticator implementation is configured, this cache will not\n+# be automatically used and so the following settings will have no effect.\n+# Please note, credentials are cached in their encrypted form, so while\n+# activating this cache may reduce the number of queries made to the\n+# underlying table, it may not  bring a significant reduction in the\n+# latency of individual authentication attempts.\n+# Defaults to 2000, set to 0 to disable credentials caching.\n+# For a long-running cache using credentials_cache_active_update, consider\n+# setting to something longer such as a daily validation: 86400000\n+# Min unit: ms\n+credentials_validity: 600000ms\n+\n+# Refresh interval for credentials cache (if enabled).\n+# After this interval, cache entries become eligible for refresh. Upon next\n+# access, an async reload is scheduled and the old value returned until it\n+# completes. If credentials_validity is non-zero, then this must be\n+# also.\n+# This setting is also used to inform the interval of auto-updating if\n+# using credentials_cache_active_update.\n+# Defaults to the same value as credentials_validity.\n+# For a longer-running permissions cache, consider setting to update hourly (60000)\n+# Min unit: ms\n+# credentials_update_interval: 2000ms\n+\n+# If true, cache contents are actively updated by a background task at the\n+# interval set by credentials_update_interval. If false (default), cache entries\n+# become eligible for refresh after their update interval. Upon next access,\n+# an async reload is scheduled and the old value returned until it completes.\n+# credentials_cache_active_update: false\n+\n+# The partitioner is responsible for distributing groups of rows (by\n+# partition key) across nodes in the cluster. The partitioner can NOT be\n+# changed without reloading all data.  
If you are adding nodes or upgrading,\n+# you should set this to the same partitioner that you are currently using.\n+#\n+# The default partitioner is the Murmur3Partitioner. Older partitioners\n+# such as the RandomPartitioner, ByteOrderedPartitioner, and\n+# OrderPreservingPartitioner have been included for backward compatibility only.\n+# For new clusters, you should NOT change this value.\n+#\n+partitioner: org.apache.cassandra.dht.Murmur3Partitioner\n+\n+# Directories where Cassandra should store data on disk. If multiple\n+# directories are specified, Cassandra will spread data evenly across \n+# them by partitioning the token ranges.\n+# If not set, the default directory is $CASSANDRA_HOME/data/data.\n+data_file_directories:\n+    - /srv/storage-0/cassandra-a/data\n+    - /srv/storage-1/cassandra-a/data\n+    - /srv/storage-2/cassandra-a/data\n+    - /srv/storage-3/cassandra-a/data\n+    - /srv/storage-4/cassandra-a/data\n+    - /srv/storage-5/cassandra-a/data\n+    - /srv/storage-6/cassandra-a/data\n+    - /srv/storage-7/cassandra-a/data\n+\n+\n+# Directory where Cassandra should store the data of the local system keyspaces.\n+# By default Cassandra will store the data of the local system keyspaces in the first of the data directories specified\n+# by data_file_directories.\n+# This approach ensures that if one of the other disks is lost Cassandra can continue to operate. For extra security\n+# this setting allows to store those data on a different directory that provides redundancy.\n+local_system_data_file_directory: /srv/cassandra/cassandra-a/system\n+\n+# commit log.  when running on magnetic HDD, this should be a\n+# separate spindle than the data directories.\n+# If not set, the default directory is $CASSANDRA_HOME/data/commitlog.\n+commitlog_directory: /srv/cassandra/cassandra-a/commitlog\n+\n+# Enable / disable CDC functionality on a per-node basis. This modifies the logic used\n+# for write path allocation rejection (standard: never reject. 
cdc: reject Mutation\n+# containing a CDC-enabled table if at space limit in cdc_raw_directory).\n+cdc_enabled: false\n+\n+# CommitLogSegments are moved to this directory on flush if cdc_enabled: true and the\n+# segment contains mutations for a CDC-enabled table. This should be placed on a\n+# separate spindle than the data directories. If not set, the default directory is\n+# $CASSANDRA_HOME/data/cdc_raw.\n+# cdc_raw_directory: /var/lib/cassandra/cdc_raw\n+\n+# Policy for data disk failures:\n+#\n+# die\n+#   shut down gossip and client transports and kill the JVM for any fs errors or\n+#   single-sstable errors, so the node can be replaced.\n+#\n+# stop_paranoid\n+#   shut down gossip and client transports even for single-sstable errors,\n+#   kill the JVM for errors during startup.\n+#\n+# stop\n+#   shut down gossip and client transports, leaving the node effectively dead, but\n+#   can still be inspected via JMX, kill the JVM for errors during startup.\n+#\n+# best_effort\n+#    stop using the failed disk and respond to requests based on\n+#    remaining available sstables.  
This means you WILL see obsolete\n+#    data at CL.ONE!\n+#\n+# ignore\n+#    ignore fatal errors and let requests fail, as in pre-1.2 Cassandra\n+disk_failure_policy: stop\n+\n+# Policy for commit disk failures:\n+#\n+# die\n+#   shut down the node and kill the JVM, so the node can be replaced.\n+#\n+# stop\n+#   shut down the node, leaving the node effectively dead, but\n+#   can still be inspected via JMX.\n+#\n+# stop_commit\n+#   shutdown the commit log, letting writes collect but\n+#   continuing to service reads, as in pre-2.0.5 Cassandra\n+#\n+# ignore\n+#   ignore fatal errors and let the batches fail\n+commit_failure_policy: stop\n+\n+# Maximum size of the native protocol prepared statement cache\n+#\n+# Valid values are either \"auto\" (omitting the value) or a value greater 0.\n+#\n+# Note that specifying a too large value will result in long running GCs and possbily\n+# out-of-memory errors. Keep the value at a small fraction of the heap.\n+#\n+# If you constantly see \"prepared statements discarded in the last minute because\n+# cache limit reached\" messages, the first step is to investigate the root cause\n+# of these messages and check whether prepared statements are used correctly -\n+# i.e. use bind markers for variable parts.\n+#\n+# Do only change the default value, if you really have more prepared statements than\n+# fit in the cache. In most cases it is not neccessary to change this value.\n+# Constantly re-preparing statements is a performance penalty.\n+#\n+# Default value (\"auto\") is 1/256th of the heap or 10MiB, whichever is greater\n+# Min unit: MiB\n+prepared_statements_cache_size:\n+\n+# Maximum size of the key cache in memory.\n+#\n+# Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the\n+# minimum, sometimes more. 
The key cache is fairly tiny for the amount of\n+# time it saves, so it's worthwhile to use it at large numbers.\n+# The row cache saves even more time, but must contain the entire row,\n+# so it is extremely space-intensive. It's best to only use the\n+# row cache if you have hot rows or static rows.\n+#\n+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.\n+#\n+# Default value is empty to make it \"auto\" (min(5% of Heap (in MiB), 100MiB)). Set to 0 to disable key cache.\n+# Min unit: MiB\n+key_cache_size: 400MiB\n+\n+# Duration in seconds after which Cassandra should\n+# save the key cache. Caches are saved to saved_caches_directory as\n+# specified in this configuration file.\n+#\n+# Saved caches greatly improve cold-start speeds, and is relatively cheap in\n+# terms of I/O for the key cache. Row cache saving is much more expensive and\n+# has limited use.\n+#\n+# Default is 14400 or 4 hours.\n+# Min unit: s\n+key_cache_save_period: 4h\n+\n+# Number of keys from the key cache to save\n+# Disabled by default, meaning all keys are going to be saved\n+# key_cache_keys_to_save: 100\n+\n+# Row cache implementation class name. Available implementations:\n+#\n+# org.apache.cassandra.cache.OHCProvider\n+#   Fully off-heap row cache implementation (default).\n+#\n+# org.apache.cassandra.cache.SerializingCacheProvider\n+#   This is the row cache implementation availabile\n+#   in previous releases of Cassandra.\n+# row_cache_class_name: org.apache.cassandra.cache.OHCProvider\n+\n+# Maximum size of the row cache in memory.\n+# Please note that OHC cache implementation requires some additional off-heap memory to manage\n+# the map structures and some in-flight memory during operations before/after cache entries can be\n+# accounted against the cache capacity. 
This overhead is usually small compared to the whole capacity.\n+# Do not specify more memory that the system can afford in the worst usual situation and leave some\n+# headroom for OS block level cache. Do never allow your system to swap.\n+#\n+# Default value is 0, to disable row caching.\n+# Min unit: MiB\n+row_cache_size: 200MiB\n+\n+# Duration in seconds after which Cassandra should save the row cache.\n+# Caches are saved to saved_caches_directory as specified in this configuration file.\n+#\n+# Saved caches greatly improve cold-start speeds, and is relatively cheap in\n+# terms of I/O for the key cache. Row cache saving is much more expensive and\n+# has limited use.\n+#\n+# Default is 0 to disable saving the row cache.\n+# Min unit: s\n+row_cache_save_period: 0s\n+\n+# Number of keys from the row cache to save.\n+# Specify 0 (which is the default), meaning all keys are going to be saved\n+# row_cache_keys_to_save: 100\n+\n+# Maximum size of the counter cache in memory.\n+#\n+# Counter cache helps to reduce counter locks' contention for hot counter cells.\n+# In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before\n+# write entirely. With RF > 1 a counter cache hit will still help to reduce the duration\n+# of the lock hold, helping with hot counter cell updates, but will not allow skipping\n+# the read entirely. Only the local (clock, count) tuple of a counter cell is kept\n+# in memory, not the whole counter, so it's relatively cheap.\n+#\n+# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup.\n+#\n+# Default value is empty to make it \"auto\" (min(2.5% of Heap (in MiB), 50MiB)). Set to 0 to disable counter cache.\n+# NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache.\n+# Min unit: MiB\n+counter_cache_size:\n+\n+# Duration in seconds after which Cassandra should\n+# save the counter cache (keys only). 
Caches are saved to saved_caches_directory as\n+# specified in this configuration file.\n+#\n+# Default is 7200 or 2 hours.\n+# Min unit: s\n+counter_cache_save_period: 7200s\n+\n+# Number of keys from the counter cache to save\n+# Disabled by default, meaning all keys are going to be saved\n+# counter_cache_keys_to_save: 100\n+\n+# saved caches\n+# If not set, the default directory is $CASSANDRA_HOME/data/saved_caches.\n+saved_caches_directory: /srv/cassandra/cassandra-a/saved_caches\n+\n+# Number of seconds the server will wait for each cache (row, key, etc ...) to load while starting\n+# the Cassandra process. Setting this to zero is equivalent to disabling all cache loading on startup\n+# while still having the cache during runtime.\n+# Min unit: s\n+# cache_load_timeout: 30s\n+\n+# commitlog_sync may be either \"periodic\", \"group\", or \"batch.\" \n+# \n+# When in batch mode, Cassandra won't ack writes until the commit log\n+# has been flushed to disk.  Each incoming write will trigger the flush task.\n+# commitlog_sync_batch_window_in_ms is a deprecated value. Previously it had\n+# almost no value, and is being removed.\n+#\n+# commitlog_sync_batch_window_in_ms: 2\n+#\n+# group mode is similar to batch mode, where Cassandra will not ack writes\n+# until the commit log has been flushed to disk. The difference is group\n+# mode will wait up to commitlog_sync_group_window between flushes.\n+#\n+# Min unit: ms\n+# commitlog_sync_group_window: 1000ms\n+#\n+# the default option is \"periodic\" where writes may be acked immediately\n+# and the CommitLog is simply synced every commitlog_sync_period\n+# milliseconds.\n+commitlog_sync: periodic\n+# Min unit: ms\n+commitlog_sync_period: 10000ms\n+\n+# When in periodic commitlog mode, the number of milliseconds to block writes\n+# while waiting for a slow disk flush to complete.\n+# Min unit: ms\n+# periodic_commitlog_sync_lag_block:\n+\n+# The size of the individual commitlog file segments.  
A commitlog\n+# segment may be archived, deleted, or recycled once all the data\n+# in it (potentially from each columnfamily in the system) has been\n+# flushed to sstables.\n+#\n+# The default size is 32, which is almost always fine, but if you are\n+# archiving commitlog segments (see commitlog_archiving.properties),\n+# then you probably want a finer granularity of archiving; 8 or 16 MB\n+# is reasonable.\n+# Max mutation size is also configurable via max_mutation_size setting in\n+# cassandra.yaml. The default is half the size commitlog_segment_size in bytes.\n+# This should be positive and less than 2048.\n+#\n+# NOTE: If max_mutation_size is set explicitly then commitlog_segment_size must\n+# be set to at least twice the size of max_mutation_size\n+#\n+# Min unit: MiB\n+commitlog_segment_size: 32MiB\n+\n+# Compression to apply to the commit log. If omitted, the commit log\n+# will be written uncompressed.  LZ4, Snappy, and Deflate compressors\n+# are supported.\n+# commitlog_compression:\n+#   - class_name: LZ4Compressor\n+#     parameters:\n+#         -\n+\n+# Compression to apply to SSTables as they flush for compressed tables.\n+# Note that tables without compression enabled do not respect this flag.\n+#\n+# As high ratio compressors like LZ4HC, Zstd, and Deflate can potentially\n+# block flushes for too long, the default is to flush with a known fast\n+# compressor in those cases. Options are:\n+#\n+# none : Flush without compressing blocks but while still doing checksums.\n+# fast : Flush with a fast compressor. If the table is already using a\n+#        fast compressor that compressor is used.\n+# table: Always flush with the same compressor that the table uses. 
This\n+#        was the pre 4.0 behavior.\n+#\n+# flush_compression: fast\n+\n+# any class that implements the SeedProvider interface and has a\n+# constructor that takes a Map<String, String> of parameters will do.\n+seed_provider:\n+  # Addresses of hosts that are deemed contact points.\n+  # Cassandra nodes use this list of hosts to find each other and learn\n+  # the topology of the ring.  You must change this if you are running\n+  # multiple nodes!\n+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider\n+    parameters:\n+      # seeds is actually a comma-delimited list of addresses.\n+      # Ex: \"<ip1>,<ip2>,<ip3>\"\n+      # Omit own host name / IP in multi-node clusters (see\n+      # https://phabricator.wikimedia.org/T91617).\n+      # Also disregard the main DNS interfaces of each node when\n+      # multiple instances are colocated on the same node (see\n+      # https://phabricator.wikimedia.org/T172610)\n+      \n+      - seeds: aqs1010-a.eqiad.wmnet,aqs1010-b.eqiad.wmnet,aqs1011-a.eqiad.wmnet,aqs1011-b.eqiad.wmnet,aqs1012-a.eqiad.wmnet,aqs1012-b.eqiad.wmnet,aqs1014-a.eqiad.wmnet,aqs1014-b.eqiad.wmnet,aqs1015-a.eqiad.wmnet,aqs1015-b.eqiad.wmnet,aqs1016-a.eqiad.wmnet,aqs1016-b.eqiad.wmnet,aqs1017-a.eqiad.wmnet,aqs1017-b.eqiad.wmnet,aqs1018-a.eqiad.wmnet,aqs1018-b.eqiad.wmnet,aqs1019-a.eqiad.wmnet,aqs1019-b.eqiad.wmnet,aqs1020-a.eqiad.wmnet,aqs1020-b.eqiad.wmnet,aqs1021-a.eqiad.wmnet,aqs1021-b.eqiad.wmnet,aqs1022-a.eqiad.wmnet,aqs1022-b.eqiad.wmnet,aqs1023-a.eqiad.wmnet,aqs1023-b.eqiad.wmnet,aqs2001-a.codfw.wmnet,aqs2001-b.codfw.wmnet,aqs2002-a.codfw.wmnet,aqs2002-b.codfw.wmnet,aqs2003-a.codfw.wmnet,aqs2003-b.codfw.wmnet,aqs2004-a.codfw.wmnet,aqs2004-b.codfw.wmnet,aqs2005-a.codfw.wmnet,aqs2005-b.codfw.wmnet,aqs2006-a.codfw.wmnet,aqs2006-b.codfw.wmnet,aqs2007-a.codfw.wmnet,aqs2007-b.codfw.wmnet,aqs2008-a.codfw.wmnet,aqs2008-b.codfw.wmnet,aqs2009-a.codfw.wmnet,aqs2009-b.codfw.wmnet,aqs2010-a.codfw.wmnet,aqs2010-b.codfw.wmnet,aqs2011-a.codfw.wm
net,aqs2011-b.codfw.wmnet,aqs2012-a.codfw.wmnet,aqs2012-b.codfw.wmnet\n+\n+# For workloads with more data than can fit in memory, Cassandra's\n+# bottleneck will be reads that need to fetch data from\n+# disk. \"concurrent_reads\" should be set to (16 * number_of_drives) in\n+# order to allow the operations to enqueue low enough in the stack\n+# that the OS and drives can reorder them. Same applies to\n+# \"concurrent_counter_writes\", since counter writes read the current\n+# values before incrementing and writing them back.\n+#\n+# On the other hand, since writes are almost never IO bound, the ideal\n+# number of \"concurrent_writes\" is dependent on the number of cores in\n+# your system; (8 * number_of_cores) is a good rule of thumb.\n+concurrent_reads: 64\n+concurrent_writes: 64\n+concurrent_counter_writes: 32\n+\n+# For materialized view writes, as there is a read involved, so this should\n+# be limited by the less of concurrent reads or concurrent writes.\n+concurrent_materialized_view_writes: 32\n+\n+# Maximum memory to use for inter-node and client-server networking buffers.\n+#\n+# Defaults to the smaller of 1/16 of heap or 128MB. This pool is allocated off-heap,\n+# so is in addition to the memory allocated for heap. The cache also has on-heap\n+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size\n+# if the default 64k chunk size is used).\n+# Memory is only allocated when needed.\n+# Min unit: MiB\n+# networking_cache_size: 128MiB\n+\n+# Enable the sstable chunk cache.  The chunk cache will store recently accessed\n+# sections of the sstable in-memory as uncompressed buffers.\n+# file_cache_enabled: false\n+\n+# Maximum memory to use for sstable chunk cache and buffer pooling.\n+# 32MB of this are reserved for pooling buffers, the rest is used for chunk cache\n+# that holds uncompressed sstable chunks.\n+# Defaults to the smaller of 1/4 of heap or 512MB. 
This pool is allocated off-heap,\n+# so is in addition to the memory allocated for heap. The cache also has on-heap\n+# overhead which is roughly 128 bytes per chunk (i.e. 0.2% of the reserved size\n+# if the default 64k chunk size is used).\n+# Memory is only allocated when needed.\n+# Min unit: MiB\n+# file_cache_size: 512MiB\n+\n+# Flag indicating whether to allocate on or off heap when the sstable buffer\n+# pool is exhausted, that is when it has exceeded the maximum memory\n+# file_cache_size, beyond which it will not cache buffers but allocate on request.\n+\n+# buffer_pool_use_heap_if_exhausted: true\n+\n+# The strategy for optimizing disk read\n+# Possible values are:\n+# ssd (for solid state disks, the default)\n+# spinning (for spinning disks)\n+# disk_optimization_strategy: ssd\n+\n+# Total permitted memory to use for memtables. Cassandra will stop\n+# accepting writes when the limit is exceeded until a flush completes,\n+# and will trigger a flush based on memtable_cleanup_threshold\n+# If omitted, Cassandra will set both to 1/4 the size of the heap.\n+# Min unit: MiB\n+# memtable_heap_space: 2048MiB\n+# Min unit: MiB\n+# memtable_offheap_space: 2048MiB\n+\n+# memtable_cleanup_threshold is deprecated. The default calculation\n+# is the only reasonable choice. See the comments on  memtable_flush_writers\n+# for more information.\n+#\n+# Ratio of occupied non-flushing memtable size to total permitted size\n+# that will trigger a flush of the largest memtable. 
Larger mct will\n+# mean larger flushes and hence less compaction, but also less concurrent\n+# flush activity which can make it difficult to keep your disks fed\n+# under heavy write load.\n+#\n+# memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1)\n+# memtable_cleanup_threshold: 0.11\n+\n+# Specify the way Cassandra allocates and manages memtable memory.\n+# Options are:\n+#\n+# heap_buffers\n+#   on heap nio buffers\n+#\n+# offheap_buffers\n+#   off heap (direct) nio buffers\n+#\n+# offheap_objects\n+#    off heap objects\n+memtable_allocation_type: heap_buffers\n+\n+# Limit memory usage for Merkle tree calculations during repairs of a certain\n+# table and common token range. Repair commands targetting multiple tables or\n+# virtual nodes can exceed this limit depending on concurrent_merkle_tree_requests.\n+#\n+# The default is 1/16th of the available heap. The main tradeoff is that\n+# smaller trees have less resolution, which can lead to over-streaming data.\n+# If you see heap pressure during repairs, consider lowering this, but you\n+# cannot go below one mebibyte. If you see lots of over-streaming, consider\n+# raising this or using subrange repair.\n+#\n+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-14096.\n+#\n+# Min unit: MiB\n+# repair_session_space:\n+\n+# The number of simultaneous Merkle tree requests during repairs that can\n+# be performed by a repair command. 
The size of each validation request is\n+# limited by the repair_session_space property, so setting this to 1 will make\n+# sure that a repair command doesn't exceed that limit, even if the repair\n+# command is repairing multiple tables or multiple virtual nodes.\n+#\n+# There isn't a limit by default for backwards compatibility, but this can\n+# produce OOM for  commands repairing multiple tables or multiple virtual nodes.\n+# A limit of just 1 simultaneous Merkle tree request is generally recommended\n+# with no virtual nodes so repair_session_space, and thereof the Merkle tree\n+# resolution, can be high. For virtual nodes a value of 1 with the default\n+# repair_session_space value will produce higher resolution Merkle trees\n+# at the expense of speed. Alternatively, when working with virtual nodes it\n+# can make sense to reduce the repair_session_space and increase the value of\n+# concurrent_merkle_tree_requests because each range will contain fewer data.\n+#\n+# For more details see https://issues.apache.org/jira/browse/CASSANDRA-19336.\n+#\n+# A zero value means no limit.\n+# concurrent_merkle_tree_requests: 0\n+\n+# Total space to use for commit logs on disk.\n+#\n+# If space gets above this value, Cassandra will flush every dirty CF\n+# in the oldest segment and remove it.  
So a small total commitlog space\n+# will tend to cause more flush activity on less-active columnfamilies.\n+#\n+# The default value is the smaller of 8192, and 1/4 of the total space\n+# of the commitlog volume.\n+#\n+# commitlog_total_space: 8192MiB\n+\n+# This sets the number of memtable flush writer threads per disk\n+# as well as the total number of memtables that can be flushed concurrently.\n+# These are generally a combination of compute and IO bound.\n+#\n+# Memtable flushing is more CPU efficient than memtable ingest and a single thread\n+# can keep up with the ingest rate of a whole server on a single fast disk\n+# until it temporarily becomes IO bound under contention typically with compaction.\n+# At that point you need multiple flush threads. At some point in the future\n+# it may become CPU bound all the time.\n+#\n+# You can tell if flushing is falling behind using the MemtablePool.BlockedOnAllocation\n+# metric which should be 0, but will be non-zero if threads are blocked waiting on flushing\n+# to free memory.\n+#\n+# memtable_flush_writers defaults to two for a single data directory.\n+# This means that two  memtables can be flushed concurrently to the single data directory.\n+# If you have multiple data directories the default is one memtable flushing at a time\n+# but the flush will use a thread per data directory so you will get two or more writers.\n+#\n+# Two is generally enough to flush on a fast disk [array] mounted as a single data directory.\n+# Adding more flush writers will result in smaller more frequent flushes that introduce more\n+# compaction overhead.\n+#\n+# There is a direct tradeoff between number of memtables that can be flushed concurrently\n+# and flush size and frequency. 
More is not better you just need enough flush writers\n+# to never stall waiting for flushing to free memory.\n+#\n+# memtable_flush_writers: 2\n+\n+# Total space to use for change-data-capture logs on disk.\n+#\n+# If space gets above this value, Cassandra will throw WriteTimeoutException\n+# on Mutations including tables with CDC enabled. A CDCCompactor is responsible\n+# for parsing the raw CDC logs and deleting them when parsing is completed.\n+#\n+# The default value is the min of 4096 MiB and 1/8th of the total space\n+# of the drive where cdc_raw_directory resides.\n+# Min unit: MiB\n+# cdc_total_space: 4096MiB\n+\n+# When we hit our cdc_raw limit and the CDCCompactor is either running behind\n+# or experiencing backpressure, we check at the following interval to see if any\n+# new space for cdc-tracked tables has been made available. Default to 250ms\n+# Min unit: ms\n+# cdc_free_space_check_interval: 250ms\n+\n+# A fixed memory pool size in MB for for SSTable index summaries. If left\n+# empty, this will default to 5% of the heap size. If the memory usage of\n+# all index summaries exceeds this limit, SSTables with low read rates will\n+# shrink their index summaries in order to meet this limit.  However, this\n+# is a best-effort process. In extreme conditions Cassandra may need to use\n+# more than this amount of memory.\n+# Min unit: KiB\n+index_summary_capacity:\n+\n+# How frequently index summaries should be resampled.  This is done\n+# periodically to redistribute memory from the fixed-size pool to sstables\n+# proportional their recent read rates.  Setting to null value will disable this\n+# process, leaving existing index summaries at their current sampling level.\n+# Min unit: m\n+index_summary_resize_interval: 60m\n+\n+# Whether to, when doing sequential writing, fsync() at intervals in\n+# order to force the operating system to flush the dirty\n+# buffers. Enable this to avoid sudden dirty buffer flushing from\n+# impacting read latencies. 
Almost always a good idea on SSDs; not\n+# necessarily on platters.\n+trickle_fsync: true\n+# Min unit: KiB\n+trickle_fsync_interval: 30240KiB\n+\n+# TCP port, for commands and data\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+storage_port: 7000\n+\n+# SSL port, for legacy encrypted communication. This property is unused unless enabled in\n+# server_encryption_options (see below). As of cassandra 4.0, this property is deprecated\n+# as a single port can be used for either/both secure and insecure connections.\n+# For security reasons, you should not expose this port to the internet. Firewall it if needed.\n+ssl_storage_port: 7001\n+\n+# Address or interface to bind to and tell other Cassandra nodes to connect to.\n+# You _must_ change this if you want multiple nodes to be able to communicate!\n+#\n+# Set listen_address OR listen_interface, not both.\n+#\n+# Leaving it blank leaves it up to InetAddress.getLocalHost(). This\n+# will always do the Right Thing _if_ the node is properly configured\n+# (hostname, name resolution, etc), and the Right Thing is to use the\n+# address associated with the hostname (it might not be). If unresolvable\n+# it will fall back to InetAddress.getLoopbackAddress(), which is wrong for production systems.\n+#\n+# Setting listen_address to 0.0.0.0 is always wrong.\n+#\n+listen_address: 10.64.156.18\n+\n+# Set listen_address OR listen_interface, not both. Interfaces must correspond\n+# to a single address, IP aliasing is not supported.\n+# listen_interface: eth0\n+\n+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address\n+# you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4\n+# address will be used. If true the first ipv6 address will be used. Defaults to false preferring\n+# ipv4. 
If there is only one address it will be selected regardless of ipv4/ipv6.\n+# listen_interface_prefer_ipv6: false\n+\n+# Address to broadcast to other Cassandra nodes\n+# Leaving this blank will set it to the same value as listen_address\n+# broadcast_address: 1.2.3.4\n+\n+# When using multiple physical network interfaces, set this\n+# to true to listen on broadcast_address in addition to\n+# the listen_address, allowing nodes to communicate in both\n+# interfaces.\n+# Ignore this property if the network configuration automatically\n+# routes  between the public and private networks such as EC2.\n+# listen_on_broadcast_address: false\n+\n+# Internode authentication backend, implementing IInternodeAuthenticator;\n+# used to allow/disallow connections from peer nodes.\n+# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator\n+\n+# Whether to start the native transport server.\n+# The address on which the native transport is bound is defined by rpc_address.\n+start_native_transport: true\n+# port for the CQL native transport to listen for clients on\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+native_transport_port: 9042\n+# Enabling native transport encryption in client_encryption_options allows you to either use\n+# encryption for the standard port or to use a dedicated, additional port along with the unencrypted\n+# standard native_transport_port.\n+# Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption\n+# for native_transport_port. 
Setting native_transport_port_ssl to a different value\n+# from native_transport_port will use encryption for native_transport_port_ssl while\n+# keeping native_transport_port unencrypted.\n+# native_transport_port_ssl: 9142\n+# The maximum threads for handling requests (note that idle threads are stopped\n+# after 30 seconds so there is not corresponding minimum setting).\n+# native_transport_max_threads: 128\n+# The maximum threads for handling auth requests in a separate executor from main request executor.\n+# When set to 0, main executor for requests is used.\n+# native_transport_max_auth_threads: 0\n+#\n+# The maximum size of allowed frame. Frame (requests) larger than this will\n+# be rejected as invalid. The default is 16MiB. If you're changing this parameter,\n+# you may want to adjust max_value_size accordingly. This should be positive and less than 2048.\n+# Min unit: MiB\n+# native_transport_max_frame_size: 16MiB\n+\n+# The maximum number of concurrent client connections.\n+# The default is -1, which means unlimited.\n+# native_transport_max_concurrent_connections: -1\n+\n+# The maximum number of concurrent client connections per source ip.\n+# The default is -1, which means unlimited.\n+# native_transport_max_concurrent_connections_per_ip: -1\n+\n+# Controls whether Cassandra honors older, yet currently supported, protocol versions.\n+# The default is true, which means all supported protocols will be honored.\n+native_transport_allow_older_protocols: true\n+\n+# Controls when idle client connections are closed. Idle connections are ones that had neither reads\n+# nor writes for a time period.\n+#\n+# Clients may implement heartbeats by sending OPTIONS native protocol message after a timeout, which\n+# will reset idle timeout timer on the server side. 
To close idle client connections, corresponding\n+# values for heartbeat intervals have to be set on the client side.\n+#\n+# Idle connection timeouts are disabled by default.\n+# Min unit: ms\n+# native_transport_idle_timeout: 60000ms\n+\n+# When enabled, limits the number of native transport requests dispatched for processing per second.\n+# Behavior once the limit has been breached depends on the value of THROW_ON_OVERLOAD specified in\n+# the STARTUP message sent by the client during connection establishment. (See section \"4.1.1. STARTUP\"\n+# in \"CQL BINARY PROTOCOL v5\".) With the THROW_ON_OVERLOAD flag enabled, messages that breach the limit\n+# are dropped, and an OverloadedException is thrown for the client to handle. When the flag is not\n+# enabled, the server will stop consuming messages from the channel/socket, putting backpressure on\n+# the client while already dispatched messages are processed.\n+# native_transport_rate_limiting_enabled: false\n+# native_transport_max_requests_per_second: 1000000\n+\n+# The address or interface to bind the native transport server to.\n+#\n+# Set rpc_address OR rpc_interface, not both.\n+#\n+# Leaving rpc_address blank has the same effect as on listen_address\n+# (i.e. it will be based on the configured hostname of the node).\n+#\n+# Note that unlike listen_address, you can specify 0.0.0.0, but you must also\n+# set broadcast_rpc_address to a value other than 0.0.0.0.\n+#\n+# For security reasons, you should not expose this port to the internet.  Firewall it if needed.\n+rpc_address: 10.64.156.18\n+\n+# Set rpc_address OR rpc_interface, not both. Interfaces must correspond\n+# to a single address, IP aliasing is not supported.\n+# rpc_interface: eth1\n+\n+# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address\n+# you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4\n+# address will be used. 
If true the first ipv6 address will be used. Defaults to false preferring\n+# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6.\n+# rpc_interface_prefer_ipv6: false\n+\n+# RPC address to broadcast to drivers and other Cassandra nodes. This cannot\n+# be set to 0.0.0.0. If left blank, this will be set to the value of\n+# rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must\n+# be set.\n+# broadcast_rpc_address: 1.2.3.4\n+\n+# enable or disable keepalive on rpc/native connections\n+rpc_keepalive: true\n+\n+# Uncomment to set socket buffer size for internode communication\n+# Note that when setting this, the buffer size is limited by net.core.wmem_max\n+# and when not setting it it is defined by net.ipv4.tcp_wmem\n+# See also:\n+# /proc/sys/net/core/wmem_max\n+# /proc/sys/net/core/rmem_max\n+# /proc/sys/net/ipv4/tcp_wmem\n+# /proc/sys/net/ipv4/tcp_wmem\n+# and 'man tcp'\n+# Min unit: B\n+# internode_socket_send_buffer_size:\n+\n+# Uncomment to set socket buffer size for internode communication\n+# Note that when setting this, the buffer size is limited by net.core.wmem_max\n+# and when not setting it it is defined by net.ipv4.tcp_wmem\n+# Min unit: B\n+# internode_socket_receive_buffer_size:\n+\n+# Set to true to have Cassandra create a hard link to each sstable\n+# flushed or streamed locally in a backups/ subdirectory of the\n+# keyspace data.  Removing these links is the operator's\n+# responsibility.\n+incremental_backups: false\n+\n+# Whether or not to take a snapshot before each compaction.  Be\n+# careful using this option, since Cassandra won't clean up the\n+# snapshots for you.  Mostly useful if you're paranoid when there\n+# is a data format change.\n+snapshot_before_compaction: false\n+\n+# Whether or not a snapshot is taken of the data before keyspace truncation\n+# or dropping of column families. The STRONGLY advised default of true \n+# should be used to provide data safety. 
If you set this flag to false, you will\n+# lose data on truncation or drop.\n+auto_snapshot: true\n+\n+# Adds a time-to-live (TTL) to auto snapshots generated by table\n+# truncation or drop (when enabled).\n+# After the TTL is elapsed, the snapshot is automatically cleared.\n+# By default, auto snapshots *do not* have TTL, uncomment the property below\n+# to enable TTL on auto snapshots.\n+# Accepted units: d (days), h (hours) or m (minutes)\n+# auto_snapshot_ttl: 30d\n+\n+# The act of creating or clearing a snapshot involves creating or removing\n+# potentially tens of thousands of links, which can cause significant performance\n+# impact, especially on consumer grade SSDs. A non-zero value here can\n+# be used to throttle these links to avoid negative performance impact of\n+# taking and clearing snapshots\n+snapshot_links_per_second: 0\n+\n+# Granularity of the collation index of rows within a partition.\n+# Increase if your rows are large, or if you have a very large\n+# number of rows per partition.  The competing goals are these:\n+#\n+# - a smaller granularity means more index entries are generated\n+#   and looking up rows withing the partition by collation column\n+#   is faster\n+# - but, Cassandra will keep the collation index in memory for hot\n+#   rows (as part of the key cache), so a larger granularity means\n+#   you can cache more hot rows\n+# Min unit: KiB\n+column_index_size: 64KiB\n+\n+# Per sstable indexed key cache entries (the collation index in memory\n+# mentioned above) exceeding this size will not be held on heap.\n+# This means that only partition information is held on heap and the\n+# index entries are read from disk.\n+#\n+# Note that this size refers to the size of the\n+# serialized index information and not the size of the partition.\n+# Min unit: KiB\n+column_index_cache_size: 2KiB\n+\n+# Number of simultaneous compactions to allow, NOT including\n+# validation \"compactions\" for anti-entropy repair.  
Simultaneous\n+# compactions can help preserve read performance in a mixed read/write\n+# workload, by mitigating the tendency of small sstables to accumulate\n+# during a single long running compactions. The default is usually\n+# fine and if you experience problems with compaction running too\n+# slowly or too fast, you should look at\n+# compaction_throughput first.\n+#\n+# concurrent_compactors defaults to the smaller of (number of disks,\n+# number of cores), with a minimum of 2 and a maximum of 8.\n+# \n+# If your data directories are backed by SSD, you should increase this\n+# to the number of cores.\n+concurrent_compactors: 12\n+\n+# Number of simultaneous repair validations to allow. If not set or set to\n+# a value less than 1, it defaults to the value of concurrent_compactors.\n+# To set a value greeater than concurrent_compactors at startup, the system\n+# property cassandra.allow_unlimited_concurrent_validations must be set to\n+# true. To dynamically resize to a value > concurrent_compactors on a running\n+# node, first call the bypassConcurrentValidatorsLimit method on the\n+# org.apache.cassandra.db:type=StorageService mbean\n+# concurrent_validations: 0\n+\n+# Number of simultaneous materialized view builder tasks to allow.\n+concurrent_materialized_view_builders: 1\n+\n+# Throttles compaction to the given total throughput across the entire\n+# system. The faster you insert data, the faster you need to compact in\n+# order to keep the sstable count down, but in general, setting this to\n+# 16 to 32 times the rate you are inserting data is more than sufficient.\n+# Setting this to 0 disables throttling. Note that this accounts for all types\n+# of compaction, including validation compaction (building Merkle trees\n+# for repairs).\n+compaction_throughput: 256MiB/s\n+\n+# When compacting, the replacement sstable(s) can be opened before they\n+# are completely written, and used in place of the prior sstables for\n+# any range that has been written. 
This helps to smoothly transfer reads \n+# between the sstables, reducing page cache churn and keeping hot rows hot\n+# Set sstable_preemptive_open_interval to null for disabled which is equivalent to\n+# sstable_preemptive_open_interval_in_mb being negative\n+# Min unit: MiB\n+sstable_preemptive_open_interval: 50MiB\n+\n+# Starting from 4.1 sstables support UUID based generation identifiers. They are disabled by default\n+# because once enabled, there is no easy way to downgrade. When the node is restarted with this option\n+# set to true, each newly created sstable will have a UUID based generation identifier and such files are\n+# not readable by previous Cassandra versions. At some point, this option will become true by default\n+# and eventually get removed from the configuration.\n+uuid_sstable_identifiers_enabled: false\n+\n+# When enabled, permits Cassandra to zero-copy stream entire eligible\n+# SSTables between nodes, including every component.\n+# This speeds up the network transfer significantly subject to\n+# throttling specified by entire_sstable_stream_throughput_outbound,\n+# and entire_sstable_inter_dc_stream_throughput_outbound\n+# for inter-DC transfers.\n+# Enabling this will reduce the GC pressure on sending and receiving node.\n+# When unset, the default is enabled. While this feature tries to keep the\n+# disks balanced, it cannot guarantee it. 
This feature will be automatically\n+# disabled if internode encryption is enabled.\n+# stream_entire_sstables: true\n+\n+# Throttles entire SSTable outbound streaming file transfers on\n+# this node to the given total throughput in Mbps.\n+# Setting this value to 0 it disables throttling.\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# entire_sstable_stream_throughput_outbound: 24MiB/s\n+\n+# Throttles entire SSTable file streaming between datacenters.\n+# Setting this value to 0 disables throttling for entire SSTable inter-DC file streaming.\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# entire_sstable_inter_dc_stream_throughput_outbound: 24MiB/s\n+\n+# Throttles all outbound streaming file transfers on this node to the\n+# given total throughput in Mbps. This is necessary because Cassandra does\n+# mostly sequential IO when streaming data during bootstrap or repair, which\n+# can lead to saturating the network connection and degrading rpc performance.\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# stream_throughput_outbound: 24MiB/s\n+\n+# Throttles all streaming file transfer between the datacenters,\n+# this setting allows users to throttle inter dc stream throughput in addition\n+# to throttling all network stream traffic as configured with\n+# stream_throughput_outbound_megabits_per_sec\n+# When unset, the default is 200 Mbps or 24 MiB/s.\n+# inter_dc_stream_throughput_outbound: 24MiB/s\n+\n+# Server side timeouts for requests. The server will return a timeout exception\n+# to the client if it can't complete an operation within the corresponding\n+# timeout. Those settings are a protection against:\n+#   1) having client wait on an operation that might never terminate due to some\n+#      failures.\n+#   2) operations that use too much CPU/read too much data (leading to memory build\n+#      up) by putting a limit to how long an operation will execute.\n+# For this reason, you should avoid putting these settings too high. 
In other words,\n+# if you are timing out requests because of underlying resource constraints then\n+# increasing the timeout will just cause more problems. Of course putting them too\n+# low is equally ill-advised since clients could get timeouts even for successful\n+# operations just because the timeout setting is too tight.\n+\n+# How long the coordinator should wait for read operations to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+read_request_timeout: 5000ms\n+# How long the coordinator should wait for seq or index scans to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+range_request_timeout: 10000ms\n+# How long the coordinator should wait for writes to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+write_request_timeout: 2000ms\n+# How long the coordinator should wait for counter writes to complete.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+counter_write_request_timeout: 5000ms\n+# How long a coordinator should continue to retry a CAS operation\n+# that contends with other proposals for the same row.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+cas_contention_timeout: 1000ms\n+# How long the coordinator should wait for truncates to complete\n+# (This can be much longer, because unless auto_snapshot is disabled\n+# we need to flush first so we can snapshot before removing the data.)\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+truncate_request_timeout: 60000ms\n+# The default timeout for other, miscellaneous operations.\n+# Lowest acceptable value is 10 ms.\n+# Min unit: ms\n+request_timeout: 10000ms\n+\n+# Defensive settings for protecting Cassandra from true network partitions.\n+# See (CASSANDRA-14358) for details.\n+#\n+# The amount of time to wait for internode tcp connections to establish.\n+# Min unit: ms\n+# internode_tcp_connect_timeout: 2000ms\n+#\n+# The amount of time unacknowledged data is allowed on a connection before we throw out the 
connection\n+# Note this is only supported on Linux + epoll, and it appears to behave oddly above a setting of 30000\n+# (it takes much longer than 30s) as of Linux 4.12. If you want something that high set this to 0\n+# which picks up the OS default and configure the net.ipv4.tcp_retries2 sysctl to be ~8.\n+# Min unit: ms\n+# internode_tcp_user_timeout: 30000ms\n+\n+# The amount of time unacknowledged data is allowed on a streaming connection.\n+# The default is 5 minutes. Increase it or set it to 0 in order to increase the timeout.\n+# Min unit: ms\n+# internode_streaming_tcp_user_timeout: 300000ms\n+\n+# Global, per-endpoint and per-connection limits imposed on messages queued for delivery to other nodes\n+# and waiting to be processed on arrival from other nodes in the cluster.  These limits are applied to the on-wire\n+# size of the message being sent or received.\n+#\n+# The basic per-link limit is consumed in isolation before any endpoint or global limit is imposed.\n+# Each node-pair has three links: urgent, small and large.  
So any given node may have a maximum of\n+# N*3*(internode_application_send_queue_capacity+internode_application_receive_queue_capacity)\n+# messages queued without any coordination between them although in practice, with token-aware routing, only RF*tokens\n+# nodes should need to communicate with significant bandwidth.\n+#\n+# The per-endpoint limit is imposed on all messages exceeding the per-link limit, simultaneously with the global limit,\n+# on all links to or from a single node in the cluster.\n+# The global limit is imposed on all messages exceeding the per-link limit, simultaneously with the per-endpoint limit,\n+# on all links to or from any node in the cluster.\n+#\n+# Min unit: B\n+# internode_application_send_queue_capacity: 4MiB\n+# internode_application_send_queue_reserve_endpoint_capacity: 128MiB\n+# internode_application_send_queue_reserve_global_capacity: 512MiB\n+# internode_application_receive_queue_capacity: 4MiB\n+# internode_application_receive_queue_reserve_endpoint_capacity: 128MiB\n+# internode_application_receive_queue_reserve_global_capacity: 512MiB\n+\n+\n+# How long before a node logs slow queries. Select queries that take longer than\n+# this timeout to execute, will generate an aggregated log message, so that slow queries\n+# can be identified. Set this value to zero to disable slow query logging.\n+# Min unit: ms\n+slow_query_log_timeout: 500ms\n+\n+# Enable operation timeout information exchange between nodes to accurately\n+# measure request timeouts.  
If disabled, replicas will assume that requests\n+# were forwarded to them instantly by the coordinator, which means that\n+# under overload conditions we will waste that much extra time processing \n+# already-timed-out requests.\n+#\n+# Warning: It is generally assumed that users have setup NTP on their clusters, and that clocks are modestly in sync, \n+# since this is a requirement for general correctness of last write wins.\n+# internode_timeout: true\n+\n+# Set period for idle state control messages for earlier detection of failed streams\n+# This node will send a keep-alive message periodically on the streaming's control channel.\n+# This ensures that any eventual SocketTimeoutException will occur within 2 keep-alive cycles\n+# If the node cannot send, or timeouts sending, the keep-alive message on the netty control channel\n+# the stream session is closed.\n+# Default value is 300s (5 minutes), which means stalled streams\n+# are detected within 10 minutes\n+# Specify 0 to disable.\n+# Min unit: s\n+# streaming_keep_alive_period: 300s\n+\n+# Limit number of connections per host for streaming\n+# Increase this when you notice that joins are CPU-bound rather that network\n+# bound (for example a few nodes with big files).\n+# streaming_connections_per_host: 1\n+\n+# Settings for stream stats tracking; used by system_views.streaming table\n+# How long before a stream is evicted from tracking; this impacts both historic and currently running\n+# streams.\n+# streaming_state_expires: 3d\n+# How much memory may be used for tracking before evicting session from tracking; once crossed\n+# historic and currently running streams maybe impacted.\n+# streaming_state_size: 40MiB\n+# Enable/Disable tracking of streaming stats\n+# streaming_stats_enabled: true\n+\n+# Allows denying configurable access (rw/rr) to operations on configured ks, table, and partitions, intended for use by\n+# operators to manage cluster health vs application access. 
See CASSANDRA-12106 and CEP-13 for more details.\n+# partition_denylist_enabled: false\n+\n+# denylist_writes_enabled: true\n+# denylist_reads_enabled: true\n+# denylist_range_reads_enabled: true\n+\n+# The interval at which keys in the cache for denylisting will \"expire\" and async refresh from the backing DB.\n+# Note: this serves only as a fail-safe, as the usage pattern is expected to be \"mutate state, refresh cache\" on any\n+# changes to the underlying denylist entries. See documentation for details.\n+# Min unit: s\n+# denylist_refresh: 600s\n+\n+# In the event of errors on attempting to load the denylist cache, retry on this interval.\n+# Min unit: s\n+# denylist_initial_load_retry: 5s\n+\n+# We cap the number of denylisted keys allowed per table to keep things from growing unbounded. Nodes will warn above\n+# this limit while allowing new denylisted keys to be inserted. Denied keys are loaded in natural query / clustering\n+# ordering by partition key in case of overflow.\n+# denylist_max_keys_per_table: 1000\n+\n+# We cap the total number of denylisted keys allowed in the cluster to keep things from growing unbounded.\n+# Nodes will warn on initial cache load that there are too many keys and be direct the operator to trim down excess\n+# entries to within the configured limits.\n+# denylist_max_keys_total: 10000\n+\n+# Since the denylist in many ways serves to protect the health of the cluster from partitions operators have identified\n+# as being in a bad state, we usually want more robustness than just CL.ONE on operations to/from these tables to\n+# ensure that these safeguards are in place. That said, we allow users to configure this if they're so inclined.\n+# denylist_consistency_level: QUORUM\n+\n+# phi value that must be reached for a host to be marked down.\n+# most users should never need to adjust this.\n+# phi_convict_threshold: 8\n+\n+# endpoint_snitch -- Set this to a class that implements\n+# IEndpointSnitch.  
The snitch has two functions:\n+#\n+# - it teaches Cassandra enough about your network topology to route\n+#   requests efficiently\n+# - it allows Cassandra to spread replicas around your cluster to avoid\n+#   correlated failures. It does this by grouping machines into\n+#   \"datacenters\" and \"racks.\"  Cassandra will do its best not to have\n+#   more than one replica on the same \"rack\" (which may not actually\n+#   be a physical location)\n+#\n+# CASSANDRA WILL NOT ALLOW YOU TO SWITCH TO AN INCOMPATIBLE SNITCH\n+# ONCE DATA IS INSERTED INTO THE CLUSTER.  This would cause data loss.\n+# This means that if you start with the default SimpleSnitch, which\n+# locates every node on \"rack1\" in \"datacenter1\", your only options\n+# if you need to add another datacenter are GossipingPropertyFileSnitch\n+# (and the older PFS).  From there, if you want to migrate to an\n+# incompatible snitch like Ec2Snitch you can do it by adding new nodes\n+# under Ec2Snitch (which will locate them in a new \"datacenter\") and\n+# decommissioning the old ones.\n+#\n+# Out of the box, Cassandra provides:\n+#\n+# SimpleSnitch:\n+#    Treats Strategy order as proximity. This can improve cache\n+#    locality when disabling read repair.  Only appropriate for\n+#    single-datacenter deployments.\n+#\n+# GossipingPropertyFileSnitch\n+#    This should be your go-to snitch for production use.  The rack\n+#    and datacenter for the local node are defined in\n+#    cassandra-rackdc.properties and propagated to other nodes via\n+#    gossip.  If cassandra-topology.properties exists, it is used as a\n+#    fallback, allowing migration from the PropertyFileSnitch.\n+#\n+# PropertyFileSnitch:\n+#    Proximity is determined by rack and data center, which are\n+#    explicitly configured in cassandra-topology.properties.\n+#\n+# Ec2Snitch:\n+#    Appropriate for EC2 deployments in a single Region. Loads Region\n+#    and Availability Zone information from the EC2 API. 
The Region is\n+#    treated as the datacenter, and the Availability Zone as the rack.\n+#    Only private IPs are used, so this will not work across multiple\n+#    Regions.\n+#\n+# Ec2MultiRegionSnitch:\n+#    Uses public IPs as broadcast_address to allow cross-region\n+#    connectivity.  (Thus, you should set seed addresses to the public\n+#    IP as well.) You will need to open the storage_port or\n+#    ssl_storage_port on the public IP firewall.  (For intra-Region\n+#    traffic, Cassandra will switch to the private IP after\n+#    establishing a connection.)\n+#\n+# RackInferringSnitch:\n+#    Proximity is determined by rack and data center, which are\n+#    assumed to correspond to the 3rd and 2nd octet of each node's IP\n+#    address, respectively.  Unless this happens to match your\n+#    deployment conventions, this is best used as an example of\n+#    writing a custom Snitch class and is provided in that spirit.\n+#\n+# You can use a custom Snitch by setting this to the full class name\n+# of the snitch, which will be assumed to be on your classpath.\n+endpoint_snitch: GossipingPropertyFileSnitch\n+\n+# controls how often to perform the more expensive part of host score\n+# calculation\n+# Min unit: ms\n+dynamic_snitch_update_interval: 100ms\n+# controls how often to reset all host scores, allowing a bad host to\n+# possibly recover\n+# Min unit: ms\n+dynamic_snitch_reset_interval: 600000ms\n+# if set greater than zero, this will allow\n+# 'pinning' of replicas to hosts in order to increase cache capacity.\n+# The badness threshold will control how much worse the pinned host has to be\n+# before the dynamic snitch will prefer other replicas over it.  This is\n+# expressed as a double which represents a percentage.  
Thus, a value of\n+# 0.2 means Cassandra would continue to prefer the static snitch values\n+# until the pinned host was 20% worse than the fastest.\n+dynamic_snitch_badness_threshold: 1.0\n+\n+# Configure server-to-server internode encryption\n+#\n+# JVM and netty defaults for supported SSL socket protocols and cipher suites can\n+# be replaced using custom encryption options. This is not recommended\n+# unless you have policies in place that dictate certain settings, or\n+# need to disable vulnerable ciphers or protocols in case the JVM cannot\n+# be updated.\n+#\n+# FIPS compliant settings can be configured at JVM level and should not\n+# involve changing encryption settings here:\n+# https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html\n+#\n+# **NOTE** this default configuration is an insecure configuration. If you need to\n+# enable server-to-server encryption generate server keystores (and truststores for mutual\n+# authentication) per:\n+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore\n+# Then perform the following configuration changes:\n+#\n+# Step 1: Set internode_encryption=<dc|rack|all> and explicitly set optional=true. Restart all nodes\n+#\n+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual\n+# auth set require_client_auth=true. 
Restart all nodes\n+server_encryption_options:\n+  # On outbound connections, determine which type of peers to securely connect to.\n+  #   The available options are :\n+  #     none : Do not encrypt outgoing connections\n+  #     dc   : Encrypt connections to peers in other datacenters but not within datacenters\n+  #     rack : Encrypt connections to peers in other racks but not within racks\n+  #     all  : Always use encrypted connections\n+  internode_encryption: all\n+  # When set to true, encrypted and unencrypted connections are allowed on the storage_port\n+  # This should _only be true_ while in unencrypted or transitional operation\n+  # optional defaults to true if internode_encryption is none\n+  optional: false\n+  # If enabled, will open up an encrypted listening socket on ssl_storage_port. Should only be used\n+  # during upgrade to 4.0; otherwise, set to false.\n+  legacy_ssl_storage_port_enabled: false\n+  # Set to a valid keystore if internode_encryption is dc, rack or all\n+  keystore: /etc/cassandra-a/tls/server.key\n+  keystore_password: test\n+  # Verify peer server certificates\n+  require_client_auth: false\n+  # Set to a valid trustore if require_client_auth is true\n+  truststore: /etc/ssl/localcerts/wmf-java-cacerts\n+  truststore_password: changeit\n+  # Verify that the host name in the certificate matches the connected host\n+  require_endpoint_verification: false\n+  # More advanced defaults:\n+  # protocol: TLS\n+  # store_type: JKS\n+  # cipher_suites: [\n+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_RSA_WITH_AES_256_CBC_SHA\n+  # ]\n+\n+# Configure client-to-server encryption.\n+#\n+# **NOTE** this default configuration is an insecure configuration. 
If you need to\n+# enable client-to-server encryption generate server keystores (and truststores for mutual\n+# authentication) per:\n+# http://download.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore\n+# Then perform the following configuration changes:\n+#\n+# Step 1: Set enabled=true and explicitly set optional=true. Restart all nodes\n+#\n+# Step 2: Set optional=false (or remove it) and if you generated truststores and want to use mutual\n+# auth set require_client_auth=true. Restart all nodes\n+client_encryption_options:\n+  # Enable client-to-server encryption\n+  enabled: true\n+  # When set to true, encrypted and unencrypted connections are allowed on the native_transport_port\n+  # This should _only be true_ while in unencrypted or transitional operation\n+  # optional defaults to true when enabled is false, and false when enabled is true.\n+  optional: true\n+  # Set keystore and keystore_password to valid keystores if enabled is true\n+  keystore: /etc/cassandra-a/tls/server.key\n+  keystore_password: test\n+  # Verify client certificates\n+  require_client_auth: false\n+  # Set trustore and truststore_password if require_client_auth is true\n+  # truststore: /etc/cassandra-a/tls/client.trust\n+  # truststore_password: placeholder\n+  # More advanced defaults:\n+  # protocol: TLS\n+  # store_type: JKS\n+  # cipher_suites: [\n+  #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n+  #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,\n+  #   TLS_RSA_WITH_AES_256_CBC_SHA\n+  # ]\n+\n+# internode_compression controls whether traffic between nodes is\n+# compressed.\n+# Can be:\n+#\n+# all\n+#   all traffic is compressed\n+#\n+# dc\n+#   traffic between different datacenters is compressed\n+#\n+# none\n+#   nothing is 
compressed.\n+internode_compression: all\n+\n+# Enable or disable tcp_nodelay for inter-dc communication.\n+# Disabling it will result in larger (but fewer) network packets being sent,\n+# reducing overhead from the TCP protocol itself, at the cost of increasing\n+# latency if you block for cross-datacenter responses.\n+inter_dc_tcp_nodelay: false\n+\n+# TTL for different trace types used during logging of the repair process.\n+# Min unit: s\n+trace_type_query_ttl: 1d\n+# Min unit: s\n+trace_type_repair_ttl: 7d\n+\n+# If unset, all GC Pauses greater than gc_log_threshold will log at\n+# INFO level\n+# UDFs (user defined functions) are disabled by default.\n+# As of Cassandra 3.0 there is a sandbox in place that should prevent execution of evil code.\n+user_defined_functions_enabled: false\n+\n+# Enables scripted UDFs (JavaScript UDFs).\n+# Java UDFs are always enabled, if user_defined_functions_enabled is true.\n+# Enable this option to be able to use UDFs with \"language javascript\" or any custom JSR-223 provider.\n+# This option has no effect, if user_defined_functions_enabled is false.\n+scripted_user_defined_functions_enabled: false\n+\n+# Enables encrypting data at-rest (on disk). Different key providers can be plugged in, but the default reads from\n+# a JCE-style keystore. A single keystore can hold multiple keys, but the one referenced by\n+# the \"key_alias\" is the only key that will be used for encrypt opertaions; previously used keys\n+# can still (and should!) 
be in the keystore and will be used on decrypt operations\n+# (to handle the case of key rotation).\n+#\n+# It is strongly recommended to download and install Java Cryptography Extension (JCE)\n+# Unlimited Strength Jurisdiction Policy Files for your version of the JDK.\n+# (current link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)\n+#\n+# Currently, only the following file types are supported for transparent data encryption, although\n+# more are coming in future cassandra releases: commitlog, hints\n+transparent_data_encryption_options:\n+  enabled: false\n+  chunk_length_kb: 64\n+  cipher: AES/CBC/PKCS5Padding\n+  key_alias: testing:1\n+  # CBC IV length for AES needs to be 16 bytes (which is also the default size)\n+  # iv_length: 16\n+  key_provider:\n+    - class_name: org.apache.cassandra.security.JKSKeyProvider\n+      parameters:\n+        - keystore: conf/.keystore\n+          keystore_password: cassandra\n+          store_type: JCEKS\n+          key_password: cassandra\n+\n+\n+#####################\n+# SAFETY THRESHOLDS #\n+#####################\n+\n+# When executing a scan, within or across a partition, we need to keep the\n+# tombstones seen in memory so we can return them to the coordinator, which\n+# will use them to make sure other replicas also know about the deleted rows.\n+# With workloads that generate a lot of tombstones, this can cause performance\n+# problems and even exaust the server heap.\n+# (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets)\n+# Adjust the thresholds here if you understand the dangers and want to\n+# scan more tombstones anyway.  
These thresholds may also be adjusted at runtime\n+# using the StorageService mbean.\n+tombstone_warn_threshold: 1000\n+tombstone_failure_threshold: 100000\n+\n+# Filtering and secondary index queries at read consistency levels above ONE/LOCAL_ONE use a\n+# mechanism called replica filtering protection to ensure that results from stale replicas do\n+# not violate consistency. (See CASSANDRA-8272 and CASSANDRA-15907 for more details.) This\n+# mechanism materializes replica results by partition on-heap at the coordinator. The more possibly\n+# stale results returned by the replicas, the more rows materialized during the query.\n+replica_filtering_protection:\n+    # These thresholds exist to limit the damage severely out-of-date replicas can cause during these\n+    # queries. They limit the number of rows from all replicas individual index and filtering queries\n+    # can materialize on-heap to return correct results at the desired read consistency level.\n+    #\n+    # \"cached_replica_rows_warn_threshold\" is the per-query threshold at which a warning will be logged.\n+    # \"cached_replica_rows_fail_threshold\" is the per-query threshold at which the query will fail.\n+    #\n+    # These thresholds may also be adjusted at runtime using the StorageService mbean.\n+    #\n+    # If the failure threshold is breached, it is likely that either the current page/fetch size\n+    # is too large or one or more replicas is severely out-of-sync and in need of repair.\n+    cached_rows_warn_threshold: 2000\n+    cached_rows_fail_threshold: 32000\n+\n+# Log WARN on any multiple-partition batch size exceeding this value. 5KiB per batch by default.\n+# Caution should be taken on increasing the size of this threshold as it can lead to node instability.\n+# Min unit: KiB\n+batch_size_warn_threshold: 5KiB\n+\n+# Fail any multiple-partition batch exceeding this value. 
50KiB (10x warn threshold) by default.\n+# Min unit: KiB\n+batch_size_fail_threshold: 50KiB\n+\n+# Log WARN on any batches not of type LOGGED than span across more partitions than this limit\n+unlogged_batch_across_partitions_warn_threshold: 10\n+\n+# Log a warning when compacting partitions larger than this value\n+compaction_large_partition_warning_threshold: 100MiB\n+\n+# Log a warning when writing more tombstones than this value to a partition\n+compaction_tombstone_warning_threshold: 100000\n+\n+# GC Pauses greater than 200 ms will be logged at INFO level\n+# This threshold can be adjusted to minimize logging if necessary\n+# Min unit: ms\n+# gc_log_threshold: 200ms\n+\n+# GC Pauses greater than gc_warn_threshold will be logged at WARN level\n+# Adjust the threshold based on your application throughput requirement. Setting to 0\n+# will deactivate the feature.\n+# Min unit: ms\n+# gc_warn_threshold: 1000ms\n+\n+# Maximum size of any value in SSTables. Safety measure to detect SSTable corruption\n+# early. Any value size larger than this threshold will result into marking an SSTable\n+# as corrupted. 
This should be positive and less than 2GiB.\n+# Min unit: MiB\n+# max_value_size: 256MiB\n+\n+# ** Impact on keyspace creation **\n+# If replication factor is not mentioned as part of keyspace creation, default_keyspace_rf would apply.\n+# Changing this configuration would only take effect for keyspaces created after the change, but does not impact\n+# existing keyspaces created prior to the change.\n+# ** Impact on keyspace alter **\n+# When altering a keyspace from NetworkTopologyStrategy to SimpleStrategy, default_keyspace_rf is applied if rf is not\n+# explicitly mentioned.\n+# ** Impact on system keyspaces **\n+# This would also apply for any system keyspaces that need replication factor.\n+# A further note about system keyspaces - system_traces and system_distributed keyspaces take RF of 2 or default,\n+# whichever is higher, and system_auth keyspace takes RF of 1 or default, whichever is higher.\n+# Suggested value for use in production: 3\n+# default_keyspace_rf: 1\n+\n+# Track a metric per keyspace indicating whether replication achieved the ideal consistency\n+# level for writes without timing out. This is different from the consistency level requested by\n+# each write which may be lower in order to facilitate availability.\n+# ideal_consistency_level: EACH_QUORUM\n+\n+# Automatically upgrade sstables after upgrade - if there is no ordinary compaction to do, the\n+# oldest non-upgraded sstable will get upgraded to the latest version\n+# automatic_sstable_upgrade: false\n+# Limit the number of concurrent sstable upgrades\n+# max_concurrent_automatic_sstable_upgrades: 1\n+\n+# Audit logging - Logs every incoming CQL command request, authentication to a node. 
See the docs\n+# on audit_logging for full details about the various configuration options.\n+audit_logging_options:\n+  enabled: false\n+  logger:\n+    - class_name: BinAuditLogger\n+  # audit_logs_dir:\n+  # included_keyspaces:\n+  # excluded_keyspaces: system, system_schema, system_virtual_schema\n+  # included_categories:\n+  # excluded_categories:\n+  # included_users:\n+  # excluded_users:\n+  # roll_cycle: HOURLY\n+  # block: true\n+  # max_queue_weight: 268435456 # 256 MiB\n+  # max_log_size: 17179869184 # 16 GiB\n+  ## archive command is \"/path/to/script.sh %path\" where %path is replaced with the file being rolled:\n+  # archive_command:\n+  # max_archive_retries: 10\n+\n+\n+# default options for full query logging - these can be overridden from command line when executing\n+# nodetool enablefullquerylog\n+# full_query_logging_options:\n+  # log_dir:\n+  # roll_cycle: HOURLY\n+  # block: true\n+  # max_queue_weight: 268435456 # 256 MiB\n+  # max_log_size: 17179869184 # 16 GiB\n+  ## archive command is \"/path/to/script.sh %path\" where %path is replaced with the file being rolled:\n+  # archive_command:\n+  ## note that enabling this allows anyone with JMX/nodetool access to run local shell commands as the user running cassandra\n+  # allow_nodetool_archive_command: false\n+  # max_archive_retries: 10\n+\n+# validate tombstones on reads and compaction\n+# can be either \"disabled\", \"warn\" or \"exception\"\n+# corrupted_tombstone_strategy: disabled\n+\n+# Diagnostic Events #\n+# If enabled, diagnostic events can be helpful for troubleshooting operational issues. Emitted events contain details\n+# on internal state and temporal relationships across events, accessible by clients via JMX.\n+diagnostic_events_enabled: false\n+\n+# Use native transport TCP message coalescing. 
If on upgrade to 4.0 you found your throughput decreasing, and in\n+# particular you run an old kernel or have very fewer client connections, this option might be worth evaluating.\n+#native_transport_flush_in_batches_legacy: false\n+\n+# Enable tracking of repaired state of data during reads and comparison between replicas\n+# Mismatches between the repaired sets of replicas can be characterized as either confirmed\n+# or unconfirmed. In this context, unconfirmed indicates that the presence of pending repair\n+# sessions, unrepaired partition tombstones, or some other condition means that the disparity\n+# cannot be considered conclusive. Confirmed mismatches should be a trigger for investigation\n+# as they may be indicative of corruption or data loss.\n+# There are separate flags for range vs partition reads as single partition reads are only tracked\n+# when CL > 1 and a digest mismatch occurs. Currently, range queries don't use digests so if\n+# enabled for range reads, all range reads will include repaired data tracking. As this adds\n+# some overhead, operators may wish to disable it whilst still enabling it for partition reads\n+repaired_data_tracking_for_range_reads_enabled: false\n+repaired_data_tracking_for_partition_reads_enabled: false\n+# If false, only confirmed mismatches will be reported. If true, a separate metric for unconfirmed\n+# mismatches will also be recorded. This is to avoid potential signal:noise issues are unconfirmed\n+# mismatches are less actionable than confirmed ones.\n+report_unconfirmed_repaired_data_mismatches: false\n+\n+# Having many tables and/or keyspaces negatively affects performance of many operations in the\n+# cluster. 
When the number of tables/keyspaces in the cluster exceeds the following thresholds\n+# a client warning will be sent back to the user when creating a table or keyspace.\n+# As of cassandra 4.1, these properties are deprecated in favor of keyspaces_warn_threshold and tables_warn_threshold\n+# table_count_warn_threshold: 150\n+# keyspace_count_warn_threshold: 40\n+\n+# configure the read and write consistency levels for modifications to auth tables\n+# auth_read_consistency_level: LOCAL_QUORUM\n+# auth_write_consistency_level: EACH_QUORUM\n+\n+# Delays on auth resolution can lead to a thundering herd problem on reconnects; this option will enable\n+# warming of auth caches prior to node completing startup. See CASSANDRA-16958\n+# auth_cache_warming_enabled: false\n+\n+#########################\n+# EXPERIMENTAL FEATURES #\n+#########################\n+\n+# Enables materialized view creation on this node.\n+# Materialized views are considered experimental and are not recommended for production use.\n+materialized_views_enabled: false\n+\n+# Enables SASI index creation on this node.\n+# SASI indexes are considered experimental and are not recommended for production use.\n+sasi_indexes_enabled: false\n+\n+# Enables creation of transiently replicated keyspaces on this node.\n+# Transient replication is experimental and is not recommended for production use.\n+transient_replication_enabled: false\n+\n+# Enables the used of 'ALTER ... DROP COMPACT STORAGE' statements on this node.\n+# 'ALTER ... DROP COMPACT STORAGE' is considered experimental and is not recommended for production use.\n+drop_compact_storage_enabled: false\n+\n+# Whether or not USE <keyspace> is allowed. 
This is enabled by default to avoid failure on upgrade.\n+#use_statements_enabled: true\n+\n+# When the client triggers a protocol exception or unknown issue (Cassandra bug) we increment\n+# a client metric showing this; this logic will exclude specific subnets from updating these\n+# metrics\n+#client_error_reporting_exclusions:\n+#  subnets:\n+#    - 127.0.0.1\n+#    - 127.0.0.0/31\n+\n+# Enables read thresholds (warn/fail) across all replicas for reporting back to the client.\n+# See: CASSANDRA-16850\n+# read_thresholds_enabled: false # scheduled to be set true in 4.2\n+# When read_thresholds_enabled: true, this tracks the materialized size of a query on the\n+# coordinator. If coordinator_read_size_warn_threshold is defined, this will emit a warning\n+# to clients with details on what query triggered this as well as the size of the result set; if\n+# coordinator_read_size_fail_threshold is defined, this will fail the query after it\n+# has exceeded this threshold, returning a read error to the user.\n+# coordinator_read_size_warn_threshold:\n+# coordinator_read_size_fail_threshold:\n+# When read_thresholds_enabled: true, this tracks the size of the local read (as defined by\n+# heap size), and will warn/fail based off these thresholds; undefined disables these checks.\n+# local_read_size_warn_threshold:\n+# local_read_size_fail_threshold:\n+# When read_thresholds_enabled: true, this tracks the expected memory size of the RowIndexEntry\n+# and will warn/fail based off these thresholds; undefined disables these checks\n+# row_index_read_size_warn_threshold:\n+# row_index_read_size_fail_threshold:\n+\n+# Guardrail to warn or fail when creating more user keyspaces than threshold.\n+# The two thresholds default to -1 to disable.\n+# keyspaces_warn_threshold: -1\n+# keyspaces_fail_threshold: -1\n+# Guardrail to warn or fail when creating more user tables than threshold.\n+# The two thresholds default to -1 to disable.\n+# tables_warn_threshold: -1\n+# 
tables_fail_threshold: -1\n+# Guardrail to enable or disable the ability to create uncompressed tables\n+# uncompressed_tables_enabled: true\n+# Guardrail to warn or fail when creating/altering a table with more columns per table than threshold.\n+# The two thresholds default to -1 to disable.\n+# columns_per_table_warn_threshold: -1\n+# columns_per_table_fail_threshold: -1\n+# Guardrail to warn or fail when creating more secondary indexes per table than threshold.\n+# The two thresholds default to -1 to disable.\n+# secondary_indexes_per_table_warn_threshold: -1\n+# secondary_indexes_per_table_fail_threshold: -1\n+# Guardrail to enable or disable the creation of secondary indexes\n+# secondary_indexes_enabled: true\n+# Guardrail to warn or fail when creating more materialized views per table than threshold.\n+# The two thresholds default to -1 to disable.\n+# materialized_views_per_table_warn_threshold: -1\n+# materialized_views_per_table_fail_threshold: -1\n+# Guardrail to warn about, ignore or reject properties when creating tables. By default all properties are allowed.\n+# table_properties_warned: []\n+# table_properties_ignored: []\n+# table_properties_disallowed: []\n+# Guardrail to allow/disallow user-provided timestamps. Defaults to true.\n+# user_timestamps_enabled: true\n+# Guardrail to allow/disallow GROUP BY functionality.\n+# group_by_enabled: true\n+# Guardrail to allow/disallow TRUNCATE and DROP TABLE statements\n+# drop_truncate_table_enabled: true\n+# Guardrail to warn or fail when using a page size greater than threshold.\n+# The two thresholds default to -1 to disable.\n+# page_size_warn_threshold: -1\n+# page_size_fail_threshold: -1\n+# Guardrail to allow/disallow list operations that require read before write, i.e. setting list element by index and\n+# removing list elements by either index or value. 
Defaults to true.\n+# read_before_write_list_operations_enabled: true\n+# Guardrail to warn or fail when querying with an IN restriction selecting more partition keys than threshold.\n+# The two thresholds default to -1 to disable.\n+# partition_keys_in_select_warn_threshold: -1\n+# partition_keys_in_select_fail_threshold: -1\n+# Guardrail to warn or fail when an IN query creates a cartesian product with a size exceeding threshold,\n+# eg. \"a in (1,2,...10) and b in (1,2...10)\" results in cartesian product of 100.\n+# The two thresholds default to -1 to disable.\n+# in_select_cartesian_product_warn_threshold: -1\n+# in_select_cartesian_product_fail_threshold: -1\n+# Guardrail to warn about or reject read consistency levels. By default, all consistency levels are allowed.\n+# read_consistency_levels_warned: []\n+# read_consistency_levels_disallowed: []\n+# Guardrail to warn about or reject write consistency levels. By default, all consistency levels are allowed.\n+# write_consistency_levels_warned: []\n+# write_consistency_levels_disallowed: []\n+# Guardrail to warn or fail when encountering larger size of collection data than threshold.\n+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case\n+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to\n+# prevent read-before-write. 
The guardrail is also checked at sstable write time to detect large non-frozen collections,\n+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.\n+# The two thresholds default to null to disable.\n+# Min unit: B\n+# collection_size_warn_threshold:\n+# Min unit: B\n+# collection_size_fail_threshold:\n+# Guardrail to warn or fail when encountering more elements in collection than threshold.\n+# At query time this guardrail is applied only to the collection fragment that is being writen, even though in the case\n+# of non-frozen collections there could be unaccounted parts of the collection on the sstables. This is done this way to\n+# prevent read-before-write. The guardrail is also checked at sstable write time to detect large non-frozen collections,\n+# although in that case exceeding the fail threshold will only log an error message, without interrupting the operation.\n+# The two thresholds default to -1 to disable.\n+# items_per_collection_warn_threshold: -1\n+# items_per_collection_fail_threshold: -1\n+# Guardrail to allow/disallow querying with ALLOW FILTERING. Defaults to true.\n+# allow_filtering_enabled: true\n+# Guardrail to warn or fail when creating a user-defined-type with more fields in than threshold.\n+# Default -1 to disable.\n+# fields_per_udt_warn_threshold: -1\n+# fields_per_udt_fail_threshold: -1\n+# Guardrail to warn or fail when local data disk usage percentage exceeds threshold. Valid values are in [1, 100].\n+# This is only used for the disks storing data directories, so it won't count any separate disks used for storing\n+# the commitlog, hints nor saved caches. The disk usage is the ratio between the amount of space used by the data\n+# directories and the addition of that same space and the remaining free space on disk. 
The main purpose of this\n+# guardrail is rejecting user writes when the disks are over the defined usage percentage, so the writes done by\n+# background processes such as compaction and streaming don't fail due to a full disk. The limits should be defined\n+# accordingly to the expected data growth due to those background processes, so for example a compaction strategy\n+# doubling the size of the data would require to keep the disk usage under 50%.\n+# The two thresholds default to -1 to disable.\n+# data_disk_usage_percentage_warn_threshold: -1\n+# data_disk_usage_percentage_fail_threshold: -1\n+# Allows defining the max disk size of the data directories when calculating thresholds for\n+# disk_usage_percentage_warn_threshold and disk_usage_percentage_fail_threshold, so if this is greater than zero they\n+# become percentages of a fixed size on disk instead of percentages of the physically available disk size. This should\n+# be useful when we have a large disk and we only want to use a part of it for Cassandra's data directories.\n+# Valid values are in [1, max available disk size of all data directories].\n+# Defaults to null to disable and use the physically available disk size of data directories during calculations.\n+# Min unit: B\n+# data_disk_usage_max_disk_size:\n+# Guardrail to warn or fail when the minimum replication factor is lesser than threshold.\n+# This would also apply to system keyspaces.\n+# Suggested value for use in production: 2 or higher\n+# minimum_replication_factor_warn_threshold: -1\n+# minimum_replication_factor_fail_threshold: -1\n+\n+# Startup Checks are executed as part of Cassandra startup process, not all of them\n+# are configurable (so you can disable them) but these which are enumerated bellow.\n+# Uncomment the startup checks and configure them appropriately to cover your needs.\n+#\n+#startup_checks:\n+# Verifies correct ownership of attached locations on disk at startup. 
See CASSANDRA-16879 for more details.\n+#  check_filesystem_ownership:\n+#    enabled: false\n+#    ownership_token: \"sometoken\" # (overriden by \"CassandraOwnershipToken\" system property)\n+#    ownership_filename: \".cassandra_fs_ownership\" # (overriden by \"cassandra.fs_ownership_filename\")\n+# Prevents a node from starting if snitch's data center differs from previous data center.\n+#  check_dc:\n+#    enabled: true # (overriden by cassandra.ignore_dc system property)\n+# Prevents a node from starting if snitch's rack differs from previous rack.\n+#  check_rack:\n+#    enabled: true # (overriden by cassandra.ignore_rack system property)\n+# Enable this property to fail startup if the node is down for longer than gc_grace_seconds, to potentially\n+# prevent data resurrection on tables with deletes. By default, this will run against all keyspaces and tables\n+# except the ones specified on excluded_keyspaces and excluded_tables.\n+#  check_data_resurrection:\n+#    enabled: false\n+# file where Cassandra periodically writes the last time it was known to run\n+#    heartbeat_file: /var/lib/cassandra/data/cassandra-heartbeat\n+#    excluded_keyspaces: # comma separated list of keyspaces to exclude from the check\n+#    excluded_tables: # comma separated list of keyspace.table pairs to exclude from the check", "parameters": "--- File[/etc/cassandra-a/cassandra.yaml].orig\n+++ File[/etc/cassandra-a/cassandra.yaml]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-b/saved_caches]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-b/saved_caches].orig\n+++ Exec[install-/srv/cassandra/cassandra-b/saved_caches]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-b/saved_caches\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-b/saved_caches\n+    before  => Systemd::Service[cassandra-b]\n"}, 
{"resource": "Ferm::Service[cassandra-cql]", "parameters": "--- Ferm::Service[cassandra-cql].orig\n+++ Ferm::Service[cassandra-cql]\n\n+    desc    => \n+    prio    => 10\n+    srange  => (@resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)) 10.67.128.0/17 2620:0:861:cabe::/64 10.64.64.0/21 2620:0:861:babe::/64 10.192.64.0/21 2620:0:860:babe::/64 10.194.128.0/17 
2620:0:860:cabe::/64 10.67.16.0/21 2620:0:861:300::/64 10.194.16.0/21 2620:0:860:300::/64 10.194.61.0/24 2620:0:860:302::/64)\n+    port    => 9042\n+    ensure  => present\n+    notrack => False\n+    proto   => tcp\n"}, {"resource": "Java::Cacert[wmf:puppetca.pem]", "parameters": "--- Java::Cacert[wmf:puppetca.pem].orig\n+++ Java::Cacert[wmf:puppetca.pem]\n\n+    path      => /etc/ssl/certs/Puppet_Internal_CA.pem\n+    group     => root\n+    storepass => changeit\n+    require   => Alternatives::Java[11]\n+    ensure    => present\n+    owner     => root\n"}, {"resource": "Prometheus::Jmx_exporter_instance[aqs1024-a]", "parameters": "--- Prometheus::Jmx_exporter_instance[aqs1024-a].orig\n+++ Prometheus::Jmx_exporter_instance[aqs1024-a]\n\n+    labels   => {}\n+    port     => 7800\n+    hostname => aqs1024-a\n"}, {"resource": "Interface::Ip[cassandra-b ipv4]", "parameters": "--- Interface::Ip[cassandra-b ipv4].orig\n+++ Interface::Ip[cassandra-b ipv4]\n\n+    ensure    => present\n+    address   => 10.64.156.21\n+    prefixlen => 32\n+    interface => ens8f0np0\n"}, {"resource": "File[/etc/cassandra-b/tls]", "parameters": "--- File[/etc/cassandra-b/tls].orig\n+++ File[/etc/cassandra-b/tls]\n\n+    group   => cassandra\n+    mode    => 0400\n+    ensure  => directory\n+    recurse => True\n+    owner   => cassandra\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]\n\n+    notes_url              => https://wikitech.wikimedia.org/wiki/Cassandra#Installing_and_generating_certificates\n+    host_name              => aqs1024\n+    active_checks_enabled  => 1\n+    check_interval         => 1\n+    check_freshness        => 0\n+    notifications_enabled  => 1\n+    ensure                 => absent\n+    notification_interval  => 0\n+    max_check_attempts     => 3\n+    contact_groups      
   => admins,team-services\n+    check_period           => 24x7\n+    service_description    => cassandra-b SSL 10.64.156.21:7000\n+    passive_checks_enabled => 1\n+    check_command          => check_ssl_on_host_port!aqs1024-b!10.64.156.21!7000\n+    notification_options   => c,r,f\n+    retry_interval         => 1\n+    servicegroups          => aqs_eqiad\n+    notification_period    => 24x7\n+    is_volatile            => 0\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 raid_md].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 raid_md]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}, {"resource": "Monitoring::Service[cassandra-a-cql]", "parameters": "--- Monitoring::Service[cassandra-a-cql].orig\n+++ Monitoring::Service[cassandra-a-cql]\n\n+    critical       => False\n+    notes_url      => https://phabricator.wikimedia.org/T93886\n+    check_command  => check_tcp_ip!10.64.156.18!9042\n+    host           => aqs1024\n+    retry_interval => 1\n+    config_dir     => /etc/nagios\n+    description    => cassandra-a CQL 10.64.156.18:9042\n+    check_interval => 1\n+    migration_task => T407117\n+    ensure         => absent\n+    freshness      => 36000\n+    retries        => 3\n+    contact_group  => admins,team-services\n+    passive        => False\n"}, {"resource": "File[/etc/update-motd.d/05-aqs]", "content": "--- /etc/update-motd.d/05-aqs.orig\n+++ /etc/update-motd.d/05-aqs\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"aqs1024 is a Analytics Query Service - Cassandra instance (aqs)\"", "parameters": "--- File[/etc/update-motd.d/05-aqs].orig\n+++ File[/etc/update-motd.d/05-aqs]\n\n+    group  => root\n+    mode   => 0555\n+    ensure => present\n+    owner  => root\n"}, {"resource": 
"Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]\n\n+    common_name => aqs1024-b.eqiad.wmnet\n+    names       => []\n+    ensure      => present\n+    hosts       => ['cassandra', 'aqs1024.eqiad.wmnet']\n+    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 
'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 
'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 
'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 
'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[cassandra-tools-wmf]', 'Package[jvm-tools]', 'Package[cassandra-tools]', 'Package[libjemalloc2]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[openjdk-11-jdk]', 'Package[cassandra]', 'Package[prometheus-jmx-exporter]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]']\n"}, {"resource": "File[/etc/cassandra-a/tls/server.key]", "parameters": "--- File[/etc/cassandra-a/tls/server.key].orig\n+++ File[/etc/cassandra-a/tls/server.key]\n\n+    group  => cassandra\n+    mode   => 0440\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Sudo::User[scap_deploy-service]", "parameters": "--- Sudo::User[scap_deploy-service].orig\n+++ Sudo::User[scap_deploy-service]\n\n+    require    => ['Class[Sudo]']\n+    user       => deploy-service\n+    privileges => ['ALL=(deploy-service) NOPASSWD: ALL']\n+    ensure     => present\n"}, {"resource": "File[/usr/local/bin/bootstrap-scap-target.sh]", "parameters": "--- File[/usr/local/bin/bootstrap-scap-target.sh].orig\n+++ File[/usr/local/bin/bootstrap-scap-target.sh]\n\n+    source => puppet:///modules/scap/bootstrap-scap-target.sh\n+    group  => root\n+    mode   => 0755\n+    owner  => root\n"}, {"resource": "Class[Profile::Rsyslog::Udp_localhost_compat]", "parameters": "--- Class[Profile::Rsyslog::Udp_localhost_compat].orig\n+++ Class[Profile::Rsyslog::Udp_localhost_compat]\n\n+    queue_enabled_sites   => ['ulsfo', 'esams', 'eqsin', 'eqiad', 'codfw', 'drmrs', 'magru']\n+    logging_kafka_brokers => ['kafka-logging1001.eqiad.wmnet:9093', 'kafka-logging1002.eqiad.wmnet:9093', 'kafka-logging1003.eqiad.wmnet:9093', 'kafka-logging1004.eqiad.wmnet:9093', 
'kafka-logging1005.eqiad.wmnet:9093']\n+    port                  => 10514\n"}, {"resource": "File[/etc/cassandra-b/credentials]", "content": "--- /etc/cassandra-b/credentials.orig\n+++ /etc/cassandra-b/credentials\n@@ -0,0 +1,36 @@\n+; SPDX-License-Identifier: Apache-2.0\n+; Licensed to the Apache Software Foundation (ASF) under one\n+; or more contributor license agreements.  See the NOTICE file\n+; distributed with this work for additional information\n+; regarding copyright ownership.  The ASF licenses this file\n+; to you under the Apache License, Version 2.0 (the\n+; \"License\"); you may not use this file except in compliance\n+; with the License.  You may obtain a copy of the License at\n+;\n+;   http://www.apache.org/licenses/LICENSE-2.0\n+;\n+; Unless required by applicable law or agreed to in writing,\n+; software distributed under the License is distributed on an\n+; \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\n+; KIND, either express or implied.  See the License for the\n+; specific language governing permissions and limitations\n+; under the License.\n+;\n+; Sample ~/.cassandra/credentials file.\n+;\n+; The section name must match the classname from the cqlshrc file\n+; For example, if cqlshrc contains settings\n+;\n+; [auth_provider]\n+; module = cassandra.auth\n+; classname = PlainTextAuthProvider\n+;\n+; then the credentials file should contain a [PlainTextAuthProvider] section with the username and password parameters, as indicated in this example.\n+;\n+; For backward compatibility, it is also possible to specify [plain_text_auth] as a header.\n+;\n+; Please ensure this file is owned by the user and is not readable by group and other users.\n+\n+[PlainTextAuthProvider]\n+username = cassandra\n+password = nosuchpass", "parameters": "--- File[/etc/cassandra-b/credentials].orig\n+++ File[/etc/cassandra-b/credentials]\n\n+    group => root\n+    mode  => 0400\n+    owner => root\n"}, {"resource": 
"File[/etc/cassandra-a/user_aqsloader.cql]", "content": "--- /etc/cassandra-a/user_aqsloader.cql.orig\n+++ /etc/cassandra-a/user_aqsloader.cql\n@@ -0,0 +1,27 @@\n+-- SPDX-License-Identifier: Apache-2.0\n+\n+CREATE USER IF NOT EXISTS aqsloader WITH PASSWORD 'yadayadayada';\n+\n+GRANT MODIFY ON KEYSPACE aqs TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_editors_bycountry\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_knowledge_gap_by_category\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_lgc_pagecounts_per_project\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_mediarequest_per_file\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_mediarequest_per_referer\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_mediarequest_top_files\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_pageviews_per_article_flat\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_pageviews_per_project_v2\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_top_bycountry\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_top_pageviews\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_top_percountry\" TO 'aqsloader';\n+GRANT MODIFY ON KEYSPACE \"local_group_default_T_unique_devices\" TO 'aqsloader';\n+\n+-- FIXME: image suggestions should *not* being using the aqsloader; This\n+-- was added as a break-fix (see: https://phabricator.wikimedia.org/T356400).\n+GRANT MODIFY ON KEYSPACE image_suggestions TO aqsloader;\n+\n+-- Commons Impact Metrics \u00e2\u0080\u0094 https://phabricator.wikimedia.org/T362697\n+GRANT MODIFY ON KEYSPACE commons TO aqsloader;\n+\n+-- New-style AQS tables\n+GRANT MODIFY ON KEYSPACE analytics TO aqsloader;", "parameters": "--- File[/etc/cassandra-a/user_aqsloader.cql].orig\n+++ File[/etc/cassandra-a/user_aqsloader.cql]\n\n+    require => Package[cassandra]\n+    
group   => root\n+    mode    => 0400\n+    owner   => root\n"}, {"resource": "Ssh::Userkey[deploy-service]", "parameters": "--- Ssh::Userkey[deploy-service].orig\n+++ Ssh::Userkey[deploy-service]\n\n+    user   => deploy-service\n+    ensure => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]\n\n+    common_name => aqs1024-a.eqiad.wmnet\n+    names       => []\n+    ensure      => present\n+    hosts       => ['cassandra', 'aqs1024.eqiad.wmnet']\n+    key         => {'algo': 'ecdsa', 'size': 256}\n"}, {"resource": "File[/etc/cassandra-a/jvm-server.options]", "content": "--- /etc/cassandra-a/jvm-server.options.orig\n+++ /etc/cassandra-a/jvm-server.options\n@@ -0,0 +1,220 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# Note:  This file is managed by Puppet.\n+#        It was taken from the Cassandra Debian package and templatized\n+#        here in order to assign configuration.\n+\n+#\n+# Licensed to the Apache Software Foundation (ASF) under one\n+# or more contributor license agreements.  See the NOTICE file\n+# distributed with this work for additional information\n+# regarding copyright ownership.  The ASF licenses this file\n+# to you under the Apache License, Version 2.0 (the\n+# \"License\"); you may not use this file except in compliance\n+# with the License.  
You may obtain a copy of the License at\n+#\n+#     http://www.apache.org/licenses/LICENSE-2.0\n+#\n+# Unless required by applicable law or agreed to in writing, software\n+# distributed under the License is distributed on an \"AS IS\" BASIS,\n+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n+# See the License for the specific language governing permissions and\n+# limitations under the License.\n+#\n+#\n+###########################################################################\n+#                         jvm-server.options                              #\n+#                                                                         #\n+# - all flags defined here will be used by cassandra to startup the JVM   #\n+# - one flag should be specified per line                                 #\n+# - lines that do not start with '-' will be ignored                      #\n+# - only static flags are accepted (no variables or parameters)           #\n+# - dynamic flags will be appended to these on cassandra-env              #\n+#                                                                         #\n+# See jvm8-server.options and jvm11-server.options for Java version       #\n+# specific options.                                                       #\n+###########################################################################\n+\n+######################\n+# STARTUP PARAMETERS #\n+######################\n+\n+# Uncomment any of the following properties to enable specific startup parameters\n+\n+# In a multi-instance deployment, multiple Cassandra instances will independently assume that all\n+# CPU processors are available to it. 
This setting allows you to specify a smaller set of processors\n+# and perhaps have affinity.\n+#-Dcassandra.available_processors=number_of_processors\n+\n+# The directory location of the cassandra.yaml file.\n+#-Dcassandra.config=directory\n+\n+# Sets the initial partitioner token for a node the first time the node is started.\n+#-Dcassandra.initial_token=token\n+\n+# Set to false to start Cassandra on a node but not have the node join the cluster.\n+#-Dcassandra.join_ring=true|false\n+\n+# Set to false to clear all gossip state for the node on restart. Use when you have changed node\n+# information in cassandra.yaml (such as listen_address).\n+#-Dcassandra.load_ring_state=true|false\n+\n+# Enable pluggable metrics reporter. See Pluggable metrics reporting in Cassandra 2.0.2.\n+#-Dcassandra.metricsReporterConfigFile=file\n+\n+# Set the port on which the CQL native transport listens for clients. (Default: 9042)\n+#-Dcassandra.native_transport_port=port\n+\n+# Overrides the partitioner. (Default: org.apache.cassandra.dht.Murmur3Partitioner)\n+#-Dcassandra.partitioner=partitioner\n+\n+# To replace a node that has died, restart a new node in its place specifying the address of the\n+# dead node. The new node must not have any data in its data directory, that is, it must be in the\n+# same state as before bootstrapping.\n+#-Dcassandra.replace_address=listen_address or broadcast_address of dead node\n+\n+# Allow restoring specific tables from an archived commit log.\n+#-Dcassandra.replayList=table\n+\n+# Allows overriding of the default RING_DELAY (30000ms), which is the amount of time a node waits\n+# before joining the ring.\n+#-Dcassandra.ring_delay_ms=ms\n+\n+# Allows overriding the timeout after which an unresponsive bootstrapping node is considered failed\n+# and is removed from gossip state and bootstrapTokens. (Default: cassandra.ring_delay * 2)\n+#-Dcassandra.failed_bootstrap_timeout_ms=ms\n+\n+# Set the SSL port for encrypted communication. 
(Default: 7001)\n+#-Dcassandra.ssl_storage_port=port\n+\n+# Set the port for inter-node communication. (Default: 7000)\n+#-Dcassandra.storage_port=port\n+\n+# Set the default location for the trigger JARs. (Default: conf/triggers)\n+#-Dcassandra.triggers_dir=directory\n+\n+# For testing new compaction and compression strategies. It allows you to experiment with different\n+# strategies and benchmark write performance differences without affecting the production workload. \n+#-Dcassandra.write_survey=true\n+\n+# To disable configuration via JMX of auth caches (such as those for credentials, permissions and\n+# roles). This will mean those config options can only be set (persistently) in cassandra.yaml\n+# and will require a restart for new values to take effect.\n+#-Dcassandra.disable_auth_caches_remote_configuration=true\n+\n+# To disable dynamic calculation of the page size used when indexing an entire partition (during\n+# initial index build/rebuild). If set to true, the page size will be fixed to the default of\n+# 10000 rows per page.\n+#-Dcassandra.force_default_indexing_page_size=true\n+\n+# Imposes an upper bound on hint lifetime below the normal min gc_grace_seconds\n+#-Dcassandra.maxHintTTL=max_hint_ttl_in_seconds\n+\n+########################\n+# GENERAL JVM SETTINGS #\n+########################\n+\n+# enable assertions. 
highly suggested for correct application functionality.\n+-ea\n+\n+# disable assertions for net.openhft.** because it runs out of memory by design\n+# if enabled and run for more than just brief testing\n+-da:net.openhft...\n+\n+# enable thread priorities, primarily so we can give periodic tasks\n+# a lower priority to avoid interfering with client workload\n+-XX:+UseThreadPriorities\n+\n+# Enable heap-dump if there's an OOM\n+-XX:+HeapDumpOnOutOfMemoryError\n+\n+# Per-thread stack size.\n+-Xss256k\n+\n+# Make sure all memory is faulted and zeroed on startup.\n+# This helps prevent soft faults in containers and makes\n+# transparent hugepage allocation more effective.\n+-XX:+AlwaysPreTouch\n+\n+# Disable biased locking as it does not benefit Cassandra.\n+-XX:-UseBiasedLocking\n+\n+# Enable thread-local allocation blocks and allow the JVM to automatically\n+# resize them at runtime.\n+-XX:+UseTLAB\n+-XX:+ResizeTLAB\n+-XX:+UseNUMA\n+\n+# http://www.evanjones.ca/jvm-mmap-pause.html\n+-XX:+PerfDisableSharedMem\n+\n+# Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). 
See\n+# http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:\n+# comment out this entry to enable IPv6 support).\n+-Djava.net.preferIPv4Stack=true\n+\n+### Debug options\n+\n+# uncomment to enable flight recorder\n+#-XX:+UnlockCommercialFeatures\n+#-XX:+FlightRecorder\n+\n+# uncomment to have Cassandra JVM listen for remote debuggers/profilers on port 1414\n+#-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1414\n+\n+# uncomment to have Cassandra JVM log internal method compilation (developers only)\n+#-XX:+UnlockDiagnosticVMOptions\n+#-XX:+LogCompilation\n+\n+#################\n+# HEAP SETTINGS #\n+#################\n+\n+# Heap size is automatically calculated by cassandra-env based on this\n+# formula: max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))\n+# That is:\n+# - calculate 1/2 ram and cap to 1024MB\n+# - calculate 1/4 ram and cap to 8192MB\n+# - pick the max\n+#\n+# For production use you may wish to adjust this for your environment.\n+# If that's the case, uncomment the -Xmx and Xms options below to override the\n+# automatic calculation of JVM heap memory.\n+#\n+# It is recommended to set min (-Xms) and max (-Xmx) heap sizes to\n+# the same value to avoid stop-the-world GC pauses during resize, and\n+# so that we can lock the heap in memory on startup to prevent any\n+# of it from being swapped out.\n+-Xms16g\n+-Xmx16g\n+\n+# Young generation size is automatically calculated by cassandra-env\n+# based on this formula: min(100 * num_cores, 1/4 * heap size)\n+#\n+# The main trade-off for the young generation is that the larger it\n+# is, the longer GC pause times will be. 
The shorter it is, the more\n+# expensive GC will be (usually).\n+#\n+# It is not recommended to set the young generation size if using the\n+# G1 GC, since that will override the target pause-time goal.\n+# More info: http://www.oracle.com/technetwork/articles/java/g1gc-1984535.html\n+#\n+# The example below assumes a modern 8-core+ machine for decent\n+# times. If in doubt, and if you do not particularly want to tweak, go\n+# 100 MB per physical CPU core.\n+#-Xmn800M\n+\n+###################################\n+# EXPIRATION DATE OVERFLOW POLICY #\n+###################################\n+\n+# Defines how to handle INSERT requests with TTL exceeding the maximum supported expiration date:\n+# * REJECT: this is the default policy and will reject any requests with expiration date timestamp after 2038-01-19T03:14:06+00:00.\n+# * CAP: any insert with TTL expiring after 2038-01-19T03:14:06+00:00 will expire on 2038-01-19T03:14:06+00:00 and the client will receive a warning.\n+# * CAP_NOWARN: same as previous, except that the client warning will not be emitted.\n+#\n+#-Dcassandra.expiration_date_overflow_policy=REJECT\n+\n+###################################\n+# WMF-specific customizations     #\n+###################################\n+-Dcassandra.instance-id=aqs1024-a", "parameters": "--- File[/etc/cassandra-a/jvm-server.options].orig\n+++ File[/etc/cassandra-a/jvm-server.options]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "File[/etc/cassandra-a/jvm11-clients.options]", "parameters": "--- File[/etc/cassandra-a/jvm11-clients.options].orig\n+++ File[/etc/cassandra-a/jvm11-clients.options]\n\n+    group  => root\n+    force  => True\n+    ensure => link\n+    target => /etc/cassandra/jvm11-clients.options\n+    owner  => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_deployment_ssh]", "content": "--- /etc/ferm/conf.d/10_deployment_ssh.orig\n+++ /etc/ferm/conf.d/10_deployment_ssh\n@@ -0,0 +1,6 @@\n+# 
Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 22, $DEPLOYMENT_HOSTS);\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_deployment_ssh].orig\n+++ File[/etc/ferm/conf.d/10_deployment_ssh]\n\n+    group   => root\n+    tag     => ferm\n+    require => File[/etc/ferm/conf.d]\n+    mode    => 0400\n+    ensure  => present\n+    notify  => Service[ferm]\n+    owner   => root\n"}, {"resource": "Rsyslog::Conf[udp_localhost_compat]", "parameters": "--- Rsyslog::Conf[udp_localhost_compat].orig\n+++ Rsyslog::Conf[udp_localhost_compat]\n\n+    ensure   => present\n+    priority => 50\n+    mode     => 0444\n"}, {"resource": "File[/usr/local/bin/sstableutil-a]", "parameters": "--- File[/usr/local/bin/sstableutil-a].orig\n+++ File[/usr/local/bin/sstableutil-a]\n\n+    group   => root\n+    require => File[/usr/local/bin/sstable-util-instance]\n+    ensure  => link\n+    target  => /usr/local/bin/sstable-util-instance\n+    owner   => root\n"}, {"resource": "User[deploy-service]", "parameters": "--- User[deploy-service].orig\n+++ User[deploy-service]\n\n+    shell      => /bin/bash\n+    home       => /var/lib/deploy-service\n+    membership => minimum\n+    ensure     => present\n+    system     => True\n+    groups     => ['deploy-service']\n"}, {"resource": "File[/usr/local/bin/cqlsh-a]", "parameters": "--- File[/usr/local/bin/cqlsh-a].orig\n+++ File[/usr/local/bin/cqlsh-a]\n\n+    group   => root\n+    require => Package[cassandra-tools-wmf]\n+    ensure  => link\n+    target  => /usr/bin/cqlsh-instance\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]", "parameters": "--- File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem].orig\n+++ File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]\n\n+    group     => cassandra\n+    mode      => 0440\n+    ensure    => file\n+    backup    => False\n+    show_diff => False\n+    owner     => cassandra\n"}, {"resource": 
"Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "parameters": "--- Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia].orig\n+++ Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]\n\n+    uri                      => http://apt.wikimedia.org/wikimedia\n+    source                   => True\n+    trust_repo               => False\n+    allow_releaseinfo_change => False\n+    bin                      => True\n+    dist                     => bullseye-wikimedia\n+    ensure                   => present\n+    components               => component/cassandra41\n"}, {"resource": "File[/etc/update-motd.d/05-insetup--data-persistence-ferm]", "content": "--- /etc/update-motd.d/05-insetup--data-persistence-ferm.orig\n+++ /etc/update-motd.d/05-insetup--data-persistence-ferm\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"aqs1024 is a Host being setup by Data Persistence SREs (insetup::data_persistence_ferm)\"", "parameters": "--- File[/etc/update-motd.d/05-insetup--data-persistence-ferm].orig\n+++ File[/etc/update-motd.d/05-insetup--data-persistence-ferm]\n\n-    group  => root\n-    mode   => 0555\n-    ensure => present\n-    owner  => root\n"}, {"resource": "File[/usr/local/bin/nodetool-instance]", "parameters": "--- File[/usr/local/bin/nodetool-instance].orig\n+++ File[/usr/local/bin/nodetool-instance]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0555\n+    ensure  => present\n+    source  => puppet:///modules/cassandra/nodetool-instance\n+    owner   => cassandra\n"}, {"resource": "Service[cassandra-b]", "parameters": "--- Service[cassandra-b].orig\n+++ Service[cassandra-b]\n\n+    enable => True\n+    ensure => running\n"}, {"resource": "Exec[install-/srv/storage-3/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-3/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-3/cassandra-a/data]\n\n+    command => 
install -o cassandra -g cassandra -m 750 -d /srv/storage-3/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-3/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 
'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 
'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 
'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[cassandra-tools-wmf]', 'Package[jvm-tools]', 
'Package[cassandra-tools]', 'Package[libjemalloc2]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[openjdk-11-jdk]', 'Package[cassandra]', 'Package[prometheus-jmx-exporter]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[cassandra/logstash-logback-encoder]']\n"}, {"resource": "Exec[install-/srv/storage-1/cassandra-a/data]", "parameters": "--- Exec[install-/srv/storage-1/cassandra-a/data].orig\n+++ Exec[install-/srv/storage-1/cassandra-a/data]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/storage-1/cassandra-a/data\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/storage-1/cassandra-a/data\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "Package[git-lfs]", "parameters": "--- Package[git-lfs].orig\n+++ Package[git-lfs]\n\n+    provider => apt\n+    ensure   => installed\n"}, {"resource": "File[/srv/cassandra-b]", "parameters": "--- File[/srv/cassandra-b].orig\n+++ File[/srv/cassandra-b]\n\n+    group   => cassandra\n+    require => Package[cassandra]\n+    mode    => 0750\n+    ensure  => directory\n+    owner   => cassandra\n"}, {"resource": "File[/etc/ferm/conf.d/10_cassandra-intra-node]", "content": "--- /etc/ferm/conf.d/10_cassandra-intra-node.orig\n+++ /etc/ferm/conf.d/10_cassandra-intra-node\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. 
DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 7000, @resolve((aqs1010.eqiad.wmnet aqs1010-a.eqiad.wmnet aqs1010-b.eqiad.wmnet aqs1011.eqiad.wmnet aqs1011-a.eqiad.wmnet aqs1011-b.eqiad.wmnet aqs1012.eqiad.wmnet aqs1012-a.eqiad.wmnet aqs1012-b.eqiad.wmnet aqs1014.eqiad.wmnet aqs1014-a.eqiad.wmnet aqs1014-b.eqiad.wmnet aqs1015.eqiad.wmnet aqs1015-a.eqiad.wmnet aqs1015-b.eqiad.wmnet aqs1016.eqiad.wmnet aqs1016-a.eqiad.wmnet aqs1016-b.eqiad.wmnet aqs1017.eqiad.wmnet aqs1017-a.eqiad.wmnet aqs1017-b.eqiad.wmnet aqs1018.eqiad.wmnet aqs1018-a.eqiad.wmnet aqs1018-b.eqiad.wmnet aqs1019.eqiad.wmnet aqs1019-a.eqiad.wmnet aqs1019-b.eqiad.wmnet aqs1020.eqiad.wmnet aqs1020-a.eqiad.wmnet aqs1020-b.eqiad.wmnet aqs1021.eqiad.wmnet aqs1021-a.eqiad.wmnet aqs1021-b.eqiad.wmnet aqs1022.eqiad.wmnet aqs1022-a.eqiad.wmnet aqs1022-b.eqiad.wmnet aqs1023.eqiad.wmnet aqs1023-a.eqiad.wmnet aqs1023-b.eqiad.wmnet aqs1024.eqiad.wmnet aqs1024-a.eqiad.wmnet aqs1024-b.eqiad.wmnet aqs2001.codfw.wmnet aqs2001-a.codfw.wmnet aqs2001-b.codfw.wmnet aqs2002.codfw.wmnet aqs2002-a.codfw.wmnet aqs2002-b.codfw.wmnet aqs2003.codfw.wmnet aqs2003-a.codfw.wmnet aqs2003-b.codfw.wmnet aqs2004.codfw.wmnet aqs2004-a.codfw.wmnet aqs2004-b.codfw.wmnet aqs2005.codfw.wmnet aqs2005-a.codfw.wmnet aqs2005-b.codfw.wmnet aqs2006.codfw.wmnet aqs2006-a.codfw.wmnet aqs2006-b.codfw.wmnet aqs2007.codfw.wmnet aqs2007-a.codfw.wmnet aqs2007-b.codfw.wmnet aqs2008.codfw.wmnet aqs2008-a.codfw.wmnet aqs2008-b.codfw.wmnet aqs2009.codfw.wmnet aqs2009-a.codfw.wmnet aqs2009-b.codfw.wmnet aqs2010.codfw.wmnet aqs2010-a.codfw.wmnet aqs2010-b.codfw.wmnet aqs2011.codfw.wmnet aqs2011-a.codfw.wmnet aqs2011-b.codfw.wmnet aqs2012.codfw.wmnet aqs2012-a.codfw.wmnet aqs2012-b.codfw.wmnet)));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_cassandra-intra-node].orig\n+++ File[/etc/ferm/conf.d/10_cassandra-intra-node]\n\n+    group   => root\n+    tag     => ferm\n+    require => File[/etc/ferm/conf.d]\n+    mode    => 0400\n+    ensure  => present\n+  
  notify  => Service[ferm]\n+    owner   => root\n"}, {"resource": "File[/etc/cassandra-b/logback-tools.xml]", "parameters": "--- File[/etc/cassandra-b/logback-tools.xml].orig\n+++ File[/etc/cassandra-b/logback-tools.xml]\n\n+    group  => cassandra\n+    ensure => present\n+    mode   => 0444\n+    source => puppet:///modules/cassandra/logback-tools.xml-4.x\n+    links  => follow\n+    owner  => cassandra\n"}, {"resource": "Exec[install-/srv/cassandra/cassandra-a/hints]", "parameters": "--- Exec[install-/srv/cassandra/cassandra-a/hints].orig\n+++ Exec[install-/srv/cassandra/cassandra-a/hints]\n\n+    command => install -o cassandra -g cassandra -m 750 -d /srv/cassandra/cassandra-a/hints\n+    path    => /usr/bin/:/bin/\n+    creates => /srv/cassandra/cassandra-a/hints\n+    before  => Systemd::Service[cassandra-a]\n"}, {"resource": "File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]", "content": "--- /etc/rsyslog.d/50-udp-json-logback-compat.conf.orig\n+++ /etc/rsyslog.d/50-udp-json-logback-compat.conf\n@@ -0,0 +1,43 @@\n+# Provide a UDP input to accept JSON payloads on localhost and forward them to logstash via Kakfa.\n+\n+module(load=\"imudp\")\n+module(load=\"mmjsonparse\")\n+module(load=\"omkafka\")\n+\n+template(name=\"template_udp_json_logback_compat\" type=\"list\") {\n+  property(name=\"$!all-json\")\n+}\n+\n+# Use the parsed json \"level\" field value as the kafka topic suffix\n+template(name=\"udp_json_logback_compat_topic\" type=\"string\" string=\"logback-%!level:::lowercase%\")\n+\n+# Use a separate (in memory) queue to limit message processing to this ruleset only.\n+ruleset(name=\"ruleset_udp_json_logback_compat\" queue.type=\"LinkedList\") {\n+\n+  action(type=\"mmjsonparse\" name=\"mmjsonparse_udp_json_logback_compat\" cookie=\"\" useRawMsg=\"on\")\n+\n+  if $parsesuccess == \"OK\" then {\n+    action(type=\"omkafka\"\n+           
broker=[\"kafka-logging1001.eqiad.wmnet:9093\",\"kafka-logging1002.eqiad.wmnet:9093\",\"kafka-logging1003.eqiad.wmnet:9093\",\"kafka-logging1004.eqiad.wmnet:9093\",\"kafka-logging1005.eqiad.wmnet:9093\"]\n+           topic=\"udp_json_logback_compat_topic\"\n+           dynatopic=\"on\"\n+           dynatopic.cachesize=\"1000\"\n+           partitions.auto=\"on\"\n+           template=\"template_udp_json_logback_compat\"\n+           queue.type=\"LinkedList\" queue.size=\"10000\" queue.filename=\"udp_json_logback_compat\"\n+           queue.highWatermark=\"7000\" queue.lowWatermark=\"6000\"\n+           queue.checkpointInterval=\"5\"\n+           queue.maxDiskSpace=\"40960000\"\n+           confParam=[ \"security.protocol=ssl\",\n+                       \"ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt\",\n+                       \"compression.codec=snappy\",\n+                       \"socket.timeout.ms=60000\",\n+                       \"socket.keepalive.enable=true\",\n+                       \"queue.buffering.max.ms=50\",\n+                       \"batch.num.messages=1000\" ]\n+    )\n+  }\n+\n+}\n+\n+input(type=\"imudp\" port=\"11514\" address=\"localhost\" ruleset=\"ruleset_udp_json_logback_compat\")", "parameters": "--- File[/etc/rsyslog.d/50-udp-json-logback-compat.conf].orig\n+++ File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]\n\n+    group  => root\n+    mode   => 0444\n+    ensure => present\n+    notify => Service[rsyslog]\n+    owner  => root\n"}, {"resource": "File[/etc/cassandra-b/cassandra-rackdc.properties]", "content": "--- /etc/cassandra-b/cassandra-rackdc.properties.orig\n+++ /etc/cassandra-b/cassandra-rackdc.properties\n@@ -0,0 +1,6 @@\n+# Note: This file is managed by Puppet.\n+\n+# These properties are used with GossipingPropertyFileSnitch and will\n+# indicate the rack and dc for this node\n+dc=eqiad\n+rack=rack2", "parameters": "--- File[/etc/cassandra-b/cassandra-rackdc.properties].orig\n+++ 
File[/etc/cassandra-b/cassandra-rackdc.properties]\n\n+    group  => cassandra\n+    mode   => 0444\n+    ensure => present\n+    owner  => cassandra\n"}, {"resource": "Class[Profile::Cassandra]", "parameters": "--- Class[Profile::Cassandra].orig\n+++ Class[Profile::Cassandra]\n\n+    allow_analytics       => True\n+    tls_keystore_password => test\n+    monitor_enabled       => True\n+    cassandra_settings    => {'dc': 'eqiad', 'cluster_name': 'Analytics Query Service Storage', 'tls_cluster_name': 'aqs', 'tls_use_pki_truststore': True, 'tls_use_pki': True, 'start_rpc': False, 'target_version': '4.x', 'default_instance_params': {'max_heap_size': '16g', 'heap_newsize': '2048m', 'compaction_throughput_mb_per_sec': 256, 'concurrent_compactors': 12, 'concurrent_writes': 64, 'concurrent_reads': 64, 'permissions_validity_in_ms': 600000, 'internode_encryption': 'all', 'client_encryption_enabled': True, 'client_encryption_optional': True}, 'users': ['aqsloader', 'image_suggestions', 'device_analytics', 'geo_analytics', 'media_analytics', 'page_analytics', 'edit_analytics', 'editor_analytics', 'data_gateway', 'commons_impact_analytics', 'revise_tone_task_generator']}\n+    cassandra_passwords   => {'restbase': 'blahblahblah', 'restbase_dev': 'blahblahblahblah', 'aqs': 'blahblah', 'sessionstore': 'blahblah', 'image_suggestions': 'blahblahblahblah', 'aqs_testing': 'blahblahblahblah', 'device_analytics': 'blahblahblahblah', 'mediawiki_services_mobileapps': 'yadayadayada', 'aqsloader': 'yadayadayada', 'edit_analytics': 'blahblahblahblah', 'editor_analytics': 'yadayadayada', 'cassandra_devel': 'foobarbaz', 'data_gateway': 'qwerty', 'commons_impact_analytics': 'notarealpasswd', 'revise_tone_task_generator': 'asdfasdfasdf', 'linked_artifacts': 'yadayadayada'}\n+    monitor_tls_port      => 7000\n+    all_instances         => {'aqs1010.eqiad.wmnet': {'a': {'listen_address': '10.64.0.88'}, 'b': {'listen_address': '10.64.0.120'}}, 'aqs1011.eqiad.wmnet': {'a': {'listen_address': 
'10.64.16.204'}, 'b': {'listen_address': '10.64.16.206'}}, 'aqs1012.eqiad.wmnet': {'a': {'listen_address': '10.64.32.128', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.32.145', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}, 'aqs1014.eqiad.wmnet': {'a': {'listen_address': '10.64.48.65'}, 'b': {'listen_address': '10.64.48.67'}}, 'aqs1015.eqiad.wmnet': {'a': {'listen_address': '10.64.48.68'}, 'b': {'listen_address': '10.64.48.69'}}, 'aqs1016.eqiad.wmnet': {'a': {'listen_address': '10.64.0.199'}, 'b': {'listen_address': '10.64.0.213'}}, 'aqs1017.eqiad.wmnet': {'a': {'listen_address': '10.64.16.74'}, 'b': {'listen_address': '10.64.16.78'}}, 'aqs1018.eqiad.wmnet': {'a': {'listen_address': '10.64.32.22'}, 'b': {'listen_address': '10.64.32.31'}}, 'aqs1019.eqiad.wmnet': {'a': {'listen_address': '10.64.48.119'}, 'b': 
{'listen_address': '10.64.48.122'}}, 'aqs1020.eqiad.wmnet': {'a': {'listen_address': '10.64.131.14'}, 'b': {'listen_address': '10.64.131.15'}}, 'aqs1021.eqiad.wmnet': {'a': {'listen_address': '10.64.135.14'}, 'b': {'listen_address': '10.64.135.15'}}, 'aqs1022.eqiad.wmnet': {'a': {'listen_address': '10.64.48.94'}, 'b': {'listen_address': '10.64.48.181'}}, 'aqs1023.eqiad.wmnet': {'a': {'listen_address': '10.64.177.6', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', '/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.177.7', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}, 'aqs1024.eqiad.wmnet': {'a': {'listen_address': '10.64.156.18', 'data_file_directories': ['/srv/storage-0/cassandra-a/data', '/srv/storage-1/cassandra-a/data', '/srv/storage-2/cassandra-a/data', '/srv/storage-3/cassandra-a/data', '/srv/storage-4/cassandra-a/data', '/srv/storage-5/cassandra-a/data', 
'/srv/storage-6/cassandra-a/data', '/srv/storage-7/cassandra-a/data'], 'heapdump_directory': '/srv/storage-0/cassandra-a', 'commitlog_directory': '/srv/cassandra/cassandra-a/commitlog', 'hints_directory': '/srv/cassandra/cassandra-a/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-a/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-a/system'}, 'b': {'listen_address': '10.64.156.21', 'data_file_directories': ['/srv/storage-0/cassandra-b/data', '/srv/storage-1/cassandra-b/data', '/srv/storage-2/cassandra-b/data', '/srv/storage-3/cassandra-b/data', '/srv/storage-4/cassandra-b/data', '/srv/storage-5/cassandra-b/data', '/srv/storage-6/cassandra-b/data', '/srv/storage-7/cassandra-b/data'], 'heapdump_directory': '/srv/storage-1/cassandra-b', 'commitlog_directory': '/srv/cassandra/cassandra-b/commitlog', 'hints_directory': '/srv/cassandra/cassandra-b/hints', 'saved_caches_directory': '/srv/cassandra/cassandra-b/saved_caches', 'local_system_data_file_directory': '/srv/cassandra/cassandra-b/system'}}, 'aqs2001.codfw.wmnet': {'a': {'listen_address': '10.192.0.214'}, 'b': {'listen_address': '10.192.0.215'}}, 'aqs2002.codfw.wmnet': {'a': {'listen_address': '10.192.0.216'}, 'b': {'listen_address': '10.192.0.217'}}, 'aqs2003.codfw.wmnet': {'a': {'listen_address': '10.192.0.218'}, 'b': {'listen_address': '10.192.0.219'}}, 'aqs2004.codfw.wmnet': {'a': {'listen_address': '10.192.0.220'}, 'b': {'listen_address': '10.192.0.221'}}, 'aqs2005.codfw.wmnet': {'a': {'listen_address': '10.192.16.174'}, 'b': {'listen_address': '10.192.16.179'}}, 'aqs2006.codfw.wmnet': {'a': {'listen_address': '10.192.16.183'}, 'b': {'listen_address': '10.192.16.185'}}, 'aqs2007.codfw.wmnet': {'a': {'listen_address': '10.192.16.186'}, 'b': {'listen_address': '10.192.16.187'}}, 'aqs2008.codfw.wmnet': {'a': {'listen_address': '10.192.16.188'}, 'b': {'listen_address': '10.192.16.189'}}, 'aqs2009.codfw.wmnet': {'a': {'listen_address': '10.192.48.192'}, 'b': {'listen_address': 
'10.192.48.193'}}, 'aqs2010.codfw.wmnet': {'a': {'listen_address': '10.192.48.194'}, 'b': {'listen_address': '10.192.48.195'}}, 'aqs2011.codfw.wmnet': {'a': {'listen_address': '10.192.48.196'}, 'b': {'listen_address': '10.192.48.197'}}, 'aqs2012.codfw.wmnet': {'a': {'listen_address': '10.192.48.198'}, 'b': {'listen_address': '10.192.48.199'}}}\n+    auto_apply_grants     => False\n+    client_ips            => ['10.67.128.0/17', '2620:0:861:cabe::/64', '10.64.64.0/21', '2620:0:861:babe::/64', '10.192.64.0/21', '2620:0:860:babe::/64', '10.194.128.0/17', '2620:0:860:cabe::/64', '10.67.16.0/21', '2620:0:861:300::/64', '10.194.16.0/21', '2620:0:860:300::/64', '10.194.61.0/24', '2620:0:860:302::/64']\n+    rack                  => rack2\n"}, {"resource": "File[/etc/sysctl.d/05-cassandra.conf]", "content": "--- /etc/sysctl.d/05-cassandra.conf.orig\n+++ /etc/sysctl.d/05-cassandra.conf\n@@ -0,0 +1,3 @@\n+# sysctl parameters managed by Puppet.\n+vm.dirty_background_bytes = 25165824\n+vm.max_map_count = 1048575", "parameters": "--- File[/etc/sysctl.d/05-cassandra.conf].orig\n+++ File[/etc/sysctl.d/05-cassandra.conf]\n\n+    group  => root\n+    notify => Exec[update_sysctl]\n+    ensure => present\n+    owner  => root\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 ferm_active]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}], "perc_changed": "19.11%"}, "core": {"total": 2774, "only_in_self": ["File[/etc/update-motd.d/05-insetup--data-persistence-ferm]", "Node[__node_regexp__aqs1024-7.eqiad.]"], "only_in_other": ["Augeas[ens8f0np0_10.64.156.18/32]", "Augeas[ens8f0np0_10.64.156.21/32]", "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]", "Exec[Generate cert 
cassandra__aqs1024-a_eqiad_wmnet]", "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]", "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]", "Exec[apt_package_from_component_cassandra]", "Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "Exec[bootstrap-scap-target]", "Exec[chown /srv/deployment/cassandra for deploy-service]", "Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "Exec[install-/srv/cassandra/cassandra-a/commitlog]", "Exec[install-/srv/cassandra/cassandra-a/hints]", "Exec[install-/srv/cassandra/cassandra-a/saved_caches]", "Exec[install-/srv/cassandra/cassandra-a/system]", "Exec[install-/srv/cassandra/cassandra-b/commitlog]", "Exec[install-/srv/cassandra/cassandra-b/hints]", "Exec[install-/srv/cassandra/cassandra-b/saved_caches]", "Exec[install-/srv/cassandra/cassandra-b/system]", "Exec[install-/srv/storage-0/cassandra-a/data]", "Exec[install-/srv/storage-0/cassandra-b/data]", "Exec[install-/srv/storage-1/cassandra-a/data]", "Exec[install-/srv/storage-1/cassandra-b/data]", "Exec[install-/srv/storage-2/cassandra-a/data]", "Exec[install-/srv/storage-2/cassandra-b/data]", "Exec[install-/srv/storage-3/cassandra-a/data]", "Exec[install-/srv/storage-3/cassandra-b/data]", "Exec[install-/srv/storage-4/cassandra-a/data]", "Exec[install-/srv/storage-4/cassandra-b/data]", "Exec[install-/srv/storage-5/cassandra-a/data]", "Exec[install-/srv/storage-5/cassandra-b/data]", "Exec[install-/srv/storage-6/cassandra-a/data]", "Exec[install-/srv/storage-6/cassandra-b/data]", "Exec[install-/srv/storage-7/cassandra-a/data]", "Exec[install-/srv/storage-7/cassandra-b/data]", "Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]", "Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]", "Exec[java__cacert_Puppet_Internal_CA]", "Exec[java__cacert_Wikimedia_Internal_Root_CA]", 
"Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]", "Exec[java__cacert_wmf:puppetca.pem]", "Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]", "Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]", "Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]", "Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]", "Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]", "Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]", "Exec[update_java_alternatives_11]", "File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]", "File[/etc/cassandra-a/cassandra-env.sh]", "File[/etc/cassandra-a/cassandra-rackdc.properties]", "File[/etc/cassandra-a/cassandra.yaml]", "File[/etc/cassandra-a/commitlog_archiving.properties]", "File[/etc/cassandra-a/cqlshrc]", "File[/etc/cassandra-a/credentials]", "File[/etc/cassandra-a/hotspot_compiler]", "File[/etc/cassandra-a/jvm-clients.options]", "File[/etc/cassandra-a/jvm-server.options]", "File[/etc/cassandra-a/jvm11-clients.options]", "File[/etc/cassandra-a/jvm11-server.options]", "File[/etc/cassandra-a/jvm17-server.options]", "File[/etc/cassandra-a/logback-tools.xml]", "File[/etc/cassandra-a/logback.xml]", "File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]", "File[/etc/cassandra-a/tls/server.key]", "File[/etc/cassandra-a/tls]", "File[/etc/cassandra-a/user_aqsloader.cql]", "File[/etc/cassandra-a/user_commons_impact_analytics.cql]", "File[/etc/cassandra-a/user_data_gateway.cql]", "File[/etc/cassandra-a/user_device_analytics.cql]", "File[/etc/cassandra-a/user_edit_analytics.cql]", 
"File[/etc/cassandra-a/user_editor_analytics.cql]", "File[/etc/cassandra-a/user_geo_analytics.cql]", "File[/etc/cassandra-a/user_image_suggestions.cql]", "File[/etc/cassandra-a/user_media_analytics.cql]", "File[/etc/cassandra-a/user_page_analytics.cql]", "File[/etc/cassandra-a/user_revise_tone_task_generator.cql]", "File[/etc/cassandra-a]", "File[/etc/cassandra-b/cassandra-env.sh]", "File[/etc/cassandra-b/cassandra-rackdc.properties]", "File[/etc/cassandra-b/cassandra.yaml]", "File[/etc/cassandra-b/commitlog_archiving.properties]", "File[/etc/cassandra-b/cqlshrc]", "File[/etc/cassandra-b/credentials]", "File[/etc/cassandra-b/hotspot_compiler]", "File[/etc/cassandra-b/jvm-clients.options]", "File[/etc/cassandra-b/jvm-server.options]", "File[/etc/cassandra-b/jvm11-clients.options]", "File[/etc/cassandra-b/jvm11-server.options]", "File[/etc/cassandra-b/jvm17-server.options]", "File[/etc/cassandra-b/logback-tools.xml]", "File[/etc/cassandra-b/logback.xml]", "File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]", "File[/etc/cassandra-b/tls/server.key]", "File[/etc/cassandra-b/tls]", "File[/etc/cassandra-b/user_aqsloader.cql]", "File[/etc/cassandra-b/user_commons_impact_analytics.cql]", "File[/etc/cassandra-b/user_data_gateway.cql]", "File[/etc/cassandra-b/user_device_analytics.cql]", "File[/etc/cassandra-b/user_edit_analytics.cql]", "File[/etc/cassandra-b/user_editor_analytics.cql]", "File[/etc/cassandra-b/user_geo_analytics.cql]", "File[/etc/cassandra-b/user_image_suggestions.cql]", "File[/etc/cassandra-b/user_media_analytics.cql]", "File[/etc/cassandra-b/user_page_analytics.cql]", 
"File[/etc/cassandra-b/user_revise_tone_task_generator.cql]", "File[/etc/cassandra-b]", "File[/etc/cassandra-instances.d/aqs1024-a.yaml]", "File[/etc/cassandra-instances.d/aqs1024-b.yaml]", "File[/etc/cassandra-instances.d]", "File[/etc/cassandra.in.sh]", "File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "File[/etc/ferm/conf.d/10_cassandra-analytics-cql]", "File[/etc/ferm/conf.d/10_cassandra-cql]", "File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]", "File[/etc/ferm/conf.d/10_cassandra-intra-node]", "File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]", "File[/etc/ferm/conf.d/10_deployment_ssh]", "File[/etc/init.d/cassandra]", "File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]", "File[/etc/rsyslog.d/50-udp-localhost-compat.conf]", "File[/etc/scap.cfg]", "File[/etc/ssh/userkeys/deploy-service]", "File[/etc/ssh/userkeys/scap]", "File[/etc/ssl/localcerts/wmf-java-cacerts]", "File[/etc/sudoers.d/scap_deploy-service]", "File[/etc/sysctl.d/05-cassandra.conf]", "File[/etc/sysusers.d/scap.conf]", "File[/etc/tmpfiles.d/cassandra.conf]", "File[/etc/update-motd.d/05-aqs]", "File[/lib/systemd/system/cassandra-a.service]", "File[/lib/systemd/system/cassandra-b.service]", "File[/srv/cassandra-a]", "File[/srv/cassandra-b]", "File[/usr/bin/scap]", "File[/usr/local/bin/bootstrap-scap-target.sh]", "File[/usr/local/bin/cassandra_validate_grants]", "File[/usr/local/bin/cqlsh-a]", "File[/usr/local/bin/cqlsh-b]", "File[/usr/local/bin/nodetool-a]", "File[/usr/local/bin/nodetool-b]", "File[/usr/local/bin/nodetool-instance]", "File[/usr/local/bin/sstable-util-instance]", "File[/usr/local/bin/sstableutil-a]", "File[/usr/local/bin/sstableutil-b]", "File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]", "File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]", "File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]", "File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]", "File[/var/lib/deploy-service]", 
"File[/var/lib/scap]", "Group[deploy-service]", "Group[scap]", "Node[__node_regexp__aqs1010-214-920-4.eqiad.]", "Package[cassandra-tools-wmf]", "Package[cassandra-tools]", "Package[cassandra/logstash-logback-encoder]", "Package[cassandra]", "Package[git-lfs]", "Package[jvm-tools]", "Package[libjemalloc2]", "Package[openjdk-11-jdk]", "Package[prometheus-jmx-exporter]", "Package[python3-venv]", "Package[rsync]", "Service[cassandra-a]", "Service[cassandra-b]", "Service[cassandra]", "User[deploy-service]", "User[scap]"], "resource_diffs": [{"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"data-persistence\",role=\"insetup::data_persistence_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"data-persistence\",role=\"aqs\",cluster=\"aqs\"} 1.0"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::data_persistence_ferm:\n+role::aqs:\n - Data Persistence"}, {"resource": "File[/etc/apt/sources.list]", "parameters": "--- File[/etc/apt/sources.list].orig\n+++ File[/etc/apt/sources.list]\n\n@@\n-    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']\n+    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]', 'Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']\n"}], "perc_changed": "6.74%"}, "main": {"total": 2774, "only_in_self": ["Class[Role::Insetup::Data_persistence_ferm]", 
"File[/etc/update-motd.d/05-insetup--data-persistence-ferm]", "Motd::Message[insetup::data_persistence_ferm]", "Motd::Script[insetup::data_persistence_ferm]", "Node[__node_regexp__aqs1024-7.eqiad.]"], "only_in_other": ["Alternatives::Java[11]", "Apt::Package_from_component[cassandra]", "Apt::Repository[component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "Augeas[ens8f0np0_10.64.156.18/32]", "Augeas[ens8f0np0_10.64.156.21/32]", "Cassandra::Instance::Monitoring[a]", "Cassandra::Instance::Monitoring[b]", "Cassandra::Instance[a]", "Cassandra::Instance[b]", "Cfssl::Cert[cassandra__aqs1024-a_eqiad_wmnet]", "Cfssl::Cert[cassandra__aqs1024-b_eqiad_wmnet]", "Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "Cfssl::Csr[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "Class[Cassandra::Logging]", "Class[Cassandra::Sysctl]", "Class[Cassandra]", "Class[Git::Lfs]", "Class[Java]", "Class[Profile::Cassandra]", "Class[Profile::Java]", "Class[Profile::Rsyslog::Udp_json_logback_compat]", "Class[Profile::Rsyslog::Udp_localhost_compat]", "Class[Role::Aqs]", "Class[Scap::Ferm]", "Class[Scap::User]", "Class[Scap]", "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet refresh]", "Exec[Generate cert cassandra__aqs1024-a_eqiad_wmnet]", "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet refresh]", "Exec[Generate cert cassandra__aqs1024-b_eqiad_wmnet]", "Exec[apt_package_from_component_cassandra]", "Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]", "Exec[bootstrap-scap-target]", "Exec[chown /srv/deployment/cassandra for deploy-service]", "Exec[create chained cert /etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "Exec[create chained cert /etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "Exec[install-/srv/cassandra/cassandra-a/commitlog]", "Exec[install-/srv/cassandra/cassandra-a/hints]", "Exec[install-/srv/cassandra/cassandra-a/saved_caches]", 
"Exec[install-/srv/cassandra/cassandra-a/system]", "Exec[install-/srv/cassandra/cassandra-b/commitlog]", "Exec[install-/srv/cassandra/cassandra-b/hints]", "Exec[install-/srv/cassandra/cassandra-b/saved_caches]", "Exec[install-/srv/cassandra/cassandra-b/system]", "Exec[install-/srv/storage-0/cassandra-a/data]", "Exec[install-/srv/storage-0/cassandra-b/data]", "Exec[install-/srv/storage-1/cassandra-a/data]", "Exec[install-/srv/storage-1/cassandra-b/data]", "Exec[install-/srv/storage-2/cassandra-a/data]", "Exec[install-/srv/storage-2/cassandra-b/data]", "Exec[install-/srv/storage-3/cassandra-a/data]", "Exec[install-/srv/storage-3/cassandra-b/data]", "Exec[install-/srv/storage-4/cassandra-a/data]", "Exec[install-/srv/storage-4/cassandra-b/data]", "Exec[install-/srv/storage-5/cassandra-a/data]", "Exec[install-/srv/storage-5/cassandra-b/data]", "Exec[install-/srv/storage-6/cassandra-a/data]", "Exec[install-/srv/storage-6/cassandra-b/data]", "Exec[install-/srv/storage-7/cassandra-a/data]", "Exec[install-/srv/storage-7/cassandra-b/data]", "Exec[ip addr add 10.64.156.18/32 dev ens8f0np0]", "Exec[ip addr add 10.64.156.21/32 dev ens8f0np0]", "Exec[java__cacert_Puppet_Internal_CA]", "Exec[java__cacert_Wikimedia_Internal_Root_CA]", "Exec[java__cacert_wmf:Wikimedia_Internal_Root_CA]", "Exec[java__cacert_wmf:puppetca.pem]", "Exec[renew certificate - cassandra__aqs1024-a_eqiad_wmnet]", "Exec[renew certificate - cassandra__aqs1024-b_eqiad_wmnet]", "Exec[sslcert generate cassandra_keystore_aqs1024-a.p12]", "Exec[sslcert generate cassandra_keystore_aqs1024-b.p12]", "Exec[systemd daemon-reload for cassandra-a.service (cassandra-a)]", "Exec[systemd daemon-reload for cassandra-b.service (cassandra-b)]", "Exec[update_java_alternatives_11]", "Ferm::Service[cassandra-analytics-cql]", "Ferm::Service[cassandra-cql]", "Ferm::Service[cassandra-intra-node-ssl]", "Ferm::Service[cassandra-intra-node]", "Ferm::Service[cassandra-jmx-rmi]", "Ferm::Service[deployment_ssh]", 
"File[/etc/apt/sources.list.d/component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia.list]", "File[/etc/cassandra-a/cassandra-env.sh]", "File[/etc/cassandra-a/cassandra-rackdc.properties]", "File[/etc/cassandra-a/cassandra.yaml]", "File[/etc/cassandra-a/commitlog_archiving.properties]", "File[/etc/cassandra-a/cqlshrc]", "File[/etc/cassandra-a/credentials]", "File[/etc/cassandra-a/hotspot_compiler]", "File[/etc/cassandra-a/jvm-clients.options]", "File[/etc/cassandra-a/jvm-server.options]", "File[/etc/cassandra-a/jvm11-clients.options]", "File[/etc/cassandra-a/jvm11-server.options]", "File[/etc/cassandra-a/jvm17-server.options]", "File[/etc/cassandra-a/logback-tools.xml]", "File[/etc/cassandra-a/logback.xml]", "File[/etc/cassandra-a/prometheus_jmx_exporter.yaml]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet-key.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chain.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.chained.pem]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.csr]", "File[/etc/cassandra-a/tls/cassandra__aqs1024-a_eqiad_wmnet.pem]", "File[/etc/cassandra-a/tls/server.key]", "File[/etc/cassandra-a/tls]", "File[/etc/cassandra-a/user_aqsloader.cql]", "File[/etc/cassandra-a/user_commons_impact_analytics.cql]", "File[/etc/cassandra-a/user_data_gateway.cql]", "File[/etc/cassandra-a/user_device_analytics.cql]", "File[/etc/cassandra-a/user_edit_analytics.cql]", "File[/etc/cassandra-a/user_editor_analytics.cql]", "File[/etc/cassandra-a/user_geo_analytics.cql]", "File[/etc/cassandra-a/user_image_suggestions.cql]", "File[/etc/cassandra-a/user_media_analytics.cql]", "File[/etc/cassandra-a/user_page_analytics.cql]", "File[/etc/cassandra-a/user_revise_tone_task_generator.cql]", "File[/etc/cassandra-a]", "File[/etc/cassandra-b/cassandra-env.sh]", "File[/etc/cassandra-b/cassandra-rackdc.properties]", "File[/etc/cassandra-b/cassandra.yaml]", 
"File[/etc/cassandra-b/commitlog_archiving.properties]", "File[/etc/cassandra-b/cqlshrc]", "File[/etc/cassandra-b/credentials]", "File[/etc/cassandra-b/hotspot_compiler]", "File[/etc/cassandra-b/jvm-clients.options]", "File[/etc/cassandra-b/jvm-server.options]", "File[/etc/cassandra-b/jvm11-clients.options]", "File[/etc/cassandra-b/jvm11-server.options]", "File[/etc/cassandra-b/jvm17-server.options]", "File[/etc/cassandra-b/logback-tools.xml]", "File[/etc/cassandra-b/logback.xml]", "File[/etc/cassandra-b/prometheus_jmx_exporter.yaml]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet-key.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chain.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.chained.pem]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.csr]", "File[/etc/cassandra-b/tls/cassandra__aqs1024-b_eqiad_wmnet.pem]", "File[/etc/cassandra-b/tls/server.key]", "File[/etc/cassandra-b/tls]", "File[/etc/cassandra-b/user_aqsloader.cql]", "File[/etc/cassandra-b/user_commons_impact_analytics.cql]", "File[/etc/cassandra-b/user_data_gateway.cql]", "File[/etc/cassandra-b/user_device_analytics.cql]", "File[/etc/cassandra-b/user_edit_analytics.cql]", "File[/etc/cassandra-b/user_editor_analytics.cql]", "File[/etc/cassandra-b/user_geo_analytics.cql]", "File[/etc/cassandra-b/user_image_suggestions.cql]", "File[/etc/cassandra-b/user_media_analytics.cql]", "File[/etc/cassandra-b/user_page_analytics.cql]", "File[/etc/cassandra-b/user_revise_tone_task_generator.cql]", "File[/etc/cassandra-b]", "File[/etc/cassandra-instances.d/aqs1024-a.yaml]", "File[/etc/cassandra-instances.d/aqs1024-b.yaml]", "File[/etc/cassandra-instances.d]", "File[/etc/cassandra.in.sh]", "File[/etc/cfssl/csr/cassandra__aqs1024-a_eqiad_wmnet.csr]", "File[/etc/cfssl/csr/cassandra__aqs1024-b_eqiad_wmnet.csr]", "File[/etc/ferm/conf.d/10_cassandra-analytics-cql]", "File[/etc/ferm/conf.d/10_cassandra-cql]", 
"File[/etc/ferm/conf.d/10_cassandra-intra-node-ssl]", "File[/etc/ferm/conf.d/10_cassandra-intra-node]", "File[/etc/ferm/conf.d/10_cassandra-jmx-rmi]", "File[/etc/ferm/conf.d/10_deployment_ssh]", "File[/etc/init.d/cassandra]", "File[/etc/rsyslog.d/50-udp-json-logback-compat.conf]", "File[/etc/rsyslog.d/50-udp-localhost-compat.conf]", "File[/etc/scap.cfg]", "File[/etc/ssh/userkeys/deploy-service]", "File[/etc/ssh/userkeys/scap]", "File[/etc/ssl/localcerts/wmf-java-cacerts]", "File[/etc/sudoers.d/scap_deploy-service]", "File[/etc/sysctl.d/05-cassandra.conf]", "File[/etc/sysusers.d/scap.conf]", "File[/etc/tmpfiles.d/cassandra.conf]", "File[/etc/update-motd.d/05-aqs]", "File[/lib/systemd/system/cassandra-a.service]", "File[/lib/systemd/system/cassandra-b.service]", "File[/srv/cassandra-a]", "File[/srv/cassandra-b]", "File[/usr/bin/scap]", "File[/usr/local/bin/bootstrap-scap-target.sh]", "File[/usr/local/bin/cassandra_validate_grants]", "File[/usr/local/bin/cqlsh-a]", "File[/usr/local/bin/cqlsh-b]", "File[/usr/local/bin/nodetool-a]", "File[/usr/local/bin/nodetool-b]", "File[/usr/local/bin/nodetool-instance]", "File[/usr/local/bin/sstable-util-instance]", "File[/usr/local/bin/sstableutil-a]", "File[/usr/local/bin/sstableutil-b]", "File[/usr/share/cassandra/lib/jackson-annotations-2.4.0.jar]", "File[/usr/share/cassandra/lib/jackson-core-2.4.0.jar]", "File[/usr/share/cassandra/lib/jackson-databind-2.4.0.jar]", "File[/usr/share/cassandra/lib/logstash-logback-encoder.jar]", "File[/var/lib/deploy-service]", "File[/var/lib/scap]", "Firewall::Service[deployment-ssh]", "Group[deploy-service]", "Group[scap]", "Interface::Alias[cassandra-a]", "Interface::Alias[cassandra-b]", "Interface::Ip[cassandra-a ipv4]", "Interface::Ip[cassandra-b ipv4]", "Java::Cacert[Puppet_Internal_CA]", "Java::Cacert[Wikimedia_Internal_Root_CA]", "Java::Cacert[wmf:Wikimedia_Internal_Root_CA]", "Java::Cacert[wmf:puppetca.pem]", "Java::Package[openjdk-jdk-11]", "Monitoring::Exported_nagios_service[aqs1024 
cassandra-a-cql]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-a-ssl]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-b-cql]", "Monitoring::Exported_nagios_service[aqs1024 cassandra-b-ssl]", "Monitoring::Service[cassandra-a-cql]", "Monitoring::Service[cassandra-a-ssl]", "Monitoring::Service[cassandra-b-cql]", "Monitoring::Service[cassandra-b-ssl]", "Motd::Message[aqs]", "Motd::Script[aqs]", "Node[__node_regexp__aqs1010-214-920-4.eqiad.]", "Package[cassandra-tools-wmf]", "Package[cassandra-tools]", "Package[cassandra/logstash-logback-encoder]", "Package[cassandra]", "Package[git-lfs]", "Package[jvm-tools]", "Package[libjemalloc2]", "Package[openjdk-11-jdk]", "Package[prometheus-jmx-exporter]", "Package[python3-venv]", "Package[rsync]", "Prometheus::Blackbox::Check::Tcp[cassandra-a-cql]", "Prometheus::Blackbox::Check::Tcp[cassandra-a-ssl]", "Prometheus::Blackbox::Check::Tcp[cassandra-b-cql]", "Prometheus::Blackbox::Check::Tcp[cassandra-b-ssl]", "Prometheus::Jmx_exporter_instance[aqs1024-a]", "Prometheus::Jmx_exporter_instance[aqs1024-b]", "Rsyslog::Conf[udp_json_logback_compat]", "Rsyslog::Conf[udp_localhost_compat]", "Scap::Target[cassandra/logstash-logback-encoder]", "Service[cassandra-a]", "Service[cassandra-b]", "Service[cassandra]", "Ssh::Userkey[deploy-service]", "Ssh::Userkey[scap]", "Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-a]", "Sslcert::X509_to_pkcs12[cassandra_keystore_aqs1024-b]", "Sudo::User[scap_deploy-service]", "Sysctl::Conffile[cassandra]", "Sysctl::Parameters[cassandra]", "Systemd::Service[cassandra-a]", "Systemd::Service[cassandra-b]", "Systemd::Sysuser[scap]", "Systemd::Unit[cassandra-a]", "Systemd::Unit[cassandra-b]", "User[deploy-service]", "User[scap]"], "resource_diffs": [{"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 
disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 disk_space].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 disk_space]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n-    role_description => Host being setup by Data Persistence SREs\n+    role_description => Analytics Query Service - Cassandra instance\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "Class[Sslcert::Trusted_ca]", "parameters": "--- Class[Sslcert::Trusted_ca].orig\n+++ Class[Sslcert::Trusted_ca]\n\n@@\n-    include_bundle_jks => False\n+    include_bundle_jks => True\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"data-persistence\",role=\"insetup::data_persistence_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"data-persistence\",role=\"aqs\",cluster=\"aqs\"} 1.0"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 ssh].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 ssh]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    
servicegroups         => aqs_eqiad\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::data_persistence_ferm:\n+role::aqs:\n - Data Persistence"}, {"resource": "Monitoring::Exported_nagios_host[aqs1024]", "parameters": "--- Monitoring::Exported_nagios_host[aqs1024].orig\n+++ Monitoring::Exported_nagios_host[aqs1024]\n\n@@\n-    hostgroups            => insetup_eqiad,lsw1-e7-eqiad\n+    hostgroups            => aqs_eqiad,lsw1-e7-eqiad\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n-    cluster               => insetup\n+    cluster               => aqs\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => aqs_eqiad\n@@\n-    notifications_enabled => False\n+    notifications_enabled => True\n"}, {"resource": "File[/etc/apt/sources.list]", "parameters": "--- File[/etc/apt/sources.list].orig\n+++ File[/etc/apt/sources.list]\n\n@@\n-    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']\n+    before => ['Exec[apt_repository_wikimedia]', 'Exec[apt_repository_wikimedia-private]', 'Exec[apt_repository_debian-debug]', 'Exec[apt_repository_component-puppet7-apt.wikimedia.org-wikimedia-bullseye-wikimedia]', 'Exec[apt_repository_component-cassandra41-apt.wikimedia.org-wikimedia-bullseye-wikimedia]']\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n-    cluster               => insetup\n+    cluster               => aqs\n@@\n-    nagios_group          => insetup_eqiad\n+    nagios_group          => aqs_eqiad\n@@\n-    notifications_enabled => False\n+    notifications_enabled => 
True\n"}, {"resource": "Class[Profile::Base::Certificates]", "parameters": "--- Class[Profile::Base::Certificates].orig\n+++ Class[Profile::Base::Certificates]\n\n@@\n-    include_bundle_jks => False\n+    include_bundle_jks => True\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 raid_md].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 raid_md]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n-    cluster => insetup\n+    cluster => aqs\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 
'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 
'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 
'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 
'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[cassandra-tools-wmf]', 'Package[jvm-tools]', 'Package[cassandra-tools]', 'Package[libjemalloc2]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[openjdk-11-jdk]', 'Package[cassandra]', 'Package[prometheus-jmx-exporter]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]']\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 
'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 
'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 
'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[quickstack]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[libpython2.7]', 'Package[libpython2.7-dev]', 'Package[libpython2.7-minimal]', 'Package[python2.7]', 'Package[libpython2.7-stdlib]', 'Package[python2.7-dev]', 'Package[python2.7-minimal]', 'Package[python2.7-dbg]', 'Package[python2.7-doc]', 'Package[python2.7-examples]', 'Package[libpython2.7-testsuite]', 'Package[intel-microcode]', 'Package[rasdaemon]', 'Package[libsnmp30]', 'Package[libdns-export1104]', 'Package[libdns1104]', 'Package[libisc-export1100]', 'Package[libisc1100]', 'Package[multiarch-support]', 'Package[libjson-c3]', 'Package[libpython3.7]', 'Package[libpython3.7-minimal]', 'Package[libpython3.7-stdlib]', 'Package[python3.7]', 'Package[python3.7-minimal]', 'Package[libevent-2.1-6]', 'Package[libwireshark11]', 'Package[libwiretap8]', 'Package[libwsutil9]', 'Package[libwscodecs2]', 'Package[libperl5.28]', 'Package[libmpdec2]', 'Package[perl-modules-5.28]', 'Package[libhogweed4]', 'Package[libnettle6]', 
'Package[libprocps7]', 'Package[libip6tc0]', 'Package[libip4tc0]', 'Package[libiptc0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[cassandra-tools-wmf]', 'Package[jvm-tools]', 'Package[cassandra-tools]', 'Package[libjemalloc2]', 'Package[ruby-sys-filesystem]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[openjdk-11-jdk]', 'Package[cassandra]', 'Package[prometheus-jmx-exporter]', 'Package[git-lfs]', 'Package[rsync]', 'Package[python3-venv]', 'Package[cassandra/logstash-logback-encoder]']\n"}, {"resource": "Monitoring::Exported_nagios_service[aqs1024 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[aqs1024 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[aqs1024 ferm_active]\n\n@@\n-    notifications_enabled => 0\n+    notifications_enabled => 1\n@@\n-    servicegroups         => insetup_eqiad\n+    servicegroups         => aqs_eqiad\n"}], "perc_changed": "10.02%"}}}