Compilation results for tcp-proxy5004.eqsin.wmnet: System changes detected

You can retrieve this result from host.json.

Catalog differences

Summary

Total Resources:	2583
Resources added:	171
Resources removed:	5
Resources modified:	188
Change percentage:	14.09%

Resources only in the new catalog

File[/usr/local/bin/depool]
Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]
File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]
File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]
Class[Profile::Lvs::Configuration]
Class[Conftool::Config]
Motd::Script[tcpproxy]
File[/usr/local/bin/decommission]
Interface::Clsact[clsact_ens13]
Systemd::Unit[prometheus_lvs_realserver_mss.service]
File[/etc/default/wikimedia-lvs-realserver]
Interface::Ipip[ipip_ipv6]
File[/usr/local/bin/ispooled]
File[/lib/systemd/system/tcp-mss-clamper.service]
Rsyslog::Conf[wmf_auto_restart_haproxy]
File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]
Interface::Manual[ipip_ipv6]
Augeas[ipip60_manual]
Rsyslog::Conf[prometheus_ferm_mss]
File[/lib/systemd/system/prometheus_ferm_mss.timer]
Systemd::Timer[wmf_auto_restart_haproxy]
Exec[ip addr add 127.0.0.42/32 dev ipip0]
Systemd::Unit[wmf_auto_restart_haproxy.timer]
Systemd::Unit[prometheus_ferm_mss.timer]
Class[Passwords::Etcd]
File[/etc/conftool/schema.yaml]
File[/etc/conftool/json-schema/]
File[/etc/etcd]
Exec[ip link add name ipip0 type ipip external]
Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]
Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]
Node[__node_regexp__tcp-proxy1-7001-9.codfwdrmrseqiadeqsinesamsmagruulsfo.]
Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]
File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]
Nrpe::Monitor_service[check_tcp-mss-clamper_status]
File[/usr/local/bin/prometheus-lvs-realserver-mss]
Class[Role::Tcpproxy]
File[/usr/local/bin/pool]
File[/usr/local/bin/drain]
Service[wmf_auto_restart_haproxy.timer]
Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]
File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]
File_line[rm_post-up_lo_clsact_lo]
Systemd::Timer[prometheus_ferm_mss]
File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]
File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]
Interface::Post_up_command[clsact_ens13]
Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]
File[/etc/conftool/config.yaml]
Systemd::Unit[prometheus_lvs_realserver_mss.timer]
Motd::Message[tcpproxy]
Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]
Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]
Systemd::Timer::Job[prometheus_ferm_mss]
Class[Etcd::Client::Globalconfig]
Augeas[ipip0_add_up]
File[/etc/conftool/local_services.yaml]
Class[Conftool::Scripts]
Systemd::Timer[prometheus_lvs_realserver_mss]
Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]
Systemd::Timer::Job[wmf_auto_restart_haproxy]
Systemd::Unit[wmf_auto_restart_haproxy.service]
File[/lib/systemd/system/wmf_auto_restart_haproxy.service]
File[/var/log/prometheus_ferm_mss]
File[/etc/ferm/conf.d/10_ipip]
File[/var/log/wmf_auto_restart_haproxy]
Systemd::Unit[tcp-mss-clamper]
File[/etc/logrotate.d/prometheus_lvs_realserver_mss]
Systemd::Service[prometheus_ferm_mss]
File[/etc/etcd/etcdrc]
Systemd::Syslog[prometheus_lvs_realserver_mss]
Exec[/usr/sbin/tc qdisc del dev ens13 clsact]
Systemd::Monitor[tcp-mss-clamper]
File_line[auto_restart_file_presence_haproxy]
Package[haproxy]
Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]
Systemd::Syslog[prometheus_ferm_mss]
File_line[rm_post-up_ens13_clsact_ens13]
Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]
Interface::Ipip[ipip_ipv4]
File[/etc/conftool]
Augeas[ipip0_set_up]
File[/etc/ferm/conf.d/10_clamp-mss-ipv6]
Augeas[ipip0_manual]
Exec[/usr/sbin/tc qdisc del dev lo clsact]
Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]
File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]
Exec[ip link set up dev ipip0]
Class[Profile::Conftool::Client]
Package[python3-conftool]
File[/etc/poolcounter-backends.yaml]
Class[Lvs::Realserver]
Systemd::Service[tcp-mss-clamper]
Package[python3-poolcounter]
Sudo::User[nrpe-check_check_tcp-mss-clamper_status]
Ferm::Rule[clamp-mss-ipv6]
Interface::Ip[ipip_ipv4 ipv4]
Class[Poolcounter::Client]
Logrotate::Conf[prometheus_ferm_mss]
File[/usr/local/bin/safe-service-restart]
File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]
File[/usr/local/sbin/restart-gerrit]
Interface::Clsact[clsact_lo]
Nrpe::Check[check_check_tcp-mss-clamper_status]
File[/etc/logrotate.d/prometheus_ferm_mss]
File[/etc/logrotate.d/wmf_auto_restart_haproxy]
File[/usr/local/bin/depool-gerrit]
Systemd::Timer::Job[prometheus_lvs_realserver_mss]
Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]
Logrotate::Conf[prometheus_lvs_realserver_mss]
File[/etc/update-motd.d/05-tcpproxy]
Exec[ip link set up dev ipip60]
File[/usr/local/bin/pool-gerrit]
Augeas[ipip60_add_up]
Exec[disable-rp-filter-ens13]
Ferm::Rule[ip6ip6]
Ferm::Rule[ipip]
File[/usr/local/bin/pooler-loop]
Service[haproxy]
Service[prometheus_ferm_mss.timer]
Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]
Ferm::Service[proxy_gerrit_ssh]
File[/etc/ferm/conf.d/10_ip6ip6]
Profile::Auto_restarts::Service[haproxy]
Prometheus::Node_ferm_mss[ferm_clamped_ipport]
Etcd::Client::Config[/etc/etcd/etcdrc]
Systemd::Syslog[wmf_auto_restart_haproxy]
Firewall::Service[proxy-gerrit-ssh]
File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]
Interface::Post_up_command[clsact_lo]
Rsyslog::Conf[prometheus_lvs_realserver_mss]
File[/usr/local/bin/prometheus-ferm-mss]
Logrotate::Conf[wmf_auto_restart_haproxy]
Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]
Exec[ip link add name ipip60 type ip6tnl external]
Systemd::Service[wmf_auto_restart_haproxy]
File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]
Etcd::Client::Config[/root/.etcdrc]
File[/var/log/prometheus_lvs_realserver_mss]
Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]
Package[wikimedia-lvs-realserver]
Service[prometheus_lvs_realserver_mss.timer]
Exec[disable-rp-filter-ipip60]
File[/etc/haproxy/haproxy.cfg]
File[/etc/ferm/conf.d/10_clamp-mss-ipv4]
Ferm::Rule[clamp-mss-ipv4]
File[/lib/systemd/system/prometheus_ferm_mss.service]
Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]
File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]
Monitoring::Service[check_tcp-mss-clamper_status]
Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]
Augeas[ipip60_set_up]
Class[Poolcounter::Client::Python]
Systemd::Service[prometheus_lvs_realserver_mss]
Class[Profile::Tcpproxy]
Class[Profile::Lvs::Realserver::Ipip]
Conftool::Scripts::Safe_service_restart[gerrit]
Service[tcp-mss-clamper]
Systemd::Unit[prometheus_ferm_mss.service]
Class[Profile::Lvs::Realserver]
Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
Exec[disable-rp-filter-ipip0]
File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]
File[/root/.etcdrc]
Package[tcp-mss-clamper]
File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]
Nrpe::Plugin[check_systemd_unit_status]
Class[Wmflib::Service::Catalog]
Interface::Manual[ipip_ipv4]
Augeas[ipip0_127.0.0.42/32]

Resources only in the old catalog

Class[Role::Insetup::Infrastructure_foundations_ferm]
Motd::Script[insetup::infrastructure_foundations_ferm]
Node[__node_regexp__tcp-proxy50034.eqsin.]
Motd::Message[insetup::infrastructure_foundations_ferm]
File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]

Resources modified

File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]

Parameters differences:

--- File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom].orig
+++ File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]

+    ensure => absent
+    group  => root
+    owner  => root

Interface::Manual[ipip_ipv6]

Parameters differences:

--- Interface::Manual[ipip_ipv6].orig
+++ Interface::Manual[ipip_ipv6]

+    family    => inet6
+    ensure    => present
+    hotplug   => False
+    interface => ipip60

Systemd::Unit[wmf_auto_restart_haproxy.service]

Parameters differences:

--- Systemd::Unit[wmf_auto_restart_haproxy.service].orig
+++ Systemd::Unit[wmf_auto_restart_haproxy.service]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => wmf_auto_restart_haproxy.service
+    ensure            => present
+    restart           => False

Service[prometheus_ferm_mss.timer]

Parameters differences:

--- Service[prometheus_ferm_mss.timer].orig
+++ Service[prometheus_ferm_mss.timer]

+    enable   => True
+    ensure   => running
+    provider => systemd

Rsyslog::Conf[prometheus_lvs_realserver_mss]

Parameters differences:

--- Rsyslog::Conf[prometheus_lvs_realserver_mss].orig
+++ Rsyslog::Conf[prometheus_lvs_realserver_mss]

+    ensure   => present
+    require  => File[/var/log/prometheus_lvs_realserver_mss]
+    priority => 40
+    mode     => 0444

Etcd::Client::Config[/root/.etcdrc]

Parameters differences:

--- Etcd::Client::Config[/root/.etcdrc].orig
+++ Etcd::Client::Config[/root/.etcdrc]

+    owner          => root
+    ensure         => present
+    group          => root
+    settings       => {'username': 'conftool', 'password': 'another_secret'}
+    world_readable => False

Class[Profile::Lvs::Realserver::Ipip]

Parameters differences:

--- Class[Profile::Lvs::Realserver::Ipip].orig
+++ Class[Profile::Lvs::Realserver::Ipip]

+    firewall_provider => ferm
+    enabled           => True
+    pools             => {'gerrit-ssh': {'services': ['gerrit']}}
+    interfaces        => ['ens13', 'lo']
+    ipv4_mss          => 1440
+    ipv6_mss          => 1400
+    clamping_enabled  => True

File[/var/log/prometheus_ferm_mss]

Parameters differences:

--- File[/var/log/prometheus_ferm_mss].orig
+++ File[/var/log/prometheus_ferm_mss]

+    owner  => root
+    force  => True
+    ensure => directory
+    group  => root
+    backup => False
+    mode   => 0755

File[/etc/logrotate.d/prometheus_lvs_realserver_mss]

Parameters differences:

--- File[/etc/logrotate.d/prometheus_lvs_realserver_mss].orig
+++ File[/etc/logrotate.d/prometheus_lvs_realserver_mss]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0444

Content differences:

--- /etc/logrotate.d/prometheus_lvs_realserver_mss.orig
+++ /etc/logrotate.d/prometheus_lvs_realserver_mss
@@ -0,0 +1,12 @@
+# logrotate(8) config for prometheus_lvs_realserver_mss
+
+/var/log/prometheus_lvs_realserver_mss/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]

Parameters differences:

--- File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status].orig
+++ File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]

+    ensure  => absent
+    group   => root
+    owner   => root
+    require => Package[nagios-nrpe-server]

Concat_fragment[main contacts]

Content differences:

--- main contacts.orig
+++ main contacts
@@ -1,3 +1,2 @@
 ---
-role::insetup::infrastructure_foundations_ferm:
-- Infrastructure Foundations
+role::tcpproxy: []

Class[Base::Sysctl]

Parameters differences:

--- Class[Base::Sysctl].orig
+++ Class[Base::Sysctl]

@@
-    default_rp_filter => 1
+    default_rp_filter => 0
@@
-    all_rp_filter     => 1
+    all_rp_filter     => 0

Systemd::Timer[wmf_auto_restart_haproxy]

Parameters differences:

--- Systemd::Timer[wmf_auto_restart_haproxy].orig
+++ Systemd::Timer[wmf_auto_restart_haproxy]

+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 2:50:00'}]
+    accuracy           => 15sec
+    splay              => 0
+    fixed_random_delay => False
+    ensure             => present
+    unit_name          => wmf_auto_restart_haproxy.service

Exec[ip addr add 127.0.0.42/32 dev ipip0]

Parameters differences:

--- Exec[ip addr add 127.0.0.42/32 dev ipip0].orig
+++ Exec[ip addr add 127.0.0.42/32 dev ipip0]

+    returns => [0, 2]
+    path    => /bin:/usr/bin
+    unless  => ip address show ipip0 | grep -q 127.0.0.42/32

Nrpe::Monitor_service[check_tcp-mss-clamper_status]

Parameters differences:

--- Nrpe::Monitor_service[check_tcp-mss-clamper_status].orig
+++ Nrpe::Monitor_service[check_tcp-mss-clamper_status]

+    critical                    => False
+    timeout                     => 10
+    check_interval              => 10
+    retry_interval              => 1
+    contact_group               => admins
+    nrpe2nodexp_parse_perf_data => False
+    enable_icinga_check         => True
+    notes_url                   => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    retries                     => 2
+    description                 => Check unit status of tcp-mss-clamper
+    alertmanager_team           => observability
+    ensure                      => absent
+    migration_task              => T407130
+    enable_nrpe2nodexp          => False
+    nrpe_command                => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper

Systemd::Monitor[tcp-mss-clamper]

Parameters differences:

--- Systemd::Monitor[tcp-mss-clamper].orig
+++ Systemd::Monitor[tcp-mss-clamper]

+    critical       => False
+    check_interval => 10
+    notes_url      => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    contact_group  => admins
+    retries        => 2
+    ensure         => absent
+    migration_task => T407130

Logrotate::Conf[prometheus_lvs_realserver_mss]

Parameters differences:

--- Logrotate::Conf[prometheus_lvs_realserver_mss].orig
+++ Logrotate::Conf[prometheus_lvs_realserver_mss]

+    ensure => present

Systemd::Service[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Service[prometheus_lvs_realserver_mss].orig
+++ Systemd::Service[prometheus_lvs_realserver_mss]

+    override                 => False
+    require                  => Systemd::Unit[prometheus_lvs_realserver_mss.service]
+    monitoring_contact_group => admins
+    monitoring_enabled       => False
+    service_params           => {}
+    unit_type                => timer
+    monitoring_critical      => False
+    ensure                   => present
+    migration_task           => T407130
+    restart                  => False

Class[Profile::Contacts]

Parameters differences:

--- Class[Profile::Contacts].orig
+++ Class[Profile::Contacts]

@@
-    role_contacts => ['Infrastructure Foundations']
+    role_contacts => []
@@
-    cluster       => insetup
+    cluster       => misc

Class[Monitoring]

Parameters differences:

--- Class[Monitoring].orig
+++ Class[Monitoring]

@@
-    notifications_enabled => False
+    notifications_enabled => True
@@
-    nagios_group          => insetup_eqsin
+    nagios_group          => misc_eqsin
@@
-    cluster               => insetup
+    cluster               => misc

File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]

Parameters differences:

--- File[/lib/systemd/system/wmf_auto_restart_haproxy.timer].orig
+++ File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]

+    owner  => root
+    notify => Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/wmf_auto_restart_haproxy.timer.orig
+++ /lib/systemd/system/wmf_auto_restart_haproxy.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of wmf_auto_restart_haproxy.service
+
+[Timer]
+Unit=wmf_auto_restart_haproxy.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 2:50:00
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

Interface::Post_up_command[clsact_ens13]

Parameters differences:

--- Interface::Post_up_command[clsact_ens13].orig
+++ Interface::Post_up_command[clsact_ens13]

+    ensure    => absent
+    interface => ens13
+    command   => /usr/sbin/tc qdisc add dev ens13 clsact

Motd::Message[tcpproxy]

Parameters differences:

--- Motd::Message[tcpproxy].orig
+++ Motd::Message[tcpproxy]

+    ensure   => present
+    priority => 5
+    message  => tcp-proxy5004 is tcpproxy

Augeas[ipip60_manual]

Parameters differences:

--- Augeas[ipip60_manual].orig
+++ Augeas[ipip60_manual]

+    incl    => /etc/network/interfaces
+    changes => ["set auto[./1 = 'ipip60']/1 'ipip60'", "set iface[. = 'ipip60'] 'ipip60'", "set iface[. = 'ipip60']/family 'inet6'", "set iface[. = 'ipip60']/method 'manual'"]
+    context => /files/etc/network/interfaces
+    lens    => Interfaces.lns

Systemd::Service[tcp-mss-clamper]

Parameters differences:

--- Systemd::Service[tcp-mss-clamper].orig
+++ Systemd::Service[tcp-mss-clamper]

+    override                 => False
+    monitoring_contact_group => admins
+    monitoring_enabled       => True
+    service_params           => {}
+    monitoring_notes_url     => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    unit_type                => service
+    monitoring_critical      => False
+    ensure                   => absent
+    migration_task           => T407130
+    restart                  => False

File[/etc/logrotate.d/wmf_auto_restart_haproxy]

Parameters differences:

--- File[/etc/logrotate.d/wmf_auto_restart_haproxy].orig
+++ File[/etc/logrotate.d/wmf_auto_restart_haproxy]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0444

Content differences:

--- /etc/logrotate.d/wmf_auto_restart_haproxy.orig
+++ /etc/logrotate.d/wmf_auto_restart_haproxy
@@ -0,0 +1,12 @@
+# logrotate(8) config for wmf_auto_restart_haproxy
+
+/var/log/wmf_auto_restart_haproxy/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

File[/usr/local/bin/pool-gerrit]

Parameters differences:

--- File[/usr/local/bin/pool-gerrit].orig
+++ File[/usr/local/bin/pool-gerrit]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0555

Content differences:

--- /usr/local/bin/pool-gerrit.orig
+++ /usr/local/bin/pool-gerrit
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/local/bin/safe-service-restart --pools gerrit-ssh --pool --retries 10 --wait 5

File[/var/log/prometheus_lvs_realserver_mss]

Parameters differences:

--- File[/var/log/prometheus_lvs_realserver_mss].orig
+++ File[/var/log/prometheus_lvs_realserver_mss]

+    owner  => root
+    force  => True
+    ensure => directory
+    group  => root
+    backup => False
+    mode   => 0755

Systemd::Timer[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Timer[prometheus_ferm_mss].orig
+++ Systemd::Timer[prometheus_ferm_mss]

+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'minutely'}]
+    accuracy           => 15sec
+    splay              => 0
+    fixed_random_delay => False
+    ensure             => present
+    unit_name          => prometheus_ferm_mss.service

Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]

Parameters differences:

--- Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport].orig
+++ Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]

+    ensure         => present
+    outfile        => /var/lib/prometheus/node.d/lvs-realserver-mss.prom
+    clamped_ipport => ['103.102.166.225:29418', '[2001:df2:e500:ed1a::2]:29418']

Systemd::Unit[prometheus_lvs_realserver_mss.timer]

Parameters differences:

--- Systemd::Unit[prometheus_lvs_realserver_mss.timer].orig
+++ Systemd::Unit[prometheus_lvs_realserver_mss.timer]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => prometheus_lvs_realserver_mss.timer
+    ensure            => present
+    restart           => False

Concat::Fragment[main contacts]

Etcd::Client::Config[/etc/etcd/etcdrc]

Parameters differences:

--- Etcd::Client::Config[/etc/etcd/etcdrc].orig
+++ Etcd::Client::Config[/etc/etcd/etcdrc]

+    owner          => root
+    ensure         => present
+    group          => root
+    settings       => {'host': None, 'port': None, 'srv_domain': 'conftool.eqsin.wmnet', 'ca_cert': '/etc/ssl/certs/wmf-ca-certificates.crt', 'protocol': 'https', 'allow_reconnect': True}
+    world_readable => True

File[/etc/default/wikimedia-lvs-realserver]

Parameters differences:

--- File[/etc/default/wikimedia-lvs-realserver].orig
+++ File[/etc/default/wikimedia-lvs-realserver]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0444

Content differences:

--- /etc/default/wikimedia-lvs-realserver.orig
+++ /etc/default/wikimedia-lvs-realserver
@@ -0,0 +1,10 @@
+# This file is managed by puppet!
+
+
+
+# Location of the sysctl file containing LVS ARP settings
+SYSCTLFILE=/usr/share/wikimedia-lvs-realserver/sysctl.conf
+
+# LVS service IPs to be bound to the loopback interface,
+# separate using spaces
+LVS_SERVICE_IPS="103.102.166.225 2001:df2:e500:ed1a::2"

File[/usr/local/bin/depool-gerrit]

Parameters differences:

--- File[/usr/local/bin/depool-gerrit].orig
+++ File[/usr/local/bin/depool-gerrit]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0555

Content differences:

--- /usr/local/bin/depool-gerrit.orig
+++ /usr/local/bin/depool-gerrit
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/local/bin/safe-service-restart --pools gerrit-ssh --depool --retries 10 --wait 5

Systemd::Syslog[wmf_auto_restart_haproxy]

Parameters differences:

--- Systemd::Syslog[wmf_auto_restart_haproxy].orig
+++ Systemd::Syslog[wmf_auto_restart_haproxy]

+    owner                  => root
+    force_stop             => True
+    log_filename           => syslog.log
+    readable_by            => all
+    base_dir               => /var/log
+    ensure                 => present
+    programname_comparison => startswith
+    group                  => root

Systemd::Service[wmf_auto_restart_haproxy]

Parameters differences:

--- Systemd::Service[wmf_auto_restart_haproxy].orig
+++ Systemd::Service[wmf_auto_restart_haproxy]

+    override                 => False
+    require                  => Systemd::Unit[wmf_auto_restart_haproxy.service]
+    monitoring_contact_group => admins
+    monitoring_enabled       => False
+    service_params           => {}
+    unit_type                => timer
+    monitoring_critical      => False
+    ensure                   => present
+    migration_task           => T407130
+    restart                  => False

File[/usr/local/bin/decommission]

Parameters differences:

--- File[/usr/local/bin/decommission].orig
+++ File[/usr/local/bin/decommission]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/conftool-simple-command.sh
+    mode   => 0555

Systemd::Unit[prometheus_lvs_realserver_mss.service]

Parameters differences:

--- Systemd::Unit[prometheus_lvs_realserver_mss.service].orig
+++ Systemd::Unit[prometheus_lvs_realserver_mss.service]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => prometheus_lvs_realserver_mss.service
+    ensure            => present
+    restart           => False

File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]

Parameters differences:

--- File[/usr/local/lib/nagios/plugins/check_systemd_unit_status].orig
+++ File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]

+    require => File[/usr/local/lib/nagios/plugins/]
+    owner   => root
+    ensure  => file
+    tag     => nrpe::plugin
+    group   => root
+    source  => puppet:///modules/systemd/check_systemd_unit_status
+    mode    => 0555

Systemd::Timer[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Timer[prometheus_lvs_realserver_mss].orig
+++ Systemd::Timer[prometheus_lvs_realserver_mss]

+    timer_intervals    => [{'start': 'OnCalendar', 'interval': 'minutely'}]
+    accuracy           => 15sec
+    splay              => 0
+    fixed_random_delay => False
+    ensure             => present
+    unit_name          => prometheus_lvs_realserver_mss.service

Systemd::Syslog[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Syslog[prometheus_lvs_realserver_mss].orig
+++ Systemd::Syslog[prometheus_lvs_realserver_mss]

+    owner                  => root
+    force_stop             => True
+    log_filename           => syslog.log
+    readable_by            => all
+    base_dir               => /var/log
+    ensure                 => present
+    programname_comparison => startswith
+    group                  => root

File[/usr/local/bin/pooler-loop]

Parameters differences:

--- File[/usr/local/bin/pooler-loop].orig
+++ File[/usr/local/bin/pooler-loop]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/pooler_loop.rb
+    mode   => 0555

Interface::Post_up_command[clsact_lo]

Parameters differences:

--- Interface::Post_up_command[clsact_lo].orig
+++ Interface::Post_up_command[clsact_lo]

+    ensure    => absent
+    interface => lo
+    command   => /usr/sbin/tc qdisc add dev lo clsact

Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)].orig
+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]

+    before      => ['Service[prometheus_lvs_realserver_mss.timer]']
+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Augeas[ipip0_add_up]

Parameters differences:

--- Augeas[ipip0_add_up].orig
+++ Augeas[ipip0_add_up]

+    require => Interface::Manual[ipip_ipv4]
+    context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    onlyif  => match up[. = 'ip link add name ipip0 type ipip external'] size == 0
+    changes => set up[last()+1] 'ip link add name ipip0 type ipip external'

File[/var/log/wmf_auto_restart_haproxy]

Parameters differences:

--- File[/var/log/wmf_auto_restart_haproxy].orig
+++ File[/var/log/wmf_auto_restart_haproxy]

+    owner  => root
+    force  => True
+    ensure => directory
+    group  => root
+    backup => False
+    mode   => 0755

Sudo::User[nrpe-check_check_tcp-mss-clamper_status]

Parameters differences:

--- Sudo::User[nrpe-check_check_tcp-mss-clamper_status].orig
+++ Sudo::User[nrpe-check_check_tcp-mss-clamper_status]

+    require    => ['Class[Sudo]']
+    privileges => []
+    ensure     => absent
+    tag        => nrpe::check
+    user       => nagios

File[/lib/systemd/system/prometheus_ferm_mss.service]

Parameters differences:

--- File[/lib/systemd/system/prometheus_ferm_mss.service].orig
+++ File[/lib/systemd/system/prometheus_ferm_mss.service]

+    owner  => root
+    notify => Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/prometheus_ferm_mss.service.orig
+++ /lib/systemd/system/prometheus_ferm_mss.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Regular job to collect MSS values of ferm-based hosts
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418

Exec[disable-rp-filter-ipip0]

Parameters differences:

--- Exec[disable-rp-filter-ipip0].orig
+++ Exec[disable-rp-filter-ipip0]

+    require => Interface::Ipip[ipip_ipv4]
+    unless  => /usr/sbin/sysctl -n net.ipv4.conf.ipip0.rp_filter |grep -- '0'
+    command => /usr/sbin/sysctl -q net.ipv4.conf.ipip0.rp_filter=0

File[/root/.etcdrc]

Parameters differences:

--- File[/root/.etcdrc].orig
+++ File[/root/.etcdrc]

+    show_diff => False
+    owner     => root
+    ensure    => present
+    group     => root
+    mode      => 0440

Content differences:

--- /root/.etcdrc.orig
+++ /root/.etcdrc
@@ -0,0 +1,3 @@
+password: another_secret
+username: conftool
+

Systemd::Syslog[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Syslog[prometheus_ferm_mss].orig
+++ Systemd::Syslog[prometheus_ferm_mss]

+    owner                  => root
+    force_stop             => True
+    log_filename           => syslog.log
+    readable_by            => all
+    base_dir               => /var/log
+    ensure                 => present
+    programname_comparison => startswith
+    group                  => root

Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active]

Parameters differences:

--- Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active].orig
+++ Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqsin
+    servicegroups         => misc_eqsin

Motd::Script[insetup::infrastructure_foundations_ferm]

Parameters differences:

--- Motd::Script[insetup::infrastructure_foundations_ferm].orig
+++ Motd::Script[insetup::infrastructure_foundations_ferm]

-    ensure   => present
-    priority => 5

Interface::Ip[ipip_ipv4 ipv4]

Parameters differences:

--- Interface::Ip[ipip_ipv4 ipv4].orig
+++ Interface::Ip[ipip_ipv4 ipv4]

+    address   => 127.0.0.42
+    require   => Augeas[ipip0_set_up]
+    prefixlen => 32
+    ensure    => present
+    interface => ipip0

Service[prometheus_lvs_realserver_mss.timer]

Parameters differences:

--- Service[prometheus_lvs_realserver_mss.timer].orig
+++ Service[prometheus_lvs_realserver_mss.timer]

+    enable   => True
+    ensure   => running
+    provider => systemd

Augeas[ipip60_set_up]

Parameters differences:

--- Augeas[ipip60_set_up].orig
+++ Augeas[ipip60_set_up]

+    require => Augeas[ipip60_add_up]
+    context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']
+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    onlyif  => match up[. = 'ip link set up dev ipip60'] size == 0
+    changes => set up[last()+1] 'ip link set up dev ipip60'

Monitoring::Exported_nagios_service[tcp-proxy5004 ssh]

Parameters differences:

--- Monitoring::Exported_nagios_service[tcp-proxy5004 ssh].orig
+++ Monitoring::Exported_nagios_service[tcp-proxy5004 ssh]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqsin
+    servicegroups         => misc_eqsin

Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]

Parameters differences:

--- Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)].orig
+++ Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)].orig
+++ Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Augeas[ipip0_manual]

Parameters differences:

--- Augeas[ipip0_manual].orig
+++ Augeas[ipip0_manual]

+    incl    => /etc/network/interfaces
+    changes => ["set auto[./1 = 'ipip0']/1 'ipip0'", "set iface[. = 'ipip0'] 'ipip0'", "set iface[. = 'ipip0']/family 'inet'", "set iface[. = 'ipip0']/method 'manual'"]
+    context => /files/etc/network/interfaces
+    lens    => Interfaces.lns

File[/etc/update-motd.d/05-tcpproxy]

Parameters differences:

--- File[/etc/update-motd.d/05-tcpproxy].orig
+++ File[/etc/update-motd.d/05-tcpproxy]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0555

Content differences:

--- /etc/update-motd.d/05-tcpproxy.orig
+++ /etc/update-motd.d/05-tcpproxy
@@ -0,0 +1,2 @@
+#!/bin/sh
+printf "%s\n" "tcp-proxy5004 is tcpproxy"

Class[Poolcounter::Client::Python]

Parameters differences:

--- Class[Poolcounter::Client::Python].orig
+++ Class[Poolcounter::Client::Python]

+    ensure   => absent
+    backends => []

File[/etc/etcd]

Parameters differences:

--- File[/etc/etcd].orig
+++ File[/etc/etcd]

+    ensure => directory
+    group  => root
+    owner  => root
+    mode   => 0755

File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]

Parameters differences:

--- File[/etc/ferm/conf.d/10_proxy_gerrit_ssh].orig
+++ File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]

+    require => File[/etc/ferm/conf.d]
+    owner   => root
+    notify  => Service[ferm]
+    ensure  => present
+    tag     => ferm
+    group   => root
+    mode    => 0400

Content differences:

--- /etc/ferm/conf.d/10_proxy_gerrit_ssh.orig
+++ /etc/ferm/conf.d/10_proxy_gerrit_ssh
@@ -0,0 +1,6 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 
+&SERVICE(tcp, 29418);
+
+

Interface::Ipip[ipip_ipv4]

Parameters differences:

--- Interface::Ipip[ipip_ipv4].orig
+++ Interface::Ipip[ipip_ipv4]

+    ensure    => present
+    address   => 127.0.0.42
+    interface => ipip0
+    family    => inet

File[/usr/local/bin/safe-service-restart]

Parameters differences:

--- File[/usr/local/bin/safe-service-restart].orig
+++ File[/usr/local/bin/safe-service-restart]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/safe-service-restart.py
+    mode   => 0555

Systemd::Timer::Job[prometheus_lvs_realserver_mss]

Parameters differences:

--- Systemd::Timer::Job[prometheus_lvs_realserver_mss].orig
+++ Systemd::Timer::Job[prometheus_lvs_realserver_mss]

+    private_tmp               => False
+    environment               => {}
+    syslog_force_stop         => True
+    ignore_errors             => False
+    fixed_random_delay        => False
+    success_exit_status       => []
+    send_mail_only_on_error   => True
+    monitoring_enabled        => False
+    syslog_match_startswith   => True
+    description               => Regular job to collect MSS values of realserver endpoints
+    logfile_basedir           => /var/log
+    logfile_perms             => all
+    command                   => /usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418
+    monitoring_contact_groups => admins
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_to              => root@tcp-proxy5004.eqsin.wmnet
+    logging_enabled           => True
+    logfile_name              => syslog.log
+    send_mail                 => False
+    interval                  => {'start': 'OnCalendar', 'interval': 'minutely'}
+    ensure                    => present
+    user                      => root
+    logfile_group             => root

File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]

Parameters differences:

--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer].orig
+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]

+    owner  => root
+    notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/prometheus_lvs_realserver_mss.timer.orig
+++ /lib/systemd/system/prometheus_lvs_realserver_mss.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of prometheus_lvs_realserver_mss.service
+
+[Timer]
+Unit=prometheus_lvs_realserver_mss.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=minutely
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service].orig
+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => nrpe2nodexp-check_tcp-mss-clamper_status.service
+    ensure            => absent
+    restart           => False

File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]

Parameters differences:

--- File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm].orig
+++ File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]

-    ensure => present
-    group  => root
-    owner  => root
-    mode   => 0555

Content differences:

--- /etc/update-motd.d/05-insetup--infrastructure-foundations-ferm.orig
+++ /etc/update-motd.d/05-insetup--infrastructure-foundations-ferm
@@ -1,2 +0,0 @@
-#!/bin/sh
-printf "%s\n" "tcp-proxy5004 is a Host being setup by Infrastructure Foundations SREs with ferm (insetup::infrastructure_foundations_ferm)"

Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]

+    ensure   => absent
+    priority => 25
+    mode     => 0444

Interface::Manual[ipip_ipv4]

Parameters differences:

--- Interface::Manual[ipip_ipv4].orig
+++ Interface::Manual[ipip_ipv4]

+    family    => inet
+    ensure    => present
+    hotplug   => False
+    interface => ipip0

Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)].orig
+++ Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]

+    before      => ['Service[prometheus_ferm_mss.timer]']
+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Sysctl::Parameters[ubuntu defaults]

Parameters differences:

--- Sysctl::Parameters[ubuntu defaults].orig
+++ Sysctl::Parameters[ubuntu defaults]

@@
-    values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 1, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}
+    values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 0, 'net.ipv4.conf.all.rp_filter': 0, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}

Package[python3-conftool]

Parameters differences:

--- Package[python3-conftool].orig
+++ Package[python3-conftool]

+    provider => apt
+    ensure   => installed

Interface::Clsact[clsact_lo]

Parameters differences:

--- Interface::Clsact[clsact_lo].orig
+++ Interface::Clsact[clsact_lo]

+    ensure    => absent
+    interface => lo

Logrotate::Conf[wmf_auto_restart_haproxy]

Parameters differences:

--- Logrotate::Conf[wmf_auto_restart_haproxy].orig
+++ Logrotate::Conf[wmf_auto_restart_haproxy]

+    ensure => present

File[/usr/local/bin/pool]

Parameters differences:

--- File[/usr/local/bin/pool].orig
+++ File[/usr/local/bin/pool]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/conftool-simple-command.sh
+    mode   => 0555

Class[Adduser]

Parameters differences:

--- Class[Adduser].orig
+++ Class[Adduser]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[haproxy]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']

File[/etc/ferm/conf.d/10_clamp-mss-ipv6]

Parameters differences:

--- File[/etc/ferm/conf.d/10_clamp-mss-ipv6].orig
+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv6]

+    require => File[/etc/ferm/conf.d]
+    owner   => root
+    notify  => Service[ferm]
+    ensure  => present
+    tag     => ferm
+    group   => root
+    mode    => 0400

Content differences:

--- /etc/ferm/conf.d/10_clamp-mss-ipv6.orig
+++ /etc/ferm/conf.d/10_clamp-mss-ipv6
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_clamp-mss-ipv6: 
+
+domain (ip6) {
+	table filter {
+		chain OUTPUT {
+			outerface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1400;
+		}
+	}
+}

Class[Profile::Cumin::Target]

Parameters differences:

--- Class[Profile::Cumin::Target].orig
+++ Class[Profile::Cumin::Target]

@@
-    cluster => insetup
+    cluster => misc

File[/usr/local/sbin/restart-gerrit]

Parameters differences:

--- File[/usr/local/sbin/restart-gerrit].orig
+++ File[/usr/local/sbin/restart-gerrit]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0555

Content differences:

--- /usr/local/sbin/restart-gerrit.orig
+++ /usr/local/sbin/restart-gerrit
@@ -0,0 +1,2 @@
+#!/bin/bash
+/usr/local/bin/safe-service-restart --pools gerrit-ssh --services gerrit --retries 10 --wait 5 $@

Package[wikimedia-lvs-realserver]

Parameters differences:

--- Package[wikimedia-lvs-realserver].orig
+++ Package[wikimedia-lvs-realserver]

+    provider => apt
+    ensure   => present
+    require  => File[/etc/default/wikimedia-lvs-realserver]

Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

Parameters differences:

--- Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig
+++ Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

+    enable   => False
+    ensure   => stopped
+    before   => ['Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]']
+    provider => systemd

Monitoring::Exported_nagios_host[tcp-proxy5004]

Parameters differences:

--- Monitoring::Exported_nagios_host[tcp-proxy5004].orig
+++ Monitoring::Exported_nagios_host[tcp-proxy5004]

@@
-    hostgroups            => insetup_eqsin
+    hostgroups            => misc_eqsin
@@
-    notifications_enabled => 0
+    notifications_enabled => 1

Systemd::Service[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Service[prometheus_ferm_mss].orig
+++ Systemd::Service[prometheus_ferm_mss]

+    override                 => False
+    require                  => Systemd::Unit[prometheus_ferm_mss.service]
+    monitoring_contact_group => admins
+    monitoring_enabled       => False
+    service_params           => {}
+    unit_type                => timer
+    monitoring_critical      => False
+    ensure                   => present
+    migration_task           => T407130
+    restart                  => False

File[/etc/sysctl.d/51-ubuntu-defaults.conf]

Content differences:

--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig
+++ /etc/sysctl.d/51-ubuntu-defaults.conf
@@ -4,7 +4,7 @@
 kernel.kptr_restrict = 1
 kernel.printk = 4 4 1 7
 kernel.yama.ptrace_scope = 1
-net.ipv4.conf.all.rp_filter = 1
-net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 0
 net.ipv4.tcp_syncookies = 1
 vm.mmap_min_addr = 65536

Class[Profile::Conftool::Client]

Parameters differences:

--- Class[Profile::Conftool::Client].orig
+++ Class[Profile::Conftool::Client]

+    require                => ['Class[Passwords::Etcd]']
+    namespace              => /conftool
+    tcpircbot_port         => 9200
+    etcd_user              => __auto__
+    tcpircbot_host         => icinga.wikimedia.org
+    conftool2git_host      => puppetserver1003.eqiad.wmnet
+    srv_domain             => conftool.eqsin.wmnet
+    pool_pwd_seed          => 21}@/
+    conftool2git_bind_addr => 0.0.0.0:1312

Sysctl::Conffile[ubuntu defaults]

Rsyslog::Conf[prometheus_ferm_mss]

Parameters differences:

--- Rsyslog::Conf[prometheus_ferm_mss].orig
+++ Rsyslog::Conf[prometheus_ferm_mss]

+    ensure   => present
+    require  => File[/var/log/prometheus_ferm_mss]
+    priority => 40
+    mode     => 0444

Systemd::Unit[prometheus_ferm_mss.timer]

Parameters differences:

--- Systemd::Unit[prometheus_ferm_mss.timer].orig
+++ Systemd::Unit[prometheus_ferm_mss.timer]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => prometheus_ferm_mss.timer
+    ensure            => present
+    restart           => False

Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

Parameters differences:

--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig
+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => nrpe2nodexp-check_tcp-mss-clamper_status.timer
+    ensure            => absent
+    restart           => False

Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]

Parameters differences:

--- Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status].orig
+++ Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]

+    is_volatile            => 0
+    retry_interval         => 1
+    check_interval         => 10
+    service_description    => Check unit status of tcp-mss-clamper
+    notification_interval  => 0
+    notification_options   => c,r,f
+    notifications_enabled  => 1
+    host_name              => tcp-proxy5004
+    active_checks_enabled  => 1
+    check_command          => nrpe_check!check_check_tcp-mss-clamper_status!10
+    max_check_attempts     => 2
+    servicegroups          => misc_eqsin
+    passive_checks_enabled => 1
+    notification_period    => 24x7
+    notes_url              => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    check_period           => 24x7
+    ensure                 => absent
+    contact_groups         => admins
+    check_freshness        => 0

File_line[rm_post-up_lo_clsact_lo]

Parameters differences:

--- File_line[rm_post-up_lo_clsact_lo].orig
+++ File_line[rm_post-up_lo_clsact_lo]

+    ensure            => absent
+    path              => /etc/network/interfaces
+    match_for_absence => True
+    match             => post-up /usr/sbin/tc qdisc add dev lo clsact

Class[Profile::Base]

Parameters differences:

--- Class[Profile::Base].orig
+++ Class[Profile::Base]

@@
-    cluster   => insetup
+    cluster   => misc
@@
-    rp_filter => True
+    rp_filter => False

Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)].orig
+++ Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]

+    before      => ['Service[wmf_auto_restart_haproxy.timer]']
+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

File[/etc/conftool/local_services.yaml]

Parameters differences:

--- File[/etc/conftool/local_services.yaml].orig
+++ File[/etc/conftool/local_services.yaml]

+    ensure => present
+    group  => root
+    owner  => root

Content differences:

--- /etc/conftool/local_services.yaml.orig
+++ /etc/conftool/local_services.yaml
@@ -0,0 +1,7 @@
+---
+gerrit-ssh:
+  cluster: tcp-proxy
+  service: gerrit
+  servers:
+  - pybal-high-traffic1-eqsin.wikimedia.org
+  port: 29418

Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]

Parameters differences:

--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)].orig
+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Ferm::Rule[ipip]

Parameters differences:

--- Ferm::Rule[ipip].orig
+++ Ferm::Rule[ipip]

+    desc   => 
+    domain => (ip)
+    rule   => saddr 172.16.0.0/12 proto ipencap ACCEPT;
+    prio   => 10
+    ensure => present
+    table  => filter
+    chain  => INPUT

File[/usr/local/bin/prometheus-ferm-mss]

Parameters differences:

--- File[/usr/local/bin/prometheus-ferm-mss].orig
+++ File[/usr/local/bin/prometheus-ferm-mss]

+    owner  => root
+    ensure => file
+    group  => root
+    source => puppet:///modules/prometheus/usr/local/bin/prometheus-ferm-mss.py
+    mode   => 0555

Augeas[ipip0_127.0.0.42/32]

Parameters differences:

--- Augeas[ipip0_127.0.0.42/32].orig
+++ Augeas[ipip0_127.0.0.42/32]

+    context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    onlyif  => match up[. = 'ip addr add 127.0.0.42/32 dev ipip0'] size == 0
+    changes => set up[last()+1] 'ip addr add 127.0.0.42/32 dev ipip0'

Motd::Message[insetup::infrastructure_foundations_ferm]

Parameters differences:

--- Motd::Message[insetup::infrastructure_foundations_ferm].orig
+++ Motd::Message[insetup::infrastructure_foundations_ferm]

-    ensure   => present
-    priority => 5
-    message  => tcp-proxy5004 is a Host being setup by Infrastructure Foundations SREs with ferm (insetup::infrastructure_foundations_ferm)

Exec[/usr/sbin/tc qdisc del dev ens13 clsact]

Parameters differences:

--- Exec[/usr/sbin/tc qdisc del dev ens13 clsact].orig
+++ Exec[/usr/sbin/tc qdisc del dev ens13 clsact]

+    onlyif => /usr/sbin/tc qdisc show dev ens13 | grep -q clsact

Exec[ip link set up dev ipip0]

Parameters differences:

--- Exec[ip link set up dev ipip0].orig
+++ Exec[ip link set up dev ipip0]

+    returns => [0, 2]
+    path    => /bin:/usr/bin
+    unless  => ip link show ipip0 | grep -q UP

Class[Conftool::Config]

Parameters differences:

--- Class[Conftool::Config].orig
+++ Class[Conftool::Config]

+    namespace            => /conftool
+    tcpircbot_host       => icinga.wikimedia.org
+    tcpircbot_port       => 9200
+    hosts                => []
+    conftool2git_address => puppetserver1003.eqiad.wmnet:1312

Motd::Script[tcpproxy]

Parameters differences:

--- Motd::Script[tcpproxy].orig
+++ Motd::Script[tcpproxy]

+    ensure   => present
+    priority => 5

Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space]

Parameters differences:

--- Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space].orig
+++ Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space]

@@
-    notifications_enabled => 0
+    notifications_enabled => 1
@@
-    servicegroups         => insetup_eqsin
+    servicegroups         => misc_eqsin

Systemd::Timer::Job[prometheus_ferm_mss]

Parameters differences:

--- Systemd::Timer::Job[prometheus_ferm_mss].orig
+++ Systemd::Timer::Job[prometheus_ferm_mss]

+    private_tmp               => False
+    environment               => {}
+    syslog_force_stop         => True
+    ignore_errors             => False
+    fixed_random_delay        => False
+    success_exit_status       => []
+    send_mail_only_on_error   => True
+    monitoring_enabled        => False
+    syslog_match_startswith   => True
+    description               => Regular job to collect MSS values of ferm-based hosts
+    logfile_basedir           => /var/log
+    logfile_perms             => all
+    command                   => /usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418
+    monitoring_contact_groups => admins
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_to              => root@tcp-proxy5004.eqsin.wmnet
+    logging_enabled           => True
+    logfile_name              => syslog.log
+    send_mail                 => False
+    interval                  => {'start': 'OnCalendar', 'interval': 'minutely'}
+    ensure                    => present
+    user                      => root
+    logfile_group             => root

File[/etc/logrotate.d/prometheus_ferm_mss]

Parameters differences:

--- File[/etc/logrotate.d/prometheus_ferm_mss].orig
+++ File[/etc/logrotate.d/prometheus_ferm_mss]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0444

Content differences:

--- /etc/logrotate.d/prometheus_ferm_mss.orig
+++ /etc/logrotate.d/prometheus_ferm_mss
@@ -0,0 +1,12 @@
+# logrotate(8) config for prometheus_ferm_mss
+
+/var/log/prometheus_ferm_mss/*.log {
+    daily
+    copytruncate
+    missingok
+    compress
+    delaycompress
+    notifempty
+    rotate 15
+    size 256M
+}

Augeas[ipip60_add_up]

Parameters differences:

--- Augeas[ipip60_add_up].orig
+++ Augeas[ipip60_add_up]

+    require => Interface::Manual[ipip_ipv6]
+    context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']
+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    onlyif  => match up[. = 'ip link add name ipip60 type ip6tnl external'] size == 0
+    changes => set up[last()+1] 'ip link add name ipip60 type ip6tnl external'

Class[Profile::Apt]

Parameters differences:

--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]

@@
-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']
+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[haproxy]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']

Class[Profile::Tcpproxy]

Parameters differences:

--- Class[Profile::Tcpproxy].orig
+++ Class[Profile::Tcpproxy]

+    socket          => /run/haproxy/haproxy.sock
+    prometheus_port => 9422

File_line[rm_post-up_ens13_clsact_ens13]

Parameters differences:

--- File_line[rm_post-up_ens13_clsact_ens13].orig
+++ File_line[rm_post-up_ens13_clsact_ens13]

+    ensure            => absent
+    path              => /etc/network/interfaces
+    match_for_absence => True
+    match             => post-up /usr/sbin/tc qdisc add dev ens13 clsact

Service[haproxy]

Parameters differences:

--- Service[haproxy].orig
+++ Service[haproxy]

+    enable  => True
+    ensure  => running
+    require => Package[haproxy]

File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]

Parameters differences:

--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.service].orig
+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]

+    owner  => root
+    notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/prometheus_lvs_realserver_mss.service.orig
+++ /lib/systemd/system/prometheus_lvs_realserver_mss.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Regular job to collect MSS values of realserver endpoints
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418

File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]

+    owner  => root
+    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
+    ensure => absent
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service.orig
+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=nagios
+
+Group=prometheus-node-exporter
+SyslogIdentifier=nrpe2nodexp-check_tcp-mss-clamper_status
+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash "295d6d5dd0a784bb9ba1d5983fd1894f" --timeout 10 --check-command "check_check_tcp-mss-clamper_status"

Package[haproxy]

Parameters differences:

--- Package[haproxy].orig
+++ Package[haproxy]

+    provider => apt
+    ensure   => installed

Class[Profile::Monitoring]

Parameters differences:

--- Class[Profile::Monitoring].orig
+++ Class[Profile::Monitoring]

@@
-    notifications_enabled => False
+    notifications_enabled => True
@@
-    nagios_group          => insetup_eqsin
+    nagios_group          => misc_eqsin
@@
-    cluster               => insetup
+    cluster               => misc

Package[python3-poolcounter]

Parameters differences:

--- Package[python3-poolcounter].orig
+++ Package[python3-poolcounter]

+    provider => apt
+    ensure   => absent

Ferm::Rule[ip6ip6]

Parameters differences:

--- Ferm::Rule[ip6ip6].orig
+++ Ferm::Rule[ip6ip6]

+    desc   => 
+    domain => (ip6)
+    rule   => saddr 0100::/64 proto ipv6 ACCEPT;
+    prio   => 10
+    ensure => present
+    table  => filter
+    chain  => INPUT

Ferm::Rule[clamp-mss-ipv4]

Parameters differences:

--- Ferm::Rule[clamp-mss-ipv4].orig
+++ Ferm::Rule[clamp-mss-ipv4]

+    desc   => 
+    domain => (ip)
+    rule   => outerface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1440;
+    prio   => 10
+    ensure => present
+    table  => filter
+    chain  => OUTPUT

Monitoring::Service[check_tcp-mss-clamper_status]

Parameters differences:

--- Monitoring::Service[check_tcp-mss-clamper_status].orig
+++ Monitoring::Service[check_tcp-mss-clamper_status]

+    critical       => False
+    retry_interval => 1
+    check_interval => 10
+    check_command  => nrpe_check!check_check_tcp-mss-clamper_status!10
+    contact_group  => admins
+    passive        => False
+    config_dir     => /etc/nagios
+    freshness      => 36000
+    notes_url      => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    host           => tcp-proxy5004
+    retries        => 2
+    description    => Check unit status of tcp-mss-clamper
+    ensure         => absent
+    migration_task => T407130

Service[tcp-mss-clamper]

Parameters differences:

--- Service[tcp-mss-clamper].orig
+++ Service[tcp-mss-clamper]

+    enable => False
+    ensure => stopped
+    before => ['Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]']

Class[Etcd::Client::Globalconfig]

Parameters differences:

--- Class[Etcd::Client::Globalconfig].orig
+++ Class[Etcd::Client::Globalconfig]

+    srv_domain => conftool.eqsin.wmnet

Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]

+    override                 => False
+    require                  => Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]
+    monitoring_contact_group => admins
+    monitoring_enabled       => False
+    service_params           => {}
+    unit_type                => timer
+    monitoring_critical      => False
+    ensure                   => absent
+    migration_task           => T407130
+    restart                  => False

Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]

Parameters differences:

--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

File[/etc/poolcounter-backends.yaml]

Parameters differences:

--- File[/etc/poolcounter-backends.yaml].orig
+++ File[/etc/poolcounter-backends.yaml]

+    ensure => absent
+    group  => root
+    owner  => root
+    mode   => 0444

Content differences:

--- /etc/poolcounter-backends.yaml.orig
+++ /etc/poolcounter-backends.yaml
@@ -0,0 +1 @@
+--- []

Firewall::Service[proxy-gerrit-ssh]

Parameters differences:

--- Firewall::Service[proxy-gerrit-ssh].orig
+++ Firewall::Service[proxy-gerrit-ssh]

+    desc    => 
+    port    => [29418]
+    prio    => 10
+    notrack => False
+    ensure  => present
+    proto   => tcp

File[/etc/ferm/conf.d/10_clamp-mss-ipv4]

Parameters differences:

--- File[/etc/ferm/conf.d/10_clamp-mss-ipv4].orig
+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv4]

+    require => File[/etc/ferm/conf.d]
+    owner   => root
+    notify  => Service[ferm]
+    ensure  => present
+    tag     => ferm
+    group   => root
+    mode    => 0400

Content differences:

--- /etc/ferm/conf.d/10_clamp-mss-ipv4.orig
+++ /etc/ferm/conf.d/10_clamp-mss-ipv4
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_clamp-mss-ipv4: 
+
+domain (ip) {
+	table filter {
+		chain OUTPUT {
+			outerface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1440;
+		}
+	}
+}

Conftool::Scripts::Safe_service_restart[gerrit]

Parameters differences:

--- Conftool::Scripts::Safe_service_restart[gerrit].orig
+++ Conftool::Scripts::Safe_service_restart[gerrit]

+    require         => ['Class[Conftool::Scripts]']
+    max_concurrency => 0
+    lvs_pools       => ['gerrit-ssh']

File[/lib/systemd/system/prometheus_ferm_mss.timer]

Parameters differences:

--- File[/lib/systemd/system/prometheus_ferm_mss.timer].orig
+++ File[/lib/systemd/system/prometheus_ferm_mss.timer]

+    owner  => root
+    notify => Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/prometheus_ferm_mss.timer.orig
+++ /lib/systemd/system/prometheus_ferm_mss.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of prometheus_ferm_mss.service
+
+[Timer]
+Unit=prometheus_ferm_mss.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=minutely
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target

Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]

Parameters differences:

--- Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f].orig
+++ Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]

+    logs               => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_tcp-mss-clamper_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))
+    runbook            => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+    severity           => info
+    for                => 11m
+    def_label_whitelst => ['team', 'severity']
+    dashboard          => TODO
+    group              => nrpechecks
+    description        => NRPE CHECK: Check unit status of tcp-mss-clamper
+    instance           => ops
+    expr               => (nagios_nrpe_check_result{alert_rule_hash="295d6d5dd0a784bb9ba1d5983fd1894f",check_name="check_check_tcp-mss-clamper_status", status=~"(WARNING|CRITICAL)", severity=~"(warning|critical)"} > 0) * on (instance) group_left (team) role_owner
+    ensure             => absent
+    site               => eqsin
+    summary            => NRPE CHECK: Check unit status of tcp-mss-clamper
+    alert_name         => nrpe_Check_unit_status_of_tcp_mss_clamper
+    team               => observability

Class[Profile::Lvs::Realserver]

Parameters differences:

--- Class[Profile::Lvs::Realserver].orig
+++ Class[Profile::Lvs::Realserver]

+    pools        => {'gerrit-ssh': {'services': ['gerrit']}}
+    require      => ['Class[Profile::Conftool::Client]']
+    use_conftool => True

Interface::Clsact[clsact_ens13]

Parameters differences:

--- Interface::Clsact[clsact_ens13].orig
+++ Interface::Clsact[clsact_ens13]

+    ensure    => absent
+    interface => ens13

Rsyslog::Conf[wmf_auto_restart_haproxy]

Parameters differences:

--- Rsyslog::Conf[wmf_auto_restart_haproxy].orig
+++ Rsyslog::Conf[wmf_auto_restart_haproxy]

+    ensure   => present
+    require  => File[/var/log/wmf_auto_restart_haproxy]
+    priority => 40
+    mode     => 0444

File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]

Parameters differences:

--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf].orig
+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]

+    owner  => root
+    notify => Service[rsyslog]
+    ensure => absent
+    group  => root
+    mode   => 0444

Content differences:

--- /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf.orig
+++ /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: Apache-2.0
+if $programname contains "nrpe2nodexp-check_tcp-mss-clamper_status" then {
+    if ($msg contains "\"ecs.version\": \"1.7.0\"") then {
+        # Send logs to kafka
+        set $.log_outputs = "kafka ecs_170 local";
+    } else {
+        # Filter out non-relevant nrpe2nodexp messages
+        stop
+    }
+}

File[/etc/conftool/config.yaml]

Parameters differences:

--- File[/etc/conftool/config.yaml].orig
+++ File[/etc/conftool/config.yaml]

+    ensure => present
+    group  => root
+    owner  => root
+    mode   => 0444

Content differences:

--- /etc/conftool/config.yaml.orig
+++ /etc/conftool/config.yaml
@@ -0,0 +1,14 @@
+---
+hosts: []
+tcpircbot_host: icinga.wikimedia.org
+tcpircbot_port: 9200
+driver_options:
+  allow_reconnect: true
+  suppress_san_warnings: false
+namespace: "/conftool"
+extensions_config:
+  reqconfig:
+    haproxy_reserved_slots:
+    - 0
+    varnish_acl_ipblocks: []
+conftool2git_address: puppetserver1003.eqiad.wmnet:1312

File[/etc/ferm/conf.d/10_ipip]

Parameters differences:

--- File[/etc/ferm/conf.d/10_ipip].orig
+++ File[/etc/ferm/conf.d/10_ipip]

+    require => File[/etc/ferm/conf.d]
+    owner   => root
+    notify  => Service[ferm]
+    ensure  => present
+    tag     => ferm
+    group   => root
+    mode    => 0400

Content differences:

--- /etc/ferm/conf.d/10_ipip.orig
+++ /etc/ferm/conf.d/10_ipip
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_ipip: 
+
+domain (ip) {
+	table filter {
+		chain INPUT {
+			saddr 172.16.0.0/12 proto ipencap ACCEPT;
+		}
+	}
+}

File[/etc/haproxy/haproxy.cfg]

Parameters differences:

--- File[/etc/haproxy/haproxy.cfg].orig
+++ File[/etc/haproxy/haproxy.cfg]

+    require => Package[haproxy]
+    owner   => root
+    notify  => Service[haproxy]
+    ensure  => file
+    group   => root
+    mode    => 0544

Content differences:

--- /etc/haproxy/haproxy.cfg.orig
+++ /etc/haproxy/haproxy.cfg
@@ -0,0 +1,38 @@
+# Note: This file is managed by puppet.
+global
+    user haproxy
+    group haproxy
+        stats socket /run/haproxy/haproxy.sock mode 600 level admin
+    hard-stop-after 5m
+    set-dumpable
+    log stderr local0 info
+
+defaults
+    mode tcp
+    option dontlognull
+    option tcplog
+    option tcp-check
+    retries 1
+    timeout connect 10s
+    timeout client 50s
+    timeout server 50s
+    timeout tunnel 3636s  # just a bit more than 1 hour (Gerrit's SSH idle timeout) -- overrides client and server timeouts once TCP tunnel established
+    timeout client-fin 50s  # once gerrit closes the connection, close the other side quickly, in case clients disappear mid-tunnel
+    log global
+
+listen gerrit_ssh
+    bind :::29418 v4v6
+    server backend_server gerrit.discovery.wmnet port 29418 resolvers default init-addr none check maxconn 200 
+
+frontend stats
+    mode http
+    no log
+    maxconn 100
+    bind :::9422 v4v6
+    http-request use-service prometheus-exporter if { path /metrics }
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+    # Explicitly avoid keep-alive to prevent Prometheus scrapers from
+    # reusing indefinitelly the same TCP connection. See T343000
+    http-after-response set-header Connection Close

Package[tcp-mss-clamper]

Parameters differences:

--- Package[tcp-mss-clamper].orig
+++ Package[tcp-mss-clamper]

+    provider => apt
+    ensure   => absent

Nrpe::Plugin[check_systemd_unit_status]

Parameters differences:

--- Nrpe::Plugin[check_systemd_unit_status].orig
+++ Nrpe::Plugin[check_systemd_unit_status]

+    ensure => present
+    source => puppet:///modules/systemd/check_systemd_unit_status

Interface::Ipip[ipip_ipv6]

Parameters differences:

--- Interface::Ipip[ipip_ipv6].orig
+++ Interface::Ipip[ipip_ipv6]

+    ensure    => present
+    interface => ipip60
+    family    => inet6

File[/etc/conftool/schema.yaml]

Parameters differences:

--- File[/etc/conftool/schema.yaml].orig
+++ File[/etc/conftool/schema.yaml]

+    owner  => root
+    ensure => file
+    group  => root
+    source => puppet:///modules/profile/conftool/schema.yaml
+    mode   => 0444

Augeas[ipip0_set_up]

Parameters differences:

--- Augeas[ipip0_set_up].orig
+++ Augeas[ipip0_set_up]

+    require => Augeas[ipip0_add_up]
+    context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+    lens    => Interfaces.lns
+    incl    => /etc/network/interfaces
+    onlyif  => match up[. = 'ip link set up dev ipip0'] size == 0
+    changes => set up[last()+1] 'ip link set up dev ipip0'

Class[Profile::Base::Production]

Parameters differences:

--- Class[Profile::Base::Production].orig
+++ Class[Profile::Base::Production]

-    role_description => Host being setup by Infrastructure Foundations SREs with ferm

Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]

Parameters differences:

--- Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver].orig
+++ Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]

+    subscribe   => File[/etc/default/wikimedia-lvs-realserver]
+    path        => /bin:/sbin:/usr/bin:/usr/sbin
+    refreshonly => True
+    require     => Package[wikimedia-lvs-realserver]

File[/usr/local/bin/depool]

Parameters differences:

--- File[/usr/local/bin/depool].orig
+++ File[/usr/local/bin/depool]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/conftool-simple-command.sh
+    mode   => 0555

File[/usr/local/bin/ispooled]

Parameters differences:

--- File[/usr/local/bin/ispooled].orig
+++ File[/usr/local/bin/ispooled]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/ispooled.sh
+    mode   => 0555

File[/etc/conftool]

Parameters differences:

--- File[/etc/conftool].orig
+++ File[/etc/conftool]

+    ensure => directory
+    group  => root
+    owner  => root
+    mode   => 0755

File[/var/lib/prometheus/node.d/role_owner.prom]

Content differences:

--- /var/lib/prometheus/node.d/role_owner.prom.orig
+++ /var/lib/prometheus/node.d/role_owner.prom
@@ -1,3 +1,3 @@
 # HELP role_owner The team owner of the server role
 # TYPE role_owner gauge
-role_owner{team="infrastructure-foundations",role="insetup::infrastructure_foundations_ferm",cluster="insetup"} 1.0
+role_owner{team="unknown",role="tcpproxy",cluster="misc"} 1.0

Profile::Auto_restarts::Service[haproxy]

Parameters differences:

--- Profile::Auto_restarts::Service[haproxy].orig
+++ Profile::Auto_restarts::Service[haproxy]

+    ensure => present

Systemd::Unit[prometheus_ferm_mss.service]

Parameters differences:

--- Systemd::Unit[prometheus_ferm_mss.service].orig
+++ Systemd::Unit[prometheus_ferm_mss.service]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => prometheus_ferm_mss.service
+    ensure            => present
+    restart           => False

Systemd::Unit[wmf_auto_restart_haproxy.timer]

Parameters differences:

--- Systemd::Unit[wmf_auto_restart_haproxy.timer].orig
+++ Systemd::Unit[wmf_auto_restart_haproxy.timer]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => wmf_auto_restart_haproxy.timer
+    ensure            => present
+    restart           => False

File[/usr/local/bin/drain]

Parameters differences:

--- File[/usr/local/bin/drain].orig
+++ File[/usr/local/bin/drain]

+    owner  => root
+    ensure => present
+    group  => root
+    source => puppet:///modules/conftool/conftool-simple-command.sh
+    mode   => 0555

File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]

Parameters differences:

--- File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg].orig
+++ File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]

+    require => Package[nagios-nrpe-server]
+    owner   => root
+    notify  => Service[nagios-nrpe-server]
+    ensure  => absent
+    tag     => nrpe::check
+    group   => root
+    mode    => 0444

Content differences:

--- /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg.orig
+++ /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg
@@ -0,0 +1,2 @@
+# File generated by puppet. DO NOT edit by hand
+command[check_check_tcp-mss-clamper_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper

Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]

Parameters differences:

--- Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)].orig
+++ Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]

+    refreshonly => True
+    command     => /bin/systemctl daemon-reload

Service[wmf_auto_restart_haproxy.timer]

Parameters differences:

--- Service[wmf_auto_restart_haproxy.timer].orig
+++ Service[wmf_auto_restart_haproxy.timer]

+    enable   => True
+    ensure   => running
+    provider => systemd

File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]

+    owner  => root
+    notify => Service[rsyslog]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /etc/rsyslog.d/40-prometheus-ferm-mss.conf.orig
+++ /etc/rsyslog.d/40-prometheus-ferm-mss.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "prometheus_ferm_mss" then {
+    action(
+        type="omfile" file="/var/log/prometheus_ferm_mss/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

Exec[/usr/sbin/tc qdisc del dev lo clsact]

Parameters differences:

--- Exec[/usr/sbin/tc qdisc del dev lo clsact].orig
+++ Exec[/usr/sbin/tc qdisc del dev lo clsact]

+    onlyif => /usr/sbin/tc qdisc show dev lo | grep -q clsact

Logrotate::Conf[prometheus_ferm_mss]

Parameters differences:

--- Logrotate::Conf[prometheus_ferm_mss].orig
+++ Logrotate::Conf[prometheus_ferm_mss]

+    ensure => present

Exec[disable-rp-filter-ens13]

Parameters differences:

--- Exec[disable-rp-filter-ens13].orig
+++ Exec[disable-rp-filter-ens13]

+    unless  => /usr/sbin/sysctl -n net.ipv4.conf.ens13.rp_filter |grep -- '0'
+    command => /usr/sbin/sysctl -q net.ipv4.conf.ens13.rp_filter=0

Prometheus::Node_ferm_mss[ferm_clamped_ipport]

Parameters differences:

--- Prometheus::Node_ferm_mss[ferm_clamped_ipport].orig
+++ Prometheus::Node_ferm_mss[ferm_clamped_ipport]

+    ensure         => present
+    outfile        => /var/lib/prometheus/node.d/ferm-mss.prom
+    clamped_ipport => ['103.102.166.225:29418', '[2001:df2:e500:ed1a::2]:29418']

Exec[ip link add name ipip60 type ip6tnl external]

Parameters differences:

--- Exec[ip link add name ipip60 type ip6tnl external].orig
+++ Exec[ip link add name ipip60 type ip6tnl external]

+    returns => [0, 2]
+    path    => /bin:/usr/bin
+    unless  => ip link show ipip60

File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf].orig
+++ File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]

+    owner  => root
+    notify => Service[rsyslog]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf.orig
+++ /etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "wmf_auto_restart_haproxy" then {
+    action(
+        type="omfile" file="/var/log/wmf_auto_restart_haproxy/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

File[/lib/systemd/system/tcp-mss-clamper.service]

Parameters differences:

--- File[/lib/systemd/system/tcp-mss-clamper.service].orig
+++ File[/lib/systemd/system/tcp-mss-clamper.service]

+    owner  => root
+    notify => Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]
+    ensure => absent
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/tcp-mss-clamper.service.orig
+++ /lib/systemd/system/tcp-mss-clamper.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=eBPF based TCP MSS clamper
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+LimitMEMLOCK=infinity
+ExecStart=/usr/bin/tcp-mss-clamper --ipv4-mss 1440 --ipv6-mss 1400 -p :2200 -s "103.102.166.225:29418,[2001:df2:e500:ed1a::2]:29418" -i ens13,lo
+Restart=on-failure

Exec[ip link add name ipip0 type ipip external]

Parameters differences:

--- Exec[ip link add name ipip0 type ipip external].orig
+++ Exec[ip link add name ipip0 type ipip external]

+    returns => [0, 2]
+    path    => /bin:/usr/bin
+    unless  => ip link show ipip0

File[/etc/etcd/etcdrc]

Parameters differences:

--- File[/etc/etcd/etcdrc].orig
+++ File[/etc/etcd/etcdrc]

+    show_diff => True
+    owner     => root
+    ensure    => present
+    group     => root
+    mode      => 0444

Content differences:

--- /etc/etcd/etcdrc.orig
+++ /etc/etcd/etcdrc
@@ -0,0 +1,7 @@
+allow_reconnect: true
+ca_cert: /etc/ssl/certs/wmf-ca-certificates.crt
+host: 
+port: 
+protocol: https
+srv_domain: conftool.eqsin.wmnet
+

Class[Poolcounter::Client]

Parameters differences:

--- Class[Poolcounter::Client].orig
+++ Class[Poolcounter::Client]

+    ensure   => absent
+    backends => []

Exec[disable-rp-filter-ipip60]

Parameters differences:

--- Exec[disable-rp-filter-ipip60].orig
+++ Exec[disable-rp-filter-ipip60]

+    require => Interface::Ipip[ipip_ipv6]
+    unless  => /usr/sbin/sysctl -n net.ipv4.conf.ipip60.rp_filter |grep -- '0'
+    command => /usr/sbin/sysctl -q net.ipv4.conf.ipip60.rp_filter=0

Class[Cumin::Selector]

Parameters differences:

--- Class[Cumin::Selector].orig
+++ Class[Cumin::Selector]

@@
-    cluster => insetup
+    cluster => misc

File[/usr/local/bin/prometheus-lvs-realserver-mss]

Parameters differences:

--- File[/usr/local/bin/prometheus-lvs-realserver-mss].orig
+++ File[/usr/local/bin/prometheus-lvs-realserver-mss]

+    owner  => root
+    ensure => file
+    group  => root
+    source => puppet:///modules/prometheus/usr/local/bin/prometheus-lvs-realserver-mss.py
+    mode   => 0555

Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]

+    private_tmp               => False
+    environment               => {}
+    syslog_force_stop         => True
+    ignore_errors             => True
+    fixed_random_delay        => True
+    success_exit_status       => []
+    send_mail_only_on_error   => True
+    monitoring_enabled        => False
+    syslog_match_startswith   => True
+    description               => execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.
+    logfile_basedir           => /var/log
+    group                     => prometheus-node-exporter
+    syslog_identifier         => nrpe2nodexp-check_tcp-mss-clamper_status
+    logfile_perms             => all
+    command                   => /usr/local/bin/nrpe2nodexp --alert-rule-hash "295d6d5dd0a784bb9ba1d5983fd1894f" --timeout 10 --check-command "check_check_tcp-mss-clamper_status"
+    ensure                    => absent
+    monitoring_contact_groups => admins
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_to              => root@tcp-proxy5004.eqsin.wmnet
+    logging_enabled           => False
+    logfile_name              => syslog.log
+    send_mail                 => False
+    interval                  => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]
+    splay                     => 300
+    user                      => nagios
+    logfile_group             => root

File[/lib/systemd/system/wmf_auto_restart_haproxy.service]

Parameters differences:

--- File[/lib/systemd/system/wmf_auto_restart_haproxy.service].orig
+++ File[/lib/systemd/system/wmf_auto_restart_haproxy.service]

+    owner  => root
+    notify => Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/wmf_auto_restart_haproxy.service.orig
+++ /lib/systemd/system/wmf_auto_restart_haproxy.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Auto restart job: haproxy
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/sbin/wmf-auto-restart -s haproxy

File_line[auto_restart_file_presence_haproxy]

Parameters differences:

--- File_line[auto_restart_file_presence_haproxy].orig
+++ File_line[auto_restart_file_presence_haproxy]

+    ensure  => present
+    line    => haproxy
+    path    => /etc/debdeploy-client/autorestarts.conf
+    require => File[/etc/debdeploy-client/autorestarts.conf]

File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]

Parameters differences:

--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]

+    owner  => root
+    notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]
+    ensure => absent
+    group  => root
+    mode   => 0444

Content differences:

--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer.orig
+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=Periodic execution of nrpe2nodexp-check_tcp-mss-clamper_status.service
+
+[Timer]
+Unit=nrpe2nodexp-check_tcp-mss-clamper_status.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnUnitInactiveSec=5min
+OnActiveSec=1s
+RandomizedDelaySec=300
+FixedRandomDelay=true
+
+[Install]
+WantedBy=multi-user.target

Nrpe::Check[check_check_tcp-mss-clamper_status]

Parameters differences:

--- Nrpe::Check[check_check_tcp-mss-clamper_status].orig
+++ Nrpe::Check[check_check_tcp-mss-clamper_status]

+    ensure  => absent
+    before  => Monitoring::Service[check_tcp-mss-clamper_status]
+    command => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper

Exec[ip link set up dev ipip60]

Parameters differences:

--- Exec[ip link set up dev ipip60].orig
+++ Exec[ip link set up dev ipip60]

+    returns => [0, 2]
+    path    => /bin:/usr/bin
+    unless  => ip link show ipip60 | grep -q UP

File[/etc/ferm/conf.d/10_ip6ip6]

Parameters differences:

--- File[/etc/ferm/conf.d/10_ip6ip6].orig
+++ File[/etc/ferm/conf.d/10_ip6ip6]

+    require => File[/etc/ferm/conf.d]
+    owner   => root
+    notify  => Service[ferm]
+    ensure  => present
+    tag     => ferm
+    group   => root
+    mode    => 0400

Content differences:

--- /etc/ferm/conf.d/10_ip6ip6.orig
+++ /etc/ferm/conf.d/10_ip6ip6
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_ip6ip6: 
+
+domain (ip6) {
+	table filter {
+		chain INPUT {
+			saddr 0100::/64 proto ipv6 ACCEPT;
+		}
+	}
+}

Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]

Parameters differences:

--- Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]

+    timer_intervals    => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}, {'interval': '1s', 'start': 'OnActiveSec'}]
+    accuracy           => 15sec
+    splay              => 300
+    fixed_random_delay => True
+    ensure             => absent
+    unit_name          => nrpe2nodexp-check_tcp-mss-clamper_status.service

File[/etc/conftool/json-schema/]

Parameters differences:

--- File[/etc/conftool/json-schema/].orig
+++ File[/etc/conftool/json-schema/]

+    path    => /etc/conftool/json-schema
+    owner   => root
+    recurse => True
+    ensure  => directory
+    group   => root
+    source  => puppet:///modules/profile/conftool/json-schema/
+    mode    => 0555

Systemd::Timer::Job[wmf_auto_restart_haproxy]

Parameters differences:

--- Systemd::Timer::Job[wmf_auto_restart_haproxy].orig
+++ Systemd::Timer::Job[wmf_auto_restart_haproxy]

+    private_tmp               => False
+    environment               => {}
+    syslog_force_stop         => True
+    ignore_errors             => False
+    fixed_random_delay        => False
+    success_exit_status       => []
+    send_mail_only_on_error   => True
+    monitoring_enabled        => False
+    syslog_match_startswith   => True
+    description               => Auto restart job: haproxy
+    logfile_basedir           => /var/log
+    require                   => File[/usr/local/sbin/wmf-auto-restart]
+    logfile_perms             => all
+    command                   => /usr/local/sbin/wmf-auto-restart -s haproxy
+    monitoring_contact_groups => admins
+    monitoring_notes_url      => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+    send_mail_to              => root@tcp-proxy5004.eqsin.wmnet
+    logging_enabled           => True
+    logfile_name              => syslog.log
+    send_mail                 => False
+    interval                  => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 2:50:00'}
+    ensure                    => present
+    user                      => root
+    logfile_group             => root

Systemd::Unit[tcp-mss-clamper]

Parameters differences:

--- Systemd::Unit[tcp-mss-clamper].orig
+++ Systemd::Unit[tcp-mss-clamper]

+    override_filename => puppet-override.conf
+    override          => False
+    require           => ['Class[Systemd]']
+    unit              => tcp-mss-clamper
+    ensure            => absent
+    restart           => False

Class[Lvs::Realserver]

Parameters differences:

--- Class[Lvs::Realserver].orig
+++ Class[Lvs::Realserver]

+    realserver_ips => ['103.102.166.225', '2001:df2:e500:ed1a::2']

Ferm::Rule[clamp-mss-ipv6]

Parameters differences:

--- Ferm::Rule[clamp-mss-ipv6].orig
+++ Ferm::Rule[clamp-mss-ipv6]

+    desc   => 
+    domain => (ip6)
+    rule   => outerface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1400;
+    prio   => 10
+    ensure => present
+    table  => filter
+    chain  => OUTPUT

Ferm::Service[proxy_gerrit_ssh]

Parameters differences:

--- Ferm::Service[proxy_gerrit_ssh].orig
+++ Ferm::Service[proxy_gerrit_ssh]

+    desc    => 
+    port    => [29418]
+    prio    => 10
+    notrack => False
+    ensure  => present
+    proto   => tcp

File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]

Parameters differences:

--- File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]

+    owner  => root
+    notify => Service[rsyslog]
+    ensure => present
+    group  => root
+    mode   => 0444

Content differences:

--- /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf.orig
+++ /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "prometheus_lvs_realserver_mss" then {
+    action(
+        type="omfile" file="/var/log/prometheus_lvs_realserver_mss/syslog.log"
+        fileOwner="root" fileGroup="root"
+        fileCreateMode="0644"
+    )
+    & stop
+}

Compilation results for tcp-proxy5004.eqsin.wmnet: System changes detected

Catalog differences

Summary

Resources only in the new catalog

Resources only in the old catalog

Resources modified

Relevant files