{"host": "tcp-proxy5004.eqsin.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2583, "only_in_self": ["Class[Role::Insetup::Infrastructure_foundations_ferm]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "Motd::Message[insetup::infrastructure_foundations_ferm]", "Motd::Script[insetup::infrastructure_foundations_ferm]", "Node[__node_regexp__tcp-proxy50034.eqsin.]"], "only_in_other": ["Augeas[ipip0_127.0.0.42/32]", "Augeas[ipip0_add_up]", "Augeas[ipip0_manual]", "Augeas[ipip0_set_up]", "Augeas[ipip60_add_up]", "Augeas[ipip60_manual]", "Augeas[ipip60_set_up]", "Class[Conftool::Config]", "Class[Conftool::Scripts]", "Class[Etcd::Client::Globalconfig]", "Class[Lvs::Realserver]", "Class[Passwords::Etcd]", "Class[Poolcounter::Client::Python]", "Class[Poolcounter::Client]", "Class[Profile::Conftool::Client]", "Class[Profile::Lvs::Configuration]", "Class[Profile::Lvs::Realserver::Ipip]", "Class[Profile::Lvs::Realserver]", "Class[Profile::Tcpproxy]", "Class[Role::Tcpproxy]", "Class[Wmflib::Service::Catalog]", "Conftool::Scripts::Safe_service_restart[gerrit]", "Etcd::Client::Config[/etc/etcd/etcdrc]", "Etcd::Client::Config[/root/.etcdrc]", "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "Exec[/usr/sbin/tc qdisc del dev ens13 clsact]", "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "Exec[disable-rp-filter-ens13]", "Exec[disable-rp-filter-ipip0]", "Exec[disable-rp-filter-ipip60]", "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "Exec[ip link add name ipip0 type ipip external]", "Exec[ip link add name ipip60 type ip6tnl external]", "Exec[ip link set up dev ipip0]", "Exec[ip link set up dev ipip60]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]", "Ferm::Rule[clamp-mss-ipv4]", "Ferm::Rule[clamp-mss-ipv6]", "Ferm::Rule[ip6ip6]", "Ferm::Rule[ipip]", "Ferm::Service[proxy_gerrit_ssh]", "File[/etc/conftool/config.yaml]", "File[/etc/conftool/json-schema/]", "File[/etc/conftool/local_services.yaml]", "File[/etc/conftool/schema.yaml]", "File[/etc/conftool]", "File[/etc/default/wikimedia-lvs-realserver]", "File[/etc/etcd/etcdrc]", "File[/etc/etcd]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "File[/etc/ferm/conf.d/10_ip6ip6]", "File[/etc/ferm/conf.d/10_ipip]", "File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]", "File[/etc/haproxy/haproxy.cfg]", "File[/etc/logrotate.d/prometheus_ferm_mss]", "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "File[/etc/logrotate.d/wmf_auto_restart_haproxy]", "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "File[/etc/poolcounter-backends.yaml]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]", "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "File[/etc/update-motd.d/05-tcpproxy]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "File[/lib/systemd/system/prometheus_ferm_mss.service]", "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "File[/lib/systemd/system/tcp-mss-clamper.service]", "File[/lib/systemd/system/wmf_auto_restart_haproxy.service]", "File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]", "File[/root/.etcdrc]", "File[/usr/local/bin/decommission]", "File[/usr/local/bin/depool-gerrit]", "File[/usr/local/bin/depool]", "File[/usr/local/bin/drain]", "File[/usr/local/bin/ispooled]", "File[/usr/local/bin/pool-gerrit]", "File[/usr/local/bin/pool]", "File[/usr/local/bin/pooler-loop]", "File[/usr/local/bin/prometheus-ferm-mss]", "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "File[/usr/local/bin/safe-service-restart]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/restart-gerrit]", "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "File[/var/log/prometheus_ferm_mss]", "File[/var/log/prometheus_lvs_realserver_mss]", "File[/var/log/wmf_auto_restart_haproxy]", "File_line[auto_restart_file_presence_haproxy]", "File_line[rm_post-up_ens13_clsact_ens13]", "File_line[rm_post-up_lo_clsact_lo]", "Firewall::Service[proxy-gerrit-ssh]", "Interface::Clsact[clsact_ens13]", "Interface::Clsact[clsact_lo]", "Interface::Ip[ipip_ipv4 ipv4]", "Interface::Ipip[ipip_ipv4]", "Interface::Ipip[ipip_ipv6]", "Interface::Manual[ipip_ipv4]", "Interface::Manual[ipip_ipv6]", "Interface::Post_up_command[clsact_ens13]", "Interface::Post_up_command[clsact_lo]", "Logrotate::Conf[prometheus_ferm_mss]", "Logrotate::Conf[prometheus_lvs_realserver_mss]", "Logrotate::Conf[wmf_auto_restart_haproxy]", "Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]", "Monitoring::Service[check_tcp-mss-clamper_status]", "Motd::Message[tcpproxy]", "Motd::Script[tcpproxy]", "Node[__node_regexp__tcp-proxy1-7001-9.codfwdrmrseqiadeqsinesamsmagruulsfo.]", "Nrpe::Check[check_check_tcp-mss-clamper_status]", "Nrpe::Monitor_service[check_tcp-mss-clamper_status]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[haproxy]", "Package[python3-conftool]", "Package[python3-poolcounter]", "Package[tcp-mss-clamper]", "Package[wikimedia-lvs-realserver]", "Profile::Auto_restarts::Service[haproxy]", "Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]", "Prometheus::Node_ferm_mss[ferm_clamped_ipport]", "Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]", "Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]", "Rsyslog::Conf[prometheus_ferm_mss]", "Rsyslog::Conf[prometheus_lvs_realserver_mss]", "Rsyslog::Conf[wmf_auto_restart_haproxy]", "Service[haproxy]", "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Service[prometheus_ferm_mss.timer]", "Service[prometheus_lvs_realserver_mss.timer]", "Service[tcp-mss-clamper]", "Service[wmf_auto_restart_haproxy.timer]", "Sudo::User[nrpe-check_check_tcp-mss-clamper_status]", "Systemd::Monitor[tcp-mss-clamper]", "Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Service[prometheus_ferm_mss]", "Systemd::Service[prometheus_lvs_realserver_mss]", "Systemd::Service[tcp-mss-clamper]", "Systemd::Service[wmf_auto_restart_haproxy]", "Systemd::Syslog[prometheus_ferm_mss]", "Systemd::Syslog[prometheus_lvs_realserver_mss]", "Systemd::Syslog[wmf_auto_restart_haproxy]", "Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer::Job[prometheus_ferm_mss]", "Systemd::Timer::Job[prometheus_lvs_realserver_mss]", "Systemd::Timer::Job[wmf_auto_restart_haproxy]", "Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer[prometheus_ferm_mss]", "Systemd::Timer[prometheus_lvs_realserver_mss]", "Systemd::Timer[wmf_auto_restart_haproxy]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Systemd::Unit[prometheus_ferm_mss.service]", "Systemd::Unit[prometheus_ferm_mss.timer]", "Systemd::Unit[prometheus_lvs_realserver_mss.service]", "Systemd::Unit[prometheus_lvs_realserver_mss.timer]", "Systemd::Unit[tcp-mss-clamper]", "Systemd::Unit[wmf_auto_restart_haproxy.service]", "Systemd::Unit[wmf_auto_restart_haproxy.timer]"], "resource_diffs": [{"resource": "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Interface::Manual[ipip_ipv6]", "parameters": "--- Interface::Manual[ipip_ipv6].orig\n+++ Interface::Manual[ipip_ipv6]\n\n+ family => inet6\n+ ensure => present\n+ hotplug => False\n+ interface => ipip60\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_haproxy.service]", "parameters": "--- Systemd::Unit[wmf_auto_restart_haproxy.service].orig\n+++ Systemd::Unit[wmf_auto_restart_haproxy.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => wmf_auto_restart_haproxy.service\n+ ensure => present\n+ restart => False\n"}, {"resource": "Service[prometheus_ferm_mss.timer]", "parameters": "--- Service[prometheus_ferm_mss.timer].orig\n+++ Service[prometheus_ferm_mss.timer]\n\n+ enable => True\n+ ensure => running\n+ provider => systemd\n"}, {"resource": "Rsyslog::Conf[prometheus_lvs_realserver_mss]", "parameters": "--- Rsyslog::Conf[prometheus_lvs_realserver_mss].orig\n+++ Rsyslog::Conf[prometheus_lvs_realserver_mss]\n\n+ ensure => present\n+ require => File[/var/log/prometheus_lvs_realserver_mss]\n+ priority => 40\n+ mode => 0444\n"}, {"resource": "Etcd::Client::Config[/root/.etcdrc]", "parameters": "--- Etcd::Client::Config[/root/.etcdrc].orig\n+++ Etcd::Client::Config[/root/.etcdrc]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ settings => {'username': 'conftool', 'password': 'another_secret'}\n+ world_readable => False\n"}, {"resource": "Class[Profile::Lvs::Realserver::Ipip]", "parameters": "--- Class[Profile::Lvs::Realserver::Ipip].orig\n+++ Class[Profile::Lvs::Realserver::Ipip]\n\n+ firewall_provider => ferm\n+ enabled => True\n+ pools => {'gerrit-ssh': {'services': ['gerrit']}}\n+ interfaces => ['ens13', 'lo']\n+ ipv4_mss => 1440\n+ ipv6_mss => 1400\n+ clamping_enabled => True\n"}, {"resource": "File[/var/log/prometheus_ferm_mss]", "parameters": "--- File[/var/log/prometheus_ferm_mss].orig\n+++ File[/var/log/prometheus_ferm_mss]\n\n+ owner => root\n+ force => True\n+ ensure => directory\n+ group => root\n+ backup => False\n+ mode => 0755\n"}, {"resource": "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "content": "--- /etc/logrotate.d/prometheus_lvs_realserver_mss.orig\n+++ /etc/logrotate.d/prometheus_lvs_realserver_mss\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for prometheus_lvs_realserver_mss\n+\n+/var/log/prometheus_lvs_realserver_mss/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/prometheus_lvs_realserver_mss].orig\n+++ File[/etc/logrotate.d/prometheus_lvs_realserver_mss]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0444\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n+ require => Package[nagios-nrpe-server]\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,2 @@\n ---\n-role::insetup::infrastructure_foundations_ferm:\n-- Infrastructure Foundations\n+role::tcpproxy: []"}, {"resource": "Class[Base::Sysctl]", "parameters": "--- Class[Base::Sysctl].orig\n+++ Class[Base::Sysctl]\n\n@@\n- default_rp_filter => 1\n+ default_rp_filter => 0\n@@\n- all_rp_filter => 1\n+ all_rp_filter => 0\n"}, {"resource": "Systemd::Timer[wmf_auto_restart_haproxy]", "parameters": "--- Systemd::Timer[wmf_auto_restart_haproxy].orig\n+++ Systemd::Timer[wmf_auto_restart_haproxy]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 2:50:00'}]\n+ accuracy => 15sec\n+ splay => 0\n+ fixed_random_delay => False\n+ ensure => present\n+ unit_name => wmf_auto_restart_haproxy.service\n"}, {"resource": "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "parameters": "--- Exec[ip addr add 127.0.0.42/32 dev ipip0].orig\n+++ Exec[ip addr add 127.0.0.42/32 dev ipip0]\n\n+ returns => [0, 2]\n+ path => /bin:/usr/bin\n+ unless => ip address show ipip0 | grep -q 127.0.0.42/32\n"}, {"resource": "Nrpe::Monitor_service[check_tcp-mss-clamper_status]", "parameters": "--- Nrpe::Monitor_service[check_tcp-mss-clamper_status].orig\n+++ Nrpe::Monitor_service[check_tcp-mss-clamper_status]\n\n+ critical => False\n+ timeout => 10\n+ check_interval => 10\n+ retry_interval => 1\n+ contact_group => admins\n+ nrpe2nodexp_parse_perf_data => False\n+ enable_icinga_check => True\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ retries => 2\n+ description => Check unit status of tcp-mss-clamper\n+ alertmanager_team => observability\n+ ensure => absent\n+ migration_task => T407130\n+ enable_nrpe2nodexp => False\n+ nrpe_command => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper\n"}, {"resource": "Systemd::Monitor[tcp-mss-clamper]", "parameters": "--- Systemd::Monitor[tcp-mss-clamper].orig\n+++ Systemd::Monitor[tcp-mss-clamper]\n\n+ critical => False\n+ check_interval => 10\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ contact_group => admins\n+ retries => 2\n+ ensure => absent\n+ migration_task => T407130\n"}, {"resource": "Logrotate::Conf[prometheus_lvs_realserver_mss]", "parameters": "--- Logrotate::Conf[prometheus_lvs_realserver_mss].orig\n+++ Logrotate::Conf[prometheus_lvs_realserver_mss]\n\n+ ensure => present\n"}, {"resource": "Systemd::Service[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Service[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Service[prometheus_lvs_realserver_mss]\n\n+ override => False\n+ require => Systemd::Unit[prometheus_lvs_realserver_mss.service]\n+ monitoring_contact_group => admins\n+ monitoring_enabled => False\n+ service_params => {}\n+ unit_type => timer\n+ monitoring_critical => False\n+ ensure => present\n+ migration_task => T407130\n+ restart => False\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n- role_contacts => ['Infrastructure Foundations']\n+ role_contacts => []\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- nagios_group => insetup_eqsin\n+ nagios_group => misc_eqsin\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]", "content": "--- /lib/systemd/system/wmf_auto_restart_haproxy.timer.orig\n+++ /lib/systemd/system/wmf_auto_restart_haproxy.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of wmf_auto_restart_haproxy.service\n+\n+[Timer]\n+Unit=wmf_auto_restart_haproxy.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=Mon,Tue,Wed,Thu,Fri *-*-* 2:50:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_haproxy.timer].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "Interface::Post_up_command[clsact_ens13]", "parameters": "--- Interface::Post_up_command[clsact_ens13].orig\n+++ Interface::Post_up_command[clsact_ens13]\n\n+ ensure => absent\n+ interface => ens13\n+ command => /usr/sbin/tc qdisc add dev ens13 clsact\n"}, {"resource": "Motd::Message[tcpproxy]", "parameters": "--- Motd::Message[tcpproxy].orig\n+++ Motd::Message[tcpproxy]\n\n+ ensure => present\n+ priority => 5\n+ message => tcp-proxy5004 is tcpproxy\n"}, {"resource": "Augeas[ipip60_manual]", "parameters": "--- Augeas[ipip60_manual].orig\n+++ Augeas[ipip60_manual]\n\n+ incl => /etc/network/interfaces\n+ changes => [\"set auto[./1 = 'ipip60']/1 'ipip60'\", \"set iface[. = 'ipip60'] 'ipip60'\", \"set iface[. = 'ipip60']/family 'inet6'\", \"set iface[. = 'ipip60']/method 'manual'\"]\n+ context => /files/etc/network/interfaces\n+ lens => Interfaces.lns\n"}, {"resource": "Systemd::Service[tcp-mss-clamper]", "parameters": "--- Systemd::Service[tcp-mss-clamper].orig\n+++ Systemd::Service[tcp-mss-clamper]\n\n+ override => False\n+ monitoring_contact_group => admins\n+ monitoring_enabled => True\n+ service_params => {}\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ unit_type => service\n+ monitoring_critical => False\n+ ensure => absent\n+ migration_task => T407130\n+ restart => False\n"}, {"resource": "File[/etc/logrotate.d/wmf_auto_restart_haproxy]", "content": "--- /etc/logrotate.d/wmf_auto_restart_haproxy.orig\n+++ /etc/logrotate.d/wmf_auto_restart_haproxy\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for wmf_auto_restart_haproxy\n+\n+/var/log/wmf_auto_restart_haproxy/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/wmf_auto_restart_haproxy].orig\n+++ File[/etc/logrotate.d/wmf_auto_restart_haproxy]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0444\n"}, {"resource": "File[/usr/local/bin/pool-gerrit]", "content": "--- /usr/local/bin/pool-gerrit.orig\n+++ /usr/local/bin/pool-gerrit\n@@ -0,0 +1,2 @@\n+#!/bin/bash\n+/usr/local/bin/safe-service-restart --pools gerrit-ssh --pool --retries 10 --wait 5", "parameters": "--- File[/usr/local/bin/pool-gerrit].orig\n+++ File[/usr/local/bin/pool-gerrit]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0555\n"}, {"resource": "File[/var/log/prometheus_lvs_realserver_mss]", "parameters": "--- File[/var/log/prometheus_lvs_realserver_mss].orig\n+++ File[/var/log/prometheus_lvs_realserver_mss]\n\n+ owner => root\n+ force => True\n+ ensure => directory\n+ group => root\n+ backup => False\n+ mode => 0755\n"}, {"resource": "Systemd::Timer[prometheus_ferm_mss]", "parameters": "--- Systemd::Timer[prometheus_ferm_mss].orig\n+++ Systemd::Timer[prometheus_ferm_mss]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'minutely'}]\n+ accuracy => 15sec\n+ splay => 0\n+ fixed_random_delay => False\n+ ensure => present\n+ unit_name => prometheus_ferm_mss.service\n"}, {"resource": "Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]", "parameters": "--- Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport].orig\n+++ Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]\n\n+ ensure => present\n+ outfile => /var/lib/prometheus/node.d/lvs-realserver-mss.prom\n+ clamped_ipport => ['103.102.166.225:29418', '[2001:df2:e500:ed1a::2]:29418']\n"}, {"resource": "Systemd::Unit[prometheus_lvs_realserver_mss.timer]", "parameters": "--- Systemd::Unit[prometheus_lvs_realserver_mss.timer].orig\n+++ Systemd::Unit[prometheus_lvs_realserver_mss.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => prometheus_lvs_realserver_mss.timer\n+ ensure => present\n+ restart => False\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Etcd::Client::Config[/etc/etcd/etcdrc]", "parameters": "--- Etcd::Client::Config[/etc/etcd/etcdrc].orig\n+++ Etcd::Client::Config[/etc/etcd/etcdrc]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ settings => {'host': None, 'port': None, 'srv_domain': 'conftool.eqsin.wmnet', 'ca_cert': '/etc/ssl/certs/wmf-ca-certificates.crt', 'protocol': 'https', 'allow_reconnect': True}\n+ world_readable => True\n"}, {"resource": "File[/etc/default/wikimedia-lvs-realserver]", "content": "--- /etc/default/wikimedia-lvs-realserver.orig\n+++ /etc/default/wikimedia-lvs-realserver\n@@ -0,0 +1,10 @@\n+# This file is managed by puppet!\n+\n+\n+\n+# Location of the sysctl file containing LVS ARP settings\n+SYSCTLFILE=/usr/share/wikimedia-lvs-realserver/sysctl.conf\n+\n+# LVS service IPs to be bound to the loopback interface,\n+# separate using spaces\n+LVS_SERVICE_IPS=\"103.102.166.225 2001:df2:e500:ed1a::2\"", "parameters": "--- File[/etc/default/wikimedia-lvs-realserver].orig\n+++ File[/etc/default/wikimedia-lvs-realserver]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0444\n"}, {"resource": "File[/usr/local/bin/depool-gerrit]", "content": "--- /usr/local/bin/depool-gerrit.orig\n+++ /usr/local/bin/depool-gerrit\n@@ -0,0 +1,2 @@\n+#!/bin/bash\n+/usr/local/bin/safe-service-restart --pools gerrit-ssh --depool --retries 10 --wait 5", "parameters": "--- File[/usr/local/bin/depool-gerrit].orig\n+++ File[/usr/local/bin/depool-gerrit]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0555\n"}, {"resource": "Systemd::Syslog[wmf_auto_restart_haproxy]", "parameters": "--- Systemd::Syslog[wmf_auto_restart_haproxy].orig\n+++ Systemd::Syslog[wmf_auto_restart_haproxy]\n\n+ owner => root\n+ force_stop => True\n+ log_filename => syslog.log\n+ readable_by => all\n+ base_dir => /var/log\n+ ensure => present\n+ programname_comparison => startswith\n+ group => root\n"}, {"resource": "Systemd::Service[wmf_auto_restart_haproxy]", "parameters": "--- Systemd::Service[wmf_auto_restart_haproxy].orig\n+++ Systemd::Service[wmf_auto_restart_haproxy]\n\n+ override => False\n+ require => Systemd::Unit[wmf_auto_restart_haproxy.service]\n+ monitoring_contact_group => admins\n+ monitoring_enabled => False\n+ service_params => {}\n+ unit_type => timer\n+ monitoring_critical => False\n+ ensure => present\n+ migration_task => T407130\n+ restart => False\n"}, {"resource": "File[/usr/local/bin/decommission]", "parameters": "--- File[/usr/local/bin/decommission].orig\n+++ File[/usr/local/bin/decommission]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/conftool-simple-command.sh\n+ mode => 0555\n"}, {"resource": "Systemd::Unit[prometheus_lvs_realserver_mss.service]", "parameters": "--- Systemd::Unit[prometheus_lvs_realserver_mss.service].orig\n+++ Systemd::Unit[prometheus_lvs_realserver_mss.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => prometheus_lvs_realserver_mss.service\n+ ensure => present\n+ restart => False\n"}, {"resource": "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "parameters": "--- File[/usr/local/lib/nagios/plugins/check_systemd_unit_status].orig\n+++ File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]\n\n+ require => File[/usr/local/lib/nagios/plugins/]\n+ owner => root\n+ ensure => file\n+ tag => nrpe::plugin\n+ group => root\n+ source => puppet:///modules/systemd/check_systemd_unit_status\n+ mode => 0555\n"}, {"resource": "Systemd::Timer[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Timer[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Timer[prometheus_lvs_realserver_mss]\n\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'minutely'}]\n+ accuracy => 15sec\n+ splay => 0\n+ fixed_random_delay => False\n+ ensure => present\n+ unit_name => prometheus_lvs_realserver_mss.service\n"}, {"resource": "Systemd::Syslog[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Syslog[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Syslog[prometheus_lvs_realserver_mss]\n\n+ owner => root\n+ force_stop => True\n+ log_filename => syslog.log\n+ readable_by => all\n+ base_dir => /var/log\n+ ensure => present\n+ programname_comparison => startswith\n+ group => root\n"}, {"resource": "File[/usr/local/bin/pooler-loop]", "parameters": "--- File[/usr/local/bin/pooler-loop].orig\n+++ File[/usr/local/bin/pooler-loop]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/pooler_loop.rb\n+ mode => 0555\n"}, {"resource": "Interface::Post_up_command[clsact_lo]", "parameters": "--- Interface::Post_up_command[clsact_lo].orig\n+++ Interface::Post_up_command[clsact_lo]\n\n+ ensure => absent\n+ interface => lo\n+ command => /usr/sbin/tc qdisc add dev lo clsact\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]\n\n+ before => ['Service[prometheus_lvs_realserver_mss.timer]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Augeas[ipip0_add_up]", "parameters": "--- Augeas[ipip0_add_up].orig\n+++ Augeas[ipip0_add_up]\n\n+ require => Interface::Manual[ipip_ipv4]\n+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ onlyif => match up[. = 'ip link add name ipip0 type ipip external'] size == 0\n+ changes => set up[last()+1] 'ip link add name ipip0 type ipip external'\n"}, {"resource": "File[/var/log/wmf_auto_restart_haproxy]", "parameters": "--- File[/var/log/wmf_auto_restart_haproxy].orig\n+++ File[/var/log/wmf_auto_restart_haproxy]\n\n+ owner => root\n+ force => True\n+ ensure => directory\n+ group => root\n+ backup => False\n+ mode => 0755\n"}, {"resource": "Sudo::User[nrpe-check_check_tcp-mss-clamper_status]", "parameters": "--- Sudo::User[nrpe-check_check_tcp-mss-clamper_status].orig\n+++ Sudo::User[nrpe-check_check_tcp-mss-clamper_status]\n\n+ require => ['Class[Sudo]']\n+ privileges => []\n+ ensure => absent\n+ tag => nrpe::check\n+ user => nagios\n"}, {"resource": "File[/lib/systemd/system/prometheus_ferm_mss.service]", "content": "--- /lib/systemd/system/prometheus_ferm_mss.service.orig\n+++ /lib/systemd/system/prometheus_ferm_mss.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Regular job to collect MSS values of ferm-based hosts\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418", "parameters": "--- File[/lib/systemd/system/prometheus_ferm_mss.service].orig\n+++ File[/lib/systemd/system/prometheus_ferm_mss.service]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "Exec[disable-rp-filter-ipip0]", "parameters": "--- Exec[disable-rp-filter-ipip0].orig\n+++ Exec[disable-rp-filter-ipip0]\n\n+ require => Interface::Ipip[ipip_ipv4]\n+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ipip0.rp_filter |grep -- '0'\n+ command => /usr/sbin/sysctl -q net.ipv4.conf.ipip0.rp_filter=0\n"}, {"resource": "File[/root/.etcdrc]", "content": "--- /root/.etcdrc.orig\n+++ /root/.etcdrc\n@@ -0,0 +1,3 @@\n+password: another_secret\n+username: conftool\n+", "parameters": "--- File[/root/.etcdrc].orig\n+++ File[/root/.etcdrc]\n\n+ show_diff => False\n+ owner => root\n+ ensure => present\n+ group => root\n+ mode => 0440\n"}, {"resource": "Systemd::Syslog[prometheus_ferm_mss]", "parameters": "--- Systemd::Syslog[prometheus_ferm_mss].orig\n+++ Systemd::Syslog[prometheus_ferm_mss]\n\n+ owner => root\n+ force_stop => True\n+ log_filename => syslog.log\n+ readable_by => all\n+ base_dir => /var/log\n+ ensure => present\n+ programname_comparison => startswith\n+ group => root\n"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- servicegroups => insetup_eqsin\n+ servicegroups => misc_eqsin\n"}, {"resource": "Motd::Script[insetup::infrastructure_foundations_ferm]", "parameters": "--- Motd::Script[insetup::infrastructure_foundations_ferm].orig\n+++ Motd::Script[insetup::infrastructure_foundations_ferm]\n\n- ensure => present\n- priority => 5\n"}, {"resource": "Interface::Ip[ipip_ipv4 ipv4]", "parameters": "--- Interface::Ip[ipip_ipv4 ipv4].orig\n+++ Interface::Ip[ipip_ipv4 ipv4]\n\n+ address => 127.0.0.42\n+ require => Augeas[ipip0_set_up]\n+ prefixlen => 32\n+ ensure => present\n+ interface => ipip0\n"}, {"resource": "Service[prometheus_lvs_realserver_mss.timer]", "parameters": "--- Service[prometheus_lvs_realserver_mss.timer].orig\n+++ Service[prometheus_lvs_realserver_mss.timer]\n\n+ enable => True\n+ ensure => running\n+ provider => systemd\n"}, {"resource": "Augeas[ipip60_set_up]", "parameters": "--- Augeas[ipip60_set_up].orig\n+++ Augeas[ipip60_set_up]\n\n+ require => Augeas[ipip60_add_up]\n+ context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ onlyif => match up[. = 'ip link set up dev ipip60'] size == 0\n+ changes => set up[last()+1] 'ip link set up dev ipip60'\n"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 ssh].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 ssh]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- servicegroups => insetup_eqsin\n+ servicegroups => misc_eqsin\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)].orig\n+++ Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Augeas[ipip0_manual]", "parameters": "--- Augeas[ipip0_manual].orig\n+++ Augeas[ipip0_manual]\n\n+ incl => /etc/network/interfaces\n+ changes => [\"set auto[./1 = 'ipip0']/1 'ipip0'\", \"set iface[. = 'ipip0'] 'ipip0'\", \"set iface[. = 'ipip0']/family 'inet'\", \"set iface[. = 'ipip0']/method 'manual'\"]\n+ context => /files/etc/network/interfaces\n+ lens => Interfaces.lns\n"}, {"resource": "File[/etc/update-motd.d/05-tcpproxy]", "content": "--- /etc/update-motd.d/05-tcpproxy.orig\n+++ /etc/update-motd.d/05-tcpproxy\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"tcp-proxy5004 is tcpproxy\"", "parameters": "--- File[/etc/update-motd.d/05-tcpproxy].orig\n+++ File[/etc/update-motd.d/05-tcpproxy]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0555\n"}, {"resource": "Class[Poolcounter::Client::Python]", "parameters": "--- Class[Poolcounter::Client::Python].orig\n+++ Class[Poolcounter::Client::Python]\n\n+ ensure => absent\n+ backends => []\n"}, {"resource": "File[/etc/etcd]", "parameters": "--- File[/etc/etcd].orig\n+++ File[/etc/etcd]\n\n+ ensure => directory\n+ group => root\n+ owner => root\n+ mode => 0755\n"}, {"resource": "File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]", "content": "--- /etc/ferm/conf.d/10_proxy_gerrit_ssh.orig\n+++ /etc/ferm/conf.d/10_proxy_gerrit_ssh\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&SERVICE(tcp, 29418);\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_proxy_gerrit_ssh].orig\n+++ File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]\n\n+ require => File[/etc/ferm/conf.d]\n+ owner => root\n+ notify => Service[ferm]\n+ ensure => present\n+ tag => ferm\n+ group => root\n+ mode => 0400\n"}, {"resource": "Interface::Ipip[ipip_ipv4]", "parameters": "--- Interface::Ipip[ipip_ipv4].orig\n+++ Interface::Ipip[ipip_ipv4]\n\n+ ensure => present\n+ address => 127.0.0.42\n+ interface => ipip0\n+ family => inet\n"}, {"resource": "File[/usr/local/bin/safe-service-restart]", "parameters": "--- File[/usr/local/bin/safe-service-restart].orig\n+++ File[/usr/local/bin/safe-service-restart]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/safe-service-restart.py\n+ mode => 0555\n"}, {"resource": "Systemd::Timer::Job[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Timer::Job[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Timer::Job[prometheus_lvs_realserver_mss]\n\n+ private_tmp => False\n+ environment => {}\n+ syslog_force_stop => True\n+ ignore_errors => False\n+ fixed_random_delay => False\n+ success_exit_status => []\n+ send_mail_only_on_error => True\n+ monitoring_enabled => False\n+ syslog_match_startswith => True\n+ description => Regular job to collect MSS values of realserver endpoints\n+ logfile_basedir => /var/log\n+ logfile_perms => all\n+ command => /usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418\n+ monitoring_contact_groups => admins\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_to => root@tcp-proxy5004.eqsin.wmnet\n+ logging_enabled => True\n+ logfile_name => syslog.log\n+ send_mail => False\n+ interval => {'start': 'OnCalendar', 'interval': 'minutely'}\n+ ensure => present\n+ user => root\n+ logfile_group => root\n"}, {"resource": "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "content": "--- /lib/systemd/system/prometheus_lvs_realserver_mss.timer.orig\n+++ /lib/systemd/system/prometheus_lvs_realserver_mss.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of prometheus_lvs_realserver_mss.service\n+\n+[Timer]\n+Unit=prometheus_lvs_realserver_mss.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=minutely\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer].orig\n+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => nrpe2nodexp-check_tcp-mss-clamper_status.service\n+ ensure => absent\n+ restart => False\n"}, {"resource": "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "content": "--- /etc/update-motd.d/05-insetup--infrastructure-foundations-ferm.orig\n+++ /etc/update-motd.d/05-insetup--infrastructure-foundations-ferm\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"tcp-proxy5004 is a Host being setup by Infrastructure Foundations SREs with ferm (insetup::infrastructure_foundations_ferm)\"", "parameters": "--- File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm].orig\n+++ File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]\n\n- ensure => present\n- group => root\n- owner => root\n- mode => 0555\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ ensure => absent\n+ priority => 25\n+ mode => 0444\n"}, {"resource": "Interface::Manual[ipip_ipv4]", "parameters": "--- Interface::Manual[ipip_ipv4].orig\n+++ Interface::Manual[ipip_ipv4]\n\n+ family => inet\n+ ensure => present\n+ hotplug => False\n+ interface => ipip0\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]\n\n+ before => ['Service[prometheus_ferm_mss.timer]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Sysctl::Parameters[ubuntu defaults]", "parameters": "--- Sysctl::Parameters[ubuntu defaults].orig\n+++ Sysctl::Parameters[ubuntu defaults]\n\n@@\n- values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 1, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n+ values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 0, 'net.ipv4.conf.all.rp_filter': 0, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n"}, {"resource": "Package[python3-conftool]", "parameters": "--- Package[python3-conftool].orig\n+++ Package[python3-conftool]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "Interface::Clsact[clsact_lo]", "parameters": "--- Interface::Clsact[clsact_lo].orig\n+++ Interface::Clsact[clsact_lo]\n\n+ ensure => absent\n+ interface => lo\n"}, {"resource": "Logrotate::Conf[wmf_auto_restart_haproxy]", "parameters": "--- Logrotate::Conf[wmf_auto_restart_haproxy].orig\n+++ Logrotate::Conf[wmf_auto_restart_haproxy]\n\n+ ensure => present\n"}, {"resource": "File[/usr/local/bin/pool]", "parameters": "--- File[/usr/local/bin/pool].orig\n+++ File[/usr/local/bin/pool]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/conftool-simple-command.sh\n+ mode => 0555\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[haproxy]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "content": "--- /etc/ferm/conf.d/10_clamp-mss-ipv6.orig\n+++ /etc/ferm/conf.d/10_clamp-mss-ipv6\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_clamp-mss-ipv6: \n+\n+domain (ip6) {\n+\ttable filter {\n+\t\tchain OUTPUT {\n+\t\t\touterface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1400;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_clamp-mss-ipv6].orig\n+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv6]\n\n+ require => File[/etc/ferm/conf.d]\n+ owner => root\n+ notify => Service[ferm]\n+ ensure => present\n+ tag => ferm\n+ group => root\n+ mode => 0400\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "File[/usr/local/sbin/restart-gerrit]", "content": "--- /usr/local/sbin/restart-gerrit.orig\n+++ /usr/local/sbin/restart-gerrit\n@@ -0,0 +1,2 @@\n+#!/bin/bash\n+/usr/local/bin/safe-service-restart --pools gerrit-ssh --services gerrit --retries 10 --wait 5 $@", "parameters": "--- File[/usr/local/sbin/restart-gerrit].orig\n+++ File[/usr/local/sbin/restart-gerrit]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0555\n"}, {"resource": "Package[wikimedia-lvs-realserver]", "parameters": "--- Package[wikimedia-lvs-realserver].orig\n+++ Package[wikimedia-lvs-realserver]\n\n+ provider => apt\n+ ensure => present\n+ require => File[/etc/default/wikimedia-lvs-realserver]\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "parameters": "--- Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig\n+++ Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]\n\n+ enable => False\n+ ensure => stopped\n+ before => ['Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]']\n+ provider => systemd\n"}, {"resource": "Monitoring::Exported_nagios_host[tcp-proxy5004]", "parameters": "--- Monitoring::Exported_nagios_host[tcp-proxy5004].orig\n+++ Monitoring::Exported_nagios_host[tcp-proxy5004]\n\n@@\n- hostgroups => insetup_eqsin\n+ hostgroups => misc_eqsin\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "Systemd::Service[prometheus_ferm_mss]", "parameters": "--- Systemd::Service[prometheus_ferm_mss].orig\n+++ Systemd::Service[prometheus_ferm_mss]\n\n+ override => False\n+ require => Systemd::Unit[prometheus_ferm_mss.service]\n+ monitoring_contact_group => admins\n+ monitoring_enabled => False\n+ service_params => {}\n+ unit_type => timer\n+ monitoring_critical => False\n+ ensure => present\n+ migration_task => T407130\n+ restart => False\n"}, {"resource": "File[/etc/sysctl.d/51-ubuntu-defaults.conf]", "content": "--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig\n+++ /etc/sysctl.d/51-ubuntu-defaults.conf\n@@ -4,7 +4,7 @@\n kernel.kptr_restrict = 1\n kernel.printk = 4 4 1 7\n kernel.yama.ptrace_scope = 1\n-net.ipv4.conf.all.rp_filter = 1\n-net.ipv4.conf.default.rp_filter = 1\n+net.ipv4.conf.all.rp_filter = 0\n+net.ipv4.conf.default.rp_filter = 0\n net.ipv4.tcp_syncookies = 1\n vm.mmap_min_addr = 65536"}, {"resource": "Class[Profile::Conftool::Client]", "parameters": "--- Class[Profile::Conftool::Client].orig\n+++ Class[Profile::Conftool::Client]\n\n+ require => ['Class[Passwords::Etcd]']\n+ namespace => /conftool\n+ tcpircbot_port => 9200\n+ etcd_user => __auto__\n+ tcpircbot_host => icinga.wikimedia.org\n+ conftool2git_host => puppetserver1003.eqiad.wmnet\n+ srv_domain => conftool.eqsin.wmnet\n+ pool_pwd_seed => 21}@/\n+ conftool2git_bind_addr => 0.0.0.0:1312\n"}, {"resource": "Sysctl::Conffile[ubuntu defaults]"}, {"resource": "Rsyslog::Conf[prometheus_ferm_mss]", "parameters": "--- Rsyslog::Conf[prometheus_ferm_mss].orig\n+++ Rsyslog::Conf[prometheus_ferm_mss]\n\n+ ensure => present\n+ require => File[/var/log/prometheus_ferm_mss]\n+ priority => 40\n+ mode => 0444\n"}, {"resource": "Systemd::Unit[prometheus_ferm_mss.timer]", "parameters": "--- Systemd::Unit[prometheus_ferm_mss.timer].orig\n+++ Systemd::Unit[prometheus_ferm_mss.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => prometheus_ferm_mss.timer\n+ ensure => present\n+ restart => False\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => nrpe2nodexp-check_tcp-mss-clamper_status.timer\n+ ensure => absent\n+ restart => False\n"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]\n\n+ is_volatile => 0\n+ retry_interval => 1\n+ check_interval => 10\n+ service_description => Check unit status of tcp-mss-clamper\n+ notification_interval => 0\n+ notification_options => c,r,f\n+ notifications_enabled => 1\n+ host_name => tcp-proxy5004\n+ active_checks_enabled => 1\n+ check_command => nrpe_check!check_check_tcp-mss-clamper_status!10\n+ max_check_attempts => 2\n+ servicegroups => misc_eqsin\n+ passive_checks_enabled => 1\n+ notification_period => 24x7\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ check_period => 24x7\n+ ensure => absent\n+ contact_groups => admins\n+ check_freshness => 0\n"}, {"resource": "File_line[rm_post-up_lo_clsact_lo]", "parameters": "--- File_line[rm_post-up_lo_clsact_lo].orig\n+++ File_line[rm_post-up_lo_clsact_lo]\n\n+ ensure => absent\n+ path => /etc/network/interfaces\n+ match_for_absence => True\n+ match => post-up /usr/sbin/tc qdisc add dev lo clsact\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n- cluster => insetup\n+ cluster => misc\n@@\n- rp_filter => True\n+ rp_filter => False\n"}, {"resource": "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]", "parameters": "--- Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)].orig\n+++ Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]\n\n+ before => ['Service[wmf_auto_restart_haproxy.timer]']\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/conftool/local_services.yaml]", "content": "--- /etc/conftool/local_services.yaml.orig\n+++ /etc/conftool/local_services.yaml\n@@ -0,0 +1,7 @@\n+---\n+gerrit-ssh:\n+ cluster: tcp-proxy\n+ service: gerrit\n+ servers:\n+ - pybal-high-traffic1-eqsin.wikimedia.org\n+ port: 29418", "parameters": "--- File[/etc/conftool/local_services.yaml].orig\n+++ File[/etc/conftool/local_services.yaml]\n\n+ ensure => present\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)].orig\n+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Ferm::Rule[ipip]", "parameters": "--- Ferm::Rule[ipip].orig\n+++ Ferm::Rule[ipip]\n\n+ desc => \n+ domain => (ip)\n+ rule => saddr 172.16.0.0/12 proto ipencap ACCEPT;\n+ prio => 10\n+ ensure => present\n+ table => filter\n+ chain => INPUT\n"}, {"resource": "File[/usr/local/bin/prometheus-ferm-mss]", "parameters": "--- File[/usr/local/bin/prometheus-ferm-mss].orig\n+++ File[/usr/local/bin/prometheus-ferm-mss]\n\n+ owner => root\n+ ensure => file\n+ group => root\n+ source => puppet:///modules/prometheus/usr/local/bin/prometheus-ferm-mss.py\n+ mode => 0555\n"}, {"resource": "Augeas[ipip0_127.0.0.42/32]", "parameters": "--- Augeas[ipip0_127.0.0.42/32].orig\n+++ Augeas[ipip0_127.0.0.42/32]\n\n+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ onlyif => match up[. = 'ip addr add 127.0.0.42/32 dev ipip0'] size == 0\n+ changes => set up[last()+1] 'ip addr add 127.0.0.42/32 dev ipip0'\n"}, {"resource": "Motd::Message[insetup::infrastructure_foundations_ferm]", "parameters": "--- Motd::Message[insetup::infrastructure_foundations_ferm].orig\n+++ Motd::Message[insetup::infrastructure_foundations_ferm]\n\n- ensure => present\n- priority => 5\n- message => tcp-proxy5004 is a Host being setup by Infrastructure Foundations SREs with ferm (insetup::infrastructure_foundations_ferm)\n"}, {"resource": "Exec[/usr/sbin/tc qdisc del dev ens13 clsact]", "parameters": "--- Exec[/usr/sbin/tc qdisc del dev ens13 clsact].orig\n+++ Exec[/usr/sbin/tc qdisc del dev ens13 clsact]\n\n+ onlyif => /usr/sbin/tc qdisc show dev ens13 | grep -q clsact\n"}, {"resource": "Exec[ip link set up dev ipip0]", "parameters": "--- Exec[ip link set up dev ipip0].orig\n+++ Exec[ip link set up dev ipip0]\n\n+ returns => [0, 2]\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip0 | grep -q UP\n"}, {"resource": "Class[Conftool::Config]", "parameters": "--- Class[Conftool::Config].orig\n+++ Class[Conftool::Config]\n\n+ namespace => /conftool\n+ tcpircbot_host => icinga.wikimedia.org\n+ tcpircbot_port => 9200\n+ hosts => []\n+ conftool2git_address => puppetserver1003.eqiad.wmnet:1312\n"}, {"resource": "Motd::Script[tcpproxy]", "parameters": "--- Motd::Script[tcpproxy].orig\n+++ Motd::Script[tcpproxy]\n\n+ ensure => present\n+ priority => 5\n"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- servicegroups => insetup_eqsin\n+ servicegroups => misc_eqsin\n"}, {"resource": "Systemd::Timer::Job[prometheus_ferm_mss]", "parameters": "--- Systemd::Timer::Job[prometheus_ferm_mss].orig\n+++ Systemd::Timer::Job[prometheus_ferm_mss]\n\n+ private_tmp => False\n+ environment => {}\n+ syslog_force_stop => True\n+ ignore_errors => False\n+ fixed_random_delay => False\n+ success_exit_status => []\n+ send_mail_only_on_error => True\n+ monitoring_enabled => False\n+ syslog_match_startswith => True\n+ description => Regular job to collect MSS values of ferm-based hosts\n+ logfile_basedir => /var/log\n+ logfile_perms => all\n+ command => /usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418\n+ monitoring_contact_groups => admins\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_to => root@tcp-proxy5004.eqsin.wmnet\n+ logging_enabled => True\n+ logfile_name => syslog.log\n+ send_mail => False\n+ interval => {'start': 'OnCalendar', 'interval': 'minutely'}\n+ ensure => present\n+ user => root\n+ logfile_group => root\n"}, {"resource": "File[/etc/logrotate.d/prometheus_ferm_mss]", "content": "--- /etc/logrotate.d/prometheus_ferm_mss.orig\n+++ /etc/logrotate.d/prometheus_ferm_mss\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for prometheus_ferm_mss\n+\n+/var/log/prometheus_ferm_mss/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/prometheus_ferm_mss].orig\n+++ File[/etc/logrotate.d/prometheus_ferm_mss]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0444\n"}, {"resource": "Augeas[ipip60_add_up]", "parameters": "--- Augeas[ipip60_add_up].orig\n+++ Augeas[ipip60_add_up]\n\n+ require => Interface::Manual[ipip_ipv6]\n+ context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ onlyif => match up[. = 'ip link add name ipip60 type ip6tnl external'] size == 0\n+ changes => set up[last()+1] 'ip link add name ipip60 type ip6tnl external'\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[haproxy]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Class[Profile::Tcpproxy]", "parameters": "--- Class[Profile::Tcpproxy].orig\n+++ Class[Profile::Tcpproxy]\n\n+ socket => /run/haproxy/haproxy.sock\n+ prometheus_port => 9422\n"}, {"resource": "File_line[rm_post-up_ens13_clsact_ens13]", "parameters": "--- File_line[rm_post-up_ens13_clsact_ens13].orig\n+++ File_line[rm_post-up_ens13_clsact_ens13]\n\n+ ensure => absent\n+ path => /etc/network/interfaces\n+ match_for_absence => True\n+ match => post-up /usr/sbin/tc qdisc add dev ens13 clsact\n"}, {"resource": "Service[haproxy]", "parameters": "--- Service[haproxy].orig\n+++ Service[haproxy]\n\n+ enable => True\n+ ensure => running\n+ require => Package[haproxy]\n"}, {"resource": "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "content": "--- /lib/systemd/system/prometheus_lvs_realserver_mss.service.orig\n+++ /lib/systemd/system/prometheus_lvs_realserver_mss.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Regular job to collect MSS values of realserver endpoints\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 103.102.166.225:29418 -e [2001:df2:e500:ed1a::2]:29418", "parameters": "--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.service].orig\n+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service\n@@ -0,0 +1,11 @@\n+[Unit]\n+Description=execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=nagios\n+\n+Group=prometheus-node-exporter\n+SyslogIdentifier=nrpe2nodexp-check_tcp-mss-clamper_status\n+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"295d6d5dd0a784bb9ba1d5983fd1894f\" --timeout 10 --check-command \"check_check_tcp-mss-clamper_status\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]\n+ ensure => absent\n+ group => root\n+ mode => 0444\n"}, {"resource": "Package[haproxy]", "parameters": "--- Package[haproxy].orig\n+++ Package[haproxy]\n\n+ provider => apt\n+ ensure => installed\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- nagios_group => insetup_eqsin\n+ nagios_group => misc_eqsin\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "Package[python3-poolcounter]", "parameters": "--- Package[python3-poolcounter].orig\n+++ Package[python3-poolcounter]\n\n+ provider => apt\n+ ensure => absent\n"}, {"resource": "Ferm::Rule[ip6ip6]", "parameters": "--- Ferm::Rule[ip6ip6].orig\n+++ Ferm::Rule[ip6ip6]\n\n+ desc => \n+ domain => (ip6)\n+ rule => saddr 0100::/64 proto ipv6 ACCEPT;\n+ prio => 10\n+ ensure => present\n+ table => filter\n+ chain => INPUT\n"}, {"resource": "Ferm::Rule[clamp-mss-ipv4]", "parameters": "--- Ferm::Rule[clamp-mss-ipv4].orig\n+++ Ferm::Rule[clamp-mss-ipv4]\n\n+ desc => \n+ domain => (ip)\n+ rule => outerface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1440;\n+ prio => 10\n+ ensure => present\n+ table => filter\n+ chain => OUTPUT\n"}, {"resource": "Monitoring::Service[check_tcp-mss-clamper_status]", "parameters": "--- Monitoring::Service[check_tcp-mss-clamper_status].orig\n+++ Monitoring::Service[check_tcp-mss-clamper_status]\n\n+ critical => False\n+ retry_interval => 1\n+ check_interval => 10\n+ check_command => nrpe_check!check_check_tcp-mss-clamper_status!10\n+ contact_group => admins\n+ passive => False\n+ config_dir => /etc/nagios\n+ freshness => 36000\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ host => tcp-proxy5004\n+ retries => 2\n+ description => Check unit status of tcp-mss-clamper\n+ ensure => absent\n+ migration_task => T407130\n"}, {"resource": "Service[tcp-mss-clamper]", "parameters": "--- Service[tcp-mss-clamper].orig\n+++ Service[tcp-mss-clamper]\n\n+ enable => False\n+ ensure => stopped\n+ before => ['Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]']\n"}, {"resource": "Class[Etcd::Client::Globalconfig]", "parameters": "--- Class[Etcd::Client::Globalconfig].orig\n+++ Class[Etcd::Client::Globalconfig]\n\n+ srv_domain => conftool.eqsin.wmnet\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ override => False\n+ require => Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]\n+ monitoring_contact_group => admins\n+ monitoring_enabled => False\n+ service_params => {}\n+ unit_type => timer\n+ monitoring_critical => False\n+ ensure => absent\n+ migration_task => T407130\n+ restart => False\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "File[/etc/poolcounter-backends.yaml]", "content": "--- /etc/poolcounter-backends.yaml.orig\n+++ /etc/poolcounter-backends.yaml\n@@ -0,0 +1 @@\n+--- []", "parameters": "--- File[/etc/poolcounter-backends.yaml].orig\n+++ File[/etc/poolcounter-backends.yaml]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n+ mode => 0444\n"}, {"resource": "Firewall::Service[proxy-gerrit-ssh]", "parameters": "--- Firewall::Service[proxy-gerrit-ssh].orig\n+++ Firewall::Service[proxy-gerrit-ssh]\n\n+ desc => \n+ port => [29418]\n+ prio => 10\n+ notrack => False\n+ ensure => present\n+ proto => tcp\n"}, {"resource": "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "content": "--- /etc/ferm/conf.d/10_clamp-mss-ipv4.orig\n+++ /etc/ferm/conf.d/10_clamp-mss-ipv4\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_clamp-mss-ipv4: \n+\n+domain (ip) {\n+\ttable filter {\n+\t\tchain OUTPUT {\n+\t\t\touterface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1440;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_clamp-mss-ipv4].orig\n+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv4]\n\n+ require => File[/etc/ferm/conf.d]\n+ owner => root\n+ notify => Service[ferm]\n+ ensure => present\n+ tag => ferm\n+ group => root\n+ mode => 0400\n"}, {"resource": "Conftool::Scripts::Safe_service_restart[gerrit]", "parameters": "--- Conftool::Scripts::Safe_service_restart[gerrit].orig\n+++ Conftool::Scripts::Safe_service_restart[gerrit]\n\n+ require => ['Class[Conftool::Scripts]']\n+ max_concurrency => 0\n+ lvs_pools => ['gerrit-ssh']\n"}, {"resource": "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "content": "--- /lib/systemd/system/prometheus_ferm_mss.timer.orig\n+++ /lib/systemd/system/prometheus_ferm_mss.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of prometheus_ferm_mss.service\n+\n+[Timer]\n+Unit=prometheus_ferm_mss.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=minutely\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus_ferm_mss.timer].orig\n+++ File[/lib/systemd/system/prometheus_ferm_mss.timer]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]", "parameters": "--- Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f].orig\n+++ Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]\n\n+ logs => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_tcp-mss-clamper_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n+ runbook => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ severity => info\n+ for => 11m\n+ def_label_whitelst => ['team', 'severity']\n+ dashboard => TODO\n+ group => nrpechecks\n+ description => NRPE CHECK: Check unit status of tcp-mss-clamper\n+ instance => ops\n+ expr => (nagios_nrpe_check_result{alert_rule_hash=\"295d6d5dd0a784bb9ba1d5983fd1894f\",check_name=\"check_check_tcp-mss-clamper_status\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n+ ensure => absent\n+ site => eqsin\n+ summary => NRPE CHECK: Check unit status of tcp-mss-clamper\n+ alert_name => nrpe_Check_unit_status_of_tcp_mss_clamper\n+ team => observability\n"}, {"resource": "Class[Profile::Lvs::Realserver]", "parameters": "--- Class[Profile::Lvs::Realserver].orig\n+++ Class[Profile::Lvs::Realserver]\n\n+ pools => {'gerrit-ssh': {'services': ['gerrit']}}\n+ require => ['Class[Profile::Conftool::Client]']\n+ use_conftool => True\n"}, {"resource": "Interface::Clsact[clsact_ens13]", "parameters": "--- Interface::Clsact[clsact_ens13].orig\n+++ Interface::Clsact[clsact_ens13]\n\n+ ensure => absent\n+ interface => ens13\n"}, {"resource": "Rsyslog::Conf[wmf_auto_restart_haproxy]", "parameters": "--- Rsyslog::Conf[wmf_auto_restart_haproxy].orig\n+++ Rsyslog::Conf[wmf_auto_restart_haproxy]\n\n+ ensure => present\n+ require => File[/var/log/wmf_auto_restart_haproxy]\n+ priority => 40\n+ mode => 0444\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf\n@@ -0,0 +1,10 @@\n+# SPDX-License-Identifier: Apache-2.0\n+if $programname contains \"nrpe2nodexp-check_tcp-mss-clamper_status\" then {\n+ if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n+ # Send logs to kafka\n+ set $.log_outputs = \"kafka ecs_170 local\";\n+ } else {\n+ # Filter out non-relevant nrpe2nodexp messages\n+ stop\n+ }\n+}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]\n\n+ owner => root\n+ notify => Service[rsyslog]\n+ ensure => absent\n+ group => root\n+ mode => 0444\n"}, {"resource": "File[/etc/conftool/config.yaml]", "content": "--- /etc/conftool/config.yaml.orig\n+++ /etc/conftool/config.yaml\n@@ -0,0 +1,14 @@\n+---\n+hosts: []\n+tcpircbot_host: icinga.wikimedia.org\n+tcpircbot_port: 9200\n+driver_options:\n+ allow_reconnect: true\n+ suppress_san_warnings: false\n+namespace: \"/conftool\"\n+extensions_config:\n+ reqconfig:\n+ haproxy_reserved_slots:\n+ - 0\n+ varnish_acl_ipblocks: []\n+conftool2git_address: puppetserver1003.eqiad.wmnet:1312", "parameters": "--- File[/etc/conftool/config.yaml].orig\n+++ File[/etc/conftool/config.yaml]\n\n+ ensure => present\n+ group => root\n+ owner => root\n+ mode => 0444\n"}, {"resource": "File[/etc/ferm/conf.d/10_ipip]", "content": "--- /etc/ferm/conf.d/10_ipip.orig\n+++ /etc/ferm/conf.d/10_ipip\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_ipip: \n+\n+domain (ip) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tsaddr 172.16.0.0/12 proto ipencap ACCEPT;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_ipip].orig\n+++ File[/etc/ferm/conf.d/10_ipip]\n\n+ require => File[/etc/ferm/conf.d]\n+ owner => root\n+ notify => Service[ferm]\n+ ensure => present\n+ tag => ferm\n+ group => root\n+ mode => 0400\n"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -0,0 +1,38 @@\n+# Note: This file is managed by puppet.\n+global\n+ user haproxy\n+ group haproxy\n+ stats socket /run/haproxy/haproxy.sock mode 600 level admin\n+ hard-stop-after 5m\n+ set-dumpable\n+ log stderr local0 info\n+\n+defaults\n+ mode tcp\n+ option dontlognull\n+ option tcplog\n+ option tcp-check\n+ retries 1\n+ timeout connect 10s\n+ timeout client 50s\n+ timeout server 50s\n+ timeout tunnel 3636s # just a bit more than 1 hour (Gerrit's SSH idle timeout) -- overrides client and server timeouts once TCP tunnel established\n+ timeout client-fin 50s # once gerrit closes the connection, close the other side quickly, in case clients disappear mid-tunnel\n+ log global\n+\n+listen gerrit_ssh\n+ bind :::29418 v4v6\n+ server backend_server gerrit.discovery.wmnet port 29418 resolvers default init-addr none check maxconn 200 \n+\n+frontend stats\n+ mode http\n+ no log\n+ maxconn 100\n+ bind :::9422 v4v6\n+ http-request use-service prometheus-exporter if { path /metrics }\n+ stats enable\n+ stats uri /stats\n+ stats refresh 10s\n+ # Explicitly avoid keep-alive to prevent Prometheus scrapers from\n+ # reusing indefinitelly the same TCP connection. See T343000\n+ http-after-response set-header Connection Close", "parameters": "--- File[/etc/haproxy/haproxy.cfg].orig\n+++ File[/etc/haproxy/haproxy.cfg]\n\n+ require => Package[haproxy]\n+ owner => root\n+ notify => Service[haproxy]\n+ ensure => file\n+ group => root\n+ mode => 0544\n"}, {"resource": "Package[tcp-mss-clamper]", "parameters": "--- Package[tcp-mss-clamper].orig\n+++ Package[tcp-mss-clamper]\n\n+ provider => apt\n+ ensure => absent\n"}, {"resource": "Nrpe::Plugin[check_systemd_unit_status]", "parameters": "--- Nrpe::Plugin[check_systemd_unit_status].orig\n+++ Nrpe::Plugin[check_systemd_unit_status]\n\n+ ensure => present\n+ source => puppet:///modules/systemd/check_systemd_unit_status\n"}, {"resource": "Interface::Ipip[ipip_ipv6]", "parameters": "--- Interface::Ipip[ipip_ipv6].orig\n+++ Interface::Ipip[ipip_ipv6]\n\n+ ensure => present\n+ interface => ipip60\n+ family => inet6\n"}, {"resource": "File[/etc/conftool/schema.yaml]", "parameters": "--- File[/etc/conftool/schema.yaml].orig\n+++ File[/etc/conftool/schema.yaml]\n\n+ owner => root\n+ ensure => file\n+ group => root\n+ source => puppet:///modules/profile/conftool/schema.yaml\n+ mode => 0444\n"}, {"resource": "Augeas[ipip0_set_up]", "parameters": "--- Augeas[ipip0_set_up].orig\n+++ Augeas[ipip0_set_up]\n\n+ require => Augeas[ipip0_add_up]\n+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ onlyif => match up[. = 'ip link set up dev ipip0'] size == 0\n+ changes => set up[last()+1] 'ip link set up dev ipip0'\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n- role_description => Host being setup by Infrastructure Foundations SREs with ferm\n"}, {"resource": "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "parameters": "--- Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver].orig\n+++ Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]\n\n+ subscribe => File[/etc/default/wikimedia-lvs-realserver]\n+ path => /bin:/sbin:/usr/bin:/usr/sbin\n+ refreshonly => True\n+ require => Package[wikimedia-lvs-realserver]\n"}, {"resource": "File[/usr/local/bin/depool]", "parameters": "--- File[/usr/local/bin/depool].orig\n+++ File[/usr/local/bin/depool]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/conftool-simple-command.sh\n+ mode => 0555\n"}, {"resource": "File[/usr/local/bin/ispooled]", "parameters": "--- File[/usr/local/bin/ispooled].orig\n+++ File[/usr/local/bin/ispooled]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/ispooled.sh\n+ mode => 0555\n"}, {"resource": "File[/etc/conftool]", "parameters": "--- File[/etc/conftool].orig\n+++ File[/etc/conftool]\n\n+ ensure => directory\n+ group => root\n+ owner => root\n+ mode => 0755\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"unknown\",role=\"tcpproxy\",cluster=\"misc\"} 1.0"}, {"resource": "Profile::Auto_restarts::Service[haproxy]", "parameters": "--- Profile::Auto_restarts::Service[haproxy].orig\n+++ Profile::Auto_restarts::Service[haproxy]\n\n+ ensure => present\n"}, {"resource": "Systemd::Unit[prometheus_ferm_mss.service]", "parameters": "--- Systemd::Unit[prometheus_ferm_mss.service].orig\n+++ Systemd::Unit[prometheus_ferm_mss.service]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => prometheus_ferm_mss.service\n+ ensure => present\n+ restart => False\n"}, {"resource": "Systemd::Unit[wmf_auto_restart_haproxy.timer]", "parameters": "--- Systemd::Unit[wmf_auto_restart_haproxy.timer].orig\n+++ Systemd::Unit[wmf_auto_restart_haproxy.timer]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => wmf_auto_restart_haproxy.timer\n+ ensure => present\n+ restart => False\n"}, {"resource": "File[/usr/local/bin/drain]", "parameters": "--- File[/usr/local/bin/drain].orig\n+++ File[/usr/local/bin/drain]\n\n+ owner => root\n+ ensure => present\n+ group => root\n+ source => puppet:///modules/conftool/conftool-simple-command.sh\n+ mode => 0555\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg\n@@ -0,0 +1,2 @@\n+# File generated by puppet. DO NOT edit by hand\n+command[check_check_tcp-mss-clamper_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]\n\n+ require => Package[nagios-nrpe-server]\n+ owner => root\n+ notify => Service[nagios-nrpe-server]\n+ ensure => absent\n+ tag => nrpe::check\n+ group => root\n+ mode => 0444\n"}, {"resource": "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "parameters": "--- Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)].orig\n+++ Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]\n\n+ refreshonly => True\n+ command => /bin/systemctl daemon-reload\n"}, {"resource": "Service[wmf_auto_restart_haproxy.timer]", "parameters": "--- Service[wmf_auto_restart_haproxy.timer].orig\n+++ Service[wmf_auto_restart_haproxy.timer]\n\n+ enable => True\n+ ensure => running\n+ provider => systemd\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-ferm-mss.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-ferm-mss.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"prometheus_ferm_mss\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/prometheus_ferm_mss/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]\n\n+ owner => root\n+ notify => Service[rsyslog]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "parameters": "--- Exec[/usr/sbin/tc qdisc del dev lo clsact].orig\n+++ Exec[/usr/sbin/tc qdisc del dev lo clsact]\n\n+ onlyif => /usr/sbin/tc qdisc show dev lo | grep -q clsact\n"}, {"resource": "Logrotate::Conf[prometheus_ferm_mss]", "parameters": "--- Logrotate::Conf[prometheus_ferm_mss].orig\n+++ Logrotate::Conf[prometheus_ferm_mss]\n\n+ ensure => present\n"}, {"resource": "Exec[disable-rp-filter-ens13]", "parameters": "--- Exec[disable-rp-filter-ens13].orig\n+++ Exec[disable-rp-filter-ens13]\n\n+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ens13.rp_filter |grep -- '0'\n+ command => /usr/sbin/sysctl -q net.ipv4.conf.ens13.rp_filter=0\n"}, {"resource": "Prometheus::Node_ferm_mss[ferm_clamped_ipport]", "parameters": "--- Prometheus::Node_ferm_mss[ferm_clamped_ipport].orig\n+++ Prometheus::Node_ferm_mss[ferm_clamped_ipport]\n\n+ ensure => present\n+ outfile => /var/lib/prometheus/node.d/ferm-mss.prom\n+ clamped_ipport => ['103.102.166.225:29418', '[2001:df2:e500:ed1a::2]:29418']\n"}, {"resource": "Exec[ip link add name ipip60 type ip6tnl external]", "parameters": "--- Exec[ip link add name ipip60 type ip6tnl external].orig\n+++ Exec[ip link add name ipip60 type ip6tnl external]\n\n+ returns => [0, 2]\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip60\n"}, {"resource": "File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]", "content": "--- /etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf.orig\n+++ /etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"wmf_auto_restart_haproxy\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/wmf_auto_restart_haproxy/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf].orig\n+++ File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]\n\n+ owner => root\n+ notify => Service[rsyslog]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "File[/lib/systemd/system/tcp-mss-clamper.service]", "content": "--- /lib/systemd/system/tcp-mss-clamper.service.orig\n+++ /lib/systemd/system/tcp-mss-clamper.service\n@@ -0,0 +1,11 @@\n+[Unit]\n+Description=eBPF based TCP MSS clamper\n+After=network.target\n+\n+[Install]\n+WantedBy=multi-user.target\n+\n+[Service]\n+LimitMEMLOCK=infinity\n+ExecStart=/usr/bin/tcp-mss-clamper --ipv4-mss 1440 --ipv6-mss 1400 -p :2200 -s \"103.102.166.225:29418,[2001:df2:e500:ed1a::2]:29418\" -i ens13,lo\n+Restart=on-failure", "parameters": "--- File[/lib/systemd/system/tcp-mss-clamper.service].orig\n+++ File[/lib/systemd/system/tcp-mss-clamper.service]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]\n+ ensure => absent\n+ group => root\n+ mode => 0444\n"}, {"resource": "Exec[ip link add name ipip0 type ipip external]", "parameters": "--- Exec[ip link add name ipip0 type ipip external].orig\n+++ Exec[ip link add name ipip0 type ipip external]\n\n+ returns => [0, 2]\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip0\n"}, {"resource": "File[/etc/etcd/etcdrc]", "content": "--- /etc/etcd/etcdrc.orig\n+++ /etc/etcd/etcdrc\n@@ -0,0 +1,7 @@\n+allow_reconnect: true\n+ca_cert: /etc/ssl/certs/wmf-ca-certificates.crt\n+host: \n+port: \n+protocol: https\n+srv_domain: conftool.eqsin.wmnet\n+", "parameters": "--- File[/etc/etcd/etcdrc].orig\n+++ File[/etc/etcd/etcdrc]\n\n+ show_diff => True\n+ owner => root\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "Class[Poolcounter::Client]", "parameters": "--- Class[Poolcounter::Client].orig\n+++ Class[Poolcounter::Client]\n\n+ ensure => absent\n+ backends => []\n"}, {"resource": "Exec[disable-rp-filter-ipip60]", "parameters": "--- Exec[disable-rp-filter-ipip60].orig\n+++ Exec[disable-rp-filter-ipip60]\n\n+ require => Interface::Ipip[ipip_ipv6]\n+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ipip60.rp_filter |grep -- '0'\n+ command => /usr/sbin/sysctl -q net.ipv4.conf.ipip60.rp_filter=0\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "parameters": "--- File[/usr/local/bin/prometheus-lvs-realserver-mss].orig\n+++ File[/usr/local/bin/prometheus-lvs-realserver-mss]\n\n+ owner => root\n+ ensure => file\n+ group => root\n+ source => puppet:///modules/prometheus/usr/local/bin/prometheus-lvs-realserver-mss.py\n+ mode => 0555\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ private_tmp => False\n+ environment => {}\n+ syslog_force_stop => True\n+ ignore_errors => True\n+ fixed_random_delay => True\n+ success_exit_status => []\n+ send_mail_only_on_error => True\n+ monitoring_enabled => False\n+ syslog_match_startswith => True\n+ description => execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.\n+ logfile_basedir => /var/log\n+ group => prometheus-node-exporter\n+ syslog_identifier => nrpe2nodexp-check_tcp-mss-clamper_status\n+ logfile_perms => all\n+ command => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"295d6d5dd0a784bb9ba1d5983fd1894f\" --timeout 10 --check-command \"check_check_tcp-mss-clamper_status\"\n+ ensure => absent\n+ monitoring_contact_groups => admins\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_to => root@tcp-proxy5004.eqsin.wmnet\n+ logging_enabled => False\n+ logfile_name => syslog.log\n+ send_mail => False\n+ interval => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]\n+ splay => 300\n+ user => nagios\n+ logfile_group => root\n"}, {"resource": "File[/lib/systemd/system/wmf_auto_restart_haproxy.service]", "content": "--- /lib/systemd/system/wmf_auto_restart_haproxy.service.orig\n+++ /lib/systemd/system/wmf_auto_restart_haproxy.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Auto restart job: haproxy\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/wmf-auto-restart -s haproxy", "parameters": "--- File[/lib/systemd/system/wmf_auto_restart_haproxy.service].orig\n+++ File[/lib/systemd/system/wmf_auto_restart_haproxy.service]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}, {"resource": "File_line[auto_restart_file_presence_haproxy]", "parameters": "--- File_line[auto_restart_file_presence_haproxy].orig\n+++ File_line[auto_restart_file_presence_haproxy]\n\n+ ensure => present\n+ line => haproxy\n+ path => /etc/debdeploy-client/autorestarts.conf\n+ require => File[/etc/debdeploy-client/autorestarts.conf]\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer\n@@ -0,0 +1,14 @@\n+[Unit]\n+Description=Periodic execution of nrpe2nodexp-check_tcp-mss-clamper_status.service\n+\n+[Timer]\n+Unit=nrpe2nodexp-check_tcp-mss-clamper_status.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnUnitInactiveSec=5min\n+OnActiveSec=1s\n+RandomizedDelaySec=300\n+FixedRandomDelay=true\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]\n\n+ owner => root\n+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]\n+ ensure => absent\n+ group => root\n+ mode => 0444\n"}, {"resource": "Nrpe::Check[check_check_tcp-mss-clamper_status]", "parameters": "--- Nrpe::Check[check_check_tcp-mss-clamper_status].orig\n+++ Nrpe::Check[check_check_tcp-mss-clamper_status]\n\n+ ensure => absent\n+ before => Monitoring::Service[check_tcp-mss-clamper_status]\n+ command => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper\n"}, {"resource": "Exec[ip link set up dev ipip60]", "parameters": "--- Exec[ip link set up dev ipip60].orig\n+++ Exec[ip link set up dev ipip60]\n\n+ returns => [0, 2]\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip60 | grep -q UP\n"}, {"resource": "File[/etc/ferm/conf.d/10_ip6ip6]", "content": "--- /etc/ferm/conf.d/10_ip6ip6.orig\n+++ /etc/ferm/conf.d/10_ip6ip6\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_ip6ip6: \n+\n+domain (ip6) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tsaddr 0100::/64 proto ipv6 ACCEPT;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_ip6ip6].orig\n+++ File[/etc/ferm/conf.d/10_ip6ip6]\n\n+ require => File[/etc/ferm/conf.d]\n+ owner => root\n+ notify => Service[ferm]\n+ ensure => present\n+ tag => ferm\n+ group => root\n+ mode => 0400\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ timer_intervals => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n+ accuracy => 15sec\n+ splay => 300\n+ fixed_random_delay => True\n+ ensure => absent\n+ unit_name => nrpe2nodexp-check_tcp-mss-clamper_status.service\n"}, {"resource": "File[/etc/conftool/json-schema/]", "parameters": "--- File[/etc/conftool/json-schema/].orig\n+++ File[/etc/conftool/json-schema/]\n\n+ path => /etc/conftool/json-schema\n+ owner => root\n+ recurse => True\n+ ensure => directory\n+ group => root\n+ source => puppet:///modules/profile/conftool/json-schema/\n+ mode => 0555\n"}, {"resource": "Systemd::Timer::Job[wmf_auto_restart_haproxy]", "parameters": "--- Systemd::Timer::Job[wmf_auto_restart_haproxy].orig\n+++ Systemd::Timer::Job[wmf_auto_restart_haproxy]\n\n+ private_tmp => False\n+ environment => {}\n+ syslog_force_stop => True\n+ ignore_errors => False\n+ fixed_random_delay => False\n+ success_exit_status => []\n+ send_mail_only_on_error => True\n+ monitoring_enabled => False\n+ syslog_match_startswith => True\n+ description => Auto restart job: haproxy\n+ logfile_basedir => /var/log\n+ require => File[/usr/local/sbin/wmf-auto-restart]\n+ logfile_perms => all\n+ command => /usr/local/sbin/wmf-auto-restart -s haproxy\n+ monitoring_contact_groups => admins\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_to => root@tcp-proxy5004.eqsin.wmnet\n+ logging_enabled => True\n+ logfile_name => syslog.log\n+ send_mail => False\n+ interval => {'start': 'OnCalendar', 'interval': 'Mon,Tue,Wed,Thu,Fri *-*-* 2:50:00'}\n+ ensure => present\n+ user => root\n+ logfile_group => root\n"}, {"resource": "Systemd::Unit[tcp-mss-clamper]", "parameters": "--- Systemd::Unit[tcp-mss-clamper].orig\n+++ Systemd::Unit[tcp-mss-clamper]\n\n+ override_filename => puppet-override.conf\n+ override => False\n+ require => ['Class[Systemd]']\n+ unit => tcp-mss-clamper\n+ ensure => absent\n+ restart => False\n"}, {"resource": "Class[Lvs::Realserver]", "parameters": "--- Class[Lvs::Realserver].orig\n+++ Class[Lvs::Realserver]\n\n+ realserver_ips => ['103.102.166.225', '2001:df2:e500:ed1a::2']\n"}, {"resource": "Ferm::Rule[clamp-mss-ipv6]", "parameters": "--- Ferm::Rule[clamp-mss-ipv6].orig\n+++ Ferm::Rule[clamp-mss-ipv6]\n\n+ desc => \n+ domain => (ip6)\n+ rule => outerface (ens13 lo) saddr @ipfilter((103.102.166.225 2001:df2:e500:ed1a::2])) proto tcp sport (29418) tcp-flags (SYN) SYN TCPMSS set-mss 1400;\n+ prio => 10\n+ ensure => present\n+ table => filter\n+ chain => OUTPUT\n"}, {"resource": "Ferm::Service[proxy_gerrit_ssh]", "parameters": "--- Ferm::Service[proxy_gerrit_ssh].orig\n+++ Ferm::Service[proxy_gerrit_ssh]\n\n+ desc => \n+ port => [29418]\n+ prio => 10\n+ notrack => False\n+ ensure => present\n+ proto => tcp\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"prometheus_lvs_realserver_mss\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/prometheus_lvs_realserver_mss/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]\n\n+ owner => root\n+ notify => Service[rsyslog]\n+ ensure => present\n+ group => root\n+ mode => 0444\n"}], "perc_changed": "14.09%"}, "core": {"total": 2583, "only_in_self": ["File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "Node[__node_regexp__tcp-proxy50034.eqsin.]"], "only_in_other": ["Augeas[ipip0_127.0.0.42/32]", "Augeas[ipip0_add_up]", "Augeas[ipip0_manual]", "Augeas[ipip0_set_up]", "Augeas[ipip60_add_up]", "Augeas[ipip60_manual]", "Augeas[ipip60_set_up]", "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "Exec[/usr/sbin/tc qdisc del dev ens13 clsact]", "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "Exec[disable-rp-filter-ens13]", "Exec[disable-rp-filter-ipip0]", "Exec[disable-rp-filter-ipip60]", "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "Exec[ip link add name ipip0 type ipip external]", "Exec[ip link add name ipip60 type ip6tnl external]", "Exec[ip link set up dev ipip0]", "Exec[ip link set up dev ipip60]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]", "File[/etc/conftool/config.yaml]", "File[/etc/conftool/json-schema/]", "File[/etc/conftool/local_services.yaml]", "File[/etc/conftool/schema.yaml]", "File[/etc/conftool]", "File[/etc/default/wikimedia-lvs-realserver]", "File[/etc/etcd/etcdrc]", "File[/etc/etcd]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "File[/etc/ferm/conf.d/10_ip6ip6]", "File[/etc/ferm/conf.d/10_ipip]", "File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]", "File[/etc/haproxy/haproxy.cfg]", "File[/etc/logrotate.d/prometheus_ferm_mss]", "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "File[/etc/logrotate.d/wmf_auto_restart_haproxy]", "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "File[/etc/poolcounter-backends.yaml]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]", "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "File[/etc/update-motd.d/05-tcpproxy]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "File[/lib/systemd/system/prometheus_ferm_mss.service]", "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "File[/lib/systemd/system/tcp-mss-clamper.service]", "File[/lib/systemd/system/wmf_auto_restart_haproxy.service]", "File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]", "File[/root/.etcdrc]", "File[/usr/local/bin/decommission]", "File[/usr/local/bin/depool-gerrit]", "File[/usr/local/bin/depool]", "File[/usr/local/bin/drain]", "File[/usr/local/bin/ispooled]", "File[/usr/local/bin/pool-gerrit]", "File[/usr/local/bin/pool]", "File[/usr/local/bin/pooler-loop]", "File[/usr/local/bin/prometheus-ferm-mss]", "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "File[/usr/local/bin/safe-service-restart]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/restart-gerrit]", "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "File[/var/log/prometheus_ferm_mss]", "File[/var/log/prometheus_lvs_realserver_mss]", "File[/var/log/wmf_auto_restart_haproxy]", "File_line[auto_restart_file_presence_haproxy]", "File_line[rm_post-up_ens13_clsact_ens13]", "File_line[rm_post-up_lo_clsact_lo]", "Node[__node_regexp__tcp-proxy1-7001-9.codfwdrmrseqiadeqsinesamsmagruulsfo.]", "Package[haproxy]", "Package[python3-conftool]", "Package[python3-poolcounter]", "Package[tcp-mss-clamper]", "Package[wikimedia-lvs-realserver]", "Service[haproxy]", "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Service[prometheus_ferm_mss.timer]", "Service[prometheus_lvs_realserver_mss.timer]", "Service[tcp-mss-clamper]", "Service[wmf_auto_restart_haproxy.timer]"], "resource_diffs": [{"resource": "File[/etc/sysctl.d/51-ubuntu-defaults.conf]", "content": "--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig\n+++ /etc/sysctl.d/51-ubuntu-defaults.conf\n@@ -4,7 +4,7 @@\n kernel.kptr_restrict = 1\n kernel.printk = 4 4 1 7\n kernel.yama.ptrace_scope = 1\n-net.ipv4.conf.all.rp_filter = 1\n-net.ipv4.conf.default.rp_filter = 1\n+net.ipv4.conf.all.rp_filter = 0\n+net.ipv4.conf.default.rp_filter = 0\n net.ipv4.tcp_syncookies = 1\n vm.mmap_min_addr = 65536"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,2 @@\n ---\n-role::insetup::infrastructure_foundations_ferm:\n-- Infrastructure Foundations\n+role::tcpproxy: []"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"unknown\",role=\"tcpproxy\",cluster=\"misc\"} 1.0"}], "perc_changed": "3.83%"}, "main": {"total": 2583, "only_in_self": ["Class[Role::Insetup::Infrastructure_foundations_ferm]", "File[/etc/update-motd.d/05-insetup--infrastructure-foundations-ferm]", "Motd::Message[insetup::infrastructure_foundations_ferm]", "Motd::Script[insetup::infrastructure_foundations_ferm]", "Node[__node_regexp__tcp-proxy50034.eqsin.]"], "only_in_other": ["Augeas[ipip0_127.0.0.42/32]", "Augeas[ipip0_add_up]", "Augeas[ipip0_manual]", "Augeas[ipip0_set_up]", "Augeas[ipip60_add_up]", "Augeas[ipip60_manual]", "Augeas[ipip60_set_up]", "Class[Conftool::Config]", "Class[Conftool::Scripts]", "Class[Etcd::Client::Globalconfig]", "Class[Lvs::Realserver]", "Class[Passwords::Etcd]", "Class[Poolcounter::Client::Python]", "Class[Poolcounter::Client]", "Class[Profile::Conftool::Client]", "Class[Profile::Lvs::Configuration]", "Class[Profile::Lvs::Realserver::Ipip]", "Class[Profile::Lvs::Realserver]", "Class[Profile::Tcpproxy]", "Class[Role::Tcpproxy]", "Class[Wmflib::Service::Catalog]", "Conftool::Scripts::Safe_service_restart[gerrit]", "Etcd::Client::Config[/etc/etcd/etcdrc]", "Etcd::Client::Config[/root/.etcdrc]", "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "Exec[/usr/sbin/tc qdisc del dev ens13 clsact]", "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "Exec[disable-rp-filter-ens13]", "Exec[disable-rp-filter-ipip0]", "Exec[disable-rp-filter-ipip60]", "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "Exec[ip link add name ipip0 type ipip external]", "Exec[ip link add name ipip60 type ip6tnl external]", "Exec[ip link set up dev ipip0]", "Exec[ip link set up dev ipip60]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.service (wmf_auto_restart_haproxy.service)]", "Exec[systemd daemon-reload for wmf_auto_restart_haproxy.timer (wmf_auto_restart_haproxy.timer)]", "Ferm::Rule[clamp-mss-ipv4]", "Ferm::Rule[clamp-mss-ipv6]", "Ferm::Rule[ip6ip6]", "Ferm::Rule[ipip]", "Ferm::Service[proxy_gerrit_ssh]", "File[/etc/conftool/config.yaml]", "File[/etc/conftool/json-schema/]", "File[/etc/conftool/local_services.yaml]", "File[/etc/conftool/schema.yaml]", "File[/etc/conftool]", "File[/etc/default/wikimedia-lvs-realserver]", "File[/etc/etcd/etcdrc]", "File[/etc/etcd]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "File[/etc/ferm/conf.d/10_ip6ip6]", "File[/etc/ferm/conf.d/10_ipip]", "File[/etc/ferm/conf.d/10_proxy_gerrit_ssh]", "File[/etc/haproxy/haproxy.cfg]", "File[/etc/logrotate.d/prometheus_ferm_mss]", "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "File[/etc/logrotate.d/wmf_auto_restart_haproxy]", "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "File[/etc/poolcounter-backends.yaml]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "File[/etc/rsyslog.d/40-wmf-auto-restart-haproxy.conf]", "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "File[/etc/update-motd.d/05-tcpproxy]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "File[/lib/systemd/system/prometheus_ferm_mss.service]", "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "File[/lib/systemd/system/tcp-mss-clamper.service]", "File[/lib/systemd/system/wmf_auto_restart_haproxy.service]", "File[/lib/systemd/system/wmf_auto_restart_haproxy.timer]", "File[/root/.etcdrc]", "File[/usr/local/bin/decommission]", "File[/usr/local/bin/depool-gerrit]", "File[/usr/local/bin/depool]", "File[/usr/local/bin/drain]", "File[/usr/local/bin/ispooled]", "File[/usr/local/bin/pool-gerrit]", "File[/usr/local/bin/pool]", "File[/usr/local/bin/pooler-loop]", "File[/usr/local/bin/prometheus-ferm-mss]", "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "File[/usr/local/bin/safe-service-restart]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/restart-gerrit]", "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "File[/var/log/prometheus_ferm_mss]", "File[/var/log/prometheus_lvs_realserver_mss]", "File[/var/log/wmf_auto_restart_haproxy]", "File_line[auto_restart_file_presence_haproxy]", "File_line[rm_post-up_ens13_clsact_ens13]", "File_line[rm_post-up_lo_clsact_lo]", "Firewall::Service[proxy-gerrit-ssh]", "Interface::Clsact[clsact_ens13]", "Interface::Clsact[clsact_lo]", "Interface::Ip[ipip_ipv4 ipv4]", "Interface::Ipip[ipip_ipv4]", "Interface::Ipip[ipip_ipv6]", "Interface::Manual[ipip_ipv4]", "Interface::Manual[ipip_ipv6]", "Interface::Post_up_command[clsact_ens13]", "Interface::Post_up_command[clsact_lo]", "Logrotate::Conf[prometheus_ferm_mss]", "Logrotate::Conf[prometheus_lvs_realserver_mss]", "Logrotate::Conf[wmf_auto_restart_haproxy]", "Monitoring::Exported_nagios_service[tcp-proxy5004 check_tcp-mss-clamper_status]", "Monitoring::Service[check_tcp-mss-clamper_status]", "Motd::Message[tcpproxy]", "Motd::Script[tcpproxy]", "Node[__node_regexp__tcp-proxy1-7001-9.codfwdrmrseqiadeqsinesamsmagruulsfo.]", "Nrpe::Check[check_check_tcp-mss-clamper_status]", "Nrpe::Monitor_service[check_tcp-mss-clamper_status]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[haproxy]", "Package[python3-conftool]", "Package[python3-poolcounter]", "Package[tcp-mss-clamper]", "Package[wikimedia-lvs-realserver]", "Profile::Auto_restarts::Service[haproxy]", "Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]", "Prometheus::Node_ferm_mss[ferm_clamped_ipport]", "Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]", "Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]", "Rsyslog::Conf[prometheus_ferm_mss]", "Rsyslog::Conf[prometheus_lvs_realserver_mss]", "Rsyslog::Conf[wmf_auto_restart_haproxy]", "Service[haproxy]", "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Service[prometheus_ferm_mss.timer]", "Service[prometheus_lvs_realserver_mss.timer]", "Service[tcp-mss-clamper]", "Service[wmf_auto_restart_haproxy.timer]", "Sudo::User[nrpe-check_check_tcp-mss-clamper_status]", "Systemd::Monitor[tcp-mss-clamper]", "Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Service[prometheus_ferm_mss]", "Systemd::Service[prometheus_lvs_realserver_mss]", "Systemd::Service[tcp-mss-clamper]", "Systemd::Service[wmf_auto_restart_haproxy]", "Systemd::Syslog[prometheus_ferm_mss]", "Systemd::Syslog[prometheus_lvs_realserver_mss]", "Systemd::Syslog[wmf_auto_restart_haproxy]", "Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer::Job[prometheus_ferm_mss]", "Systemd::Timer::Job[prometheus_lvs_realserver_mss]", "Systemd::Timer::Job[wmf_auto_restart_haproxy]", "Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer[prometheus_ferm_mss]", "Systemd::Timer[prometheus_lvs_realserver_mss]", "Systemd::Timer[wmf_auto_restart_haproxy]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Systemd::Unit[prometheus_ferm_mss.service]", "Systemd::Unit[prometheus_ferm_mss.timer]", "Systemd::Unit[prometheus_lvs_realserver_mss.service]", "Systemd::Unit[prometheus_lvs_realserver_mss.timer]", "Systemd::Unit[tcp-mss-clamper]", "Systemd::Unit[wmf_auto_restart_haproxy.service]", "Systemd::Unit[wmf_auto_restart_haproxy.timer]"], "resource_diffs": [{"resource": "Monitoring::Exported_nagios_host[tcp-proxy5004]", "parameters": "--- Monitoring::Exported_nagios_host[tcp-proxy5004].orig\n+++ Monitoring::Exported_nagios_host[tcp-proxy5004]\n\n@@\n- hostgroups => insetup_eqsin\n+ hostgroups => misc_eqsin\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "File[/etc/sysctl.d/51-ubuntu-defaults.conf]", "content": "--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig\n+++ /etc/sysctl.d/51-ubuntu-defaults.conf\n@@ -4,7 +4,7 @@\n kernel.kptr_restrict = 1\n kernel.printk = 4 4 1 7\n kernel.yama.ptrace_scope = 1\n-net.ipv4.conf.all.rp_filter = 1\n-net.ipv4.conf.default.rp_filter = 1\n+net.ipv4.conf.all.rp_filter = 0\n+net.ipv4.conf.default.rp_filter = 0\n net.ipv4.tcp_syncookies = 1\n vm.mmap_min_addr = 65536"}, {"resource": "Sysctl::Conffile[ubuntu defaults]"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n- cluster => insetup\n+ cluster => misc\n@@\n- rp_filter => True\n+ rp_filter => False\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,2 @@\n ---\n-role::insetup::infrastructure_foundations_ferm:\n-- Infrastructure Foundations\n+role::tcpproxy: []"}, {"resource": "Class[Base::Sysctl]", "parameters": "--- Class[Base::Sysctl].orig\n+++ Class[Base::Sysctl]\n\n@@\n- default_rp_filter => 1\n+ default_rp_filter => 0\n@@\n- all_rp_filter => 1\n+ all_rp_filter => 0\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n- role_contacts => ['Infrastructure Foundations']\n+ role_contacts => []\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- nagios_group => insetup_eqsin\n+ nagios_group => misc_eqsin\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 disk_space]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- servicegroups => insetup_eqsin\n+ servicegroups => misc_eqsin\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[haproxy]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- nagios_group => insetup_eqsin\n+ nagios_group => misc_eqsin\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 ferm_active]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- servicegroups => insetup_eqsin\n+ servicegroups => misc_eqsin\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n- role_description => Host being setup by Infrastructure Foundations SREs with ferm\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"infrastructure-foundations\",role=\"insetup::infrastructure_foundations_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"unknown\",role=\"tcpproxy\",cluster=\"misc\"} 1.0"}, {"resource": "Monitoring::Exported_nagios_service[tcp-proxy5004 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[tcp-proxy5004 ssh].orig\n+++ Monitoring::Exported_nagios_service[tcp-proxy5004 ssh]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- servicegroups => insetup_eqsin\n+ servicegroups => misc_eqsin\n"}, {"resource": "Sysctl::Parameters[ubuntu defaults]", "parameters": "--- Sysctl::Parameters[ubuntu defaults].orig\n+++ Sysctl::Parameters[ubuntu defaults]\n\n@@\n- values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 1, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n+ values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 0, 'net.ipv4.conf.all.rp_filter': 0, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n- cluster => insetup\n+ cluster => misc\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[haproxy]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n- cluster => insetup\n+ cluster => misc\n"}], "perc_changed": "7.59%"}}}