{"host": "dse-k8s-wdqs-test2001.codfw.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2845, "only_in_self": ["Class[Role::Insetup::Data_platform_ferm]", "File[/etc/update-motd.d/05-insetup--data-platform-ferm]", "Motd::Message[insetup::data_platform_ferm]", "Motd::Script[insetup::data_platform_ferm]"], "only_in_other": ["Apt::Package_from_bpo[linux-6.12-bookworm]", "Apt::Package_from_component[calico329]", "Apt::Package_from_component[istio115]", "Apt::Package_from_component[kubernetes131]", "Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]", "Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Augeas[ipip0_127.0.0.42/32]", "Augeas[ipip0_add_up]", "Augeas[ipip0_manual]", "Augeas[ipip0_set_up]", "Augeas[ipip60_add_up]", "Augeas[ipip60_manual]", "Augeas[ipip60_set_up]", "Cfssl::Cert[dse__calico-cni]", "Cfssl::Cert[dse__calicoctl]", "Cfssl::Cert[dse__istio-cni]", "Cfssl::Cert[dse__kubelet_server]", "Cfssl::Cert[dse__rsyslog]", "Cfssl::Cert[dse__system_kube-proxy]", "Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "Class[Apparmor]", "Class[Base::Sysctl::Inotify]", "Class[Calico]", "Class[Containerd::Configuration]", "Class[Containerd::Nerdctl]", "Class[Containerd]", "Class[Cpufrequtils]", "Class[Geoip::Bin]", "Class[Geoip::Data::Puppet]", "Class[Geoip]", "Class[K8s::Base_dirs]", "Class[K8s::Clusters]", "Class[K8s::Kubelet::Cni::Base]", "Class[K8s::Kubelet]", "Class[K8s::Proxy]", "Class[Lvm]", "Class[Lvs::Realserver]", "Class[Profile::Amd_gpu]", "Class[Profile::Analytics::Geoip]", "Class[Profile::Calico::Kubernetes]", "Class[Profile::Containerd]", "Class[Profile::Kubernetes::Container_runtime]", "Class[Profile::Kubernetes::Node::Dse_k8s::Wdqs]", "Class[Profile::Kubernetes::Node::Dse_k8s]", "Class[Profile::Kubernetes::Node]", "Class[Profile::Lvs::Configuration]", "Class[Profile::Lvs::Realserver::Ipip]", "Class[Profile::Lvs::Realserver]", "Class[Profile::Rsyslog::Kubernetes]", "Class[Profile::Rsyslog::Shellbox]", "Class[Role::Dse_k8s::Worker::Wdqs]", "Class[Role::Dse_k8s::Worker]", "Class[Toil::Rsyslog_imfile_remedy]", "Class[Wmflib::Service::Catalog]", "Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[/sbin/modprobe overlay]", "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]", "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "Exec[Generate cert dse__calico-cni refresh on intermediate ca change]", "Exec[Generate cert dse__calico-cni refresh]", "Exec[Generate cert dse__calico-cni]", "Exec[Generate cert dse__calicoctl refresh on intermediate ca change]", "Exec[Generate cert dse__calicoctl refresh]", "Exec[Generate cert dse__calicoctl]", "Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]", "Exec[Generate cert dse__kubelet_server refresh]", "Exec[Generate cert dse__kubelet_server]", "Exec[Generate cert dse__rsyslog refresh on intermediate ca change]", "Exec[Generate cert dse__rsyslog refresh]", "Exec[Generate cert dse__rsyslog]", "Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]", "Exec[Generate cert dse__system_kube-proxy refresh]", "Exec[Generate cert dse__system_kube-proxy]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Exec[apt_package_from_component_calico329]", "Exec[apt_package_from_component_istio115]", "Exec[apt_package_from_component_kubernetes131]", "Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]", "Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[cpufrequtils_reload]", "Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "Exec[disable-rp-filter-ens2f0np0]", "Exec[disable-rp-filter-ipip0]", "Exec[disable-rp-filter-ipip60]", "Exec[ensure mountpoint '/srv' exists]", "Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]", "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "Exec[ip link add name ipip0 type ipip external]", "Exec[ip link add name ipip60 type ip6tnl external]", "Exec[ip link set up dev ipip0]", "Exec[ip link set up dev ipip60]", "Exec[renew certificate - dse__calico-cni]", "Exec[renew certificate - dse__calicoctl]", "Exec[renew certificate - dse__kubelet_server]", "Exec[renew certificate - dse__rsyslog]", "Exec[renew certificate - dse__system_kube-proxy]", "Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Exec[rmmod-r440_wdat_wdt]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]", "Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]", "Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]", "Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]", "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]", "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]", "Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]", "Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]", "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "Ferm::Rule[clamp-mss-ipv4]", "Ferm::Rule[clamp-mss-ipv6]", "Ferm::Rule[ip6ip6]", "Ferm::Rule[ipip]", "Ferm::Service[calico-bird]", "Ferm::Service[calico_typha]", "Ferm::Service[kubelet-http]", "File[/etc/apparmor.d/abstractions]", "File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]", "File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/calico/calicoctl-kubeconfig]", "File[/etc/calico/calicoctl.cfg]", "File[/etc/calico/pki]", "File[/etc/calico]", "File[/etc/cfssl/csr/dse__calico-cni.csr]", "File[/etc/cfssl/csr/dse__calicoctl.csr]", "File[/etc/cfssl/csr/dse__istio-cni.csr]", "File[/etc/cfssl/csr/dse__kubelet_server.csr]", "File[/etc/cfssl/csr/dse__rsyslog.csr]", "File[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]", "File[/etc/cfssl/ssl/dse__rsyslog]", "File[/etc/cni/net.d/10-calico.conflist]", "File[/etc/cni/net.d/calico-kubeconfig]", "File[/etc/cni/net.d/istio-kubeconfig]", "File[/etc/cni/net.d]", "File[/etc/cni]", "File[/etc/containerd/config.toml]", "File[/etc/containerd]", "File[/etc/default/cpufrequtils]", "File[/etc/default/kube-proxy]", "File[/etc/default/kubelet]", "File[/etc/default/wikimedia-lvs-realserver]", "File[/etc/ferm/conf.d/10_calico-bird]", "File[/etc/ferm/conf.d/10_calico_typha]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "File[/etc/ferm/conf.d/10_ip6ip6]", "File[/etc/ferm/conf.d/10_ipip]", "File[/etc/ferm/conf.d/10_kubelet-http]", "File[/etc/kubernetes/kube-proxy-config.yaml]", "File[/etc/kubernetes/kubelet-config.yaml]", "File[/etc/kubernetes/kubelet.conf]", "File[/etc/kubernetes/pki/dse__calico-cni-key.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.csr]", "File[/etc/kubernetes/pki/dse__calico-cni.pem]", "File[/etc/kubernetes/pki/dse__calicoctl-key.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.csr]", "File[/etc/kubernetes/pki/dse__calicoctl.pem]", "File[/etc/kubernetes/pki/dse__istio-cni-key.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.csr]", "File[/etc/kubernetes/pki/dse__istio-cni.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.csr]", "File[/etc/kubernetes/pki/dse__kubelet_server.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem]", "File[/etc/kubernetes/pki]", "File[/etc/kubernetes/proxy.conf]", "File[/etc/kubernetes]", "File[/etc/logrotate.d/prometheus_ferm_mss]", "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]", "File[/etc/logrotate.d/set-rbd-readahead]", "File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]", "File[/etc/modules-load.d/overlay.conf]", "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "File[/etc/nerdctl/nerdctl.toml]", "File[/etc/nerdctl]", "File[/etc/rsyslog.d/00-imfile.conf]", "File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]", "File[/etc/rsyslog.d/09-kubernetes.conf]", "File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]", "File[/etc/rsyslog.d/20-shellbox.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "File[/etc/rsyslog.d/35-output-kafka-k8s.conf]", "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]", "File[/etc/rsyslog.d/40-set-rbd-readahead.conf]", "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "File[/etc/sysctl.d/70-increase_inotify_limits.conf]", "File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]", "File[/etc/sysctl.d/70-opensearch.conf]", "File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]", "File[/etc/sysctl.d/75-kube_proxy_icmp.conf]", "File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]", "File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/kube-proxy.service.d]", "File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]", "File[/etc/systemd/system/kubelet.service.d]", "File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]", "File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "File[/lib/systemd/system/prometheus_ferm_mss.service]", "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "File[/lib/systemd/system/rsyslog-imfile-remedy.service]", "File[/lib/systemd/system/rsyslog-imfile-remedy.timer]", "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]", "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]", "File[/lib/systemd/system/set-rbd-readahead.service]", "File[/lib/systemd/system/set-rbd-readahead.timer]", "File[/lib/systemd/system/tcp-mss-clamper.service]", "File[/srv/spark]", "File[/usr/local/bin/prometheus-ferm-mss]", "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]", "File[/usr/local/sbin/set-rbd-readahead.py]", "File[/usr/share/GeoIP]", "File[/var/lib/kubelet]", "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "File[/var/log/prometheus_ferm_mss]", "File[/var/log/prometheus_lvs_realserver_mss]", "File[/var/log/rsyslog-release-deleted-inotify-watches]", "File[/var/log/set-rbd-readahead]", "File[/var/run/kubernetes]", "File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]", "File_line[rm_post-up_lo_clsact_lo]", "Filesystem[/dev/vg_raid0/srv]", "Firewall::Service[calico-typha]", "Group[kube]", "Interface::Clsact[clsact_ens2f0np0]", "Interface::Clsact[clsact_lo]", "Interface::Ip[ipip_ipv4 ipv4]", "Interface::Ipip[ipip_ipv4]", "Interface::Ipip[ipip_ipv6]", "Interface::Manual[ipip_ipv4]", "Interface::Manual[ipip_ipv6]", "Interface::Post_up_command[clsact_ens2f0np0]", "Interface::Post_up_command[clsact_lo]", "K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]", "K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]", "K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]", "K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]", "K8s::Kubeconfig[/etc/kubernetes/proxy.conf]", "K8s::Kubelet::Cni[calico]", "K8s::Package[kubelet]", "K8s::Package[proxy]", "Kmod::Blacklist[r440_wdat_wdt]", "Kmod::Module[overlay]", "Logical_volume[srv]", "Logrotate::Conf[prometheus_ferm_mss]", "Logrotate::Conf[prometheus_lvs_realserver_mss]", "Logrotate::Conf[rsyslog-release-deleted-inotify-watches]", "Logrotate::Conf[set-rbd-readahead]", "Lvm::Logical_volume[srv]", "Lvm::Physical_volume[/dev/md1]", "Lvm::Volume_group[vg_raid0]", "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 check_tcp-mss-clamper_status]", "Monitoring::Service[check_tcp-mss-clamper_status]", "Motd::Message[dse_k8s::worker::wdqs]", "Motd::Script[dse_k8s::worker::wdqs]", "Mount[/srv]", "Nrpe::Check[check_check_tcp-mss-clamper_status]", "Nrpe::Monitor_service[check_tcp-mss-clamper_status]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[apparmor]", "Package[calico-cni]", "Package[calicoctl]", "Package[containerd]", "Package[cpufrequtils]", "Package[crictl]", "Package[geoip-bin]", "Package[istio-cni]", "Package[kubernetes-node]", "Package[linux-base]", "Package[linux-image-6.12.88+deb12-amd64]", "Package[mmdb-bin]", "Package[nerdctl]", "Package[rsyslog-kubernetes]", "Package[socat]", "Package[tcp-mss-clamper]", "Package[wikimedia-lvs-realserver]", "Physical_volume[/dev/md1]", "Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]", "Prometheus::Node_ferm_mss[ferm_clamped_ipport]", "Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]", "Rsyslog::Conf[imfile]", "Rsyslog::Conf[input-file-kubernetes-json]", "Rsyslog::Conf[kubernetes-node-filters]", "Rsyslog::Conf[kubernetes]", "Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]", "Rsyslog::Conf[output_kafka_k8s]", "Rsyslog::Conf[prometheus_ferm_mss]", "Rsyslog::Conf[prometheus_lvs_realserver_mss]", "Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]", "Rsyslog::Conf[set-rbd-readahead]", "Rsyslog::Conf[shellbox]", "Rsyslog::Input::File[kubernetes-json]", "Service[apparmor]", "Service[containerd]", "Service[cpufrequtils]", "Service[kube-proxy]", "Service[kubelet]", "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Service[prometheus_ferm_mss.timer]", "Service[prometheus_lvs_realserver_mss.timer]", "Service[rsyslog-imfile-remedy.timer]", "Service[rsyslog-release-deleted-inotify-watches.timer]", "Service[set-rbd-readahead.timer]", "Service[tcp-mss-clamper]", "Sudo::User[nrpe-check_check_tcp-mss-clamper_status]", "Sysctl::Conffile[increase_inotify_limits]", "Sysctl::Conffile[ipv6-fowarding-accept-ra]", "Sysctl::Conffile[kube_proxy_conntrack]", "Sysctl::Conffile[kube_proxy_icmp]", "Sysctl::Conffile[opensearch]", "Sysctl::Parameters[increase_inotify_limits]", "Sysctl::Parameters[ipv6-fowarding-accept-ra]", "Sysctl::Parameters[kube_proxy_conntrack]", "Sysctl::Parameters[kube_proxy_icmp]", "Sysctl::Parameters[opensearch]", "Systemd::Monitor[tcp-mss-clamper]", "Systemd::Override[container-runtime]", "Systemd::Override[ferm-service-auto-restart]", "Systemd::Service[kube-proxy]", "Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Service[prometheus_ferm_mss]", "Systemd::Service[prometheus_lvs_realserver_mss]", "Systemd::Service[rsyslog-imfile-remedy]", "Systemd::Service[rsyslog-release-deleted-inotify-watches]", "Systemd::Service[set-rbd-readahead]", "Systemd::Service[tcp-mss-clamper]", "Systemd::Syslog[prometheus_ferm_mss]", "Systemd::Syslog[prometheus_lvs_realserver_mss]", "Systemd::Syslog[rsyslog-release-deleted-inotify-watches]", "Systemd::Syslog[set-rbd-readahead]", "Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer::Job[prometheus_ferm_mss]", "Systemd::Timer::Job[prometheus_lvs_realserver_mss]", "Systemd::Timer::Job[rsyslog-imfile-remedy]", "Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]", "Systemd::Timer::Job[set-rbd-readahead]", "Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer[prometheus_ferm_mss]", "Systemd::Timer[prometheus_lvs_realserver_mss]", "Systemd::Timer[rsyslog-imfile-remedy]", "Systemd::Timer[rsyslog-release-deleted-inotify-watches]", "Systemd::Timer[set-rbd-readahead]", "Systemd::Unit[ferm-ferm-service-auto-restart]", "Systemd::Unit[kube-proxy]", "Systemd::Unit[kubelet-container-runtime]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Systemd::Unit[prometheus_ferm_mss.service]", "Systemd::Unit[prometheus_ferm_mss.timer]", "Systemd::Unit[prometheus_lvs_realserver_mss.service]", "Systemd::Unit[prometheus_lvs_realserver_mss.timer]", "Systemd::Unit[rsyslog-imfile-remedy.service]", "Systemd::Unit[rsyslog-imfile-remedy.timer]", "Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]", "Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]", "Systemd::Unit[set-rbd-readahead.service]", "Systemd::Unit[set-rbd-readahead.timer]", "Systemd::Unit[tcp-mss-clamper]", "Udev::Rule[kube_proxy_conntrack]", "User[kube]", "Volume_group[vg_raid0]"], "resource_diffs": [{"resource": "Rsyslog::Conf[kubernetes-node-filters]", "parameters": "--- Rsyslog::Conf[kubernetes-node-filters].orig\n+++ Rsyslog::Conf[kubernetes-node-filters]\n\n+ mode => 0444\n+ source => puppet:///modules/profile/kubernetes/node/kubernetes-node-filters.rsyslog.conf\n+ ensure => present\n+ priority => 10\n"}, {"resource": "Rsyslog::Conf[output_kafka_k8s]", "parameters": "--- Rsyslog::Conf[output_kafka_k8s].orig\n+++ Rsyslog::Conf[output_kafka_k8s]\n\n+ mode => 0444\n+ ensure => present\n+ priority => 35\n"}, {"resource": "File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem].orig\n+++ File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]\n\n+ ensure => file\n+ group => root\n+ require => Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]\n+ owner => kube\n"}, {"resource": "Rsyslog::Conf[input-file-kubernetes-json]", "parameters": "--- Rsyslog::Conf[input-file-kubernetes-json].orig\n+++ Rsyslog::Conf[input-file-kubernetes-json]\n\n+ mode => 0444\n+ ensure => present\n+ require => Rsyslog::Conf[imfile]\n+ priority => 8\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => kube\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => file\n"}, {"resource": "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "content": "--- component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.orig\n+++ component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia\n@@ -0,0 +1,5 @@\n+Types: deb deb-src\n+URIs: http://apt.wikimedia.org/wikimedia\n+Suites: bookworm-wikimedia\n+Components: component/istio115\n+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg", "parameters": "--- Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ tag => _etc_apt_sources.list.d_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ order => 10\n+ target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "File[/etc/kubernetes/kube-proxy-config.yaml]", "content": "--- /etc/kubernetes/kube-proxy-config.yaml.orig\n+++ /etc/kubernetes/kube-proxy-config.yaml\n@@ -0,0 +1,12 @@\n+---\n+apiVersion: kubeproxy.config.k8s.io/v1alpha1\n+kind: KubeProxyConfiguration\n+hostnameOverride: dse-k8s-wdqs-test2001.codfw.wmnet\n+clientConnection:\n+ kubeconfig: \"/etc/kubernetes/proxy.conf\"\n+clusterCIDR: 10.192.96.0/21\n+mode: iptables\n+metricsBindAddress: 0.0.0.0\n+nodePortAddresses:\n+- 0.0.0.0/0\n+- \"::/0\"", "parameters": "--- File[/etc/kubernetes/kube-proxy-config.yaml].orig\n+++ File[/etc/kubernetes/kube-proxy-config.yaml]\n\n+ mode => 0400\n+ notify => Service[kube-proxy]\n+ group => kube\n+ require => K8s::Package[proxy]\n+ owner => kube\n+ ensure => file\n"}, {"resource": "Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]", "parameters": "--- Rsyslog::Conf[rsyslog-release-deleted-inotify-watches].orig\n+++ Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]\n\n+ mode => 0444\n+ ensure => absent\n+ require => File[/var/log/rsyslog-release-deleted-inotify-watches]\n+ priority => 40\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr].orig\n+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => kube\n"}, {"resource": "Exec[apt_package_from_component_istio115]", "parameters": "--- Exec[apt_package_from_component_istio115].orig\n+++ Exec[apt_package_from_component_istio115]\n\n+ before => ['Package[istio-cni]']\n+ command => /usr/bin/apt-get update\n+ subscribe => Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n+ refreshonly => True\n"}, {"resource": "K8s::Package[proxy]", "parameters": "--- K8s::Package[proxy].orig\n+++ K8s::Package[proxy]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ version => 1.31\n+ require => ['Class[K8s::Base_dirs]']\n+ distro => bookworm-wikimedia\n+ ensure_packages => True\n+ package => node\n+ priority => 1001\n"}, {"resource": "Motd::Message[insetup::data_platform_ferm]", "parameters": "--- Motd::Message[insetup::data_platform_ferm].orig\n+++ Motd::Message[insetup::data_platform_ferm]\n\n- message => dse-k8s-wdqs-test2001 is a Host being setup by Data Platform SREs (insetup::data_platform_ferm)\n- ensure => present\n- priority => 5\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig\n+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => nrpe2nodexp-check_tcp-mss-clamper_status.timer\n"}, {"resource": "Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ trust_repo => False\n+ allow_releaseinfo_change => False\n+ keyfile => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg\n+ bin => True\n+ ensure => present\n+ source => True\n+ dist => bookworm-wikimedia\n+ components => component/calico329\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calico-cni.csr]", "parameters": "--- File[/etc/kubernetes/pki/dse__calico-cni.csr].orig\n+++ File[/etc/kubernetes/pki/dse__calico-cni.csr]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/default/kubelet]", "content": "--- /etc/default/kubelet.orig\n+++ /etc/default/kubelet\n@@ -0,0 +1,11 @@\n+###\n+# kubernetes kubelet (minion) config\n+\n+DAEMON_ARGS=\"--config=/etc/kubernetes/kubelet-config.yaml \\\n+ --hostname-override=dse-k8s-wdqs-test2001.codfw.wmnet \\\n+ --kubeconfig=/etc/kubernetes/kubelet.conf \\\n+ --node-ip=10.192.9.26 \\\n+ --node-labels=dedicated=wdqs,node.kubernetes.io/disk-type=ssd,topology.kubernetes.io/region=codfw,topology.kubernetes.io/zone=row-a7 \\\n+ --register-schedulable=false \\\n+ --system-reserved=cpu=2.6,memory=9.17Gi \\\n+ --v=0\"", "parameters": "--- File[/etc/default/kubelet].orig\n+++ File[/etc/default/kubelet]\n\n+ mode => 0644\n+ notify => Service[kubelet]\n+ group => root\n+ owner => root\n+ ensure => file\n"}, {"resource": "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]", "parameters": "--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr].orig\n+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/kubernetes]", "parameters": "--- File[/etc/kubernetes].orig\n+++ File[/etc/kubernetes]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Systemd::Syslog[prometheus_ferm_mss]", "parameters": "--- Systemd::Syslog[prometheus_ferm_mss].orig\n+++ Systemd::Syslog[prometheus_ferm_mss]\n\n+ group => root\n+ force_stop => True\n+ log_filename => syslog.log\n+ owner => root\n+ ensure => absent\n+ base_dir => /var/log\n+ readable_by => all\n+ programname_comparison => startswith\n"}, {"resource": "Exec[renew certificate - dse__kubelet_server]", "parameters": "--- Exec[renew certificate - dse__kubelet_server].orig\n+++ Exec[renew certificate - dse__kubelet_server]\n\n+ unless => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__kubelet_server.pem -checkend 952200\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ require => Exec[Generate cert dse__kubelet_server]\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse -profile server /etc/kubernetes/pki/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server\n\n"}, {"resource": "Service[rsyslog-release-deleted-inotify-watches.timer]", "parameters": "--- Service[rsyslog-release-deleted-inotify-watches.timer].orig\n+++ Service[rsyslog-release-deleted-inotify-watches.timer]\n\n+ before => ['Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]']\n+ ensure => stopped\n+ enable => False\n+ provider => systemd\n"}, {"resource": "File[/etc/cni]", "parameters": "--- File[/etc/cni].orig\n+++ File[/etc/cni]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Sysctl::Conffile[opensearch]", "parameters": "--- Sysctl::Conffile[opensearch].orig\n+++ Sysctl::Conffile[opensearch]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ priority => 70\n"}, {"resource": "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "content": "--- component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.orig\n+++ component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia\n@@ -0,0 +1,5 @@\n+Types: deb deb-src\n+URIs: http://apt.wikimedia.org/wikimedia\n+Suites: bookworm-wikimedia\n+Components: component/kubernetes131\n+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg", "parameters": "--- Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ tag => _etc_apt_sources.list.d_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ order => 10\n+ target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calicoctl.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calicoctl.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calicoctl.pem]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calico-cni-key.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calico-cni-key.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calico-cni-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => root\n+ backup => False\n+ ensure => file\n"}, {"resource": "Service[tcp-mss-clamper]", "parameters": "--- Service[tcp-mss-clamper].orig\n+++ Service[tcp-mss-clamper]\n\n+ before => ['Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]']\n+ ensure => stopped\n+ enable => False\n"}, {"resource": "File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]", "content": "--- /etc/systemd/system/kube-proxy.service.d/puppet-override.conf.orig\n+++ /etc/systemd/system/kube-proxy.service.d/puppet-override.conf\n@@ -0,0 +1,2 @@\n+[Unit]\n+After = ferm.service", "parameters": "--- File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf].orig\n+++ File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Sudo::User[nrpe-check_check_tcp-mss-clamper_status]", "parameters": "--- Sudo::User[nrpe-check_check_tcp-mss-clamper_status].orig\n+++ Sudo::User[nrpe-check_check_tcp-mss-clamper_status]\n\n+ require => ['Class[Sudo]']\n+ privileges => []\n+ user => nagios\n+ ensure => absent\n+ tag => nrpe::check\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_kube-proxy.csr].orig\n+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => kube\n"}, {"resource": "Ferm::Service[kubelet-http]", "parameters": "--- Ferm::Service[kubelet-http].orig\n+++ Ferm::Service[kubelet-http]\n\n+ ensure => present\n+ srange => (@resolve((dse-k8s-ctrl2001.codfw.wmnet dse-k8s-ctrl2002.codfw.wmnet)) @resolve((dse-k8s-ctrl2001.codfw.wmnet dse-k8s-ctrl2002.codfw.wmnet), AAAA))\n+ notrack => False\n+ prio => 10\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ port => 10250\n"}, {"resource": "File[/etc/ferm/conf.d/10_ip6ip6]", "content": "--- /etc/ferm/conf.d/10_ip6ip6.orig\n+++ /etc/ferm/conf.d/10_ip6ip6\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_ip6ip6: \n+\n+domain (ip6) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tsaddr 0100::/64 proto ipv6 ACCEPT;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_ip6ip6].orig\n+++ File[/etc/ferm/conf.d/10_ip6ip6]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => present\n+ tag => ferm\n"}, {"resource": "File[/etc/rsyslog.d/35-output-kafka-k8s.conf]", "content": "--- /etc/rsyslog.d/35-output-kafka-k8s.conf.orig\n+++ /etc/rsyslog.d/35-output-kafka-k8s.conf\n@@ -0,0 +1,24 @@\n+\n+\n+if ( $.log_outputs contains \"k8s\" ) then {\n+ action(type=\"mmjsonparse\" name=\"mmjsonparse_kafka_k8s\")\n+\n+ action(type=\"omkafka\"\n+ name=\"omkafka_k8s\"\n+ broker=[\"kafka-logging1001.eqiad.wmnet:9093\",\"kafka-logging1002.eqiad.wmnet:9093\",\"kafka-logging1003.eqiad.wmnet:9093\",\"kafka-logging1004.eqiad.wmnet:9093\",\"kafka-logging1005.eqiad.wmnet:9093\"]\n+ topic=\"k8s-dse-k8s-codfw\"\n+ partitions.auto=\"on\"\n+ template=\"syslog_cee\"\n+ queue.type=\"LinkedList\" queue.size=\"10000\" queue.filename=\"output_kafka_k8s\"\n+ queue.highWatermark=\"7000\" queue.lowWatermark=\"6000\"\n+ queue.checkpointInterval=\"5\"\n+ queue.maxDiskSpace=\"40960000\"\n+ confParam=[ \"security.protocol=ssl\",\n+ \"ssl.ca.location=/etc/ssl/certs/wmf-ca-certificates.crt\",\n+ \"compression.codec=snappy\",\n+ \"socket.timeout.ms=10000\",\n+ \"socket.keepalive.enable=true\",\n+ \"queue.buffering.max.ms=50\",\n+ \"batch.num.messages=1000\" ]\n+ )\n+}", "parameters": "--- File[/etc/rsyslog.d/35-output-kafka-k8s.conf].orig\n+++ File[/etc/rsyslog.d/35-output-kafka-k8s.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Package[calico-cni]", "parameters": "--- Package[calico-cni].orig\n+++ Package[calico-cni]\n\n+ ensure => >=3.29 <3.30\n+ provider => apt\n"}, {"resource": "File[/etc/rsyslog.d/09-kubernetes.conf]", "content": "--- /etc/rsyslog.d/09-kubernetes.conf.orig\n+++ /etc/rsyslog.d/09-kubernetes.conf\n@@ -0,0 +1,9 @@\n+module(load=\"mmkubernetes\"\n+ KubernetesURL=\"https://dse-k8s-ctrl.svc.codfw.wmnet:6443\"\n+ tls.mycert=\"/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem\"\n+ tls.myprivkey=\"/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem\")\n+action(type=\"mmkubernetes\"\n+ name=\"mmkubernetes\"\n+ action.resumeRetryCount=\"-1\"\n+ action.resumeIntervalMax=\"300\"\n+ action.reportSuspensionContinuation=\"on\")", "parameters": "--- File[/etc/rsyslog.d/09-kubernetes.conf].orig\n+++ File[/etc/rsyslog.d/09-kubernetes.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Augeas[ipip0_manual]", "parameters": "--- Augeas[ipip0_manual].orig\n+++ Augeas[ipip0_manual]\n\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ context => /files/etc/network/interfaces\n+ changes => [\"set auto[./1 = 'ipip0']/1 'ipip0'\", \"set iface[. = 'ipip0'] 'ipip0'\", \"set iface[. = 'ipip0']/family 'inet'\", \"set iface[. = 'ipip0']/method 'manual'\"]\n"}, {"resource": "File[/var/log/prometheus_lvs_realserver_mss]", "parameters": "--- File[/var/log/prometheus_lvs_realserver_mss].orig\n+++ File[/var/log/prometheus_lvs_realserver_mss]\n\n+ mode => 0755\n+ group => root\n+ force => True\n+ owner => root\n+ backup => False\n+ ensure => absent\n"}, {"resource": "File[/etc/apparmor.d/abstractions]", "parameters": "--- File[/etc/apparmor.d/abstractions].orig\n+++ File[/etc/apparmor.d/abstractions]\n\n+ mode => 0755\n+ group => root\n+ require => Package[apparmor]\n+ owner => root\n+ ensure => directory\n"}, {"resource": "Class[Containerd::Nerdctl]", "parameters": "--- Class[Containerd::Nerdctl].orig\n+++ Class[Containerd::Nerdctl]\n\n+ ensure => present\n+ namespace => k8s.io\n"}, {"resource": "File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]", "content": "--- /etc/sysctl.d/75-kube_proxy_conntrack.conf.orig\n+++ /etc/sysctl.d/75-kube_proxy_conntrack.conf\n@@ -0,0 +1,2 @@\n+# sysctl parameters managed by Puppet.\n+net.netfilter.nf_conntrack_max = 1048576", "parameters": "--- File[/etc/sysctl.d/75-kube_proxy_conntrack.conf].orig\n+++ File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]\n\n+ group => root\n+ ensure => present\n+ notify => Exec[update_sysctl]\n+ owner => root\n"}, {"resource": "File[/etc/systemd/system/kube-proxy.service.d]", "parameters": "--- File[/etc/systemd/system/kube-proxy.service.d].orig\n+++ File[/etc/systemd/system/kube-proxy.service.d]\n\n+ mode => 0555\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Augeas[ipip60_set_up]", "parameters": "--- Augeas[ipip60_set_up].orig\n+++ Augeas[ipip60_set_up]\n\n+ lens => Interfaces.lns\n+ onlyif => match up[. = 'ip link set up dev ipip60'] size == 0\n+ require => Augeas[ipip60_add_up]\n+ context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']\n+ incl => /etc/network/interfaces\n+ changes => set up[last()+1] 'ip link set up dev ipip60'\n"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::data_platform_ferm:\n+role::dse_k8s::worker::wdqs:\n - Data Platform"}, {"resource": "File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]", "parameters": "--- File[/etc/rsyslog.d/10-kubernetes-node-filters.conf].orig\n+++ File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]\n\n+ mode => 0444\n+ group => root\n+ notify => Service[rsyslog]\n+ owner => root\n+ source => puppet:///modules/profile/kubernetes/node/kubernetes-node-filters.rsyslog.conf\n+ ensure => present\n"}, {"resource": "Nrpe::Monitor_service[check_tcp-mss-clamper_status]", "parameters": "--- Nrpe::Monitor_service[check_tcp-mss-clamper_status].orig\n+++ Nrpe::Monitor_service[check_tcp-mss-clamper_status]\n\n+ retries => 2\n+ contact_group => admins\n+ retry_interval => 1\n+ ensure => absent\n+ timeout => 10\n+ nrpe_command => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper\n+ alertmanager_team => observability\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ enable_nrpe2nodexp => False\n+ enable_icinga_check => True\n+ nrpe2nodexp_parse_perf_data => False\n+ critical => False\n+ migration_task => T407130\n+ description => Check unit status of tcp-mss-clamper\n+ check_interval => 10\n"}, {"resource": "Service[cpufrequtils]", "parameters": "--- Service[cpufrequtils].orig\n+++ Service[cpufrequtils]\n\n+ ensure => running\n+ enable => True\n"}, {"resource": "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem].orig\n+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]\n\n+ ensure => file\n+ group => root\n+ require => Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]\n+ owner => root\n"}, {"resource": "Interface::Ipip[ipip_ipv4]", "parameters": "--- Interface::Ipip[ipip_ipv4].orig\n+++ Interface::Ipip[ipip_ipv4]\n\n+ ensure => present\n+ address => 127.0.0.42\n+ interface => ipip0\n+ family => inet\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service\n@@ -0,0 +1,11 @@\n+[Unit]\n+Description=execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=nagios\n+\n+Group=prometheus-node-exporter\n+SyslogIdentifier=nrpe2nodexp-check_tcp-mss-clamper_status\n+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash \"295d6d5dd0a784bb9ba1d5983fd1894f\" --timeout 10 --check-command \"check_check_tcp-mss-clamper_status\"", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Prometheus::Node_ferm_mss[ferm_clamped_ipport]", "parameters": "--- Prometheus::Node_ferm_mss[ferm_clamped_ipport].orig\n+++ Prometheus::Node_ferm_mss[ferm_clamped_ipport]\n\n+ ensure => absent\n+ clamped_ipport => ['10.2.1.91:30443']\n+ outfile => /var/lib/prometheus/node.d/ferm-mss.prom\n"}, {"resource": "Motd::Script[dse_k8s::worker::wdqs]", "parameters": "--- Motd::Script[dse_k8s::worker::wdqs].orig\n+++ Motd::Script[dse_k8s::worker::wdqs]\n\n+ ensure => present\n+ priority => 5\n"}, {"resource": "File[/usr/share/GeoIP]", "parameters": "--- File[/usr/share/GeoIP].orig\n+++ File[/usr/share/GeoIP]\n\n+ mode => 0644\n+ group => root\n+ owner => root\n+ source => puppet:///volatile/GeoIP\n+ ensure => directory\n+ show_diff => False\n+ backup => False\n+ recurse => True\n"}, {"resource": "Ferm::Rule[ip6ip6]", "parameters": "--- Ferm::Rule[ip6ip6].orig\n+++ Ferm::Rule[ip6ip6]\n\n+ table => filter\n+ prio => 10\n+ domain => (ip6)\n+ desc => \n+ ensure => present\n+ chain => INPUT\n+ rule => saddr 0100::/64 proto ipv6 ACCEPT;\n"}, {"resource": "Interface::Post_up_command[clsact_lo]", "parameters": "--- Interface::Post_up_command[clsact_lo].orig\n+++ Interface::Post_up_command[clsact_lo]\n\n+ command => /usr/sbin/tc qdisc add dev lo clsact\n+ ensure => absent\n+ interface => lo\n"}, {"resource": "Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]", "parameters": "--- Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f].orig\n+++ Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]\n\n+ team => observability\n+ group => nrpechecks\n+ alert_name => nrpe_Check_unit_status_of_tcp_mss_clamper\n+ instance => ops\n+ ensure => absent\n+ dashboard => TODO\n+ summary => NRPE CHECK: Check unit status of tcp-mss-clamper\n+ severity => info\n+ logs => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_tcp-mss-clamper_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))\n+ site => codfw\n+ description => NRPE CHECK: Check unit status of tcp-mss-clamper\n+ def_label_whitelst => ['team', 'severity']\n+ for => 11m\n+ expr => (nagios_nrpe_check_result{alert_rule_hash=\"295d6d5dd0a784bb9ba1d5983fd1894f\",check_name=\"check_check_tcp-mss-clamper_status\", status=~\"(WARNING|CRITICAL)\", severity=~\"(warning|critical)\"} > 0) * on (instance) group_left (team) role_owner\n+ runbook => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n"}, {"resource": "Systemd::Override[container-runtime]", "parameters": "--- Systemd::Override[container-runtime].orig\n+++ Systemd::Override[container-runtime]\n\n+ ensure => present\n+ restart => True\n+ unit => kubelet\n"}, {"resource": "Systemd::Service[kube-proxy]", "parameters": "--- Systemd::Service[kube-proxy].orig\n+++ Systemd::Service[kube-proxy]\n\n+ unit_type => service\n+ service_params => {}\n+ monitoring_contact_group => admins\n+ subscribe => File[/etc/kubernetes/proxy.conf]\n+ ensure => present\n+ restart => True\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => True\n"}, {"resource": "Sysctl::Conffile[increase_inotify_limits]", "parameters": "--- Sysctl::Conffile[increase_inotify_limits].orig\n+++ Sysctl::Conffile[increase_inotify_limits]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ priority => 70\n"}, {"resource": "File[/etc/sysctl.d/70-opensearch.conf]", "content": "--- /etc/sysctl.d/70-opensearch.conf.orig\n+++ /etc/sysctl.d/70-opensearch.conf\n@@ -0,0 +1,2 @@\n+# sysctl parameters managed by Puppet.\n+vm.max_map_count = 1048576", "parameters": "--- File[/etc/sysctl.d/70-opensearch.conf].orig\n+++ File[/etc/sysctl.d/70-opensearch.conf]\n\n+ group => root\n+ ensure => present\n+ notify => Exec[update_sysctl]\n+ owner => root\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n- role_description => Host being setup by Data Platform SREs\n+ role_description => DSE Kubernetes worker node - dedicated to wdqs\n"}, {"resource": "Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "parameters": "--- Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig\n+++ Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]\n\n+ mode => 0444\n+ notify => Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n+ group => root\n+ ensure_newline => False\n+ owner => root\n+ ensure => present\n+ warn => False\n+ path => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ format => plain\n+ show_diff => True\n+ force => False\n+ backup => puppet\n+ replace => True\n+ order => alpha\n"}, {"resource": "Exec[Generate cert dse__system_kube-proxy]", "parameters": "--- Exec[Generate cert dse__system_kube-proxy].orig\n+++ Exec[Generate cert dse__system_kube-proxy]\n\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_kube-proxy.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__system_kube-proxy-key.pem 2>&1)\"\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kube-proxy]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy\n\n"}, {"resource": "File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]", "parameters": "--- File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches].orig\n+++ File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]\n\n+ mode => 0544\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/sysctl.d/51-ubuntu-defaults.conf]", "content": "--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig\n+++ /etc/sysctl.d/51-ubuntu-defaults.conf\n@@ -4,7 +4,7 @@\n kernel.kptr_restrict = 1\n kernel.printk = 4 4 1 7\n kernel.yama.ptrace_scope = 1\n-net.ipv4.conf.all.rp_filter = 1\n+net.ipv4.conf.all.rp_filter = 0\n net.ipv4.conf.default.rp_filter = 1\n net.ipv4.tcp_syncookies = 1\n vm.mmap_min_addr = 65536"}, {"resource": "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "parameters": "--- File[/usr/local/lib/nagios/plugins/check_systemd_unit_status].orig\n+++ File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]\n\n+ mode => 0555\n+ group => root\n+ require => File[/usr/local/lib/nagios/plugins/]\n+ owner => root\n+ source => puppet:///modules/systemd/check_systemd_unit_status\n+ ensure => file\n+ tag => nrpe::plugin\n"}, {"resource": "Exec[Generate cert dse__rsyslog]", "parameters": "--- Exec[Generate cert dse__rsyslog].orig\n+++ Exec[Generate cert dse__rsyslog]\n\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem 2>&1)\"\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[rsyslog]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog\n\n"}, {"resource": "Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem].orig\n+++ Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]\n\n+ unless => /usr/bin/test \"$(/bin/cat /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem | sha512sum)\"\n\n+ notify => ['Service[kubelet]']\n+ require => Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change]\n+ subscribe => ['Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]', 'File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]', 'File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem]']\n+ command => /bin/cat /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem > /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem\n"}, {"resource": "K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]", "parameters": "--- K8s::Kubeconfig[/etc/kubernetes/kubelet.conf].orig\n+++ K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]\n\n+ mode => 0400\n+ group => kube\n+ require => ['Class[K8s::Base_dirs]']\n+ owner => kube\n+ username => default-auth\n+ ensure => present\n+ auth_cert => {'cert': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem', 'key': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem', 'chain': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem', 'chained': '/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem'}\n+ master_host => dse-k8s-ctrl.svc.codfw.wmnet\n"}, {"resource": "Systemd::Override[ferm-service-auto-restart]", "parameters": "--- Systemd::Override[ferm-service-auto-restart].orig\n+++ Systemd::Override[ferm-service-auto-restart]\n\n+ source => puppet:///modules/profile/kubernetes/node/ferm_systemd_override\n+ ensure => present\n+ restart => False\n+ unit => ferm\n"}, {"resource": "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "parameters": "--- File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status].orig\n+++ File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]\n\n+ ensure => absent\n+ group => root\n+ require => Package[nagios-nrpe-server]\n+ owner => root\n"}, {"resource": "Kmod::Module[overlay]", "parameters": "--- Kmod::Module[overlay].orig\n+++ Kmod::Module[overlay]\n\n+ ensure => present\n"}, {"resource": "Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]", "parameters": "--- Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo].orig\n+++ Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]\n\n+ command => /usr/bin/apt-get update\n+ refreshonly => True\n"}, {"resource": "Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem].orig\n+++ Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]\n\n+ unless => /usr/bin/test \"$(/bin/cat /etc/kubernetes/pki/dse__system_kube-proxy.pem /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kubernetes/pki/dse__system_kube-proxy.chained.pem | sha512sum)\"\n\n+ notify => ['Service[kube-proxy]']\n+ require => Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]\n+ subscribe => ['Exec[renew certificate - dse__system_kube-proxy]', 'File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]', 'File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]']\n+ command => /bin/cat /etc/kubernetes/pki/dse__system_kube-proxy.pem /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem > /etc/kubernetes/pki/dse__system_kube-proxy.chained.pem\n"}, {"resource": "Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ splay => 300\n+ accuracy => 15sec\n+ unit_name => nrpe2nodexp-check_tcp-mss-clamper_status.service\n+ fixed_random_delay => True\n+ ensure => absent\n+ timer_intervals => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}, {'interval': '1s', 'start': 'OnActiveSec'}]\n"}, {"resource": "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "parameters": "--- Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)].orig\n+++ Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Logrotate::Conf[prometheus_ferm_mss]", "parameters": "--- Logrotate::Conf[prometheus_ferm_mss].orig\n+++ Logrotate::Conf[prometheus_ferm_mss]\n\n+ ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "File[/etc/rsyslog.d/20-shellbox.conf]", "parameters": "--- File[/etc/rsyslog.d/20-shellbox.conf].orig\n+++ File[/etc/rsyslog.d/20-shellbox.conf]\n\n+ mode => 0444\n+ group => root\n+ notify => Service[rsyslog]\n+ owner => root\n+ source => puppet:///modules/profile/rsyslog/shellbox.rsyslog.conf\n+ ensure => present\n"}, {"resource": "File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "content": "--- /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr.orig\n+++ /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr\n@@ -0,0 +1,19 @@\n+{\n+ \"CN\": \"system:node:dse-k8s-wdqs-test2001.codfw.wmnet\",\n+ \"hosts\": [\n+ \"system:node:dse-k8s-wdqs-test2001.codfw.wmnet\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+ {\n+ \"C\": null,\n+ \"L\": null,\n+ \"O\": \"system:nodes\",\n+ \"OU\": null,\n+ \"S\": null\n+ }\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr].orig\n+++ File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Rsyslog::Conf[prometheus_lvs_realserver_mss]", "parameters": "--- Rsyslog::Conf[prometheus_lvs_realserver_mss].orig\n+++ Rsyslog::Conf[prometheus_lvs_realserver_mss]\n\n+ mode => 0444\n+ ensure => absent\n+ require => File[/var/log/prometheus_lvs_realserver_mss]\n+ priority => 40\n"}, {"resource": "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem].orig\n+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => root\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => file\n"}, {"resource": "Exec[Generate cert dse__calicoctl refresh]", "parameters": "--- Exec[Generate cert dse__calicoctl refresh].orig\n+++ Exec[Generate cert dse__calicoctl refresh]\n\n+ subscribe => File[/etc/cfssl/csr/dse__calicoctl.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ refreshonly => True\n"}, {"resource": "File[/etc/ferm/conf.d/10_ipip]", "content": "--- /etc/ferm/conf.d/10_ipip.orig\n+++ /etc/ferm/conf.d/10_ipip\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_ipip: \n+\n+domain (ip) {\n+\ttable filter {\n+\t\tchain INPUT {\n+\t\t\tsaddr 172.16.0.0/12 proto ipencap ACCEPT;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_ipip].orig\n+++ File[/etc/ferm/conf.d/10_ipip]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => present\n+ tag => ferm\n"}, {"resource": "File[/var/log/prometheus_ferm_mss]", "parameters": "--- File[/var/log/prometheus_ferm_mss].orig\n+++ File[/var/log/prometheus_ferm_mss]\n\n+ mode => 0755\n+ group => root\n+ force => True\n+ owner => root\n+ backup => False\n+ ensure => absent\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Sysctl::Parameters[opensearch]", "parameters": "--- Sysctl::Parameters[opensearch].orig\n+++ Sysctl::Parameters[opensearch]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ values => {'vm.max_map_count': 1048576}\n+ priority => 70\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => kube\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => file\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]\n\n+ ensure => file\n+ group => root\n+ require => Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]\n+ owner => kube\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]\n\n+ hosts => []\n+ names => []\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => calico-cni\n"}, {"resource": "Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]", "parameters": "--- Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo].orig\n+++ Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]\n\n+ command => /usr/bin/apt-get update\n+ refreshonly => True\n"}, {"resource": "Rsyslog::Conf[kubernetes]", "parameters": "--- Rsyslog::Conf[kubernetes].orig\n+++ Rsyslog::Conf[kubernetes]\n\n+ mode => 0444\n+ ensure => present\n+ priority => 9\n"}, {"resource": "Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ mode => 0444\n+ ensure => absent\n+ priority => 25\n"}, {"resource": "Systemd::Timer::Job[prometheus_ferm_mss]", "parameters": "--- Systemd::Timer::Job[prometheus_ferm_mss].orig\n+++ Systemd::Timer::Job[prometheus_ferm_mss]\n\n+ fixed_random_delay => False\n+ private_tmp => False\n+ ensure => absent\n+ logging_enabled => True\n+ syslog_force_stop => True\n+ environment => {}\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_only_on_error => True\n+ send_mail_to => root@dse-k8s-wdqs-test2001.codfw.wmnet\n+ user => root\n+ description => Regular job to collect MSS values of ferm-based hosts\n+ syslog_match_startswith => True\n+ logfile_basedir => /var/log\n+ monitoring_contact_groups => admins\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'minutely'}\n+ command => /usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 10.2.1.91:30443\n+ send_mail => False\n+ ignore_errors => False\n+ logfile_perms => all\n+ logfile_name => syslog.log\n+ monitoring_enabled => False\n+ success_exit_status => []\n"}, {"resource": "File[/etc/calico/calicoctl.cfg]", "content": "--- /etc/calico/calicoctl.cfg.orig\n+++ /etc/calico/calicoctl.cfg\n@@ -0,0 +1,10 @@\n+# This configures calicoctl to use the kubernetes datastore.\n+# The user referenced in the kubeconfig file probably needs broad permissions, see:\n+# https://docs.projectcalico.org/getting-started/clis/calicoctl/configure/overview\n+# https://docs.projectcalico.org/getting-started/kubernetes/hardway/end-user-rbac\n+apiVersion: projectcalico.org/v3\n+kind: CalicoAPIConfig\n+metadata:\n+spec:\n+ datastoreType: \"kubernetes\"\n+ kubeconfig: \"/etc/calico/calicoctl-kubeconfig\"", "parameters": "--- File[/etc/calico/calicoctl.cfg].orig\n+++ File[/etc/calico/calicoctl.cfg]\n\n+ mode => 0444\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Nrpe::Check[check_disk_space]", "parameters": "--- Nrpe::Check[check_disk_space].orig\n+++ Nrpe::Check[check_disk_space]\n\n@@\n- command => /usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+ command => /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs\n"}, {"resource": "File[/var/log/rsyslog-release-deleted-inotify-watches]", "parameters": "--- File[/var/log/rsyslog-release-deleted-inotify-watches].orig\n+++ File[/var/log/rsyslog-release-deleted-inotify-watches]\n\n+ mode => 0755\n+ group => root\n+ force => True\n+ owner => root\n+ backup => False\n+ ensure => absent\n"}, {"resource": "Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]", "parameters": "--- Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo].orig\n+++ Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]\n\n+ pin => release a=bookworm-backports\n+ notify => Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]\n+ before => ['Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]']\n+ ensure => present\n+ package => linux-base linux-image-6.12.88+deb12-amd64\n+ priority => 1001\n"}, {"resource": "Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ command => /usr/bin/apt-get update \n+ refreshonly => True\n"}, {"resource": "Class[Base::Sysctl::Inotify]", "parameters": "--- Class[Base::Sysctl::Inotify].orig\n+++ Class[Base::Sysctl::Inotify]\n\n+ max_user_instances => 512\n+ max_user_watches => 32768\n"}, {"resource": "File[/etc/sysctl.d/70-increase_inotify_limits.conf]", "content": "--- /etc/sysctl.d/70-increase_inotify_limits.conf.orig\n+++ /etc/sysctl.d/70-increase_inotify_limits.conf\n@@ -0,0 +1,3 @@\n+# sysctl parameters managed by Puppet.\n+fs.inotify.max_user_instances = 512\n+fs.inotify.max_user_watches = 32768", "parameters": "--- File[/etc/sysctl.d/70-increase_inotify_limits.conf].orig\n+++ File[/etc/sysctl.d/70-increase_inotify_limits.conf]\n\n+ group => root\n+ ensure => present\n+ notify => Exec[update_sysctl]\n+ owner => root\n"}, {"resource": "Service[apparmor]", "parameters": "--- Service[apparmor].orig\n+++ Service[apparmor]\n\n+ hasstatus => True\n+ ensure => running\n+ require => Package[apparmor]\n+ hasrestart => True\n"}, {"resource": "Systemd::Timer[set-rbd-readahead]", "parameters": "--- Systemd::Timer[set-rbd-readahead].orig\n+++ Systemd::Timer[set-rbd-readahead]\n\n+ splay => 0\n+ accuracy => 15sec\n+ unit_name => set-rbd-readahead.service\n+ fixed_random_delay => False\n+ ensure => absent\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*:0/5'}]\n"}, {"resource": "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]", "parameters": "--- Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)].orig\n+++ Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Exec[ip link set up dev ipip0]", "parameters": "--- Exec[ip link set up dev ipip0].orig\n+++ Exec[ip link set up dev ipip0]\n\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip0 | grep -q UP\n+ returns => [0, 2]\n"}, {"resource": "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "parameters": "--- Exec[ip addr add 127.0.0.42/32 dev ipip0].orig\n+++ Exec[ip addr add 127.0.0.42/32 dev ipip0]\n\n+ path => /bin:/usr/bin\n+ unless => ip address show ipip0 | grep -q 127.0.0.42/32\n+ returns => [0, 2]\n"}, {"resource": "Class[Profile::Lvs::Realserver]", "parameters": "--- Class[Profile::Lvs::Realserver].orig\n+++ Class[Profile::Lvs::Realserver]\n\n+ poolcounter_backends => [{'label': 'pc1', 'fqdn': 'poolcounter2005.codfw.wmnet'}, {'label': 'pc2', 'fqdn': 'poolcounter2006.codfw.wmnet'}]\n+ pools => {'k8s-ingress-dse': {}, 'k8s-ingress-dse-aa': {}}\n+ use_conftool => False\n"}, {"resource": "Class[Profile::Lvs::Realserver::Ipip]", "parameters": "--- Class[Profile::Lvs::Realserver::Ipip].orig\n+++ Class[Profile::Lvs::Realserver::Ipip]\n\n+ firewall_provider => ferm\n+ ipv4_mss => 1440\n+ ipv6_mss => 1400\n+ enabled => True\n+ interfaces => ['ens2f0np0', 'lo']\n+ clamping_enabled => False\n+ pools => {'k8s-ingress-dse': {}, 'k8s-ingress-dse-aa': {}}\n"}, {"resource": "Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "parameters": "--- Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig\n+++ Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]\n\n+ mode => 0444\n+ group => root\n+ ensure_newline => False\n+ owner => root\n+ tag => _etc_apt_sources.list.d_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ format => plain\n+ show_diff => True\n+ force => False\n+ backup => puppet\n+ replace => True\n+ order => alpha\n"}, {"resource": "Systemd::Unit[prometheus_lvs_realserver_mss.timer]", "parameters": "--- Systemd::Unit[prometheus_lvs_realserver_mss.timer].orig\n+++ Systemd::Unit[prometheus_lvs_realserver_mss.timer]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => prometheus_lvs_realserver_mss.timer\n"}, {"resource": "Class[Cpufrequtils]", "parameters": "--- Class[Cpufrequtils].orig\n+++ Class[Cpufrequtils]\n\n+ ensure => present\n+ governor => performance\n"}, {"resource": "Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]", "parameters": "--- Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)].orig\n+++ Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]\n\n+ command => /bin/systemctl daemon-reload\n+ notify => ['Service[kube-proxy]']\n+ refreshonly => True\n"}, {"resource": "Volume_group[vg_raid0]", "parameters": "--- Volume_group[vg_raid0].orig\n+++ Volume_group[vg_raid0]\n\n+ createonly => True\n+ ensure => present\n+ followsymlinks => False\n+ physical_volumes => {'/dev/md1': {'unless_vg': 'vg_raid0'}}\n"}, {"resource": "Class[Containerd::Configuration]", "parameters": "--- Class[Containerd::Configuration].orig\n+++ Class[Containerd::Configuration]\n\n+ dragonfly_enabled => False\n+ registry_username => kubernetes\n+ ensure => present\n+ sandbox_image => docker-registry.discovery.wmnet/pause:3.6-1\n"}, {"resource": "Sysctl::Parameters[kube_proxy_icmp]", "parameters": "--- Sysctl::Parameters[kube_proxy_icmp].orig\n+++ Sysctl::Parameters[kube_proxy_icmp]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ values => {'net.ipv4.conf.all.send_redirects': 0, 'net.ipv4.conf.default.send_redirects': 0, 'net.ipv4.conf.ens2f0np0.send_redirects': 0}\n+ priority => 75\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-ferm-mss.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-ferm-mss.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"prometheus_ferm_mss\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/prometheus_ferm_mss/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Rsyslog::Conf[set-rbd-readahead]", "parameters": "--- Rsyslog::Conf[set-rbd-readahead].orig\n+++ Rsyslog::Conf[set-rbd-readahead]\n\n+ mode => 0444\n+ ensure => absent\n+ require => File[/var/log/set-rbd-readahead]\n+ priority => 40\n"}, {"resource": "File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]", "content": "--- /etc/udev/rules.d/75-kube_proxy_conntrack.rules.orig\n+++ /etc/udev/rules.d/75-kube_proxy_conntrack.rules\n@@ -0,0 +1,2 @@\n+ACTION==\"add\", SUBSYSTEM==\"module\", KERNEL==\"nf_conntrack\", \\\n+ RUN+=\"/usr/lib/systemd/systemd-sysctl --prefix net.netfilter.nf_conntrack_max\"", "parameters": "--- File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules].orig\n+++ File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]\n\n+ mode => 0444\n+ notify => Exec[udev_reload]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]", "content": "--- /lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer.orig\n+++ /lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of rsyslog-release-deleted-inotify-watches.service\n+\n+[Timer]\n+Unit=rsyslog-release-deleted-inotify-watches.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-* *:37:00\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer].orig\n+++ File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "File[/etc/sysctl.d/75-kube_proxy_icmp.conf]", "content": "--- /etc/sysctl.d/75-kube_proxy_icmp.conf.orig\n+++ /etc/sysctl.d/75-kube_proxy_icmp.conf\n@@ -0,0 +1,4 @@\n+# sysctl parameters managed by Puppet.\n+net.ipv4.conf.all.send_redirects = 0\n+net.ipv4.conf.default.send_redirects = 0\n+net.ipv4.conf.ens2f0np0.send_redirects = 0", "parameters": "--- File[/etc/sysctl.d/75-kube_proxy_icmp.conf].orig\n+++ File[/etc/sysctl.d/75-kube_proxy_icmp.conf]\n\n+ group => root\n+ ensure => present\n+ notify => Exec[update_sysctl]\n+ owner => root\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)].orig\n+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]", "parameters": "--- File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0].orig\n+++ File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]\n\n+ path => /etc/network/interfaces\n+ match_for_absence => True\n+ ensure => absent\n+ match => post-up /usr/sbin/tc qdisc add dev ens2f0np0 clsact\n"}, {"resource": "Exec[cpufrequtils_reload]", "parameters": "--- Exec[cpufrequtils_reload].orig\n+++ Exec[cpufrequtils_reload]\n\n+ unless => /usr/bin/cpufreq-info -p | /bin/grep -wq performance\n+ command => /usr/bin/systemctl reload cpufrequtils\n+ require => File[/etc/default/cpufrequtils]\n"}, {"resource": "Cfssl::Cert[dse__istio-cni]", "parameters": "--- Cfssl::Cert[dse__istio-cni].orig\n+++ Cfssl::Cert[dse__istio-cni]\n\n+ mode => 0740\n+ group => root\n+ provide_chain => True\n+ owner => root\n+ ensure => absent\n+ hosts => []\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ names => []\n+ label => dse\n+ auto_renew => True\n+ notify_services => []\n+ renew_seconds => 952200\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ outdir => /etc/kubernetes/pki\n+ common_name => istio-cni\n"}, {"resource": "Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]", "parameters": "--- Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)].orig\n+++ Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem].orig\n+++ Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]\n\n+ unless => /usr/bin/test \"$(/bin/cat /etc/kubernetes/pki/dse__calico-cni.pem /etc/kubernetes/pki/dse__calico-cni.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kubernetes/pki/dse__calico-cni.chained.pem | sha512sum)\"\n\n+ command => /bin/cat /etc/kubernetes/pki/dse__calico-cni.pem /etc/kubernetes/pki/dse__calico-cni.chain.pem > /etc/kubernetes/pki/dse__calico-cni.chained.pem\n+ require => Exec[Generate cert dse__calico-cni refresh on intermediate ca change]\n+ subscribe => ['Exec[renew certificate - dse__calico-cni]', 'File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]', 'File[/etc/kubernetes/pki/dse__calico-cni.pem]']\n"}, {"resource": "Sysctl::Parameters[kube_proxy_conntrack]", "parameters": "--- Sysctl::Parameters[kube_proxy_conntrack].orig\n+++ Sysctl::Parameters[kube_proxy_conntrack]\n\n+ values => {'net.netfilter.nf_conntrack_max': 1048576}\n+ no_priority_prefix => False\n+ ensure => present\n+ module => nf_conntrack\n+ priority => 75\n"}, {"resource": "Systemd::Timer[rsyslog-release-deleted-inotify-watches]", "parameters": "--- Systemd::Timer[rsyslog-release-deleted-inotify-watches].orig\n+++ Systemd::Timer[rsyslog-release-deleted-inotify-watches]\n\n+ splay => 0\n+ accuracy => 15sec\n+ unit_name => rsyslog-release-deleted-inotify-watches.service\n+ fixed_random_delay => False\n+ ensure => absent\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* *:37:00'}]\n"}, {"resource": "Rsyslog::Conf[prometheus_ferm_mss]", "parameters": "--- Rsyslog::Conf[prometheus_ferm_mss].orig\n+++ Rsyslog::Conf[prometheus_ferm_mss]\n\n+ mode => 0444\n+ ensure => absent\n+ require => File[/var/log/prometheus_ferm_mss]\n+ priority => 40\n"}, {"resource": "Class[Geoip::Data::Puppet]", "parameters": "--- Class[Geoip::Data::Puppet].orig\n+++ Class[Geoip::Data::Puppet]\n\n+ data_directory => /usr/share/GeoIP\n+ data_directory_ipinfo => /usr/share/GeoIPInfo\n+ source => puppet:///volatile/GeoIP\n+ fetch_ipinfo_dbs => False\n+ source_ipinfo => puppet:///volatile/GeoIPInfo\n"}, {"resource": "Systemd::Service[prometheus_ferm_mss]", "parameters": "--- Systemd::Service[prometheus_ferm_mss].orig\n+++ Systemd::Service[prometheus_ferm_mss]\n\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[prometheus_ferm_mss.service]\n+ monitoring_contact_group => admins\n+ ensure => absent\n+ restart => False\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => False\n"}, {"resource": "Augeas[ipip60_add_up]", "parameters": "--- Augeas[ipip60_add_up].orig\n+++ Augeas[ipip60_add_up]\n\n+ lens => Interfaces.lns\n+ onlyif => match up[. = 'ip link add name ipip60 type ip6tnl external'] size == 0\n+ require => Interface::Manual[ipip_ipv6]\n+ context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']\n+ incl => /etc/network/interfaces\n+ changes => set up[last()+1] 'ip link add name ipip60 type ip6tnl external'\n"}, {"resource": "File[/etc/cfssl/csr/dse__istio-cni.csr]", "content": "--- /etc/cfssl/csr/dse__istio-cni.csr.orig\n+++ /etc/cfssl/csr/dse__istio-cni.csr\n@@ -0,0 +1,13 @@\n+{\n+ \"CN\": \"istio-cni\",\n+ \"hosts\": [\n+ \"istio-cni\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__istio-cni.csr].orig\n+++ File[/etc/cfssl/csr/dse__istio-cni.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "File[/lib/systemd/system/set-rbd-readahead.service]", "content": "--- /lib/systemd/system/set-rbd-readahead.service.orig\n+++ /lib/systemd/system/set-rbd-readahead.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Set readahead for OpenSearch pod RBDs (block devices)\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/set-rbd-readahead.py", "parameters": "--- File[/lib/systemd/system/set-rbd-readahead.service].orig\n+++ File[/lib/systemd/system/set-rbd-readahead.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "File[/etc/kubernetes/kubelet.conf]", "content": "--- /etc/kubernetes/kubelet.conf.orig\n+++ /etc/kubernetes/kubelet.conf\n@@ -0,0 +1,18 @@\n+apiVersion: v1\n+kind: Config\n+preferences: {}\n+current-context: default-system\n+contexts:\n+- name: default-system\n+ context:\n+ cluster: default-cluster\n+ user: default-auth\n+clusters:\n+- name: default-cluster\n+ cluster:\n+ server: https://dse-k8s-ctrl.svc.codfw.wmnet:6443\n+users:\n+- name: default-auth\n+ user:\n+ client-certificate: /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem\n+ client-key: /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem", "parameters": "--- File[/etc/kubernetes/kubelet.conf].orig\n+++ File[/etc/kubernetes/kubelet.conf]\n\n+ mode => 0400\n+ ensure => present\n+ group => kube\n+ owner => kube\n"}, {"resource": "Interface::Manual[ipip_ipv4]", "parameters": "--- Interface::Manual[ipip_ipv4].orig\n+++ Interface::Manual[ipip_ipv4]\n\n+ interface => ipip0\n+ ensure => present\n+ hotplug => False\n+ family => inet\n"}, {"resource": "Sysctl::Conffile[ubuntu defaults]"}, {"resource": "Udev::Rule[kube_proxy_conntrack]", "parameters": "--- Udev::Rule[kube_proxy_conntrack].orig\n+++ Udev::Rule[kube_proxy_conntrack]\n\n+ ensure => present\n+ priority => 75\n"}, {"resource": "Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ group => prometheus-node-exporter\n+ fixed_random_delay => True\n+ private_tmp => False\n+ ensure => absent\n+ logging_enabled => False\n+ splay => 300\n+ syslog_identifier => nrpe2nodexp-check_tcp-mss-clamper_status\n+ environment => {}\n+ syslog_force_stop => True\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_only_on_error => True\n+ send_mail_to => root@dse-k8s-wdqs-test2001.codfw.wmnet\n+ user => nagios\n+ description => execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.\n+ syslog_match_startswith => True\n+ logfile_basedir => /var/log\n+ monitoring_contact_groups => admins\n+ logfile_group => root\n+ interval => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]\n+ command => /usr/local/bin/nrpe2nodexp --alert-rule-hash \"295d6d5dd0a784bb9ba1d5983fd1894f\" --timeout 10 --check-command \"check_check_tcp-mss-clamper_status\"\n+ ignore_errors => True\n+ send_mail => False\n+ logfile_perms => all\n+ logfile_name => syslog.log\n+ monitoring_enabled => False\n+ success_exit_status => []\n"}, {"resource": "Interface::Clsact[clsact_ens2f0np0]", "parameters": "--- Interface::Clsact[clsact_ens2f0np0].orig\n+++ Interface::Clsact[clsact_ens2f0np0]\n\n+ ensure => absent\n+ interface => ens2f0np0\n"}, {"resource": "Exec[renew certificate - dse__rsyslog]", "parameters": "--- Exec[renew certificate - dse__rsyslog].orig\n+++ Exec[renew certificate - dse__rsyslog]\n\n+ unless => /usr/bin/openssl x509 -in /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem -checkend 952200\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[rsyslog]']\n+ require => Exec[Generate cert dse__rsyslog]\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog\n\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)].orig\n+++ Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "content": "--- /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf.orig\n+++ /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"prometheus_lvs_realserver_mss\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/prometheus_lvs_realserver_mss/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf].orig\n+++ File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Service[kubelet]", "parameters": "--- Service[kubelet].orig\n+++ Service[kubelet]\n\n+ subscribe => ['File[/etc/kubernetes/kubelet.conf]']\n+ ensure => running\n+ enable => True\n"}, {"resource": "Physical_volume[/dev/md1]", "parameters": "--- Physical_volume[/dev/md1].orig\n+++ Physical_volume[/dev/md1]\n\n+ unless_vg => vg_raid0\n+ ensure => present\n+ force => False\n"}, {"resource": "File_line[rm_post-up_lo_clsact_lo]", "parameters": "--- File_line[rm_post-up_lo_clsact_lo].orig\n+++ File_line[rm_post-up_lo_clsact_lo]\n\n+ path => /etc/network/interfaces\n+ match_for_absence => True\n+ ensure => absent\n+ match => post-up /usr/sbin/tc qdisc add dev lo clsact\n"}, {"resource": "Systemd::Unit[prometheus_ferm_mss.service]", "parameters": "--- Systemd::Unit[prometheus_ferm_mss.service].orig\n+++ Systemd::Unit[prometheus_ferm_mss.service]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => prometheus_ferm_mss.service\n"}, {"resource": "Exec[apt_package_from_component_kubernetes131]", "parameters": "--- Exec[apt_package_from_component_kubernetes131].orig\n+++ Exec[apt_package_from_component_kubernetes131]\n\n+ before => []\n+ command => /usr/bin/apt-get update\n+ subscribe => Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n+ refreshonly => True\n"}, {"resource": "Class[K8s::Kubelet]", "parameters": "--- Class[K8s::Kubelet].orig\n+++ Class[K8s::Kubelet]\n\n+ cni_conf_dir => /etc/cni/net.d\n+ node_taints => [{'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoExecute'}, {'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoSchedule'}]\n+ cluster_domain => cluster.local\n+ cni_bin_dir => /opt/cni/bin\n+ node_labels => ['dedicated=wdqs', 'topology.kubernetes.io/region=codfw', 'topology.kubernetes.io/zone=row-a7', 'node.kubernetes.io/disk-type=ssd']\n+ ipv6dualstack => False\n+ version => 1.31\n+ system_reserved => {'cpu': '2.6', 'memory': '9.17Gi'}\n+ kubelet_cert => {'cert': '/etc/kubernetes/pki/dse__kubelet_server.pem', 'key': '/etc/kubernetes/pki/dse__kubelet_server-key.pem', 'chain': '/etc/kubernetes/pki/dse__kubelet_server.chain.pem', 'chained': '/etc/kubernetes/pki/dse__kubelet_server.chained.pem'}\n+ cluster_dns => ['10.192.80.3']\n+ pod_infra_container_image => docker-registry.discovery.wmnet/pause:3.6-1\n+ v_log_level => 0\n+ kubeconfig => /etc/kubernetes/kubelet.conf\n"}, {"resource": "Interface::Ip[ipip_ipv4 ipv4]", "parameters": "--- Interface::Ip[ipip_ipv4 ipv4].orig\n+++ Interface::Ip[ipip_ipv4 ipv4]\n\n+ require => Augeas[ipip0_set_up]\n+ interface => ipip0\n+ address => 127.0.0.42\n+ prefixlen => 32\n+ ensure => present\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => kube\n+ backup => False\n+ ensure => file\n"}, {"resource": "Systemd::Unit[set-rbd-readahead.timer]", "parameters": "--- Systemd::Unit[set-rbd-readahead.timer].orig\n+++ Systemd::Unit[set-rbd-readahead.timer]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => set-rbd-readahead.timer\n"}, {"resource": "Sysctl::Conffile[ipv6-fowarding-accept-ra]", "parameters": "--- Sysctl::Conffile[ipv6-fowarding-accept-ra].orig\n+++ Sysctl::Conffile[ipv6-fowarding-accept-ra]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ priority => 70\n"}, {"resource": "File[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "content": "--- /etc/cfssl/csr/dse__system_kube-proxy.csr.orig\n+++ /etc/cfssl/csr/dse__system_kube-proxy.csr\n@@ -0,0 +1,19 @@\n+{\n+ \"CN\": \"system:kube-proxy\",\n+ \"hosts\": [\n+ \"system:kube-proxy\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+ {\n+ \"C\": null,\n+ \"L\": null,\n+ \"O\": \"system:node-proxier\",\n+ \"OU\": null,\n+ \"S\": null\n+ }\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__system_kube-proxy.csr].orig\n+++ File[/etc/cfssl/csr/dse__system_kube-proxy.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Package[linux-base]", "parameters": "--- Package[linux-base].orig\n+++ Package[linux-base]\n\n+ ensure => 4.12.1~bpo12+1\n+ provider => apt\n"}, {"resource": "File[/etc/cni/net.d/istio-kubeconfig]", "content": "--- /etc/cni/net.d/istio-kubeconfig.orig\n+++ /etc/cni/net.d/istio-kubeconfig\n@@ -0,0 +1,18 @@\n+apiVersion: v1\n+kind: Config\n+preferences: {}\n+current-context: default-system\n+contexts:\n+- name: default-system\n+ context:\n+ cluster: default-cluster\n+ user: istio-cni\n+clusters:\n+- name: default-cluster\n+ cluster:\n+ server: https://dse-k8s-ctrl.svc.codfw.wmnet:6443\n+users:\n+- name: istio-cni\n+ user:\n+ client-certificate: /etc/kubernetes/pki/dse__istio-cni.pem\n+ client-key: /etc/kubernetes/pki/dse__istio-cni-key.pem", "parameters": "--- File[/etc/cni/net.d/istio-kubeconfig].orig\n+++ File[/etc/cni/net.d/istio-kubeconfig]\n\n+ mode => 0400\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_kube-proxy.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => kube\n"}, {"resource": "Class[Prometheus::Node_exporter]", "parameters": "--- Class[Prometheus::Node_exporter].orig\n+++ Class[Prometheus::Node_exporter]\n\n@@\n- collectors_extra => []\n+ collectors_extra => ['processes']\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]\n\n+ hosts => []\n+ names => []\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => calicoctl\n"}, {"resource": "File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__istio-cni.chain.pem].orig\n+++ File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => root\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => absent\n"}, {"resource": "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "parameters": "--- File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom].orig\n+++ File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Sysctl::Conffile[kube_proxy_icmp]", "parameters": "--- Sysctl::Conffile[kube_proxy_icmp].orig\n+++ Sysctl::Conffile[kube_proxy_icmp]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ priority => 75\n"}, {"resource": "File[/etc/kubernetes/kubelet-config.yaml]", "content": "--- /etc/kubernetes/kubelet-config.yaml.orig\n+++ /etc/kubernetes/kubelet-config.yaml\n@@ -0,0 +1,32 @@\n+---\n+apiVersion: kubelet.config.k8s.io/v1beta1\n+kind: KubeletConfiguration\n+tlsPrivateKeyFile: \"/etc/kubernetes/pki/dse__kubelet_server-key.pem\"\n+tlsCertFile: \"/etc/kubernetes/pki/dse__kubelet_server.chained.pem\"\n+clusterDomain: cluster.local\n+clusterDNS:\n+- 10.192.80.3\n+containerRuntimeEndpoint: unix:///run/containerd/containerd.sock\n+authentication:\n+ anonymous:\n+ enabled: false\n+ webhook:\n+ enabled: true\n+ x509:\n+ clientCAFile: \"/etc/kubernetes/pki/dse__kubelet_server.chain.pem\"\n+authorization:\n+ mode: Webhook\n+registerWithTaints:\n+- key: dedicated\n+ value: wdqs\n+ effect: NoExecute\n+- key: dedicated\n+ value: wdqs\n+ effect: NoSchedule\n+seccompDefault: true\n+cgroupDriver: systemd\n+evictionHard:\n+ imagefs.available: 15%\n+ memory.available: 300M\n+ nodefs.available: 10%\n+ nodefs.inodesFree: 5%", "parameters": "--- File[/etc/kubernetes/kubelet-config.yaml].orig\n+++ File[/etc/kubernetes/kubelet-config.yaml]\n\n+ mode => 0400\n+ notify => Service[kubelet]\n+ group => kube\n+ require => K8s::Package[kubelet]\n+ owner => kube\n+ ensure => file\n"}, {"resource": "Systemd::Timer::Job[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Timer::Job[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Timer::Job[prometheus_lvs_realserver_mss]\n\n+ fixed_random_delay => False\n+ private_tmp => False\n+ ensure => absent\n+ logging_enabled => True\n+ syslog_force_stop => True\n+ environment => {}\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_only_on_error => True\n+ send_mail_to => root@dse-k8s-wdqs-test2001.codfw.wmnet\n+ user => root\n+ description => Regular job to collect MSS values of realserver endpoints\n+ syslog_match_startswith => True\n+ logfile_basedir => /var/log\n+ monitoring_contact_groups => admins\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': 'minutely'}\n+ command => /usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 10.2.1.91:30443\n+ send_mail => False\n+ ignore_errors => False\n+ logfile_perms => all\n+ logfile_name => syslog.log\n+ monitoring_enabled => False\n+ success_exit_status => []\n"}, {"resource": "Systemd::Unit[rsyslog-imfile-remedy.service]", "parameters": "--- Systemd::Unit[rsyslog-imfile-remedy.service].orig\n+++ Systemd::Unit[rsyslog-imfile-remedy.service]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => present\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => rsyslog-imfile-remedy.service\n"}, {"resource": "Class[Profile::Kubernetes::Node::Dse_k8s]", "parameters": "--- Class[Profile::Kubernetes::Node::Dse_k8s].orig\n+++ Class[Profile::Kubernetes::Node::Dse_k8s]\n\n+ set_rbd_readahead => False\n"}, {"resource": "Lvm::Physical_volume[/dev/md1]", "parameters": "--- Lvm::Physical_volume[/dev/md1].orig\n+++ Lvm::Physical_volume[/dev/md1]\n\n+ unless_vg => vg_raid0\n+ ensure => present\n+ force => False\n"}, {"resource": "Package[mmdb-bin]", "parameters": "--- Package[mmdb-bin].orig\n+++ Package[mmdb-bin]\n\n+ ensure => present\n+ provider => apt\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[cpufrequtils]', 'Package[apparmor]', 'Package[socat]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[wikimedia-lvs-realserver]', 'Package[tcp-mss-clamper]', 'Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']\n"}, {"resource": "Service[prometheus_lvs_realserver_mss.timer]", "parameters": "--- Service[prometheus_lvs_realserver_mss.timer].orig\n+++ Service[prometheus_lvs_realserver_mss.timer]\n\n+ before => ['Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]']\n+ ensure => stopped\n+ enable => False\n+ provider => systemd\n"}, {"resource": "Logical_volume[srv]", "parameters": "--- Logical_volume[srv].orig\n+++ Logical_volume[srv]\n\n+ volume_group => vg_raid0\n+ thinpool => False\n+ size => 10G\n+ before => ['Filesystem[/dev/vg_raid0/srv]']\n+ ensure => present\n"}, {"resource": "Class[Base::Sysctl]", "parameters": "--- Class[Base::Sysctl].orig\n+++ Class[Base::Sysctl]\n\n@@\n- all_rp_filter => 1\n+ all_rp_filter => 0\n"}, {"resource": "Apt::Package_from_bpo[linux-6.12-bookworm]", "parameters": "--- Apt::Package_from_bpo[linux-6.12-bookworm].orig\n+++ Apt::Package_from_bpo[linux-6.12-bookworm]\n\n+ ensure_packages => True\n+ priority => 1001\n+ packages => {'linux-base': '4.12.1~bpo12+1', 'linux-image-6.12.88+deb12-amd64': 'present'}\n+ distro => bookworm\n"}, {"resource": "Exec[Generate cert dse__rsyslog refresh]", "parameters": "--- Exec[Generate cert dse__rsyslog refresh].orig\n+++ Exec[Generate cert dse__rsyslog refresh]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[rsyslog]']\n+ refreshonly => True\n+ subscribe => File[/etc/cfssl/csr/dse__rsyslog.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog\n\n"}, {"resource": "File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]", "content": "--- /etc/logrotate.d/rsyslog-release-deleted-inotify-watches.orig\n+++ /etc/logrotate.d/rsyslog-release-deleted-inotify-watches\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for rsyslog-release-deleted-inotify-watches\n+\n+/var/log/rsyslog-release-deleted-inotify-watches/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches].orig\n+++ File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]\n\n+ mode => 0444\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/cni/net.d]", "parameters": "--- File[/etc/cni/net.d].orig\n+++ File[/etc/cni/net.d]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Service[kube-proxy]", "parameters": "--- Service[kube-proxy].orig\n+++ Service[kube-proxy]\n\n+ ensure => running\n+ enable => True\n"}, {"resource": "Cfssl::Cert[dse__system_kube-proxy]", "parameters": "--- Cfssl::Cert[dse__system_kube-proxy].orig\n+++ Cfssl::Cert[dse__system_kube-proxy]\n\n+ mode => 0740\n+ group => root\n+ provide_chain => True\n+ owner => kube\n+ ensure => present\n+ hosts => []\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ names => [{'organisation': 'system:node-proxier'}]\n+ label => dse\n+ auto_renew => True\n+ notify_services => ['kube-proxy']\n+ renew_seconds => 952200\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ outdir => /etc/kubernetes/pki\n+ common_name => system:kube-proxy\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calicoctl.csr]", "parameters": "--- File[/etc/kubernetes/pki/dse__calicoctl.csr].orig\n+++ File[/etc/kubernetes/pki/dse__calicoctl.csr]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "content": "--- /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf.orig\n+++ /etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf\n@@ -0,0 +1,10 @@\n+# SPDX-License-Identifier: Apache-2.0\n+if $programname contains \"nrpe2nodexp-check_tcp-mss-clamper_status\" then {\n+ if ($msg contains \"\\\"ecs.version\\\": \\\"1.7.0\\\"\") then {\n+ # Send logs to kafka\n+ set $.log_outputs = \"kafka ecs_170 local\";\n+ } else {\n+ # Filter out non-relevant nrpe2nodexp messages\n+ stop\n+ }\n+}", "parameters": "--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf].orig\n+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Service[set-rbd-readahead.timer]", "parameters": "--- Service[set-rbd-readahead.timer].orig\n+++ Service[set-rbd-readahead.timer]\n\n+ before => ['Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]']\n+ ensure => stopped\n+ enable => False\n+ provider => systemd\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 check_tcp-mss-clamper_status]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 check_tcp-mss-clamper_status].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 check_tcp-mss-clamper_status]\n\n+ contact_groups => admins\n+ ensure => absent\n+ check_period => 24x7\n+ service_description => Check unit status of tcp-mss-clamper\n+ notification_options => c,r,f\n+ servicegroups => dse_k8s_codfw\n+ host_name => dse-k8s-wdqs-test2001\n+ check_command => nrpe_check!check_check_tcp-mss-clamper_status!10\n+ check_freshness => 0\n+ is_volatile => 0\n+ retry_interval => 1\n+ notifications_enabled => 1\n+ max_check_attempts => 2\n+ active_checks_enabled => 1\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ passive_checks_enabled => 1\n+ notification_period => 24x7\n+ notification_interval => 0\n+ check_interval => 10\n"}, {"resource": "Systemd::Unit[kube-proxy]", "parameters": "--- Systemd::Unit[kube-proxy].orig\n+++ Systemd::Unit[kube-proxy]\n\n+ require => ['Class[Systemd]']\n+ override => True\n+ ensure => present\n+ override_filename => puppet-override.conf\n+ restart => True\n+ unit => kube-proxy\n"}, {"resource": "User[kube]", "parameters": "--- User[kube].orig\n+++ User[kube]\n\n+ system => True\n+ gid => kube\n+ shell => /usr/sbin/nologin\n+ ensure => present\n+ home => /nonexistent\n"}, {"resource": "Systemd::Unit[set-rbd-readahead.service]", "parameters": "--- Systemd::Unit[set-rbd-readahead.service].orig\n+++ Systemd::Unit[set-rbd-readahead.service]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => set-rbd-readahead.service\n"}, {"resource": "Filesystem[/dev/vg_raid0/srv]", "parameters": "--- Filesystem[/dev/vg_raid0/srv].orig\n+++ Filesystem[/dev/vg_raid0/srv]\n\n+ before => ['Mount[/srv]']\n+ ensure => present\n+ fs_type => ext4\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]\n\n+ hosts => []\n+ names => []\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => istio-cni\n"}, {"resource": "Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]", "parameters": "--- Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact].orig\n+++ Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]\n\n+ onlyif => /usr/sbin/tc qdisc show dev ens2f0np0 | grep -q clsact\n"}, {"resource": "File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]", "content": "--- /etc/modprobe.d/blacklist-r440_wdat_wdt.conf.orig\n+++ /etc/modprobe.d/blacklist-r440_wdat_wdt.conf\n@@ -0,0 +1,5 @@\n+# r440_wdat_wdt - blacklisted kernel modules\n+# This file is managed by Puppet\n+#\n+blacklist wdat_wdt\n+install wdat_wdt /bin/true", "parameters": "--- File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf].orig\n+++ File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]\n\n+ mode => 0444\n+ notify => ['Exec[update-initramfs]', 'Exec[rmmod-r440_wdat_wdt]']\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Rsyslog::Conf[imfile]", "parameters": "--- Rsyslog::Conf[imfile].orig\n+++ Rsyslog::Conf[imfile]\n\n+ mode => 0444\n+ ensure => present\n+ priority => 0\n"}, {"resource": "Class[Geoip]", "parameters": "--- Class[Geoip].orig\n+++ Class[Geoip]\n\n+ load_data_from_puppetserver => True\n+ fetch_ipinfo_dbs => False\n"}, {"resource": "Systemd::Service[rsyslog-imfile-remedy]", "parameters": "--- Systemd::Service[rsyslog-imfile-remedy].orig\n+++ Systemd::Service[rsyslog-imfile-remedy]\n\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[rsyslog-imfile-remedy.service]\n+ monitoring_contact_group => admins\n+ ensure => present\n+ restart => False\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => False\n"}, {"resource": "Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ order => 10\n+ target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Service[containerd]", "parameters": "--- Service[containerd].orig\n+++ Service[containerd]\n\n+ ensure => running\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]\n\n+ hosts => ['dse-k8s-wdqs-test2001', 'dse-k8s-wdqs-test2001.codfw.wmnet', '10.192.9.26', '2620:0:860:10a:10:192:9:26']\n+ names => []\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => kubelet\n"}, {"resource": "Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]", "parameters": "--- Systemd::Unit[rsyslog-release-deleted-inotify-watches.service].orig\n+++ Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => rsyslog-release-deleted-inotify-watches.service\n"}, {"resource": "Package[cpufrequtils]", "parameters": "--- Package[cpufrequtils].orig\n+++ Package[cpufrequtils]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Package[wikimedia-lvs-realserver]", "parameters": "--- Package[wikimedia-lvs-realserver].orig\n+++ Package[wikimedia-lvs-realserver]\n\n+ ensure => present\n+ require => File[/etc/default/wikimedia-lvs-realserver]\n+ provider => apt\n"}, {"resource": "File[/var/log/set-rbd-readahead]", "parameters": "--- File[/var/log/set-rbd-readahead].orig\n+++ File[/var/log/set-rbd-readahead]\n\n+ mode => 0755\n+ group => root\n+ force => True\n+ owner => root\n+ backup => False\n+ ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]", "parameters": "--- Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)].orig\n+++ Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]\n\n+ command => /bin/systemctl daemon-reload\n+ notify => ['Service[kubelet]']\n+ refreshonly => True\n"}, {"resource": "Augeas[ipip0_set_up]", "parameters": "--- Augeas[ipip0_set_up].orig\n+++ Augeas[ipip0_set_up]\n\n+ lens => Interfaces.lns\n+ onlyif => match up[. = 'ip link set up dev ipip0'] size == 0\n+ require => Augeas[ipip0_add_up]\n+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']\n+ incl => /etc/network/interfaces\n+ changes => set up[last()+1] 'ip link set up dev ipip0'\n"}, {"resource": "File[/etc/logrotate.d/prometheus_ferm_mss]", "content": "--- /etc/logrotate.d/prometheus_ferm_mss.orig\n+++ /etc/logrotate.d/prometheus_ferm_mss\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for prometheus_ferm_mss\n+\n+/var/log/prometheus_ferm_mss/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/prometheus_ferm_mss].orig\n+++ File[/etc/logrotate.d/prometheus_ferm_mss]\n\n+ mode => 0444\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ command => /usr/bin/apt-get update \n+ refreshonly => True\n"}, {"resource": "File[/etc/systemd/system/kubelet.service.d]", "parameters": "--- File[/etc/systemd/system/kubelet.service.d].orig\n+++ File[/etc/systemd/system/kubelet.service.d]\n\n+ mode => 0555\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]", "parameters": "--- Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)].orig\n+++ Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "content": "--- /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg.orig\n+++ /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg\n@@ -0,0 +1,2 @@\n+# File generated by puppet. DO NOT edit by hand\n+command[check_check_tcp-mss-clamper_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper", "parameters": "--- File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg].orig\n+++ File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]\n\n+ mode => 0444\n+ notify => Service[nagios-nrpe-server]\n+ group => root\n+ require => Package[nagios-nrpe-server]\n+ owner => root\n+ ensure => absent\n+ tag => nrpe::check\n"}, {"resource": "Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]", "parameters": "--- Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)].orig\n+++ Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]", "content": "--- /etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref.orig\n+++ /etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref\n@@ -0,0 +1,3 @@\n+Package: linux-base linux-image-6.12.88+deb12-amd64\n+Pin: release a=bookworm-backports\n+Pin-Priority: 1001", "parameters": "--- File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref].orig\n+++ File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]\n\n+ mode => 0444\n+ notify => Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Apt::Package_from_component[calico329]", "parameters": "--- Apt::Package_from_component[calico329].orig\n+++ Apt::Package_from_component[calico329]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ packages => {'calicoctl': '>=3.29 <3.30', 'calico-cni': '>=3.29 <3.30'}\n+ distro => bookworm-wikimedia\n+ component => component/calico329\n+ ensure => present\n+ ensure_packages => True\n+ priority => 1001\n"}, {"resource": "Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "parameters": "--- Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem].orig\n+++ Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]\n\n+ unless => /usr/bin/test \"$(/bin/cat /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem | sha512sum)\"\n\n+ notify => ['Service[rsyslog]']\n+ require => Exec[Generate cert dse__rsyslog refresh on intermediate ca change]\n+ subscribe => ['Exec[renew certificate - dse__rsyslog]', 'File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]', 'File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]']\n+ command => /bin/cat /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem > /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem\n"}, {"resource": "Exec[renew certificate - dse__calico-cni]", "parameters": "--- Exec[renew certificate - dse__calico-cni].orig\n+++ Exec[renew certificate - dse__calico-cni]\n\n+ unless => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calico-cni.pem -checkend 952200\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/kubernetes/pki/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Exec[Generate cert dse__calico-cni]\n"}, {"resource": "Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]", "parameters": "--- Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport].orig\n+++ Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]\n\n+ ensure => absent\n+ clamped_ipport => ['10.2.1.91:30443']\n+ outfile => /var/lib/prometheus/node.d/lvs-realserver-mss.prom\n"}, {"resource": "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "content": "--- /etc/logrotate.d/prometheus_lvs_realserver_mss.orig\n+++ /etc/logrotate.d/prometheus_lvs_realserver_mss\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for prometheus_lvs_realserver_mss\n+\n+/var/log/prometheus_lvs_realserver_mss/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/prometheus_lvs_realserver_mss].orig\n+++ File[/etc/logrotate.d/prometheus_lvs_realserver_mss]\n\n+ mode => 0444\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Logrotate::Conf[set-rbd-readahead]", "parameters": "--- Logrotate::Conf[set-rbd-readahead].orig\n+++ Logrotate::Conf[set-rbd-readahead]\n\n+ ensure => absent\n"}, {"resource": "Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]", "parameters": "--- Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)].orig\n+++ Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]\n\n+ before => ['Service[rsyslog-imfile-remedy.timer]']\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n- nagios_group => insetup_codfw\n+ nagios_group => dse_k8s_codfw\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "File[/lib/systemd/system/rsyslog-imfile-remedy.service]", "content": "--- /lib/systemd/system/rsyslog-imfile-remedy.service.orig\n+++ /lib/systemd/system/rsyslog-imfile-remedy.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Restart rsyslog T357616\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/bin/systemctl try-restart rsyslog", "parameters": "--- File[/lib/systemd/system/rsyslog-imfile-remedy.service].orig\n+++ File[/lib/systemd/system/rsyslog-imfile-remedy.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Lvm::Logical_volume[srv]", "parameters": "--- Lvm::Logical_volume[srv].orig\n+++ Lvm::Logical_volume[srv]\n\n+ mountpath => /srv\n+ mountpath_require => False\n+ mounted => True\n+ size => 10G\n+ ensure => present\n+ dump => 0\n+ volume_group => vg_raid0\n+ fs_type => ext4\n+ options => defaults\n+ pass => 2\n+ createfs => True\n+ thinpool => False\n"}, {"resource": "Rsyslog::Conf[shellbox]", "parameters": "--- Rsyslog::Conf[shellbox].orig\n+++ Rsyslog::Conf[shellbox]\n\n+ mode => 0444\n+ source => puppet:///modules/profile/rsyslog/shellbox.rsyslog.conf\n+ ensure => present\n+ priority => 20\n"}, {"resource": "K8s::Kubelet::Cni[calico]", "parameters": "--- K8s::Kubelet::Cni[calico].orig\n+++ K8s::Kubelet::Cni[calico]\n\n+ config => {'name': 'k8s-pod-network', 'cniVersion': '0.3.1', 'plugins': [{'type': 'calico', 'log_level': 'info', 'datastore_type': 'kubernetes', 'mtu': 1460, 'ipam': {'type': 'calico-ipam', 'assign_ipv4': 'true', 'assign_ipv6': 'true'}, 'policy': {'type': 'k8s'}, 'kubernetes': {'kubeconfig': '/etc/cni/net.d/calico-kubeconfig'}}]}\n+ require => ['Class[K8s::Kubelet::Cni::Base]']\n+ priority => 10\n"}, {"resource": "Systemd::Timer[prometheus_ferm_mss]", "parameters": "--- Systemd::Timer[prometheus_ferm_mss].orig\n+++ Systemd::Timer[prometheus_ferm_mss]\n\n+ splay => 0\n+ accuracy => 15sec\n+ unit_name => prometheus_ferm_mss.service\n+ fixed_random_delay => False\n+ ensure => absent\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'minutely'}]\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]\n\n+ hosts => []\n+ names => [{'organisation': 'system:node-proxier'}]\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => system:kube-proxy\n"}, {"resource": "Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]", "parameters": "--- Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status].orig\n+++ Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]\n\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]\n+ monitoring_contact_group => admins\n+ ensure => absent\n+ restart => False\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => False\n"}, {"resource": "File[/srv/spark]", "parameters": "--- File[/srv/spark].orig\n+++ File[/srv/spark]\n\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Package[istio-cni]", "parameters": "--- Package[istio-cni].orig\n+++ Package[istio-cni]\n\n+ ensure => absent\n+ provider => apt\n"}, {"resource": "Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "parameters": "--- Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig\n+++ Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]\n\n+ source => puppet:///modules/apt/sources-deb822-header.txt\n+ order => 01\n+ target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ order => 10\n+ target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Package[calicoctl]", "parameters": "--- Package[calicoctl].orig\n+++ Package[calicoctl]\n\n+ ensure => >=3.29 <3.30\n+ provider => apt\n"}, {"resource": "Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]", "parameters": "--- Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches].orig\n+++ Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]\n\n+ fixed_random_delay => False\n+ private_tmp => False\n+ ensure => absent\n+ logging_enabled => True\n+ syslog_force_stop => True\n+ environment => {}\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_only_on_error => True\n+ send_mail_to => root@dse-k8s-wdqs-test2001.codfw.wmnet\n+ user => root\n+ description => Restart rsyslog to release inotify watches of deleted container logs\n+ syslog_match_startswith => True\n+ logfile_basedir => /var/log\n+ monitoring_contact_groups => admins\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-* *:37:00'}\n+ command => /usr/local/sbin/rsyslog-release-deleted-inotify-watches\n+ send_mail => False\n+ ignore_errors => False\n+ logfile_perms => all\n+ logfile_name => syslog.log\n+ monitoring_enabled => False\n+ success_exit_status => []\n"}, {"resource": "Systemd::Timer[rsyslog-imfile-remedy]", "parameters": "--- Systemd::Timer[rsyslog-imfile-remedy].orig\n+++ Systemd::Timer[rsyslog-imfile-remedy]\n\n+ splay => 30\n+ accuracy => 15sec\n+ unit_name => rsyslog-imfile-remedy.service\n+ fixed_random_delay => False\n+ ensure => present\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* 00/3:10:00'}]\n"}, {"resource": "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "content": "--- /lib/systemd/system/prometheus_lvs_realserver_mss.timer.orig\n+++ /lib/systemd/system/prometheus_lvs_realserver_mss.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of prometheus_lvs_realserver_mss.service\n+\n+[Timer]\n+Unit=prometheus_lvs_realserver_mss.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=minutely\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer].orig\n+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "File[/etc/logrotate.d/set-rbd-readahead]", "content": "--- /etc/logrotate.d/set-rbd-readahead.orig\n+++ /etc/logrotate.d/set-rbd-readahead\n@@ -0,0 +1,12 @@\n+# logrotate(8) config for set-rbd-readahead\n+\n+/var/log/set-rbd-readahead/*.log {\n+ daily\n+ copytruncate\n+ missingok\n+ compress\n+ delaycompress\n+ notifempty\n+ rotate 15\n+ size 256M\n+}", "parameters": "--- File[/etc/logrotate.d/set-rbd-readahead].orig\n+++ File[/etc/logrotate.d/set-rbd-readahead]\n\n+ mode => 0444\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Monitoring::Service[check_tcp-mss-clamper_status]", "parameters": "--- Monitoring::Service[check_tcp-mss-clamper_status].orig\n+++ Monitoring::Service[check_tcp-mss-clamper_status]\n\n+ check_command => nrpe_check!check_check_tcp-mss-clamper_status!10\n+ retries => 2\n+ contact_group => admins\n+ retry_interval => 1\n+ ensure => absent\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ config_dir => /etc/nagios\n+ passive => False\n+ host => dse-k8s-wdqs-test2001\n+ critical => False\n+ migration_task => T407130\n+ description => Check unit status of tcp-mss-clamper\n+ check_interval => 10\n+ freshness => 36000\n"}, {"resource": "K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]", "parameters": "--- K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig].orig\n+++ K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]\n\n+ mode => 0400\n+ group => root\n+ require => ['File[/etc/cni/net.d]', 'Class[K8s::Base_dirs]']\n+ owner => root\n+ username => calico-cni\n+ ensure => present\n+ auth_cert => {'cert': '/etc/kubernetes/pki/dse__calico-cni.pem', 'key': '/etc/kubernetes/pki/dse__calico-cni-key.pem', 'chain': '/etc/kubernetes/pki/dse__calico-cni.chain.pem', 'chained': '/etc/kubernetes/pki/dse__calico-cni.chained.pem'}\n+ master_host => dse-k8s-ctrl.svc.codfw.wmnet\n"}, {"resource": "Systemd::Unit[tcp-mss-clamper]", "parameters": "--- Systemd::Unit[tcp-mss-clamper].orig\n+++ Systemd::Unit[tcp-mss-clamper]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => tcp-mss-clamper\n"}, {"resource": "Class[K8s::Proxy]", "parameters": "--- Class[K8s::Proxy].orig\n+++ Class[K8s::Proxy]\n\n+ ipv6dualstack => False\n+ version => 1.31\n+ cluster_cidr => {'v4': '10.192.96.0/21', 'v6': '2620:0:860:308::/64'}\n+ v_log_level => 0\n+ proxy_mode => iptables\n+ kubeconfig => /etc/kubernetes/proxy.conf\n"}, {"resource": "Firewall::Service[calico-typha]", "parameters": "--- Firewall::Service[calico-typha].orig\n+++ Firewall::Service[calico-typha]\n\n+ src_sets => ['DOMAIN_NETWORKS']\n+ ensure => present\n+ notrack => False\n+ prio => 10\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ port => 5473\n"}, {"resource": "Package[linux-image-6.12.88+deb12-amd64]", "parameters": "--- Package[linux-image-6.12.88+deb12-amd64].orig\n+++ Package[linux-image-6.12.88+deb12-amd64]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Class[Profile::Containerd]", "parameters": "--- Class[Profile::Containerd].orig\n+++ Class[Profile::Containerd]\n\n+ kubernetes_cluster_name => dse-k8s-codfw\n+ ensure => present\n+ registry_username => kubernetes\n"}, {"resource": "Package[kubernetes-node]", "parameters": "--- Package[kubernetes-node].orig\n+++ Package[kubernetes-node]\n\n+ ensure => >=1.31 <1.32\n+ require => Apt::Package_from_component[kubernetes131]\n+ provider => apt\n"}, {"resource": "File[/lib/systemd/system/tcp-mss-clamper.service]", "content": "--- /lib/systemd/system/tcp-mss-clamper.service.orig\n+++ /lib/systemd/system/tcp-mss-clamper.service\n@@ -0,0 +1,11 @@\n+[Unit]\n+Description=eBPF based TCP MSS clamper\n+After=network.target\n+\n+[Install]\n+WantedBy=multi-user.target\n+\n+[Service]\n+LimitMEMLOCK=infinity\n+ExecStart=/usr/bin/tcp-mss-clamper --ipv4-mss 1440 --ipv6-mss 1400 -p :2200 -s \"10.2.1.91:30443\" -i ens2f0np0,lo\n+Restart=on-failure", "parameters": "--- File[/lib/systemd/system/tcp-mss-clamper.service].orig\n+++ File[/lib/systemd/system/tcp-mss-clamper.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]", "parameters": "--- K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig].orig\n+++ K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]\n\n+ mode => 0400\n+ group => root\n+ require => ['Class[K8s::Base_dirs]']\n+ owner => root\n+ username => calicoctl\n+ ensure => present\n+ auth_cert => {'cert': '/etc/kubernetes/pki/dse__calicoctl.pem', 'key': '/etc/kubernetes/pki/dse__calicoctl-key.pem', 'chain': '/etc/kubernetes/pki/dse__calicoctl.chain.pem', 'chained': '/etc/kubernetes/pki/dse__calicoctl.chained.pem'}\n+ master_host => dse-k8s-ctrl.svc.codfw.wmnet\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "Package[crictl]", "parameters": "--- Package[crictl].orig\n+++ Package[crictl]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Ferm::Rule[clamp-mss-ipv4]", "parameters": "--- Ferm::Rule[clamp-mss-ipv4].orig\n+++ Ferm::Rule[clamp-mss-ipv4]\n\n+ table => filter\n+ prio => 10\n+ domain => (ip)\n+ desc => \n+ ensure => absent\n+ chain => OUTPUT\n+ rule => outerface (ens2f0np0 lo) saddr @ipfilter(10.2.1.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1440;\n"}, {"resource": "Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "parameters": "--- Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig\n+++ Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]\n\n+ source => puppet:///modules/apt/sources-deb822-header.txt\n+ order => 01\n+ target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Systemd::Monitor[tcp-mss-clamper]", "parameters": "--- Systemd::Monitor[tcp-mss-clamper].orig\n+++ Systemd::Monitor[tcp-mss-clamper]\n\n+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ retries => 2\n+ contact_group => admins\n+ migration_task => T407130\n+ critical => False\n+ ensure => absent\n+ check_interval => 10\n"}, {"resource": "Package[socat]", "parameters": "--- Package[socat].orig\n+++ Package[socat]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]", "parameters": "--- Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service].orig\n+++ Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => nrpe2nodexp-check_tcp-mss-clamper_status.service\n"}, {"resource": "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh]", "parameters": "--- Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh].orig\n+++ Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ refreshonly => True\n+ subscribe => File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet\n\n"}, {"resource": "Motd::Script[insetup::data_platform_ferm]", "parameters": "--- Motd::Script[insetup::data_platform_ferm].orig\n+++ Motd::Script[insetup::data_platform_ferm]\n\n- ensure => present\n- priority => 5\n"}, {"resource": "Class[Lvs::Realserver]", "parameters": "--- Class[Lvs::Realserver].orig\n+++ Class[Lvs::Realserver]\n\n+ realserver_ips => ['10.2.1.91']\n"}, {"resource": "Package[geoip-bin]", "parameters": "--- Package[geoip-bin].orig\n+++ Package[geoip-bin]\n\n+ ensure => present\n+ provider => apt\n"}, {"resource": "Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change].orig\n+++ Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kube-proxy]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]\n+ refreshonly => True\n+ subscribe => File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy\n\n"}, {"resource": "File[/etc/kubernetes/pki/dse__kubelet_server.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__kubelet_server.pem].orig\n+++ File[/etc/kubernetes/pki/dse__kubelet_server.pem]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => kube\n"}, {"resource": "File[/etc/cni/net.d/10-calico.conflist]", "content": "--- /etc/cni/net.d/10-calico.conflist.orig\n+++ /etc/cni/net.d/10-calico.conflist\n@@ -0,0 +1,23 @@\n+{\n+ \"name\": \"k8s-pod-network\",\n+ \"cniVersion\": \"0.3.1\",\n+ \"plugins\": [\n+ {\n+ \"type\": \"calico\",\n+ \"log_level\": \"info\",\n+ \"datastore_type\": \"kubernetes\",\n+ \"mtu\": 1460,\n+ \"ipam\": {\n+ \"type\": \"calico-ipam\",\n+ \"assign_ipv4\": \"true\",\n+ \"assign_ipv6\": \"true\"\n+ },\n+ \"policy\": {\n+ \"type\": \"k8s\"\n+ },\n+ \"kubernetes\": {\n+ \"kubeconfig\": \"/etc/cni/net.d/calico-kubeconfig\"\n+ }\n+ }\n+ ]\n+}", "parameters": "--- File[/etc/cni/net.d/10-calico.conflist].orig\n+++ File[/etc/cni/net.d/10-calico.conflist]\n\n+ mode => 0755\n+ group => root\n+ owner => root\n"}, {"resource": "Cfssl::Cert[dse__calico-cni]", "parameters": "--- Cfssl::Cert[dse__calico-cni].orig\n+++ Cfssl::Cert[dse__calico-cni]\n\n+ mode => 0740\n+ group => root\n+ provide_chain => True\n+ owner => root\n+ ensure => present\n+ hosts => []\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ names => []\n+ label => dse\n+ auto_renew => True\n+ notify_services => []\n+ renew_seconds => 952200\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ outdir => /etc/kubernetes/pki\n+ common_name => calico-cni\n"}, {"resource": "File[/etc/rsyslog.d/40-set-rbd-readahead.conf]", "content": "--- /etc/rsyslog.d/40-set-rbd-readahead.conf.orig\n+++ /etc/rsyslog.d/40-set-rbd-readahead.conf\n@@ -0,0 +1,9 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"set-rbd-readahead\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/set-rbd-readahead/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+}", "parameters": "--- File[/etc/rsyslog.d/40-set-rbd-readahead.conf].orig\n+++ File[/etc/rsyslog.d/40-set-rbd-readahead.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Exec[Generate cert dse__calico-cni refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert dse__calico-cni refresh on intermediate ca change].orig\n+++ Exec[Generate cert dse__calico-cni refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]\n+ refreshonly => True\n+ subscribe => File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni\n\n"}, {"resource": "Package[containerd]", "parameters": "--- Package[containerd].orig\n+++ Package[containerd]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Kmod::Blacklist[r440_wdat_wdt]", "parameters": "--- Kmod::Blacklist[r440_wdat_wdt].orig\n+++ Kmod::Blacklist[r440_wdat_wdt]\n\n+ modules => ['wdat_wdt']\n+ ensure => present\n+ rmmod => True\n"}, {"resource": "File[/etc/containerd]", "parameters": "--- File[/etc/containerd].orig\n+++ File[/etc/containerd]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Systemd::Service[tcp-mss-clamper]", "parameters": "--- Systemd::Service[tcp-mss-clamper].orig\n+++ Systemd::Service[tcp-mss-clamper]\n\n+ unit_type => service\n+ service_params => {}\n+ monitoring_contact_group => admins\n+ ensure => absent\n+ restart => False\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => True\n+ override => False\n"}, {"resource": "Exec[Generate cert dse__kubelet_server]", "parameters": "--- Exec[Generate cert dse__kubelet_server].orig\n+++ Exec[Generate cert dse__kubelet_server]\n\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__kubelet_server.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__kubelet_server-key.pem 2>&1)\"\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse -profile server /etc/cfssl/csr/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server\n\n"}, {"resource": "File[/etc/cfssl/csr/dse__rsyslog.csr]", "content": "--- /etc/cfssl/csr/dse__rsyslog.csr.orig\n+++ /etc/cfssl/csr/dse__rsyslog.csr\n@@ -0,0 +1,19 @@\n+{\n+ \"CN\": \"rsyslog\",\n+ \"hosts\": [\n+ \"rsyslog\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+ {\n+ \"C\": null,\n+ \"L\": null,\n+ \"O\": \"view\",\n+ \"OU\": null,\n+ \"S\": null\n+ }\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__rsyslog.csr].orig\n+++ File[/etc/cfssl/csr/dse__rsyslog.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]", "parameters": "--- Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)].orig\n+++ Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]\n\n+ before => ['Service[ferm]']\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Exec[rmmod-r440_wdat_wdt]", "parameters": "--- Exec[rmmod-r440_wdat_wdt].orig\n+++ Exec[rmmod-r440_wdat_wdt]\n\n+ command => /sbin/modprobe -r wdat_wdt\n+ refreshonly => True\n"}, {"resource": "Rsyslog::Input::File[kubernetes-json]", "parameters": "--- Rsyslog::Input::File[kubernetes-json].orig\n+++ Rsyslog::Input::File[kubernetes-json]\n\n+ reopen_on_truncate => on\n+ ensure => present\n+ addmetadata => on\n+ priority => 8\n+ path => /var/log/containers/*.log\n+ syslog_tag_prefix => input-file\n+ addceetag => on\n+ syslog_tag => kubernetes\n"}, {"resource": "File[/etc/default/prometheus-node-exporter]", "content": "--- /etc/default/prometheus-node-exporter.orig\n+++ /etc/default/prometheus-node-exporter\n@@ -15,6 +15,7 @@\n --collector.netdev \\\n --collector.netstat \\\n --collector.netstat.fields=^(.*) \\\n+ --collector.processes \\\n --collector.sockstat \\\n --collector.stat \\\n --collector.systemd.enable-restarts-metrics \\"}, {"resource": "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change].orig\n+++ Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]\n+ refreshonly => True\n+ subscribe => File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet\n\n"}, {"resource": "K8s::Package[kubelet]", "parameters": "--- K8s::Package[kubelet].orig\n+++ K8s::Package[kubelet]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ version => 1.31\n+ require => ['Class[K8s::Base_dirs]']\n+ distro => bookworm-wikimedia\n+ ensure_packages => True\n+ package => node\n+ priority => 1001\n"}, {"resource": "Exec[ensure mountpoint '/srv' exists]", "parameters": "--- Exec[ensure mountpoint '/srv' exists].orig\n+++ Exec[ensure mountpoint '/srv' exists]\n\n+ path => ['/bin', '/usr/bin']\n+ command => mkdir -p /srv\n+ before => Mount[/srv]\n+ unless => test -d /srv\n"}, {"resource": "File[/etc/cfssl/ssl/dse__rsyslog]", "parameters": "--- File[/etc/cfssl/ssl/dse__rsyslog].orig\n+++ File[/etc/cfssl/ssl/dse__rsyslog]\n\n+ mode => 0740\n+ group => root\n+ owner => root\n+ ensure => directory\n+ recurse => True\n"}, {"resource": "Class[Profile::Kubernetes::Node]", "parameters": "--- Class[Profile::Kubernetes::Node].orig\n+++ Class[Profile::Kubernetes::Node]\n\n+ feature_flags => {}\n+ require => ['Class[Profile::Rsyslog::Kubernetes]', 'Class[Profile::Netbox::Host]']\n+ kubelet_node_labels => ['dedicated=wdqs']\n+ kubernetes_cluster_name => dse-k8s-codfw\n+ kubelet_node_taints => [{'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoExecute'}, {'key': 'dedicated', 'value': 'wdqs', 'effect': 'NoSchedule'}]\n"}, {"resource": "Package[rsyslog-kubernetes]", "parameters": "--- Package[rsyslog-kubernetes].orig\n+++ Package[rsyslog-kubernetes]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Class[Containerd]", "parameters": "--- Class[Containerd].orig\n+++ Class[Containerd]\n\n+ ensure => present\n+ require => ['Class[Containerd::Configuration]']\n"}, {"resource": "File[/etc/kubernetes/pki]", "parameters": "--- File[/etc/kubernetes/pki].orig\n+++ File[/etc/kubernetes/pki]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Systemd::Timer::Job[rsyslog-imfile-remedy]", "parameters": "--- Systemd::Timer::Job[rsyslog-imfile-remedy].orig\n+++ Systemd::Timer::Job[rsyslog-imfile-remedy]\n\n+ fixed_random_delay => False\n+ private_tmp => False\n+ ensure => present\n+ logging_enabled => False\n+ splay => 30\n+ environment => {}\n+ syslog_force_stop => True\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_only_on_error => True\n+ send_mail_to => root@dse-k8s-wdqs-test2001.codfw.wmnet\n+ user => root\n+ description => Restart rsyslog T357616\n+ syslog_match_startswith => True\n+ logfile_basedir => /var/log\n+ monitoring_contact_groups => admins\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*-*-* 00/3:10:00'}\n+ command => /usr/bin/systemctl try-restart rsyslog\n+ send_mail => False\n+ ignore_errors => False\n+ logfile_perms => all\n+ logfile_name => syslog.log\n+ monitoring_enabled => False\n+ success_exit_status => []\n"}, {"resource": "Exec[Generate cert dse__calico-cni]", "parameters": "--- Exec[Generate cert dse__calico-cni].orig\n+++ Exec[Generate cert dse__calico-cni]\n\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calico-cni.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__calico-cni-key.pem 2>&1)\"\n\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]\n"}, {"resource": "File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__istio-cni.chained.pem].orig\n+++ File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "parameters": "--- Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet].orig\n+++ Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]\n\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem 2>&1)\"\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet\n\n"}, {"resource": "Exec[Generate cert dse__calico-cni refresh]", "parameters": "--- Exec[Generate cert dse__calico-cni refresh].orig\n+++ Exec[Generate cert dse__calico-cni refresh]\n\n+ subscribe => File[/etc/cfssl/csr/dse__calico-cni.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__calico-cni.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calico-cni\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ refreshonly => True\n"}, {"resource": "File[/etc/default/wikimedia-lvs-realserver]", "content": "--- /etc/default/wikimedia-lvs-realserver.orig\n+++ /etc/default/wikimedia-lvs-realserver\n@@ -0,0 +1,10 @@\n+# This file is managed by puppet!\n+\n+\n+\n+# Location of the sysctl file containing LVS ARP settings\n+SYSCTLFILE=/usr/share/wikimedia-lvs-realserver/sysctl.conf\n+\n+# LVS service IPs to be bound to the loopback interface,\n+# separate using spaces\n+LVS_SERVICE_IPS=\"10.2.1.91\"", "parameters": "--- File[/etc/default/wikimedia-lvs-realserver].orig\n+++ File[/etc/default/wikimedia-lvs-realserver]\n\n+ mode => 0444\n+ ensure => present\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]", "content": "--- /etc/systemd/system/kubelet.service.d/container-runtime.conf.orig\n+++ /etc/systemd/system/kubelet.service.d/container-runtime.conf\n@@ -0,0 +1,3 @@\n+[Unit]\n+After=containerd.service\n+Requires=containerd.service", "parameters": "--- File[/etc/systemd/system/kubelet.service.d/container-runtime.conf].orig\n+++ File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "File[/etc/modprobe.d/blacklist-wmf_overlay.conf]", "content": "--- /etc/modprobe.d/blacklist-wmf_overlay.conf.orig\n+++ /etc/modprobe.d/blacklist-wmf_overlay.conf\n@@ -1,7 +1,3 @@\n # wmf_overlay - blacklisted kernel modules\n # This file is managed by Puppet\n #\n-blacklist overlay\n-install overlay /bin/true\n-blacklist overlayfs\n-install overlayfs /bin/true", "parameters": "--- File[/etc/modprobe.d/blacklist-wmf_overlay.conf].orig\n+++ File[/etc/modprobe.d/blacklist-wmf_overlay.conf]\n\n@@\n- ensure => present\n+ ensure => absent\n"}, {"resource": "File[/etc/kubernetes/proxy.conf]", "content": "--- /etc/kubernetes/proxy.conf.orig\n+++ /etc/kubernetes/proxy.conf\n@@ -0,0 +1,18 @@\n+apiVersion: v1\n+kind: Config\n+preferences: {}\n+current-context: default-system\n+contexts:\n+- name: default-system\n+ context:\n+ cluster: default-cluster\n+ user: default-proxy\n+clusters:\n+- name: default-cluster\n+ cluster:\n+ server: https://dse-k8s-ctrl.svc.codfw.wmnet:6443\n+users:\n+- name: default-proxy\n+ user:\n+ client-certificate: /etc/kubernetes/pki/dse__system_kube-proxy.pem\n+ client-key: /etc/kubernetes/pki/dse__system_kube-proxy-key.pem", "parameters": "--- File[/etc/kubernetes/proxy.conf].orig\n+++ File[/etc/kubernetes/proxy.conf]\n\n+ mode => 0400\n+ ensure => present\n+ group => kube\n+ owner => kube\n"}, {"resource": "Interface::Manual[ipip_ipv6]", "parameters": "--- Interface::Manual[ipip_ipv6].orig\n+++ Interface::Manual[ipip_ipv6]\n\n+ interface => ipip60\n+ ensure => present\n+ hotplug => False\n+ family => inet6\n"}, {"resource": "Nrpe::Plugin[check_systemd_unit_status]", "parameters": "--- Nrpe::Plugin[check_systemd_unit_status].orig\n+++ Nrpe::Plugin[check_systemd_unit_status]\n\n+ source => puppet:///modules/systemd/check_systemd_unit_status\n+ ensure => present\n"}, {"resource": "Ferm::Service[calico-bird]", "parameters": "--- Ferm::Service[calico-bird].orig\n+++ Ferm::Service[calico-bird]\n\n+ ensure => present\n+ srange => ($NETWORK_INFRA 10.192.9.1)\n+ notrack => False\n+ prio => 10\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ port => 179\n"}, {"resource": "Exec[renew certificate - dse__calicoctl]", "parameters": "--- Exec[renew certificate - dse__calicoctl].orig\n+++ Exec[renew certificate - dse__calicoctl]\n\n+ unless => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calicoctl.pem -checkend 952200\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/kubernetes/pki/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Exec[Generate cert dse__calicoctl]\n"}, {"resource": "File[/var/run/kubernetes]", "parameters": "--- File[/var/run/kubernetes].orig\n+++ File[/var/run/kubernetes]\n\n+ mode => 0700\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert dse__kubelet_server refresh on intermediate ca change].orig\n+++ Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]\n+ refreshonly => True\n+ subscribe => File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse -profile server /etc/cfssl/csr/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server\n\n"}, {"resource": "File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]", "content": "--- /etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf.orig\n+++ /etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf\n@@ -0,0 +1,3 @@\n+# sysctl parameters managed by Puppet.\n+net.ipv6.conf.all.forwarding = 1\n+net.ipv6.conf.ens2f0np0.accept_ra = 2", "parameters": "--- File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf].orig\n+++ File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]\n\n+ group => root\n+ ensure => present\n+ notify => Exec[update_sysctl]\n+ owner => root\n"}, {"resource": "Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ order => 10\n+ target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "parameters": "--- Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig\n+++ Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]\n\n+ mode => 0444\n+ group => root\n+ ensure_newline => False\n+ owner => root\n+ tag => _etc_apt_sources.list.d_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ format => plain\n+ show_diff => True\n+ force => False\n+ backup => puppet\n+ replace => True\n+ order => alpha\n"}, {"resource": "Systemd::Timer::Job[set-rbd-readahead]", "parameters": "--- Systemd::Timer::Job[set-rbd-readahead].orig\n+++ Systemd::Timer::Job[set-rbd-readahead]\n\n+ require => File[/usr/local/sbin/set-rbd-readahead.py]\n+ fixed_random_delay => False\n+ private_tmp => False\n+ ensure => absent\n+ logging_enabled => True\n+ syslog_force_stop => False\n+ environment => {}\n+ logfile_name => syslog.log\n+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+ send_mail_only_on_error => True\n+ send_mail_to => root@dse-k8s-wdqs-test2001.codfw.wmnet\n+ user => root\n+ description => Set readahead for OpenSearch pod RBDs (block devices)\n+ syslog_match_startswith => True\n+ logfile_basedir => /var/log\n+ monitoring_contact_groups => admins\n+ logfile_group => root\n+ interval => {'start': 'OnCalendar', 'interval': '*:0/5'}\n+ send_mail => False\n+ ignore_errors => False\n+ logfile_perms => all\n+ command => /usr/local/sbin/set-rbd-readahead.py\n+ monitoring_enabled => False\n+ success_exit_status => []\n"}, {"resource": "Systemd::Unit[ferm-ferm-service-auto-restart]", "parameters": "--- Systemd::Unit[ferm-ferm-service-auto-restart].orig\n+++ Systemd::Unit[ferm-ferm-service-auto-restart]\n\n+ require => ['Class[Systemd]']\n+ override => True\n+ source => puppet:///modules/profile/kubernetes/node/ferm_systemd_override\n+ ensure => present\n+ override_filename => ferm-service-auto-restart\n+ restart => False\n+ unit => ferm\n"}, {"resource": "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "content": "--- /lib/systemd/system/prometheus_ferm_mss.timer.orig\n+++ /lib/systemd/system/prometheus_ferm_mss.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of prometheus_ferm_mss.service\n+\n+[Timer]\n+Unit=prometheus_ferm_mss.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=minutely\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/prometheus_ferm_mss.timer].orig\n+++ File[/lib/systemd/system/prometheus_ferm_mss.timer]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Systemd::Unit[prometheus_lvs_realserver_mss.service]", "parameters": "--- Systemd::Unit[prometheus_lvs_realserver_mss.service].orig\n+++ Systemd::Unit[prometheus_lvs_realserver_mss.service]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => prometheus_lvs_realserver_mss.service\n"}, {"resource": "K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]", "parameters": "--- K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig].orig\n+++ K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]\n\n+ mode => 0400\n+ group => root\n+ require => ['File[/etc/cni/net.d]', 'Class[K8s::Base_dirs]']\n+ username => istio-cni\n+ owner => root\n+ ensure => absent\n+ auth_cert => {'cert': '/etc/kubernetes/pki/dse__istio-cni.pem', 'key': '/etc/kubernetes/pki/dse__istio-cni-key.pem', 'chain': '/etc/kubernetes/pki/dse__istio-cni.chain.pem', 'chained': '/etc/kubernetes/pki/dse__istio-cni.chained.pem'}\n+ master_host => dse-k8s-ctrl.svc.codfw.wmnet\n"}, {"resource": "File[/etc/rsyslog.d/00-imfile.conf]", "content": "--- /etc/rsyslog.d/00-imfile.conf.orig\n+++ /etc/rsyslog.d/00-imfile.conf\n@@ -0,0 +1 @@\n+module(load=\"imfile\")", "parameters": "--- File[/etc/rsyslog.d/00-imfile.conf].orig\n+++ File[/etc/rsyslog.d/00-imfile.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Class[Lvm]", "parameters": "--- Class[Lvm].orig\n+++ Class[Lvm]\n\n+ volume_groups => {'vg_raid0': {'createonly': True, 'physical_volumes': {'/dev/md1': {'unless_vg': 'vg_raid0'}}, 'logical_volumes': {'srv': {'size': '10G', 'fs_type': 'ext4', 'mountpath': '/srv'}}}}\n+ package_ensure => installed\n+ manage_pkg => False\n"}, {"resource": "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "content": "--- /etc/ferm/conf.d/10_clamp-mss-ipv4.orig\n+++ /etc/ferm/conf.d/10_clamp-mss-ipv4\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_clamp-mss-ipv4: \n+\n+domain (ip) {\n+\ttable filter {\n+\t\tchain OUTPUT {\n+\t\t\touterface (ens2f0np0 lo) saddr @ipfilter(10.2.1.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1440;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_clamp-mss-ipv4].orig\n+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv4]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => absent\n+ tag => ferm\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => kube\n"}, {"resource": "Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ trust_repo => False\n+ allow_releaseinfo_change => False\n+ keyfile => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg\n+ bin => True\n+ ensure => present\n+ source => True\n+ dist => bookworm-wikimedia\n+ components => component/istio115\n"}, {"resource": "Exec[disable-rp-filter-ipip0]", "parameters": "--- Exec[disable-rp-filter-ipip0].orig\n+++ Exec[disable-rp-filter-ipip0]\n\n+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ipip0.rp_filter |grep -- '0'\n+ command => /usr/sbin/sysctl -q net.ipv4.conf.ipip0.rp_filter=0\n+ require => Interface::Ipip[ipip_ipv4]\n"}, {"resource": "File[/etc/cfssl/csr/dse__calicoctl.csr]", "content": "--- /etc/cfssl/csr/dse__calicoctl.csr.orig\n+++ /etc/cfssl/csr/dse__calicoctl.csr\n@@ -0,0 +1,13 @@\n+{\n+ \"CN\": \"calicoctl\",\n+ \"hosts\": [\n+ \"calicoctl\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__calicoctl.csr].orig\n+++ File[/etc/cfssl/csr/dse__calicoctl.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "parameters": "--- Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig\n+++ Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]\n\n+ mode => 0444\n+ group => root\n+ ensure_newline => False\n+ owner => root\n+ tag => _etc_apt_sources.list.d_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ format => plain\n+ show_diff => True\n+ force => False\n+ backup => puppet\n+ replace => True\n+ order => alpha\n"}, {"resource": "File[/etc/containerd/config.toml]", "content": "--- /etc/containerd/config.toml.orig\n+++ /etc/containerd/config.toml\n@@ -0,0 +1,43 @@\n+# SPDX-License-Identifier: Apache-2.0\n+# This is based on the config shipped with the containerd package in Debian (1.6.20~ds1-1+b1)\n+#\n+# All possible config values including their defaults can be found by running:\n+# containerd config default\n+version = 2\n+\n+[plugins]\n+ [plugins.\"io.containerd.grpc.v1.cri\"]\n+ # Define our sandbox image\n+ sandbox_image = \"docker-registry.discovery.wmnet/pause:3.6-1\"\n+ # max_container_log_line_size is the maximum log line size in bytes for a container.\n+ # Log line longer than the limit will be split into multiple lines. -1 means no\n+ # limit.\n+ max_container_log_line_size = -1\n+ # By default docker does set net.ipv4.ip_unprivileged_port_start=0 allowing containers to bind to ports\n+ # below 1024 without explicit NET_BIND_SERVICE capability.\n+ # It also sets net.ipv4.ping_group_range=\"0 2147483647\", allowing ICMP sockets without CAP_NET_RAW.\n+ # The following two options ensure compatibility with current workloads.\n+ #\n+ # enable_unprivileged_ports configures net.ipv4.ip_unprivileged_port_start=0\n+ # for all containers which are not using host network and if it is not overwritten by PodSandboxConfig\n+ # Note that currently default is set to disabled but target change it in future, see:\n+ # https://github.com/kubernetes/kubernetes/issues/102612\n+ enable_unprivileged_ports = true\n+ # enable_unprivileged_icmp configures net.ipv4.ping_group_range=\"0 2147483647\"\n+ # for all containers which are not using host network, are not running in user namespace and if it is not\n+ # overwritten by PodSandboxConfig.\n+ # Note that currently default is set to disabled but target change it in future together with enable_unprivileged_ports\n+ enable_unprivileged_icmp = true\n+ [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runc]\n+ # Re-define the runtime type as defining runc.options would shadow the default setting.\n+ # Without this kubelet will fail to run containers with the following error:\n+ # failed to create containerd container: create container failed validation: container.Runtime.Name must be set: invalid argument\n+ runtime_type = \"io.containerd.runc.v2\"\n+ [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runc.options]\n+ # With cgroup v2 we need to use the systemd cgroup driver\n+ SystemdCgroup = true\n+ # If dragonfly is enabled, configure the local dfget as registry mirror\n+ # https://d7y.io/docs/v2.0.2/setup/runtime/containerd/mirror\n+ [plugins.\"io.containerd.internal.v1.opt\"]\n+ # Debian overrides path from /opt/containerd\n+ path = \"/var/lib/containerd/opt\"", "parameters": "--- File[/etc/containerd/config.toml].orig\n+++ File[/etc/containerd/config.toml]\n\n+ mode => 0440\n+ notify => Service[containerd]\n+ group => root\n+ owner => root\n+ ensure => file\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calicoctl.chain.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => root\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => file\n"}, {"resource": "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "parameters": "--- File[/usr/local/bin/prometheus-lvs-realserver-mss].orig\n+++ File[/usr/local/bin/prometheus-lvs-realserver-mss]\n\n+ mode => 0555\n+ group => root\n+ owner => root\n+ source => puppet:///modules/prometheus/usr/local/bin/prometheus-lvs-realserver-mss.py\n+ ensure => absent\n"}, {"resource": "Nrpe::Check[check_check_tcp-mss-clamper_status]", "parameters": "--- Nrpe::Check[check_check_tcp-mss-clamper_status].orig\n+++ Nrpe::Check[check_check_tcp-mss-clamper_status]\n\n+ before => Monitoring::Service[check_tcp-mss-clamper_status]\n+ ensure => absent\n+ command => /usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper\n"}, {"resource": "File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "parameters": "--- File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list].orig\n+++ File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Class[Toil::Rsyslog_imfile_remedy]", "parameters": "--- Class[Toil::Rsyslog_imfile_remedy].orig\n+++ Class[Toil::Rsyslog_imfile_remedy]\n\n+ period_hours => 3\n+ ensure => present\n"}, {"resource": "Interface::Post_up_command[clsact_ens2f0np0]", "parameters": "--- Interface::Post_up_command[clsact_ens2f0np0].orig\n+++ Interface::Post_up_command[clsact_ens2f0np0]\n\n+ command => /usr/sbin/tc qdisc add dev ens2f0np0 clsact\n+ ensure => absent\n+ interface => ens2f0np0\n"}, {"resource": "File[/etc/calico/calicoctl-kubeconfig]", "content": "--- /etc/calico/calicoctl-kubeconfig.orig\n+++ /etc/calico/calicoctl-kubeconfig\n@@ -0,0 +1,18 @@\n+apiVersion: v1\n+kind: Config\n+preferences: {}\n+current-context: default-system\n+contexts:\n+- name: default-system\n+ context:\n+ cluster: default-cluster\n+ user: calicoctl\n+clusters:\n+- name: default-cluster\n+ cluster:\n+ server: https://dse-k8s-ctrl.svc.codfw.wmnet:6443\n+users:\n+- name: calicoctl\n+ user:\n+ client-certificate: /etc/kubernetes/pki/dse__calicoctl.pem\n+ client-key: /etc/kubernetes/pki/dse__calicoctl-key.pem", "parameters": "--- File[/etc/calico/calicoctl-kubeconfig].orig\n+++ File[/etc/calico/calicoctl-kubeconfig]\n\n+ mode => 0400\n+ ensure => present\n+ group => root\n+ owner => root\n"}, {"resource": "Nrpe::Monitor_service[disk_space]", "parameters": "--- Nrpe::Monitor_service[disk_space].orig\n+++ Nrpe::Monitor_service[disk_space]\n\n@@\n- nrpe_command => /usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+ nrpe_command => /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => kube\n+ backup => False\n+ ensure => file\n"}, {"resource": "File[/usr/local/sbin/set-rbd-readahead.py]", "parameters": "--- File[/usr/local/sbin/set-rbd-readahead.py].orig\n+++ File[/usr/local/sbin/set-rbd-readahead.py]\n\n+ mode => 0755\n+ group => root\n+ owner => root\n+ source => puppet:///modules/profile/kubernetes/node/dse_k8s/set-rbd-readahead.py\n+ ensure => absent\n"}, {"resource": "Logrotate::Conf[rsyslog-release-deleted-inotify-watches]", "parameters": "--- Logrotate::Conf[rsyslog-release-deleted-inotify-watches].orig\n+++ Logrotate::Conf[rsyslog-release-deleted-inotify-watches]\n\n+ ensure => absent\n"}, {"resource": "File[/etc/nerdctl]", "parameters": "--- File[/etc/nerdctl].orig\n+++ File[/etc/nerdctl]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[ip link add name ipip60 type ip6tnl external]", "parameters": "--- Exec[ip link add name ipip60 type ip6tnl external].orig\n+++ Exec[ip link add name ipip60 type ip6tnl external]\n\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip60\n+ returns => [0, 2]\n"}, {"resource": "Systemd::Timer[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Timer[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Timer[prometheus_lvs_realserver_mss]\n\n+ splay => 0\n+ accuracy => 15sec\n+ unit_name => prometheus_lvs_realserver_mss.service\n+ fixed_random_delay => False\n+ ensure => absent\n+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'minutely'}]\n"}, {"resource": "Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "parameters": "--- Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig\n+++ Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]\n\n+ mode => 0444\n+ notify => Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n+ group => root\n+ ensure_newline => False\n+ owner => root\n+ ensure => present\n+ warn => False\n+ path => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ format => plain\n+ show_diff => True\n+ force => False\n+ backup => puppet\n+ replace => True\n+ order => alpha\n"}, {"resource": "Apt::Package_from_component[istio115]", "parameters": "--- Apt::Package_from_component[istio115].orig\n+++ Apt::Package_from_component[istio115]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ packages => {'istio-cni': 'absent'}\n+ distro => bookworm-wikimedia\n+ component => component/istio115\n+ ensure => present\n+ ensure_packages => True\n+ priority => 1001\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]\n\n+ hosts => []\n+ names => [{'organisation': 'system:nodes'}]\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => system:node:dse-k8s-wdqs-test2001.codfw.wmnet\n"}, {"resource": "Package[nerdctl]", "parameters": "--- Package[nerdctl].orig\n+++ Package[nerdctl]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "content": "--- /etc/ferm/conf.d/10_clamp-mss-ipv6.orig\n+++ /etc/ferm/conf.d/10_clamp-mss-ipv6\n@@ -0,0 +1,11 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# 10_clamp-mss-ipv6: \n+\n+domain (ip6) {\n+\ttable filter {\n+\t\tchain OUTPUT {\n+\t\t\touterface (ens2f0np0 lo) saddr @ipfilter(10.2.1.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1400;\n+\t\t}\n+\t}\n+}", "parameters": "--- File[/etc/ferm/conf.d/10_clamp-mss-ipv6].orig\n+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv6]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => absent\n+ tag => ferm\n"}, {"resource": "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "parameters": "--- Exec[/usr/sbin/tc qdisc del dev lo clsact].orig\n+++ Exec[/usr/sbin/tc qdisc del dev lo clsact]\n\n+ onlyif => /usr/sbin/tc qdisc show dev lo | grep -q clsact\n"}, {"resource": "Group[kube]", "parameters": "--- Group[kube].orig\n+++ Group[kube]\n\n+ ensure => present\n+ system => True\n"}, {"resource": "Cfssl::Cert[dse__calicoctl]", "parameters": "--- Cfssl::Cert[dse__calicoctl].orig\n+++ Cfssl::Cert[dse__calicoctl]\n\n+ mode => 0740\n+ group => root\n+ provide_chain => True\n+ owner => root\n+ ensure => present\n+ hosts => []\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ names => []\n+ label => dse\n+ auto_renew => True\n+ notify_services => []\n+ renew_seconds => 952200\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ outdir => /etc/kubernetes/pki\n+ common_name => calicoctl\n"}, {"resource": "Exec[ip link set up dev ipip60]", "parameters": "--- Exec[ip link set up dev ipip60].orig\n+++ Exec[ip link set up dev ipip60]\n\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip60 | grep -q UP\n+ returns => [0, 2]\n"}, {"resource": "Package[tcp-mss-clamper]", "parameters": "--- Package[tcp-mss-clamper].orig\n+++ Package[tcp-mss-clamper]\n\n+ ensure => absent\n+ provider => apt\n"}, {"resource": "Monitoring::Exported_nagios_host[dse-k8s-wdqs-test2001]", "parameters": "--- Monitoring::Exported_nagios_host[dse-k8s-wdqs-test2001].orig\n+++ Monitoring::Exported_nagios_host[dse-k8s-wdqs-test2001]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- hostgroups => insetup_codfw,lsw1-a7-codfw\n+ hostgroups => dse_k8s_codfw,lsw1-a7-codfw\n"}, {"resource": "Ferm::Service[calico_typha]", "parameters": "--- Ferm::Service[calico_typha].orig\n+++ Ferm::Service[calico_typha]\n\n+ src_sets => ['DOMAIN_NETWORKS']\n+ ensure => present\n+ notrack => False\n+ prio => 10\n+ desc => \n+ proto => tcp\n+ unrestricted_access => False\n+ port => 5473\n"}, {"resource": "File[/lib/systemd/system/prometheus_ferm_mss.service]", "content": "--- /lib/systemd/system/prometheus_ferm_mss.service.orig\n+++ /lib/systemd/system/prometheus_ferm_mss.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Regular job to collect MSS values of ferm-based hosts\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/prometheus-ferm-mss -o /var/lib/prometheus/node.d/ferm-mss.prom -e 10.2.1.91:30443", "parameters": "--- File[/lib/systemd/system/prometheus_ferm_mss.service].orig\n+++ File[/lib/systemd/system/prometheus_ferm_mss.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ command => /usr/bin/apt-get update \n+ refreshonly => True\n"}, {"resource": "Sysctl::Parameters[ipv6-fowarding-accept-ra]", "parameters": "--- Sysctl::Parameters[ipv6-fowarding-accept-ra].orig\n+++ Sysctl::Parameters[ipv6-fowarding-accept-ra]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ values => {'net.ipv6.conf.all.forwarding': 1, 'net.ipv6.conf.ens2f0np0.accept_ra': 2}\n+ priority => 70\n"}, {"resource": "Kmod::Blacklist[wmf_overlay]", "parameters": "--- Kmod::Blacklist[wmf_overlay].orig\n+++ Kmod::Blacklist[wmf_overlay]\n\n@@\n- modules => ['overlayfs', 'overlay']\n+ modules => []\n@@\n- ensure => present\n+ ensure => absent\n"}, {"resource": "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "parameters": "--- Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig\n+++ Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]\n\n+ source => puppet:///modules/apt/sources-deb822-header.txt\n+ tag => _etc_apt_sources.list.d_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ order => 01\n+ target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Systemd::Syslog[set-rbd-readahead]", "parameters": "--- Systemd::Syslog[set-rbd-readahead].orig\n+++ Systemd::Syslog[set-rbd-readahead]\n\n+ group => root\n+ force_stop => False\n+ log_filename => syslog.log\n+ owner => root\n+ ensure => absent\n+ base_dir => /var/log\n+ readable_by => all\n+ programname_comparison => startswith\n"}, {"resource": "Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "parameters": "--- Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources].orig\n+++ Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]\n\n+ mode => 0444\n+ notify => Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n+ group => root\n+ ensure_newline => False\n+ owner => root\n+ ensure => present\n+ warn => False\n+ path => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ format => plain\n+ show_diff => True\n+ force => False\n+ backup => puppet\n+ replace => True\n+ order => alpha\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_disk_space.cfg]", "content": "--- /etc/nagios/nrpe.d/check_disk_space.cfg.orig\n+++ /etc/nagios/nrpe.d/check_disk_space.cfg\n@@ -1,2 +1,2 @@\n # File generated by puppet. DO NOT edit by hand\n-command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs"}, {"resource": "Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "parameters": "--- Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ trust_repo => False\n+ allow_releaseinfo_change => False\n+ keyfile => puppet:///modules/install_server/autoinstall/keyring/wikimedia-archive-keyring.gpg\n+ bin => True\n+ ensure => present\n+ source => True\n+ dist => bookworm-wikimedia\n+ components => component/kubernetes131\n"}, {"resource": "Ferm::Rule[ipip]", "parameters": "--- Ferm::Rule[ipip].orig\n+++ Ferm::Rule[ipip]\n\n+ table => filter\n+ prio => 10\n+ domain => (ip)\n+ desc => \n+ ensure => present\n+ chain => INPUT\n+ rule => saddr 172.16.0.0/12 proto ipencap ACCEPT;\n"}, {"resource": "File[/etc/nerdctl/nerdctl.toml]", "content": "--- /etc/nerdctl/nerdctl.toml.orig\n+++ /etc/nerdctl/nerdctl.toml\n@@ -0,0 +1,5 @@\n+# SPDX-License-Identifier: Apache-2.0\n+#\n+# For documentation of the available options, see:\n+# https://github.com/containerd/nerdctl/blob/main/docs/config.md\n+namespace = \"k8s.io\"", "parameters": "--- File[/etc/nerdctl/nerdctl.toml].orig\n+++ File[/etc/nerdctl/nerdctl.toml]\n\n+ mode => 0644\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Systemd::Unit[rsyslog-imfile-remedy.timer]", "parameters": "--- Systemd::Unit[rsyslog-imfile-remedy.timer].orig\n+++ Systemd::Unit[rsyslog-imfile-remedy.timer]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => present\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => rsyslog-imfile-remedy.timer\n"}, {"resource": "File[/etc/cfssl/csr/dse__kubelet_server.csr]", "content": "--- /etc/cfssl/csr/dse__kubelet_server.csr.orig\n+++ /etc/cfssl/csr/dse__kubelet_server.csr\n@@ -0,0 +1,17 @@\n+{\n+ \"CN\": \"kubelet\",\n+ \"hosts\": [\n+ \"dse-k8s-wdqs-test2001\",\n+ \"dse-k8s-wdqs-test2001.codfw.wmnet\",\n+ \"10.192.9.26\",\n+ \"2620:0:860:10a:10:192:9:26\",\n+ \"kubelet\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__kubelet_server.csr].orig\n+++ File[/etc/cfssl/csr/dse__kubelet_server.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem].orig\n+++ Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]\n\n+ unless => /usr/bin/test \"$(/bin/cat /etc/kubernetes/pki/dse__calicoctl.pem /etc/kubernetes/pki/dse__calicoctl.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kubernetes/pki/dse__calicoctl.chained.pem | sha512sum)\"\n\n+ command => /bin/cat /etc/kubernetes/pki/dse__calicoctl.pem /etc/kubernetes/pki/dse__calicoctl.chain.pem > /etc/kubernetes/pki/dse__calicoctl.chained.pem\n+ require => Exec[Generate cert dse__calicoctl refresh on intermediate ca change]\n+ subscribe => ['Exec[renew certificate - dse__calicoctl]', 'File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]', 'File[/etc/kubernetes/pki/dse__calicoctl.pem]']\n"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n- overlayfs => False\n+ overlayfs => True\n@@\n- use_linux612_on_bookworm => False\n+ use_linux612_on_bookworm => True\n@@\n- rp_filter => True\n+ rp_filter => {'all_rp_filter': 0, 'default_rp_filter': 1}\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "parameters": "--- File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list].orig\n+++ File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Service[rsyslog-imfile-remedy.timer]", "parameters": "--- Service[rsyslog-imfile-remedy.timer].orig\n+++ Service[rsyslog-imfile-remedy.timer]\n\n+ ensure => running\n+ enable => True\n+ provider => systemd\n"}, {"resource": "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem].orig\n+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "content": "--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer.orig\n+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer\n@@ -0,0 +1,14 @@\n+[Unit]\n+Description=Periodic execution of nrpe2nodexp-check_tcp-mss-clamper_status.service\n+\n+[Timer]\n+Unit=nrpe2nodexp-check_tcp-mss-clamper_status.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnUnitInactiveSec=5min\n+OnActiveSec=1s\n+RandomizedDelaySec=300\n+FixedRandomDelay=true\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig\n+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Motd::Message[dse_k8s::worker::wdqs]", "parameters": "--- Motd::Message[dse_k8s::worker::wdqs].orig\n+++ Motd::Message[dse_k8s::worker::wdqs]\n\n+ message => dse-k8s-wdqs-test2001 is a DSE Kubernetes worker node - dedicated to wdqs (dse_k8s::worker::wdqs)\n+ ensure => present\n+ priority => 5\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calico-cni.chain.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => root\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => file\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calicoctl-key.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calicoctl-key.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calicoctl-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => root\n+ backup => False\n+ ensure => file\n"}, {"resource": "File[/etc/ferm/conf.d/10_calico_typha]", "content": "--- /etc/ferm/conf.d/10_calico_typha.orig\n+++ /etc/ferm/conf.d/10_calico_typha\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 5473, $DOMAIN_NETWORKS);\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_calico_typha].orig\n+++ File[/etc/ferm/conf.d/10_calico_typha]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => present\n+ tag => ferm\n"}, {"resource": "File[/etc/update-motd.d/05-insetup--data-platform-ferm]", "content": "--- /etc/update-motd.d/05-insetup--data-platform-ferm.orig\n+++ /etc/update-motd.d/05-insetup--data-platform-ferm\n@@ -1,2 +0,0 @@\n-#!/bin/sh\n-printf \"%s\\n\" \"dse-k8s-wdqs-test2001 is a Host being setup by Data Platform SREs (insetup::data_platform_ferm)\"", "parameters": "--- File[/etc/update-motd.d/05-insetup--data-platform-ferm].orig\n+++ File[/etc/update-motd.d/05-insetup--data-platform-ferm]\n\n- mode => 0555\n- ensure => present\n- group => root\n- owner => root\n"}, {"resource": "File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "parameters": "--- File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list].orig\n+++ File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]\n\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Systemd::Unit[kubelet-container-runtime]", "parameters": "--- Systemd::Unit[kubelet-container-runtime].orig\n+++ Systemd::Unit[kubelet-container-runtime]\n\n+ require => ['Class[Systemd]']\n+ override => True\n+ ensure => present\n+ override_filename => container-runtime\n+ restart => True\n+ unit => kubelet\n"}, {"resource": "Mount[/srv]", "parameters": "--- Mount[/srv].orig\n+++ Mount[/srv]\n\n+ atboot => True\n+ options => defaults\n+ pass => 2\n+ fstype => ext4\n+ ensure => mounted\n+ device => /dev/vg_raid0/srv\n+ dump => 0\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"data-platform\",role=\"insetup::data_platform_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"data-platform\",role=\"dse_k8s::worker::wdqs\",cluster=\"dse_k8s\"} 1.0"}, {"resource": "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "content": "--- component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.orig\n+++ component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia\n@@ -0,0 +1,5 @@\n+Types: deb deb-src\n+URIs: http://apt.wikimedia.org/wikimedia\n+Suites: bookworm-wikimedia\n+Components: component/calico329\n+Signed-By: /etc/apt/keyrings/wikimedia-archive-keyring.gpg", "parameters": "--- Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia].orig\n+++ Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n\n+ tag => _etc_apt_sources.list.d_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ order => 10\n+ target => /etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Interface::Ipip[ipip_ipv6]", "parameters": "--- Interface::Ipip[ipip_ipv6].orig\n+++ Interface::Ipip[ipip_ipv6]\n\n+ ensure => present\n+ interface => ipip60\n+ family => inet6\n"}, {"resource": "File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]", "content": "--- /etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf.orig\n+++ /etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf\n@@ -0,0 +1,10 @@\n+# rsyslog.conf(5) configuration file for services.\n+# This file is managed by Puppet.\n+if $programname startswith \"rsyslog-release-deleted-inotify-watches\" then {\n+ action(\n+ type=\"omfile\" file=\"/var/log/rsyslog-release-deleted-inotify-watches/syslog.log\"\n+ fileOwner=\"root\" fileGroup=\"root\"\n+ fileCreateMode=\"0644\"\n+ )\n+ & stop\n+}", "parameters": "--- File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf].orig\n+++ File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Systemd::Unit[prometheus_ferm_mss.timer]", "parameters": "--- Systemd::Unit[prometheus_ferm_mss.timer].orig\n+++ Systemd::Unit[prometheus_ferm_mss.timer]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => prometheus_ferm_mss.timer\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calicoctl.chained.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]\n\n+ ensure => file\n+ group => root\n+ require => Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]\n+ owner => root\n"}, {"resource": "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "parameters": "--- Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig\n+++ Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]\n\n+ source => puppet:///modules/apt/sources-deb822-header.txt\n+ tag => _etc_apt_sources.list.d_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ order => 01\n+ target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]", "parameters": "--- Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)].orig\n+++ Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Sysctl::Conffile[kube_proxy_conntrack]", "parameters": "--- Sysctl::Conffile[kube_proxy_conntrack].orig\n+++ Sysctl::Conffile[kube_proxy_conntrack]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ priority => 75\n"}, {"resource": "K8s::Kubeconfig[/etc/kubernetes/proxy.conf]", "parameters": "--- K8s::Kubeconfig[/etc/kubernetes/proxy.conf].orig\n+++ K8s::Kubeconfig[/etc/kubernetes/proxy.conf]\n\n+ mode => 0400\n+ group => kube\n+ require => ['Class[K8s::Base_dirs]']\n+ owner => kube\n+ username => default-proxy\n+ ensure => present\n+ auth_cert => {'cert': '/etc/kubernetes/pki/dse__system_kube-proxy.pem', 'key': '/etc/kubernetes/pki/dse__system_kube-proxy-key.pem', 'chain': '/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem', 'chained': '/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem'}\n+ master_host => dse-k8s-ctrl.svc.codfw.wmnet\n"}, {"resource": "File[/var/lib/kubelet]", "parameters": "--- File[/var/lib/kubelet].orig\n+++ File[/var/lib/kubelet]\n\n+ mode => 0700\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[disable-rp-filter-ipip60]", "parameters": "--- Exec[disable-rp-filter-ipip60].orig\n+++ Exec[disable-rp-filter-ipip60]\n\n+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ipip60.rp_filter |grep -- '0'\n+ command => /usr/sbin/sysctl -q net.ipv4.conf.ipip60.rp_filter=0\n+ require => Interface::Ipip[ipip_ipv6]\n"}, {"resource": "Systemd::Service[rsyslog-release-deleted-inotify-watches]", "parameters": "--- Systemd::Service[rsyslog-release-deleted-inotify-watches].orig\n+++ Systemd::Service[rsyslog-release-deleted-inotify-watches]\n\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]\n+ monitoring_contact_group => admins\n+ ensure => absent\n+ restart => False\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => False\n"}, {"resource": "Class[Profile::Rsyslog::Kubernetes]", "parameters": "--- Class[Profile::Rsyslog::Kubernetes].orig\n+++ Class[Profile::Rsyslog::Kubernetes]\n\n+ kubernetes_cluster_name => dse-k8s-codfw\n+ kafka_brokers => ['kafka-logging1001.eqiad.wmnet:9093', 'kafka-logging1002.eqiad.wmnet:9093', 'kafka-logging1003.eqiad.wmnet:9093', 'kafka-logging1004.eqiad.wmnet:9093', 'kafka-logging1005.eqiad.wmnet:9093']\n+ enable => True\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ssh].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ssh]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "parameters": "--- Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet].orig\n+++ Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]\n\n+ mode => 0740\n+ group => root\n+ provide_chain => True\n+ owner => kube\n+ ensure => present\n+ hosts => []\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ names => [{'organisation': 'system:nodes'}]\n+ label => dse\n+ auto_renew => True\n+ notify_services => ['kubelet']\n+ renew_seconds => 952200\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ outdir => /etc/kubernetes/pki\n+ common_name => system:node:dse-k8s-wdqs-test2001.codfw.wmnet\n"}, {"resource": "File[/etc/kubernetes/pki/dse__istio-cni.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__istio-cni.pem].orig\n+++ File[/etc/kubernetes/pki/dse__istio-cni.pem]\n\n+ mode => 0440\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]", "content": "--- /etc/rsyslog.d/08-input-file-kubernetes-json.conf.orig\n+++ /etc/rsyslog.d/08-input-file-kubernetes-json.conf\n@@ -0,0 +1,8 @@\n+# This file managed by puppet rsyslog::input::file\n+\n+input(type=\"imfile\"\n+ File=\"/var/log/containers/*.log\"\n+ reopenOnTruncate=\"on\"\n+ addMetadata=\"on\"\n+ addCeeTag=\"on\"\n+ Tag=\"input-file-kubernetes\")", "parameters": "--- File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf].orig\n+++ File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]\n\n+ mode => 0444\n+ notify => Service[rsyslog]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]", "parameters": "--- Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr].orig\n+++ Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]\n\n+ hosts => []\n+ names => [{'organisation': 'view'}]\n+ ensure => present\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ common_name => rsyslog\n"}, {"resource": "Systemd::Syslog[rsyslog-release-deleted-inotify-watches]", "parameters": "--- Systemd::Syslog[rsyslog-release-deleted-inotify-watches].orig\n+++ Systemd::Syslog[rsyslog-release-deleted-inotify-watches]\n\n+ group => root\n+ force_stop => True\n+ log_filename => syslog.log\n+ owner => root\n+ ensure => absent\n+ base_dir => /var/log\n+ readable_by => all\n+ programname_comparison => startswith\n"}, {"resource": "File[/etc/kubernetes/pki/dse__istio-cni-key.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__istio-cni-key.pem].orig\n+++ File[/etc/kubernetes/pki/dse__istio-cni-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => root\n+ backup => False\n+ ensure => absent\n"}, {"resource": "Cfssl::Cert[dse__kubelet_server]", "parameters": "--- Cfssl::Cert[dse__kubelet_server].orig\n+++ Cfssl::Cert[dse__kubelet_server]\n\n+ mode => 0740\n+ group => root\n+ provide_chain => True\n+ owner => kube\n+ hosts => ['dse-k8s-wdqs-test2001', 'dse-k8s-wdqs-test2001.codfw.wmnet', '10.192.9.26', '2620:0:860:10a:10:192:9:26']\n+ ensure => present\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ names => []\n+ label => dse\n+ auto_renew => True\n+ profile => server\n+ notify_services => ['kubelet']\n+ renew_seconds => 952200\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ outdir => /etc/kubernetes/pki\n+ common_name => kubelet\n"}, {"resource": "Class[Profile::Calico::Kubernetes]", "parameters": "--- Class[Profile::Calico::Kubernetes].orig\n+++ Class[Profile::Calico::Kubernetes]\n\n+ kubernetes_cluster_name => dse-k8s-codfw\n"}, {"resource": "File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]", "content": "--- /etc/update-motd.d/05-dse-k8s--worker--wdqs.orig\n+++ /etc/update-motd.d/05-dse-k8s--worker--wdqs\n@@ -0,0 +1,2 @@\n+#!/bin/sh\n+printf \"%s\\n\" \"dse-k8s-wdqs-test2001 is a DSE Kubernetes worker node - dedicated to wdqs (dse_k8s::worker::wdqs)\"", "parameters": "--- File[/etc/update-motd.d/05-dse-k8s--worker--wdqs].orig\n+++ File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]\n\n+ mode => 0555\n+ ensure => present\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[renew certificate - dse__system_kube-proxy]", "parameters": "--- Exec[renew certificate - dse__system_kube-proxy].orig\n+++ Exec[renew certificate - dse__system_kube-proxy]\n\n+ unless => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_kube-proxy.pem -checkend 952200\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kube-proxy]']\n+ require => Exec[Generate cert dse__system_kube-proxy]\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/kubernetes/pki/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy\n\n"}, {"resource": "Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "parameters": "--- Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet].orig\n+++ Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]\n\n+ unless => /usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem -checkend 952200\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ require => Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]\n+ command => /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet\n\n"}, {"resource": "File[/usr/local/bin/prometheus-ferm-mss]", "parameters": "--- File[/usr/local/bin/prometheus-ferm-mss].orig\n+++ File[/usr/local/bin/prometheus-ferm-mss]\n\n+ mode => 0555\n+ group => root\n+ owner => root\n+ source => puppet:///modules/prometheus/usr/local/bin/prometheus-ferm-mss.py\n+ ensure => absent\n"}, {"resource": "Exec[Generate cert dse__system_kube-proxy refresh]", "parameters": "--- Exec[Generate cert dse__system_kube-proxy refresh].orig\n+++ Exec[Generate cert dse__system_kube-proxy refresh]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kube-proxy]']\n+ refreshonly => True\n+ subscribe => File[/etc/cfssl/csr/dse__system_kube-proxy.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__system_kube-proxy.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__system_kube-proxy\n\n"}, {"resource": "Lvm::Volume_group[vg_raid0]", "parameters": "--- Lvm::Volume_group[vg_raid0].orig\n+++ Lvm::Volume_group[vg_raid0]\n\n+ followsymlinks => False\n+ physical_volumes => {'/dev/md1': {'unless_vg': 'vg_raid0'}}\n+ logical_volumes => {'srv': {'size': '10G', 'fs_type': 'ext4', 'mountpath': '/srv'}}\n+ createonly => True\n+ ensure => present\n"}, {"resource": "Sysctl::Parameters[increase_inotify_limits]", "parameters": "--- Sysctl::Parameters[increase_inotify_limits].orig\n+++ Sysctl::Parameters[increase_inotify_limits]\n\n+ no_priority_prefix => False\n+ ensure => present\n+ values => {'fs.inotify.max_user_watches': 32768, 'fs.inotify.max_user_instances': 512}\n+ priority => 70\n"}, {"resource": "File[/etc/kubernetes/pki/dse__kubelet_server.csr]", "parameters": "--- File[/etc/kubernetes/pki/dse__kubelet_server.csr].orig\n+++ File[/etc/kubernetes/pki/dse__kubelet_server.csr]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => kube\n"}, {"resource": "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "parameters": "--- Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig\n+++ Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]\n\n+ source => puppet:///modules/apt/sources-deb822-header.txt\n+ tag => _etc_apt_sources.list.d_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n+ order => 01\n+ target => /etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Exec[disable-rp-filter-ens2f0np0]", "parameters": "--- Exec[disable-rp-filter-ens2f0np0].orig\n+++ Exec[disable-rp-filter-ens2f0np0]\n\n+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ens2f0np0.rp_filter |grep -- '0'\n+ command => /usr/sbin/sysctl -q net.ipv4.conf.ens2f0np0.rp_filter=0\n"}, {"resource": "Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "parameters": "--- Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem].orig\n+++ Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]\n\n+ unless => /usr/bin/test \"$(/bin/cat /etc/kubernetes/pki/dse__kubelet_server.pem /etc/kubernetes/pki/dse__kubelet_server.chain.pem | sha512sum)\" == \"$(/bin/cat /etc/kubernetes/pki/dse__kubelet_server.chained.pem | sha512sum)\"\n\n+ notify => ['Service[kubelet]']\n+ require => Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]\n+ subscribe => ['Exec[renew certificate - dse__kubelet_server]', 'File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]', 'File[/etc/kubernetes/pki/dse__kubelet_server.pem]']\n+ command => /bin/cat /etc/kubernetes/pki/dse__kubelet_server.pem /etc/kubernetes/pki/dse__kubelet_server.chain.pem > /etc/kubernetes/pki/dse__kubelet_server.chained.pem\n"}, {"resource": "Class[Calico]", "parameters": "--- Class[Calico].orig\n+++ Class[Calico]\n\n+ calicoctl_username => calicoctl\n+ master_fqdn => dse-k8s-ctrl.svc.codfw.wmnet\n+ version => 3.29\n+ auth_cert => {'cert': '/etc/kubernetes/pki/dse__calicoctl.pem', 'key': '/etc/kubernetes/pki/dse__calicoctl-key.pem', 'chain': '/etc/kubernetes/pki/dse__calicoctl.chain.pem', 'chained': '/etc/kubernetes/pki/dse__calicoctl.chained.pem'}\n"}, {"resource": "Exec[ip link add name ipip0 type ipip external]", "parameters": "--- Exec[ip link add name ipip0 type ipip external].orig\n+++ Exec[ip link add name ipip0 type ipip external]\n\n+ path => /bin:/usr/bin\n+ unless => ip link show ipip0\n+ returns => [0, 2]\n"}, {"resource": "Systemd::Service[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Service[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Service[prometheus_lvs_realserver_mss]\n\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[prometheus_lvs_realserver_mss.service]\n+ monitoring_contact_group => admins\n+ ensure => absent\n+ restart => False\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => False\n"}, {"resource": "Class[Profile::Amd_gpu]", "parameters": "--- Class[Profile::Amd_gpu].orig\n+++ Class[Profile::Amd_gpu]\n\n+ kubernetes_cluster_name => dse-k8s-codfw\n+ enable_opt_rocm_env => False\n+ is_basic_gpu_node => False\n+ firmwares_from_bpo => False\n+ use_rocm_amd_smi => False\n+ is_kubernetes_node => False\n"}, {"resource": "File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__kubelet_server-key.pem].orig\n+++ File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => kube\n+ backup => False\n+ ensure => file\n"}, {"resource": "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]", "content": "--- /lib/systemd/system/rsyslog-release-deleted-inotify-watches.service.orig\n+++ /lib/systemd/system/rsyslog-release-deleted-inotify-watches.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Restart rsyslog to release inotify watches of deleted container logs\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/sbin/rsyslog-release-deleted-inotify-watches", "parameters": "--- File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service].orig\n+++ File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Exec[Generate cert dse__calicoctl]", "parameters": "--- Exec[Generate cert dse__calicoctl].orig\n+++ Exec[Generate cert dse__calicoctl]\n\n+ unless => /usr/bin/test \"$(/usr/bin/openssl x509 -in /etc/kubernetes/pki/dse__calicoctl.pem -noout -pubkey 2>&1)\" == \"$(/usr/bin/openssl pkey -pubout -in /etc/kubernetes/pki/dse__calicoctl-key.pem 2>&1)\"\n\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]\n"}, {"resource": "File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]", "parameters": "--- File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf].orig\n+++ File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]\n\n+ mode => 0444\n+ group => root\n+ notify => Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]\n+ owner => root\n+ source => puppet:///modules/profile/kubernetes/node/ferm_systemd_override\n+ ensure => present\n"}, {"resource": "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem].orig\n+++ File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem]\n\n+ ensure => file\n+ group => root\n+ require => Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]\n+ owner => kube\n"}, {"resource": "File[/etc/calico/pki]", "parameters": "--- File[/etc/calico/pki].orig\n+++ File[/etc/calico/pki]\n\n+ mode => 0755\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "Apt::Package_from_component[kubernetes131]", "parameters": "--- Apt::Package_from_component[kubernetes131].orig\n+++ Apt::Package_from_component[kubernetes131]\n\n+ uri => http://apt.wikimedia.org/wikimedia\n+ packages => []\n+ distro => bookworm-wikimedia\n+ component => component/kubernetes131\n+ ensure => present\n+ ensure_packages => True\n+ priority => 1001\n"}, {"resource": "Exec[Generate cert dse__rsyslog refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert dse__rsyslog refresh on intermediate ca change].orig\n+++ Exec[Generate cert dse__rsyslog refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[rsyslog]']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]\n+ refreshonly => True\n+ subscribe => File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__rsyslog.csr | /usr/bin/cfssljson -bare /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog\n\n"}, {"resource": "Systemd::Syslog[prometheus_lvs_realserver_mss]", "parameters": "--- Systemd::Syslog[prometheus_lvs_realserver_mss].orig\n+++ Systemd::Syslog[prometheus_lvs_realserver_mss]\n\n+ group => root\n+ force_stop => True\n+ log_filename => syslog.log\n+ owner => root\n+ ensure => absent\n+ base_dir => /var/log\n+ readable_by => all\n+ programname_comparison => startswith\n"}, {"resource": "Class[Base::Kernel]", "parameters": "--- Class[Base::Kernel].orig\n+++ Class[Base::Kernel]\n\n@@\n- overlayfs => False\n+ overlayfs => True\n"}, {"resource": "Exec[Generate cert dse__kubelet_server refresh]", "parameters": "--- Exec[Generate cert dse__kubelet_server refresh].orig\n+++ Exec[Generate cert dse__kubelet_server refresh]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ notify => ['Service[kubelet]']\n+ refreshonly => True\n+ subscribe => File[/etc/cfssl/csr/dse__kubelet_server.csr]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse -profile server /etc/cfssl/csr/dse__kubelet_server.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__kubelet_server\n\n"}, {"resource": "File[/lib/systemd/system/rsyslog-imfile-remedy.timer]", "content": "--- /lib/systemd/system/rsyslog-imfile-remedy.timer.orig\n+++ /lib/systemd/system/rsyslog-imfile-remedy.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of rsyslog-imfile-remedy.service\n+\n+[Timer]\n+Unit=rsyslog-imfile-remedy.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*-*-* 00/3:10:00\n+RandomizedDelaySec=30\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/rsyslog-imfile-remedy.timer].orig\n+++ File[/lib/systemd/system/rsyslog-imfile-remedy.timer]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]\n+ group => root\n+ owner => root\n+ ensure => present\n"}, {"resource": "Sysctl::Parameters[ubuntu defaults]", "parameters": "--- Sysctl::Parameters[ubuntu defaults].orig\n+++ Sysctl::Parameters[ubuntu defaults]\n\n@@\n- values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 1, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n+ values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 0, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 raid_md].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 raid_md]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "File[/etc/calico]", "parameters": "--- File[/etc/calico].orig\n+++ File[/etc/calico]\n\n+ mode => 0755\n+ ensure => directory\n+ group => root\n+ owner => root\n"}, {"resource": "Systemd::Service[set-rbd-readahead]", "parameters": "--- Systemd::Service[set-rbd-readahead].orig\n+++ Systemd::Service[set-rbd-readahead]\n\n+ unit_type => timer\n+ service_params => {}\n+ require => Systemd::Unit[set-rbd-readahead.service]\n+ monitoring_contact_group => admins\n+ ensure => absent\n+ restart => False\n+ migration_task => T407130\n+ monitoring_critical => False\n+ monitoring_enabled => False\n+ override => False\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 disk_space].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 disk_space]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "Augeas[ipip0_add_up]", "parameters": "--- Augeas[ipip0_add_up].orig\n+++ Augeas[ipip0_add_up]\n\n+ lens => Interfaces.lns\n+ onlyif => match up[. = 'ip link add name ipip0 type ipip external'] size == 0\n+ require => Interface::Manual[ipip_ipv4]\n+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']\n+ incl => /etc/network/interfaces\n+ changes => set up[last()+1] 'ip link add name ipip0 type ipip external'\n"}, {"resource": "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]", "parameters": "--- File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem].orig\n+++ File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]\n\n+ mode => 0440\n+ group => root\n+ show_diff => False\n+ owner => root\n+ backup => False\n+ ensure => file\n"}, {"resource": "File[/etc/kubernetes/pki/dse__istio-cni.csr]", "parameters": "--- File[/etc/kubernetes/pki/dse__istio-cni.csr].orig\n+++ File[/etc/kubernetes/pki/dse__istio-cni.csr]\n\n+ mode => 0440\n+ ensure => absent\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/ferm/conf.d/10_kubelet-http]", "content": "--- /etc/ferm/conf.d/10_kubelet-http.orig\n+++ /etc/ferm/conf.d/10_kubelet-http\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 10250, (@resolve((dse-k8s-ctrl2001.codfw.wmnet dse-k8s-ctrl2002.codfw.wmnet)) @resolve((dse-k8s-ctrl2001.codfw.wmnet dse-k8s-ctrl2002.codfw.wmnet), AAAA)));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_kubelet-http].orig\n+++ File[/etc/ferm/conf.d/10_kubelet-http]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => present\n+ tag => ferm\n"}, {"resource": "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "parameters": "--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)].orig\n+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "File[/etc/default/cpufrequtils]", "content": "--- /etc/default/cpufrequtils.orig\n+++ /etc/default/cpufrequtils\n@@ -0,0 +1 @@\n+GOVERNOR=performance", "parameters": "--- File[/etc/default/cpufrequtils].orig\n+++ File[/etc/default/cpufrequtils]\n\n+ group => root\n+ require => Package[cpufrequtils]\n+ owner => root\n"}, {"resource": "File[/etc/cfssl/csr/dse__calico-cni.csr]", "content": "--- /etc/cfssl/csr/dse__calico-cni.csr.orig\n+++ /etc/cfssl/csr/dse__calico-cni.csr\n@@ -0,0 +1,13 @@\n+{\n+ \"CN\": \"calico-cni\",\n+ \"hosts\": [\n+ \"calico-cni\"\n+ ],\n+ \"key\": {\n+ \"algo\": \"ecdsa\",\n+ \"size\": 256\n+ },\n+ \"names\": [\n+\n+ ]\n+}", "parameters": "--- File[/etc/cfssl/csr/dse__calico-cni.csr].orig\n+++ File[/etc/cfssl/csr/dse__calico-cni.csr]\n\n+ mode => 0400\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Ferm::Rule[clamp-mss-ipv6]", "parameters": "--- Ferm::Rule[clamp-mss-ipv6].orig\n+++ Ferm::Rule[clamp-mss-ipv6]\n\n+ table => filter\n+ prio => 10\n+ domain => (ip6)\n+ desc => \n+ ensure => absent\n+ chain => OUTPUT\n+ rule => outerface (ens2f0np0 lo) saddr @ipfilter(10.2.1.91) proto tcp sport (30443) tcp-flags (SYN) SYN TCPMSS set-mss 1400;\n"}, {"resource": "File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem].orig\n+++ File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]\n\n+ mode => 0440\n+ group => root\n+ owner => kube\n+ source => puppet:///modules/profile/pki/intermediates/dse-cert.pem\n+ ensure => file\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[cpufrequtils]', 'Package[apparmor]', 'Package[socat]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[wikimedia-lvs-realserver]', 'Package[tcp-mss-clamper]', 'Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']\n"}, {"resource": "Interface::Clsact[clsact_lo]", "parameters": "--- Interface::Clsact[clsact_lo].orig\n+++ Interface::Clsact[clsact_lo]\n\n+ ensure => absent\n+ interface => lo\n"}, {"resource": "Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "parameters": "--- Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header].orig\n+++ Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]\n\n+ source => puppet:///modules/apt/sources-deb822-header.txt\n+ order => 01\n+ target => /etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources\n"}, {"resource": "Augeas[ipip0_127.0.0.42/32]", "parameters": "--- Augeas[ipip0_127.0.0.42/32].orig\n+++ Augeas[ipip0_127.0.0.42/32]\n\n+ lens => Interfaces.lns\n+ onlyif => match up[. = 'ip addr add 127.0.0.42/32 dev ipip0'] size == 0\n+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']\n+ incl => /etc/network/interfaces\n+ changes => set up[last()+1] 'ip addr add 127.0.0.42/32 dev ipip0'\n"}, {"resource": "File[/etc/cni/net.d/calico-kubeconfig]", "content": "--- /etc/cni/net.d/calico-kubeconfig.orig\n+++ /etc/cni/net.d/calico-kubeconfig\n@@ -0,0 +1,18 @@\n+apiVersion: v1\n+kind: Config\n+preferences: {}\n+current-context: default-system\n+contexts:\n+- name: default-system\n+ context:\n+ cluster: default-cluster\n+ user: calico-cni\n+clusters:\n+- name: default-cluster\n+ cluster:\n+ server: https://dse-k8s-ctrl.svc.codfw.wmnet:6443\n+users:\n+- name: calico-cni\n+ user:\n+ client-certificate: /etc/kubernetes/pki/dse__calico-cni.pem\n+ client-key: /etc/kubernetes/pki/dse__calico-cni-key.pem", "parameters": "--- File[/etc/cni/net.d/calico-kubeconfig].orig\n+++ File[/etc/cni/net.d/calico-kubeconfig]\n\n+ mode => 0400\n+ ensure => present\n+ group => root\n+ owner => root\n"}, {"resource": "File[/etc/default/kube-proxy]", "content": "--- /etc/default/kube-proxy.orig\n+++ /etc/default/kube-proxy\n@@ -0,0 +1,7 @@\n+###\n+# Kubernetes proxy config.\n+\n+# default config should be adequate\n+\n+DAEMON_ARGS=\"--config=/etc/kubernetes/kube-proxy-config.yaml \\\n+ --v=0\"", "parameters": "--- File[/etc/default/kube-proxy].orig\n+++ File[/etc/default/kube-proxy]\n\n+ mode => 0644\n+ notify => Service[kube-proxy]\n+ group => root\n+ owner => root\n+ ensure => file\n"}, {"resource": "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "parameters": "--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)].orig\n+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]\n\n+ command => /bin/systemctl daemon-reload\n+ refreshonly => True\n"}, {"resource": "Cfssl::Cert[dse__rsyslog]", "parameters": "--- Cfssl::Cert[dse__rsyslog].orig\n+++ Cfssl::Cert[dse__rsyslog]\n\n+ mode => 0740\n+ label => dse\n+ provide_chain => True\n+ group => root\n+ auto_renew => True\n+ owner => root\n+ notify_services => ['rsyslog']\n+ ensure => present\n+ hosts => []\n+ renew_seconds => 952200\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ key => {'algo': 'ecdsa', 'size': 256}\n+ before_services => []\n+ names => [{'organisation': 'view'}]\n+ common_name => rsyslog\n"}, {"resource": "Augeas[ipip60_manual]", "parameters": "--- Augeas[ipip60_manual].orig\n+++ Augeas[ipip60_manual]\n\n+ lens => Interfaces.lns\n+ incl => /etc/network/interfaces\n+ context => /files/etc/network/interfaces\n+ changes => [\"set auto[./1 = 'ipip60']/1 'ipip60'\", \"set iface[. = 'ipip60'] 'ipip60'\", \"set iface[. = 'ipip60']/family 'inet6'\", \"set iface[. = 'ipip60']/method 'manual'\"]\n"}, {"resource": "Service[prometheus_ferm_mss.timer]", "parameters": "--- Service[prometheus_ferm_mss.timer].orig\n+++ Service[prometheus_ferm_mss.timer]\n\n+ before => ['Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]']\n+ ensure => stopped\n+ enable => False\n+ provider => systemd\n"}, {"resource": "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "content": "--- /lib/systemd/system/prometheus_lvs_realserver_mss.service.orig\n+++ /lib/systemd/system/prometheus_lvs_realserver_mss.service\n@@ -0,0 +1,8 @@\n+[Unit]\n+Description=Regular job to collect MSS values of realserver endpoints\n+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state\n+\n+[Service]\n+Type=oneshot\n+User=root\n+ExecStart=/usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e 10.2.1.91:30443", "parameters": "--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.service].orig\n+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calico-cni.chained.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]\n\n+ ensure => file\n+ group => root\n+ require => Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]\n+ owner => root\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n- nagios_group => insetup_codfw\n+ nagios_group => dse_k8s_codfw\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- nrpe_check_disk_options => -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+ nrpe_check_disk_options => -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Package[apparmor]", "parameters": "--- Package[apparmor].orig\n+++ Package[apparmor]\n\n+ ensure => installed\n+ provider => apt\n"}, {"resource": "Logrotate::Conf[prometheus_lvs_realserver_mss]", "parameters": "--- Logrotate::Conf[prometheus_lvs_realserver_mss].orig\n+++ Logrotate::Conf[prometheus_lvs_realserver_mss]\n\n+ ensure => absent\n"}, {"resource": "File[/etc/ferm/conf.d/10_calico-bird]", "content": "--- /etc/ferm/conf.d/10_calico-bird.orig\n+++ /etc/ferm/conf.d/10_calico-bird\n@@ -0,0 +1,6 @@\n+# Autogenerated by puppet. DO NOT EDIT BY HAND!\n+#\n+# \n+&R_SERVICE(tcp, 179, ($NETWORK_INFRA 10.192.9.1));\n+\n+", "parameters": "--- File[/etc/ferm/conf.d/10_calico-bird].orig\n+++ File[/etc/ferm/conf.d/10_calico-bird]\n\n+ mode => 0400\n+ group => root\n+ require => File[/etc/ferm/conf.d]\n+ notify => Service[ferm]\n+ owner => root\n+ ensure => present\n+ tag => ferm\n"}, {"resource": "Exec[/sbin/modprobe overlay]", "parameters": "--- Exec[/sbin/modprobe overlay].orig\n+++ Exec[/sbin/modprobe overlay]\n\n+ unless => /bin/lsmod | /bin/grep -q '^overlay '\n+ refreshonly => True\n"}, {"resource": "Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]", "parameters": "--- Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer].orig\n+++ Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]\n\n+ require => ['Class[Systemd]']\n+ override => False\n+ ensure => absent\n+ override_filename => puppet-override.conf\n+ restart => False\n+ unit => rsyslog-release-deleted-inotify-watches.timer\n"}, {"resource": "Exec[Generate cert dse__calicoctl refresh on intermediate ca change]", "parameters": "--- Exec[Generate cert dse__calicoctl refresh on intermediate ca change].orig\n+++ Exec[Generate cert dse__calicoctl refresh on intermediate ca change]\n\n+ environment => ['GODEBUG=x509ignoreCN=0']\n+ require => Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]\n+ refreshonly => True\n+ subscribe => File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]\n+ command => /usr/bin/cfssl gencert -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/certs/wmf-ca-certificates.crt -mutual-tls-client-cert /etc/cfssl/mutual_tls_client_cert.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/dse-k8s-wdqs-test2001.codfw.wmnet.pem -label dse /etc/cfssl/csr/dse__calicoctl.csr | /usr/bin/cfssljson -bare /etc/kubernetes/pki/dse__calicoctl\n\n"}, {"resource": "File[/lib/systemd/system/set-rbd-readahead.timer]", "content": "--- /lib/systemd/system/set-rbd-readahead.timer.orig\n+++ /lib/systemd/system/set-rbd-readahead.timer\n@@ -0,0 +1,12 @@\n+[Unit]\n+Description=Periodic execution of set-rbd-readahead.service\n+\n+[Timer]\n+Unit=set-rbd-readahead.service\n+# Accuracy sets the maximum time interval around the execution time we want to allow\n+AccuracySec=15sec\n+OnCalendar=*:0/5\n+RandomizedDelaySec=0\n+\n+[Install]\n+WantedBy=multi-user.target", "parameters": "--- File[/lib/systemd/system/set-rbd-readahead.timer].orig\n+++ File[/lib/systemd/system/set-rbd-readahead.timer]\n\n+ mode => 0444\n+ notify => Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]\n+ group => root\n+ owner => root\n+ ensure => absent\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ferm_active]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "File[/etc/kubernetes/pki/dse__calico-cni.pem]", "parameters": "--- File[/etc/kubernetes/pki/dse__calico-cni.pem].orig\n+++ File[/etc/kubernetes/pki/dse__calico-cni.pem]\n\n+ mode => 0440\n+ ensure => file\n+ group => root\n+ owner => root\n"}, {"resource": "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "parameters": "--- Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver].orig\n+++ Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]\n\n+ path => /bin:/sbin:/usr/bin:/usr/sbin\n+ subscribe => File[/etc/default/wikimedia-lvs-realserver]\n+ require => Package[wikimedia-lvs-realserver]\n+ refreshonly => True\n"}, {"resource": "Exec[apt_package_from_component_calico329]", "parameters": "--- Exec[apt_package_from_component_calico329].orig\n+++ Exec[apt_package_from_component_calico329]\n\n+ before => ['Package[calicoctl]', 'Package[calico-cni]']\n+ command => /usr/bin/apt-get update\n+ subscribe => Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]\n+ refreshonly => True\n"}, {"resource": "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "parameters": "--- Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer].orig\n+++ Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]\n\n+ before => ['Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]']\n+ ensure => stopped\n+ enable => False\n+ provider => systemd\n"}, {"resource": "File[/etc/modules-load.d/overlay.conf]", "content": "--- /etc/modules-load.d/overlay.conf.orig\n+++ /etc/modules-load.d/overlay.conf\n@@ -0,0 +1 @@\n+overlay", "parameters": "--- File[/etc/modules-load.d/overlay.conf].orig\n+++ File[/etc/modules-load.d/overlay.conf]\n\n+ mode => 0444\n+ notify => Exec[/sbin/modprobe overlay]\n+ group => root\n+ owner => root\n+ ensure => present\n"}], "perc_changed": "31.39%"}, "core": {"total": 2845, "only_in_self": ["File[/etc/update-motd.d/05-insetup--data-platform-ferm]"], "only_in_other": ["Augeas[ipip0_127.0.0.42/32]", "Augeas[ipip0_add_up]", "Augeas[ipip0_manual]", "Augeas[ipip0_set_up]", "Augeas[ipip60_add_up]", "Augeas[ipip60_manual]", "Augeas[ipip60_set_up]", "Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[/sbin/modprobe overlay]", "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]", "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "Exec[Generate cert dse__calico-cni refresh on intermediate ca change]", "Exec[Generate cert dse__calico-cni refresh]", "Exec[Generate cert dse__calico-cni]", "Exec[Generate cert dse__calicoctl refresh on intermediate ca change]", "Exec[Generate cert dse__calicoctl refresh]", "Exec[Generate cert dse__calicoctl]", "Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]", "Exec[Generate cert dse__kubelet_server refresh]", "Exec[Generate cert dse__kubelet_server]", "Exec[Generate cert dse__rsyslog refresh on intermediate ca change]", "Exec[Generate cert dse__rsyslog refresh]", "Exec[Generate cert dse__rsyslog]", "Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]", "Exec[Generate cert dse__system_kube-proxy refresh]", "Exec[Generate cert dse__system_kube-proxy]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Exec[apt_package_from_component_calico329]", "Exec[apt_package_from_component_istio115]", "Exec[apt_package_from_component_kubernetes131]", "Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]", "Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[cpufrequtils_reload]", "Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "Exec[disable-rp-filter-ens2f0np0]", "Exec[disable-rp-filter-ipip0]", "Exec[disable-rp-filter-ipip60]", "Exec[ensure mountpoint '/srv' exists]", "Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]", "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "Exec[ip link add name ipip0 type ipip external]", "Exec[ip link add name ipip60 type ip6tnl external]", "Exec[ip link set up dev ipip0]", "Exec[ip link set up dev ipip60]", "Exec[renew certificate - dse__calico-cni]", "Exec[renew certificate - dse__calicoctl]", "Exec[renew certificate - dse__kubelet_server]", "Exec[renew certificate - dse__rsyslog]", "Exec[renew certificate - dse__system_kube-proxy]", "Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Exec[rmmod-r440_wdat_wdt]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]", "Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]", "Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]", "Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]", "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]", "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]", "Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]", "Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]", "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "File[/etc/apparmor.d/abstractions]", "File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]", "File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/calico/calicoctl-kubeconfig]", "File[/etc/calico/calicoctl.cfg]", "File[/etc/calico/pki]", "File[/etc/calico]", "File[/etc/cfssl/csr/dse__calico-cni.csr]", "File[/etc/cfssl/csr/dse__calicoctl.csr]", "File[/etc/cfssl/csr/dse__istio-cni.csr]", "File[/etc/cfssl/csr/dse__kubelet_server.csr]", "File[/etc/cfssl/csr/dse__rsyslog.csr]", "File[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]", "File[/etc/cfssl/ssl/dse__rsyslog]", "File[/etc/cni/net.d/10-calico.conflist]", "File[/etc/cni/net.d/calico-kubeconfig]", "File[/etc/cni/net.d/istio-kubeconfig]", "File[/etc/cni/net.d]", "File[/etc/cni]", "File[/etc/containerd/config.toml]", "File[/etc/containerd]", "File[/etc/default/cpufrequtils]", "File[/etc/default/kube-proxy]", "File[/etc/default/kubelet]", "File[/etc/default/wikimedia-lvs-realserver]", "File[/etc/ferm/conf.d/10_calico-bird]", "File[/etc/ferm/conf.d/10_calico_typha]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "File[/etc/ferm/conf.d/10_ip6ip6]", "File[/etc/ferm/conf.d/10_ipip]", "File[/etc/ferm/conf.d/10_kubelet-http]", "File[/etc/kubernetes/kube-proxy-config.yaml]", "File[/etc/kubernetes/kubelet-config.yaml]", "File[/etc/kubernetes/kubelet.conf]", "File[/etc/kubernetes/pki/dse__calico-cni-key.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.csr]", "File[/etc/kubernetes/pki/dse__calico-cni.pem]", "File[/etc/kubernetes/pki/dse__calicoctl-key.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.csr]", "File[/etc/kubernetes/pki/dse__calicoctl.pem]", "File[/etc/kubernetes/pki/dse__istio-cni-key.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.csr]", "File[/etc/kubernetes/pki/dse__istio-cni.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.csr]", "File[/etc/kubernetes/pki/dse__kubelet_server.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem]", "File[/etc/kubernetes/pki]", "File[/etc/kubernetes/proxy.conf]", "File[/etc/kubernetes]", "File[/etc/logrotate.d/prometheus_ferm_mss]", "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]", "File[/etc/logrotate.d/set-rbd-readahead]", "File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]", "File[/etc/modules-load.d/overlay.conf]", "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "File[/etc/nerdctl/nerdctl.toml]", "File[/etc/nerdctl]", "File[/etc/rsyslog.d/00-imfile.conf]", "File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]", "File[/etc/rsyslog.d/09-kubernetes.conf]", "File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]", "File[/etc/rsyslog.d/20-shellbox.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "File[/etc/rsyslog.d/35-output-kafka-k8s.conf]", "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]", "File[/etc/rsyslog.d/40-set-rbd-readahead.conf]", "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "File[/etc/sysctl.d/70-increase_inotify_limits.conf]", "File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]", "File[/etc/sysctl.d/70-opensearch.conf]", "File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]", "File[/etc/sysctl.d/75-kube_proxy_icmp.conf]", "File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]", "File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/kube-proxy.service.d]", "File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]", "File[/etc/systemd/system/kubelet.service.d]", "File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]", "File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "File[/lib/systemd/system/prometheus_ferm_mss.service]", "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "File[/lib/systemd/system/rsyslog-imfile-remedy.service]", "File[/lib/systemd/system/rsyslog-imfile-remedy.timer]", "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]", "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]", "File[/lib/systemd/system/set-rbd-readahead.service]", "File[/lib/systemd/system/set-rbd-readahead.timer]", "File[/lib/systemd/system/tcp-mss-clamper.service]", "File[/srv/spark]", "File[/usr/local/bin/prometheus-ferm-mss]", "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]", "File[/usr/local/sbin/set-rbd-readahead.py]", "File[/usr/share/GeoIP]", "File[/var/lib/kubelet]", "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "File[/var/log/prometheus_ferm_mss]", "File[/var/log/prometheus_lvs_realserver_mss]", "File[/var/log/rsyslog-release-deleted-inotify-watches]", "File[/var/log/set-rbd-readahead]", "File[/var/run/kubernetes]", "File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]", "File_line[rm_post-up_lo_clsact_lo]", "Filesystem[/dev/vg_raid0/srv]", "Group[kube]", "Logical_volume[srv]", "Mount[/srv]", "Package[apparmor]", "Package[calico-cni]", "Package[calicoctl]", "Package[containerd]", "Package[cpufrequtils]", "Package[crictl]", "Package[geoip-bin]", "Package[istio-cni]", "Package[kubernetes-node]", "Package[linux-base]", "Package[linux-image-6.12.88+deb12-amd64]", "Package[mmdb-bin]", "Package[nerdctl]", "Package[rsyslog-kubernetes]", "Package[socat]", "Package[tcp-mss-clamper]", "Package[wikimedia-lvs-realserver]", "Physical_volume[/dev/md1]", "Service[apparmor]", "Service[containerd]", "Service[cpufrequtils]", "Service[kube-proxy]", "Service[kubelet]", "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Service[prometheus_ferm_mss.timer]", "Service[prometheus_lvs_realserver_mss.timer]", "Service[rsyslog-imfile-remedy.timer]", "Service[rsyslog-release-deleted-inotify-watches.timer]", "Service[set-rbd-readahead.timer]", "Service[tcp-mss-clamper]", "User[kube]", "Volume_group[vg_raid0]"], "resource_diffs": [{"resource": "File[/etc/default/prometheus-node-exporter]", "content": "--- /etc/default/prometheus-node-exporter.orig\n+++ /etc/default/prometheus-node-exporter\n@@ -15,6 +15,7 @@\n --collector.netdev \\\n --collector.netstat \\\n --collector.netstat.fields=^(.*) \\\n+ --collector.processes \\\n --collector.sockstat \\\n --collector.stat \\\n --collector.systemd.enable-restarts-metrics \\"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::data_platform_ferm:\n+role::dse_k8s::worker::wdqs:\n - Data Platform"}, {"resource": "File[/etc/modprobe.d/blacklist-wmf_overlay.conf]", "content": "--- /etc/modprobe.d/blacklist-wmf_overlay.conf.orig\n+++ /etc/modprobe.d/blacklist-wmf_overlay.conf\n@@ -1,7 +1,3 @@\n # wmf_overlay - blacklisted kernel modules\n # This file is managed by Puppet\n #\n-blacklist overlay\n-install overlay /bin/true\n-blacklist overlayfs\n-install overlayfs /bin/true", "parameters": "--- File[/etc/modprobe.d/blacklist-wmf_overlay.conf].orig\n+++ File[/etc/modprobe.d/blacklist-wmf_overlay.conf]\n\n@@\n- ensure => present\n+ ensure => absent\n"}, {"resource": "File[/etc/sysctl.d/51-ubuntu-defaults.conf]", "content": "--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig\n+++ /etc/sysctl.d/51-ubuntu-defaults.conf\n@@ -4,7 +4,7 @@\n kernel.kptr_restrict = 1\n kernel.printk = 4 4 1 7\n kernel.yama.ptrace_scope = 1\n-net.ipv4.conf.all.rp_filter = 1\n+net.ipv4.conf.all.rp_filter = 0\n net.ipv4.conf.default.rp_filter = 1\n net.ipv4.tcp_syncookies = 1\n vm.mmap_min_addr = 65536"}, {"resource": "File[/etc/nagios/nrpe.d/check_disk_space.cfg]", "content": "--- /etc/nagios/nrpe.d/check_disk_space.cfg.orig\n+++ /etc/nagios/nrpe.d/check_disk_space.cfg\n@@ -1,2 +1,2 @@\n # File generated by puppet. DO NOT edit by hand\n-command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"data-platform\",role=\"insetup::data_platform_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"data-platform\",role=\"dse_k8s::worker::wdqs\",cluster=\"dse_k8s\"} 1.0"}], "perc_changed": "9.46%"}, "main": {"total": 2845, "only_in_self": ["Class[Role::Insetup::Data_platform_ferm]", "File[/etc/update-motd.d/05-insetup--data-platform-ferm]", "Motd::Message[insetup::data_platform_ferm]", "Motd::Script[insetup::data_platform_ferm]"], "only_in_other": ["Apt::Package_from_bpo[linux-6.12-bookworm]", "Apt::Package_from_component[calico329]", "Apt::Package_from_component[istio115]", "Apt::Package_from_component[kubernetes131]", "Apt::Pin[apt_pin_linux-6.12-bookworm_bookworm-bpo]", "Apt::Repository[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Apt::Repository[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Apt::Repository[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Augeas[ipip0_127.0.0.42/32]", "Augeas[ipip0_add_up]", "Augeas[ipip0_manual]", "Augeas[ipip0_set_up]", "Augeas[ipip60_add_up]", "Augeas[ipip60_manual]", "Augeas[ipip60_set_up]", "Cfssl::Cert[dse__calico-cni]", "Cfssl::Cert[dse__calicoctl]", "Cfssl::Cert[dse__istio-cni]", "Cfssl::Cert[dse__kubelet_server]", "Cfssl::Cert[dse__rsyslog]", "Cfssl::Cert[dse__system_kube-proxy]", "Cfssl::Cert[dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Cfssl::Csr[/etc/cfssl/csr/dse__calico-cni.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__calicoctl.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__istio-cni.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__kubelet_server.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__rsyslog.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "Cfssl::Csr[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "Class[Apparmor]", "Class[Base::Sysctl::Inotify]", "Class[Calico]", "Class[Containerd::Configuration]", "Class[Containerd::Nerdctl]", "Class[Containerd]", "Class[Cpufrequtils]", "Class[Geoip::Bin]", "Class[Geoip::Data::Puppet]", "Class[Geoip]", "Class[K8s::Base_dirs]", "Class[K8s::Clusters]", "Class[K8s::Kubelet::Cni::Base]", "Class[K8s::Kubelet]", "Class[K8s::Proxy]", "Class[Lvm]", "Class[Lvs::Realserver]", "Class[Profile::Amd_gpu]", "Class[Profile::Analytics::Geoip]", "Class[Profile::Calico::Kubernetes]", "Class[Profile::Containerd]", "Class[Profile::Kubernetes::Container_runtime]", "Class[Profile::Kubernetes::Node::Dse_k8s::Wdqs]", "Class[Profile::Kubernetes::Node::Dse_k8s]", "Class[Profile::Kubernetes::Node]", "Class[Profile::Lvs::Configuration]", "Class[Profile::Lvs::Realserver::Ipip]", "Class[Profile::Lvs::Realserver]", "Class[Profile::Rsyslog::Kubernetes]", "Class[Profile::Rsyslog::Shellbox]", "Class[Role::Dse_k8s::Worker::Wdqs]", "Class[Role::Dse_k8s::Worker]", "Class[Toil::Rsyslog_imfile_remedy]", "Class[Wmflib::Service::Catalog]", "Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat::Fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat::Fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat::Fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_file[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.sources]", "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia-header]", "Concat_fragment[component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[/sbin/modprobe overlay]", "Exec[/usr/sbin/dpkg-reconfigure -p critical -f noninteractive wikimedia-lvs-realserver]", "Exec[/usr/sbin/tc qdisc del dev ens2f0np0 clsact]", "Exec[/usr/sbin/tc qdisc del dev lo clsact]", "Exec[Generate cert dse__calico-cni refresh on intermediate ca change]", "Exec[Generate cert dse__calico-cni refresh]", "Exec[Generate cert dse__calico-cni]", "Exec[Generate cert dse__calicoctl refresh on intermediate ca change]", "Exec[Generate cert dse__calicoctl refresh]", "Exec[Generate cert dse__calicoctl]", "Exec[Generate cert dse__kubelet_server refresh on intermediate ca change]", "Exec[Generate cert dse__kubelet_server refresh]", "Exec[Generate cert dse__kubelet_server]", "Exec[Generate cert dse__rsyslog refresh on intermediate ca change]", "Exec[Generate cert dse__rsyslog refresh]", "Exec[Generate cert dse__rsyslog]", "Exec[Generate cert dse__system_kube-proxy refresh on intermediate ca change]", "Exec[Generate cert dse__system_kube-proxy refresh]", "Exec[Generate cert dse__system_kube-proxy]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh on intermediate ca change]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet refresh]", "Exec[Generate cert dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Exec[apt_package_from_component_calico329]", "Exec[apt_package_from_component_istio115]", "Exec[apt_package_from_component_kubernetes131]", "Exec[apt_pin_apt_pin_linux-6.12-bookworm_bookworm-bpo]", "Exec[apt_repository_component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[apt_repository_component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[apt_repository_component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia]", "Exec[cpufrequtils_reload]", "Exec[create chained cert /etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__calico-cni.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__calicoctl.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "Exec[create chained cert /etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "Exec[disable-rp-filter-ens2f0np0]", "Exec[disable-rp-filter-ipip0]", "Exec[disable-rp-filter-ipip60]", "Exec[ensure mountpoint '/srv' exists]", "Exec[exec-apt-get-update-linux-6.12-bookworm_bookworm-bpo]", "Exec[ip addr add 127.0.0.42/32 dev ipip0]", "Exec[ip link add name ipip0 type ipip external]", "Exec[ip link add name ipip60 type ip6tnl external]", "Exec[ip link set up dev ipip0]", "Exec[ip link set up dev ipip60]", "Exec[renew certificate - dse__calico-cni]", "Exec[renew certificate - dse__calicoctl]", "Exec[renew certificate - dse__kubelet_server]", "Exec[renew certificate - dse__rsyslog]", "Exec[renew certificate - dse__system_kube-proxy]", "Exec[renew certificate - dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet]", "Exec[rmmod-r440_wdat_wdt]", "Exec[systemd daemon-reload for ferm.service (ferm-ferm-service-auto-restart)]", "Exec[systemd daemon-reload for kube-proxy.service (kube-proxy)]", "Exec[systemd daemon-reload for kubelet.service (kubelet-container-runtime)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]", "Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.timer (nrpe2nodexp-check_tcp-mss-clamper_status.timer)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.service (prometheus_ferm_mss.service)]", "Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]", "Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]", "Exec[systemd daemon-reload for rsyslog-imfile-remedy.service (rsyslog-imfile-remedy.service)]", "Exec[systemd daemon-reload for rsyslog-imfile-remedy.timer (rsyslog-imfile-remedy.timer)]", "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.service (rsyslog-release-deleted-inotify-watches.service)]", "Exec[systemd daemon-reload for rsyslog-release-deleted-inotify-watches.timer (rsyslog-release-deleted-inotify-watches.timer)]", "Exec[systemd daemon-reload for set-rbd-readahead.service (set-rbd-readahead.service)]", "Exec[systemd daemon-reload for set-rbd-readahead.timer (set-rbd-readahead.timer)]", "Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]", "Ferm::Rule[clamp-mss-ipv4]", "Ferm::Rule[clamp-mss-ipv6]", "Ferm::Rule[ip6ip6]", "Ferm::Rule[ipip]", "Ferm::Service[calico-bird]", "Ferm::Service[calico_typha]", "Ferm::Service[kubelet-http]", "File[/etc/apparmor.d/abstractions]", "File[/etc/apt/preferences.d/apt_pin_linux_6_12_bookworm_bookworm_bpo.pref]", "File[/etc/apt/sources.list.d/component-calico329-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/apt/sources.list.d/component-istio115-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/apt/sources.list.d/component-kubernetes131-apt.wikimedia.org-wikimedia-bookworm-wikimedia.list]", "File[/etc/calico/calicoctl-kubeconfig]", "File[/etc/calico/calicoctl.cfg]", "File[/etc/calico/pki]", "File[/etc/calico]", "File[/etc/cfssl/csr/dse__calico-cni.csr]", "File[/etc/cfssl/csr/dse__calicoctl.csr]", "File[/etc/cfssl/csr/dse__istio-cni.csr]", "File[/etc/cfssl/csr/dse__kubelet_server.csr]", "File[/etc/cfssl/csr/dse__rsyslog.csr]", "File[/etc/cfssl/csr/dse__system_kube-proxy.csr]", "File[/etc/cfssl/csr/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog-key.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chain.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.chained.pem]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.csr]", "File[/etc/cfssl/ssl/dse__rsyslog/dse__rsyslog.pem]", "File[/etc/cfssl/ssl/dse__rsyslog]", "File[/etc/cni/net.d/10-calico.conflist]", "File[/etc/cni/net.d/calico-kubeconfig]", "File[/etc/cni/net.d/istio-kubeconfig]", "File[/etc/cni/net.d]", "File[/etc/cni]", "File[/etc/containerd/config.toml]", "File[/etc/containerd]", "File[/etc/default/cpufrequtils]", "File[/etc/default/kube-proxy]", "File[/etc/default/kubelet]", "File[/etc/default/wikimedia-lvs-realserver]", "File[/etc/ferm/conf.d/10_calico-bird]", "File[/etc/ferm/conf.d/10_calico_typha]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv4]", "File[/etc/ferm/conf.d/10_clamp-mss-ipv6]", "File[/etc/ferm/conf.d/10_ip6ip6]", "File[/etc/ferm/conf.d/10_ipip]", "File[/etc/ferm/conf.d/10_kubelet-http]", "File[/etc/kubernetes/kube-proxy-config.yaml]", "File[/etc/kubernetes/kubelet-config.yaml]", "File[/etc/kubernetes/kubelet.conf]", "File[/etc/kubernetes/pki/dse__calico-cni-key.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.chain.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.chained.pem]", "File[/etc/kubernetes/pki/dse__calico-cni.csr]", "File[/etc/kubernetes/pki/dse__calico-cni.pem]", "File[/etc/kubernetes/pki/dse__calicoctl-key.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.chain.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.chained.pem]", "File[/etc/kubernetes/pki/dse__calicoctl.csr]", "File[/etc/kubernetes/pki/dse__calicoctl.pem]", "File[/etc/kubernetes/pki/dse__istio-cni-key.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.chain.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.chained.pem]", "File[/etc/kubernetes/pki/dse__istio-cni.csr]", "File[/etc/kubernetes/pki/dse__istio-cni.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server-key.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.chain.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.chained.pem]", "File[/etc/kubernetes/pki/dse__kubelet_server.csr]", "File[/etc/kubernetes/pki/dse__kubelet_server.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy-key.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.chain.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.chained.pem]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.csr]", "File[/etc/kubernetes/pki/dse__system_kube-proxy.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet-key.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chain.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.chained.pem]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.csr]", "File[/etc/kubernetes/pki/dse__system_node_dse-k8s-wdqs-test2001_codfw_wmnet.pem]", "File[/etc/kubernetes/pki]", "File[/etc/kubernetes/proxy.conf]", "File[/etc/kubernetes]", "File[/etc/logrotate.d/prometheus_ferm_mss]", "File[/etc/logrotate.d/prometheus_lvs_realserver_mss]", "File[/etc/logrotate.d/rsyslog-release-deleted-inotify-watches]", "File[/etc/logrotate.d/set-rbd-readahead]", "File[/etc/modprobe.d/blacklist-r440_wdat_wdt.conf]", "File[/etc/modules-load.d/overlay.conf]", "File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]", "File[/etc/nerdctl/nerdctl.toml]", "File[/etc/nerdctl]", "File[/etc/rsyslog.d/00-imfile.conf]", "File[/etc/rsyslog.d/08-input-file-kubernetes-json.conf]", "File[/etc/rsyslog.d/09-kubernetes.conf]", "File[/etc/rsyslog.d/10-kubernetes-node-filters.conf]", "File[/etc/rsyslog.d/20-shellbox.conf]", "File[/etc/rsyslog.d/25-nrpe2nodexp-check-tcp-mss-clamper-status.conf]", "File[/etc/rsyslog.d/35-output-kafka-k8s.conf]", "File[/etc/rsyslog.d/40-prometheus-ferm-mss.conf]", "File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]", "File[/etc/rsyslog.d/40-rsyslog-release-deleted-inotify-watches.conf]", "File[/etc/rsyslog.d/40-set-rbd-readahead.conf]", "File[/etc/sudoers.d/nrpe-check_check_tcp-mss-clamper_status]", "File[/etc/sysctl.d/70-increase_inotify_limits.conf]", "File[/etc/sysctl.d/70-ipv6-fowarding-accept-ra.conf]", "File[/etc/sysctl.d/70-opensearch.conf]", "File[/etc/sysctl.d/75-kube_proxy_conntrack.conf]", "File[/etc/sysctl.d/75-kube_proxy_icmp.conf]", "File[/etc/systemd/system/ferm.service.d/ferm-service-auto-restart.conf]", "File[/etc/systemd/system/kube-proxy.service.d/puppet-override.conf]", "File[/etc/systemd/system/kube-proxy.service.d]", "File[/etc/systemd/system/kubelet.service.d/container-runtime.conf]", "File[/etc/systemd/system/kubelet.service.d]", "File[/etc/udev/rules.d/75-kube_proxy_conntrack.rules]", "File[/etc/update-motd.d/05-dse-k8s--worker--wdqs]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]", "File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "File[/lib/systemd/system/prometheus_ferm_mss.service]", "File[/lib/systemd/system/prometheus_ferm_mss.timer]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]", "File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]", "File[/lib/systemd/system/rsyslog-imfile-remedy.service]", "File[/lib/systemd/system/rsyslog-imfile-remedy.timer]", "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.service]", "File[/lib/systemd/system/rsyslog-release-deleted-inotify-watches.timer]", "File[/lib/systemd/system/set-rbd-readahead.service]", "File[/lib/systemd/system/set-rbd-readahead.timer]", "File[/lib/systemd/system/tcp-mss-clamper.service]", "File[/srv/spark]", "File[/usr/local/bin/prometheus-ferm-mss]", "File[/usr/local/bin/prometheus-lvs-realserver-mss]", "File[/usr/local/lib/nagios/plugins/check_systemd_unit_status]", "File[/usr/local/sbin/rsyslog-release-deleted-inotify-watches]", "File[/usr/local/sbin/set-rbd-readahead.py]", "File[/usr/share/GeoIP]", "File[/var/lib/kubelet]", "File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]", "File[/var/log/prometheus_ferm_mss]", "File[/var/log/prometheus_lvs_realserver_mss]", "File[/var/log/rsyslog-release-deleted-inotify-watches]", "File[/var/log/set-rbd-readahead]", "File[/var/run/kubernetes]", "File_line[rm_post-up_ens2f0np0_clsact_ens2f0np0]", "File_line[rm_post-up_lo_clsact_lo]", "Filesystem[/dev/vg_raid0/srv]", "Firewall::Service[calico-typha]", "Group[kube]", "Interface::Clsact[clsact_ens2f0np0]", "Interface::Clsact[clsact_lo]", "Interface::Ip[ipip_ipv4 ipv4]", "Interface::Ipip[ipip_ipv4]", "Interface::Ipip[ipip_ipv6]", "Interface::Manual[ipip_ipv4]", "Interface::Manual[ipip_ipv6]", "Interface::Post_up_command[clsact_ens2f0np0]", "Interface::Post_up_command[clsact_lo]", "K8s::Kubeconfig[/etc/calico/calicoctl-kubeconfig]", "K8s::Kubeconfig[/etc/cni/net.d/calico-kubeconfig]", "K8s::Kubeconfig[/etc/cni/net.d/istio-kubeconfig]", "K8s::Kubeconfig[/etc/kubernetes/kubelet.conf]", "K8s::Kubeconfig[/etc/kubernetes/proxy.conf]", "K8s::Kubelet::Cni[calico]", "K8s::Package[kubelet]", "K8s::Package[proxy]", "Kmod::Blacklist[r440_wdat_wdt]", "Kmod::Module[overlay]", "Logical_volume[srv]", "Logrotate::Conf[prometheus_ferm_mss]", "Logrotate::Conf[prometheus_lvs_realserver_mss]", "Logrotate::Conf[rsyslog-release-deleted-inotify-watches]", "Logrotate::Conf[set-rbd-readahead]", "Lvm::Logical_volume[srv]", "Lvm::Physical_volume[/dev/md1]", "Lvm::Volume_group[vg_raid0]", "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 check_tcp-mss-clamper_status]", "Monitoring::Service[check_tcp-mss-clamper_status]", "Motd::Message[dse_k8s::worker::wdqs]", "Motd::Script[dse_k8s::worker::wdqs]", "Mount[/srv]", "Nrpe::Check[check_check_tcp-mss-clamper_status]", "Nrpe::Monitor_service[check_tcp-mss-clamper_status]", "Nrpe::Plugin[check_systemd_unit_status]", "Package[apparmor]", "Package[calico-cni]", "Package[calicoctl]", "Package[containerd]", "Package[cpufrequtils]", "Package[crictl]", "Package[geoip-bin]", "Package[istio-cni]", "Package[kubernetes-node]", "Package[linux-base]", "Package[linux-image-6.12.88+deb12-amd64]", "Package[mmdb-bin]", "Package[nerdctl]", "Package[rsyslog-kubernetes]", "Package[socat]", "Package[tcp-mss-clamper]", "Package[wikimedia-lvs-realserver]", "Physical_volume[/dev/md1]", "Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]", "Prometheus::Node_ferm_mss[ferm_clamped_ipport]", "Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]", "Rsyslog::Conf[imfile]", "Rsyslog::Conf[input-file-kubernetes-json]", "Rsyslog::Conf[kubernetes-node-filters]", "Rsyslog::Conf[kubernetes]", "Rsyslog::Conf[nrpe2nodexp-check_tcp-mss-clamper_status]", "Rsyslog::Conf[output_kafka_k8s]", "Rsyslog::Conf[prometheus_ferm_mss]", "Rsyslog::Conf[prometheus_lvs_realserver_mss]", "Rsyslog::Conf[rsyslog-release-deleted-inotify-watches]", "Rsyslog::Conf[set-rbd-readahead]", "Rsyslog::Conf[shellbox]", "Rsyslog::Input::File[kubernetes-json]", "Service[apparmor]", "Service[containerd]", "Service[cpufrequtils]", "Service[kube-proxy]", "Service[kubelet]", "Service[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Service[prometheus_ferm_mss.timer]", "Service[prometheus_lvs_realserver_mss.timer]", "Service[rsyslog-imfile-remedy.timer]", "Service[rsyslog-release-deleted-inotify-watches.timer]", "Service[set-rbd-readahead.timer]", "Service[tcp-mss-clamper]", "Sudo::User[nrpe-check_check_tcp-mss-clamper_status]", "Sysctl::Conffile[increase_inotify_limits]", "Sysctl::Conffile[ipv6-fowarding-accept-ra]", "Sysctl::Conffile[kube_proxy_conntrack]", "Sysctl::Conffile[kube_proxy_icmp]", "Sysctl::Conffile[opensearch]", "Sysctl::Parameters[increase_inotify_limits]", "Sysctl::Parameters[ipv6-fowarding-accept-ra]", "Sysctl::Parameters[kube_proxy_conntrack]", "Sysctl::Parameters[kube_proxy_icmp]", "Sysctl::Parameters[opensearch]", "Systemd::Monitor[tcp-mss-clamper]", "Systemd::Override[container-runtime]", "Systemd::Override[ferm-service-auto-restart]", "Systemd::Service[kube-proxy]", "Systemd::Service[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Service[prometheus_ferm_mss]", "Systemd::Service[prometheus_lvs_realserver_mss]", "Systemd::Service[rsyslog-imfile-remedy]", "Systemd::Service[rsyslog-release-deleted-inotify-watches]", "Systemd::Service[set-rbd-readahead]", "Systemd::Service[tcp-mss-clamper]", "Systemd::Syslog[prometheus_ferm_mss]", "Systemd::Syslog[prometheus_lvs_realserver_mss]", "Systemd::Syslog[rsyslog-release-deleted-inotify-watches]", "Systemd::Syslog[set-rbd-readahead]", "Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer::Job[prometheus_ferm_mss]", "Systemd::Timer::Job[prometheus_lvs_realserver_mss]", "Systemd::Timer::Job[rsyslog-imfile-remedy]", "Systemd::Timer::Job[rsyslog-release-deleted-inotify-watches]", "Systemd::Timer::Job[set-rbd-readahead]", "Systemd::Timer[nrpe2nodexp-check_tcp-mss-clamper_status]", "Systemd::Timer[prometheus_ferm_mss]", "Systemd::Timer[prometheus_lvs_realserver_mss]", "Systemd::Timer[rsyslog-imfile-remedy]", "Systemd::Timer[rsyslog-release-deleted-inotify-watches]", "Systemd::Timer[set-rbd-readahead]", "Systemd::Unit[ferm-ferm-service-auto-restart]", "Systemd::Unit[kube-proxy]", "Systemd::Unit[kubelet-container-runtime]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.service]", "Systemd::Unit[nrpe2nodexp-check_tcp-mss-clamper_status.timer]", "Systemd::Unit[prometheus_ferm_mss.service]", "Systemd::Unit[prometheus_ferm_mss.timer]", "Systemd::Unit[prometheus_lvs_realserver_mss.service]", "Systemd::Unit[prometheus_lvs_realserver_mss.timer]", "Systemd::Unit[rsyslog-imfile-remedy.service]", "Systemd::Unit[rsyslog-imfile-remedy.timer]", "Systemd::Unit[rsyslog-release-deleted-inotify-watches.service]", "Systemd::Unit[rsyslog-release-deleted-inotify-watches.timer]", "Systemd::Unit[set-rbd-readahead.service]", "Systemd::Unit[set-rbd-readahead.timer]", "Systemd::Unit[tcp-mss-clamper]", "Udev::Rule[kube_proxy_conntrack]", "User[kube]", "Volume_group[vg_raid0]"], "resource_diffs": [{"resource": "Class[Monitoring]", "parameters": "--- Class[Monitoring].orig\n+++ Class[Monitoring]\n\n@@\n- nagios_group => insetup_codfw\n+ nagios_group => dse_k8s_codfw\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Concat::Fragment[main contacts]"}, {"resource": "File[/etc/default/prometheus-node-exporter]", "content": "--- /etc/default/prometheus-node-exporter.orig\n+++ /etc/default/prometheus-node-exporter\n@@ -15,6 +15,7 @@\n --collector.netdev \\\n --collector.netstat \\\n --collector.netstat.fields=^(.*) \\\n+ --collector.processes \\\n --collector.sockstat \\\n --collector.stat \\\n --collector.systemd.enable-restarts-metrics \\"}, {"resource": "Concat_fragment[main contacts]", "content": "--- main contacts.orig\n+++ main contacts\n@@ -1,3 +1,3 @@\n ---\n-role::insetup::data_platform_ferm:\n+role::dse_k8s::worker::wdqs:\n - Data Platform"}, {"resource": "File[/etc/modprobe.d/blacklist-wmf_overlay.conf]", "content": "--- /etc/modprobe.d/blacklist-wmf_overlay.conf.orig\n+++ /etc/modprobe.d/blacklist-wmf_overlay.conf\n@@ -1,7 +1,3 @@\n # wmf_overlay - blacklisted kernel modules\n # This file is managed by Puppet\n #\n-blacklist overlay\n-install overlay /bin/true\n-blacklist overlayfs\n-install overlayfs /bin/true", "parameters": "--- File[/etc/modprobe.d/blacklist-wmf_overlay.conf].orig\n+++ File[/etc/modprobe.d/blacklist-wmf_overlay.conf]\n\n@@\n- ensure => present\n+ ensure => absent\n"}, {"resource": "Class[Profile::Base::Production]", "parameters": "--- Class[Profile::Base::Production].orig\n+++ Class[Profile::Base::Production]\n\n@@\n- role_description => Host being setup by Data Platform SREs\n+ role_description => DSE Kubernetes worker node - dedicated to wdqs\n"}, {"resource": "File[/etc/sysctl.d/51-ubuntu-defaults.conf]", "content": "--- /etc/sysctl.d/51-ubuntu-defaults.conf.orig\n+++ /etc/sysctl.d/51-ubuntu-defaults.conf\n@@ -4,7 +4,7 @@\n kernel.kptr_restrict = 1\n kernel.printk = 4 4 1 7\n kernel.yama.ptrace_scope = 1\n-net.ipv4.conf.all.rp_filter = 1\n+net.ipv4.conf.all.rp_filter = 0\n net.ipv4.conf.default.rp_filter = 1\n net.ipv4.tcp_syncookies = 1\n vm.mmap_min_addr = 65536"}, {"resource": "Nrpe::Monitor_service[disk_space]", "parameters": "--- Nrpe::Monitor_service[disk_space].orig\n+++ Nrpe::Monitor_service[disk_space]\n\n@@\n- nrpe_command => /usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+ nrpe_command => /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs\n"}, {"resource": "Class[Profile::Cumin::Target]", "parameters": "--- Class[Profile::Cumin::Target].orig\n+++ Class[Profile::Cumin::Target]\n\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Class[Cumin::Selector]", "parameters": "--- Class[Cumin::Selector].orig\n+++ Class[Cumin::Selector]\n\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Monitoring::Exported_nagios_host[dse-k8s-wdqs-test2001]", "parameters": "--- Monitoring::Exported_nagios_host[dse-k8s-wdqs-test2001].orig\n+++ Monitoring::Exported_nagios_host[dse-k8s-wdqs-test2001]\n\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n@@\n- hostgroups => insetup_codfw,lsw1-a7-codfw\n+ hostgroups => dse_k8s_codfw,lsw1-a7-codfw\n"}, {"resource": "Nrpe::Check[check_disk_space]", "parameters": "--- Nrpe::Check[check_disk_space].orig\n+++ Nrpe::Check[check_disk_space]\n\n@@\n- command => /usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+ command => /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs\n"}, {"resource": "Kmod::Blacklist[wmf_overlay]", "parameters": "--- Kmod::Blacklist[wmf_overlay].orig\n+++ Kmod::Blacklist[wmf_overlay]\n\n@@\n- modules => ['overlayfs', 'overlay']\n+ modules => []\n@@\n- ensure => present\n+ ensure => absent\n"}, {"resource": "File[/etc/nagios/nrpe.d/check_disk_space.cfg]", "content": "--- /etc/nagios/nrpe.d/check_disk_space.cfg.orig\n+++ /etc/nagios/nrpe.d/check_disk_space.cfg\n@@ -1,2 +1,2 @@\n # File generated by puppet. DO NOT edit by hand\n-command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+command[check_disk_space]=/usr/lib/nagios/plugins/check_disk -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs"}, {"resource": "Class[Profile::Base]", "parameters": "--- Class[Profile::Base].orig\n+++ Class[Profile::Base]\n\n@@\n- overlayfs => False\n+ overlayfs => True\n@@\n- use_linux612_on_bookworm => False\n+ use_linux612_on_bookworm => True\n@@\n- rp_filter => True\n+ rp_filter => {'all_rp_filter': 0, 'default_rp_filter': 1}\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "File[/var/lib/prometheus/node.d/role_owner.prom]", "content": "--- /var/lib/prometheus/node.d/role_owner.prom.orig\n+++ /var/lib/prometheus/node.d/role_owner.prom\n@@ -1,3 +1,3 @@\n # HELP role_owner The team owner of the server role\n # TYPE role_owner gauge\n-role_owner{team=\"data-platform\",role=\"insetup::data_platform_ferm\",cluster=\"insetup\"} 1.0\n+role_owner{team=\"data-platform\",role=\"dse_k8s::worker::wdqs\",cluster=\"dse_k8s\"} 1.0"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ssh]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ssh].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ssh]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "Sysctl::Conffile[ubuntu defaults]"}, {"resource": "Class[Prometheus::Node_exporter]", "parameters": "--- Class[Prometheus::Node_exporter].orig\n+++ Class[Prometheus::Node_exporter]\n\n@@\n- collectors_extra => []\n+ collectors_extra => ['processes']\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[cpufrequtils]', 'Package[apparmor]', 'Package[socat]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[wikimedia-lvs-realserver]', 'Package[tcp-mss-clamper]', 'Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']\n"}, {"resource": "Class[Base::Sysctl]", "parameters": "--- Class[Base::Sysctl].orig\n+++ Class[Base::Sysctl]\n\n@@\n- all_rp_filter => 1\n+ all_rp_filter => 0\n"}, {"resource": "Class[Base::Kernel]", "parameters": "--- Class[Base::Kernel].orig\n+++ Class[Base::Kernel]\n\n@@\n- overlayfs => False\n+ overlayfs => True\n"}, {"resource": "Class[Profile::Contacts]", "parameters": "--- Class[Profile::Contacts].orig\n+++ Class[Profile::Contacts]\n\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Sysctl::Parameters[ubuntu defaults]", "parameters": "--- Sysctl::Parameters[ubuntu defaults].orig\n+++ Sysctl::Parameters[ubuntu defaults]\n\n@@\n- values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 1, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n+ values => {'kernel.printk': [4, 4, 1, 7], 'kernel.kptr_restrict': 1, 'net.ipv4.conf.default.rp_filter': 1, 'net.ipv4.conf.all.rp_filter': 0, 'net.ipv4.tcp_syncookies': 1, 'kernel.yama.ptrace_scope': 1, 'fs.protected_hardlinks': 1, 'fs.protected_symlinks': 1, 'vm.mmap_min_addr': 65536}\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 raid_md]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 raid_md].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 raid_md]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 disk_space]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 disk_space].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 disk_space]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]']\n+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[prometheus-ethtool-exporter]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[cpufrequtils]', 'Package[apparmor]', 'Package[socat]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[wikimedia-lvs-realserver]', 'Package[tcp-mss-clamper]', 'Package[linux-base]', 'Package[linux-image-6.12.88+deb12-amd64]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']\n"}, {"resource": "Class[Profile::Monitoring]", "parameters": "--- Class[Profile::Monitoring].orig\n+++ Class[Profile::Monitoring]\n\n@@\n- nagios_group => insetup_codfw\n+ nagios_group => dse_k8s_codfw\n@@\n- notifications_enabled => False\n+ notifications_enabled => True\n@@\n- nrpe_check_disk_options => -w 6% -c 3% -W 6% -K 3% -l -e -A -i \"/srv/sd[a-b][1-3]\" -i \"/srv/nvme[0-9]n[0-9]p[0-9]\" --exclude-type=fuse --exclude-type=fuse.fuse_dfs --exclude-type=tracefs\n+ nrpe_check_disk_options => -w 10% -c 5% -W 6% -K 3% -l -e -A -i '/(var/lib|run)/(kubelet|containerd)/*' --exclude-type=tracefs\n@@\n- cluster => insetup\n+ cluster => dse_k8s\n"}, {"resource": "Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ferm_active]", "parameters": "--- Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ferm_active].orig\n+++ Monitoring::Exported_nagios_service[dse-k8s-wdqs-test2001 ferm_active]\n\n@@\n- servicegroups => insetup_codfw\n+ servicegroups => dse_k8s_codfw\n@@\n- notifications_enabled => 0\n+ notifications_enabled => 1\n"}], "perc_changed": "16.45%"}}}