--- Class[Adduser].orig
+++ Class[Adduser]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
Class[Profile::Cache::Haproxy]
- Parameters differences:
--- Class[Profile::Cache::Haproxy].orig
+++ Class[Profile::Cache::Haproxy]
@@
- use_cidergrinder => True
+ use_cidergrinder => False
- File[/etc/haproxy/haproxy.cfg]
- Content differences:
--- /etc/haproxy/haproxy.cfg.orig
+++ /etc/haproxy/haproxy.cfg
@@ -23,8 +23,6 @@
lua-load-per-thread /etc/haproxy/lua/ja4h.lua
lua-load-per-thread /etc/haproxy/lua/utf8ps.lua
lua-load-per-thread /etc/haproxy/lua/contact_info.lua
- lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb
- lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
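Review bot: Dropping the two `lua-load-per-thread` lines for cidergrinder_mmdb.lua and cidergrinder_bloom.lua unregisters the `lua.cidergrinder_mmdb_lookup` and `lua.bloom_lookup` actions those scripts provide, so any `http-request lua.cidergrinder_mmdb_lookup` or `http-request lua.bloom_lookup` directive still present in a conf.d site file (the Haproxy::Confd_site[tls] / tls.cfg entries appear in this catalog diff but their content is not shown here) would make HAProxy reject the configuration on the next reload rather than degrade quietly. It would be worth confirming in the same change that no remaining site config references either action, and that `var(sess.cidergrinder_mmdb_result)` / `var(sess.bloom_result)` are not consumed by an ACL that now silently never matches. The same removal is repeated in the Class[Haproxy] config_content hunk at the end of this diff. Separately, the catalog drops File[/etc/haproxy/lua/cidergrinder_mmdb.lua], File[/etc/haproxy/lua/cidergrinder_bloom.lua], File[/usr/share/CIDERGRINDER] and Package[lua5.4-ciderbloom] without any `ensure => absent` counterpart, so on already-provisioned hosts the scripts, the MMDB/bloom data and the package presumably stay on disk; if the intent is a clean removal rather than just "stop loading", an explicit absent state for those resources would make that auditable.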
- File[/usr/share/CIDERGRINDER]
- Parameters differences:
--- File[/usr/share/CIDERGRINDER].orig
+++ File[/usr/share/CIDERGRINDER]
- ensure => directory
- recurse => True
- owner => root
- group => root
- notify => Service[haproxy]
- source => puppet:///volatile/CIDERGRINDER
- before => Service[haproxy]
- Class[Profile::Apt]
- Parameters differences:
--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 
'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[sysfsutils]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']
- Haproxy::Confd_site[tls]
- Confd::File[/etc/haproxy/conf.d/tls.cfg]
- File[/etc/haproxy/lua/cidergrinder_mmdb.lua]
- Parameters differences:
--- File[/etc/haproxy/lua/cidergrinder_mmdb.lua].orig
+++ File[/etc/haproxy/lua/cidergrinder_mmdb.lua]
- ensure => file
- owner => haproxy
- mode => 0644
- require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-maxminddb]']
- notify => Service[haproxy]
- group => haproxy
- before => Service[haproxy]
- Content differences:
--- /etc/haproxy/lua/cidergrinder_mmdb.lua.orig
+++ /etc/haproxy/lua/cidergrinder_mmdb.lua
@@ -1,51 +0,0 @@
--- MMDB file lookup action for HAProxy
--- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER
--- SPDX-License-Identifier: GPL-3.0-or-later
--- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation
-
-local maxminddb = require("maxminddb")
-
-local args = table.pack(...)
-
-local cider_mmdb = nil
-
--- lua-load-per-thread mmdb_action.lua /path/to/file.mmdb
-core.register_init(function()
- if #args < 1 then
- core.Alert("MMDB file name not provided")
- return
- end
-
- local fname = args[1]
- local err
- -- TODO: this seems to throw an error from the C library instead of returning nil + error string.
- -- we should pcall instead?
- cider_mmdb, err = maxminddb.open(fname)
- if not cider_mmdb then
- core.Alert("Failed to load MMDB file: " .. tostring(err))
- return
- end
-
- core.Info("Successfully loaded MMDB file: " .. fname)
-end)
-
--- http-request lua.cidergrinder_mmdb_lookup
--- Sets the variable "sess.cidergrinder_mmdb_result" to the value of the
--- "proxy" field in the MMDB record for the client IP, if it exists.
--- Otherwise leaves it unset.
-core.register_action("cidergrinder_mmdb_lookup", { "http-req", "tcp-req" }, function(txn)
- if not cider_mmdb then
- return
- end
-
- local ip = txn.f:src()
- local ok, result, status = pcall(cider_mmdb.lookup, cider_mmdb, ip)
- if not ok then
- return
- end
-
- local ok, result = pcall(cider_mmdb.get, result, "proxy")
- if ok and result then
- txn:set_var("sess.cidergrinder_mmdb_result", result)
- end
-end)
- Package[lua5.4-ciderbloom]
- Parameters differences:
--- Package[lua5.4-ciderbloom].orig
+++ Package[lua5.4-ciderbloom]
- ensure => installed
- provider => apt
- File[/etc/haproxy/lua/cidergrinder_bloom.lua]
- Parameters differences:
--- File[/etc/haproxy/lua/cidergrinder_bloom.lua].orig
+++ File[/etc/haproxy/lua/cidergrinder_bloom.lua]
- ensure => file
- owner => haproxy
- mode => 0644
- require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-ciderbloom]']
- notify => Service[haproxy]
- group => haproxy
- before => Service[haproxy]
- Content differences:
--- /etc/haproxy/lua/cidergrinder_bloom.lua.orig
+++ /etc/haproxy/lua/cidergrinder_bloom.lua
@@ -1,123 +0,0 @@
--- Bloom filter lookup action for HAProxy
--- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER
--- SPDX-License-Identifier: GPL-3.0-or-later
--- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation
-
-local Bloom = require("bloom") -- our C library
-
--- Global bloom filter instance
-local bloom_filter = nil
-local expected_payload_hash = nil
-
-local args = table.pack(...)
-
-core.register_init(function()
- if #args < 1 then
- core.Alert("Bloom filter file name not provided")
- return
- end
-
- local fname = args[1]
- local file = io.open(fname, "rb") -- file io allowed in init context
- if not file then
- core.Alert("Failed to open bloom filter file: " .. fname)
- return
- end
-
- -- Parse the headers, make note of the checksum
- -- Example file contents:
- -- PUT /spur.bloom CIDERBLOOM/0.1\r\n
- -- Bits: 1234567\r\n
- -- Hashes: 13\r\n
- -- Payload-Xxhash3: abcdef1234567890\r\n
- -- Other-user-defined-metadata: value\r\n
- -- \r\n[binary data begins]
-
- -- check the header line, should contain "CIDERBLOOM/0.1"
- local header = file:read("*l")
- if not header or not header:match("CIDERBLOOM/0%.1") then
- core.Alert("Invalid bloom filter file header: " .. tostring(header))
- file:close()
- return
- end
-
- local hdrs = {}
- -- parse key: value lines until we hit an empty line
- -- (keys will never contain whitespace or colons)
- while true do
- local line = file:read("*l")
- if not line or line == "" or line == "\r" then
- break
- end
- local key, value = line:match("^(.-):%s*(.-)%s*$")
- if key and value then
- key = key:lower()
- hdrs[key] = value
- end
- end
-
- if not hdrs["bits"] or not hdrs["hashes"] then
- core.Alert("Unable to load Bloom filter -- missing required metadata")
- file:close()
- return
- end
-
- if hdrs["payload-xxhash3"] then
- local hash = tonumber(hdrs["payload-xxhash3"], 16)
- expected_payload_hash = hash
- end
-
--- TODO: we could take an expected granularity as an arg from the config file and
--- crosscheck that against the x-granularity header.
-
- local bits = tonumber(hdrs["bits"])
- local hashes = tonumber(hdrs["hashes"])
- if not bits or not hashes then
- core.Alert("Invalid bloom filter header values")
- file:close()
- return
- end
-
- core.Debug("File payload offset: " .. file:seek("cur", 0))
-
- local ok, bf_or_err = pcall(Bloom.open, file, bits, hashes)
- -- Safe to close the file on error or success; mmap() has our back.
- file:close()
- if not ok then
- core.Alert("Failed to initialize bloom filter from file: " .. fname .. " (" .. tostring(bf_or_err) .. ")")
- bloom_filter = nil
- return
- end
- bloom_filter = bf_or_err
-
- if expected_payload_hash then
- local hash = bloom_filter:checksum()
- if hash ~= expected_payload_hash then
- core.Alert(string.format("Unloading the Bloom filter! checksum mismatch: expected %016x, got %016x", expected_payload_hash, hash))
- bloom_filter = nil
- else
- core.Debug(string.format("Bloom filter checksum matches expected value: %016x", hash))
- end
- else
- core.Warning("Bloom filter metadata lacks payload-xxhash3; skipping integrity check")
- end
-
- core.Info(string.format("Bloom filter %s loaded OK! parameters: bits=%d, hashes=%d", fname, bits, hashes))
-end)
-
--- `http-request lua.bloom_lookup`
--- expects var(sess.prehashed) to be set to a hash value to check against the bloom filter
--- sets var(sess.bloom_result) to true or false based on the lookup
-core.register_action("bloom_lookup", { "http-req", "tcp-req" }, function(txn)
- if not bloom_filter then
- return
- end
-
- local h = txn:get_var("sess.prehashed")
- if h then
- local r = bloom_filter:contains_hashval(h)
- txn:set_var("sess.bloom_result", r)
- end
-end)
-
-core.Info("Bloom filter action registered")
- Class[Haproxy]
- Parameters differences:
--- Class[Haproxy].orig
+++ Class[Haproxy]
@@
- config_content => # Note: This file is managed by puppet.
global
user haproxy
group haproxy
stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin
log /var/lib/haproxy/dev/log local0 info
log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info
tune.http.logurilen 2048
# do not keep old processes longer than 1m after a reload
hard-stop-after 1m
set-dumpable
nbthread 48
# NB: mapping too many cores (>~60) will cause HAProxy to complain about
# too long of a line and fail to start
cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94
tune.lua.bool-sample-conversion pre-3.1-bug
lua-prepend-path /etc/haproxy/lua/private/?.lua
lua-load-per-thread /etc/haproxy/lua/private/main.lua
lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua
tune.ssl.capture-buffer-size 96
lua-load-per-thread /etc/haproxy/lua/ja3n.lua
lua-load-per-thread /etc/haproxy/lua/ja4h.lua
lua-load-per-thread /etc/haproxy/lua/utf8ps.lua
lua-load-per-thread /etc/haproxy/lua/contact_info.lua
lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb
lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ssl-dh-param-file /etc/ssl/dhparam.pem
tune.ssl.cachesize 512000
tune.ssl.lifetime 86400
maxconn 200000
tune.h2.header-table-size 4096
tune.h2.max-concurrent-streams 100
defaults
mode http
log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts"
log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"]
option dontlognull
option accept-unsafe-violations-in-http-request
option accept-unsafe-violations-in-http-response
option http-ignore-probes
retries 1
timeout connect 50000
timeout client 500000
timeout server 500000
+ config_content => # Note: This file is managed by puppet.
global
user haproxy
group haproxy
stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin
log /var/lib/haproxy/dev/log local0 info
log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info
tune.http.logurilen 2048
# do not keep old processes longer than 1m after a reload
hard-stop-after 1m
set-dumpable
nbthread 48
# NB: mapping too many cores (>~60) will cause HAProxy to complain about
# too long of a line and fail to start
cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94
tune.lua.bool-sample-conversion pre-3.1-bug
lua-prepend-path /etc/haproxy/lua/private/?.lua
lua-load-per-thread /etc/haproxy/lua/private/main.lua
lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua
tune.ssl.capture-buffer-size 96
lua-load-per-thread /etc/haproxy/lua/ja3n.lua
lua-load-per-thread /etc/haproxy/lua/ja4h.lua
lua-load-per-thread /etc/haproxy/lua/utf8ps.lua
lua-load-per-thread /etc/haproxy/lua/contact_info.lua
ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ssl-dh-param-file /etc/ssl/dhparam.pem
tune.ssl.cachesize 512000
tune.ssl.lifetime 86400
maxconn 200000
tune.h2.header-table-size 4096
tune.h2.max-concurrent-streams 100
defaults
mode http
log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts"
log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"]
option dontlognull
option accept-unsafe-violations-in-http-request
option accept-unsafe-violations-in-http-response
option http-ignore-probes
retries 1
timeout connect 50000
timeout client 500000
timeout server 500000