--- Class[Haproxy].orig
+++ Class[Haproxy]
@@
- systemd_content => [Unit]
Description=HAProxy Load Balancer
Documentation=man:haproxy(1)
Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz
After=network-online.target syslog.service
Wants=network-online.target syslog.service
[Service]
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"
EnvironmentFile=-/etc/default/haproxy
ExecStartPre=/usr/local/sbin/tls-check /etc/haproxy-tls-check.cfg
ExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS
ExecStart=/usr/sbin/haproxy -Ws -f ${CONFIG} -p $PIDFILE $EXTRAOPTS
ExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify
LimitNOFILE=500000
LimitCORE=infinity
# haproxy systemd hardening.
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL
# Since we set ProtectSystem=strict, allow access to the below paths.
ReadWritePaths=/run/haproxy
ReadWritePaths=/var/lib/haproxy
ReadWritePaths=/var/tmp/core
[Install]
WantedBy=multi-user.target
+ systemd_content => [Unit]
Description=HAProxy Load Balancer
Documentation=man:haproxy(1)
Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz
After=network-online.target syslog.service
Wants=network-online.target syslog.service
[Service]
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy/haproxy.pid"
EnvironmentFile=-/etc/default/haproxy
ExecStartPre=/usr/local/sbin/tls-check /etc/haproxy-tls-check.cfg
ExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS
ExecStart=/usr/sbin/haproxy -Ws -f ${CONFIG} -p $PIDFILE $EXTRAOPTS
ExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify
LimitNOFILE=500000
LimitCORE=infinity
LimitMEMLOCK=infinity
# haproxy systemd hardening.
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL
# Since we set ProtectSystem=strict, allow access to the below paths.
ReadWritePaths=/run/haproxy
ReadWritePaths=/var/lib/haproxy
ReadWritePaths=/var/tmp/core
[Install]
WantedBy=multi-user.target
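Review bot: The new `LimitMEMLOCK=infinity` line (added after `LimitCORE=infinity` in the `[Service]` block) is the only thing that lets memory locking succeed in this unit, because the `CapabilityBoundingSet` a few lines below omits CAP_IPC_LOCK and an unprivileged `mlock()` is bounded by RLIMIT_MEMLOCK; that coupling to the `enable_mlock => True` flip in Class[Profile::Cache::Haproxy] is not recorded anywhere in the unit and should be, e.g. `# Needed for enable_mlock: without CAP_IPC_LOCK, mlock() is bounded by RLIMIT_MEMLOCK.` Assuming the mlock template does make haproxy pin its memory, `infinity` removes the cap entirely rather than sizing it, so locked pages cannot be reclaimed under host memory pressure; if the working set is predictable, a bounded value would keep the intent of the hardening block that follows, and if `infinity` is deliberate the reason belongs in the same comment. The identical addition appears in the `/lib/systemd/system/haproxy.service` content hunk further down, so the comment should go in the template that renders both rather than in either rendered copy.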
Systemd::Unit[haproxy]
Class[Profile::Cache::Haproxy]
- Parameters differences:
--- Class[Profile::Cache::Haproxy].orig
+++ Class[Profile::Cache::Haproxy]
@@
- enable_mlock => False
+ enable_mlock => True
- File[/lib/systemd/system/haproxy.service]
- Content differences:
--- /lib/systemd/system/haproxy.service.orig
+++ /lib/systemd/system/haproxy.service
@@ -19,6 +19,7 @@
Type=notify
LimitNOFILE=500000
LimitCORE=infinity
+LimitMEMLOCK=infinity
# haproxy systemd hardening.
NoNewPrivileges=true
- Systemd::Service[haproxy]
Relevant files