{"host": "cp1100.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 4092, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "Systemd::Unit[haproxy]"}, {"resource": "File[/lib/systemd/system/haproxy.service]", "content": "--- /lib/systemd/system/haproxy.service.orig\n+++ /lib/systemd/system/haproxy.service\n@@ -19,6 +19,7 @@\n Type=notify\n LimitNOFILE=500000\n LimitCORE=infinity\n+LimitMEMLOCK=infinity\n \n # haproxy systemd hardening.\n NoNewPrivileges=true"}, {"resource": "Systemd::Service[haproxy]"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n@@\n-    enable_mlock => False\n+    enable_mlock => True\n"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    systemd_content => [Unit]\nDescription=HAProxy Load Balancer\nDocumentation=man:haproxy(1)\nDocumentation=file:/usr/share/doc/haproxy/configuration.txt.gz\nAfter=network-online.target syslog.service\nWants=network-online.target syslog.service\n\n[Service]\nEnvironment=\"CONFIG=/etc/haproxy/haproxy.cfg\" \"PIDFILE=/run/haproxy/haproxy.pid\"\nEnvironmentFile=-/etc/default/haproxy\nExecStartPre=/usr/local/sbin/tls-check /etc/haproxy-tls-check.cfg\nExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecStart=/usr/sbin/haproxy -Ws -f ${CONFIG} -p $PIDFILE $EXTRAOPTS\nExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecReload=/bin/kill -USR2 $MAINPID\nKillMode=mixed\nRestart=always\nSuccessExitStatus=143\nType=notify\nLimitNOFILE=500000\nLimitCORE=infinity\n\n# haproxy systemd hardening.\nNoNewPrivileges=true\nPrivateDevices=true\nProtectHome=true\nProtectSystem=strict\nProtectKernelTunables=true\nProtectKernelModules=true\nProtectControlGroups=true\nRestrictNamespaces=true\nRestrictRealtime=true\nSystemCallArchitectures=native\nRestrictAddressFamilies=AF_UNIX AF_INET AF_INET6\nSystemCallFilter=~@clock @cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL\n\n# Since we set ProtectSystem=strict, allow access to the below paths.\nReadWritePaths=/run/haproxy\nReadWritePaths=/var/lib/haproxy\nReadWritePaths=/var/tmp/core\n\n[Install]\nWantedBy=multi-user.target\n\n+    systemd_content => [Unit]\nDescription=HAProxy Load Balancer\nDocumentation=man:haproxy(1)\nDocumentation=file:/usr/share/doc/haproxy/configuration.txt.gz\nAfter=network-online.target syslog.service\nWants=network-online.target syslog.service\n\n[Service]\nEnvironment=\"CONFIG=/etc/haproxy/haproxy.cfg\" \"PIDFILE=/run/haproxy/haproxy.pid\"\nEnvironmentFile=-/etc/default/haproxy\nExecStartPre=/usr/local/sbin/tls-check /etc/haproxy-tls-check.cfg\nExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecStart=/usr/sbin/haproxy -Ws -f ${CONFIG} -p $PIDFILE $EXTRAOPTS\nExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecReload=/bin/kill -USR2 $MAINPID\nKillMode=mixed\nRestart=always\nSuccessExitStatus=143\nType=notify\nLimitNOFILE=500000\nLimitCORE=infinity\nLimitMEMLOCK=infinity\n\n# haproxy systemd hardening.\nNoNewPrivileges=true\nPrivateDevices=true\nProtectHome=true\nProtectSystem=strict\nProtectKernelTunables=true\nProtectKernelModules=true\nProtectControlGroups=true\nRestrictNamespaces=true\nRestrictRealtime=true\nSystemCallArchitectures=native\nRestrictAddressFamilies=AF_UNIX AF_INET AF_INET6\nSystemCallFilter=~@clock @cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL\n\n# Since we set ProtectSystem=strict, allow access to the below paths.\nReadWritePaths=/run/haproxy\nReadWritePaths=/var/lib/haproxy\nReadWritePaths=/var/tmp/core\n\n[Install]\nWantedBy=multi-user.target\n\n"}], "perc_changed": "0.12%"}, "core": {"total": 4092, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/lib/systemd/system/haproxy.service]", "content": "--- /lib/systemd/system/haproxy.service.orig\n+++ /lib/systemd/system/haproxy.service\n@@ -19,6 +19,7 @@\n Type=notify\n LimitNOFILE=500000\n LimitCORE=infinity\n+LimitMEMLOCK=infinity\n \n # haproxy systemd hardening.\n NoNewPrivileges=true"}], "perc_changed": "0.02%"}, "main": {"total": 4092, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/lib/systemd/system/haproxy.service]", "content": "--- /lib/systemd/system/haproxy.service.orig\n+++ /lib/systemd/system/haproxy.service\n@@ -19,6 +19,7 @@\n Type=notify\n LimitNOFILE=500000\n LimitCORE=infinity\n+LimitMEMLOCK=infinity\n \n # haproxy systemd hardening.\n NoNewPrivileges=true"}, {"resource": "Systemd::Unit[haproxy]"}, {"resource": "Systemd::Service[haproxy]"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n@@\n-    enable_mlock => False\n+    enable_mlock => True\n"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    systemd_content => [Unit]\nDescription=HAProxy Load Balancer\nDocumentation=man:haproxy(1)\nDocumentation=file:/usr/share/doc/haproxy/configuration.txt.gz\nAfter=network-online.target syslog.service\nWants=network-online.target syslog.service\n\n[Service]\nEnvironment=\"CONFIG=/etc/haproxy/haproxy.cfg\" \"PIDFILE=/run/haproxy/haproxy.pid\"\nEnvironmentFile=-/etc/default/haproxy\nExecStartPre=/usr/local/sbin/tls-check /etc/haproxy-tls-check.cfg\nExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecStart=/usr/sbin/haproxy -Ws -f ${CONFIG} -p $PIDFILE $EXTRAOPTS\nExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecReload=/bin/kill -USR2 $MAINPID\nKillMode=mixed\nRestart=always\nSuccessExitStatus=143\nType=notify\nLimitNOFILE=500000\nLimitCORE=infinity\n\n# haproxy systemd hardening.\nNoNewPrivileges=true\nPrivateDevices=true\nProtectHome=true\nProtectSystem=strict\nProtectKernelTunables=true\nProtectKernelModules=true\nProtectControlGroups=true\nRestrictNamespaces=true\nRestrictRealtime=true\nSystemCallArchitectures=native\nRestrictAddressFamilies=AF_UNIX AF_INET AF_INET6\nSystemCallFilter=~@clock @cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL\n\n# Since we set ProtectSystem=strict, allow access to the below paths.\nReadWritePaths=/run/haproxy\nReadWritePaths=/var/lib/haproxy\nReadWritePaths=/var/tmp/core\n\n[Install]\nWantedBy=multi-user.target\n\n+    systemd_content => [Unit]\nDescription=HAProxy Load Balancer\nDocumentation=man:haproxy(1)\nDocumentation=file:/usr/share/doc/haproxy/configuration.txt.gz\nAfter=network-online.target syslog.service\nWants=network-online.target syslog.service\n\n[Service]\nEnvironment=\"CONFIG=/etc/haproxy/haproxy.cfg\" \"PIDFILE=/run/haproxy/haproxy.pid\"\nEnvironmentFile=-/etc/default/haproxy\nExecStartPre=/usr/local/sbin/tls-check /etc/haproxy-tls-check.cfg\nExecStartPre=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecStart=/usr/sbin/haproxy -Ws -f ${CONFIG} -p $PIDFILE $EXTRAOPTS\nExecReload=/usr/sbin/haproxy -f ${CONFIG} -c -q $EXTRAOPTS\nExecReload=/bin/kill -USR2 $MAINPID\nKillMode=mixed\nRestart=always\nSuccessExitStatus=143\nType=notify\nLimitNOFILE=500000\nLimitCORE=infinity\nLimitMEMLOCK=infinity\n\n# haproxy systemd hardening.\nNoNewPrivileges=true\nPrivateDevices=true\nProtectHome=true\nProtectSystem=strict\nProtectKernelTunables=true\nProtectKernelModules=true\nProtectControlGroups=true\nRestrictNamespaces=true\nRestrictRealtime=true\nSystemCallArchitectures=native\nRestrictAddressFamilies=AF_UNIX AF_INET AF_INET6\nSystemCallFilter=~@clock @cpu-emulation @keyring @module @obsolete @raw-io @reboot @swap\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL\n\n# Since we set ProtectSystem=strict, allow access to the below paths.\nReadWritePaths=/run/haproxy\nReadWritePaths=/var/lib/haproxy\nReadWritePaths=/var/tmp/core\n\n[Install]\nWantedBy=multi-user.target\n\n"}], "perc_changed": "0.12%"}}}