--- Prometheus::Alert::Rule[check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status_00e32ad470e657aff39db13cbd480c20].orig
+++ Prometheus::Alert::Rule[check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status_00e32ad470e657aff39db13cbd480c20]
+ severity => info
+ def_label_whitelst => ['team', 'severity']
+ site => eqiad
+ team => observability
+ for => 11m
+ instance => ops
+ expr => (nagios_nrpe_check_result{alert_rule_hash="00e32ad470e657aff39db13cbd480c20",check_name="check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status", status=~"(WARNING|CRITICAL)", severity=~"(warning|critical)"} > 0) * on (instance) group_left (team) role_owner
+ logs => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))
+ dashboard => TODO
+ description => NRPE CHECK: Check unit status of security_group_ssh-from-restricted-bastion_to_project_trove
+ summary => NRPE CHECK: Check unit status of security_group_ssh-from-restricted-bastion_to_project_trove
+ runbook => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ alert_name => nrpe_Check_unit_status_of_security_group_ssh_from_restricted_bastion_to_project_trove
+ group => nrpechecks
+ ensure => absent
Systemd::Monitor[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Systemd::Monitor[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Systemd::Monitor[security_group_ssh-from-restricted-bastion_to_project_trove]
+ check_interval => 10
+ contact_group => admins
+ critical => False
+ notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ migration_task => T407130
+ ensure => present
+ retries => 2
- Service[security_group_ssh-from-restricted-bastion_to_project_trove.timer]
- Parameters differences:
--- Service[security_group_ssh-from-restricted-bastion_to_project_trove.timer].orig
+++ Service[security_group_ssh-from-restricted-bastion_to_project_trove.timer]
+ ensure => running
+ enable => True
+ provider => systemd
- Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service]
- Parameters differences:
--- Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service].orig
+++ Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service]
+ unit => nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service
+ override_filename => puppet-override.conf
+ ensure => absent
+ require => ['Class[Systemd]']
+ restart => False
+ override => False
- File[/lib/systemd/system/security_group_ssh-from-restricted-bastion_to_project_trove.timer]
- Parameters differences:
--- File[/lib/systemd/system/security_group_ssh-from-restricted-bastion_to_project_trove.timer].orig
+++ File[/lib/systemd/system/security_group_ssh-from-restricted-bastion_to_project_trove.timer]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.timer (security_group_ssh-from-restricted-bastion_to_project_trove.timer)]
+ group => root
+ ensure => present
+ owner => root
- Content differences:
--- /lib/systemd/system/security_group_ssh-from-restricted-bastion_to_project_trove.timer.orig
+++ /lib/systemd/system/security_group_ssh-from-restricted-bastion_to_project_trove.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of security_group_ssh-from-restricted-bastion_to_project_trove.service
+
+[Timer]
+Unit=security_group_ssh-from-restricted-bastion_to_project_trove.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=*-*-* *:00/30:00
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target
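Review bot: `RandomizedDelaySec=0` combined with `OnCalendar=*-*-* *:00/30:00` fires the job at exactly :00 and :30 with no jitter. The Cumin_access classes in this catalog list three cloudcontrol hosts; if each of them receives this same timer (only cloudcontrol1006 is visible here), all of them will apply the security group to the same project in the same second. A non-zero `splay` on the Systemd::Timer::Job, for example `splay => 300` as the removed nrpe2nodexp job used, would spread the runs. Otherwise, confirm that the script is safe to run concurrently against the same project.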
- Nrpe::Monitor_service[check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
- Parameters differences:
--- Nrpe::Monitor_service[check_security_group_ssh-from-restricted-bastion_to_project_trove_status].orig
+++ Nrpe::Monitor_service[check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
+ check_interval => 10
+ contact_group => admins
+ critical => False
+ timeout => 10
+ migration_task => T407130
+ alertmanager_team => observability
+ retries => 2
+ description => Check unit status of security_group_ssh-from-restricted-bastion_to_project_trove
+ notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ enable_nrpe2nodexp => False
+ retry_interval => 1
+ ensure => present
+ enable_icinga_check => True
+ nrpe_command => /usr/local/lib/nagios/plugins/check_systemd_unit_status security_group_ssh-from-restricted-bastion_to_project_trove
+ nrpe2nodexp_parse_perf_data => False
- Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.timer]
- Parameters differences:
--- Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.timer].orig
+++ Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.timer]
+ unit => security_group_ssh-from-restricted-bastion_to_project_trove.timer
+ override_filename => puppet-override.conf
+ ensure => present
+ require => ['Class[Systemd]']
+ restart => False
+ override => False
- Class[Openstack::Apply_security_groups]
- Parameters differences:
--- Class[Openstack::Apply_security_groups].orig
+++ Class[Openstack::Apply_security_groups]
+ ensure => present
+ project_and_security_group => {'trove': 'ssh-from-restricted-bastion'}
- Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service)]
- Parameters differences:
--- Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service)]
+ refreshonly => True
+ command => /bin/systemctl daemon-reload
- File[/etc/rsyslog.d/40-security-group-ssh-from-restricted-bastion-to-project-trove.conf]
- Parameters differences:
--- File[/etc/rsyslog.d/40-security-group-ssh-from-restricted-bastion-to-project-trove.conf].orig
+++ File[/etc/rsyslog.d/40-security-group-ssh-from-restricted-bastion-to-project-trove.conf]
+ mode => 0444
+ notify => Service[rsyslog]
+ group => root
+ ensure => present
+ owner => root
- Content differences:
--- /etc/rsyslog.d/40-security-group-ssh-from-restricted-bastion-to-project-trove.conf.orig
+++ /etc/rsyslog.d/40-security-group-ssh-from-restricted-bastion-to-project-trove.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "security_group_ssh-from-restricted-bastion_to_project_trove" then {
+ action(
+ type="omfile" file="/var/log/security_group_ssh-from-restricted-bastion_to_project_trove/syslog.log"
+ fileOwner="root" fileGroup="root"
+ fileCreateMode="0644"
+ )
+ & stop
+}
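Review bot: `fileCreateMode="0644"` makes the log of a root job that runs with the `novadmin` cloud credentials readable by every local account, and the File[/var/log/security_group_ssh-from-restricted-bastion_to_project_trove] section creates the parent directory `0755`. The mode appears to follow from `logfile_perms => all` on the Systemd::Timer::Job and `readable_by => all` on the Systemd::Syslog resource further down, so the change belongs on those parameters rather than in this generated file. If the script's output can ever include API responses or tracebacks, consider `logfile_perms => 'group'` so the file is not created world-readable. I believe the accepted values are user, group and all, but confirm against the define.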
- File[/lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service]
- Parameters differences:
--- File[/lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service)]
+ group => root
+ ensure => absent
+ owner => root
- Content differences:
--- /lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service.orig
+++ /lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=execution of nrpe2nodexp for the check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status command.
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=nagios
+
+Group=prometheus-node-exporter
+SyslogIdentifier=nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status
+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash "00e32ad470e657aff39db13cbd480c20" --timeout 10 --check-command "check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status"
- Service[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer]
- Parameters differences:
--- Service[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer].orig
+++ Service[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer]
+ ensure => stopped
+ enable => False
+ provider => systemd
+ before => ['Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer)]']
- Systemd::Timer[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Systemd::Timer[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Systemd::Timer[security_group_ssh-from-restricted-bastion_to_project_trove]
+ unit_name => security_group_ssh-from-restricted-bastion_to_project_trove.service
+ timer_intervals => [{'start': 'OnCalendar', 'interval': '*-*-* *:00/30:00'}]
+ splay => 0
+ ensure => present
+ fixed_random_delay => False
+ accuracy => 15sec
- Class[Profile::Openstack::Base::Cumin_access]
- Parameters differences:
--- Class[Profile::Openstack::Base::Cumin_access].orig
+++ Class[Profile::Openstack::Base::Cumin_access]
+ openstack_control_nodes => [{'host_fqdn': 'cloudcontrol1006.eqiad.wmnet', 'cloud_private_fqdn': 'cloudcontrol1006.private.eqiad.wikimedia.cloud'}, {'host_fqdn': 'cloudcontrol1007.eqiad.wmnet', 'cloud_private_fqdn': 'cloudcontrol1007.private.eqiad.wikimedia.cloud'}, {'host_fqdn': 'cloudcontrol1011.eqiad.wmnet', 'cloud_private_fqdn': 'cloudcontrol1011.private.eqiad.wikimedia.cloud'}]
+ project_and_security_group_for_cumin_access => {'trove': 'ssh-from-restricted-bastion'}
- Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.timer (security_group_ssh-from-restricted-bastion_to_project_trove.timer)]
- Parameters differences:
--- Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.timer (security_group_ssh-from-restricted-bastion_to_project_trove.timer)].orig
+++ Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.timer (security_group_ssh-from-restricted-bastion_to_project_trove.timer)]
+ refreshonly => True
+ command => /bin/systemctl daemon-reload
+ before => ['Service[security_group_ssh-from-restricted-bastion_to_project_trove.timer]']
- Systemd::Service[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Systemd::Service[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Systemd::Service[security_group_ssh-from-restricted-bastion_to_project_trove]
+ migration_task => T407130
+ monitoring_enabled => False
+ monitoring_critical => False
+ require => Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.service]
+ restart => False
+ override => False
+ monitoring_contact_group => admins
+ service_params => {}
+ unit_type => timer
+ ensure => present
- Systemd::Timer::Job[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Systemd::Timer::Job[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Systemd::Timer::Job[security_group_ssh-from-restricted-bastion_to_project_trove]
+ send_mail => False
+ monitoring_contact_groups => admins
+ send_mail_only_on_error => True
+ logfile_name => syslog.log
+ description => Apply security group ssh-from-restricted-bastion to project trove
+ logging_enabled => True
+ logfile_group => root
+ environment => {}
+ logfile_perms => all
+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ max_runtime_seconds => 890
+ logfile_basedir => /var/log
+ monitoring_enabled => True
+ require => ['File[/usr/local/sbin/add-security-group-to-project]']
+ syslog_match_startswith => True
+ success_exit_status => []
+ command => /usr/local/sbin/add-security-group-to-project --os-cloud novadmin --security-group-name ssh-from-restricted-bastion --project-id trove
+ user => root
+ syslog_force_stop => True
+ ignore_errors => False
+ private_tmp => False
+ ensure => present
+ interval => {'start': 'OnCalendar', 'interval': '*-*-* *:00/30:00'}
+ send_mail_to => root@cloudcontrol1006.eqiad.wmnet
+ fixed_random_delay => False
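Review bot: `private_tmp => False` together with `user => root` leaves this job with no visible filesystem isolation, although it calls the OpenStack API as `novadmin` every 30 minutes. Setting `private_tmp => true` is a cheap hardening step for a script that presumably needs only network access and its cloud configuration. Whether it could also run as a dedicated non-root user depends on who may read the novadmin credentials, which this catalog does not show. The generated security_group_ssh-from-restricted-bastion_to_project_trove.service unit is not part of this diff, so the resulting directives should be checked there.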
- Systemd::Service[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
- Parameters differences:
--- Systemd::Service[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status].orig
+++ Systemd::Service[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
+ migration_task => T407130
+ monitoring_enabled => False
+ monitoring_critical => False
+ require => Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service]
+ restart => False
+ override => False
+ monitoring_contact_group => admins
+ service_params => {}
+ unit_type => timer
+ ensure => absent
- File[/var/lib/prometheus/node.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.prom]
- Parameters differences:
--- File[/var/lib/prometheus/node.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.prom].orig
+++ File[/var/lib/prometheus/node.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.prom]
+ ensure => absent
+ owner => root
+ group => root
- File[/etc/nagios/nrpe.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.cfg]
- Parameters differences:
--- File[/etc/nagios/nrpe.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.cfg].orig
+++ File[/etc/nagios/nrpe.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.cfg]
+ tag => nrpe::check
+ mode => 0444
+ notify => Service[nagios-nrpe-server]
+ group => root
+ ensure => present
+ require => Package[nagios-nrpe-server]
+ owner => root
- Content differences:
--- /etc/nagios/nrpe.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.cfg.orig
+++ /etc/nagios/nrpe.d/check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status.cfg
@@ -0,0 +1,2 @@
+# File generated by puppet. DO NOT edit by hand
+command[check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status security_group_ssh-from-restricted-bastion_to_project_trove
- File[/etc/rsyslog.d/25-nrpe2nodexp-check-security-group-ssh-from-restricted-bastion-to-project-trove-status.conf]
- Parameters differences:
--- File[/etc/rsyslog.d/25-nrpe2nodexp-check-security-group-ssh-from-restricted-bastion-to-project-trove-status.conf].orig
+++ File[/etc/rsyslog.d/25-nrpe2nodexp-check-security-group-ssh-from-restricted-bastion-to-project-trove-status.conf]
+ mode => 0444
+ notify => Service[rsyslog]
+ group => root
+ ensure => absent
+ owner => root
- Content differences:
--- /etc/rsyslog.d/25-nrpe2nodexp-check-security-group-ssh-from-restricted-bastion-to-project-trove-status.conf.orig
+++ /etc/rsyslog.d/25-nrpe2nodexp-check-security-group-ssh-from-restricted-bastion-to-project-trove-status.conf
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: Apache-2.0
+if $programname contains "nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status" then {
+ if ($msg contains "\"ecs.version\": \"1.7.0\"") then {
+ # Send logs to kafka
+ set $.log_outputs = "kafka ecs_170 local";
+ } else {
+ # Filter out non-relevant nrpe2nodexp messages
+ stop
+ }
+}
- Logrotate::Conf[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Logrotate::Conf[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Logrotate::Conf[security_group_ssh-from-restricted-bastion_to_project_trove]
+ ensure => present
- Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.service (security_group_ssh-from-restricted-bastion_to_project_trove.service)]
- Parameters differences:
--- Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.service (security_group_ssh-from-restricted-bastion_to_project_trove.service)].orig
+++ Exec[systemd daemon-reload for security_group_ssh-from-restricted-bastion_to_project_trove.service (security_group_ssh-from-restricted-bastion_to_project_trove.service)]
+ refreshonly => True
+ command => /bin/systemctl daemon-reload
- File[/var/log/security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- File[/var/log/security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ File[/var/log/security_group_ssh-from-restricted-bastion_to_project_trove]
+ force => True
+ mode => 0755
+ backup => False
+ group => root
+ ensure => directory
+ owner => root
- Systemd::Timer::Job[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
- Parameters differences:
--- Systemd::Timer::Job[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status].orig
+++ Systemd::Timer::Job[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
+ syslog_identifier => nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status
+ monitoring_contact_groups => admins
+ send_mail => False
+ send_mail_only_on_error => True
+ logfile_name => syslog.log
+ description => execution of nrpe2nodexp for the check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status command.
+ splay => 300
+ group => prometheus-node-exporter
+ logging_enabled => False
+ logfile_group => root
+ environment => {}
+ logfile_perms => all
+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ logfile_basedir => /var/log
+ monitoring_enabled => False
+ success_exit_status => []
+ syslog_match_startswith => True
+ command => /usr/local/bin/nrpe2nodexp --alert-rule-hash "00e32ad470e657aff39db13cbd480c20" --timeout 10 --check-command "check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status"
+ user => nagios
+ syslog_force_stop => True
+ ignore_errors => True
+ private_tmp => False
+ ensure => absent
+ interval => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]
+ send_mail_to => root@cloudcontrol1006.eqiad.wmnet
+ fixed_random_delay => True
- Monitoring::Service[check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
- Parameters differences:
--- Monitoring::Service[check_security_group_ssh-from-restricted-bastion_to_project_trove_status].orig
+++ Monitoring::Service[check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
+ contact_group => admins
+ check_interval => 10
+ critical => False
+ migration_task => T407130
+ check_command => nrpe_check!check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status!10
+ freshness => 36000
+ host => cloudcontrol1006
+ config_dir => /etc/nagios
+ retries => 2
+ description => Check unit status of security_group_ssh-from-restricted-bastion_to_project_trove
+ notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ passive => False
+ retry_interval => 1
+ ensure => present
- File[/lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer]
- Parameters differences:
--- File[/lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer)]
+ group => root
+ ensure => absent
+ owner => root
- Content differences:
--- /lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer.orig
+++ /lib/systemd/system/nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer
@@ -0,0 +1,14 @@
+[Unit]
+Description=Periodic execution of nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service
+
+[Timer]
+Unit=nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnUnitInactiveSec=5min
+OnActiveSec=1s
+RandomizedDelaySec=300
+FixedRandomDelay=true
+
+[Install]
+WantedBy=multi-user.target
- File[/etc/logrotate.d/security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- File[/etc/logrotate.d/security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ File[/etc/logrotate.d/security_group_ssh-from-restricted-bastion_to_project_trove]
+ ensure => present
+ mode => 0444
+ owner => root
+ group => root
- Content differences:
--- /etc/logrotate.d/security_group_ssh-from-restricted-bastion_to_project_trove.orig
+++ /etc/logrotate.d/security_group_ssh-from-restricted-bastion_to_project_trove
@@ -0,0 +1,12 @@
+# logrotate(8) config for security_group_ssh-from-restricted-bastion_to_project_trove
+
+/var/log/security_group_ssh-from-restricted-bastion_to_project_trove/*.log {
+ daily
+ copytruncate
+ missingok
+ compress
+ delaycompress
+ notifempty
+ rotate 15
+ size 256M
+}
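Review bot: `size 256M` is listed after `daily`, and in logrotate the later of the two criteria takes precedence, so this log is rotated only once it exceeds 256M and the daily schedule is ignored. For a job that writes a few lines every 30 minutes, that likely means the record of security-group changes is never rotated or compressed, and `rotate 15` does not bound retention in days. If the intent is daily rotation with a size cap, `maxsize 256M` expresses that. `copytruncate` can also drop lines written between the copy and the truncate; since rsyslog writes this file, confirm that the loss is acceptable for this log.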
- Systemd::Syslog[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Systemd::Syslog[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Systemd::Syslog[security_group_ssh-from-restricted-bastion_to_project_trove]
+ readable_by => all
+ log_filename => syslog.log
+ owner => root
+ programname_comparison => startswith
+ group => root
+ base_dir => /var/log
+ ensure => present
+ force_stop => True
- Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer)]
- Parameters differences:
--- Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer (nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer)]
+ refreshonly => True
+ command => /bin/systemctl daemon-reload
- Nrpe::Plugin[check_systemd_unit_status]
- Parameters differences:
--- Nrpe::Plugin[check_systemd_unit_status].orig
+++ Nrpe::Plugin[check_systemd_unit_status]
+ source => puppet:///modules/systemd/check_systemd_unit_status
+ ensure => present
- File[/usr/local/sbin/add-security-group-to-project]
- Parameters differences:
--- File[/usr/local/sbin/add-security-group-to-project].orig
+++ File[/usr/local/sbin/add-security-group-to-project]
+ source => puppet:///modules/openstack/nova/add-security-group-to-project.py
+ mode => 0755
+ group => root
+ ensure => present
+ owner => root
- File[/etc/sudoers.d/nrpe-check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
- Parameters differences:
--- File[/etc/sudoers.d/nrpe-check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status].orig
+++ File[/etc/sudoers.d/nrpe-check_check_security_group_ssh-from-restricted-bastion_to_project_trove_status]
+ ensure => absent
+ require => Package[nagios-nrpe-server]
+ owner => root
+ group => root
- Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer]
- Parameters differences:
--- Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer].orig
+++ Systemd::Unit[nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer]
+ unit => nrpe2nodexp-check_security_group_ssh-from-restricted-bastion_to_project_trove_status.timer
+ override_filename => puppet-override.conf
+ ensure => absent
+ require => ['Class[Systemd]']
+ restart => False
+ override => False
- Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.service]
- Parameters differences:
--- Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.service].orig
+++ Systemd::Unit[security_group_ssh-from-restricted-bastion_to_project_trove.service]
+ unit => security_group_ssh-from-restricted-bastion_to_project_trove.service
+ override_filename => puppet-override.conf
+ ensure => present
+ require => ['Class[Systemd]']
+ restart => False
+ override => False
- Class[Profile::Openstack::Eqiad1::Cumin_access]
- Parameters differences:
--- Class[Profile::Openstack::Eqiad1::Cumin_access].orig
+++ Class[Profile::Openstack::Eqiad1::Cumin_access]
+ openstack_control_nodes => [{'host_fqdn': 'cloudcontrol1006.eqiad.wmnet', 'cloud_private_fqdn': 'cloudcontrol1006.private.eqiad.wikimedia.cloud'}, {'host_fqdn': 'cloudcontrol1007.eqiad.wmnet', 'cloud_private_fqdn': 'cloudcontrol1007.private.eqiad.wikimedia.cloud'}, {'host_fqdn': 'cloudcontrol1011.eqiad.wmnet', 'cloud_private_fqdn': 'cloudcontrol1011.private.eqiad.wikimedia.cloud'}]
+ project_and_security_group_for_cumin_access => {'trove': 'ssh-from-restricted-bastion'}
- Rsyslog::Conf[security_group_ssh-from-restricted-bastion_to_project_trove]
- Parameters differences:
--- Rsyslog::Conf[security_group_ssh-from-restricted-bastion_to_project_trove].orig
+++ Rsyslog::Conf[security_group_ssh-from-restricted-bastion_to_project_trove]
+ mode => 0444
+ ensure => present
+ require => File[/var/log/security_group_ssh-from-restricted-bastion_to_project_trove]
+ priority => 40