{"host": "registry1004.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 2930, "only_in_self": [], "only_in_other": ["File[/etc/nginx/registry-nginx-common-catalog-settings.conf]", "File[/etc/nginx/registry-nginx-common-proxy-settings.conf]"], "resource_diffs": [{"resource": "File[/etc/nginx/registry-nginx-common-catalog-settings.conf]", "parameters": "--- File[/etc/nginx/registry-nginx-common-catalog-settings.conf].orig\n+++ File[/etc/nginx/registry-nginx-common-catalog-settings.conf]\n\n+    before  => Service[nginx]\n+    mode    => 0444\n+    require => Package[nginx]\n+    group   => root\n+    ensure  => present\n+    source  => puppet:///modules/docker_registry/registry-nginx-common-catalog-settings.conf\n+    owner   => root\n"}, {"resource": "File[/etc/nginx/sites-available/registry]", "content": "--- /etc/nginx/sites-available/registry.orig\n+++ /etc/nginx/sites-available/registry\n@@ -733,20 +733,7 @@\n       auth_basic_user_file /etc/nginx/restricted-read.htpasswd;\n \n       proxy_pass http://registry-restricted;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n \n     }\n \n@@ -758,20 +745,7 @@\n       deny all;\n \n       proxy_pass http://registry-restricted;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n     location ~ ^/v2/ml/.* {\n@@ -787,20 +761,7 @@\n       # This covers GET/HEAD requests to /v2/ml/\n \n       proxy_pass http://registry-ml;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n \n     }\n \n@@ -812,20 +773,7 @@\n       deny all;\n \n       proxy_pass http://registry-ml;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n     # Capture the original request path here so we can pass it to\n@@ -854,46 +802,11 @@\n       }\n \n       proxy_pass http://registry-swift;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n-\n-      # But cache the _catalog endpoint for a few mins as it's pretty expensive\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n+\n       location ~ ^/v2/_catalog$ {\n-        add_header 'Cache-Control' 'public,s-maxage=600,max-age=600' always;\n-        add_header 'Vary' 'Accept' always;\n         proxy_pass http://registry-swift;\n-\n-        # Limit the calls to the catalog to internal IPs only, to prevent\n-        # abuse from the outside Internet. Fetching the catalog ends up\n-        # in a datastore scan to find the available repositories\n-        # (at the time of writing, through LIST commands to Swift).\n-        #\n-        # The set_real_ip_from directives are used to list from\n-        # what ranges of IPs we trust to override $remote_addr.\n-        set_real_ip_from 10.0.0.0/8;\n-        set_real_ip_from 2620:0:860::/46;\n-        # The real_ip_header specifies what is the HTTP request header\n-        # containing the IP address that overrides (if any) $remote_addr\n-        real_ip_header X-Client-Ip;\n-        # We then trust only internal IPv4 addresses, or IPv6 addresses\n-        # that are global but belonging to the Wikimedia subnet.\n-        allow 10.0.0.0/8;\n-        allow 2620:0:860::/46;\n-        allow ::1/128;\n-        allow 127.0.0.1/32;\n-        deny all;\n+        include /etc/nginx/registry-nginx-common-catalog-settings.conf;\n       }\n \n     }"}, {"resource": "File[/etc/nginx/registry-nginx-common-proxy-settings.conf]", "parameters": "--- File[/etc/nginx/registry-nginx-common-proxy-settings.conf].orig\n+++ File[/etc/nginx/registry-nginx-common-proxy-settings.conf]\n\n+    before  => Service[nginx]\n+    mode    => 0444\n+    require => Package[nginx]\n+    group   => root\n+    ensure  => present\n+    source  => puppet:///modules/docker_registry/registry-nginx-common-proxy-settings.conf\n+    owner   => root\n"}, {"resource": "File[/etc/nginx/registry-nginx-cache.conf]", "parameters": "--- File[/etc/nginx/registry-nginx-cache.conf].orig\n+++ File[/etc/nginx/registry-nginx-cache.conf]\n\n@@\n-    mode => 0744\n+    mode => 0444\n"}, {"resource": "Nginx::Site[registry]"}], "perc_changed": "0.24%"}, "core": {"total": 2930, "only_in_self": [], "only_in_other": ["File[/etc/nginx/registry-nginx-common-catalog-settings.conf]", "File[/etc/nginx/registry-nginx-common-proxy-settings.conf]"], "resource_diffs": [{"resource": "File[/etc/nginx/registry-nginx-cache.conf]", "parameters": "--- File[/etc/nginx/registry-nginx-cache.conf].orig\n+++ File[/etc/nginx/registry-nginx-cache.conf]\n\n@@\n-    mode => 0744\n+    mode => 0444\n"}, {"resource": "File[/etc/nginx/sites-available/registry]", "content": "--- /etc/nginx/sites-available/registry.orig\n+++ /etc/nginx/sites-available/registry\n@@ -733,20 +733,7 @@\n       auth_basic_user_file /etc/nginx/restricted-read.htpasswd;\n \n       proxy_pass http://registry-restricted;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n \n     }\n \n@@ -758,20 +745,7 @@\n       deny all;\n \n       proxy_pass http://registry-restricted;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n     location ~ ^/v2/ml/.* {\n@@ -787,20 +761,7 @@\n       # This covers GET/HEAD requests to /v2/ml/\n \n       proxy_pass http://registry-ml;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n \n     }\n \n@@ -812,20 +773,7 @@\n       deny all;\n \n       proxy_pass http://registry-ml;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n     # Capture the original request path here so we can pass it to\n@@ -854,46 +802,11 @@\n       }\n \n       proxy_pass http://registry-swift;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n-\n-      # But cache the _catalog endpoint for a few mins as it's pretty expensive\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n+\n       location ~ ^/v2/_catalog$ {\n-        add_header 'Cache-Control' 'public,s-maxage=600,max-age=600' always;\n-        add_header 'Vary' 'Accept' always;\n         proxy_pass http://registry-swift;\n-\n-        # Limit the calls to the catalog to internal IPs only, to prevent\n-        # abuse from the outside Internet. Fetching the catalog ends up\n-        # in a datastore scan to find the available repositories\n-        # (at the time of writing, through LIST commands to Swift).\n-        #\n-        # The set_real_ip_from directives are used to list from\n-        # what ranges of IPs we trust to override $remote_addr.\n-        set_real_ip_from 10.0.0.0/8;\n-        set_real_ip_from 2620:0:860::/46;\n-        # The real_ip_header specifies what is the HTTP request header\n-        # containing the IP address that overrides (if any) $remote_addr\n-        real_ip_header X-Client-Ip;\n-        # We then trust only internal IPv4 addresses, or IPv6 addresses\n-        # that are global but belonging to the Wikimedia subnet.\n-        allow 10.0.0.0/8;\n-        allow 2620:0:860::/46;\n-        allow ::1/128;\n-        allow 127.0.0.1/32;\n-        deny all;\n+        include /etc/nginx/registry-nginx-common-catalog-settings.conf;\n       }\n \n     }"}], "perc_changed": "0.14%"}, "main": {"total": 2930, "only_in_self": [], "only_in_other": ["File[/etc/nginx/registry-nginx-common-catalog-settings.conf]", "File[/etc/nginx/registry-nginx-common-proxy-settings.conf]"], "resource_diffs": [{"resource": "File[/etc/nginx/registry-nginx-cache.conf]", "parameters": "--- File[/etc/nginx/registry-nginx-cache.conf].orig\n+++ File[/etc/nginx/registry-nginx-cache.conf]\n\n@@\n-    mode => 0744\n+    mode => 0444\n"}, {"resource": "Nginx::Site[registry]"}, {"resource": "File[/etc/nginx/sites-available/registry]", "content": "--- /etc/nginx/sites-available/registry.orig\n+++ /etc/nginx/sites-available/registry\n@@ -733,20 +733,7 @@\n       auth_basic_user_file /etc/nginx/restricted-read.htpasswd;\n \n       proxy_pass http://registry-restricted;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n \n     }\n \n@@ -758,20 +745,7 @@\n       deny all;\n \n       proxy_pass http://registry-restricted;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n     location ~ ^/v2/ml/.* {\n@@ -787,20 +761,7 @@\n       # This covers GET/HEAD requests to /v2/ml/\n \n       proxy_pass http://registry-ml;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n \n     }\n \n@@ -812,20 +773,7 @@\n       deny all;\n \n       proxy_pass http://registry-ml;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n     }\n \n     # Capture the original request path here so we can pass it to\n@@ -854,46 +802,11 @@\n       }\n \n       proxy_pass http://registry-swift;\n-      proxy_redirect off;\n-      proxy_buffering off;\n-      proxy_http_version 1.1;\n-      proxy_set_header Upgrade $http_upgrade;\n-      proxy_set_header Connection $connection_upgrade;\n-      proxy_set_header Proxy-Connection \"Keep-Alive\";\n-      proxy_set_header X-Real-IP $remote_addr;\n-      proxy_set_header X-Forwarded-Proto $scheme;\n-      proxy_set_header Host $host;\n-\n-      proxy_connect_timeout       180;\n-      proxy_send_timeout          180;\n-      proxy_read_timeout          180;\n-      send_timeout                180;\n-\n-      # But cache the _catalog endpoint for a few mins as it's pretty expensive\n+      include /etc/nginx/registry-nginx-common-proxy-settings.conf;\n+\n       location ~ ^/v2/_catalog$ {\n-        add_header 'Cache-Control' 'public,s-maxage=600,max-age=600' always;\n-        add_header 'Vary' 'Accept' always;\n         proxy_pass http://registry-swift;\n-\n-        # Limit the calls to the catalog to internal IPs only, to prevent\n-        # abuse from the outside Internet. Fetching the catalog ends up\n-        # in a datastore scan to find the available repositories\n-        # (at the time of writing, through LIST commands to Swift).\n-        #\n-        # The set_real_ip_from directives are used to list from\n-        # what ranges of IPs we trust to override $remote_addr.\n-        set_real_ip_from 10.0.0.0/8;\n-        set_real_ip_from 2620:0:860::/46;\n-        # The real_ip_header specifies what is the HTTP request header\n-        # containing the IP address that overrides (if any) $remote_addr\n-        real_ip_header X-Client-Ip;\n-        # We then trust only internal IPv4 addresses, or IPv6 addresses\n-        # that are global but belonging to the Wikimedia subnet.\n-        allow 10.0.0.0/8;\n-        allow 2620:0:860::/46;\n-        allow ::1/128;\n-        allow 127.0.0.1/32;\n-        deny all;\n+        include /etc/nginx/registry-nginx-common-catalog-settings.conf;\n       }\n \n     }"}], "perc_changed": "0.17%"}}}