{"host": "cp1111.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 3981, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -168,37 +168,37 @@\n     # A for net=wikimedia_trust|internal\n     # F for abuse=\n     # E otherwise\n-    http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n+    http-request set-var(txn.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n     acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1\n-    http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network\n+    http-request set-var(txn.provenance,ifnotexists) str('net=internal') if is_private_network\n     # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time:\n     # T255524 T294798 T370294\n     acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32\n-    http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client\n-    http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found }\n+    http-request set-var(txn.provenance,ifnotexists) str('net=wme') if is_wme_client\n+    http-request set-var(req.trusted_request) str(A) if { var(txn.provenance) -m found }\n     # check if the IP is included in one of our ipblocks\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n+    http-request set-var(txn.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n     # ensure that WMCS is marked as trusted.\n-    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub \"cloud=wmcs\" }\n-    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg \"abuse=\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(txn.provenance) -m sub \"cloud=wmcs\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(txn.provenance) -m beg \"abuse=\" }\n     # If everything else failed, find an isp in maxmind\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n+    http-request set-var(txn.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n \n     # lookup failed\n-    http-request set-var(req.provenance,ifnotset) str('net=unknown')\n+    http-request set-var(txn.provenance,ifnotset) str('net=unknown')\n \n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map)\n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n     http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n     http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n     http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n \n     # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via\n     # txn.x_analytics. The ifnotexists here is purely defensive.\n@@ -247,7 +247,7 @@\n     {{- end }}\n \n     # Requestctl known-client identification rules are enabled.\n-    # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request.\n+    # NOTE: known-client rules fetch txn.provenance and may set both txn.provenance and req.trusted_request.\n \n     {{- $path := \"/request-haproxy-known-client-dsl/common/eqiad\" -}}\n     {{- if not (exists $path) }}\n@@ -260,7 +260,7 @@\n     {{- end }}\n \n     # Set X-Provenance to its final authoritative value, if available.\n-    http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found }\n+    http-request set-header X-Provenance %[var(txn.provenance)] if { var(txn.provenance) -m found }\n \n     # Image provenance.\n     # Set image link generator, possible values are defined by MediaWiki, See:"}, {"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n-    set_x_provenance => True\n"}], "perc_changed": "0.10%"}, "core": {"total": 3981, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -168,37 +168,37 @@\n     # A for net=wikimedia_trust|internal\n     # F for abuse=\n     # E otherwise\n-    http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n+    http-request set-var(txn.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n     acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1\n-    http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network\n+    http-request set-var(txn.provenance,ifnotexists) str('net=internal') if is_private_network\n     # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time:\n     # T255524 T294798 T370294\n     acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32\n-    http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client\n-    http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found }\n+    http-request set-var(txn.provenance,ifnotexists) str('net=wme') if is_wme_client\n+    http-request set-var(req.trusted_request) str(A) if { var(txn.provenance) -m found }\n     # check if the IP is included in one of our ipblocks\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n+    http-request set-var(txn.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n     # ensure that WMCS is marked as trusted.\n-    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub \"cloud=wmcs\" }\n-    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg \"abuse=\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(txn.provenance) -m sub \"cloud=wmcs\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(txn.provenance) -m beg \"abuse=\" }\n     # If everything else failed, find an isp in maxmind\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n+    http-request set-var(txn.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n \n     # lookup failed\n-    http-request set-var(req.provenance,ifnotset) str('net=unknown')\n+    http-request set-var(txn.provenance,ifnotset) str('net=unknown')\n \n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map)\n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n     http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n     http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n     http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n \n     # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via\n     # txn.x_analytics. The ifnotexists here is purely defensive.\n@@ -247,7 +247,7 @@\n     {{- end }}\n \n     # Requestctl known-client identification rules are enabled.\n-    # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request.\n+    # NOTE: known-client rules fetch txn.provenance and may set both txn.provenance and req.trusted_request.\n \n     {{- $path := \"/request-haproxy-known-client-dsl/common/eqiad\" -}}\n     {{- if not (exists $path) }}\n@@ -260,7 +260,7 @@\n     {{- end }}\n \n     # Set X-Provenance to its final authoritative value, if available.\n-    http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found }\n+    http-request set-header X-Provenance %[var(txn.provenance)] if { var(txn.provenance) -m found }\n \n     # Image provenance.\n     # Set image link generator, possible values are defined by MediaWiki, See:"}], "perc_changed": "0.03%"}, "main": {"total": 3981, "only_in_self": [], "only_in_other": [], "resource_diffs": [{"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n-    set_x_provenance => True\n"}, {"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -168,37 +168,37 @@\n     # A for net=wikimedia_trust|internal\n     # F for abuse=\n     # E otherwise\n-    http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n+    http-request set-var(txn.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust\n     acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1\n-    http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network\n+    http-request set-var(txn.provenance,ifnotexists) str('net=internal') if is_private_network\n     # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time:\n     # T255524 T294798 T370294\n     acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32\n-    http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client\n-    http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found }\n+    http-request set-var(txn.provenance,ifnotexists) str('net=wme') if is_wme_client\n+    http-request set-var(req.trusted_request) str(A) if { var(txn.provenance) -m found }\n     # check if the IP is included in one of our ipblocks\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n+    http-request set-var(txn.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map)\n     # ensure that WMCS is marked as trusted.\n-    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub \"cloud=wmcs\" }\n-    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg \"abuse=\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(txn.provenance) -m sub \"cloud=wmcs\" }\n+    http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(txn.provenance) -m beg \"abuse=\" }\n     # If everything else failed, find an isp in maxmind\n-    http-request set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n+    http-request set-var(txn.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64)\n \n     # lookup failed\n-    http-request set-var(req.provenance,ifnotset) str('net=unknown')\n+    http-request set-var(txn.provenance,ifnotset) str('net=unknown')\n \n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map)\n     http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"top_historical_webrequest=true\") if { var(req.ip_reputation) -m found }\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n     http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n     http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n     http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n-    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n+    http-request set-var(txn.provenance) var(txn.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n \n     # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via\n     # txn.x_analytics. The ifnotexists here is purely defensive.\n@@ -247,7 +247,7 @@\n     {{- end }}\n \n     # Requestctl known-client identification rules are enabled.\n-    # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request.\n+    # NOTE: known-client rules fetch txn.provenance and may set both txn.provenance and req.trusted_request.\n \n     {{- $path := \"/request-haproxy-known-client-dsl/common/eqiad\" -}}\n     {{- if not (exists $path) }}\n@@ -260,7 +260,7 @@\n     {{- end }}\n \n     # Set X-Provenance to its final authoritative value, if available.\n-    http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found }\n+    http-request set-header X-Provenance %[var(txn.provenance)] if { var(txn.provenance) -m found }\n \n     # Image provenance.\n     # Set image link generator, possible values are defined by MediaWiki, See:"}], "perc_changed": "0.10%"}}}