Compilation results for cp1111.eqiad.wmnet: System changes detected
You can retrieve this result from host.json.
Catalog differences
Summary
| Total Resources: | 3981 |
|---|---|
| Resources added: | 0 |
| Resources removed: | 0 |
| Resources modified: | 6 |
| Change percentage: | 0.15% |
Resources modified
- Class[Haproxy]
- Parameters differences:
--- Class[Haproxy].orig +++ Class[Haproxy] @@ - config_content => # Note: This file is managed by puppet. global user haproxy group haproxy stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin log /var/lib/haproxy/dev/log local0 info log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info tune.http.logurilen 2048 # do not keep old processes longer than 1m after a reload hard-stop-after 1m set-dumpable nbthread 48 warn-blocked-traffic-after 500ms # NB: mapping too many cores (>~60) will cause HAProxy to complain about # too long of a line and fail to start cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94 tune.lua.bool-sample-conversion pre-3.1-bug lua-prepend-path /etc/haproxy/lua/private/?.lua lua-load-per-thread /etc/haproxy/lua/private/main.lua lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua tune.ssl.capture-buffer-size 96 lua-load-per-thread /etc/haproxy/lua/ja3n.lua lua-load-per-thread /etc/haproxy/lua/ja4h.lua lua-load-per-thread /etc/haproxy/lua/utf8ps.lua lua-load-per-thread /etc/haproxy/lua/contact_info.lua lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384 ssl-dh-param-file /etc/ssl/dhparam.pem tune.ssl.cachesize 512000 tune.ssl.lifetime 86400 maxconn 200000 tune.h2.header-table-size 4096 tune.h2.max-concurrent-streams 100 defaults mode http log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts" 
log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"] option dontlognull option accept-unsafe-violations-in-http-request option accept-unsafe-violations-in-http-response option http-ignore-probes retries 1 timeout connect 50000 timeout client 500000 timeout server 500000 + config_content => # Note: This file is managed by puppet. 
global user haproxy group haproxy stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin log /var/lib/haproxy/dev/log local0 info log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info tune.http.logurilen 2048 # do not keep old processes longer than 1m after a reload hard-stop-after 1m set-dumpable nbthread 48 warn-blocked-traffic-after 500ms # NB: mapping too many cores (>~60) will cause HAProxy to complain about # too long of a line and fail to start cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94 tune.lua.bool-sample-conversion pre-3.1-bug lua-prepend-path /etc/haproxy/lua/private/?.lua lua-load-per-thread /etc/haproxy/lua/private/main.lua lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua tune.ssl.capture-buffer-size 96 lua-load-per-thread /etc/haproxy/lua/ja3n.lua lua-load-per-thread /etc/haproxy/lua/ja4h.lua lua-load-per-thread /etc/haproxy/lua/utf8ps.lua lua-load-per-thread /etc/haproxy/lua/contact_info.lua lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384 ssl-dh-param-file /etc/ssl/dhparam.pem tune.ssl.cachesize 512000 tune.ssl.lifetime 86400 maxconn 200000 tune.h2.header-table-size 4096 tune.h2.max-concurrent-streams 100 defaults mode http log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts" log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ 
time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ provenance=\"%[var(txn.provenance)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"] option dontlognull option accept-unsafe-violations-in-http-request option accept-unsafe-violations-in-http-response option http-ignore-probes retries 1 timeout connect 50000 timeout client 500000 timeout server 500000
- Class[Profile::Cache::Haproxy]
- Parameters differences:
--- Class[Profile::Cache::Haproxy].orig +++ Class[Profile::Cache::Haproxy] - set_x_provenance => True
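Review bot: `set_x_provenance => True` is dropped from Class[Profile::Cache::Haproxy] with nothing replacing it in this catalog, while the tls.cfg template hunk at @@ -260 still carries `http-request set-header X-Provenance %[var(txn.provenance)] if { var(txn.provenance) -m found }` on both sides of the diff. If removing the parameter means the X-Provenance header is now emitted unconditionally on every cache host, the commit message should say so and any remaining references to the parameter (hiera data, other profiles, the template's own conditionals) should be checked for dangling uses; if the toggle is still meant to exist, this compilation shows a default/data mismatch on cp1111 rather than an intentional removal, and that should be resolved before merging.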
- Confd::File[/etc/haproxy/conf.d/tls.cfg]
- File[/etc/haproxy/haproxy.cfg]
- Content differences:
--- /etc/haproxy/haproxy.cfg.orig +++ /etc/haproxy/haproxy.cfg @@ -43,7 +43,7 @@ defaults mode http log-format "%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts" - log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"] + log-format-sd %{+E}o\ [haproxykafka@0\ server_pid=\"%pid\"\ ip=\"%ci\"\ sequence=\"%rt\"\ dt=\"%tr\"\ time_backend_response=\"%Tr\"\ http_status=\"%ST\"\ response_size=\"%B\"\ termination_state=\"%ts\"\ uri_host=\"%[capture.req.hdr(0),lua.utf8ps]\"\ referer=\"%[capture.req.hdr(1),lua.utf8ps]\"\ user_agent=\"%[capture.req.hdr(2),lua.utf8ps]\"\ accept_language=\"%[capture.req.hdr(3),lua.utf8ps]\"\ range=\"%[capture.req.hdr(4),lua.utf8ps]\"\ accept=\"%[capture.req.hdr(5),lua.utf8ps]\"\ tls=\"%[var(txn.tls)]\"\ cache_status=\"%[var(txn.x_cache_status)]\"\ content_type=\"%[var(txn.content_type)]\"\ x_analytics=\"%[var(txn.x_analytics)]\"\ x_cache=\"%[var(txn.x_cache)]\"\ provenance=\"%[var(txn.provenance)]\"\ backend=\"%[var(txn.server)]\"\ http_method=\"%HM\"\ uri_path=\"%HPO\"\ uri_query=\"%HQ\"] option dontlognull option accept-unsafe-violations-in-http-request
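Review bot: the new `provenance=\"%[var(txn.provenance)]\"` SD-PARAM is emitted without the `lua.utf8ps` converter that every header-derived field in the same `log-format-sd` goes through. That is defensible, since txn.provenance is built from fixed strings, `map_ip` lookups, the MaxMind ISP lookup and the `lua.res_proxy` result rather than from client-controlled headers, and `%{+E}o` already escapes `"`, `\` and `]` to keep the line RFC 5424-clean; still, only the ISP path is bounded (`lua.fetch_isp,lower,bytes(0,64)`), the map and `add_item` paths are not, and ISP names can carry non-ASCII bytes, so either run the value through `lua.utf8ps` like the other string fields or document the expected maximum length against the `len 8192` configured on the haproxykafka socket. Also confirm the consumer of the `haproxykafka@0` SD element accepts the new `provenance` key, which lands between `x_cache` and `backend`. The identical delta appears in the Class[Haproxy] `config_content` parameter diff above; that is the same rendered haproxy.cfg and needs no separate review.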
- File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]
- Content differences:
--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig +++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl 
@@ -168,37 +168,37 @@ # A for net=wikimedia_trust|internal # F for abuse= # E otherwise - http-request set-var(req.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust + http-request set-var(txn.provenance,ifnotexists) str('net=wikimedia-trust') if wikimedia_trust acl is_private_network src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1 - http-request set-var(req.provenance,ifnotexists) str('net=internal') if is_private_network + http-request set-var(txn.provenance,ifnotexists) str('net=internal') if is_private_network # AWS Elastic IPs used by the Wikimedia Enterprise project reported in the following tasks over time: # T255524 T294798 T370294 acl is_wme_client src 3.23.12.83/32 3.211.48.168/32 44.206.140.241/32 35.168.168.219/32 35.172.30.169/32 3.222.74.115/32 - http-request set-var(req.provenance,ifnotexists) str('net=wme') if is_wme_client - http-request set-var(req.trusted_request) str(A) if { var(req.provenance) -m found } + http-request set-var(txn.provenance,ifnotexists) str('net=wme') if is_wme_client + http-request set-var(req.trusted_request) str(A) if { var(txn.provenance) -m found } # check if the IP is included in one of our ipblocks - http-request set-var(req.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map) + http-request set-var(txn.provenance,ifnotexists,ifnotempty) src,map_ip(/etc/haproxy/ipblocks.d/all.map) # ensure that WMCS is marked as trusted. 
- http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(req.provenance) -m sub "cloud=wmcs" } - http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(req.provenance) -m beg "abuse=" } + http-request set-var(req.trusted_request,ifnotexists) str(A) if { var(txn.provenance) -m sub "cloud=wmcs" } + http-request set-var(req.trusted_request,ifnotexists) str(F) if { var(txn.provenance) -m beg "abuse=" } # If everything else failed, find an isp in maxmind - http-request set-var(req.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64) + http-request set-var(txn.provenance,ifnotexists,ifnotempty) lua.fetch_isp,lower,bytes(0,64) # lookup failed - http-request set-var(req.provenance,ifnotset) str('net=unknown') + http-request set-var(txn.provenance,ifnotset) str('net=unknown') http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_text_7days.map) http-request set-var(req.ip_reputation,ifnotexists,ifnotempty) src,map_ip_key(/etc/haproxy/ip-reputation.d/top_10000_ips_requestctl_webrequest_upload_7days.map) - http-request set-var(req.provenance) var(req.provenance),add_item(";",,"top_historical_webrequest=true") if { var(req.ip_reputation) -m found } + http-request set-var(txn.provenance) var(txn.provenance),add_item(";",,"top_historical_webrequest=true") if { var(req.ip_reputation) -m found } # Check if the request originates from a known datacenter. 
http-request lua.is_datacenter - http-request set-var(req.provenance) var(req.provenance),add_item(";",,"datacenter=true") if { var(txn.is_datacenter) -m bool } + http-request set-var(txn.provenance) var(txn.provenance),add_item(";",,"datacenter=true") if { var(txn.is_datacenter) -m bool } http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found } http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found } http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool } - http-request set-var(req.provenance) var(req.provenance),add_item(";",,"likely_resiproxy=true") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool } + http-request set-var(txn.provenance) var(txn.provenance),add_item(";",,"likely_resiproxy=true") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool } http-request lua.res_proxy # sets var txn.res_proxy to `proxy=foo` (or, doesn't) - http-request set-var(req.provenance) var(req.provenance),add_item(";",txn.res_proxy,"") if { var(txn.res_proxy) -m found } + http-request set-var(txn.provenance) var(txn.provenance),add_item(";",txn.res_proxy,"") if { var(txn.res_proxy) -m found } # txn.x_requestctl gets populated by matching requestctl rules. Here, we prepare to log it via # txn.x_analytics. The ifnotexists here is purely defensive. @@ -247,7 +247,7 @@ {{- end }} # Requestctl known-client identification rules are enabled. - # NOTE: known-client rules fetch req.provenance and may set both req.provenance and req.trusted_request. + # NOTE: known-client rules fetch txn.provenance and may set both txn.provenance and req.trusted_request. {{- $path := "/request-haproxy-known-client-dsl/common/eqiad" -}} {{- if not (exists $path) }} 
@@ -260,7 +260,7 @@ {{- end }} # Set X-Provenance to its final authoritative value, if available. - http-request set-header X-Provenance %[var(req.provenance)] if { var(req.provenance) -m found } + http-request set-header X-Provenance %[var(txn.provenance)] if { var(txn.provenance) -m found } # Image provenance. # Set image link generator, possible values are defined by MediaWiki, See:
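Review bot: the req.provenance to txn.provenance move in the @@ -168 hunk is what makes `%[var(txn.provenance)]` usable in `log-format-sd`: req-scoped variables are released once request processing ends and are no longer visible when the log line is built, whereas txn-scoped ones survive through the response and logging phases. The commit message should state that, since otherwise the rename looks cosmetic. The `ifnotexists`/`ifnotset` chain keeps its semantics because a transaction is still a single request/response exchange, but two things remain in req scope, `req.trusted_request` and `req.ip_reputation`, which is fine only as long as nothing in the response phase or the log format reads them. More importantly, the @@ -247 comment now says `known-client rules fetch txn.provenance and may set both txn.provenance and req.trusted_request`, yet the rules themselves come from `/request-haproxy-known-client-dsl/common/eqiad` and are not part of this diff: any requestctl known-client DSL that still writes req.provenance will set a variable nothing reads, and its enrichment will silently disappear from X-Provenance and the log. Check that the generated DSL is updated in lockstep, or make the template fail loudly if a rule still references req.provenance.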
- Haproxy::Confd_site[tls]
Relevant files
- Confd::File[/etc/haproxy/conf.d/tls.cfg]
- Class[Profile::Cache::Haproxy]
- Parameters differences: