--- Class[Adduser].orig
+++ Class[Adduser]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 
'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[confd]', 'Package[python3-toml]', 'Package[etcd-client]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[apparmor]', 'Package[socat]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[kubernetes-client131]', 'Package[kubernetes-master]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 
'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[confd]', 'Package[python3-toml]', 'Package[etcd-client]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[apparmor]', 'Package[socat]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[kubernetes-client131]', 'Package[kubernetes-master]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']
Package[tcp-mss-clamper]
- Parameters differences:
--- Package[tcp-mss-clamper].orig
+++ Package[tcp-mss-clamper]
+ provider => apt
+ ensure => absent
- File[/etc/ferm/conf.d/10_ipip]
- Parameters differences:
--- File[/etc/ferm/conf.d/10_ipip].orig
+++ File[/etc/ferm/conf.d/10_ipip]
+ mode => 0400
+ notify => Service[ferm]
+ owner => root
+ group => root
+ require => File[/etc/ferm/conf.d]
+ ensure => present
+ tag => ferm
- Content differences:
--- /etc/ferm/conf.d/10_ipip.orig
+++ /etc/ferm/conf.d/10_ipip
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_ipip:
+
+domain (ip) {
+ table filter {
+ chain INPUT {
+ saddr 172.16.0.0/12 proto ipencap ACCEPT;
+ }
+ }
+}
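Review bot: The new INPUT rule `saddr 172.16.0.0/12 proto ipencap ACCEPT;` matches only on the outer source prefix, with no `interface` or `daddr` restriction, and the outer source of an IP-in-IP packet is unauthenticated, so it is a weak filter on who may send encapsulated traffic to this host. The same applies to `saddr 0100::/64 proto ipv6 ACCEPT;` in 10_ip6ip6 later in this catalog; 0100::/64 is the RFC 6666 discard-only prefix, so it is presumably a synthetic source chosen by the encapsulator (to be confirmed). If ens13 is the ingress interface, consider scoping both rules to it, e.g. `interface ens13 saddr 172.16.0.0/12 proto ipencap ACCEPT;`, and confirm that decapsulated inner packets still go through the normal INPUT policy when they arrive on the tunnel devices. The generated files do not explain the rule; a one-line comment such as `# outer source range used by the load balancers for IPIP encapsulation` (wording to be checked against the runbook) would tell the next reader why a private range is accepted.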
- Systemd::Unit[tcp-mss-clamper]
- Parameters differences:
--- Systemd::Unit[tcp-mss-clamper].orig
+++ Systemd::Unit[tcp-mss-clamper]
+ override => False
+ require => ['Class[Systemd]']
+ override_filename => puppet-override.conf
+ ensure => absent
+ unit => tcp-mss-clamper
+ restart => False
- Systemd::Timer::Job[prometheus_lvs_realserver_mss]
- Parameters differences:
--- Systemd::Timer::Job[prometheus_lvs_realserver_mss].orig
+++ Systemd::Timer::Job[prometheus_lvs_realserver_mss]
+ logfile_basedir => /var/log
+ fixed_random_delay => False
+ send_mail_only_on_error => True
+ description => Regular job to collect MSS values of realserver endpoints
+ monitoring_enabled => False
+ success_exit_status => []
+ interval => {'start': 'OnCalendar', 'interval': 'minutely'}
+ syslog_match_startswith => True
+ syslog_force_stop => True
+ user => root
+ send_mail => False
+ command => /usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e
+ ignore_errors => False
+ logfile_name => syslog.log
+ monitoring_contact_groups => admins
+ send_mail_to => root@ml-staging-ctrl2001.codfw.wmnet
+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ environment => {}
+ logging_enabled => True
+ ensure => absent
+ logfile_group => root
+ logfile_perms => all
+ private_tmp => False
- Systemd::Timer[prometheus_lvs_realserver_mss]
- Parameters differences:
--- Systemd::Timer[prometheus_lvs_realserver_mss].orig
+++ Systemd::Timer[prometheus_lvs_realserver_mss]
+ fixed_random_delay => False
+ ensure => absent
+ unit_name => prometheus_lvs_realserver_mss.service
+ timer_intervals => [{'start': 'OnCalendar', 'interval': 'minutely'}]
+ splay => 0
+ accuracy => 15sec
- Exec[/usr/sbin/tc qdisc del dev lo clsact]
- Parameters differences:
--- Exec[/usr/sbin/tc qdisc del dev lo clsact].orig
+++ Exec[/usr/sbin/tc qdisc del dev lo clsact]
+ onlyif => /usr/sbin/tc qdisc show dev lo | grep -q clsact
- Monitoring::Service[check_tcp-mss-clamper_status]
- Parameters differences:
--- Monitoring::Service[check_tcp-mss-clamper_status].orig
+++ Monitoring::Service[check_tcp-mss-clamper_status]
+ host => ml-staging-ctrl2001
+ config_dir => /etc/nagios
+ check_command => nrpe_check!check_check_tcp-mss-clamper_status!10
+ description => Check unit status of tcp-mss-clamper
+ migration_task => T407130
+ retry_interval => 1
+ check_interval => 10
+ contact_group => admins
+ critical => False
+ notes_url => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+ retries => 2
+ ensure => absent
+ freshness => 36000
+ passive => False
- File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]
- Parameters differences:
--- File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg].orig
+++ File[/etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg]
+ mode => 0444
+ notify => Service[nagios-nrpe-server]
+ owner => root
+ group => root
+ ensure => absent
+ require => Package[nagios-nrpe-server]
+ tag => nrpe::check
- Content differences:
--- /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg.orig
+++ /etc/nagios/nrpe.d/check_check_tcp-mss-clamper_status.cfg
@@ -0,0 +1,2 @@
+# File generated by puppet. DO NOT edit by hand
+command[check_check_tcp-mss-clamper_status]=/usr/local/lib/nagios/plugins/check_systemd_unit_status tcp-mss-clamper
- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
- Parameters differences:
--- Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)].orig
+++ Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
+ command => /bin/systemctl daemon-reload
+ refreshonly => True
- Systemd::Syslog[prometheus_lvs_realserver_mss]
- Parameters differences:
--- Systemd::Syslog[prometheus_lvs_realserver_mss].orig
+++ Systemd::Syslog[prometheus_lvs_realserver_mss]
+ base_dir => /var/log
+ force_stop => True
+ owner => root
+ log_filename => syslog.log
+ programname_comparison => startswith
+ group => root
+ ensure => absent
+ readable_by => all
- Systemd::Unit[prometheus_ferm_mss.service]
- Parameters differences:
--- Systemd::Unit[prometheus_ferm_mss.service].orig
+++ Systemd::Unit[prometheus_ferm_mss.service]
+ override => False
+ require => ['Class[Systemd]']
+ override_filename => puppet-override.conf
+ ensure => absent
+ unit => prometheus_ferm_mss.service
+ restart => False
- File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]
- Parameters differences:
--- File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom].orig
+++ File[/var/lib/prometheus/node.d/check_check_tcp-mss-clamper_status.prom]
+ owner => root
+ group => root
+ ensure => absent
- File[/etc/ferm/conf.d/10_clamp-mss-ipv6]
- Parameters differences:
--- File[/etc/ferm/conf.d/10_clamp-mss-ipv6].orig
+++ File[/etc/ferm/conf.d/10_clamp-mss-ipv6]
+ mode => 0400
+ notify => Service[ferm]
+ owner => root
+ group => root
+ require => File[/etc/ferm/conf.d]
+ ensure => absent
+ tag => ferm
- Content differences:
--- /etc/ferm/conf.d/10_clamp-mss-ipv6.orig
+++ /etc/ferm/conf.d/10_clamp-mss-ipv6
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_clamp-mss-ipv6:
+
+domain (ip6) {
+ table filter {
+ chain OUTPUT {
+ outerface (ens13 lo) saddr @ipfilter(()) proto tcp sport () tcp-flags (SYN) SYN TCPMSS set-mss 1400;
+ }
+ }
+}
- Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]
- Parameters differences:
--- Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status].orig
+++ Systemd::Timer::Job[nrpe2nodexp-check_tcp-mss-clamper_status]
+ logfile_basedir => /var/log
+ fixed_random_delay => True
+ send_mail_only_on_error => True
+ description => execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.
+ monitoring_enabled => False
+ syslog_identifier => nrpe2nodexp-check_tcp-mss-clamper_status
+ success_exit_status => []
+ group => prometheus-node-exporter
+ interval => [{'start': 'OnUnitInactiveSec', 'interval': '5min'}]
+ syslog_match_startswith => True
+ syslog_force_stop => True
+ splay => 300
+ user => nagios
+ send_mail => False
+ command => /usr/local/bin/nrpe2nodexp --alert-rule-hash "295d6d5dd0a784bb9ba1d5983fd1894f" --timeout 10 --check-command "check_check_tcp-mss-clamper_status"
+ ignore_errors => True
+ logfile_name => syslog.log
+ monitoring_contact_groups => admins
+ send_mail_to => root@ml-staging-ctrl2001.codfw.wmnet
+ monitoring_notes_url => https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+ environment => {}
+ logging_enabled => False
+ ensure => absent
+ logfile_group => root
+ logfile_perms => all
+ private_tmp => False
- Systemd::Unit[prometheus_ferm_mss.timer]
- Parameters differences:
--- Systemd::Unit[prometheus_ferm_mss.timer].orig
+++ Systemd::Unit[prometheus_ferm_mss.timer]
+ override => False
+ require => ['Class[Systemd]']
+ override_filename => puppet-override.conf
+ ensure => absent
+ unit => prometheus_ferm_mss.timer
+ restart => False
- File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]
- Parameters differences:
--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.service].orig
+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.service]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.service (prometheus_lvs_realserver_mss.service)]
+ owner => root
+ group => root
+ ensure => absent
- Content differences:
--- /lib/systemd/system/prometheus_lvs_realserver_mss.service.orig
+++ /lib/systemd/system/prometheus_lvs_realserver_mss.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Regular job to collect MSS values of realserver endpoints
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/prometheus-lvs-realserver-mss -o /var/lib/prometheus/node.d/lvs-realserver-mss.prom -e
- Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]
- Parameters differences:
--- Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f].orig
+++ Prometheus::Alert::Rule[check_check_tcp-mss-clamper_status_295d6d5dd0a784bb9ba1d5983fd1894f]
+ logs => https://logstash.wikimedia.org/app/dashboards#/view/2d343ac0-6df8-11f0-8e08-7fab0da52b33?_g=(filters:!((query:(match_phrase:(event.module:check_check_tcp-mss-clamper_status))),(query:(match_phrase:(host.name:{{$labels.instance|stripPort}})))))
+ site => codfw
+ instance => ops
+ description => NRPE CHECK: Check unit status of tcp-mss-clamper
+ expr => (nagios_nrpe_check_result{alert_rule_hash="295d6d5dd0a784bb9ba1d5983fd1894f",check_name="check_check_tcp-mss-clamper_status", status=~"(WARNING|CRITICAL)", severity=~"(warning|critical)"} > 0) * on (instance) group_left (team) role_owner
+ alert_name => nrpe_Check_unit_status_of_tcp_mss_clamper
+ for => 11m
+ runbook => https://wikitech.wikimedia.org/wiki/LVS#IPIP_encapsulation_experiments
+ dashboard => TODO
+ def_label_whitelst => ['team', 'severity']
+ group => nrpechecks
+ ensure => absent
+ summary => NRPE CHECK: Check unit status of tcp-mss-clamper
+ severity => info
+ team => observability
- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]
- Parameters differences:
--- File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service].orig
+++ File[/lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
+ owner => root
+ group => root
+ ensure => absent
- Content differences:
--- /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service.orig
+++ /lib/systemd/system/nrpe2nodexp-check_tcp-mss-clamper_status.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=execution of nrpe2nodexp for the check_check_tcp-mss-clamper_status command.
+Documentation=https://wikitech.wikimedia.org/wiki/Monitoring/systemd_unit_state
+
+[Service]
+Type=oneshot
+User=nagios
+
+Group=prometheus-node-exporter
+SyslogIdentifier=nrpe2nodexp-check_tcp-mss-clamper_status
+ExecStart=-/usr/local/bin/nrpe2nodexp --alert-rule-hash "295d6d5dd0a784bb9ba1d5983fd1894f" --timeout 10 --check-command "check_check_tcp-mss-clamper_status"
- File[/etc/ferm/conf.d/10_ip6ip6]
- Parameters differences:
--- File[/etc/ferm/conf.d/10_ip6ip6].orig
+++ File[/etc/ferm/conf.d/10_ip6ip6]
+ mode => 0400
+ notify => Service[ferm]
+ owner => root
+ group => root
+ require => File[/etc/ferm/conf.d]
+ ensure => present
+ tag => ferm
- Content differences:
--- /etc/ferm/conf.d/10_ip6ip6.orig
+++ /etc/ferm/conf.d/10_ip6ip6
@@ -0,0 +1,11 @@
+# Autogenerated by puppet. DO NOT EDIT BY HAND!
+#
+# 10_ip6ip6:
+
+domain (ip6) {
+ table filter {
+ chain INPUT {
+ saddr 0100::/64 proto ipv6 ACCEPT;
+ }
+ }
+}
- Service[tcp-mss-clamper]
- Parameters differences:
--- Service[tcp-mss-clamper].orig
+++ Service[tcp-mss-clamper]
+ before => ['Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]']
+ enable => False
+ ensure => stopped
- Exec[disable-rp-filter-ens13]
- Parameters differences:
--- Exec[disable-rp-filter-ens13].orig
+++ Exec[disable-rp-filter-ens13]
+ command => /usr/sbin/sysctl -q net.ipv4.conf.ens13.rp_filter=0
+ unless => /usr/sbin/sysctl -n net.ipv4.conf.ens13.rp_filter |grep -- '0'
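Review bot: Setting `net.ipv4.conf.ens13.rp_filter=0` alone may not change behaviour, because the kernel applies the higher of `conf.all.rp_filter` and the per-interface value, and the `unless` guard would still report success. The guard's `grep -- '0'` is also an unanchored substring match; `unless => /usr/sbin/sysctl -n net.ipv4.conf.ens13.rp_filter | grep -qx 0` states the intent exactly. This is a runtime-only sysctl, so unless it is persisted elsewhere in the catalog (not visible here) the setting reverts at reboot until the next agent run. Turning off reverse-path filtering removes source-address validation on ens13, so a comment at the declaration linking it to the IPIP decapsulation rules would make the trade-off reviewable.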
- File[/lib/systemd/system/tcp-mss-clamper.service]
- Parameters differences:
--- File[/lib/systemd/system/tcp-mss-clamper.service].orig
+++ File[/lib/systemd/system/tcp-mss-clamper.service]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for tcp-mss-clamper.service (tcp-mss-clamper)]
+ owner => root
+ group => root
+ ensure => absent
- Content differences:
--- /lib/systemd/system/tcp-mss-clamper.service.orig
+++ /lib/systemd/system/tcp-mss-clamper.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=eBPF based TCP MSS clamper
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+LimitMEMLOCK=infinity
+ExecStart=/usr/bin/tcp-mss-clamper --ipv4-mss 1440 --ipv6-mss 1400 -p :2200 -s "" -i ens13,lo
+Restart=on-failure
- File_line[rm_post-up_ens13_clsact_ens13]
- Parameters differences:
--- File_line[rm_post-up_ens13_clsact_ens13].orig
+++ File_line[rm_post-up_ens13_clsact_ens13]
+ match => post-up /usr/sbin/tc qdisc add dev ens13 clsact
+ match_for_absence => True
+ path => /etc/network/interfaces
+ ensure => absent
- Ferm::Rule[clamp-mss-ipv4]
- Parameters differences:
--- Ferm::Rule[clamp-mss-ipv4].orig
+++ Ferm::Rule[clamp-mss-ipv4]
+ domain => (ip)
+ desc =>
+ ensure => absent
+ prio => 10
+ rule => outerface (ens13 lo) saddr @ipfilter(()) proto tcp sport () tcp-flags (SYN) SYN TCPMSS set-mss 1440;
+ table => filter
+ chain => OUTPUT
- Augeas[ipip0_set_up]
- Parameters differences:
--- Augeas[ipip0_set_up].orig
+++ Augeas[ipip0_set_up]
+ lens => Interfaces.lns
+ require => Augeas[ipip0_add_up]
+ changes => set up[last()+1] 'ip link set up dev ipip0'
+ incl => /etc/network/interfaces
+ context => /files/etc/network/interfaces/*[. = 'ipip0' and ./family = 'inet']
+ onlyif => match up[. = 'ip link set up dev ipip0'] size == 0
- Exec[/usr/sbin/tc qdisc del dev ens13 clsact]
- Parameters differences:
--- Exec[/usr/sbin/tc qdisc del dev ens13 clsact].orig
+++ Exec[/usr/sbin/tc qdisc del dev ens13 clsact]
+ onlyif => /usr/sbin/tc qdisc show dev ens13 | grep -q clsact
- Augeas[ipip60_add_up]
- Parameters differences:
--- Augeas[ipip60_add_up].orig
+++ Augeas[ipip60_add_up]
+ lens => Interfaces.lns
+ require => Interface::Manual[ipip_ipv6]
+ changes => set up[last()+1] 'ip link add name ipip60 type ip6tnl external'
+ incl => /etc/network/interfaces
+ context => /files/etc/network/interfaces/*[. = 'ipip60' and ./family = 'inet6']
+ onlyif => match up[. = 'ip link add name ipip60 type ip6tnl external'] size == 0
- Class[Profile::Apt]
- Parameters differences:
--- Class[Profile::Apt].orig
+++ Class[Profile::Apt]
@@
- before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 
'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[confd]', 'Package[python3-toml]', 'Package[etcd-client]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[apparmor]', 'Package[socat]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[kubernetes-client131]', 'Package[kubernetes-master]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']
+ before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[dstat]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 
'Package[libicu67]', 'Package[libwsutil12]', 'Package[libwireshark14]', 'Package[libopencsd0]', 'Package[libwiretap11]', 'Package[ruby2.7]', 'Package[python3.9-minimal]', 'Package[python3.9]', 'Package[perl-modules-5.32]', 'Package[libpython3.9]', 'Package[libperl5.32]', 'Package[libpython3.9-minimal]', 'Package[libpython3.9-stdlib]', 'Package[libidn11]', 'Package[libldap-2.4-2]', 'Package[liburing1]', 'Package[libwebp6]', 'Package[libcbor0]', 'Package[libusb-0.1-4]', 'Package[telnet]', 'Package[libruby2.7]', 'Package[libdns-export1110]', 'Package[libisc-export1105]', 'Package[libbpf0]', 'Package[eject]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[libnet-dns-perl]', 'Package[iptables]', 'Package[ferm]', 'Package[ulogd2]', 'Package[conntrack]', 'Package[confd]', 'Package[python3-toml]', 'Package[etcd-client]', 'Package[crictl]', 'Package[containerd]', 'Package[nerdctl]', 'Package[rsyslog-kubernetes]', 'Package[apparmor]', 'Package[socat]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-conftool]', 'Package[python3-poolcounter]', 'Package[tcp-mss-clamper]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[kubernetes-client131]', 'Package[kubernetes-master]', 'Package[kubernetes-node]', 'Package[calicoctl]', 'Package[calico-cni]', 'Package[istio-cni]']
- Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]
- Parameters differences:
--- Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)].orig
+++ Exec[systemd daemon-reload for prometheus_ferm_mss.timer (prometheus_ferm_mss.timer)]
+ command => /bin/systemctl daemon-reload
+ refreshonly => True
- Interface::Ipip[ipip_ipv4]
- Parameters differences:
--- Interface::Ipip[ipip_ipv4].orig
+++ Interface::Ipip[ipip_ipv4]
+ address => 127.0.0.42
+ interface => ipip0
+ family => inet
+ ensure => present
- File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]
- Parameters differences:
--- File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer].orig
+++ File[/lib/systemd/system/prometheus_lvs_realserver_mss.timer]
+ mode => 0444
+ notify => Exec[systemd daemon-reload for prometheus_lvs_realserver_mss.timer (prometheus_lvs_realserver_mss.timer)]
+ owner => root
+ group => root
+ ensure => absent
- Content differences:
--- /lib/systemd/system/prometheus_lvs_realserver_mss.timer.orig
+++ /lib/systemd/system/prometheus_lvs_realserver_mss.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Periodic execution of prometheus_lvs_realserver_mss.service
+
+[Timer]
+Unit=prometheus_lvs_realserver_mss.service
+# Accuracy sets the maximum time interval around the execution time we want to allow
+AccuracySec=15sec
+OnCalendar=minutely
+RandomizedDelaySec=0
+
+[Install]
+WantedBy=multi-user.target
- Rsyslog::Conf[prometheus_ferm_mss]
- Parameters differences:
--- Rsyslog::Conf[prometheus_ferm_mss].orig
+++ Rsyslog::Conf[prometheus_ferm_mss]
+ priority => 40
+ require => File[/var/log/prometheus_ferm_mss]
+ ensure => absent
+ mode => 0444
- Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]
- Parameters differences:
--- Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport].orig
+++ Prometheus::Node_lvs_realserver_mss[lvs_clamped_ipport]
+ ensure => absent
+ clamped_ipport => []
+ outfile => /var/lib/prometheus/node.d/lvs-realserver-mss.prom
- File[/var/log/prometheus_ferm_mss]
- Parameters differences:
--- File[/var/log/prometheus_ferm_mss].orig
+++ File[/var/log/prometheus_ferm_mss]
+ mode => 0755
+ owner => root
+ group => root
+ ensure => absent
+ force => True
+ backup => False
- Interface::Clsact[clsact_lo]
- Parameters differences:
--- Interface::Clsact[clsact_lo].orig
+++ Interface::Clsact[clsact_lo]
+ interface => lo
+ ensure => absent
- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
- Parameters differences:
--- Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)].orig
+++ Exec[systemd daemon-reload for nrpe2nodexp-check_tcp-mss-clamper_status.service (nrpe2nodexp-check_tcp-mss-clamper_status.service)]
+ command => /bin/systemctl daemon-reload
+ refreshonly => True
- File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]
- Parameters differences:
--- File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf].orig
+++ File[/etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf]
+ mode => 0444
+ notify => Service[rsyslog]
+ owner => root
+ group => root
+ ensure => absent
- Content differences:
--- /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf.orig
+++ /etc/rsyslog.d/40-prometheus-lvs-realserver-mss.conf
@@ -0,0 +1,10 @@
+# rsyslog.conf(5) configuration file for services.
+# This file is managed by Puppet.
+if $programname startswith "prometheus_lvs_realserver_mss" then {
+ action(
+ type="omfile" file="/var/log/prometheus_lvs_realserver_mss/syslog.log"
+ fileOwner="root" fileGroup="root"
+ fileCreateMode="0644"
+ )
+ & stop
+}
- Rsyslog::Conf[prometheus_lvs_realserver_mss]
- Parameters differences:
--- Rsyslog::Conf[prometheus_lvs_realserver_mss].orig
+++ Rsyslog::Conf[prometheus_lvs_realserver_mss]
+ priority => 40
+ require => File[/var/log/prometheus_lvs_realserver_mss]
+ ensure => absent
+ mode => 0444
- Interface::Post_up_command[clsact_lo]
- Parameters differences:
--- Interface::Post_up_command[clsact_lo].orig
+++ Interface::Post_up_command[clsact_lo]
+ interface => lo
+ command => /usr/sbin/tc qdisc add dev lo clsact
+ ensure => absent
- Prometheus::Node_ferm_mss[ferm_clamped_ipport]
- Parameters differences: