Skip to main content

Browse the archive

https://github.com/wikimedia/operations-puppet
12 April 2024, 10:39:33 UTC
sort by:
Revision Author Date Message Commit Date
f10dffe dzahn 01 July 2015, 22:32:53 UTC switch static-bugzilla to backend bromine Move static-bugzilla from zirconium to new backend bromine, a ganeti VM. Bug:T101734 Change-Id: I529d658eb578f4cb2c2a8815def207d07a0e10ce 06 July 2015, 20:32:38 UTC
bd6bc51 YuviPanda 06 July 2015, 20:30:13 UTC ores: Fix conflict on including ores::base Change-Id: I98543886a7e6e37299cafac5a78b9eb70587f4f8 06 July 2015, 20:30:52 UTC
5d7e146 dzahn 03 July 2015, 19:16:25 UTC static-bugzilla: update Apache config for 2.4 Bug:T101734 Change-Id: I91b8d3d9e604fabcecb092b7352c3330f466a722 06 July 2015, 20:28:07 UTC
5085eb2 YuviPanda 06 July 2015, 20:23:31 UTC uwsgi: Do not setup nrpe monitor in labs Change-Id: Ia257354914892516dbf184c58a48a9c66ffe7dd2 06 July 2015, 20:23:31 UTC
888d4f9 YuviPanda 05 July 2015, 15:50:00 UTC ores: worker role to do celery processing Change-Id: Ia8dd63709cb8aaf097881bc7f825683cf1b51ae4 06 July 2015, 20:02:18 UTC
dd8a03f dzahn 06 July 2015, 18:14:43 UTC static-bugzilla: remove role from zirconium Bug:T101734 Change-Id: I48c25926b172740acb0c2a28ab700397b2f4121c 06 July 2015, 19:58:35 UTC
b7cc506 YuviPanda 06 July 2015, 19:54:08 UTC labstore: Remove NFS from puppet3-diffs project Bug: T103760 Change-Id: I58ae88b23098487db9a5067259a3b4d8793d5614 06 July 2015, 19:55:59 UTC
1d4e49e Negative24 06 July 2015, 19:07:48 UTC Revert "hiera: phab-pup-testing ssh on port 222" This reverts commit cb23e9f14c8bba72741fdccb302d0e3dfe54dcf6. Change-Id: Ib79deaa3e246743cb8f5446744ef48772e316fc6 06 July 2015, 19:14:28 UTC
7a93e8e Moritz Mühlenhoff 03 July 2015, 11:19:30 UTC Limit LDAP access to internal Note that the current ldap::firewall rules are not yet activated, they're only defined, but ferm is not enabled on neptunium or nembus Bug: T102481 Change-Id: Idb3bfed0f3677bbfaf2a47e6e4fef4df0523085c 06 July 2015, 19:12:31 UTC
cb23e9f Jamison Lofthouse 06 July 2015, 19:03:35 UTC hiera: phab-pup-testing ssh on port 222 Change-Id: I6d2345903b4b377481e6e7a1261253bf422751da 06 July 2015, 19:03:35 UTC
0e56d5e YuviPanda 06 July 2015, 18:06:24 UTC labstore: Remove nfs from dwl project Bug: T103864 Change-Id: Ia8860946d12df42f4aab57270b8301c55c836b46 06 July 2015, 18:06:51 UTC
d5026a8 cmjohnson 06 July 2015, 16:50:21 UTC Adding labnet1002 to netboot.cfg Change-Id: I7fe35c31043a2d598124f9ce17f45500da8f9ded 06 July 2015, 16:54:36 UTC
ee9f662 Chmarkine 06 July 2015, 16:27:49 UTC HSTS preload for Mediawiki and Wikimediafoundation All subdomains of mediawiki.org and wikimediafoundation.org are covered by the TLS certificate now (If010437c). So they are ready to be preloaded. Bug: T104244 Change-Id: Icb98ddb75a46b7c6d170ec5c4e6eb0c1032d22db 06 July 2015, 16:27:49 UTC
abd1164 Brandon Black 06 July 2015, 16:19:01 UTC Remove dead donate hostnames from redirects This matches up with If010437cc on the DNS side. Bug: T102827 Change-Id: Iad132dd143ad022f6d31fe3a570d70d0b4d42a14 06 July 2015, 16:20:10 UTC
12f4aa5 Giuseppe Lavagetto 06 July 2015, 14:12:28 UTC varnish: enable dynamic directors in ulsfo Bug: T97029 Change-Id: I0d7a6dc3c5d79817a90fbf3761310ee0beee771b 06 July 2015, 15:12:14 UTC
ad629e1 YuviPanda 06 July 2015, 14:19:59 UTC labstore: Remove NFS from cephtest project Bug: T102381 Change-Id: Id701e39000db0de6b41221f8ed27bf791296d642 06 July 2015, 14:20:59 UTC
f52b54c YuviPanda 06 July 2015, 14:12:54 UTC labstore: Delete unneeded exports.d files Change-Id: I1ceb68cbd6ebd4c08cc6efac127ed0e76f3ead29 06 July 2015, 14:17:40 UTC
9b96084 Giuseppe Lavagetto 06 July 2015, 14:08:06 UTC varnish: enable dynamic directors for a subset of ulsfo hosts Bug: T97029 Change-Id: I38588ed362a6545e70228755d37973246a3b7547 06 July 2015, 14:11:23 UTC
7fdad2b YuviPanda 06 July 2015, 12:47:36 UTC labstore: Consolidate NFS exporting into daemon - Rename nfs-projects-daemon to nfs-exports-daemon - Handles public *and* private exports - Simplify puppet setup to reflect new reality Change-Id: Ib5d55e784daa603812a97815b4ef44d9906eb2a1 06 July 2015, 13:55:14 UTC
631377f Antoine Musso 03 July 2015, 13:34:31 UTC Remove Gerrit replication to lanthanum.eqiad.wmnet The host should no more run any slave, and definitely does not run any job still relying on the Gerrit replication. Remove Gerrit replication to lanthanum.eqiad.wmnet. Bug: T86658 Bug: T86661 Change-Id: I63727298916faaded2b5e38c737eb50479669345 06 July 2015, 13:34:36 UTC
8ce752f Antoine Musso 11 June 2015, 10:24:32 UTC contint: do not install zuul on light slaves There is no zuul package for Jessie yet thus applying role::ci::slave::labs::light fails puppet. Move the zuul install out of the common class to the more specific classes. Bug: T94836 Change-Id: I849fa59683f09a99e2a5a5cd058bf9e60faeadce 06 July 2015, 13:30:51 UTC
3e91574 Antoine Musso 11 June 2015, 09:28:09 UTC contint: authdns::lint on light Jessie slave DNS servers migrated to Jessie, we need to switch operations-dns-lint to Jessie. Include authdns::lint on the light slaves. Bug: T98003 Bug: T98737 Change-Id: I8aab9f7905efc0d771de402ee817819f18bc7006 06 July 2015, 13:30:50 UTC
266825a Antoine Musso 11 June 2015, 09:26:20 UTC contint: role::ci::slave::labs::light A light CI labs slave intended to be used for Jessie. We can't yet make them full CI slaves since puppet does not pass (T94836) but this class will let us migrate some specific jobs. Bug: T94836 Change-Id: Ic356b0b694216b1edac627b1462989a858db400a 06 July 2015, 13:30:50 UTC
a43d478 YuviPanda 06 July 2015, 12:21:08 UTC labstore: Fix stupid typo GrumblGrumbl python-jedi autocomplete Change-Id: I64e68a5ba22a69218e48721b9f2a39886025f9f8 06 July 2015, 12:21:08 UTC
f34cfbf YuviPanda 03 July 2015, 19:09:24 UTC labstore: Minor code cleanup of the exports daemon Change-Id: I5f39013beaceee39d2a05fdc1ed43ac92e5ad79e 06 July 2015, 12:15:40 UTC
91f6b8a Ori Livneh 06 July 2015, 05:40:30 UTC misc-varnish: allow HTTP DELETE (for deleting dashboards in tessera) Change-Id: I682a1dadba4b1d0f0f12aafafb6eb2e8091c578e 06 July 2015, 05:42:23 UTC
bff07a3 Brandon Black 04 July 2015, 19:02:08 UTC tlsproxy: add negotiated cipher to conn props The C= parameter would contain one of several different fixed strings, the set of which will evolve over time via ssl_ciphersuites.rb, e.g. "ECDHE-RSA-AES128-GCM-SHA256". This will be interesting to easily sample which ciphers are in use by which clients when looking at varnish logs, and perhaps we could even graph which are in use at all and in what varying percentages. Should be helpful for narrowing down which non-forward-secret options we can eliminate down the road. Change-Id: I85bb78e1435a645cfe9741faf79955bbc3bc5ba0 05 July 2015, 22:17:46 UTC
fd66616 Ori Livneh 05 July 2015, 22:16:23 UTC varnishxcps: transform 'C' key to 'ssl_cipher' Teach varnishxcps about the 'C' key, added by Brandon in I85bb78e143. Change-Id: I5f3fcf87a87a9ca9c37efacf1069b643764e1ac3 05 July 2015, 22:17:46 UTC
d435252 Alex Monk 05 July 2015, 01:39:15 UTC Remove bastion1 and bastion2 from labs bastion hosts list https://wikitech.wikimedia.org/wiki/Special:Diff/163822 Change-Id: I2e4603ddf9a735ef17d685a66b3a46fc21fa09b4 05 July 2015, 15:38:59 UTC
3c2d1f8 YuviPanda 05 July 2015, 15:24:27 UTC ores: Fix scoping issue with src/venv/config paths Change-Id: I8617e36b2d0a3dcda0c1d4c5fd232ceec04f06e0 05 July 2015, 15:24:27 UTC
bb7cf73 YuviPanda 05 July 2015, 15:12:59 UTC ores: Move ores initial install setup into a base class Change-Id: If3d159f187a98240a01148d437e8ca3f6c2fd25e 05 July 2015, 15:12:59 UTC
3586de4 YuviPanda 05 July 2015, 15:09:11 UTC celery: Create simple module for celery workers Only supports debian atm Change-Id: I96133b0f61ff30e3d8e5a10bc773d4e82152db8a 05 July 2015, 15:09:11 UTC
ee5fce3 Giuseppe Lavagetto 05 July 2015, 12:45:28 UTC cassandra: raise heap size to 16Gb Supposedly this should help mitigate a bit the current crazyness. Change-Id: I6142f9b0a1137e05861b96d2f6e11a7accc930df 05 July 2015, 12:45:28 UTC
3007c7b Brandon Black 05 July 2015, 08:14:28 UTC filter S:RI from wm2015register T45250 Change-Id: Ib20e75a6d34f15d119f574c5ea08a7a1232c4e70 05 July 2015, 08:15:15 UTC
1d44c44 Brandon Black 04 July 2015, 20:15:55 UTC update "strong" desc for accuracy Change-Id: I846c826caef403bd8b4c681d57108ce9d343012b 04 July 2015, 20:16:15 UTC
99b3068 Nemo bis 04 July 2015, 12:45:20 UTC planet: Add Josve05a to English Planet Commons comms-aholic guy. https://commons.wikimedia.org/wiki/User:Josve05a Change-Id: I943f8763d0c806ded7ef164d1cd3fe03d259f4ae 04 July 2015, 12:51:18 UTC
82aac94 Moritz Mühlenhoff 22 June 2015, 08:03:51 UTC Blacklist kernel modules Maintain a list of kernel modules blacklisted from autoloading through udev or other automated loading mechanisms. Initially only blacklist overlayfs, but more to follow in a later commit. Bug: T102600 Change-Id: I3325cf131e9e18078bcdf657e14aab0b4ba27872 03 July 2015, 14:36:24 UTC
e862510 Brandon Black 03 July 2015, 12:22:20 UTC ciperhsuites: add 'mid', changes to strong This should be a no-op for live production, as nothing is currently using 'strong'. This creates a new option 'mid', which is the same list that 'strong' had previously, but allows TLSv1.0. The compatibility of such a setup is surprisingly decent, and is kind of an aiming point for where the compat options eventually want to get to. 'strong' is updated to be stronger: TLSv1.2 + ECHDE-based AEAD ciphersuites only. This is the best we have available today in real browsers and servers. If a service really requires that security trumps all things, and is willing to reject insufficiently secure clients that are common in the world, this is your choice. This also limits apache2.2 to 'compat' only (which probably should've been done back when compate-dhe was added). Change-Id: I2960135f17af71eef1785a1d7104755f98f6bbda 03 July 2015, 12:57:28 UTC
b705e3a jcrespo 03 July 2015, 10:39:34 UTC Change replication filters on dbstore hosts to use one per line As it says on the MariaDB documentation, https://mariadb.com/kb/en/mariadb/replication-and-binary-log-server-system-variables/#replicate_wild_do_table "The directive does not accept a comma-delimited list, and needs to be used multiple times to specify multiple wildcard patterns". To be fair, the option is displayed as a comma-separated list, and it is one of the options (if not the only one family of options) where duplicating options do not get overriden by the last one. This mistake caused data loss on some replicas, now fixed. Adding the missing dump/load buffer pool options, as decided on T101009. Bug: T104471 Change-Id: I4216e5905b2241cb20902a80b236c8c08bbb5ae1 03 July 2015, 10:49:26 UTC
5a526d5 dzahn 03 July 2015, 01:11:56 UTC bromine: add standard And this case showed again, do not apply roles to hosts before you finished the initial run that sets up users and SSH keys. Do apply standard first. Then everything else. Change-Id: Ia868223297e06a94b3bfdba78073b35bc514f1de 03 July 2015, 01:48:09 UTC
c156847 Ori Livneh 03 July 2015, 01:38:08 UTC Fix-up for Ia481719de: include 're' Change-Id: I156fb3432d4d62590e85d670ad19f0de9e7d16be 03 July 2015, 01:38:42 UTC
2a90767 Ori Livneh 03 July 2015, 01:23:24 UTC varnishrls: include cache hit / miss stats from X-Cache header Change-Id: Ia481719de23d63c56c8f6bb9d8d89698911846ef 03 July 2015, 01:33:53 UTC
bcbbf32 Ori Livneh 02 July 2015, 23:23:03 UTC varnishlog: allow passing NULL parameter to VCL_Arg() VCL args like '-c' or '-b' don't take a value. Change-Id: I52df58aa519b9683d58ca285456468d67bd68a67 03 July 2015, 00:45:08 UTC
1bdecc1 dzahn 03 July 2015, 00:05:17 UTC static-bugzilla: ensure /srv/org/wikimedia exists Can't just ensure /srv/org/wikimedia/static-bugzilla exists, also need to ensure /srv/org/wikimedia and /srv/org. Puppet will do the right thing though without having to specificy requires. http://www.puppetcookbook.com/posts/creating-a-directory-tree.html Bug:T101734 Change-Id: If5657cc3287ef8a78bdffe2d56f58af092a586fe 03 July 2015, 00:30:56 UTC
da9e336 Marko Obrovac 02 July 2015, 23:23:13 UTC Add the Services team to the contact list for RESTBase HTTP checks Bug: T104656 Change-Id: I1d66a6f0b3f0a08f11b9c9286c6c356f0565a2b4 02 July 2015, 23:24:12 UTC
8f97c58 Ori Livneh 02 July 2015, 21:10:31 UTC add varnish::logging::rls to remaining 2layer varnishes Follows I83e27c954, which added the resource to cp1066. Change-Id: I608385831496f2e8f411a2a15fcb999578951e6c 02 July 2015, 21:10:31 UTC
767dc10 Ori Livneh 02 July 2015, 18:34:20 UTC Add varnish stats reporter for ResourceLoader requests This patch adds an additional Python Varnish log tailer / stats reporter script. Both the script and the Puppetization are nearly identical to the X-Connection-Properties logger script, except the purpose of this one is to log stats about browser cache hit ratio and total request volume for ResourceLoader requests (/w/load.php). Frequently Anticipated Questions: * Why add a new daemon rather than extend varnishxcps to capture these metrics as well? These scripts attain low resource utilisation by using the varnishlog API to subscribe to a tiny subset of the total volume of log records generated by varnish. Combining use-cases requires moving the filtering logic to Python code, which makes CPU utilisation explode. (By comparison, this script uses 1-3% of a single CPU core on cp1066). * Are we going to keep adding such scripts to the Varnishes willy-nily? No. load.php requests are special because (a) they are critical to front-end performance, (b) their performance profile is poorly understood, (c) they are the subject of ongoing research and work by the performance team (Timo, specifically). This patch applies it only on cp1066. Bug: T104277 Change-Id: I83e27c954ff1b490374dcfc202f1499e4fb0e48c 02 July 2015, 20:43:06 UTC
c2c7111 andrewbogott 01 July 2015, 07:13:14 UTC Fix an erb typo Change-Id: I8bb319809abe9c3b2622b3537f11cd7b043bbed5 01 July 2015, 07:13:14 UTC
7ebc10e andrewbogott 23 June 2015, 11:21:45 UTC Switch on salt auto_accept for labs. Rename puppetsigner.py certcleaner.py and remove signing function. Bug: T102504 Change-Id: I2d2e7911d0d3f8cedf7f03b59e86f3855b65e68c 02 July 2015, 20:23:21 UTC
7654a51 YuviPanda 15 June 2015, 16:48:35 UTC puppetmaster: Enable autosigning puppet certs for labs Bug: T102504 Change-Id: I3e121cb4cd034f37393b244c56ac34c4dfd0a98a 02 July 2015, 20:22:44 UTC
1acdb19 Andrew Otto 02 July 2015, 20:17:34 UTC Use new ganglia IPs and Ports for analytics clusters Change-Id: I36d180f3cf29958352cea770841849aa59e7b3c8 02 July 2015, 20:17:34 UTC
8a31987 YuviPanda 02 July 2015, 19:47:17 UTC tools: Dark launch new webserice-new webservices WHEEEEEE! Change-Id: I3660af95612f814df843e1649e589205ac32d98f 02 July 2015, 19:47:47 UTC
28c5b0a cmjohnson 02 July 2015, 19:35:18 UTC Updating mac for labnet1002 in dhcp file Change-Id: I14236c84f1a31ed6075ab5f3076bf64dca5895bc 02 July 2015, 19:35:18 UTC
116b725 YuviPanda 02 July 2015, 18:45:10 UTC labstore: Run exportfs on every run of the daemon - Runs after every daemon run (about once every minute). Hopefully that's not too terrible - This does not support new projects yet - Adds sudo rule for nfsmanager to be able to run exportfs Change-Id: I9fb2df2ccc5e9043c120dda878a2e10422c005b4 02 July 2015, 18:57:40 UTC
2745d77 YuviPanda 02 July 2015, 18:56:08 UTC labstore: Restart nfs projects daemon when source changes Change-Id: I9fa3b41bc53f0d0deab432e73eabf2d03ba81b3f 02 July 2015, 18:57:40 UTC
4005a8d YuviPanda 02 July 2015, 17:18:13 UTC labstore: Do not use tempfils for exports Doesn't give us anything since exportfs reads everything in /etc/exports.d, and we need to explicitly run exportfs anyway Change-Id: I8237f6d1a9f2e54770558e27a4c87f3b6b3feb0c 02 July 2015, 18:24:59 UTC
bf613cd YuviPanda 02 July 2015, 18:10:42 UTC labstore: Enable /home for wikidata-query project Is being used for 'code and data storage' according to Stas. Investigate alternatives later Change-Id: I8786420983188ae6fa004b70f8e5bfa5db97b712 02 July 2015, 18:11:27 UTC
a51fc38 dzahn 01 July 2015, 22:36:16 UTC add new node bromine, add bz-static role Add new node "bromine", a ganeti VM for static misc. services. Apply the bugzilla-static role and base::firewall. Bug:T101734 Change-Id: I4731b5a5551d966d59ac03073c0f16cb093978b0 02 July 2015, 18:03:33 UTC
3755152 YuviPanda 02 July 2015, 17:28:58 UTC labstore: Remove NFS from 'wildcat' project Doesn't seem to have had NFS enabled at any time Change-Id: I71ee6861a07e1052f376792d1e086662085b9445 02 July 2015, 17:28:58 UTC
468f1f7 Ariel T. Glenn 02 July 2015, 16:15:43 UTC iridium: add ipv6 addr Change-Id: I4123e277d0d3f618cc7dd6d31642e48d02cc5aeb 02 July 2015, 16:15:43 UTC
368309d Merlijn van Deen 22 April 2015, 19:04:27 UTC Tools: Simplify and fix mail setup Currently, Puppet tries to install both exim-daemon-light (as part of class standard) and exim4-daemon-heavy (as part of class toollabs::mailrelay). This produces race conditions where /usr/sbin/exim4 does not exist at all, leading to transient errors. In addition, the whole mail setup is complicated and centered around the idea that there can only be one mail relay for the project. At the moment the single mail relay writes its host name to a file on NFS which is then read by the clients. This means that all changes can require two subsequent Puppet runs to take effect, and pointing some instances to another mail relay for testing or load balancing is impossible. This change simplifies the setup and makes it configurable by hiera: For all instances with the class parameter toollabs::is_mail_relay set to the default value of false, toollabs::active_mail_relay points to the relay a client should forward all mail to. In addition, this change adds the toollabs::external_ip and toollabs::external_hostname parameters. Mail hosts should identify with their external hostname when connecting, and we can only provide this information via Hiera at the moment. After merging, ${toollabs::store}/mail-relay should be removed manually Co-Author: Tim Landscheidt <tim@tim-landscheidt.de> Bug: T74867 Change-Id: Icd967c0d8f93427d42a479a4756a6e38f5c1aba0 02 July 2015, 16:13:27 UTC
61c6ac6 Brandon Black 02 July 2015, 16:02:13 UTC Revert "depool cp1065 for thermal stuff: T103226" This reverts commit c5a7e4411fdb8a2dfb31b0f343aa0f1e2e95ee55. Change-Id: Ia37cec6217a30c0bd1b7e20961ec3da515da9c4f 02 July 2015, 16:02:34 UTC
808bd80 Ariel T. Glenn 02 July 2015, 15:59:00 UTC phab dumps rsync using ipv4 client addr Change-Id: Ibad99fc32589a6953a628473c17882d2863273b5 02 July 2015, 15:59:00 UTC
ef430df Ariel T. Glenn 29 June 2015, 16:41:25 UTC rsync of phab dumps from iridium to dataset1001 Bug: T103028 Change-Id: I626acd383cef5515c963468491a0fecdaea7dc49 02 July 2015, 15:44:31 UTC
a26ff49 Brandon Black 02 July 2015, 14:27:46 UTC HSTS: increase to 1y, do not allow applayer override Some applayer things were setting HSTS=1y before, and we were allowing applayer overrides regardless of header value, which is dangerous (especially in the case of includeSubdomains). This moves everything to 1y and always forces varnish override of any applayer HSTS header. Bug: T40516 Change-Id: Ie3f53f99fb9b4dbffff2f02bbc8f5402644f519f 02 July 2015, 15:38:50 UTC
c5a7e44 Brandon Black 02 July 2015, 15:15:58 UTC depool cp1065 for thermal stuff: T103226 Change-Id: I5feaff008055927d36b7d8cc8648b5a712de9baf 02 July 2015, 15:16:14 UTC
0d92028 Merlijn van Deen 02 July 2015, 15:09:15 UTC labstore: enable NFS mounts for toolsbeta to keep config in sync with tools Change-Id: Iab705df55504a99817fa75f1a2ade6d02b37832e 02 July 2015, 15:11:17 UTC
f038395 YuviPanda 02 July 2015, 14:54:27 UTC labstore: Fix implicit cyclic dependency group => implies a dependency and bam cycle! Change-Id: I69cea9ea42b5ea4f93eaad03ad81daac708d19be 02 July 2015, 14:54:27 UTC
a90f47d YuviPanda 02 July 2015, 14:41:09 UTC labstore: Rename and sacrifice to Lord Puppet Change-Id: I8e2260ffe157f358b6c1d0a1401d1e99edb257b6 02 July 2015, 14:41:09 UTC
1d0686b Faidon Liambotis 02 July 2015, 14:36:47 UTC contint: remove doc.mediawiki.org Apache vhost doc.mediawiki.org is pointed to the main cluster and handled in redirects.dat/conf separately. This VirtualHost was unused cruft. Change-Id: I49858e9cc1005d466cc576dd386bc59d65e1b29a 02 July 2015, 14:38:14 UTC
e2b31cf Faidon Liambotis 02 July 2015, 14:28:51 UTC mediawiki: remove HSTS from donate's Apache config Superseded by our site-wide Varnish config; confusing to also have it here. Change-Id: I18292070bace394a41009f5c8b3ea1a864adf026 02 July 2015, 14:38:14 UTC
1c8d27f YuviPanda 30 June 2015, 16:08:34 UTC labstore: Rewrite of manage-nfs-volumes-daemon Functionality required for this deamon: - ALlow instances in projects with NFS enabled to be able to mount the volumes enabled, explicitly via whitelisting their IPs. - Make sure that IP reuse does not leak NFS exports from one project to another To do so, this has to: - Gather list of projects with NFS enabled - Generate entries in exports.d with appropriate IP whitelist (and appropriate gid set) This version does not depend on LDAP at all, using a YAML file to figure out list of projects with NFS enabled and a wikitech API call to find list of instances. Switches to python3, since that is available in jessie and gives us ipaddress package for free. Also refactor the priavte / public exports into separate classes. This allows working NFS for currently existing projects. A follow up commit is required to: - Make sure that doing this for brand new projects works - might require understanding what sync-exports does - Clean up exports entries for projects that do not have NFS enabled anymore. Bug: T102782 Change-Id: I294a0cb31d7f5f7c598761b905b6c6c62acdcb8e 02 July 2015, 14:31:15 UTC
76b5f31 Chmarkine 02 July 2015, 10:13:13 UTC Wikidata - HSTS include subdomains and preload wikidata.org only has four subdomains, all of which don't have certificate issues. So I believe it's safe to add "includeSubDomains" and "preload" tokens so that it can be preloaded. Bug: T104244 Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349 02 July 2015, 14:24:06 UTC
352b4b7 YuviPanda 30 June 2015, 13:31:22 UTC labstore: Simplify (and expand!) projects-config.yaml - Simplify by dropping all projects that have NFS fully disabled - Expand by adding gids for all projects that do have some form of NFS enabled. This will be used in a future commit to do the NFS exports. Change-Id: I037133c947418fc82a147a768c6a139c071fdafb 02 July 2015, 14:17:19 UTC
aab6ecc andrewbogott 01 July 2015, 00:50:17 UTC Change privs for pdns.conf pdns can still read this file, no problems. Change-Id: If57bbea5fd9592b15a4adf96409c9cd21b724602 01 July 2015, 00:50:17 UTC
5085d81 Filippo Giunchedi 01 July 2015, 22:35:05 UTC cassandra: add team-services for cql failure Bug: T104467 Change-Id: I149d6c601f3e15b5d4025fb2cba5caca278d4a56 02 July 2015, 11:09:49 UTC
00ad36a Giuseppe Lavagetto 02 July 2015, 10:50:34 UTC restbase: check http connections We actually don't have any monitoring on restbase locally, so we at least add monitoring of the pybal's ProxyFetch url. Change-Id: Ie12baad900404faf977f14b6599d9129dca89e07 02 July 2015, 10:54:22 UTC
027447f Moritz Muehlenhoff 18 June 2015, 15:00:12 UTC Allow optional firejail containment for nodejs services. This has been initially tested with mathoid and after we flip the services one-by-one, the firejail conditional can be dropped, making firejail the default for all future node services. The current configuration runs every nodefs service an isolated Linux namespace with - read-only system directories (like /usr or /lib) - private PID space - private /tmp (using tmpfs) - /root and /home/* blacklisted - reduced capabilities: CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN - filtered syscalls: mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, iopl,ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev, sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init kcmp Bug: T101870 Change-Id: I7e9c8d1c3f7d6655bba598938eba885210c9e9d6 02 July 2015, 07:38:11 UTC
ef118be Giuseppe Lavagetto 02 July 2015, 06:12:23 UTC conftool: update etcd hosts list Change-Id: I1228135cc335bb3b39baedd6cb3b6100fb62a2a2 02 July 2015, 06:12:23 UTC
2b06db2 Brandon Black 02 July 2015, 04:40:20 UTC Replace static-hash with hostname normalization This gets rid of the vcl_hash hack to ignore hostnames in requests for /static paths, and replaces it with hostname-normalization to "www.wikimedia.org" in vcl_recv (before hashing occurs). Critically, this must be after redirect-rewrites such as mobile_redirect. Bug: T104532 Change-Id: Ie3ef27739edc7471e77b58364d50ee36c49b7543 02 July 2015, 04:56:18 UTC
7ffb854 BBlack 02 July 2015, 04:29:19 UTC Revert "Fix /static hashing by forcing www.wm.o hostname" This reverts commit 7ae5a4b9fb46ad11329e62ec77310130d4c1d895. Change-Id: I9e3e42996ca571554d86f4cf0226a52fe883f4fd 02 July 2015, 04:29:19 UTC
7ae5a4b Brandon Black 02 July 2015, 03:38:58 UTC Fix /static hashing by forcing www.wm.o hostname Bug: T104532 Change-Id: I055365fd7f4f413b81e37df63a3f93c88b7833f3 02 July 2015, 04:13:05 UTC
e0a1ea2 Brandon Black 02 July 2015, 04:07:17 UTC add (depooled, hwfail) cp3011.esams to conftool-data Change-Id: I23688c059291fb48d7c755b3421b19c72f287558 02 July 2015, 04:07:40 UTC
22a2be7 Ricordisamoa 26 June 2015, 07:58:45 UTC Redirect dartar's cite-o-meter to Tool Labs Change-Id: I6d7d9b2f48baac24b45350122727e7dc605fed23 02 July 2015, 04:04:59 UTC
dfe52e5 dzahn 02 July 2015, 01:48:34 UTC Make relic Toolserver files valid HTML5 follow-up to Id9dfde2a08b3f68 remove the remaining errors to make it valid - declare character encoding at document level - add alt attributes for img elements - remove xmlns attribute before: invalid, 3 errors each after: This document was successfully checked as HTML5! Change-Id: I7467cb034772332eb293db33774fbf15c6dc11f2 02 July 2015, 03:35:11 UTC
cc9679d Ricordisamoa 26 June 2015, 08:12:31 UTC Make relic Toolserver files HTML5 Newer and better liked by the W3C Validator! Change-Id: Id9dfde2a08b3f683356862757535de11d184fcc3 02 July 2015, 01:34:53 UTC
24c1514 Ori Livneh 01 July 2015, 23:38:50 UTC Set `uWSGIForceWSGIScheme https` for all mod_uwsgi webapps Change-Id: Iab5819b50512b57929963d4e724f72dd880cfd2f 02 July 2015, 00:47:16 UTC
356e5a5 dzahn 01 July 2015, 18:11:02 UTC switch analytics and analytics_kafka to ganglia_new Change-Id: Ia2972064d46e1dea74014873f1c6f64da9f9e18f 02 July 2015, 00:41:03 UTC
ab19ecb Glaisher 30 June 2015, 16:45:16 UTC Redirect wikipedia.is to is.wikipedia.org I1ef55365ec13ef failed to due a weird bug. It has now been fixed with I5e2d936ed7ed6e5b2b65319f49893c38c8f9e65b Bug: T103915 Change-Id: Ieb0679029a40ea75ff7b3ea1a821c3c188ee14ab 02 July 2015, 00:26:53 UTC
7594f1f dzahn 01 July 2015, 22:30:11 UTC add bromine as a misc-web backend bromine is a new ganeti VM for misc. services. add it as a backend in for misc-web varnish. Bug:T101734 Change-Id: Ie66625bb8d4d7c7169efde2ec3e34979dfa56ba5 02 July 2015, 00:12:51 UTC
c412c82 Brandon Black 01 July 2015, 23:48:20 UTC bugfixes for b13b9157 (dependencies) Change-Id: I4f50b376a5addfeb2d6f004863963bcc29aac94a 01 July 2015, 23:48:20 UTC
76a5132 Ori Livneh 30 June 2015, 22:32:30 UTC Make Coal's whisper files accessible to Graphite front-ends. Coal exists because I wanted more control over how client-side performance numbers were aggregated than I could get from Graphite and StatSite. There is no reason, though, to limit the visualization of the data to coal-web. So add a symlink. Change-Id: Ic0f17d9889622a96980d747fa924a8562e4fbe91 01 July 2015, 23:40:16 UTC
b13b915 Brandon Black 01 July 2015, 07:13:38 UTC sslcert: replace install_certificate with sslcert::std_cert Change-Id: Ibfe8de42878e6f2ea707fcf4f13dedf106919f68 01 July 2015, 23:38:46 UTC
78a27c1 Filippo Giunchedi 01 July 2015, 23:05:45 UTC tessera: force uwsgi scheme to https let uwsgi know that we're using https to correct links will be generated Bug: T104424 Change-Id: I7b48e96987fafd5d3f8515d2f40bdf1f08472575 01 July 2015, 23:36:03 UTC
b9a36c7 Brandon Black 30 June 2015, 22:30:12 UTC ciphersuites: refactor further, add compat-dhe option Change-Id: Ia0f74cf6cf3d96f13c9c5c8b7c845e826e2da888 01 July 2015, 23:12:18 UTC
1fa3780 Brandon Black 30 June 2015, 21:48:57 UTC tlsproxy: add 2048-bit dhparam file to nginx This was uniquely, securely generated with openssl on production hardware by me. Note that this won't actually get used until we enable a DHE-based cipher. Change-Id: I697c60b18b085c472f3c630bf611f5bf1325005c 01 July 2015, 22:47:48 UTC
2c9b741 Eric Evans 01 July 2015, 21:17:10 UTC increase size of key cache to 400MB The key cache hit rate at 100MB is: * 0.342 restbase1001 * 0.344 restbase1002 * 0.404 restbase1003 * 0.261 restbase1004 * 0.226 restbase1005 * 0.364 restbase1006 Thus, the additional 300MB should be well spent in savings on index reads. Change-Id: I8d15c8618d83a94f5defd31f0639f61de54a717f 01 July 2015, 22:35:36 UTC
9e46090 Matanya Moses 25 June 2015, 22:18:04 UTC access: grant Jdouglas access toanalytics-privatedata-users group bug: T103872 Change-Id: Ia691aeb807d4333660f50f4367340aedcf64c861 01 July 2015, 22:20:15 UTC
4a4f10f Mukunda Modell 01 July 2015, 21:57:54 UTC Bump phabricator release tags refs T104047 Bug: T104047 Change-Id: I9c853d18053e320354ded582045802fcf4990693 01 July 2015, 21:59:48 UTC
56d5591 John F. Lewis 01 July 2015, 19:42:02 UTC add bromine to dhcp bromine is a vm in ganeti which will host static-bugzilla.wm.o Bug:T103604 Change-Id: Idb0e10a2a00ca7b1203b0eceb08ebf25d9299eb9 01 July 2015, 21:58:28 UTC
back to top