https://github.com/wikimedia/operations-puppet

Revision Author Date Message Commit Date
3e91574 contint: authdns::lint on light Jessie slave DNS servers migrated to Jessie, we need to switch operations-dns-lint to Jessie. Include authdns::lint on the light slaves. Bug: T98003 Bug: T98737 Change-Id: I8aab9f7905efc0d771de402ee817819f18bc7006 06 July 2015, 13:30:50 UTC
266825a contint: role::ci::slave::labs::light A light CI labs slave intended to be used for Jessie. We can't yet make them full CI slaves since puppet does not pass (T94836) but this class will let us migrate some specific jobs. Bug: T94836 Change-Id: Ic356b0b694216b1edac627b1462989a858db400a 06 July 2015, 13:30:50 UTC
a43d478 labstore: Fix stupid typo GrumblGrumbl python-jedi autocomplete Change-Id: I64e68a5ba22a69218e48721b9f2a39886025f9f8 06 July 2015, 12:21:08 UTC
f34cfbf labstore: Minor code cleanup of the exports daemon Change-Id: I5f39013beaceee39d2a05fdc1ed43ac92e5ad79e 06 July 2015, 12:15:40 UTC
91f6b8a misc-varnish: allow HTTP DELETE (for deleting dashboards in tessera) Change-Id: I682a1dadba4b1d0f0f12aafafb6eb2e8091c578e 06 July 2015, 05:42:23 UTC
bff07a3 tlsproxy: add negotiated cipher to conn props The C= parameter would contain one of several different fixed strings, the set of which will evolve over time via ssl_ciphersuites.rb, e.g. "ECDHE-RSA-AES128-GCM-SHA256". This will be interesting to easily sample which ciphers are in use by which clients when looking at varnish logs, and perhaps we could even graph which are in use at all and in what varying percentages. Should be helpful for narrowing down which non-forward-secret options we can eliminate down the road. Change-Id: I85bb78e1435a645cfe9741faf79955bbc3bc5ba0 05 July 2015, 22:17:46 UTC
fd66616 varnishxcps: transform 'C' key to 'ssl_cipher' Teach varnishxcps about the 'C' key, added by Brandon in I85bb78e143. Change-Id: I5f3fcf87a87a9ca9c37efacf1069b643764e1ac3 05 July 2015, 22:17:46 UTC
d435252 Remove bastion1 and bastion2 from labs bastion hosts list https://wikitech.wikimedia.org/wiki/Special:Diff/163822 Change-Id: I2e4603ddf9a735ef17d685a66b3a46fc21fa09b4 05 July 2015, 15:38:59 UTC
3c2d1f8 ores: Fix scoping issue with src/venv/config paths Change-Id: I8617e36b2d0a3dcda0c1d4c5fd232ceec04f06e0 05 July 2015, 15:24:27 UTC
bb7cf73 ores: Move ores initial install setup into a base class Change-Id: If3d159f187a98240a01148d437e8ca3f6c2fd25e 05 July 2015, 15:12:59 UTC
3586de4 celery: Create simple module for celery workers Only supports debian atm Change-Id: I96133b0f61ff30e3d8e5a10bc773d4e82152db8a 05 July 2015, 15:09:11 UTC
ee5fce3 cassandra: raise heap size to 16Gb Supposedly this should help mitigate a bit the current craziness. Change-Id: I6142f9b0a1137e05861b96d2f6e11a7accc930df 05 July 2015, 12:45:28 UTC
3007c7b filter S:RI from wm2015register T45250 Change-Id: Ib20e75a6d34f15d119f574c5ea08a7a1232c4e70 05 July 2015, 08:15:15 UTC
1d44c44 update "strong" desc for accuracy Change-Id: I846c826caef403bd8b4c681d57108ce9d343012b 04 July 2015, 20:16:15 UTC
99b3068 planet: Add Josve05a to English Planet Commons comms-aholic guy. https://commons.wikimedia.org/wiki/User:Josve05a Change-Id: I943f8763d0c806ded7ef164d1cd3fe03d259f4ae 04 July 2015, 12:51:18 UTC
82aac94 Blacklist kernel modules Maintain a list of kernel modules blacklisted from autoloading through udev or other automated loading mechanisms. Initially only blacklist overlayfs, but more to follow in a later commit. Bug: T102600 Change-Id: I3325cf131e9e18078bcdf657e14aab0b4ba27872 03 July 2015, 14:36:24 UTC
e862510 ciphersuites: add 'mid', changes to strong This should be a no-op for live production, as nothing is currently using 'strong'. This creates a new option 'mid', which is the same list that 'strong' had previously, but allows TLSv1.0. The compatibility of such a setup is surprisingly decent, and is kind of an aiming point for where the compat options eventually want to get to. 'strong' is updated to be stronger: TLSv1.2 + ECDHE-based AEAD ciphersuites only. This is the best we have available today in real browsers and servers. If a service really requires that security trumps all things, and is willing to reject insufficiently secure clients that are common in the world, this is your choice. This also limits apache2.2 to 'compat' only (which probably should've been done back when compat-dhe was added). Change-Id: I2960135f17af71eef1785a1d7104755f98f6bbda 03 July 2015, 12:57:28 UTC
b705e3a Change replication filters on dbstore hosts to use one per line As it says on the MariaDB documentation, https://mariadb.com/kb/en/mariadb/replication-and-binary-log-server-system-variables/#replicate_wild_do_table "The directive does not accept a comma-delimited list, and needs to be used multiple times to specify multiple wildcard patterns". To be fair, the option is displayed as a comma-separated list, and it is one of the options (if not the only one family of options) where duplicating options do not get overridden by the last one. This mistake caused data loss on some replicas, now fixed. Adding the missing dump/load buffer pool options, as decided on T101009. Bug: T104471 Change-Id: I4216e5905b2241cb20902a80b236c8c08bbb5ae1 03 July 2015, 10:49:26 UTC
5a526d5 bromine: add standard And this case showed again, do not apply roles to hosts before you finished the initial run that sets up users and SSH keys. Do apply standard first. Then everything else. Change-Id: Ia868223297e06a94b3bfdba78073b35bc514f1de 03 July 2015, 01:48:09 UTC
c156847 Fix-up for Ia481719de: include 're' Change-Id: I156fb3432d4d62590e85d670ad19f0de9e7d16be 03 July 2015, 01:38:42 UTC
2a90767 varnishrls: include cache hit / miss stats from X-Cache header Change-Id: Ia481719de23d63c56c8f6bb9d8d89698911846ef 03 July 2015, 01:33:53 UTC
bcbbf32 varnishlog: allow passing NULL parameter to VCL_Arg() VCL args like '-c' or '-b' don't take a value. Change-Id: I52df58aa519b9683d58ca285456468d67bd68a67 03 July 2015, 00:45:08 UTC
1bdecc1 static-bugzilla: ensure /srv/org/wikimedia exists Can't just ensure /srv/org/wikimedia/static-bugzilla exists, also need to ensure /srv/org/wikimedia and /srv/org. Puppet will do the right thing though without having to specify requires. http://www.puppetcookbook.com/posts/creating-a-directory-tree.html Bug:T101734 Change-Id: If5657cc3287ef8a78bdffe2d56f58af092a586fe 03 July 2015, 00:30:56 UTC
da9e336 Add the Services team to the contact list for RESTBase HTTP checks Bug: T104656 Change-Id: I1d66a6f0b3f0a08f11b9c9286c6c356f0565a2b4 02 July 2015, 23:24:12 UTC
8f97c58 add varnish::logging::rls to remaining 2layer varnishes Follows I83e27c954, which added the resource to cp1066. Change-Id: I608385831496f2e8f411a2a15fcb999578951e6c 02 July 2015, 21:10:31 UTC
767dc10 Add varnish stats reporter for ResourceLoader requests This patch adds an additional Python Varnish log tailer / stats reporter script. Both the script and the Puppetization are nearly identical to the X-Connection-Properties logger script, except the purpose of this one is to log stats about browser cache hit ratio and total request volume for ResourceLoader requests (/w/load.php). Frequently Anticipated Questions: * Why add a new daemon rather than extend varnishxcps to capture these metrics as well? These scripts attain low resource utilisation by using the varnishlog API to subscribe to a tiny subset of the total volume of log records generated by varnish. Combining use-cases requires moving the filtering logic to Python code, which makes CPU utilisation explode. (By comparison, this script uses 1-3% of a single CPU core on cp1066). * Are we going to keep adding such scripts to the Varnishes willy-nilly? No. load.php requests are special because (a) they are critical to front-end performance, (b) their performance profile is poorly understood, (c) they are the subject of ongoing research and work by the performance team (Timo, specifically). This patch applies it only on cp1066. Bug: T104277 Change-Id: I83e27c954ff1b490374dcfc202f1499e4fb0e48c 02 July 2015, 20:43:06 UTC
c2c7111 Fix an erb typo Change-Id: I8bb319809abe9c3b2622b3537f11cd7b043bbed5 01 July 2015, 07:13:14 UTC
7ebc10e Switch on salt auto_accept for labs. Rename puppetsigner.py certcleaner.py and remove signing function. Bug: T102504 Change-Id: I2d2e7911d0d3f8cedf7f03b59e86f3855b65e68c 02 July 2015, 20:23:21 UTC
7654a51 puppetmaster: Enable autosigning puppet certs for labs Bug: T102504 Change-Id: I3e121cb4cd034f37393b244c56ac34c4dfd0a98a 02 July 2015, 20:22:44 UTC
1acdb19 Use new ganglia IPs and Ports for analytics clusters Change-Id: I36d180f3cf29958352cea770841849aa59e7b3c8 02 July 2015, 20:17:34 UTC
8a31987 tools: Dark launch new webserice-new webservices WHEEEEEE! Change-Id: I3660af95612f814df843e1649e589205ac32d98f 02 July 2015, 19:47:47 UTC
28c5b0a Updating mac for labnet1002 in dhcp file Change-Id: I14236c84f1a31ed6075ab5f3076bf64dca5895bc 02 July 2015, 19:35:18 UTC
116b725 labstore: Run exportfs on every run of the daemon - Runs after every daemon run (about once every minute). Hopefully that's not too terrible - This does not support new projects yet - Adds sudo rule for nfsmanager to be able to run exportfs Change-Id: I9fb2df2ccc5e9043c120dda878a2e10422c005b4 02 July 2015, 18:57:40 UTC
2745d77 labstore: Restart nfs projects daemon when source changes Change-Id: I9fa3b41bc53f0d0deab432e73eabf2d03ba81b3f 02 July 2015, 18:57:40 UTC
4005a8d labstore: Do not use tempfiles for exports Doesn't give us anything since exportfs reads everything in /etc/exports.d, and we need to explicitly run exportfs anyway Change-Id: I8237f6d1a9f2e54770558e27a4c87f3b6b3feb0c 02 July 2015, 18:24:59 UTC
bf613cd labstore: Enable /home for wikidata-query project Is being used for 'code and data storage' according to Stas. Investigate alternatives later Change-Id: I8786420983188ae6fa004b70f8e5bfa5db97b712 02 July 2015, 18:11:27 UTC
a51fc38 add new node bromine, add bz-static role Add new node "bromine", a ganeti VM for static misc. services. Apply the bugzilla-static role and base::firewall. Bug:T101734 Change-Id: I4731b5a5551d966d59ac03073c0f16cb093978b0 02 July 2015, 18:03:33 UTC
3755152 labstore: Remove NFS from 'wildcat' project Doesn't seem to have had NFS enabled at any time Change-Id: I71ee6861a07e1052f376792d1e086662085b9445 02 July 2015, 17:28:58 UTC
468f1f7 iridium: add ipv6 addr Change-Id: I4123e277d0d3f618cc7dd6d31642e48d02cc5aeb 02 July 2015, 16:15:43 UTC
368309d Tools: Simplify and fix mail setup Currently, Puppet tries to install both exim-daemon-light (as part of class standard) and exim4-daemon-heavy (as part of class toollabs::mailrelay). This produces race conditions where /usr/sbin/exim4 does not exist at all, leading to transient errors. In addition, the whole mail setup is complicated and centered around the idea that there can only be one mail relay for the project. At the moment the single mail relay writes its host name to a file on NFS which is then read by the clients. This means that all changes can require two subsequent Puppet runs to take effect, and pointing some instances to another mail relay for testing or load balancing is impossible. This change simplifies the setup and makes it configurable by hiera: For all instances with the class parameter toollabs::is_mail_relay set to the default value of false, toollabs::active_mail_relay points to the relay a client should forward all mail to. In addition, this change adds the toollabs::external_ip and toollabs::external_hostname parameters. Mail hosts should identify with their external hostname when connecting, and we can only provide this information via Hiera at the moment. After merging, ${toollabs::store}/mail-relay should be removed manually Co-Author: Tim Landscheidt <tim@tim-landscheidt.de> Bug: T74867 Change-Id: Icd967c0d8f93427d42a479a4756a6e38f5c1aba0 02 July 2015, 16:13:27 UTC
61c6ac6 Revert "depool cp1065 for thermal stuff: T103226" This reverts commit c5a7e4411fdb8a2dfb31b0f343aa0f1e2e95ee55. Change-Id: Ia37cec6217a30c0bd1b7e20961ec3da515da9c4f 02 July 2015, 16:02:34 UTC
808bd80 phab dumps rsync using ipv4 client addr Change-Id: Ibad99fc32589a6953a628473c17882d2863273b5 02 July 2015, 15:59:00 UTC
ef430df rsync of phab dumps from iridium to dataset1001 Bug: T103028 Change-Id: I626acd383cef5515c963468491a0fecdaea7dc49 02 July 2015, 15:44:31 UTC
a26ff49 HSTS: increase to 1y, do not allow applayer override Some applayer things were setting HSTS=1y before, and we were allowing applayer overrides regardless of header value, which is dangerous (especially in the case of includeSubdomains). This moves everything to 1y and always forces varnish override of any applayer HSTS header. Bug: T40516 Change-Id: Ie3f53f99fb9b4dbffff2f02bbc8f5402644f519f 02 July 2015, 15:38:50 UTC
c5a7e44 depool cp1065 for thermal stuff: T103226 Change-Id: I5feaff008055927d36b7d8cc8648b5a712de9baf 02 July 2015, 15:16:14 UTC
0d92028 labstore: enable NFS mounts for toolsbeta to keep config in sync with tools Change-Id: Iab705df55504a99817fa75f1a2ade6d02b37832e 02 July 2015, 15:11:17 UTC
f038395 labstore: Fix implicit cyclic dependency group => implies a dependency and bam cycle! Change-Id: I69cea9ea42b5ea4f93eaad03ad81daac708d19be 02 July 2015, 14:54:27 UTC
a90f47d labstore: Rename and sacrifice to Lord Puppet Change-Id: I8e2260ffe157f358b6c1d0a1401d1e99edb257b6 02 July 2015, 14:41:09 UTC
1d0686b contint: remove doc.mediawiki.org Apache vhost doc.mediawiki.org is pointed to the main cluster and handled in redirects.dat/conf separately. This VirtualHost was unused cruft. Change-Id: I49858e9cc1005d466cc576dd386bc59d65e1b29a 02 July 2015, 14:38:14 UTC
e2b31cf mediawiki: remove HSTS from donate's Apache config Superseded by our site-wide Varnish config; confusing to also have it here. Change-Id: I18292070bace394a41009f5c8b3ea1a864adf026 02 July 2015, 14:38:14 UTC
1c8d27f labstore: Rewrite of manage-nfs-volumes-daemon Functionality required for this daemon: - Allow instances in projects with NFS enabled to be able to mount the volumes enabled, explicitly via whitelisting their IPs. - Make sure that IP reuse does not leak NFS exports from one project to another To do so, this has to: - Gather list of projects with NFS enabled - Generate entries in exports.d with appropriate IP whitelist (and appropriate gid set) This version does not depend on LDAP at all, using a YAML file to figure out list of projects with NFS enabled and a wikitech API call to find list of instances. Switches to python3, since that is available in jessie and gives us ipaddress package for free. Also refactor the private / public exports into separate classes. This allows working NFS for currently existing projects. A follow up commit is required to: - Make sure that doing this for brand new projects works - might require understanding what sync-exports does - Clean up exports entries for projects that do not have NFS enabled anymore. Bug: T102782 Change-Id: I294a0cb31d7f5f7c598761b905b6c6c62acdcb8e 02 July 2015, 14:31:15 UTC
76b5f31 Wikidata - HSTS include subdomains and preload wikidata.org only has four subdomains, all of which don't have certificate issues. So I believe it's safe to add "includeSubDomains" and "preload" tokens so that it can be preloaded. Bug: T104244 Change-Id: Iab425da3cf2d6c68ed313eec0993584374701349 02 July 2015, 14:24:06 UTC
352b4b7 labstore: Simplify (and expand!) projects-config.yaml - Simplify by dropping all projects that have NFS fully disabled - Expand by adding gids for all projects that do have some form of NFS enabled. This will be used in a future commit to do the NFS exports. Change-Id: I037133c947418fc82a147a768c6a139c071fdafb 02 July 2015, 14:17:19 UTC
aab6ecc Change privs for pdns.conf pdns can still read this file, no problems. Change-Id: If57bbea5fd9592b15a4adf96409c9cd21b724602 01 July 2015, 00:50:17 UTC
5085d81 cassandra: add team-services for cql failure Bug: T104467 Change-Id: I149d6c601f3e15b5d4025fb2cba5caca278d4a56 02 July 2015, 11:09:49 UTC
00ad36a restbase: check http connections We actually don't have any monitoring on restbase locally, so we at least add monitoring of the pybal's ProxyFetch url. Change-Id: Ie12baad900404faf977f14b6599d9129dca89e07 02 July 2015, 10:54:22 UTC
027447f Allow optional firejail containment for nodejs services. This has been initially tested with mathoid and after we flip the services one-by-one, the firejail conditional can be dropped, making firejail the default for all future node services. The current configuration runs every nodejs service in an isolated Linux namespace with - read-only system directories (like /usr or /lib) - private PID space - private /tmp (using tmpfs) - /root and /home/* blacklisted - reduced capabilities: CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_NICE, CAP_SYS_TTY_CONFIG, CAP_SYSLOG, CAP_MKNOD, CAP_SYS_ADMIN - filtered syscalls: mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, mknode, syslog, process_vm_readv and process_vm_writev, sysfs, _sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp Bug: T101870 Change-Id: I7e9c8d1c3f7d6655bba598938eba885210c9e9d6 02 July 2015, 07:38:11 UTC
ef118be conftool: update etcd hosts list Change-Id: I1228135cc335bb3b39baedd6cb3b6100fb62a2a2 02 July 2015, 06:12:23 UTC
2b06db2 Replace static-hash with hostname normalization This gets rid of the vcl_hash hack to ignore hostnames in requests for /static paths, and replaces it with hostname-normalization to "www.wikimedia.org" in vcl_recv (before hashing occurs). Critically, this must be after redirect-rewrites such as mobile_redirect. Bug: T104532 Change-Id: Ie3ef27739edc7471e77b58364d50ee36c49b7543 02 July 2015, 04:56:18 UTC
7ffb854 Revert "Fix /static hashing by forcing www.wm.o hostname" This reverts commit 7ae5a4b9fb46ad11329e62ec77310130d4c1d895. Change-Id: I9e3e42996ca571554d86f4cf0226a52fe883f4fd 02 July 2015, 04:29:19 UTC
7ae5a4b Fix /static hashing by forcing www.wm.o hostname Bug: T104532 Change-Id: I055365fd7f4f413b81e37df63a3f93c88b7833f3 02 July 2015, 04:13:05 UTC
e0a1ea2 add (depooled, hwfail) cp3011.esams to conftool-data Change-Id: I23688c059291fb48d7c755b3421b19c72f287558 02 July 2015, 04:07:40 UTC
22a2be7 Redirect dartar's cite-o-meter to Tool Labs Change-Id: I6d7d9b2f48baac24b45350122727e7dc605fed23 02 July 2015, 04:04:59 UTC
dfe52e5 Make relic Toolserver files valid HTML5 follow-up to Id9dfde2a08b3f68 remove the remaining errors to make it valid - declare character encoding at document level - add alt attributes for img elements - remove xmlns attribute before: invalid, 3 errors each after: This document was successfully checked as HTML5! Change-Id: I7467cb034772332eb293db33774fbf15c6dc11f2 02 July 2015, 03:35:11 UTC
cc9679d Make relic Toolserver files HTML5 Newer and better liked by the W3C Validator! Change-Id: Id9dfde2a08b3f683356862757535de11d184fcc3 02 July 2015, 01:34:53 UTC
24c1514 Set `uWSGIForceWSGIScheme https` for all mod_uwsgi webapps Change-Id: Iab5819b50512b57929963d4e724f72dd880cfd2f 02 July 2015, 00:47:16 UTC
356e5a5 switch analytics and analytics_kafka to ganglia_new Change-Id: Ia2972064d46e1dea74014873f1c6f64da9f9e18f 02 July 2015, 00:41:03 UTC
ab19ecb Redirect wikipedia.is to is.wikipedia.org I1ef55365ec13ef failed due to a weird bug. It has now been fixed with I5e2d936ed7ed6e5b2b65319f49893c38c8f9e65b Bug: T103915 Change-Id: Ieb0679029a40ea75ff7b3ea1a821c3c188ee14ab 02 July 2015, 00:26:53 UTC
7594f1f add bromine as a misc-web backend bromine is a new ganeti VM for misc. services. add it as a backend in for misc-web varnish. Bug:T101734 Change-Id: Ie66625bb8d4d7c7169efde2ec3e34979dfa56ba5 02 July 2015, 00:12:51 UTC
c412c82 bugfixes for b13b9157 (dependencies) Change-Id: I4f50b376a5addfeb2d6f004863963bcc29aac94a 01 July 2015, 23:48:20 UTC
76a5132 Make Coal's whisper files accessible to Graphite front-ends. Coal exists because I wanted more control over how client-side performance numbers were aggregated than I could get from Graphite and StatSite. There is no reason, though, to limit the visualization of the data to coal-web. So add a symlink. Change-Id: Ic0f17d9889622a96980d747fa924a8562e4fbe91 01 July 2015, 23:40:16 UTC
b13b915 sslcert: replace install_certificate with sslcert::std_cert Change-Id: Ibfe8de42878e6f2ea707fcf4f13dedf106919f68 01 July 2015, 23:38:46 UTC
78a27c1 tessera: force uwsgi scheme to https let uwsgi know that we're using https so correct links will be generated Bug: T104424 Change-Id: I7b48e96987fafd5d3f8515d2f40bdf1f08472575 01 July 2015, 23:36:03 UTC
b9a36c7 ciphersuites: refactor further, add compat-dhe option Change-Id: Ia0f74cf6cf3d96f13c9c5c8b7c845e826e2da888 01 July 2015, 23:12:18 UTC
1fa3780 tlsproxy: add 2048-bit dhparam file to nginx This was uniquely, securely generated with openssl on production hardware by me. Note that this won't actually get used until we enable a DHE-based cipher. Change-Id: I697c60b18b085c472f3c630bf611f5bf1325005c 01 July 2015, 22:47:48 UTC
2c9b741 increase size of key cache to 400MB The key cache hit rate at 100MB is: * 0.342 restbase1001 * 0.344 restbase1002 * 0.404 restbase1003 * 0.261 restbase1004 * 0.226 restbase1005 * 0.364 restbase1006 Thus, the additional 300MB should be well spent in savings on index reads. Change-Id: I8d15c8618d83a94f5defd31f0639f61de54a717f 01 July 2015, 22:35:36 UTC
9e46090 access: grant Jdouglas access to analytics-privatedata-users group bug: T103872 Change-Id: Ia691aeb807d4333660f50f4367340aedcf64c861 01 July 2015, 22:20:15 UTC
4a4f10f Bump phabricator release tags refs T104047 Bug: T104047 Change-Id: I9c853d18053e320354ded582045802fcf4990693 01 July 2015, 21:59:48 UTC
56d5591 add bromine to dhcp bromine is a vm in ganeti which will host static-bugzilla.wm.o Bug:T103604 Change-Id: Idb0e10a2a00ca7b1203b0eceb08ebf25d9299eb9 01 July 2015, 21:58:28 UTC
6bd23fd Revert "puppetmaster: fix puppet.conf for new CA cert" Decided we need CN=puppet after all to support our load balanced puppetmasters. This reverts commit 7c17d4e1eea2064dd8af6c7232c4f557baf1a155. Change-Id: I55ae89209803051e6dde17db7dc6a10ba2ce5632 01 July 2015, 20:37:03 UTC
7c17d4e puppetmaster: fix puppet.conf for new CA cert certname now takes the default value and X509v3 Subject Alternative Name becomes DNS:puppet, therefore hostcert and hostprivkey use default values and do not need explicit definitions ref: step #18, https://wikitech.wikimedia.org/wiki/Puppet_CA_replacement#Procedure Change-Id: I515804c0477f14c9fd911537b4c959275163ddfe 01 July 2015, 18:10:52 UTC
b74bc76 labstore: Fix typo Change-Id: I1ff314da365341333052181b512c656efb837d64 01 July 2015, 16:49:53 UTC
6ca0f85 Make ferm list into an actual list. Change-Id: I9b0ce893a20e8f18dcf46bedf679a8e4f3c56801 01 July 2015, 16:46:48 UTC
0a0408e labstore: Move replica_addusers into its own puppet class And install the perl package it requires Change-Id: I587d8c531f0bbd0bf5821058961ac7a95d0be5cc 01 July 2015, 16:43:41 UTC
eff251a Tidy up firewall rules for puppetmaster and salt Change-Id: Ie02f0941e9827b7b05e1a1385b0492e513ea9435 30 June 2015, 14:52:32 UTC
8d94015 Add new_wmf_service.py and examples Automate the new WMF service process as much as possible via a shell helper script that will get some basic info from the user and then create git patches to be submitted for review. Done: * Create puppet module * Create puppet role * Assign role to cluster machines * Update deployment configuration * Allow service owner access to cluster * Assign sudo rights * Make the YAML output more human friendly * pep8 compliance aside from E501(line too long) * Adding LVS IP to cluster * git commit Not implemented in this patch: * Update restbase configuration * Update varnish configuration Bug: T97036 Change-Id: Ie4df5c3eb7ece911021c745fcfdfe515b55ae359 01 July 2015, 16:34:37 UTC
63c490c Reenable ntp by default The following hosts have been tested in advance by starting ntpd manually: analytics1011 neon cp1044 db1007 es1006 ganeti1003 labvirt1007 mc1012 lvs3003 mw1015 mw1019 mw1114 mw1154 mw1189 ocg1003 snapshot1004 virt1003 wtp1013 Change-Id: I1c7e887e3afa5de3f8cdfb8f296688736780510a 01 July 2015, 16:05:23 UTC
3adbccf Labs: small race condition fix in replica-addusers.pl Bug: T92561 Change-Id: I4a3dfe953962e18fdd418ab63a6af6c79259f9a7 01 July 2015, 15:46:47 UTC
6fdeb1e confd: track per template run error state files Change-Id: I9fd8f0df98e8067db1f215e2ca16fc1d8dea7c40 01 July 2015, 15:19:24 UTC
721fc85 Correct error in wikimetrics projectview symlink Link was set to /srv/aggregator-projectview-data/projectcounts/daily instead of /srv/aggregator-projectview-data/projectview/daily Change-Id: I8ff2b8b4eee2f977a4055ca45ee1fbb4efbf1cf5 01 July 2015, 15:18:50 UTC
5dc9e48 varnish: always generate the dynamic directors lists We just don't include them into the varnish configuration if varnish::dynamic_directors is true. This way, we can control their generation and correctness across the cluster. Also: remove spurious inclusion of role::cache::base and fix the definition of $directors_list for backend instances. Change-Id: Ic177d31f3661a2adfc2c165e7232314e1e420dac 01 July 2015, 15:10:54 UTC
3e1e2f0 protoproxy/tlsproxy: big refactor commit This is a squish of 13x original refactor patches, should be no-op other than whitespace changes in config files and such, confirmed in compiler. Old descriptive patch titles: tlsproxy: rename protoproxy to tlsproxy globally tlsproxy: fold ssl::beta::common into ssl::beta tlsproxy: move role::tlsproxy::ssl::common to auto-required tlsproxy::instance tlsproxy: move sslcert stuff inside of tlsproxy::localssl tlsproxy: remove unused ganglia/localhost stuff tlsproxy: rename beta-only things to betassl for clarity tlsproxy: remove remaining ipv6 hacks from beta tlsproxy: gut esams cases from beta-only template tlsproxy: move template into module (only user) tlsproxy: move logrotate into module (only user) tlsproxy: remove pointless use_ssl + jessie conditionals tlsproxy: remove dead udplog comments tlsproxy: kill $ssl_protos var Change-Id: I34745efe05bde40bfa9f1f69db8cc9fd22d93769 01 July 2015, 14:58:39 UTC
3890f0c Add Pageviews/LegacyPageviews to metrics website Modify aggregator-data setup to be aggregator-projectcounts-data using LegacyPageviews public folder. Add projectview git repo cloning and linking under aggregator-projectview-data name using Pageviews public folder. Bug:T104003 Change-Id: I9e0fe5c73fe592b426dd324ee2e788eee0c6bcaa 01 July 2015, 14:55:28 UTC
85ea91a Enable ntpd on ulsfo and esams Use hiera to enable ntp again after the leap second on esams and ulsfo Change-Id: Ie6be81f2b4daac51300f5f58ec1e255dab4d3680 01 July 2015, 14:12:26 UTC
b62db22 Add lvs::configuration::service_ips to beta Adding lvs::configuration::service_ips to beta. This is not because beta has LVS but because that Puppet Hash structure is being used in role::cache::configuration in a non realm abstracted way, so the manifest fails to compile. Bug: T104076 Change-Id: If0054bb1f77dad5bbe6543ec968632c51cd16919 01 July 2015, 13:12:56 UTC
a37dbeb Add backports and thirdparty to jessie-wikimedia udebcomponents Change-Id: I770169bf27407d7ef89294a24aeeb499d8f9a78d 01 July 2015, 12:38:46 UTC
ce669b3 etcd::ssl: do not restart the server upon changes Restarts of etcd should be limited to cases where we change disruptively the configuration - a change of the underlying certificates isn't (etcd will still serve the same data from the same cluster) and automatic restarts are scary to say the least. Disable them from now on, until we use intra-cluster SSL certificates. Change-Id: Ib1a9cc9efe81ff7a8da66adfa5f5c4075226cf11 01 July 2015, 12:31:01 UTC
e7380cf math: Enable /data/project and /data/scratch Change-Id: I81b3dc8db18177ade5367ec57e1260e2cb209091 01 July 2015, 11:55:34 UTC
4558904 Revert "Beta: Test Restbase in ContentTranslation" This reverts commit 6f2c25b412eb1c4527dbd8ca169014ad7d5b7b9c. Change-Id: I31b7fcb4555c5c2fc6e8ab55957f8aaad8173b97 01 July 2015, 11:37:41 UTC
6f2c25b Beta: Test Restbase in ContentTranslation Change-Id: I0a6d41abc8aa66fcd38baead776cdf51bf9cd855 01 July 2015, 09:11:13 UTC