Skip to main content

Browse the archive

https://github.com/wikimedia/operations-puppet
12 April 2024, 10:39:33 UTC
sort by:
Revision Author Date Message Commit Date
e49b796 andrewbogott 10 December 2015, 10:16:35 UTC Fix installation of sudo-ldap on labs instances. Bug: T120262 Change-Id: Id9e89ff92cb9c3292c6c49fd809179293c168e4f 10 December 2015, 10:16:35 UTC
e20e003 cmjohnson 10 December 2015, 22:48:28 UTC Adding dhcp entries and add setting uprdb105/6 to intall mw.cfg bug: task# T119543 Change-Id: I2e6e1a26ec8b07c8218c12325dd631b86eef2382 10 December 2015, 22:48:28 UTC
7bce67f Gabriel Wicke 10 December 2015, 22:30:03 UTC Minor / restbase config: Explicitly set the return status for robots.txt Change-Id: Id9ec0918a1b1015cc74ad4745218609d73ec6048 10 December 2015, 22:30:03 UTC
803c1c0 dzahn 10 December 2015, 22:05:09 UTC site: add technetium.eqiad.wmnet Adds new ganeti VM as technetium.eqiad.wmnet with role spare which includes standard and base firewall and makes sure we use the role keyword for debdeploy. Bug:T118763 Change-Id: I2b939596a1ad53cf4641f9f5af036a65ce86b89e 10 December 2015, 22:07:18 UTC
eed8d56 Brandon Black 04 November 2015, 22:47:22 UTC ssl_ciphersuite: add DHE+3DES option only for "mid" This is similar in nature to I0dd877c3 aka 96e1b2d9 where we added ECDHE+3DES options. There's also a DHE+3DES option which is confusingly named EDH by OpenSSL. This should be roughly similar to e.g. DHE-RSA-AES128-SHA in security terms (forward secret, reasonable data cipher), and in our ClientHello data samples there are clients for which this is the only "mid" or higher cipher they support at all. However, such clients are probably more likely than most to have DHE >1024-bit compatibility issues, so we don't want to include this in the full "compat" final list, as it might increase handshake failures vs getting a compat option that works at all. For that reason the "mid-only-tail" category is created so that this is only included at the end for servers using the "mid" output option, not "compat". Change-Id: I07715405b20e5021e5a1b0c2f4b842cefc25f78c 10 December 2015, 20:24:02 UTC
4fcbb9d Andrew Otto 10 December 2015, 20:22:06 UTC Update kafka submodule with fix for nagios_servicegroup puppet error Change-Id: I60ca0fefe9e6d32eeb967c1b9a30d01524b8a92c 10 December 2015, 20:22:44 UTC
6c81f3c Andrew Otto 10 December 2015, 20:13:53 UTC Update kafka submodule, use kafka::server::monitoring class from it in role::analytics::kafka::* Bug: T120957 Change-Id: I746d71f1b54eb4b913904c57248675a29d9fb417 10 December 2015, 20:19:32 UTC
590f077 Brandon Black 10 December 2015, 20:03:52 UTC Text VCL: same no-article-cache for mobile as desktop Bug: T109286 Change-Id: I98e23e2a5d42a7fbe7742cb24c5ac3f9dca150d2 10 December 2015, 20:18:56 UTC
460289f dzahn 05 December 2015, 00:07:57 UTC zuul: move roles into role module Move the classes from manifests/role/ to the role module in the proper autoload layout. Change-Id: I3238035ee75b5e14ecae105d73d84ba921b32b26 10 December 2015, 20:13:05 UTC
c9aa102 andrewbogott 10 December 2015, 09:04:20 UTC Replace use of $::is_virtual with $::virtual == kvm Why doesn't the former work? It does on the commandline but not for puppet. Change-Id: Id6fa54b0337a95595cc6b2c8ef039c83082dbf1e 10 December 2015, 09:04:20 UTC
6aa7864 andrewbogott 10 December 2015, 07:54:58 UTC Disable everything NFS-related on baremental labs boxes. If/when we move baremetal nodes into the labs-VM subnet this is worth revisiting. For now anything NFS-related is just going to upset puppet. Change-Id: Ib10e0541d39c79fd482e5d1b16bf868bc58803fa 10 December 2015, 08:17:18 UTC
19e8500 andrewbogott 10 December 2015, 07:58:39 UTC Change labs public dns recheck interval to 1 minute. I want it to be 0 but apparently 0 is not an allowed value. Change-Id: Ifca6e0fdf1c32d11d29406e6f3ec9bb176be8f64 10 December 2015, 07:58:39 UTC
7cef325 Coren 10 December 2015, 16:37:23 UTC Labs: Add a timeout check to getent (via ldap) on labstore Reading the group database via LDAP is the functionality NFS relies on from the rest of the labs infrastructure. This tests that it works and returns in reasonable (subsecond) time and raises an alert otherwise. Change-Id: Ia0d41eb39ff43cd94b5261875445d7832694f647 10 December 2015, 17:52:03 UTC
7cea9dd andrewbogott 10 December 2015, 05:29:30 UTC Change the icinga settings for labs public dns monitoring - In case of failure, retry immediately - Only give it one more chance Change-Id: I78a13a9fc54d01e471c42cde7b18107e95eb62b6 10 December 2015, 17:42:54 UTC
f8b7477 Brandon Black 10 December 2015, 16:14:35 UTC VCL: clear XFF if empty Change-Id: Ic606db2bef6f7fba5c66c8849652ce121e49a7ce 10 December 2015, 16:14:52 UTC
08c6942 Jaime Crespo 10 December 2015, 16:03:09 UTC Reconfiguring es1014 (ferm, binlog_format, p_s, ssl) Change-Id: Ia2509ce0612c92af85034ddedef08cb6c4ea5bcd References: T120122 10 December 2015, 16:03:09 UTC
95ca06b Brandon Black 10 December 2015, 15:36:53 UTC VCL: explicitly clear XRIP to prevent spoofing to applayer Change-Id: I04258f5e3d47a57cf00bc5396848fb912ec252f6 10 December 2015, 15:37:08 UTC
7ce3a37 Brandon Black 10 December 2015, 13:35:08 UTC tlsproxy: stop sending XRIP Change-Id: I98439d1768e757033367ab59eafbb23bdd23a195 10 December 2015, 15:33:28 UTC
2eb136a Brandon Black 10 December 2015, 13:34:59 UTC VCL: switch nginx IP data from XRIP to XCIP Change-Id: I43e5f47d562d55c8ff8dece65fa6afd451aaaa6a 10 December 2015, 14:32:32 UTC
24b7b76 Jaime Crespo 10 December 2015, 14:02:23 UTC Applying configuration changes on es1011 Change-Id: Ie3c7375d42e32e57cc7bf9ecb778e235d5516208 References: T120122 10 December 2015, 14:04:12 UTC
e9c19fb Brandon Black 10 December 2015, 13:34:19 UTC tlsproxy: also set XCIP to same value as XRIP Change-Id: Ic865a974317b424be087b0b20091d60c604dbeca 10 December 2015, 13:34:19 UTC
075347a Brandon Black 10 December 2015, 13:28:45 UTC VCL: do not expose X-Real-IP to applayer Change-Id: I550bcaf31de54a20181bcce54ddf9e69997ec959 10 December 2015, 13:28:45 UTC
b859e72 Brandon Black 10 December 2015, 13:21:20 UTC VCL: tighten up XFF regex slightly Change-Id: Ia8dfd4d1b3d857dacf5a054dd73b3a08ec7f4f27 10 December 2015, 13:21:20 UTC
664ad58 Brandon Black 09 December 2015, 20:26:42 UTC varnish: sanitize XFF better Bug: T118769 Change-Id: I493fc7af7c2e99b81fb87b47d0e4bdd3a640a3df 10 December 2015, 13:08:48 UTC
e1762d2 Moritz Muehlenhoff 09 December 2015, 12:50:13 UTC Further updates to LDAP indices From the logs on seaborgium: Dec 9 11:30:02 seaborgium slapd[4659]: <= bdb_substring_candidates: (dc) not indexed Dec 9 11:30:02 seaborgium slapd[4659]: <= bdb_equality_candidates: (puppetClass) not indexed Change-Id: If48cb1a039d8734d6efb36559d1a756c878e262c 10 December 2015, 13:00:36 UTC
6e5dad9 Jaime Crespo 10 December 2015, 09:16:50 UTC Fix typo s/off/ROW/g for binlog_format on ES codfw Change-Id: If656d1effebf8651733024335128d8d5a6df50c9 10 December 2015, 09:18:32 UTC
4836a1f Jaime Crespo 09 December 2015, 18:16:52 UTC Reconfiguration of External Storage servers in codfw Previous to rolling restart Change-Id: I5bf4a4fda58ef5655e08f257bba1036a722acd92 References: T120122 10 December 2015, 08:59:02 UTC
caf2fac dzahn 10 December 2015, 00:43:16 UTC dhcp: add install server config for technetium.eqiad Bug:T118763 Change-Id: I5da6f4786f682e1a986d0120fe6928a6383754d4 10 December 2015, 00:51:44 UTC
213574e andrewbogott 09 December 2015, 23:58:49 UTC Add direct hostname lookup to labs hiera Change-Id: Ibabae85a22a6bf240ac72d9321446a60fe6512cd 09 December 2015, 23:59:09 UTC
6840237 andrewbogott 09 December 2015, 22:40:02 UTC Allow hiera to override $::labsproject Previously $::labsproject came directly from a fact. Now we check hiera first, and if it's undefined fall back on a fact, now named $::labsprojectfrommetadata Bug: T95185 Change-Id: I2811d2ba6a7263ac2b380c6f2bc355501f753fcc 09 December 2015, 23:18:01 UTC
22e4fc7 dzahn 09 December 2015, 22:12:54 UTC statistics: package hunspell-vi conflicts with myspell-da For unknown reasons the package hunspell-vi has: Conflicts: .. myspell-da .. But Vietnames and Danish are obviously different languages. If we try to install both then puppet will attempt to change this on every single run and the results will appear randomly changing. Bug:T121011 Change-Id: Ic8fefc95bbc2d87323db3bdc188b198ba5f7e5cb 09 December 2015, 22:16:35 UTC
61cb657 dzahn 09 December 2015, 21:56:40 UTC statistics: remove package myspell-de-de-oldspell This package conflicts with myspell-de-de, we can only install one of them at a time. Bug:T99030 Change-Id: I7bb7bc3f91ad243e474b6e5e757ae85e3495c18c 09 December 2015, 21:58:34 UTC
8206601 dzahn 09 December 2015, 21:40:57 UTC statistics: add aspell-id, hunspell-vi As requested on T121011 add these dictionary packages to stat1002/stat1003 for research / vandalism detection. Bug:T121011 Change-Id: Iff100ecb3bee32818ed57169ec4b24a3ac604e4f 09 December 2015, 21:44:42 UTC
81afcc3 dzahn 09 December 2015, 21:35:28 UTC statistics: don't install myspell-fr-gut package We were trying to install both myspell-fr and myspell-fr-gut but the packages actually conflict with lead to confusing results. As confirmed by Aaron Halfaker we prefer the regular myspell-fr. Bug:T121011 Change-Id: I8aee22bc0498c01d1b08498264f871aa572d0040 09 December 2015, 21:42:38 UTC
3a5eb53 dzahn 06 October 2015, 02:17:11 UTC lint: re-enable double quoted strings check All 'double quoted string containing no variables'-warnings have been fixed across the repo. So we can (re)-enable this lint check option again. Bug:T93645 Change-Id: Ic4084cb2b9e16c3699b0255b820e1e42e35f0374 09 December 2015, 21:37:17 UTC
65f902c pt1979 09 December 2015, 21:13:55 UTC Fixed MAC info for auth2001 Bug:T120263 Change-Id: I30745369af62ff625f583a8bbef1097b52190e20 09 December 2015, 21:13:55 UTC
36d29bf dzahn 09 December 2015, 20:41:44 UTC openstack: fix quoting in nova role One last "double quoted string" warning that snuck in again. Change-Id: I7d95acfc9bae260f87d6810ab4afad1572e0d78f 09 December 2015, 20:41:44 UTC
0a24c67 dzahn 09 December 2015, 20:10:08 UTC wikimetrics: submodule update submodule update for I501a790cd39a66cd Change-Id: I5f88a3835243529034f1cc0d8c9a36c49890a8bc 09 December 2015, 20:13:35 UTC
4b78fff Antoine Musso 09 October 2015, 20:00:53 UTC contint: install npm/grunt-cli with npm We require very specific versions of npm and grunt-cli on the CI slaves which are not matched by Precise/Trusty/Jessie Debian packages. Puppetize the installation described: https://wikitech.wikimedia.org/wiki/Nova_Resource:Integration/Setup Basically get npm from the distribution and use it to install pinned versions of npm/grunt-cli. nodejs-legacy has to happen before the pinning. Override the /usr/bin/npm link to point to the newly installed version. Bug: T113903 Change-Id: I0d58b643ac677cba4b8000fbdaa936ee378263df 09 December 2015, 20:01:58 UTC
0bb7a62 Gabriel Wicke 09 December 2015, 18:53:05 UTC Fix the api URI template for labs Change-Id: I8330084ae8352c675d0ae71dc27d2e1d965124f3 09 December 2015, 19:52:59 UTC
64b3338 Gabriel Wicke 09 December 2015, 16:43:31 UTC Add a robots.txt to disallow indexing of API content But, make some limited effort to get the docs indexed. Bug: T119786 Change-Id: I338a15398cb6583d417e6869acfe428f9fa3aa5e 09 December 2015, 19:49:59 UTC
10235ed Timo Tijhof 09 December 2015, 19:48:25 UTC contint: Change redis memory from 128Gb back to 128Mb These are tiny VMs with 4-8G memory at most. Follows-up 293d814. Change-Id: I0fc689e6713ac48b097cd3a5dae2ca3298e8078a 09 December 2015, 19:48:25 UTC
3f28a03 dzahn 09 December 2015, 19:25:53 UTC dhcp: fix config syntax error A missing semicolon, follow-up to Ib910ce0f431d6 lead to a syntax error so the DHCP service would not restart which caused puppet failure which triggered monitoring. Change-Id: I712c977cb5ac820a06151ebc1251caaefae06c7f 09 December 2015, 19:29:37 UTC
62b33c0 Brandon Black 09 December 2015, 16:27:28 UTC VCL: move geoip code to text VCL (only consumer) Change-Id: I995ea2cc92933477775b093093ad4ecbfb908215 09 December 2015, 18:52:35 UTC
3aded0f Brandon Black 09 December 2015, 16:25:16 UTC text VCL: move layer-common vcl_hash to text-common Change-Id: If69ef96902810eef63282e51fdfd93a2aa7b2fc6 09 December 2015, 18:52:10 UTC
669cb4c Brandon Black 08 December 2015, 23:21:07 UTC text VCL: remove hiera mobile/text conditionals This removes the hiera conditionals for cache_(text|mobile) by explicitly setting (or clearing) X-Subdomain for both cases in vcl_recv and then keying off of X-Subdomain as a runtime conditional for other cases that might matter. Some of the X-Subdomain conditionals can probably be removed later as well with more testing and research. Note also a new hash_data() in the mobile-only (X-Subdomain-only) path which keeps mobile and desktop hash entries separate. At this point, text and mobile are running identical runtime VCL code files, and differ only in the hostnames->IPs mapped to them and the separation of their cache data pools, and we should be able to begin some manual testing of actual mobile requests through the text cluster to compare with the real mobile cluster. Bug: T109286 Change-Id: I8b7b57c34d536c981efefcb00fc13eea4eaf891d 09 December 2015, 18:41:00 UTC
87e21ed YuviPanda 09 December 2015, 18:38:03 UTC wdq_mm: Kill 'labs' part in lb role Change-Id: I0fbfbd567eb57926f5d7993a4c1c722ed4453fec 09 December 2015, 18:38:45 UTC
dea6587 Alexandros Kosiaris 25 November 2015, 16:13:13 UTC Have misc-web talk directly to etherpad-lite Move misc-web to talking directly to the etherpad-lite nodejs process instead of going via the apache2 reverse proxy layer sitting on etherpad1001. While this removes some minimal latency, the main driving factor is uniformity across the infrastructure and removal of a moving part Change-Id: Iaefd3d1fa6873e0d9877429412d12b325334defc 09 December 2015, 18:34:00 UTC
13da4fb YuviPanda 09 December 2015, 18:20:46 UTC quarry: Don't install python-pymqsl Breaks puppet for now, ugh Change-Id: I9a4a75812e2178f003f7441fe6ff082586d488c0 09 December 2015, 18:22:17 UTC
10164ef pt1979 09 December 2015, 17:16:26 UTC Add MAC entries for auth2001 Bug:T120263 Change-Id: Ib910ce0f431d6912dd401f34cb424f78b1b533e3 09 December 2015, 17:53:47 UTC
db1ee04 Alexandros Kosiaris 09 December 2015, 17:39:43 UTC etherpad: Drop trustProxy, use log_x_client_ip Drop trustProxy and use the WMF created log_x_client_ip patch to log the IP of the client Change-Id: I8eff337666eea3474c4c51d2f261e0c3127bd685 09 December 2015, 17:39:43 UTC
f70b87c pt1979 08 December 2015, 17:17:17 UTC Add auth2001 partitioning entries Bug:T120263 Change-Id: I84cb105992a00789e8c017ecb17f8e1f2cdfe1e8 09 December 2015, 17:08:52 UTC
fbe40a0 Brandon Black 08 December 2015, 21:09:14 UTC varnish: use same VCL files for text+mobile Note this adds some $cluster conditionals for the few remaining true diffs for now, while merging up the majority common code. Bug: T109286 Change-Id: I4d0727654dbe85ce2e8e1d4f904fb68625986d1a 09 December 2015, 16:19:50 UTC
dae4ce3 Giuseppe Lavagetto 09 December 2015, 15:58:03 UTC Contint: add python-etcd to the latest version (for conftool) Change-Id: I1f47d5c5ce3635ca5b4eeebee950f49f07561f12 09 December 2015, 15:58:03 UTC
6e074f8 Brandon Black 08 December 2015, 15:44:03 UTC varnish: always use backend_random for pass/hfp In all varnish instances *except* tier-one backends (where we choose real applayer req.backends), the only backends configured are "backend" and "backend_random", and they're configured for all clusters except the legacy/strange parsoid cache. For all except tier-one backends, this change replaces all instances of the pattern: set req.backend = backend_random return (pass); ... with setting backend_random in vcl_pass unconditionally. This will also apply backend random to all "pass" traffic, including other "return (pass)" statements and hit-for-pass hits, which means we'll only chash for potentially-cacheable requests, never requests which are known to be explicitly "pass" or are temporarily cached as hit-for-pass. Bug: T96847 Change-Id: Ia9104a5de0969316dcdff80d7e3bf1b4579c5aed 09 December 2015, 15:07:25 UTC
25d259f Alexandros Kosiaris 25 November 2015, 16:04:15 UTC Trust the upstream proxy to have the correct client IP This enables express.js "trust proxy" feature that makes express consider the left most IP in the X-Forwaded-For header as the client IP. Change-Id: Ie4f669b735eddfa1ca59eae7096e49567bf41c38 09 December 2015, 13:50:09 UTC
494bade Moritz Muehlenhoff 09 December 2015, 11:50:26 UTC Enable deref overlay There are plenty of slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16 entries logged on seaborgium and serpens. These are caused by LDAP clients using the LDAP dereference control as described in https://tools.ietf.org/html/draft-masarati-ldap-deref-00. This can reproduced with e.g. ldapsearch (...) -E deref=uniqueMember:uid cn="Directory Managers" The available controls can be shown with ldapsearch -xLLL -b "" -s base supportedControl The configure script in the openldap package in Debian is wrong; the deref overlay _is_ build as a module by default, explicitly passing --enable-deref to the configure script is not needed. I've tested this in vagrant and the overlay works fine. Change-Id: I22bb5945c717cd64780edf131965ae0a10a2e3c6 09 December 2015, 13:46:06 UTC
4e40950 Alexandros Kosiaris 09 December 2015, 13:27:54 UTC etherpad: ferm rules for the etherpad service port Allow port 9001 Change-Id: I4d268591e5fef3f11684c24d8eb4a94c2cfcc0e9 09 December 2015, 13:27:54 UTC
c1495d4 Alexandros Kosiaris 09 December 2015, 11:36:10 UTC ldap-labs: Issue new 2048bit certificates Turns out 4096bit certificates mean too much CPU usage on the slapd server. Reissue keys and certificates as 2048 as it seems we will get a 4x-7x performance improvement at the cost of a little bit less security Change-Id: I9424e29c6ff203cb631d160393a4e8ce857f90ec 09 December 2015, 11:36:10 UTC
7fb98d0 Alexandros Kosiaris 08 December 2015, 21:25:07 UTC openldap: Notify slapd on acls.conf and indices.conf changes Have slapd restart on indices.conf and acls.conf changes Change-Id: If842435bb8cc1b22a4df74cce338ae7597e4b3f5 09 December 2015, 11:10:00 UTC
5901090 Filippo Giunchedi 09 December 2015, 10:24:02 UTC diamond: fix StreamHandler module path differently than others StreamHandler, FileHandler and NullHandler are in logging, not logging.handlers Change-Id: I47b291651de70186956331c9e0643da4e6732e63 09 December 2015, 11:09:19 UTC
6182f66 Alexandros Kosiaris 08 December 2015, 20:22:57 UTC openldap: Allow to specify cleartext hashing scheme Allow the caller to specify the cleartext password hashing scheme. Then override it for production LDAP servers. Change-Id: I5e28ab7cab0467bea71abdf265085cb7e202b1ff 09 December 2015, 11:08:36 UTC
7636c9e Brandon Black 01 December 2015, 00:40:32 UTC puppet-run: do not let apt failures block agent Change-Id: I7e3673ccfebdaad0a82848e3bb78b803cdd8e4d7 09 December 2015, 10:00:45 UTC
c12c1f3 Faidon Liambotis 09 December 2015, 08:21:07 UTC apt: add a trailing slash to backports' uri Follow-up to cdd58af -- helps with comment_old taking effect. Change-Id: Iae453fe068beaec9625ba4ac29d2bea0f7ea1e48 09 December 2015, 08:22:27 UTC
8680ddf Moritz Muehlenhoff 08 December 2015, 20:13:17 UTC Extend LDAP indices for labs with puppetVar, roleOccupant and aAAARecord Change-Id: Ia3c7bfd30bcb3e9674b3217796e0300a0d48d73d 09 December 2015, 08:17:48 UTC
cdd58af Faidon Liambotis 09 December 2015, 08:15:24 UTC apt: swap backport repository's components Use "main contrib non-free" instead of "main non-free contrib" as this is how d-i uses this and hence how some it is provisioned on some systems' sources.list (those installed with early versions of jessie's d-i). Change-Id: I0880db6796cb846d3e22483e02faf344d4d3e48e 09 December 2015, 08:15:24 UTC
5cd1eaa Faidon Liambotis 09 December 2015, 08:15:16 UTC snapshot: fix logrotate.d syntax Change-Id: I40cae016387902a12f35c36e8a6ea15c102acfe9 09 December 2015, 08:15:16 UTC
647a0fe Brandon Black 08 December 2015, 15:25:01 UTC add backend_random to maps and upload clusters config Bug: T96847 Change-Id: I0527274b7f72413a211b92295ebd99825bfb14ea 09 December 2015, 02:46:00 UTC
0c1a81c Brandon Black 08 December 2015, 15:24:44 UTC add backend_random to maps and upload clusters in conftool-data Bug: T96847 Change-Id: I0c64965f40a6b7e6034e83e01b5c73bc555ba4d5 09 December 2015, 02:46:00 UTC
78ba106 Brandon Black 08 December 2015, 15:13:11 UTC cache_upload: remove unused "rendering" backend Bug: T96847 Change-Id: Icea46bd013c3441311b6cd23bcf43b515d945041 09 December 2015, 02:46:00 UTC
f787d1b Brandon Black 08 December 2015, 16:04:57 UTC varnish: security_audit backend explicitly tier-one-only This is a no-op, but makes the logic clearer for later commits... Bug: T96847 Change-Id: Ic197ac5e4db9294cb5a2029f1dd35f75790d09ee 09 December 2015, 02:43:11 UTC
66e6d1a Brandon Black 08 December 2015, 15:47:44 UTC varnish: cache /api/rest_v1/ in backends We're currently caching it by normal rules (app header control) in the frontends, and then doing backend_random+pass to avoid caching in the backend instances. From an "edge layer as one black box" perspective, this doesn't change anything functionally for RB URL behavior. There's no reason not to cache at both layers if we're caching at the front already, and this gets our pass/hfp behavior better aligned between layers (which is a general goal of current refactors). Bug: T96847 Change-Id: I8904db9f8175e79ba2391ccbf5e2045f9938dd50 09 December 2015, 02:40:21 UTC
c3664cf andrewbogott 08 December 2015, 09:55:33 UTC Allow access to the labs puppetmaster from labs metal hosts. Bug: T95185 Change-Id: Icc57ebb65e6ff94bedd7ad44e64e0f9b2f4254f1 08 December 2015, 09:56:29 UTC
bfbeba7 andrewbogott 08 December 2015, 09:29:14 UTC Add labs_baremetal_servers hiera item. This is a list of IPs which will allow us to open firewalls appropriately for labs bare metal servers. Bug: T120262 Change-Id: Ib45203c49f51555e0be833978ec19ecf84428343 09 December 2015, 00:58:24 UTC
9cf2e06 Gabriel Wicke 08 December 2015, 21:33:51 UTC Reinstate separate labs config Sadly, sharing the config between labs & production is complicated by the difference in domains configured being large. We'll have to discuss whether storing this in hiera is appropriate or not. In the meantime, this patch aims to fix restbase in labs by updating the list of domains in place until a better solution can be found. Other changes per mobrovac: - Use only a single storage group. - Use a labs-specific User-Agent for request. Change-Id: I8b637dd887f501d89cf7db1093070ff9d2461598 08 December 2015, 23:27:12 UTC
2ff3b0a Alexandros Kosiaris 08 December 2015, 20:31:46 UTC openldap: Prepend extra ACLs to base ACLs Since base ACLs are more generic than the per domain ACLs, the latter should appear first. Amend those so that the right we want per domain are granted to respective users without breaking the rest of the tree Change-Id: I84abf3f9391239a52b6d7b2b78b37468c24b3aaf 08 December 2015, 20:57:54 UTC
ee2252d Alexandros Kosiaris 08 December 2015, 19:42:46 UTC openldap: rename loglevel parameter loglevel is a metaparameter, rename it to logging and add and some documentation while at it Change-Id: Iafca6a9048eb713459467a2b75859dc6101029f7 08 December 2015, 19:44:38 UTC
251533c Antoine Musso 08 December 2015, 15:14:38 UTC ldap-yaml-enc: tolerate empty 'puppetClass' The default classes have been moved from LDAP to hiera, hence the 'puppetClass' key might well be empty. Tolerate it being unset and default to an empty list. Bug: T120817 Change-Id: I907445840793d5498703c6a5091da429a10650a8 08 December 2015, 19:36:33 UTC
b85e600 Alexandros Kosiaris 08 December 2015, 19:32:15 UTC openldap: Parameterize loglevel Allow loglevel to be supplied as a parameter. Then override it for seaborgium and serpens to ease their logging rates Change-Id: If27bab5039296227b49b943006ceb9505a36710d 08 December 2015, 19:32:15 UTC
81acc57 Moritz Muehlenhoff 08 December 2015, 19:21:05 UTC Bump fd/connection limit for slapd Change-Id: I6c8dc60940e4fd1a5739bcc54d2c958cd53612ee 08 December 2015, 19:21:05 UTC
265e631 cmjohnson 08 December 2015, 19:00:51 UTC Adding dhcp entry for promethium bug: task T95185 Change-Id: I37e28c25133d1f15bc5e62228fcee5d163b13cf3 08 December 2015, 19:04:09 UTC
aefd936 Moritz Muehlenhoff 08 December 2015, 18:52:43 UTC Extend LDAP indices for cNAMERecord and dc Change-Id: Ib1bc80b5c0a3185b498d421600fcfecac5e02bf7 08 December 2015, 18:54:38 UTC
08f1868 Faidon Liambotis 08 December 2015, 18:50:49 UTC openldap: enable ldaps:/// for openldap::labs A few services, such as Gerrit, still depend on it. Change-Id: I21f7383e39b4a3d1bb75d2895faa825b00f0405b 08 December 2015, 18:50:49 UTC
d71839b andrewbogott 08 December 2015, 03:47:10 UTC Move labs instances to the new ldap servers. Change-Id: Ia24f548da3ddf28ba669512a3560cad0dc7192ff 08 December 2015, 18:26:21 UTC
b0c41c9 andrewbogott 01 December 2015, 12:09:46 UTC Switch everything to the new openldap ldap servers. Bug: T101299 Change-Id: I5d5b20ac2ba857df12f448ba4060d50fcf077ba6 08 December 2015, 17:29:26 UTC
eb0e382 Andrew Otto 08 December 2015, 17:20:52 UTC Update eventlogging topic parameter to use new format Change-Id: I8aebb02ec91e659833c3e7082758fe66941108fa 08 December 2015, 17:21:20 UTC
f267835 Brandon Black 08 December 2015, 13:56:22 UTC varnish: move IMS check above common pass-checks Change-Id: I6495750f1fe8a5896a352ca13cc9dda1ae499285 08 December 2015, 15:05:37 UTC
e40bb66 Brandon Black 08 December 2015, 13:52:42 UTC varnish: remove hash_ignore_busy on pass req.hash_ignore_busy is redundant/pointless when doing an explicit "return (pass)", as pass uses an anonymous unique per-request object. Change-Id: I290734e9825c1b75bfccd431d667625f7fdcaa11 08 December 2015, 15:03:05 UTC
df22948 Faidon Liambotis 07 December 2015, 18:44:19 UTC varnish: don't store hit-for-pass objects for logged-in users Change-Id: I3617ffa67eccb230626b9cb6c699a1a25487fa4e 08 December 2015, 14:55:10 UTC
fb05fdc Ori Livneh 07 December 2015, 22:38:19 UTC Improve handling of mobile variant cookies The mobile web site allows anonymous users to customize their view of the site via a set of toggleable preferences, each of which causes a cookie to be set. The way these cookies are currently handled is inefficient, because it prevents anonymous users which have the preference set from sharing the same cache. We can improve this by omitting them from the cookie stash / unstash code and instead update the hash in vcl_hash whenever they are set. Since these cookies are now handled in vcl_hash, the regex in the mobile and desktop versions of evaluate_cookie are the same, so we can unify them. Bug: T119798 Change-Id: I686de38fee182d0298082cf8bc988a9c97f72a7e 08 December 2015, 14:52:39 UTC
9bc9f15 Brandon Black 08 December 2015, 14:43:12 UTC sslcert: newly-regenerated dhparam contents This should be regenerated once in a while "just in case" (on the order of a year or so), to restart the clock on any long-term computation on it. With a related mild warning about dh params in the list of sec bugfixes in openssl-1.0.2e, this seems like a good time to regenerate. The caches are already running the new openssl prior to this merge. Change-Id: Ia08fcee2374add8854d0e222a5c2d842f0340605 08 December 2015, 14:46:08 UTC
b24c99d Andrew Otto 08 December 2015, 14:42:35 UTC Temporarily disable https etcd in labs eventlogging Seeing SSL error there, not sure why. Change-Id: I545bf294d78117a7075a13f50432439b17435a61 08 December 2015, 14:43:15 UTC
c5893be Faidon Liambotis 08 December 2015, 14:38:27 UTC librenms: add new cronjobs, remove stale settings * New alerts.php cronjob is needed for alerts. * Email configuration was moved into the Web UI/database, remove from our config. Change-Id: Ibb1877b250c50aa1876696154bd8005159e2df28 08 December 2015, 14:39:37 UTC
5d15531 Antoine Musso 08 December 2015, 14:34:01 UTC nodepool: drop domain from instance hostnames 'contintcloud.eqiad.wmflabs.' is inserted twice because Nodepool uses a fqdn for the hostname: ci-jessie-wikimedia-11345.contintcloud.eqiad.wmflabs.contintcloud.eqiad.wmflabs. Drop the domain from Jenkins targets hostname/subnode-hostname. Bug: T120792 Change-Id: I8e7df490ae8605f88faed788f597920f31ff8328 08 December 2015, 14:35:20 UTC
a0e06c6 Coren 07 December 2015, 21:03:41 UTC Add stable.toolserver.org to legacy redirects And, specifically, allow redirection of /geohack/ Bug: T120526 Change-Id: Id5abbec06ad8294ace14843605b077c09cc6e388 08 December 2015, 13:30:09 UTC
ad107ac Filippo Giunchedi 08 December 2015, 09:52:52 UTC cassandra: add restbase1008-a instance Change-Id: Idbaddc9191ed831861fe66840bebfe2d855fc9cb 08 December 2015, 09:52:52 UTC
eee3b61 Marko Obrovac 07 December 2015, 19:55:53 UTC AQS: Configure Cassandra for AQS in BetaCluster We have made an attempt at deploying AQS in deployment-prep using Scap3 onto deployment-aqs01.deployment-prep.eqiad.wmflabs. One of the reasons the deployment went awry was that the general RB-Cassandra configuration was used, causing Cassandra on deployment-aqs01 to try to join RESTBase's cluster (which is not permitted as per FW rules). This patch makes it set the list of seeds only to itself. Bug: T116206 Change-Id: I42f8b932b569eb880b6a875f70acc7aad654c205 08 December 2015, 07:45:15 UTC
fcc313f Tyler Cipriani 01 December 2015, 17:40:00 UTC Update hieradata for trebuchet module trebuchet was recently moved from a role to a module. This update is needed so that labs gets the correct `trebuchet_master` grain which is needed by the puppet trebuchet provider. Bug: T119988 Change-Id: I87f919ff6b666ec4969aa95e5db079661f3f2d59 08 December 2015, 07:42:11 UTC
347750f Chad Horohoe 08 December 2015, 03:03:14 UTC gitblit: use mw/vendor as the icinga check instead of mw/core Smaller repo -> faster response and less load on antimony. Change-Id: Ie5a57117ee29702d90ef5d76ebbd1498d4e0ec7b 08 December 2015, 03:03:14 UTC
32e0002 Ori Livneh 08 December 2015, 02:18:38 UTC Fixup for I6fe4b05b922 Change-Id: I3ac2e01bf69f9f17e006425957d7f7d92f41ccc2 08 December 2015, 02:18:38 UTC
back to top