https://github.com/wikimedia/operations-puppet

8016f3a remove cron job on snapshots that generates list of media upload dirs this is no longer used or needed by anything Change-Id: I63acf5241608520fe25d36a42ebba93e4868bb83 19 May 2016, 18:03:41 UTC
5dfdb4e VCL: v4 deliver+synth refactoring This ensures certain cluster-shared vcl_deliver functionality for important functional/debug/analytics headers (X-Carrier, X-Client-IP, X-Analytics, X-Cache, X-Connection-Properties, Via, X-Varnish, HSTS) is also invoked in vcl_synth under varnish4, as some classes of request flow skip vcl_deliver in varnish4 in favor of vcl_synth, but these are all still applicable in that case. Bug: T135696 Change-Id: I337beaf35b72d0f16cb2b05c23767eb4e6c39402 19 May 2016, 16:07:28 UTC
d8b993d Revert "cache_misc: remove all CL-sensitive stream/pass logic" This reverts commit 3e49e2656838fded74c3cfebd250251cec793f2b. Change-Id: Ia54ea984489b2b995f074eb424b952c844e9d6a1 19 May 2016, 15:11:40 UTC
46ed5b2 Point dynamicproxy to IPs instead of hostnames Checked in labtest, result in labtestproject's testingT133554.wmflabs.org entry pointing to http://10.196.16.17:80 (which is the IP assigned in labtest for the 'control' instance) Bug: T133554 Change-Id: Ie8589110f05023dbe6bcba37b1a5c13cf02b21bd 19 May 2016, 14:55:38 UTC
f6950b5 admin: add jzerebecki and legoktm to labnet-users Bug: T133992 Change-Id: Ieb72d9b42567f3a6d25dec31f6ba7ddd0009bdf8 19 May 2016, 14:08:37 UTC
520573e maps: Specify cassandra graphite host Default is localhost, we might want to push maps cassandra metrics into graphite Change-Id: Ibe598c5c670ce89a4950aaf8e57dfb0be22b4958 19 May 2016, 13:58:52 UTC
ef108ea admin: add the releng team to labnet-users Bug: T133992 Change-Id: If9a336a28d2827a8aac26718bf5f730a70b4150a 19 May 2016, 13:46:59 UTC
38524ea openstack::nova::api: allow users to access api logs This also fixes the path of the hiera file, as the role has "labs" in its name Bug: T133992 Change-Id: If3b5a0f7e5f8b46ce176a800e9f1cb789ff80353 19 May 2016, 13:42:41 UTC
10bd005 openstack: allow unprivileged users to access nova logs We now allow to grant a specific group of users to own the log directory /var/log/nova instead of 'adm', which we do not need anyways as we do not set use_syslog=True in nova configurations. Bug: T133992 Change-Id: I5fe5575c5f57ebc5590ba7f756f9efd48d24d531 19 May 2016, 13:38:58 UTC
a62e1ef cp104[34] role spare for decom - T133614 Change-Id: I7b2a4a5b7f84e1ac911a3ab3a85a0bccde1cf72a 19 May 2016, 12:52:10 UTC
05016ed Mark old esams caches as to-be-decommed Use "role spare" for the old esams caches which are in the process of being decommissioned. Using that role until they are removed from the racks ensures that the systems use base::firewall and are covered by fleet-wide software updates (since debdeploy addresses systems based on roles). Change-Id: I89d4d102de302a45be607ee4cda31206a2e1a60e 19 May 2016, 12:47:50 UTC
b9f3e45 Update server groups for debdeploy Change-Id: I2ab939fd31b042edc684a64db98b09ea5ce92217 19 May 2016, 11:51:57 UTC
adfccc9 MariaDB: Reimage db1029 to Jessie and MariaDB 10 Bug: T112079 Change-Id: I58b06fed34ff939b5a8d3065d14491e3af3c3058 19 May 2016, 11:20:01 UTC
a9f0a9c Upgrade db1033 to jessie and mariadb10 Bug: T134555 Change-Id: Iab1337f26748354be7d79ae65abc42ea285d1c1e 19 May 2016, 11:10:02 UTC
5c0a293 monitoring: add the two new clusters labs and labvirt Fixup for I654eb47cad184b Change-Id: I021829da43b6896afe8cbeb2953adf0604553016 19 May 2016, 10:33:19 UTC
af47a41 Add fonts-smc (Malayalam) to image/video scalers This provides improved versions of Malayalam fonts. fonts-smc replaces ttf-malayalam-fonts, so drop it for trusty servers (it wasn't added for jessie to begin with since jessie no longer has these fonts) Bug: T33950 Change-Id: I05f5088bdb4421d2ca29ae34cde1b431045b3e57 19 May 2016, 06:48:42 UTC
3b902cd base::service_unit: Remove old cruft As the subject says, remove old cruft that ensure absent an older approach to shipping unit files by us Change-Id: I2131110abea8a06720b5d92ac70c3e140bfa5a88 18 May 2016, 22:06:12 UTC
2a386c6 Organize Ganglia cluster names for labs Previously we had some, but not all, labs hosts grouped into the 'Virtualization cluster.' That was inconsistent and also not very useful for auditing VM capacity. Now we have two clusters: 'labvirt' aka 'Labs virt hosts' which contains only the compute nodes 'labs' aka 'Labs services' which contains all other Labs-related hosts, excluding the compute nodes. Change-Id: I654eb47cad184bf972db5e237b620771e8aafec8 18 May 2016, 21:24:56 UTC
e217d07 cassandra::metrics: Refresh the collector on a unit file change There is no reason to not refresh the collector when we update the unit file, since it holds no state or data. Hence removing the refresh parameter and setting it to the default Change-Id: Iacbe2db95b54c24dfb6a87bc4c35dd0db3cc0d8e 18 May 2016, 21:16:58 UTC
979e1c2 labs nfs client instance refactor Change-Id: I426a0311b641901241f259241a6371f1ece92994 18 May 2016, 20:42:57 UTC
585f295 Cassandra 2.2.6 config This introduces a new variable, cassandra::target_version. Valid values for cassandra::target_version are '2.1' and '2.2' (defaults to '2.1'). The values correspond with Cassandra minor versions (2.1.x and 2.2.x respectively), and result in a version appropriate configuration. For systems that are (and should continue to be) Cassandra 2.1, this changeset should be a no-op. Bug: T126629 Change-Id: I24a19f5bae00696d5223327501e615723081c6f3 18 May 2016, 19:59:00 UTC
5bdedaa toolserver.org: send 410 Gone for ~cmarqu URLs requests to ~cmarqu are like 95% of all 404s on the instance that gets toolserver.org traffic, made by a 3rd party android app it looks. There is no new URL known, so a 410 GONE is appropriate to tell clients to stop even trying. If you are interested in the old tool, please contact: http://wiki.openstreetmap.org/wiki/User:Colin_Marquardt Bug:T85167 Change-Id: Id126991bace04503c414c6a1c6d0c8db4bf712fa 18 May 2016, 19:40:07 UTC
f56e71f tools: Enable HostPathEnforcer admission controller Bug: T112718 Change-Id: Ieb33db64277748be6dee875ace4d77527d08dfd3 18 May 2016, 19:37:21 UTC
91498b8 toolserver: add wiki. and stable. LE certs 'wiki' has been requested for T62220 and on T134798. I added the Apache server alias in Ic4b78967545de0f14. To make it match the server aliases i'm adding stable. as well, it existed before, but only in the *:80 vhost. Bug:T62220 Bug:T134798 Change-Id: I4fcdb516f3af3714033b5fc49e9d5d41fab1ba4b 18 May 2016, 18:57:37 UTC
4c9b205 toolserver.org: same ServerAliases for https, add wiki. alias Have the same ServerAliases for :80 and :443. Add the requested wiki.toolserver.org alias. Bug:T62220 Bug:T134798 Change-Id: Ic4b78967545de0f146a0cee2e9e7eda3b3438fb5 18 May 2016, 18:40:12 UTC
a43a3e0 tools: Enable host automounts Bug: T134748 Change-Id: Ie5537263629d421a889c24fc37c3c8b182603c69 18 May 2016, 18:12:58 UTC
0d7eacb ores: Make non-SSL redirects permanent (302 -> 301) Change-Id: Ice1a84be2f31b92dd753ea0c471739715dcf69b9 18 May 2016, 17:57:00 UTC
3f8eef7 ssl: remove toolserver.org cert, uses letsencrypt now after T134798 this is now using letsencrypt.org and we don't have to pay a 3rd party for this anymore! yay! but the key in private repo also needs to be removed with this Bug:T134798 Change-Id: I1daa633aeeb832f1588f9e88d20e9baeee17b77a 18 May 2016, 17:43:31 UTC
6dadc51 mw_rc_irc: remove upstart, pre-jessie support Removes all the upstart and pre-jessie things as suggested by Faidon. Simplifies it quite a bit and the labs instances i know of are also jessie. http://puppet-compiler.wmflabs.org/2845/ Change-Id: I0bfb7246e9903050054a2654fc7ade402d52d3dc 18 May 2016, 17:32:21 UTC
a25da36 rm files/misc/scripts/rotate_fundraising_logs In the comment it says this is puppetized, but then it seems like no puppet class is actually using it. This is rather old, i think before FR switched to their own puppet master. I assume it's just cruft in this repo. But, Jeff Green, what do you say? Change-Id: Idda8966735f2adf080701bdb4c85bbd3248ec48d 18 May 2016, 17:30:50 UTC
95c34fe varnishxcache: always emit zeros If we don't emit zeros for all stats, we get into strange cases with wildcarding in grafana across sites that may never have a non-zero value for certain things. Obvious example is that currently, eqiad-text will never have non-zero stats for hit-remote. Change-Id: I6fe2c28200a85767c713e9e2f6f111e6f9604cf0 18 May 2016, 17:28:11 UTC
2a0407b MariaDB: remove special SSL option multiple-ca It was needed only for codfw s2 master to be able to replicate with SSL with eqiad s2 master before the codfw switchover. Not needed anymore. Bug: T111654 Change-Id: I0179dd84e102bdda0c0eec19e3a6294b934501ff 18 May 2016, 17:16:32 UTC
cae0310 ores: rewrite http requests to SSL in nginx Change-Id: Ibbf54ce0aa162e72662e6906b04884283ded41ce 18 May 2016, 16:46:40 UTC
134cca3 Revert "varnisxcache: initial temporary limit to cp1065" This reverts commit 02c6ab6b50247946871e1deaa1d6c3252e666e45. Change-Id: Ic2c1fd852fff48f0f4552483d92f73bc5d45de63 18 May 2016, 16:39:31 UTC
02c6ab6 varnisxcache: initial temporary limit to cp1065 Change-Id: I635770a021a12da79d42f0274647167e53c2d671 18 May 2016, 16:32:19 UTC
2465c77 Use scap subcommands Updates all scap paths to use the new scap subcommand syntax Change-Id: If5d588671d4af1171367da67c6b63b1503c7dc33 18 May 2016, 16:32:03 UTC
cb4c0bf varnishxcache - new monitoring script for hit/miss stuff Change-Id: Ia8d5366b1fb0c2a82dc9fa340fdeddbf98f02fd8 18 May 2016, 16:31:08 UTC
1e6e859 Remove unneeded $heartbeat_enabled variables As per Volans suggestion. Bug: T133337 Change-Id: If4cfaebc92904e7b14d6428b489b1af813a58c37 18 May 2016, 16:10:30 UTC
677ca5a X-Cache-Int refactor This moves our common-VCL X-Cache-building-code to using X-Cache-Int to build up the string through the layers (and also temporarily imports existing X-Cache from cache entries or un-puppeted hosts for the transition). Then on the frontends only, we copy X-Cache-Int to X-Cache and unset X-Cache-Int. The net effect for client output should be a no-op, but with varnish4 shm logs this prevents seeing a double-set of X-Cache: which can be very confusing for stats scripts and difficult to otherwise deal with. Change-Id: Ie7a3f2ee10ca99f1fbcffac0ce84a89624e13b24 18 May 2016, 15:30:25 UTC
4e1b2e2 varnishxcps: misc nits Only important thing here is puppet-level depend on varnish-frontend Change-Id: I98e45401906b7e9f5ca43fcb3c746ae9f3374e59 18 May 2016, 15:12:56 UTC
fa4eca5 Fix typo in IP address settings for aqs1005.eqiad.wmnet Bug: T135145 Change-Id: Ibf63771b1d07ea11f1149e0c713b0feba2eb287b 18 May 2016, 14:57:35 UTC
93a6287 Blacklist asn1_decoder kernel module Blacklist the in-kernel ASN1 decoder. ASN1 decoders are tricky business in general, but having them run in kernel level opens a whole new can of worms (such as CVE-2016-0758). This feature is not in use in the WMF cluster since we neither use signed kernel packages nor ecryptfs at the moment (if we decide to use it at some point we can re-evaluate the blacklist). The check is limited to >= 4.4 since our 3.19 kernels have the option entirely disabled and Ubuntu trusty kernels have it enabled statically (IOW not loaded as a kernel module). The precise kernel doesn't have the code at all. Change-Id: I768dad2c6f67e527782d396721a7d6ffe17b293c 18 May 2016, 14:49:38 UTC
d6ad60a varnishxcps: use send interval, def 30s Previous behavior sends whenever 10,000 sum counts are in the stat set. On high-traffic clusters/nodes this happens every few seconds. On low-traffic clusters/nodes there could be a very long time between sends, making the stats unnecessarily spiky. With this patch, stats are sent every 30s (CLI-overrideable). The only exception would be if 30s+ passed without a single vsl_callback for a log line. Change-Id: Ie301d46c28e8126005ba8740e84b98090d17784c 18 May 2016, 14:39:57 UTC
a4ede40 service::uwsgi: log dir owned by www-data Instead of $title, since uwsgi always runs as www-data in our case Change-Id: I442b80ca0c987afb72fa1c5ba46139af354e756d 18 May 2016, 14:11:35 UTC
8f0ef32 Adding mac addresses for mw1305/1306 to dhcpd file Change-Id: I03870cc34c1fc283a9074afb02766e50aaaad35e 18 May 2016, 14:01:37 UTC
203579b Enable heartbeat on all masters, even on the passive datacenter The idea is setting heartbeat as enabled on all masters, at half the previous rate, independently if passive or active, to prevent a "monitoring failover". This will also allow (eventually) detect link loss between datacenters. Bug: T133337 Change-Id: I80f5e2726e78999752b7fb2ff38296371cd4bf64 18 May 2016, 13:56:32 UTC
5b99302 service::uwsgi: Use Uwsgi::App I've managed to not upload that, despite having fixed it. Upload it now Change-Id: I9d631382d38571d3edd91fc6c73d6e1493036724 18 May 2016, 13:50:46 UTC
36091f5 Install parallel package on mariadb::client(s) Needed to do some mysql tasks with bash faster. Change-Id: I81b3c435347ecef4befca7b69192ae5d0d10eebd 18 May 2016, 13:11:22 UTC
197cfcc fix link removal for cirrus search dumps cleanup also add a -f to an rm command to reduce cronspam Change-Id: I6c0a83c67744efc1fb32a3dbd4f30bedf0864c22 18 May 2016, 12:28:00 UTC
9a4f05a filter out rsync warnings about vanishing files, for kiwix rsync another step in reducing cronspam Change-Id: Ia11ed945adaea49dc4e359e089d04036373d069e 18 May 2016, 11:21:38 UTC
e7feebb Introduce service::uwsgi A service:: namespaced class to implement all our basic service handling. Implemented in the spirit of service::node Change-Id: Id7867f376b33a700f986966652dfb52d30642a10 18 May 2016, 10:15:31 UTC
616383a descriptors should be world readable Most Cassandra config is 0444, there is no reason these files should be more restrictive (quite the opposite); Having them more restrictive requires that dependant tooling be run with elevated privs. Change-Id: Icb42d859d93c147a7401169f7356278e2f11ee6e 18 May 2016, 10:08:37 UTC
a7f2010 service::update: Fix: Correct the she-bang for check-${title} Change-Id: I00a1a900c6f2141b87554eca3ac7c5c3540805b6 18 May 2016, 09:26:32 UTC
390284f sysfs: puppet always restarted the sysfsutils service Whenever using sysfs::parameters() or sysfs::conffile() puppet ends up attempting to start the service over and over again: Debug: Executing '/etc/init.d/sysfsutils status' Debug: Executing '/etc/init.d/sysfsutils start' Notice: /Stage[main]/Sysfs/Service[sysfsutils]/ensure: ensure changed 'stopped' to 'running' The reason is the sysfsutils service does not have any permanent process, it merely applies settings based on configuration files. Additionally the init script lacks a status command. sysfs::conffile() does notify the 'sysfsutils' service which is sufficient to have it restart. sysfs::parameters() relies on sysfs::conffile() Service lacks a status command, and it is meaningless. Override it with /bin/true to skip it entirely. Have the service start on boot (enabled). Optimize restart when notified by setting 'hasrestart'. Puppet will then invoke 'restart' instead of 'stop' and then 'start'. Change-Id: I8006166ba0e31f666d2790af9afc4d556ae4b4fd 18 May 2016, 09:18:17 UTC
f783e19 keyholder: ops into trusted groups unconditionally ops should be able to deploy code for any repo at any point in time in order to fix problems. Provide the entire group with that functionality for all currently scap provisioning keyholder keys by changing the define to implicitly and unconditionally include ops Change-Id: I3b5253f3fcccb4b14623fb8dd5c09c21ebfaa164 18 May 2016, 08:50:04 UTC
b6db1dd service::node: Add a wrapper script for service_checker Also move tail-log from /usr/bin to /usr/local/bin. Change-Id: I16b4cf9df06d7cc92a174be74d9e5c15c79787c8 18 May 2016, 08:16:44 UTC
b893d36 admin: add new group labnet-users Adds a new admin group "labnet-users" for unprivileged access to labnet servers. Adds that group in hiera to role/common/openstack/nova/api.yaml so that it gets applied wherever that role is used. This would currently mean labnet1001/1002 and labtestnet1001/1002. (compare site.pp) If we think it makes sense to use the role for it, otherwise we could use just match labnet in regex.yaml. Bug:T133992 Change-Id: I46a6eee8094bcfe4f5725dc3ada73212c4ce1432 18 May 2016, 07:58:49 UTC
4a74ecd notebook: add debdeploy grains This should ensure that security package upgrades are installed on the notebook servers. Bug:T134716 Change-Id: I40fdc5b06c6d75665143a158c6e2848ae1e68649 18 May 2016, 07:48:09 UTC
d1605b2 Remove scap::clean now that scap is clean Now that scap::clean has removed old scap code, scap::clean can be removed. Change-Id: I2c167cba9525fb59189dbb5f2cdcf60631e6c98b 18 May 2016, 07:27:23 UTC
9d2393a Remove access credentials for kleduc Change-Id: I82dc04353df6272c524f104604b3df357f64d7c2 18 May 2016, 06:29:22 UTC
75ffc4d toolserver: redirect some old tool URLs that still get 404s Redirect the following over to their counterpart on wmflabs.org, these still showed up in toolserver.org logs with 404 and exist on tools.wmflabs.org. enwp10 geohack mathbot render stewardbots vvv wikifeeds Bug:T85167 Change-Id: I546fe7c97cf16e0047e2e7196239fa8913413570 18 May 2016, 01:32:47 UTC
bc2db84 planet: only run updates when in active datacenter Add a parameter to set the active datacenter, then only actively run feed updates in the active dc. We don't want to run them in both places for no reason. Bug:T134507 Change-Id: Ib9f1cc485e08f22e3d1c2d5bb2bf1a963e3c3f76 18 May 2016, 00:37:21 UTC
0632533 V4 XFF Fixup 3/3 This moves varnish3 set_xff above fe_ip_processing, so that v3 and v4 cases are identical on entry (XFF has already been created or appended-to), and then re-factors the logic within to handle the fact that XFF has already been locally appended-to. Change-Id: I1572c9d30b54ba7315b90a794f1a825c07078b77 17 May 2016, 20:46:51 UTC
dbfc414 add CQL interface and port to descriptors Bug: T132958 Change-Id: Iaf845ad9923c52193a499e0017868a2ab663c940 17 May 2016, 20:37:27 UTC
cb79297 V4 XFF Fixup 2/3 set_xff: Move the req.restarts==0 part out to the caller Change-Id: Ief13871d7fee35de28da8b38f50567f9749041ef 17 May 2016, 18:50:44 UTC
b29a4c0 V4 XFF Fixup 1/3 This separates XFF-setting from common_recv_early, and omits it on Varnish4 (which does XFF-setting before vcl_recv inside varnish code itself). Change-Id: Ib00294c93367532672dd7a333f2738015400ab63 17 May 2016, 18:50:44 UTC
5adee4a horizon: make the "Totp token" field a little more clear TOTP is a technicality most users don't know or should be concerned about. Having the form's label being called like that is not great for UX, as it might confuse even the technical users who might not be aware of the exact mechanics of 2FA. I personally prefer "2-Step Verification code", but I've renamed it to "Two-factor authentication code" to make it consistent with what we expose to Wikitech's userprefs. I'm not feeling strong about any of our options, as long as it's something not /too/ technical :) While at it, I cleared up a couple of descriptions under keystoneclient as well. Change-Id: I13c0ebaf46d982fa7d850b7fdb6e841dce259dd2 17 May 2016, 17:51:30 UTC
78364c5 dhcp: add MAC for planet2001 Bug:T134507 Change-Id: Iab646b08062a51db3e1c021af3f8682f897dc2f9 17 May 2016, 16:39:05 UTC
551ab75 planet: node regex to cover 2001 in codfw as well In preparation of installing the equivalent of planet1001 in codfw, planet2001, adjust which nodes are covered in site.pp. Same for the installserver setting and hiera cluster. Bug:T134507 Change-Id: I1b738883505e27c4fbee184b55db0cb779e9e2f4 17 May 2016, 16:32:07 UTC
41b2eab Use force to clean scap directory Change-Id: If36c10ced68d4d76d1e76a01a806c81a8d0ee3f9 17 May 2016, 16:21:50 UTC
94f3e8e Clean old scap code Removes old binstubs and the old /srv/deployment/scap directory. Bug: T128386 Bug: T135206 Change-Id: Id33fbb510b1c9b6561a770810e9a611cea2129c6 17 May 2016, 16:08:11 UTC
01b6602 Revert "Revert "cache_misc: do not deliver expired cached objects"" This reverts commit e5e43a3a3a7cd594856da4bac79b5d4c78bcf16b. Change-Id: Ib0cf50f44fc689cde352e2c39aa3384f463f7738 17 May 2016, 15:38:42 UTC
d7abf7f mirrors: mirror Tails as well Change-Id: I7d7f4e0a645c2168436bd01c2ac4c53f4f025b87 17 May 2016, 15:25:01 UTC
562b92d install-server: fix dhcp file Change-Id: Ib074cca494b3d655f6b3d6041d85e998a3bd33c0 17 May 2016, 15:18:38 UTC
5c490c1 Exchange labs-recursor0 and labs-recursor1 This is for consistency. After this change, one system is labservices1001 labs-ns0 labs-recursor0 and another is holmium (soon to be labservices1002) labs-ns1 labs-recursor1 Bug: T135447 Depends-on: I6cf7666d4c95fe413d0fd5a0b6dfcdfbcaf245c6 Change-Id: I9ce414930ddb8e62aa959e7d0fd80c17f8dbf9a5 17 May 2016, 15:08:12 UTC
d67ec34 caches: refactor around cache::cluster This adds a new per-cache-cluster-role hiera key 'cache::cluster', which is the short cache cluster name (e.g. 'text' for 'cache_text'), and then moves the common code for system::role, webrequest, and reqstats out of the per-cluster roles and into role::cache::base using the new hieradata (since all clusters share these, and they only differ on the cluster name's use in strings). Change-Id: Ib9539891069c8f667d94922d6fb81da19bbddd7b 17 May 2016, 15:01:26 UTC
a8508ca Add a new AQS testing environment to play with Cassandra settings before production. Not sure if this is the best way to do it but the idea is to use the aqs role for aqs100[456] and to override the cassandra/restbase hieradata settings with host level specific ones. This should allow a testing replica of AQS without affecting the existing cluster. Bug: T124314 Change-Id: I504a9536c28ee839ea9a11f2f5950f0742bb94b0 17 May 2016, 14:37:33 UTC
129c314 VCL: minor syntax bugfix error made in 3c9d1008 Change-Id: Ied05318883d1281e0f457b395d7575f02b8e2385 17 May 2016, 14:07:02 UTC
33db686 Glance backup: Omit directory timestamps Rsync is throwing an error about failing to set times on "/srv/glance/images/." I don't know why it can't set them, but adding -O stops it from trying, and we don't need it. Bug: T135463 Change-Id: I9a0687c7dd456a0d2a621ae60b4ab482a8b9a8bf 17 May 2016, 14:03:22 UTC
58ddd28 Adding mac address for mw1284-1304 to dhcpd file Change-Id: Iee351404d23bbd3514e9dd9fa1c688e5a88e7f10 17 May 2016, 14:01:30 UTC
1012fdb VCL: No X-Cache for PURGE in Varnish3 Change-Id: I326d7b8e764fcc572e0f17282cd17eddf0f2e233 17 May 2016, 13:59:26 UTC
3c9d100 VCL: X-Cache simplification 1. Remove the stacked foo+bar states. Only the final one matters for most analysis or stats, the rest was about debugging and understanding varnish behaviors, and we have better ways to do that without involving runtime headers. This includes removing the text-specific "+chfp". Each layer now only records one of four possible states: hit, miss, pass, or int. 2. Remove the hit-counter from non-hit states (it's always zero). 3. Re-format hit-counter as "hit/N" rather than "hit (N)" 4. Remove logic/output for "frontend" (the right-most is always "frontend", so it's redundant). With this change, interpretation and accounting for statistical purposes is greatly simplified. Change-Id: Ic597afd159b76d70b993437c4fb7ffb53b069b62 17 May 2016, 13:58:46 UTC
f60a716 frontend VCL: secure_post now affects most methods Before: Insecure GET/HEAD on canonical domains: 301->HTTPS Insecure GET/HEAD on non-canonical domains: Allowed Insecure PURGE on any: Allowed (from local host) Insecure POST on any: 403 After: Insecure GET/HEAD on canonical domains: 301->HTTPS Insecure GET/HEAD on non-canonical domains: Allowed Insecure PURGE on any: Allowed (from local host) Insecure (anything but GET/HEAD/PURGE) on any: 403 Change-Id: I012ea99a3d373c5897e80f6de9644d4e4a0f3b46 17 May 2016, 13:50:21 UTC
fb997a0 ores: install aspell-sv Bug: T131450 Change-Id: I8f4c455e8cd83087a4ec7e097f94e6f756b5672b 17 May 2016, 13:33:09 UTC
a6770d1 jenkins: allow unsafe parameters Jenkins 1.651.2 is a security release that prevents it from setting environment variables for build parameters unless they are explicitly defined in the job configuration. That feature breaks the Gearman plugin which receives arbitrary parameters emitted by Zuul (such as $ZUUL_PROJECT) which would totally break our jobs. We also inject a wild range of parameters which would be troublesome to whitelist or accurately keep a list of all. On our setup: * manually triggered jobs are run by people in the LDAP groups wmf/nda/wmde. * Browser tests jobs inject parameters from a YAML file in the developer repositories but that is on changes that got merged. Disable the parameters stripping by passing to Jenkins the system parameter: hudson.model.ParametersAction.keepUndefinedParameters=true That will let us upgrade Jenkins to 1.651.2. Will work with OpenStack to have the Gearman plugin to automatically whitelist parameters it receives from Zuul. References: * Jenkins SECURITY-170 and CVE-2016-3721 * https://jenkins.io/blog/2016/05/11/security-update/ * https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 * https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 Bug: T133737 Change-Id: Iafd5ccc1a8bb7938cd7dbbd04714baad1ced1916 17 May 2016, 13:21:07 UTC
c4c5a4d Add new suggested memcached settings to mc1009 as part of perf experiment. mc1009 runs memcached 1.4.25 that offers a new set of features to increase performance. The ones that this change adds are the minimum suggested block by the memcached devs. Bug: T129963 Change-Id: I6c5e99159cee3102b95878dca3cd14c71de1fb95 17 May 2016, 13:03:55 UTC
9d7f0eb Remove (almost) all references to db1027 on production puppet Bug: T135253 Change-Id: I1e1de9c8f4938d2f134016ec67e6938cb399bbf5 17 May 2016, 10:56:35 UTC
883d115 Reduce root rad10 in aqs-cassandra-8ssd-2srv.cfg after chat with Rob. Bug: T133785 Change-Id: Ie32b4ad5c0d3f85dbb038ed66d89205819698b5f 17 May 2016, 09:05:45 UTC
f6c51e2 lvs::monitor_services: fix restbase path Change-Id: I46f31679d895a2e3fa3ce66061ae08a099455f7d 17 May 2016, 08:56:25 UTC
f958476 lvs::monitor: monitor all services via service_checker Bug: T134551 Change-Id: I4c902c94244275dd692a16dd9e84f6c6285ecf24 17 May 2016, 08:39:39 UTC
62eb822 Revert "cache_misc: downgrade almost all to varnish3" This reverts commit 8622176856ff0c859f860bb2803261c968c71bc0. We identified varnish commit 8b7cb51b76ad616143040ee955f1f6d9306251b9 as the cause of T134989 and provided an updated package (4.1.2-1wm5). Let's upgrade cache_misc to varnish4 again. Bug: T134989 Bug: T131501 Change-Id: I34d5f4f4d50b5c9363060682e31911736bc03141 Ref: https://gerrit.wikimedia.org/r/#/c/288817/ Ref: https://github.com/varnishcache/varnish-cache/commit/8b7cb51b76ad616143040ee955f1f6d9306251b9 17 May 2016, 07:33:18 UTC
156aae8 ores: precaching goes down sometimes, making it more verbose Bug: T135444 Change-Id: I0a26314a1b8058b3546a4c195768a8bf819e8bd9 17 May 2016, 07:06:47 UTC
03f566c varnishxcps: prevent junk injection With the previous regex, unrelated and unfiltered client-sent headers could infect statsd keys. Bug: T135227 Change-Id: I5fbefb75c2d5ba8ad838df237b08d35e3893e186 17 May 2016, 02:06:52 UTC
ba0724b toolserver: incl acme-challenge in :443 virtual host acme-setup would fail on this host because it could not download the challenge file. It got 404's for ./well-known/acme-challenge/foo URLs, because this only existed on http. Bug:T134798 Change-Id: I93915e408a765d11b764bdcdcf35a2399680beaa 16 May 2016, 22:15:46 UTC
a706440 toolserver.org: break puppet dependency cycle Error: Could not apply complete catalog: Found 1 dependency cycle: (Exec[acme-setup-acme-toolserver] => Letsencrypt::Cert::Integrated[toolserver] => Apache::Site[www.toolserver.org] => Apache::Conf[www.toolserver.org] => File[/etc/apache2/sites-available/50-www-toolserver-org.conf] => Service[apache2] => Exec[acme-setup-acme-toolserver]) Bug:T134798 Change-Id: Iafd0da512b2bee7a70b128b3da459e91e5673d12 16 May 2016, 21:45:13 UTC
17a0bce toolserver.org: adjust puppet dependencies for cert change after I7d18024b7f1470: Could not find dependency Sslcert::Certificate[toolserver.org] Bug:T134798 Change-Id: Ieb532940a37f587f712d6977bd621ae078e124c7 16 May 2016, 21:38:08 UTC
c54ec2f /srv/glance should be owned by glance. This should make the backup cron happy. It's currently complaining about permissions. Change-Id: I9df8b15a12fb0215fadee7880161ee25fdd7a538 15 May 2016, 02:00:26 UTC
04e02af add Letsencrypt cert/config for (www.)toolserver.org The current toolserver.org cert will expire soon. We would like to use Letsencrypt for this instead of spending money on a new cert. This is modeled after the setup in the RT role and module which was used as the initial test case. Bug:T134798 Change-Id: I7d18024b7f1470dfd256aade4ec7caf8e8e9f782 16 May 2016, 21:25:34 UTC
f8a0a02 Remove a couple of unused settings from ldap config Change-Id: I72b374f8fb9c47f31b442dd435a9040db44e0798 16 May 2016, 20:54:31 UTC
b4aa03a Set labs_tld: "labtest" for labtest instances. Change-Id: I5c03333780ae1327580aff10357b5f3f4f0f2692 15 May 2016, 00:50:59 UTC