https://github.com/wikimedia/operations-puppet

Revision Author Date Message Commit Date
c70d745 Revert "archiva: migration class to rsync data to new host" This reverts commit 582caa3e4aa7eded13df604eea58c93f2d029c42. This is a reminder to me that i should revert this and also manually cleanup the rsyncd and config on the new host, after we have shutdown the old host. Bug: T123725 Change-Id: I90e3b04c4f1baaa6c6d3d980f00f8cd401c701df 14 September 2016, 00:48:49 UTC
582caa3 archiva: migration class to rsync data to new host Add temporary rsync setup and ferm rule to copy data from titanium to meitnerium to replace archiva with a jessie server. Copy directly from and into /var/lib/archiva. Applied on target server. So this allows pushing to the new server and does not influence the old server. Bug:T123725 Change-Id: I5cae60e20f2f92e3af5ee55c99f4a207dd22c5ca 30 August 2016, 19:09:52 UTC
c5f4cb5 nodepool: bump up ready states, max, and rate T143938#2594772 In theory we have test runtimes that would allow us to squeeze a bit more out of our current pool of nodes. Our time to node spinup may be bumping up against our ready state count along with our instruction rate. We saw an influx of jobs and a bit of wait on trusty for some recently added work indicating it may benefit us to have more ready trusty nodes on hand. I am bumping up the max-servers a bit to accommodate a constant workload for jessie even w/ the possible reserved 4 for trusty and so max-servers at 12. Bug: T143938 Change-Id: Ia8826ab29b70db02138668b43a85f1974220b738 30 August 2016, 18:11:17 UTC
98589f0 phabricator: Set logoImagePHID and wordmarkText in fixed_settings.yaml This is for the new phabricator update and is required for the update otherwise we lose the wikimedia logo. https://phabricator.wikimedia.org/F4414835 Change-Id: Id0e3059704420d978ac94b1a7c41f73d73b71392 30 August 2016, 17:47:41 UTC
edc9e0b Revert "Change-Prop: Rerender summary on wikidata item update" This reverts commit 0fbd8b41ad08c5c7ff9965a7af97fa7574a2fb0c. Change-Id: Ic7d69236cffcc15d5f9b6a6d030bca2093f996af 30 August 2016, 17:19:21 UTC
21f4290 Don't page if druid-eqiad zookeeper cluster has a server down Bug: T138263 Change-Id: Ia753dc262a5e1b9421ccee28a7bf036c2780b43a 30 August 2016, 17:12:25 UTC
b366e8b Add druid zk host specific hiera configuration Bug: T138263 Change-Id: Ia89f3645080f71170cb4cc2c099b4ee0ef9b0a4c 30 August 2016, 16:52:57 UTC
dbf8fed contint: stop including arcanist on Precise It is not available there, and probably will never be. Change-Id: I05409a645b800f0c47becd18eb8a652286b8f87f 30 August 2016, 16:39:57 UTC
480ac86 hiera_lookup: recognize labs project and site We failed to extract the labs project name which is required by modules/puppetmaster/files/labs.hiera.yaml . Extract the project from the FQDN having the form <hostname>.<project>.<site>.wmflabs While at it extract the proper site, previously hardcoded to 'eqiad'. We would abort asking for --site only when site is 'wikimedia'. Also abort when site is 'nil'. Update usage doc to mention the labs FQDN format. Add an example usage for a real world labs project: $ ./hiera_lookup --fqdn=host.tools.eqiad.wmflabs classes role::aptly::client Bug: T129092 Change-Id: I69be054f03477d58de367dd259ffeca9a7a41816 30 August 2016, 16:34:37 UTC
2eabe62 contint: bump pip 7.0.1 -> 8.1.2 Changelog: https://pip.pypa.io/en/stable/news/ 8.x has a bunch of backward incompatibility but that should be fine. Change-Id: I00be046ad56acb86c0f493b84f861c8d4b6d6574 30 August 2016, 16:26:31 UTC
0fbd8b4 Change-Prop: Rerender summary on wikidata item update Reading team requires wikidata description inside the summary response. This rule will purge summary endpoint whenever wikidata item is updated. Change-Id: Iaded5c5f6b03ee7b5e37712bd753bb93db900657 30 August 2016, 16:18:47 UTC
1a92f11 logging: remove reference to deployment-fluoride Hasn't existed for a while. not quite sure where it went, but I don't think that we really need it. Change-Id: I54eeebb5f2c2b29388e2b41d1be6c147cd9e027f 30 August 2016, 16:06:08 UTC
55e49d1 Update cdh module with zookeeper package on namenodes Change-Id: I6cf6e5899723bc9dfe6f6c75269338f0258c2d9d 30 August 2016, 15:39:30 UTC
bbfc303 prometheus: return 200 for / Even though it isn't technically correct, ProxyFetch likes 200s more than 204s. Change-Id: I1e4889b8dd84b248572a5bc11decb9674adca339 30 August 2016, 14:57:55 UTC
10d0755 cdh submodule update with zookeeper package change Bug: T138263 Change-Id: I340668104e74dad56036957a5f1f63a41e7865cd 30 August 2016, 14:53:09 UTC
d2897fc Set up Zookeeper cluster for Druid Druid (in test mode) was originally configured to use the production Zookeeper clusters. We would prefer to isolate those clusters from this more analytics type usage, so this patch installs a Zookeeper cluster on each of the 3 druid nodes. This cluster is colocated with the other Druid services. Bug: T138263 Change-Id: I7970af9664222287e1aa86ce00cb1d7b554c5908 30 August 2016, 14:40:53 UTC
76d891d prometheus mysqld exporter: add all pending database instances This soon will be deprecated for a script; adding it statically to identify issues with monitoring easily and validate the later script. Bug: T126757 Change-Id: Iba0c3b95b801f430c111fc6c8d755a41eed468d1 30 August 2016, 14:31:37 UTC
c4b0398 prometheus: add to LVS Also deploy service ip on prometheus eqiad/codfw. Note that lvs::realserver is applied to the hosts individually, not the "prometheus server" role. Many such roles can coexist on the same host, irrespectively of LVS, also not every prometheus server is behind LVS. Bug: T126785 Change-Id: Ibf89504a06a69aca62af3f200d93dc4615e05023 30 August 2016, 14:26:27 UTC
92b6130 reclaim nobelium - remove hiera host configuration Hiera host configuration for nobelium was left during clean up. Bug: T142581 Change-Id: Ic78d0a4fd14ef3bbde0916d08b73b881ef9fbc12 30 August 2016, 13:41:06 UTC
da19dee Rsync pageviews to labs nfs hosts Bug: T142671 Change-Id: I0ba59b078170fb8782797fcdeba5120b9135832b 30 August 2016, 12:54:00 UTC
297085b upload VCL: workaround borked client Range: headers Change-Id: I8b93542a1a0e77eb580e9ef6dcfb7bc18e2958f0 30 August 2016, 12:41:10 UTC
52d8ce8 labsdb: Add firewall to new labsdb databases Add base::firewall to labsdb1009, labsdb1010 and labsdb1011. Older dbs have a different, deprecated class. Change-Id: I9ea32d963bf00269e586acd7c0dc1a44120a9a14 30 August 2016, 10:43:50 UTC
c38c86e Raise the Varnishkafka maximum timeout for incomplete records to 1500 Background: during the upload migration to Varnish 4 we discovered occurrences of the VSL store overflow error, namely more than 1000 (default) incomplete log transactions waiting for a End tag. We raised the 1000 limit to 5000, but now occurrences of the VSL timeout issue appeared again. The store overflow errors were probably hiding them triggering beforehand. Change-Id: Ie289e1ee7d3538b5a7d2bc4f538deb4d216a0bcd 30 August 2016, 08:50:24 UTC
219d1d1 prometheus mysqld exporter: add a bunch of selected slaves from core Bug: T126757 Change-Id: I2379b41355c7c257b3d4b71dd9ccaadf741d1bce 30 August 2016, 08:22:47 UTC
541c9f5 ganglia: Use ferm::service instead of ferm::rule ferm::service is more explicit in stating the required rule and avoids exposing the user to the syntax of ferm which should not be a requirement for writing a rule. Those 2 rules are simple enough to warrant writing them in ferm::service parlance instead of ferm::rule Change-Id: I4bda8b6e3802a2cc5a1c785b31b4125f76fa34b5 30 August 2016, 08:01:13 UTC
ffc7303 site.pp: Remove $ganglia_aggregator node scope variables $ganglia_aggregator is an old and now redundant node scope variable that was used to differentiate a ganglia node from a ganglia aggregator. Since this now happens explicitly via the ganglia::monitor::aggregator class, remove the last remnants of the old construct Change-Id: I9b7ed30fe92d83323e6ba61ab2880d07a1f77cce 30 August 2016, 08:00:33 UTC
0ec7ad8 Provide a systemd override unit for hhvm The default service file shipped by the HHVM Debian package needs to be extended with a few site-specific changes. Previously these were overwritten entirely, but that led to problems when upgrading the HHVM package: After an update it was running with incorrect settings until the next Puppet run. This patch provides an override file with our customisations. A few vendor settings need to be overwritten entirely, which is done with an initial blank config line like "ExecStart=". The settings can be displayed with "systemctl cat hhvm.service". This doesn't fully display the effective settings, though. That's still TBD on upstream's side: https://github.com/systemd/systemd/issues/2654 (This change is identical to 4353f287136f5db78ed2fe9558168de9cdb80d93, which I reverted in b8a8f51fe23a264f5dfdc5c2e4b9ddac62d0da5f; during the merge of the patch on the trusty hosts I noticed an apparent regression (which turned out to be a benign difference between the upstart and systemd jobs)). Bug: T143210 Change-Id: I2e58d21373fc098ccd5e31b8c1ad42383b04cceb 30 August 2016, 07:47:40 UTC
9070ae1 elasticsearch - check shards via the service, not via each individual node Checking cluster state on each node is redundant and generates a lot of noise. Cluster wide checks are now done on the service only. The logstash cluster is left unchanged as it does not have LVS. The relforge cluster is at the moment left unmonitored. This will be fixed once a cleanup of the different elasticsearch roles is done (see https://gerrit.wikimedia.org/r/#/c/304067/). Bug: T133844 Change-Id: Ica721152c10d777003726e80fa03ed82c69c8a10 30 August 2016, 07:45:17 UTC
2bc52ab toollabs: install pdf2djvu Bug: T130138 Change-Id: Ib75973e95b59c3ab5794563a1dbeaf7ffb55f6d0 30 August 2016, 05:52:12 UTC
188a69d cassandra: add ssl monitoring only for ssl-enabled hosts Bug: T120662 Change-Id: Ib9fcf8ce260b08d44585c570138232eb71c88fb2 30 August 2016, 01:41:46 UTC
7f39a31 installserver: put aptrepo role also on install2001 Let install2001 also use the role that sets up the APT repo, so it's like install1001, which is going to replace carbon. As T132757 says we'll want them to match and possibly make APT HA later. Change-Id: Ia86aa856c8fb004067991395d5527ba9f66bf10e 30 August 2016, 01:15:33 UTC
31fc089 rabbitmq: add rabbitmqadmin for control via mgmt plugin Change-Id: I49f48fccb48ff27b802f166678f749d85dd10d81 29 August 2016, 21:38:15 UTC
3053cc8 openstack: remove old OpenDJ log file parser Change-Id: If28dd377db05ef0cabb8957ad31d3446a5bceaf4 29 August 2016, 21:36:39 UTC
9fcb5be Install openstack::horizon::puppetpanel on labtestweb2001 Change-Id: Icf6f1a8ea76ed651249761386b6d8d44f155bc0e 25 August 2016, 20:27:48 UTC
ee1a81c Horizon tab for modifying instance puppet config - Display available roles with docs and params - Display applied roles with params - Display miscellaneous hiera settings - Edit miscellaneous hiera settings - Apply/Removes puppet roles Bug: T91990 Change-Id: I7f064073ba93ffb53369117f30db14772b0ab2de 29 August 2016, 20:35:28 UTC
aa9f851 labnet: Merge site_address and network_public_ip in novaconfig Change-Id: Ib47441e39cff0c57cc55cb88b0e815bcc14e50c8 29 August 2016, 20:30:35 UTC
120b943 es2001-4: add node exporter to these standalone hosts These are not really databases, but they are still part of the mysql cluster, until they are decommed in approximately 1 year. Bug: T126757 Change-Id: I110ad51ad4c33901ead7ddee52f027411a014aed 29 August 2016, 18:12:32 UTC
3d29466 maps - grant privileges on sequences to all known users While we already grant privileges on all tables in the gis database, we do not yet grant privileges to sequences. There is at the moment a single sequence (water_polygons_gid_seq). Change-Id: I3109d8fc18caeec2ff5001460f9f602c110a87f2 29 August 2016, 18:04:35 UTC
34a7843 Adding users flemmerich and psinger to analytics-privatedata-users group. Change-Id: I5eac09dc27fd0d425d5ae059e682794f413ad5b9 29 August 2016, 18:02:09 UTC
f8bb73b toollabs: Set timeout 0 on cdnjs git clone exec Bug: T134896 Change-Id: I75227927261359cef8e58ff9de1f4a41e4385304 29 August 2016, 17:55:53 UTC
cabfcf3 toollabs: Remove puppet dependencies on git clone cdnjs Bug: T134896 Change-Id: I9f182f55db42b177e2fbadcd45a8888a603f3f6d 29 August 2016, 17:37:39 UTC
c0365e7 toollabs: Convert puppet clone of cdnjs to cron Bug: T143637 Change-Id: Iacaac250f9f641b5981ca366c90f731802170eec 29 August 2016, 17:15:42 UTC
046ec69 phab: ip bans for sockpuppet accounts Change-Id: If019712152fdf708da01d4f98729b834c1fe8609 29 August 2016, 16:34:28 UTC
d07daac Revert "robh on vacation next week, remove from paging" Rob is back to work. This reverts commit 7b053196599c2b72722ffd58f3c0b1e174f7fb59. Change-Id: I0967f9ba5632ceec2d1085ee290ba00f4b8022b8 29 August 2016, 15:05:02 UTC
324294a nrpe: remove redundant ferm::rule We have a redundant ferm::rule for nrpe connections from monitoring hosts. The rule is redundant cause all monitoring hosts get full access anyway by being whitelisted in a allow all rule. So, remove the redundant NRPE specific rule Change-Id: I013d8a6070b30c4506914cb4409208d1b4f3737b 29 August 2016, 15:04:16 UTC
d83678b logging::mediawiki: Remove redundant NRPE ferm::rule The ferm rule to allow NRPE in logging::mediawiki is redundant since the one in the nrpe module takes anyway precedence and is the exact same rule Change-Id: I04588960e781b857c3eff4c58de63cc3fe130416 29 August 2016, 15:03:53 UTC
1f85abd Bump scap version to 3.2.4-1 Change-Id: I39b6bbc2abd519fdef7e1254ac230c09a79f766f 29 August 2016, 14:59:40 UTC
a0fd883 prometheus mysqld exporter: disable labsdb1005 because "precise" Bug: T126757 Change-Id: I805183b0d918ffee63fc4b46a297c57b4c0efe89 29 August 2016, 14:55:37 UTC
0fb5aac prometheus mysqld exporter: Add dbstore-eqiad hosts Bug: T126757 Change-Id: I688924097a2feb84f0e1488a582f4bf8dcb2a45c 29 August 2016, 14:53:51 UTC
3d2240d prometheus: add misc eqiad hosts to mysqld exporter Bug: T126757 Change-Id: I80304f9ab76cc7e7cc6dbefa2bbaf1f834562a18 29 August 2016, 14:48:30 UTC
c808d96 openstack: Delete old juno files from the repository Change-Id: Ie02b2b7eebcfc9a24860e589355b500829b98b0e 29 August 2016, 14:44:32 UTC
6f2862f prometheus exporter: avoid still existing precise hosts We do not need precise support; the hosts that are still on precise will be deprecated soon. Bug: T126757 Change-Id: I592ac63f86dab412e2268b638ecec58c5221085d 29 August 2016, 14:03:13 UTC
9c173fe Nova: update api-paste.ini.erb to conform with Liberty defaults This is a straight dump of api-paste.ini.dpkg-dist from a Liberty package, plus our customized keystone auth bits at the end. This should be a no-op but will allow us to adopt the 2.1 API once it is in place. Change-Id: I982593e83d95558b6a059f075e2b1ff98e540956 29 August 2016, 13:49:23 UTC
54c4870 prometheus: return 204 on / No reason to try and list root Change-Id: I7fe93cabb22c2bf979efd3e0c8c93e5d3d877480 29 August 2016, 13:05:51 UTC
550bab7 hieradata: add prometheus_nodes for ulsfo/esams For firewalling purposes, even though the hosts are not actually polled. Change-Id: If231c43ad6a7a4709d0a123c69ed9d01c1dfada5 29 August 2016, 12:57:23 UTC
43b91a1 cache: vary statsd_server with hiera On the beta cluster the Varnish caches have a few processes that reference the production statsd host: /usr/local/bin/varnishstatsd --statsd-server=statsd.eqiad.wmnet \ --key-prefix=varnish.eqiad.backends /usr/local/bin/varnishxcps --statsd-server=statsd.eqiad.wmnet /usr/local/bin/varnishrls --statsd-server=statsd.eqiad.wmnet Update the role::cache::* classes to use the generic hiera key 'statsd' which is defined with: hieradata/labs.yaml:# Labs statsd instance hieradata/labs.yaml:statsd: labmon1001.eqiad.wmnet:8125 hieradata/common.yaml:# Main statsd instance hieradata/common.yaml:statsd: statsd.eqiad.wmnet:8125 The three python scripts are in modules/varnish/files they recognize the 'host:port' format and default the port to 8125. The change for production would be: - --statsd-server=statsd.eqiad.wmnet + --statsd-server=statsd.eqiad.wmnet:8125 Such a change could have impacted an Icinga check_proc commands that are defined in modules/varnish/manifests/logging/ , but they are invoked with '-a' and the name of the process, eg they don't look at the extra arguments. Bug: T116898 Change-Id: I51c754fbec577a73e258922d4fc2054e9b1a854a 29 August 2016, 12:50:26 UTC
9f13729 Upgrade upload ulsfo to Varnish 4 Bug: T131502 Change-Id: I8e3ce213b43c735cdf1567dad4412c57837a2505 29 August 2016, 11:45:00 UTC
b8a8f51 Revert "Provide a systemd override unit for hhvm" This reverts commit 4353f287136f5db78ed2fe9558168de9cdb80d93. Change-Id: Ic05e8ae8fe8e57b3648a2b7c17d5e63a5d929bc0 29 August 2016, 10:29:13 UTC
4353f28 Provide a systemd override unit for hhvm The default service file shipped by the HHVM Debian package needs to be extended with a few site-specific changes. Previously these were overwritten entirely, but that led to problems when upgrading the HHVM package: After an update it was running with incorrect settings until the next Puppet run. This patch provides an override file with our customisations. A few vendor settings need to be overwritten entirely, which is done with an initial blank config line like "ExecStart=". The settings can be displayed with "systemctl cat hhvm.service". This doesn't fully display the effective settings, though. That's still TBD on upstream's side: https://github.com/systemd/systemd/issues/2654 Bug: T143210 Change-Id: I7c9dab14b96682a6947882730143da56b63c3db1 29 August 2016, 10:20:52 UTC
c025c85 prometheus: Add parsercaches on eqiad (and fix the ones on codfw) Bug: T126757 Change-Id: I3f4f7a11014d7d5cd26e4172a7ed23b94784ab5c 29 August 2016, 09:48:10 UTC
cb9a1c3 prometheus: add labsdb eqiad hosts to monitoring It includes production replicas, labs-support replicas, and tools hosts. Bug: T126757 Change-Id: Ib37d05e60580fb5b64febc2f74ca89bb9a46d695 29 August 2016, 09:45:31 UTC
9521857 Remove unused accounts from unneeded functionalities with large uid * dbmon: monitoring utility decommissioned Change-Id: I38d768da0c532cd8bf3aa3a6a195b67d3872a907 29 August 2016, 09:36:47 UTC
218385d Update regex to include new labsdb and proxy machines Change-Id: Ie722aceeb0c0fd530d0eaa83b442fb9c6a30a4b9 29 August 2016, 09:35:51 UTC
3f80f1c Upgrade cp4007 (ulsfo cache_upload) to Varnish 4 Bug: T131502 Change-Id: I9edc17ae2e812a789855e03829fd387571427d4e 29 August 2016, 09:30:08 UTC
a0b3aaf mysql: Clean up puppet code related to code databases * Move all firewall setups for mariadb::core to the role (It was finally applied to all core databases.) * Remove iron exception as it is no longer in use. * Firewall is only pending on some misc systems. Change-Id: I8ff6b8e67c8cecf1b0759a1844335825b2b8c7ee 29 August 2016, 09:07:54 UTC
da28852 Raise the Varnishkafka maximum incomplete transactions to 5000 Varnishkafka's VSL query can keep, by default, up to 1000 incomplete records in memory (i.e. the ones without a Begin tag but not a End one). We have raised the maximum timeout with -T to 700 seconds a while ago to overcome timeouts in misc, but upload's traffic requires more tuning. Change-Id: Idb3c76980c31d03aaf93888c48d479e3bc309dd1 29 August 2016, 08:52:28 UTC
897ef7e Labsdb: include labs salt groups and prometheus monitoring for dbs Bug: T126757 Change-Id: Ibec339faeff2b44eae89b7fbe5e50ab1b6ed8be0 29 August 2016, 08:48:50 UTC
566d6e7 ores: Define extra config for ores Bug: T143567 Change-Id: Ic1f4b4936d95c77e2bfbba65bad1994524515ba1 29 August 2016, 08:36:35 UTC
3d63967 Disable unprivileged user namespaces on labvirt nodes running 4.4 HWE kernels By default trusty allows the creation of user namespaces by unprivileged users (Debian defaulted to disallowing these since the feature was introduced for security reasons) Unprivileged user namespaces are not something we need in general (and especially not in trusty where support for namespaces is incomplete) and was the source for several local privilege escalation vulnerabilities. The 4.4 HWE kernel for trusty contains a backport of the Debian patch allowing to disable the creation of user namespaces via a sysctl, so disable to limit the attack footprint Bug: T142567 Change-Id: Ib7fe25db280b12744aec5b0cf3bbd523ef5155a2 29 August 2016, 08:09:09 UTC
247db01 Ship a script to rewrite group memberships after enabling the memberof overlay The memberof overlay annotates group memberships on the respective user objects in "memberOf" attributes. This is useful to query group memberships of a user without parsing the members attribute of a group. Enabling the overlay does not amend existing attributes. This script provides a tool which retrieves the membership information of a group, empties the group and readds all users, thus adding the memberOf attribute for all members. Bug: T142817 Change-Id: I4832e6c11c59a64d6a4fb1d46451833767a44563 29 August 2016, 06:47:23 UTC
fdc799b Forward horizon settings to mitaka, for LabTest Change-Id: Ie21af8fbd47ec76865bd718d6e835bbd801c5d89 27 August 2016, 02:37:47 UTC
cc4a6f1 Specify a path for the django compression exec Change-Id: I36ae5e8212f4cb981395b24cbc5de4c83a19a332 27 August 2016, 02:25:16 UTC
7f77824 Compress static content for Horizon This is a modest config change, but also requires us to refresh and recompress the cache any time something is changed or a new component installed. Change-Id: Ie99f029624d96998ee32e358d99525705cd25292 27 August 2016, 02:19:48 UTC
41ba78a clush: Put clush config in correct location Change-Id: I94d69d4454cb4012e34812eccb15927bd56c9fc5 26 August 2016, 23:57:38 UTC
766218b tools: Add a wrapper script to enforce clush access Make sure we log accesses to a log file, and that people are running it as their own users rather than as root interactively. Note that this isn't foolproof - but can't really foolproof against people with root! Change-Id: I57156bb99dbc4a7e42c05efe06156ff001c1216b 26 August 2016, 23:24:36 UTC
0b5232b Added filtertags to labs role descriptions. This is an experiment to spruce up role filtering for the new labs puppet GUI Bug: T91990 Change-Id: Ic25662a110068969240083f6f4f9986628388898 25 August 2016, 03:06:41 UTC
d8fea15 text VCL: limited redirect for awful TLS negotiations Change-Id: Ib3319aa2338f2bf91c0b6ea93d96a952d8f4d805 26 August 2016, 19:32:14 UTC
7959306 clush: Fixup missing dependency + secret Not entirely sure how they got lost. Also enforce use only in labs. Running this in production has a lot of other challenges. Change-Id: Ia39f7b9672b90c462bb4312b1facfdefda46e098 26 August 2016, 17:58:57 UTC
c4e4ddc Introduce 'clush' module and toollabs role Change-Id: I6f3ffa16b759ddb4c2fd6bf5753b82796d84c6d8 26 August 2016, 16:54:49 UTC
a65a6e6 add max_allowed_packet to xml/sql dump config so mysqldump doesn't whine the default value was 24M, the servers had 32M, and this finally caused a dump of the commons image table to break Change-Id: I52e0c6e0ebefe2520b0b159d3c68090368819436 26 August 2016, 15:56:18 UTC
6c5a64d puppetmaster::frontend: get workers from hiera Also fill in the values for eqiad and codfw Bug: T143869 Change-Id: Id11e82f7deee9dcabd4c2ea6e74960032f1b9ceb 26 August 2016, 14:21:33 UTC
7c68121 prometheus: Test mysqld-exporter on s6 slaves to check load impact Bug: T126757 Change-Id: I2c23fe957f863aada8b2df9fe8487fa62c25613c 26 August 2016, 14:16:41 UTC
25a1c97 puppetmaster::frontend: raise priority of the 'puppet' vhost Else, palladium itself would fail its puppet run. Change-Id: I3596116c6d8d0adc8b948536bf6595c32340eb17 26 August 2016, 13:53:50 UTC
a9cede3 mariadb: install node/mysql exporters in eqiad too Bug: T126757 Change-Id: If5ce9aa11f1b518efce3326ac4d64be8ac1d62b3 26 August 2016, 13:14:47 UTC
15fe996 puppetmaster::web_frontend: remove unnecessary require Change-Id: Ibbc3b29d3e3d9aa82ae2537172f1804f6cb89754 26 August 2016, 13:13:12 UTC
13be7c6 prometheus: restrict node_exporter to $prometheus_nodes Explicitly exclude labs though, a sane default is hard to provide in hieradata/labs.yaml since it requires a list of hostnames allowed to poll for metrics. Change-Id: Ifd568c496e4a89671dbf198efd556ea9b32f94cb 26 August 2016, 13:04:46 UTC
83e8d56 puppetmaster::frontend: add vhost for FQDN This will be used by clients using SRV records; also only install the old 'puppet' virtualhost on the primary frontend (the one that will be managing the CA too). Bug: T143869 Change-Id: I8bc3e46c83171f461a5b8c059be1b70fbd52134b 26 August 2016, 13:03:08 UTC
caaa767 Remove $ALL_NETWORKS ferm definition This is unnecessarily broad, all existing occurrences have been refactored to use $LABS_NETWORKS, $PRODUCTION_NETWORKS and $DOMAIN_NETWORKS. Change-Id: Ib5f6500c646a5ab2942694b9a1c5f3a2ee5c526c 26 August 2016, 13:01:47 UTC
8c38ba9 nagios: add no-SNI mode to check_sslxNN This adds one more check in non-SNI mode, in cases where we might have served a different certificate to non-SNI clients. Note that this does NOT verify that all the domains we care for are valid against the non-SNI certificate. Change-Id: I866fed9778cb31ccf18300d97a435483396ba628 26 August 2016, 12:56:33 UTC
7e3709c nagios: fix check_ssl with a newer IO::Socket::SSL Pass SSL_verifycn_name in --no-sni mode. Fixes "Cannot determine hostname of peer for verification. [...]" errors with newer versions of IO::Socket::SSL. (also fix a couple of linting issues while at it) Change-Id: Ia1f95ae1e800b7efce4fb63dadd603ce2adbea61 26 August 2016, 12:56:33 UTC
24d7444 nagios: make check_sslxNN multithreaded Run check_ssl (a native import, not a fork/exec) against each cn in a different thread. This speeds the whole check considerably and makes the check run under a second (e.g. from ~20s) even in extreme cases of latency, not seen in our network. This has not been tested with ePN and is potentially broken with it. ePN is disabled in production nowadays, so it does not matter much. Change-Id: Ib4b72f0cb431d59fde20324468078ac42c054335 26 August 2016, 12:56:33 UTC
5285777 Reimage db1042 as jessie Preparing to wipe content, although the server may end up being decommissioned. Change-Id: I0dbc3270ddbb3eede2f3f6cb4e829e3f5ea2a38e 26 August 2016, 12:42:24 UTC
d75d878 puppetmaster::frontend: move vhost to role Also, use puppetmaster::web_frontend to define the main vhost. Bug: T143869 Change-Id: I77b40c30a0977a1da5edaac88735f96d7bf10b64 26 August 2016, 12:34:41 UTC
7677051 Fix puppet issues generating empty files for mysql configuration Bug: T126757 Change-Id: I5ff554ef41472a8a964e2ecae20ef852ba05b910 26 August 2016, 11:25:13 UTC
a1c44a8 puppetmaster: move vhost from passenger class Bug: T143869 Change-Id: I2589cd53c31df50a6639c53ebbd12d108e905ca3 26 August 2016, 10:10:33 UTC
8ba7d81 Puppetize static configuration for prometheus-mysqld-exporter This is only a temporary measure until puppetdb is ready and we can generate those dynamically. There is no labs hosts on codfw. Bug: T126757 Change-Id: Ic68ed2fa8bd007bd9d8d609740744f31aeefaf5d 26 August 2016, 10:04:34 UTC
b418fba puppetmaster: split backend and frontend vhosts Bug: T143869 Change-Id: I0dd87849245aa82085bc7623fa2fca31089f47bf 26 August 2016, 09:32:11 UTC
1a5a8b1 Upgrade cp4006 (ulsfo cache_upload) to Varnish 4 Bug: T131502 Change-Id: Iae874e9cb26c6028ae3fa9a0000beb75fb7d5c5c 26 August 2016, 09:17:03 UTC
2379fb9 openldap_labs: Limit to production networks and labs networks Needs to be accessed from both. Change-Id: Ie8219d7e016ef3d235405d71b41c642ab04fd9a3 26 August 2016, 09:06:16 UTC
7203684 puppetmaster: add ca and ca_server settings to frontend Also, get the address of the ca_server from hiera if available. This allows to have secondary frontends. Bug: T143869 Change-Id: I0c8a5efd48f547693c4da86ddfcda30213d0c670 26 August 2016, 08:26:10 UTC