| d05bb80 | RobH | 03 November 2016, 00:04:17 UTC | new labstore partman recipe this should create a / outside the LVM, and then create an empty LVM, where puppet can later create partitions within it as nessasary. Bug: T149870 Change-Id: I27128c10850ddb4f3ac9898061c796a1ba1c2773 | 03 November 2016, 04:17:41 UTC |
| 0137239 | YuviPanda | 03 November 2016, 01:53:48 UTC | jupyterhub: Call parent coroutine properly Change-Id: I93b75099cb061b42a5a98ca77a02eb3aaf0b05a5 | 03 November 2016, 01:53:48 UTC |
| e9f9f02 | YuviPanda | 03 November 2016, 01:46:34 UTC | jupyterhub: Add additional protections against arbitrary user login Bug: T149543 Change-Id: I40cdbdda6127bc6315adf407b800b79bb32010f3 | 03 November 2016, 01:47:25 UTC |
| 1fb1dd1 | Andre Klapper | 29 October 2016, 19:18:08 UTC | phabricator: Fix empty "parentProject" when new project is a milestone The query worked for created subprojects but not for milestones as we only checked for "project:parent" but not for "project:milestone" Followup to https://gerrit.wikimedia.org/r/#/c/317321 Change-Id: I30fa4ce4968693c70c3d9ddaab1a4258110707e8 | 03 November 2016, 01:42:25 UTC |
| 0139e14 | YuviPanda | 03 November 2016, 01:25:43 UTC | jupyterhub: widen group of users who can log in Bug: T149543 Change-Id: Ic68c16041b103c35e6e23e4460ae762ee5c71801 | 03 November 2016, 01:31:59 UTC |
| 147bf0f | YuviPanda | 03 November 2016, 00:30:52 UTC | jupyterhub: Fix typo Bug: T149543 Change-Id: If1221c8e8aa3048e0fe8293f716e5a82d05fd8c4 | 03 November 2016, 00:31:41 UTC |
| 959792b | YuviPanda | 03 November 2016, 00:26:15 UTC | jupyterhub: Do not use proxying when talking to localhost This prevents the hub and spawned notebooks from talking to each other! Bug: T149543 Change-Id: Id292f6177c39d68a6851732eb89ce7cb5b57e093 | 03 November 2016, 00:27:01 UTC |
| cf20dcb | YuviPanda | 03 November 2016, 00:11:50 UTC | jupyterhub: Don't set HTTP_PROXY on jupyterhub itself This means it tries to use the proxy to talk to *everything*, including the spawned pods! This doesn't work at all. Bug: T149543 Change-Id: I70cab045f9913e109816721ee85c64f00281cf2b | 03 November 2016, 00:13:59 UTC |
| 3b4af69 | YuviPanda | 02 November 2016, 23:13:35 UTC | jupyterhub: Setup HTTP Proxy for each spawned node Since in prod there's no direct internet access, we set this so users can install things from the internet easily. Bug: T149543 Change-Id: Ieca73621582fe90ad952ac0a657c70c006f75a6e | 02 November 2016, 23:29:58 UTC |
| 6190928 | Daniel Zahn | 02 November 2016, 22:47:12 UTC | mgmt: fix-up grep regex in getmgmtips Change the grep regex to include names with a "-" dash character in them. Always delete the tmp files on startup. Change-Id: Ib4a710e17163f9318d2f367aeb2d762d3a634d85 | 02 November 2016, 22:57:50 UTC |
| df27c96 | Emanuele Rocca | 02 November 2016, 10:59:01 UTC | prometheus: add varnish_exporter to all varnishes Bug: T147424 Change-Id: I69dd07393b05eb51a8124a700e7b434f93176464 | 02 November 2016, 22:48:34 UTC |
| a83a934 | YuviPanda | 02 November 2016, 22:34:38 UTC | paws_internal: Provision research users on notebook node Bug: T149543 Change-Id: I36c4e6cfabfe005e595426eb5e100a939d06554f | 02 November 2016, 22:35:06 UTC |
| 610c631 | YuviPanda | 02 November 2016, 22:20:19 UTC | roles: Kill the 'notebook' roles Is in paws_internal now Change-Id: Idd577034a634c5c8049149d0d14c5efe401f5b81 | 02 November 2016, 22:27:05 UTC |
| dd9c794 | YuviPanda | 02 November 2016, 22:11:21 UTC | paws_internal: Add mysql reseach creds to notebook1001 Bug: T149543 Change-Id: I76b37074668ec5740a4f356a7e0c7dcb232666da | 02 November 2016, 22:27:05 UTC |
| 0863061 | Brandon Black | 02 November 2016, 21:50:01 UTC | network::constants: remove /64 from icinga hosts These shouldn't have netmask suffixes here (nothing else does), and it was breaking NTP configs as well. Change-Id: I67506afba05292a30ebddd515f9db9b8dccfccd7 | 02 November 2016, 22:07:20 UTC |
| 84dd1b4 | YuviPanda | 02 November 2016, 21:36:44 UTC | statistics: Separate research mysql cluster credentials into define Change-Id: Icc01e77e941046fdeec39b65415fbbeb89ad0ddd | 02 November 2016, 22:00:22 UTC |
| c75a491 | Faidon Liambotis | 02 November 2016, 19:40:36 UTC | mirrors: serve ubuntu over rsync as well Change-Id: I5b0248eefc1c3d89b46e3f4ea67a17c886696356 | 02 November 2016, 19:41:31 UTC |
| d22659d | Daniel Zahn | 02 November 2016, 19:19:52 UTC | mgmt: follow-up fix to getmgmtips script Change-Id: I50fe24b6a2b2ff7ce62e8dbd5657c42d8aacdcc3 | 02 November 2016, 19:21:22 UTC |
| 7112ffb | cpettet | 02 November 2016, 19:07:57 UTC | labstore: apply labs::db::views * take testing labsdb::views role and standardize on role::labs::db::$thing pattern * Apply to 1001-1003 labsdb* server block * This doesn't do anything actively, but sets up the ecosystem to be run Change-Id: I53f509540eac6ccedca5a8be32ba48a012a0414c | 02 November 2016, 19:09:46 UTC |
| fd9f3b2 | Daniel Zahn | 02 November 2016, 19:00:00 UTC | mgmt: script to extract mgmt IPs from DNS This extracts all the usable mgmt IPs from DNS templates and removes the non-resolvable ones and duplicates, then writes the remaining ones to a list. That list can then be fed into the changepw command to change passwords. Bug: T147074 Change-Id: I2d512946c606d993def1cbe5ea6e9ea8b63fb78b | 02 November 2016, 19:05:35 UTC |
| 5f975e9 | cpettet | 02 November 2016, 18:59:14 UTC | labsdb: update to match private for maintainviews Change-Id: I0a2d847a80885dde2341788f303b23ff77146cfe | 02 November 2016, 19:02:07 UTC |
| 4ec2bb7 | cpettet | 02 November 2016, 18:37:00 UTC | labsdb: maintain-views use control socket not host Change-Id: I84a004b5ce90c0346fdf18efeb463da57f5cc90f | 02 November 2016, 18:51:19 UTC |
| f01b6b9 | Faidon Liambotis | 02 November 2016, 18:35:32 UTC | mirrors: workaround a ferm @resolve bug with v4/v6 @resolve doesn't do per-domain resolving of A/AAAA (I actually had code somewhere to fix that…). syncproxy.cna.debian.org is dual-stacked, so a firewall rule that @resolves that is actually v4-only. Hardcode IP addresses for now, unfortunately, but leave a comment to explain why. Change-Id: I3db4b607d761487e4e4ec239c9cfe6eee67e3b1d | 02 November 2016, 18:35:32 UTC |
| 18eaf6c | Faidon Liambotis | 02 November 2016, 18:28:51 UTC | mirrrors: set up push mirroring for Debian Allow the Debian syncproxy to trigger ftpsync runs over ssh, with a forced command. This replaces the previously cron-triggered mirror runs. Change-Id: Iea47d1a6df5aa46ef586eb35a81de53091e85734 | 02 November 2016, 18:28:51 UTC |
| b7ebdcc | Faidon Liambotis | 02 November 2016, 18:04:45 UTC | mirrors: config ftpsync for mirroring from debian.org Pull directly from a Debian syncproxy, rather than a secondary third-party hosted mirror. First step towards becoming a push mirror. Change-Id: I8b97ff5cd2698d0e557311811f08acd9090dc787 | 02 November 2016, 18:11:17 UTC |
| 4075cec | Faidon Liambotis | 02 November 2016, 17:57:58 UTC | mirrors: allow public rsync access to Debian Be nice and let any potential downstream to pull from us :) Change-Id: I60aeeb1265e69e5e762790c9da8d76ab90092821 | 02 November 2016, 18:08:09 UTC |
| d9681e7 | Faidon Liambotis | 02 November 2016, 17:46:10 UTC | mirrors: add rsync for Debian's push mirroring Change-Id: Ia27139c2b6998ff234c06814ca64d20a6f47330f | 02 November 2016, 17:49:09 UTC |
| 202bb10 | Jaime Crespo | 02 November 2016, 11:46:43 UTC | tendril+dbtree: Explicitly disable automatic pulls from HEAD Bug: T149340 Change-Id: Id8226b70784f748c158e53417cdd894e9540b171 | 02 November 2016, 17:30:23 UTC |
| 127281d | Emanuele Rocca | 02 November 2016, 10:53:35 UTC | prometheus: extend Varnish targets generation to text/upload Bug: T147424 Change-Id: Ic4791ca393bdc60a474344232cba04b2c4e3bad0 | 02 November 2016, 17:25:23 UTC |
| 2ac1eac | cpettet | 02 November 2016, 17:22:16 UTC | labstore: 2003/2004 hiera additons to allow labstore backup key Change-Id: I1f45862c271e2d92851dee89c021f592d6c5eb5d | 02 November 2016, 17:24:18 UTC |
| 4c60a9b | Emanuele Rocca | 02 November 2016, 10:41:15 UTC | site: add varnish_exporter to esams/eqiad maps/misc Bug: T147424 Change-Id: I00508b0cc6b32799c84e1271fc89cdb2fef9051f | 02 November 2016, 17:21:28 UTC |
| 96627c2 | cpettet | 02 November 2016, 16:17:50 UTC | labstore: 2003/2004 add backup key Change-Id: I1d47b85483b9253df41226a0559617a9e1b7814b | 02 November 2016, 16:20:14 UTC |
| cff4f31 | Guillaume Lederrey | 01 November 2016, 09:48:33 UTC | elasticsearch: /etc/elasticsearch/scripts is not used anymore Change-Id: I307fd824beb354b3edb4ad086bef7792342a804b | 02 November 2016, 16:01:57 UTC |
| 96fb631 | Riccardo Coccioli | 31 October 2016, 14:58:52 UTC | keyholder: add support for SHA256 key fingerprints The SHA256 key digest, as defined and recommended in RFC 6668, is the default fingerprint hash for OpenSSH >= 6.8. This change add support for it to keyholder while maintaining backward compatibility with MD5 fingerprints. Bug: T148273 Change-Id: I11fef8e5fb7173729e3be352246a0a95a66099ad | 02 November 2016, 15:38:31 UTC |
| 978b5c9 | Riccardo Coccioli | 31 October 2016, 14:57:37 UTC | keyholder: fix flake8 Bug: T148273 Change-Id: I51b332d2cfe9925807b7bcd97b40e1f95290ee3b | 02 November 2016, 15:37:09 UTC |
| 1aaed3b | Riccardo Coccioli | 31 October 2016, 14:51:48 UTC | keyholder: be systemd compatible Bug: T148273 Change-Id: I9e40b85781fca7d8abb56af614eab19517605eeb | 02 November 2016, 15:35:28 UTC |
| cb7675c | Antoine Musso | 02 November 2016, 15:09:31 UTC | nodepool: rebalance trusty vs jessie min instances I have build a dashboard to track percent of builds occuring on each flavor. More than 60% are now done on Jessie and the jobs using Trusty are being transitioned. It is now better to have slightly more Jessie instances available (min-ready) and, when the pool is full, there is not much point in having Trusty instances idling when we could have a Jessie one instead. Board: https://grafana.wikimedia.org/dashboard/db/continuous-integration?panelId=8&fullscreen Change min-ready from a 50/50% ratio to a ~33/~66% ratio. That gives us one less squatting trusty instances and two more jessie instances ready to be immediately consumed. Change-Id: I62f1b26967ae6b3ed3f09d052c8fcf74e80ab731 | 02 November 2016, 15:10:06 UTC |
| df52378 | Daniel Zahn | 16 August 2016, 20:39:27 UTC | realm: add 'projectcom' to private wiki list A new private wiki called 'projectcom' is requested on T143138. The docs at https://wikitech.wikimedia.org/wiki/Add_a_wiki#Start say as very first step, even before adding to DNS, to tell Ops DBAs and add a new private wiki to this file. Bug: T143138 Change-Id: Id133dd2570582b3d0617452d8a56228b870e97e6 | 02 November 2016, 14:44:49 UTC |
| 3fb655a | Daniel Zahn | 27 October 2016, 22:50:11 UTC | osm: move files/osm/tuning.conf to role module Change-Id: Ia8eddcacbea0c61baef39905b3b3457aea035eb3 | 02 November 2016, 13:35:39 UTC |
| 6b9c3d0 | Emanuele Rocca | 02 November 2016, 09:46:45 UTC | cache_: enable varnish-be weekly cron restart for all clusters Install /etc/cron.d/varnish-backend-restart in r::c::base. All clusters need it. Use hiera('cache::cluster') to get the proper list of nodes according to the cluster name, and for cron_splay(). Bug: T149784 Change-Id: Ib0f7d25a2606d5bfefff57f4d53b2bf8f64eaacf | 02 November 2016, 11:49:44 UTC |
| a06f9c0 | Moritz Muehlenhoff | 16 September 2016, 14:37:49 UTC | zookeeper: Retrict to domain networks INTERNAL is needlessly broad and in the process of being removed. Use DOMAIN_NETWORKS to limit traffic to the production networks, while still allowing to use the role in labs. This applies to conf* and druid* Change-Id: Ic59d9f7b39db36942063ff981b6a6f459eadb951 | 02 November 2016, 11:37:53 UTC |
| 1b14423 | Alexandros Kosiaris | 02 November 2016, 11:07:30 UTC | Revert "tendril: Supply a robots.txt disallow all robots" Per the comments in I120ed8102950372e6400 This reverts commit eb7b48c3e33dd99fef6365a6d10df8504cc14ae8. Bug: T149340 Change-Id: Ide48243048331c2c4225cd9b6ea1f707f9b9c9ca | 02 November 2016, 11:08:29 UTC |
| 1c0a103 | Giuseppe Lavagetto | 02 November 2016, 09:01:52 UTC | profile::docker::registry: allow overriding the swift password Change-Id: I145f2d7af09e17989f465a7e3cf0416ba08c1b22 | 02 November 2016, 09:01:52 UTC |
| d9a6206 | Daniel Zahn | 27 October 2016, 21:48:23 UTC | icinga: move files/icinga/ into module Move the remaining scripts from ./files/icinga/ into the icinga module along with the other check scripts. check_iostat and check_mailman_queue are used on the list server. check_job_queue and check_subdir_limit appear to be unused (?). Also removes some lint-ignore's. Bug: T110893 Change-Id: I8417070a632244589ad633d8c67e6e7b5496568d | 02 November 2016, 08:22:44 UTC |
| 0cb13f1 | Giuseppe Lavagetto | 31 October 2016, 11:13:05 UTC | thumbor: use restart:always instead of on-failure Thumbor does exit with exit code 0 (I don't know if this is due to the interaction with firejail or not) when failing in certain situations. Thus systemd won't restart it; change the restart policy to Restart=always to make sure it gets respawned even in such cases. Change-Id: Ia3a6959c455f52c8f3b085d9509eababa898d213 | 02 November 2016, 07:49:50 UTC |
| 45cc1ee | Daniel Zahn | 02 November 2016, 05:48:18 UTC | aptrepo: fix typo in template that broke release uploads this stupid typo was a good part of the problems with uploading the latest release to releases.wm, before we even got to varnish.. no-op on carbon. fixes and sets distro to jessie per compiler: http://puppet-compiler.wmflabs.org/4514/ which is exactly the manual fix that we applied on bromine. we can now enable puppet on bromine again. .. Change-Id: I8157e055df004fbfa6865f8e0d6a2246e1592302 | 02 November 2016, 05:56:50 UTC |
| 20c3c25 | Antoine Musso | 08 September 2016, 12:42:02 UTC | zuul: migrate server only settings out of merger The url_pattern and status_url settings are solely for the Zuul server. Stop populating them for both merger and server. Change-Id: I97c1c702be1f44bcdc647517567cb6169d3100f4 | 02 November 2016, 02:35:09 UTC |
| 9789b54 | Faidon Liambotis | 01 November 2016, 15:51:34 UTC | netops (etc.): add asw2-d-eqiad Change-Id: I779561919640298473be8f72b41e36e5cf637b40 | 02 November 2016, 00:34:05 UTC |
| 558735e | Daniel Zahn | 15 October 2016, 00:45:29 UTC | add mapped IPv6 address for contint1001 Let's give it a proper IPv6 address and DNS records right from the beginning since this is in the middle of being setup. Change-Id: Ia04f192fb6daf6a65a18a0c1d91b07c56e8ba946 | 01 November 2016, 23:35:09 UTC |
| dcf7882 | Alex Monk | 01 November 2016, 23:27:45 UTC | deployment-prep: Fix deployment access.conf rules to allow all deployment servers Not just tin. Also simplifies things. Change-Id: I76bc9348453e19617e48e464712e26370932bc4d | 01 November 2016, 23:31:33 UTC |
| 328dfe8 | Alex Monk | 20 October 2016, 20:32:37 UTC | shinkengen: Ensure consistent ordering of hostgroups Otherwise --test-if-up-to-date is rarely (if ever) going to work properly Change-Id: Ic5515e36c1c6616a7eb90df5300886ffa0c557d3 | 01 November 2016, 23:28:11 UTC |
| 8ad6943 | root | 01 November 2016, 22:50:45 UTC | Remove extra non-ASCII character in role::cache::text that was causing issues A 0xC2 character caused clients to think the class could not be found Change-Id: I9ca0a1a0265fd8056b65e1171e382e7762752f95 | 01 November 2016, 22:55:15 UTC |
| 7dea7c5 | YuviPanda | 01 November 2016, 22:06:13 UTC | quarry: Explicitly add python2 plugin Quarry is still python2 Change-Id: I9e11dc727977e8262936c36c5ffe02b18a896110 | 01 November 2016, 22:06:49 UTC |
| 9b99c87 | Filippo Giunchedi | 01 November 2016, 21:18:23 UTC | mtail: introduce systemd unit Allow mtail to ran as mtail:root. mtail requires being able to read log files in /srv/syslog (duh!) and therefore either running as user root or group root. The former is unnecessary for obvious reasons, and the latter isn't straightforward without changing the sysv init script shipped with mtail. Bug: T147923 Change-Id: I4cacc9d95dbf94ff3288408ef5b67138908e6709 | 01 November 2016, 21:18:25 UTC |
| 9e6fa48 | Daniel Zahn | 21 October 2016, 19:56:03 UTC | add mapped IPv6 address for eventlog1001 This would be nice because then we can do things like Ia611b075d18a91630fd and have rules for v4 and v6 without needing a special case for this host. Because other hosts like deployment and maintenance already have v6 but this does not. Change-Id: I3f5d90a66d5f9c205d80f73f4dc15b99442512f1 | 01 November 2016, 20:06:27 UTC |
| 8e7a124 | Filippo Giunchedi | 18 October 2016, 11:09:47 UTC | centralserver: add mtail for kernel messages Bug: T147923 Change-Id: Id4cecbeba4b72f1449ad8f73364f5254c96b4b89 | 01 November 2016, 19:03:26 UTC |
| 8ec2656 | Filippo Giunchedi | 18 October 2016, 11:06:03 UTC | Introduce mtail module The idea is to extract metrics from (sys)logs and report the results as time series to graphite/statsd/prometheus Bug: T147923 Change-Id: I7fbde97762decbac4cb1ec1984eb987f63ec60e6 | 01 November 2016, 19:01:30 UTC |
| f443c8e | Ariel T. Glenn | 31 October 2016, 10:10:04 UTC | mgmt/changepw: clean up indentation, formatting and comments Change-Id: I9aa575e1a1223548d10fd38249fae8bb2442d751 | 01 November 2016, 18:58:42 UTC |
| 07e9883 | Filippo Giunchedi | 01 November 2016, 18:42:34 UTC | prometheus: swap varnish_exporter ports fe/be Change-Id: I3bd9f4220472af6826500c49a04105a7fa89b6c4 | 01 November 2016, 18:45:19 UTC |
| 9da08c7 | Daniel Zahn | 01 November 2016, 17:32:52 UTC | admin: add datacenter-ops on iron Let datacenter-ops use iron to run some nmap scans of the mgmt network. Bug: T147074 Change-Id: I1cdde348e0640a3000ba5ebfc1d8e9dd38690cd1 | 01 November 2016, 18:26:06 UTC |
| a01acba | Madhumitha Viswanathan | 01 November 2016, 17:59:54 UTC | Remove nfs backup role from labstore200[3-4] in site.pp Change-Id: I32710fdc58101cb553cf8abbd1cfd3dc4e1f77d7 | 01 November 2016, 17:59:54 UTC |
| d0aad20 | Madhumitha Viswanathan | 01 November 2016, 17:28:41 UTC | nfs backup: Fix requires paths on mount definitions Change-Id: Icf040eef28cca8c486b73c60dd8579350ed8be7b | 01 November 2016, 17:28:49 UTC |
| d11731e | Madhumitha Viswanathan | 01 November 2016, 17:17:46 UTC | nfs backup: Add mount definitions for backup volumes Change-Id: I8a91f3f02bb0d472fa1f5f34bb46a38d72d113aa | 01 November 2016, 17:18:01 UTC |
| cf73efa | Moritz Muehlenhoff | 18 October 2016, 11:25:17 UTC | Also provide imagemagick wrapper in openstack::nova::manager On app servers and image scalers, convert(1) from imagemagick is contained in a firejail profile. Silver receives the same setting in wmf-config/CommonSettings.php via $wgImageMagickConvertCommand and since we also need to scale graphics on wikitech, provide them in openstack::nova::manager as well. Bug: T145811 Change-Id: I58bf3b925d84c2c92668ec31378c40c840678da0 | 01 November 2016, 16:52:55 UTC |
| d73f82e | Filippo Giunchedi | 01 November 2016, 16:10:42 UTC | graphite: s/avg/average/ for aggregationMethod Change-Id: I855384a2ae4d35ad2ee4c6d7d3f7be5b3803126d | 01 November 2016, 16:10:42 UTC |
| 8f55063 | Filippo Giunchedi | 19 October 2016, 14:53:07 UTC | graphite: change Cassandra '.count' metrics aggregation Also clarify in comments why the default aggregation schema comes last with 'zzddefault'. Bug: T121789 Change-Id: I43fbb699a6643ebb74fee63d40bc9ca2d211170b | 01 November 2016, 15:59:45 UTC |
| 3a17a20 | andrewbogott | 31 October 2016, 02:20:54 UTC | nova_fixed_multi: Change a bunch of debug messages to warnings Making this noisier by default should help us track creation/deletion of records. I don't want to switch all of designate logging to 'debug' because that will flood me with other info we don't care about. Bug: T115194 Change-Id: Ic0906527e7821d489751762064adf81f41fbf873 | 31 October 2016, 02:27:40 UTC |
| 240c5be | Alexandros Kosiaris | 25 October 2016, 08:07:27 UTC | icinga: Increase max_concurrent_checks tegmen and einstenium are expected to be able to withstand a bit more pressure. Increase the number of max_concurrent_checks by 10% Change-Id: Ic73ca67ed66e1a9d5451d202aa32a6870a755504 | 01 November 2016, 14:20:47 UTC |
| bbb8fbc | Alexandros Kosiaris | 01 November 2016, 14:16:17 UTC | Use icinga.wikimedia.org instead of einsteinium.wikimedia.org Since it's possible to now have multiple icinga servers it's quite possible we will be switching the active one between servers. Use the icinga.wikimedia.org name instead of the host name for tcpircbot configuration Change-Id: I24900275abbf882e1acbc683d7c7a16ffc9b24b5 | 01 November 2016, 14:20:27 UTC |
| 633763b | cpettet | 01 November 2016, 14:15:49 UTC | labstore: keep nfs-kernel-server management in nfs-manage Change-Id: Ia3e9cb32ed79b4e42df57d45c620675cef0f4b50 | 01 November 2016, 14:16:43 UTC |
| 07f8361 | Faidon Liambotis | 26 August 2016, 12:16:14 UTC | nagios: do both RSA/ECDSA checks in check_sslxNN Until now, check_sslxNN was checking the certificate that was served to it during the TLS negotiation. This may have been one of the two serving the domain (either RSA or ECDSA), leaving the other one unchecked. Check both, effectively doubling the number of check_ssl checks done by this check. Change-Id: I4b41b478eaf7bf828424c1097a40e0a085732cb7 | 01 November 2016, 13:32:39 UTC |
| 1939c6d | Brandon Black | 01 November 2016, 13:14:23 UTC | check_ssl: don't report full SAN list on success Change-Id: I2c8bfbe4a81396a0edc50046f015c0e60f2c6fe4 | 01 November 2016, 13:15:08 UTC |
| 977ee55 | cpettet | 01 November 2016, 12:53:08 UTC | labstore: 'other' is really misc-project Change-Id: I99680097a48573bf9bbe74f89b65ff2dffcaf3bb | 01 November 2016, 13:03:36 UTC |
| 991dea7 | Brandon Black | 31 October 2016, 17:57:48 UTC | Replace check_sslxNN with check_ssl_unified This is just a config rather than a separate script, and connects only once per authalg while validating OCSP and the full unified SAN list. Change-Id: Ie09fc1ac3e0de63110a3c6c0307b75a41fb18e1c | 01 November 2016, 12:55:00 UTC |
| 3ac7043 | cpettet | 01 November 2016, 12:29:46 UTC | labstore: tc-setup new classes * throttle to write to labstore1003 where scratch is temporarily * throttle write to new service ip for tools NFS Change-Id: I5e1adaeb478d920cd01edc831153e4aa53b67041 | 01 November 2016, 12:31:33 UTC |
| b5d57a7 | cpettet | 01 November 2016, 11:23:03 UTC | labstore: nfs-manage patches * Tries to use block device as a mount path for another block device at the moment. * A few command paths need updating * Adjust ruby in template whitespace output * Make 'help' match case statements * Add mount_path to drbd/resource.pp for use in config array Change-Id: I878cc2bb1ddb430a331c73774ecdff8cac19747d | 01 November 2016, 11:25:47 UTC |
| 8a1072d | Brandon Black | 01 November 2016, 10:56:39 UTC | sort nagios command lists Change-Id: Ied74f184fc304e15c3cc529abb498c16f70b29e7 | 01 November 2016, 10:57:39 UTC |
| 3297ef2 | Emanuele Rocca | 31 October 2016, 15:28:32 UTC | cache_text varnishtest: beacon and CP Add tests for beacon endpoints and 'Connection Properties' cookie. Bug: T131503 Change-Id: I92942de0be016e3eb8a015b3a5abc79c058c7dd2 | 01 November 2016, 10:02:53 UTC |
| 3dac0d7 | Alexandros Kosiaris | 01 November 2016, 09:34:12 UTC | icinga: switch tegmen and einsteinium roles Let's test switching icinga servers works fine. Change-Id: If45ad202bbc0de65a9c3a198e29b29ef0f1056fb | 01 November 2016, 09:37:18 UTC |
| af36422 | Alexandros Kosiaris | 01 November 2016, 09:21:18 UTC | icinga: Always display all results in web interface No point in only displaying 50 entries, always display everything Change-Id: Icdd53fce8d64c9e0141da67e5dc98d7d5ef02386 | 01 November 2016, 09:36:35 UTC |
| 4aefbe1 | Guillaume Lederrey | 27 October 2016, 19:19:30 UTC | elasticsearch - enable GC logs by default Bug: T134853 Change-Id: I23ebf07a11116913faf1497032757fab43bdbb6c | 01 November 2016, 09:21:37 UTC |
| 8aa9562 | Guillaume Lederrey | 01 November 2016, 09:16:39 UTC | Revert "cirrus - disable the rebuild of completion indices" This reverts commit f113cefa345acb5c97c8d03ad2a7e8cf858292d1. Change-Id: I80811dd630df7dc9f2949321391630c3f48574a1 | 01 November 2016, 09:17:07 UTC |
| eb7b48c | Alexandros Kosiaris | 31 October 2016, 10:41:27 UTC | tendril: Supply a robots.txt disallow all robots While the site is protected behind LDAP authentication, it makes no sense for (well-behaved) robots to try and access it in case something changes. Bug: T149340 Change-Id: I120ed8102950372e640086f91f7eaf4729cfae62 | 01 November 2016, 09:07:01 UTC |
| 5d5d0a7 | Alexandros Kosiaris | 31 October 2016, 16:21:21 UTC | icinga: Add comments about paging infrastructure update Add a few comments so that when we move the primary icinga host to new hosts we will not forget to update paging infrastructure whitelists Change-Id: Ibaba6209d2b8c51bfde83523d1933f1413ceb31e | 01 November 2016, 09:06:34 UTC |
| d05a6cb | Madhumitha Viswanathan | 01 November 2016, 07:56:43 UTC | nfs-manage: Fix space trimming in template Change-Id: Iff010bfc18b3fb2b394e6d06008ed62fdef27998 | 01 November 2016, 07:56:43 UTC |
| 30979cd | Madhumitha Viswanathan | 01 November 2016, 07:12:04 UTC | nfs: Fix drbd resource definition Change-Id: I3dbbfe37fcbb51c9d35976c2f3e0b4718624f8be | 01 November 2016, 07:28:53 UTC |
| 49f711d | Madhumitha Viswanathan | 01 November 2016, 03:50:12 UTC | nfs: Move labstore secondary cluster hiera config to eqiad.yaml Need move this to a dedicated hiera file along with all other drbd config soon Change-Id: I65b64befe8183817d94c86385316f3564563e71b | 01 November 2016, 03:50:15 UTC |
| 644391e | Madhumitha Viswanathan | 31 October 2016, 23:32:08 UTC | nfs: Fix hiera variable access for drbd config Change-Id: I6343688a575cb671fd4139470ea65496c8c8ff48 | 31 October 2016, 23:32:08 UTC |
| 7b785a8 | Madhumitha Viswanathan | 31 October 2016, 23:10:32 UTC | nfs: Move drbd resource config to hiera Change-Id: I709edf75763aea07c38f50106cd58a3b5076ff82 | 31 October 2016, 23:13:37 UTC |
| 41e6e1b | Madhumitha Viswanathan | 31 October 2016, 17:09:23 UTC | nfs: Add script to manage NFS server on labstore secondary cluster Change-Id: I395d2e487459c0aa6ddf315b88db0450b1e1c43d | 31 October 2016, 22:00:52 UTC |
| 8dc92fc | cpettet | 31 October 2016, 21:15:28 UTC | labstore: nfs-manage-binds add option to list bind mounts This prints active bind mounts under the root of the /exp tree which may be using the filesystem. Change-Id: I945296c950c83fedce0c2ac2f191b732de9b18d3 | 31 October 2016, 21:42:54 UTC |
| e36762b | Daniel Zahn | 31 October 2016, 21:26:17 UTC | admin: add zareen to *-privatedata-users, researchers quote: "Zareen needs access to event logging and weblogs. She also needs to be able two write hadoop jobs against the weblogs or transfer event logs to hadoop for larger operations." Bug: T149211 Change-Id: I6c6ab9f57cfbeaa06618803204c531917367179b | 31 October 2016, 21:36:54 UTC |
| 55a4633 | Faidon Liambotis | 26 August 2016, 12:16:14 UTC | check_ssl: append (RSA|ECDSA) to name if authalg specified Change-Id: I13ebd5ae73480f9c4ede2d645d2cf9467a3035d5 | 31 October 2016, 19:59:07 UTC |
| 0f827bc | Brandon Black | 31 October 2016, 14:49:46 UTC | check_ssl: support OCSP Stapling New option "-o off|valid|must-staple" (default off) valid: Actually check OCSP and fail hard if it's not valid (may check externally over the network if not stapled? not sure) must-staple: As above, but require stapling off: Do not ask for stapling or verify OCSP (default) Time remaining to the stapling nextUpdate stamp are also checked with the default warning at 3 days out and the default critical at 1 day out. (Our current vendor serves 4-day responses). Bug: T148490 Change-Id: I02ab77d2bbc2f0966a2b49c3c6982898fa7755c1 | 31 October 2016, 19:58:48 UTC |
| 3611d8b | Brandon Black | 31 October 2016, 17:38:48 UTC | check_ssl: add --sans argument This adds an optional verification step which takes a list of comma-separated SAN elements as --sans, and checks that the server's certificate SAN list contains all of them. Change-Id: I920a1fe55dc97ebd5c7682a141e056b1403e95d3 | 31 October 2016, 19:42:26 UTC |
| 018f3e3 | Brandon Black | 31 October 2016, 17:31:10 UTC | check_ssl: clean up ssl_verify/_subject_matches ssl_subject_matches was giving incorrect verbose output for the SAN list (only showing the final element of the SAN list), because it lacked the transformation already done on the same data in ssl_verify above it. Fix this up by merging the two functions (which are called sequentially anyways) and having them share common correct data for SAN and names arrays and strings. Change-Id: I3af922b63b42a57d91d6f9adad014765b562c53c | 31 October 2016, 19:42:26 UTC |
| 983a7d8 | YuviPanda | 31 October 2016, 16:38:36 UTC | nfs: Wait 10s between nfs-exportsd restarts To help recover from 'transient' wikitech outages Change-Id: Ic2bf9ab901d2ca4dae88e2d9ee571bb67a131ed6 | 31 October 2016, 19:10:43 UTC |
| 7aef3ee | YuviPanda | 13 October 2016, 19:04:49 UTC | tools: Grant clush user complete sudo rights for everything Also include toollabs::infrastructure explicitly, to deny non root / non-admin users access. SCARY Change-Id: I99b067b2a76feb0281ac881d7052cceefd790a37 | 31 October 2016, 18:56:38 UTC |
| 097302d | Daniel Zahn | 31 October 2016, 18:44:09 UTC | fix permissions on changepw script, let all users run it Any user (on salt masters) should be able to run this script, avoiding the need for sudo rules for this. It doesnt allow anything more than the existing access, since you still need to know the mgmt password to do anything. (just like when you'd SSH to it directly) Change-Id: I9b98f1eeee8a2121dabd4248a09c85bf226c4cf2 | 31 October 2016, 18:52:22 UTC |
| 13dd711 | cpettet | 31 October 2016, 18:26:53 UTC | labstore: secondary cluster setup eth1 using interface::manual sets interface to come up on boot Change-Id: I50df27749c7e83823c2192da119fa64536cb40b4 | 31 October 2016, 18:48:39 UTC |
