[MediaWiki-commits] [Gerrit] operations/puppet[production]: Remove access credentials for laner
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330891 ) Change subject: Remove access credentials for laner .. Remove access credentials for laner Bug: T152957 Change-Id: I62cbf408c2973c65f9ace612cb9efcc8c6931346 --- M modules/admin/data/data.yaml 1 file changed, 5 insertions(+), 5 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/91/330891/1 diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index a89f37a..b16b07c 100644 --- a/modules/admin/data/data.yaml +++ b/modules/admin/data/data.yaml @@ -5,7 +5,8 @@ handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, mglaser, mvolz, mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, rmoen, johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, msyed, kleduc, - manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, asherman] + manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, asherman, + laner] wikidev: gid: 500 description: container group for primary user groups. @@ -18,7 +19,7 @@ ops: gid: 700 description: include everywhere ops folks -members: _members [filippo, jgreen, bblack, andrew, faidon, rush, oblivian, laner, yuvipanda, +members: _members [filippo, jgreen, bblack, andrew, faidon, rush, oblivian, yuvipanda, dzahn, akosiaris, springle, mark, ariel, cmjohnson, otto, robh, tstarling, ori, midom, jmm, jynus, aaron, ema, elukey, gehel, volans, madhuvishy, marostegui] privileges: ['ALL = (ALL) NOPASSWD: ALL'] 
@@ -1385,12 +1386,11 @@ uid: 4816 # T109521 laner: -ensure: present +ensure: absent gid: 500 name: laner realname: Ryan Lane -ssh_keys: [ssh-rsa B3NzaC1yc2EDAQABAAABAQDRsK78adkRJfbYrsZznpbwldoSpQyyQXrXG6WzrJEBAVIAKz5gPSM8zmJ/kj89QygYRaKRPWAcuF5GZhSho15dwDXm5M0ZTva4/m/Hu4H3j7oxx3PKjZKBiygP7mSu/32TJs7FynPGAFVl/B766Snn9Ll/xwrx4lg3v9ZNEpNMJZ0DQTFZ1xXD2Ns08JvxW1csAEoNrpqH6tTdXdHmhurXdKQq1G/JmKR3/KVWbB1MNvUwCY0mQbN1icuy+JsOXbvXEftumigXRV16reLvX3q4sNmYSFfOGOMMW7K9d+nDc4TRNrUjm8R0AEZ6BxTJsvpahDi1gCOfZnGmpGKUEWgZ -laner@Free-Public-Wifi.local] +ssh_keys: [] uid: 553 midom: ensure: present -- To view, visit https://gerrit.wikimedia.org/r/330891 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I62cbf408c2973c65f9ace612cb9efcc8c6931346 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
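Review bot: In the `ops` hunk, laner is dropped from the group that carries `privileges: ['ALL = (ALL) NOPASSWD: ALL']`, but no other members list is touched by this patch, so please confirm that laner is not still named in any other group in data.yaml before this merges. It would also help to list the groups being revoked in the commit message, which currently only cites T152957.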
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Remove access credentials for asherman
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330885 ) Change subject: Remove access credentials for asherman .. Remove access credentials for asherman Bug: T152957 Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf --- M modules/admin/data/data.yaml 1 file changed, 4 insertions(+), 4 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index 15505cb..a89f37a 100644 --- a/modules/admin/data/data.yaml +++ b/modules/admin/data/data.yaml @@ -5,7 +5,7 @@ handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, mglaser, mvolz, mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, rmoen, johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, msyed, kleduc, - manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla] + manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, asherman] wikidev: gid: 500 description: container group for primary user groups. @@ -109,7 +109,7 @@ mforns, jdlrobson, dr0ptp4kt, tgr, marktraceur, jhernandez, joal, daisy, tomasz, mholloway-shell, madhuvishy, ebernhardson, niedzielski, neilpquinn-wmf, tbayer, moushira, dbrant, maxsem, srijan, - jminor, asherman, etonkovidova, sbisson, addshore, matmarex, elukey, + jminor, etonkovidova, sbisson, addshore, matmarex, elukey, nikerabbit, nschaaf, dstrine, joewalsh, mpany, hjiang, jsamra, bcohn, jdittrich, chelsyx, ovasileva, mtizzoni, panisson, paolotti, ciro, debt, samwalton9, zareen, fdans] 
@@ -1821,11 +1821,11 @@ ssh_keys: [ssh-rsa B3NzaC1yc2EDAQABAAABAQDKBIRu2KwmxKyLk2zOtpvzJzLwckzIdsAcB7ajJZQnVhaMGlQlelKL3X85lmuHuL2Pb+jqJ+wfufl+XZHAQy8ZmHIpHpGujfFAv0uNsm4MmnGTjlhpjfuXqVx3QKy58KnuuhEhN3+JCgHhD5D5z40wXZVYjEvdYp75wtxbBLlFCVYjo/tpcU+RcrATMrZab+TQ9DxaqqOtR5AzcBicmsVptZLxBSibDnDFFcNn2SSn0PNwO0Bbv1GppVL+e0J81vEXLxUeeQl3TzxYJyeqcGfQJfSdC8V5ekP3WoVCHF8ap7EOlt5h9/CLqLP2cIfKsE2ciYfJVpSEVEng+9oVMweH junikow...@wmf485.corp.wikimedia.org] uid: 13018 asherman: -ensure: present +ensure: absent gid: 500 name: asherman realname: Andrew Sherman -ssh_keys: [ssh-rsa B3NzaC1yc2EDAQABAAABAQCoNjOK45S7G5ZyAFFE4lLfNvcW+67JMyLPhivnXIYPckEKdA08FW3GNNuvLqfeSseKvhLGHwBEVeK3osA1ZFwbsKUyRPxHxL2iIaCj7JUp/3QoHjxUa4pFCRM408mrlEnhMYMJwjQ5irXkO7LHyE/89v3Jv2ext6S3vOGSdVDrQcAlS6zZnuWtlMeIh/oj0+0HrW6e6HoMeYqbb9t0tUr/X18emh9K9jQ3bKmbnEv4iVEKBBImJ6MVpXaDAX7zwAcAXGgtfXp1oNIR7z21uM1RuxlcP1Sj60x/RNPc3dbD+xi25ddaIfVC4mO6VoHcBsxwSHHWVVsyqHalRP666kK7 Andrew@Andrews-MBP-2] +ssh_keys: [] uid: 12989 pt1979: ensure: present -- To view, visit https://gerrit.wikimedia.org/r/330885 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
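Review bot: The hunk at -109 removes asherman from a members list whose group name lies outside the diff context, and the commit message only cites T152957. Name the group being revoked in the commit message so the access change can be audited from the log alone.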
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Remove access credentials for asherman
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330885 ) Change subject: Remove access credentials for asherman .. Remove access credentials for asherman Bug: T152957 Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf --- M modules/admin/data/data.yaml 1 file changed, 4 insertions(+), 4 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/85/330885/1 diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml index 15505cb..a89f37a 100644 --- a/modules/admin/data/data.yaml +++ b/modules/admin/data/data.yaml @@ -5,7 +5,7 @@ handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, mglaser, mvolz, mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, rmoen, johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, msyed, kleduc, - manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla] + manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, asherman] wikidev: gid: 500 description: container group for primary user groups. @@ -109,7 +109,7 @@ mforns, jdlrobson, dr0ptp4kt, tgr, marktraceur, jhernandez, joal, daisy, tomasz, mholloway-shell, madhuvishy, ebernhardson, niedzielski, neilpquinn-wmf, tbayer, moushira, dbrant, maxsem, srijan, - jminor, asherman, etonkovidova, sbisson, addshore, matmarex, elukey, + jminor, etonkovidova, sbisson, addshore, matmarex, elukey, nikerabbit, nschaaf, dstrine, joewalsh, mpany, hjiang, jsamra, bcohn, jdittrich, chelsyx, ovasileva, mtizzoni, panisson, paolotti, ciro, debt, samwalton9, zareen, fdans] 
@@ -1821,11 +1821,11 @@ ssh_keys: [ssh-rsa B3NzaC1yc2EDAQABAAABAQDKBIRu2KwmxKyLk2zOtpvzJzLwckzIdsAcB7ajJZQnVhaMGlQlelKL3X85lmuHuL2Pb+jqJ+wfufl+XZHAQy8ZmHIpHpGujfFAv0uNsm4MmnGTjlhpjfuXqVx3QKy58KnuuhEhN3+JCgHhD5D5z40wXZVYjEvdYp75wtxbBLlFCVYjo/tpcU+RcrATMrZab+TQ9DxaqqOtR5AzcBicmsVptZLxBSibDnDFFcNn2SSn0PNwO0Bbv1GppVL+e0J81vEXLxUeeQl3TzxYJyeqcGfQJfSdC8V5ekP3WoVCHF8ap7EOlt5h9/CLqLP2cIfKsE2ciYfJVpSEVEng+9oVMweH junikow...@wmf485.corp.wikimedia.org] uid: 13018 asherman: -ensure: present +ensure: absent gid: 500 name: asherman realname: Andrew Sherman -ssh_keys: [ssh-rsa B3NzaC1yc2EDAQABAAABAQCoNjOK45S7G5ZyAFFE4lLfNvcW+67JMyLPhivnXIYPckEKdA08FW3GNNuvLqfeSseKvhLGHwBEVeK3osA1ZFwbsKUyRPxHxL2iIaCj7JUp/3QoHjxUa4pFCRM408mrlEnhMYMJwjQ5irXkO7LHyE/89v3Jv2ext6S3vOGSdVDrQcAlS6zZnuWtlMeIh/oj0+0HrW6e6HoMeYqbb9t0tUr/X18emh9K9jQ3bKmbnEv4iVEKBBImJ6MVpXaDAX7zwAcAXGgtfXp1oNIR7z21uM1RuxlcP1Sj60x/RNPc3dbD+xi25ddaIfVC4mO6VoHcBsxwSHHWVVsyqHalRP666kK7 Andrew@Andrews-MBP-2] +ssh_keys: [] uid: 12989 pt1979: ensure: present -- To view, visit https://gerrit.wikimedia.org/r/330885 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Switch cache servers in ulsfo to timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330865 ) Change subject: Switch cache servers in ulsfo to timesyncd .. Switch cache servers in ulsfo to timesyncd Testdrive systemd-timesyncd on the varnish servers in ulsfo; they're all jessie. Bug: T150257 Change-Id: Icfbde45a23d1a2b39c1a653d154f7fec6ccd4c97 --- M hieradata/role/ulsfo/cache/maps.yaml M hieradata/role/ulsfo/cache/misc.yaml M hieradata/role/ulsfo/cache/text.yaml M hieradata/role/ulsfo/cache/upload.yaml 4 files changed, 4 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/65/330865/1 diff --git a/hieradata/role/ulsfo/cache/maps.yaml b/hieradata/role/ulsfo/cache/maps.yaml index 48da31a..5447792 100644 --- a/hieradata/role/ulsfo/cache/maps.yaml +++ b/hieradata/role/ulsfo/cache/maps.yaml @@ -1,3 +1,4 @@ debdeploy::grains: debdeploy-cp-ulsfo-maps: value: standard +use_timesyncd: true diff --git a/hieradata/role/ulsfo/cache/misc.yaml b/hieradata/role/ulsfo/cache/misc.yaml index 8e8cb74..e7941db 100644 --- a/hieradata/role/ulsfo/cache/misc.yaml +++ b/hieradata/role/ulsfo/cache/misc.yaml @@ -1,3 +1,4 @@ debdeploy::grains: debdeploy-cp-ulsfo-misc: value: standard +use_timesyncd: true diff --git a/hieradata/role/ulsfo/cache/text.yaml b/hieradata/role/ulsfo/cache/text.yaml index fcaa704..915c946 100644 --- a/hieradata/role/ulsfo/cache/text.yaml +++ b/hieradata/role/ulsfo/cache/text.yaml @@ -1,3 +1,4 @@ debdeploy::grains: debdeploy-cp-ulsfo-text: value: standard +use_timesyncd: true diff --git a/hieradata/role/ulsfo/cache/upload.yaml b/hieradata/role/ulsfo/cache/upload.yaml index 4ee386e..6d2b150 100644 --- a/hieradata/role/ulsfo/cache/upload.yaml +++ b/hieradata/role/ulsfo/cache/upload.yaml 
@@ -1,3 +1,4 @@ debdeploy::grains: debdeploy-cp-ulsfo-upload: value: standard +use_timesyncd: true -- To view, visit https://gerrit.wikimedia.org/r/330865 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icfbde45a23d1a2b39c1a653d154f7fec6ccd4c97 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add NRPE check to monitor timesyncd
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330854 ) Change subject: Add NRPE check to monitor timesyncd .. Add NRPE check to monitor timesyncd This reuses an existing Nagios check implemented by Peter Palfrader of the Debian DSA team. Bug: T150257 Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998 --- A modules/base/files/check_timedatectl M modules/standard/manifests/ntp/timesyncd.pp 2 files changed, 76 insertions(+), 1 deletion(-) Approvals: Ema: Looks good to me, but someone else must approve Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/base/files/check_timedatectl b/modules/base/files/check_timedatectl new file mode 100755 index 000..700d857 --- /dev/null +++ b/modules/base/files/check_timedatectl 
@@ -0,0 +1,61 @@ +#!/bin/bash + +# Copyright 2016 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +set -e +set -u + +MAX=2 + +temp="$(mktemp)" +trap "rm -f '$temp'" EXIT + +timedatectl > "$temp" +ut=$(sed '/Universal time:/ { s/^[^:]*: *//; p}; d' "$temp") +rtc=$(sed '/RTC time:/ { s/^[^:]*: *//; p}; d' "$temp") + +uts=$(date -d "$ut" +%s) +rtcs=$(date -d "$rtc" +%s) + +d=$((uts - rtcs)) + +if [ "$d" -lt "-$MAX" ] || + [ "$d" -gt "$MAX" ]; then + echo "Warning: time desync $d: RTC vs. system time: $rtc vs. $ut" + exit 1 +fi + + +bool=$(sed '/NTP enabled:/ { s/^[^:]*: *//; p}; d' "$temp") +if [ "$bool" != "yes" ]; then + echo "Warning: NTP not enabled!" + exit 1 +fi + +bool=$(sed '/NTP synchronized:/ { s/^[^:]*: *//; p}; d' "$temp") +if [ "$bool" != "yes" ]; then + echo "Warning: not synced with NTP (but clock is OK for now)." + exit 1 +fi + +echo "OK: synced at $ut." 
diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp index 50b3958..3044f35 100644 --- a/modules/standard/manifests/ntp/timesyncd.pp +++ b/modules/standard/manifests/ntp/timesyncd.pp @@ -32,5 +32,19 @@ provider => systemd, enable => true, } -} +file { '/usr/lib/nagios/plugins/check_timedatectl': +source => 'puppet:///modules/base/check_timedatectl', +owner => 'root', +group => 'root', +mode => '0555', +} + +nrpe::monitor_service { 'timesynd_ntp_status': +ensure=> 'present', +description => 'Check the NTP synchronisation status of timesyncd', +nrpe_command => '/usr/lib/nagios/plugins/check_timedatectl', +require => File['/usr/lib/nagios/plugins/check_timedatectl'], +contact_group => 'admins', +} +} -- To view, visit https://gerrit.wikimedia.org/r/330854 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Ema Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
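Review bot: In check_timedatectl, every failure path ends in `exit 1`, so a host with NTP disabled reports the same WARNING state as a few seconds of RTC drift, and with `set -e` a failing `timedatectl` or `date -d` call ends the script with that command's exit status and no status line. Consider `exit 2` (CRITICAL) for the "NTP not enabled" case, and a trap or explicit check that prints a message and exits 3 (UNKNOWN) when the timedatectl output cannot be obtained or parsed.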
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Drop reference to the manpage (not available on jessie)
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330860 ) Change subject: Drop reference to the manpage (not available on jessie) .. Drop reference to the manpage (not available on jessie) The timesyncd.conf manpage is only installed into the systemd binary packages after jessie, so drop it for now to minimise confusion. Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1 --- M modules/base/templates/timesyncd.conf.erb 1 file changed, 0 insertions(+), 2 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/base/templates/timesyncd.conf.erb b/modules/base/templates/timesyncd.conf.erb index 2cd2fab..6f3c9a2 100644 --- a/modules/base/templates/timesyncd.conf.erb +++ b/modules/base/templates/timesyncd.conf.erb @@ -1,6 +1,4 @@ ## THIS FILE IS MANAGED BY PUPPET -# -# See timesyncd.conf(5) for details. [Time] NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%> -- To view, visit https://gerrit.wikimedia.org/r/330860 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Drop reference to the manpage (not available on jessie)
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330860 ) Change subject: Drop reference to the manpage (not available on jessie) .. Drop reference to the manpage (not available on jessie) The timesyncd.conf manpage is only installed into the systemd binary packages after jessie, so drop it for now to minimise confusion. Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1 --- M modules/base/templates/timesyncd.conf.erb 1 file changed, 0 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/60/330860/1 diff --git a/modules/base/templates/timesyncd.conf.erb b/modules/base/templates/timesyncd.conf.erb index 2cd2fab..6f3c9a2 100644 --- a/modules/base/templates/timesyncd.conf.erb +++ b/modules/base/templates/timesyncd.conf.erb @@ -1,6 +1,4 @@ ## THIS FILE IS MANAGED BY PUPPET -# -# See timesyncd.conf(5) for details. [Time] NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%> -- To view, visit https://gerrit.wikimedia.org/r/330860 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add NRPE check to monitor timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330854 ) Change subject: Add NRPE check to monitor timesyncd .. Add NRPE check to monitor timesyncd This reuses an existing Nagios check implemented by Peter Palfrader of the Debian DSA team. Bug: T150257 Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998 --- A modules/base/files/check_timedatectl M modules/standard/manifests/ntp/timesyncd.pp 2 files changed, 76 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/54/330854/1 diff --git a/modules/base/files/check_timedatectl b/modules/base/files/check_timedatectl new file mode 100755 index 000..700d857 --- /dev/null +++ b/modules/base/files/check_timedatectl 
@@ -0,0 +1,61 @@ +#!/bin/bash + +# Copyright 2016 Peter Palfrader +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be +# included in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + +set -e +set -u + +MAX=2 + +temp="$(mktemp)" +trap "rm -f '$temp'" EXIT + +timedatectl > "$temp" +ut=$(sed '/Universal time:/ { s/^[^:]*: *//; p}; d' "$temp") +rtc=$(sed '/RTC time:/ { s/^[^:]*: *//; p}; d' "$temp") + +uts=$(date -d "$ut" +%s) +rtcs=$(date -d "$rtc" +%s) + +d=$((uts - rtcs)) + +if [ "$d" -lt "-$MAX" ] || + [ "$d" -gt "$MAX" ]; then + echo "Warning: time desync $d: RTC vs. system time: $rtc vs. $ut" + exit 1 +fi + + +bool=$(sed '/NTP enabled:/ { s/^[^:]*: *//; p}; d' "$temp") +if [ "$bool" != "yes" ]; then + echo "Warning: NTP not enabled!" + exit 1 +fi + +bool=$(sed '/NTP synchronized:/ { s/^[^:]*: *//; p}; d' "$temp") +if [ "$bool" != "yes" ]; then + echo "Warning: not synced with NTP (but clock is OK for now)." + exit 1 +fi + +echo "OK: synced at $ut." 
diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp index 50b3958..38cfc1b 100644 --- a/modules/standard/manifests/ntp/timesyncd.pp +++ b/modules/standard/manifests/ntp/timesyncd.pp @@ -32,5 +32,19 @@ provider => systemd, enable => true, } -} +file { '/usr/lib/nagios/plugins/check_timedatectl': +source => 'puppet:///modules/base/firewall/check_timedatectl', +owner => 'root', +group => 'root', +mode => '0555', +} + +nrpe::monitor_service { 'timesynd_ntp_status': +ensure=> 'present', +description => 'Check the NTP synchronisation status of timesyncd', +nrpe_command => '/usr/lib/nagios/plugins/check_timedatectl', +require => File['/usr/lib/nagios/plugins/check_timedatectl'], +contact_group => 'admins', +} +} -- To view, visit https://gerrit.wikimedia.org/r/330854 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
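Review bot: In the timesyncd.pp hunk, `source => 'puppet:///modules/base/firewall/check_timedatectl'` does not match the file this patch adds at modules/base/files/check_timedatectl; that URL resolves to modules/base/files/firewall/check_timedatectl, so the file resource would have nothing to serve. Use `puppet:///modules/base/check_timedatectl` instead. The resource title `timesynd_ntp_status` also looks like a typo for `timesyncd_ntp_status`.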
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also exclude time servers when using timesyncd
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330660 ) Change subject: Also exclude time servers when using timesyncd .. Also exclude time servers when using timesyncd These are not used in the initial test sets, but let's use the same check for consistency. Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924 --- M modules/standard/manifests/init.pp 1 file changed, 3 insertions(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/standard/manifests/init.pp b/modules/standard/manifests/init.pp index 98ec8ff..992c89f 100644 --- a/modules/standard/manifests/init.pp +++ b/modules/standard/manifests/init.pp @@ -10,7 +10,9 @@ include ::standard::ntp if hiera('use_timesyncd', false) { -include standard::ntp::timesyncd +unless $::fqdn in $::standard::ntp::wmf_peers[$::site] { +include standard::ntp::timesyncd +} } else { -- To view, visit https://gerrit.wikimedia.org/r/330660 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Ema Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
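Review bot: Inside `if hiera('use_timesyncd', false)`, the new `unless $::fqdn in $::standard::ntp::wmf_peers[$::site]` skips the include silently, so a time server with `use_timesyncd: true` in hiera gets no timesyncd and no indication that the setting was ignored. Consider emitting a `notice` or `warning` in that case, plus a short comment in the manifest on why peers are excluded.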
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable enhanced sandbox privilege separation for sshd
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330227 ) Change subject: Enable enhanced sandbox privilege separation for sshd .. Enable enhanced sandbox privilege separation for sshd If 'UsePrivilegeSeparation' is set to "sandbox", it additionally enables a seccomp-based restriction for the (unprivileged) pre-auth process. This feature has been introduced in openssh 5.9, so even precise supports it (but we're using a trusty backport in precise-wikimedia anyway) Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a --- M modules/ssh/templates/sshd_config.erb 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified Filippo Giunchedi: Looks good to me, but someone else must approve diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index 184523d..1a6ba21 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb
@@ -18,7 +18,7 @@ HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security -UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox <%- if @disable_nist_kex -%> KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256 -- To view, visit https://gerrit.wikimedia.org/r/330227 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: BBlack Gerrit-Reviewer: Ema Gerrit-Reviewer: Faidon Liambotis Gerrit-Reviewer: Filippo Giunchedi Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
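Review bot: `UsePrivilegeSeparation sandbox` is rendered unconditionally, unlike the `KexAlgorithms` line just below it that is gated on `@disable_nist_kex`, so every host using this template must run an sshd that accepts the value; the commit message asserts this for precise, but nothing in the template checks it. Worth validating the rendered file with `sshd -t` on one host per distribution before rollout, and updating the comment above the setting, which still only says privilege separation is "turned on".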
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also exclude time servers when using timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330660 ) Change subject: Also exclude time servers when using timesyncd .. Also exclude time servers when using timesyncd These are not used in the initial test sets, but let's use the same check for consistency. Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924 --- M modules/standard/manifests/init.pp 1 file changed, 3 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/60/330660/1 diff --git a/modules/standard/manifests/init.pp b/modules/standard/manifests/init.pp index 98ec8ff..992c89f 100644 --- a/modules/standard/manifests/init.pp +++ b/modules/standard/manifests/init.pp @@ -10,7 +10,9 @@ include ::standard::ntp if hiera('use_timesyncd', false) { -include standard::ntp::timesyncd +unless $::fqdn in $::standard::ntp::wmf_peers[$::site] { +include standard::ntp::timesyncd +} } else { -- To view, visit https://gerrit.wikimedia.org/r/330660 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Move another host to timesyncd
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330649 ) Change subject: Move another host to timesyncd .. Move another host to timesyncd Just a quick test whether service deactivation now works out properly. Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e --- A hieradata/hosts/stat1001.yaml 1 file changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/hosts/stat1001.yaml b/hieradata/hosts/stat1001.yaml new file mode 100644 index 000..832a86c --- /dev/null +++ b/hieradata/hosts/stat1001.yaml @@ -0,0 +1 @@ +use_timesyncd: true -- To view, visit https://gerrit.wikimedia.org/r/330649 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Move another host to timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330649 ) Change subject: Move another host to timesyncd .. Move another host to timesyncd Just a quick test whether service deactivation now works out properly. Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e --- A hieradata/hosts/stat1001.yaml 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/49/330649/1 diff --git a/hieradata/hosts/stat1001.yaml b/hieradata/hosts/stat1001.yaml new file mode 100644 index 000..832a86c --- /dev/null +++ b/hieradata/hosts/stat1001.yaml @@ -0,0 +1 @@ +use_timesyncd: true -- To view, visit https://gerrit.wikimedia.org/r/330649 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Don't apply NTP Icinga check to standard::ntp::timesyncd
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330411 ) Change subject: Don't apply NTP Icinga check to standard::ntp::timesyncd .. Don't apply NTP Icinga check to standard::ntp::timesyncd "check_ntp_time" uses the Icinga plugin check_ntp_peer which queries a full-blown NTP server. Remove it for now, it will be replaced by a custom check which monitors the output of "timedatectl status". Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8 --- M modules/standard/manifests/ntp/timesyncd.pp 1 file changed, 0 insertions(+), 8 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp index 9bf4a6b..50b3958 100644 --- a/modules/standard/manifests/ntp/timesyncd.pp +++ b/modules/standard/manifests/ntp/timesyncd.pp @@ -32,13 +32,5 @@ provider => systemd, enable => true, } - -monitoring::service { 'ntp': -description=> 'NTP', -check_command => 'check_ntp_time!0.5!1', -check_interval => 30, -retry_interval => 15, -} - } -- To view, visit https://gerrit.wikimedia.org/r/330411 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
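Review bot: The hunk removes the `monitoring::service { 'ntp': ... }` block and adds nothing in its place, so hosts that include standard::ntp::timesyncd have no time-sync alerting until the custom check mentioned in the commit message lands. Consider merging this together with the replacement check, or referencing the follow-up change here so the monitoring gap is tracked.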
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Don't apply NTP Icinga check to standard::ntp::timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330411 ) Change subject: Don't apply NTP Icinga check to standard::ntp::timesyncd .. Don't apply NTP Icinga check to standard::ntp::timesyncd "check_ntp_time" uses the Icinga plugin check_ntp_peer which queries a full-blown NTP server. Remove it for now, it will be replaced by a custom check which monitors the output of "timedatectl status". Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8 --- M modules/standard/manifests/ntp/timesyncd.pp 1 file changed, 0 insertions(+), 8 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/11/330411/1 diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp index 9bf4a6b..50b3958 100644 --- a/modules/standard/manifests/ntp/timesyncd.pp +++ b/modules/standard/manifests/ntp/timesyncd.pp @@ -32,13 +32,5 @@ provider => systemd, enable => true, } - -monitoring::service { 'ntp': -description=> 'NTP', -check_command => 'check_ntp_time!0.5!1', -check_interval => 30, -retry_interval => 15, -} - } -- To view, visit https://gerrit.wikimedia.org/r/330411 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Purge ntp package when using systemd-timesyncd
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330402 ) Change subject: Purge ntp package when using systemd-timesyncd .. Purge ntp package when using systemd-timesyncd Only removing the package with "absent" leaves various conffiles around, which is irritating and will lead to cron spam: jmm@multatuli:~$ dpkg -l ntp (..) rc ntp 1:4.2.6.p5+dfsg-7+deb8u amd64 Network Time Protocol daemon and utility programs jmm@multatuli:~$ dpkg -L ntp /etc /etc/dhcp /etc/dhcp/dhclient-exit-hooks.d /etc/dhcp/dhclient-exit-hooks.d/ntp /etc/ntp.conf /etc/cron.daily /etc/cron.daily/ntp /etc/init.d /etc/init.d/ntp /etc/default /etc/default/ntp /var /var/lib /var/lib/ntp Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01 --- M modules/standard/manifests/ntp/timesyncd.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp index 9d20ff1..9bf4a6b 100644 --- a/modules/standard/manifests/ntp/timesyncd.pp +++ b/modules/standard/manifests/ntp/timesyncd.pp @@ -6,7 +6,7 @@ require standard::ntp package { 'ntp': -ensure => absent, +ensure => purged, } $wmf_peers = $::standard::ntp::wmf_peers -- To view, visit https://gerrit.wikimedia.org/r/330402 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Ema Gerrit-Reviewer: Filippo Giunchedi Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
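Review bot: With `ensure => purged` in the `package { 'ntp': }` block, /etc/ntp.conf and /etc/default/ntp from the dpkg -L listing are deleted, so setting use_timesyncd back to false depends on standard::ntp::client reinstalling and reconfiguring ntp from scratch. Please confirm that rollback path, and that a Puppet run moves a host already in the `rc` state shown for multatuli to fully purged.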
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Switch swift in esams to systemd-timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330404 ) Change subject: Switch swift in esams to systemd-timesyncd .. Switch swift in esams to systemd-timesyncd Test-drive systemd-timesyncd on some selected servers; the swift servers in esams are all jessie and non-critical. Bug: T150257 Change-Id: I40fa61da2e5048c8e4ba015011604ffa914c5b45 --- M hieradata/esams/swift/proxy.yaml A hieradata/esams/swift/storage.yaml 2 files changed, 2 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/04/330404/1 diff --git a/hieradata/esams/swift/proxy.yaml b/hieradata/esams/swift/proxy.yaml index eb7ef99..9e2d4f8 100644 --- a/hieradata/esams/swift/proxy.yaml +++ b/hieradata/esams/swift/proxy.yaml @@ -4,3 +4,4 @@ 'ms-fe3002.esams.wmnet:11211' # no trailing comma! ] +use_timesyncd: true diff --git a/hieradata/esams/swift/storage.yaml b/hieradata/esams/swift/storage.yaml new file mode 100644 index 000..832a86c --- /dev/null +++ b/hieradata/esams/swift/storage.yaml @@ -0,0 +1 @@ +use_timesyncd: true -- To view, visit https://gerrit.wikimedia.org/r/330404 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I40fa61da2e5048c8e4ba015011604ffa914c5b45 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
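Review bot: Both hunks set `use_timesyncd: true` for a whole role (proxy.yaml and the new storage.yaml), and standard::ntp::timesyncd starts with `requires_os('debian >= jessie')`. The commit message says the esams swift servers are all jessie; check that against the actual host list before merging, because a host on an older release would be rejected by that requirement instead of quietly staying on ntpd.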
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Purge ntp package when using systemd-timesyncd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330402 ) Change subject: Purge ntp package when using systemd-timesyncd .. Purge ntp package when using systemd-timesyncd Only removing the package with "absent" leaves various conffiles around, which is irritating and will lead to cron spam: jmm@multatuli:~$ dpkg -l ntp (..) rc ntp 1:4.2.6.p5+dfsg-7+deb8u amd64 Network Time Protocol daemon and utility programs jmm@multatuli:~$ dpkg -L ntp /etc /etc/dhcp /etc/dhcp/dhclient-exit-hooks.d /etc/dhcp/dhclient-exit-hooks.d/ntp /etc/ntp.conf /etc/cron.daily /etc/cron.daily/ntp /etc/init.d /etc/init.d/ntp /etc/default /etc/default/ntp /var /var/lib /var/lib/ntp Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01 --- M modules/standard/manifests/ntp/timesyncd.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/02/330402/1 diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp index 9d20ff1..9bf4a6b 100644 --- a/modules/standard/manifests/ntp/timesyncd.pp +++ b/modules/standard/manifests/ntp/timesyncd.pp @@ -6,7 +6,7 @@ require standard::ntp package { 'ntp': -ensure => absent, +ensure => purged, } $wmf_peers = $::standard::ntp::wmf_peers -- To view, visit https://gerrit.wikimedia.org/r/330402 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable systemd-timesyncd on multatuli
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330400 ) Change subject: Enable systemd-timesyncd on multatuli .. Enable systemd-timesyncd on multatuli Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff --- A hieradata/hosts/multatuli.yaml 1 file changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/hosts/multatuli.yaml b/hieradata/hosts/multatuli.yaml new file mode 100644 index 000..832a86c --- /dev/null +++ b/hieradata/hosts/multatuli.yaml @@ -0,0 +1 @@ +use_timesyncd: true -- To view, visit https://gerrit.wikimedia.org/r/330400 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
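Review bot: The new hieradata/hosts/multatuli.yaml adds `use_timesyncd: true` with an empty commit body and no Bug: line. State why this host was picked and add the task reference carried by the other timesyncd changes (T150257).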
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable systemd-timesyncd on multatuli
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330400 ) Change subject: Enable systemd-timesyncd on multatuli .. Enable systemd-timesyncd on multatuli Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff --- A hieradata/hosts/multatuli.yaml 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/330400/1 diff --git a/hieradata/hosts/multatuli.yaml b/hieradata/hosts/multatuli.yaml new file mode 100644 index 000..832a86c --- /dev/null +++ b/hieradata/hosts/multatuli.yaml @@ -0,0 +1 @@ +use_timesyncd: true -- To view, visit https://gerrit.wikimedia.org/r/330400 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Make systemd-timesyncd available as an alternative time sync...
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/322279 ) Change subject: Make systemd-timesyncd available as an alternative time synchronisation provider .. Make systemd-timesyncd available as an alternative time synchronisation provider We don't need any of ntp's advanced features on the clients and we've run into a fair share of runtime bugs (like failing to restart properly or various cases where ntp failed to start after a reboot (it gets stuck in interface activation/XFAC). This patch adds a Hiera-configurable class to use systemd-timesyncd instead. systemd-timesyncd is shipped as part the standard systemd package. It is configured via the timedatectl tool. We can then enable this for a subset of jessie servers and if it proves to be more reliable than ntpd in practice, move all jessie systems to it. Bug: T150257 Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95 --- A modules/base/templates/timesyncd.conf.erb M modules/standard/manifests/init.pp A modules/standard/manifests/ntp/timesyncd.pp 3 files changed, 59 insertions(+), 2 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified Filippo Giunchedi: Looks good to me, but someone else must approve diff --git a/modules/base/templates/timesyncd.conf.erb b/modules/base/templates/timesyncd.conf.erb new file mode 100644 index 000..2cd2fab --- /dev/null +++ b/modules/base/templates/timesyncd.conf.erb @@ -0,0 +1,7 @@ +## THIS FILE IS MANAGED BY PUPPET +# +# See timesyncd.conf(5) for details. + +[Time] +NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%> +<% end %> diff --git a/modules/standard/manifests/init.pp b/modules/standard/manifests/init.pp index c03d90e..98ec8ff 100644 --- a/modules/standard/manifests/init.pp +++ b/modules/standard/manifests/init.pp 
@@ -9,8 +9,14 @@ include ::base include ::standard::ntp -unless $::fqdn in $::standard::ntp::wmf_peers[$::site] { -include standard::ntp::client +if hiera('use_timesyncd', false) { +include standard::ntp::timesyncd +} +else +{ +unless $::fqdn in $::standard::ntp::wmf_peers[$::site] { +include standard::ntp::client +} } include ::standard::diamond diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp new file mode 100644 index 000..9d20ff1 --- /dev/null +++ b/modules/standard/manifests/ntp/timesyncd.pp 
@@ -0,0 +1,44 @@ +# == Class standard::ntp::timesyncd +# +# Setup clock synchronisation using systemd-timesyncd +class standard::ntp::timesyncd () { +requires_os('debian >= jessie') +require standard::ntp + +package { 'ntp': +ensure => absent, +} + +$wmf_peers = $::standard::ntp::wmf_peers +# This maps the servers that regular clients use +$ntp_servers = { +eqiad => concat($wmf_peers['eqiad'], $wmf_peers['codfw']), +codfw => concat($wmf_peers['eqiad'], $wmf_peers['codfw']), +esams => concat($wmf_peers['esams'], $wmf_peers['eqiad']), +ulsfo => concat($wmf_peers['eqiad'], $wmf_peers['codfw']), +} + +file { '/etc/systemd/timesyncd.conf': +ensure => present, +mode=> '0444', +owner => 'root', +group => 'root', +content => template('base/timesyncd.conf.erb'), +notify => Service['systemd-timesyncd'], +} + +service { 'systemd-timesyncd': +ensure => running, +provider => systemd, +enable => true, +} + +monitoring::service { 'ntp': +description=> 'NTP', +check_command => 'check_ntp_time!0.5!1', +check_interval => 30, +retry_interval => 15, +} + +} + -- To view, visit https://gerrit.wikimedia.org/r/322279 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95 Gerrit-PatchSet: 7 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: BBlack Gerrit-Reviewer: Ema Gerrit-Reviewer: Faidon Liambotis Gerrit-Reviewer: Filippo Giunchedi Gerrit-Reviewer: Gehel Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
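Review bot: In timesyncd.conf.erb the `NTP=` line iterates `@ntp_servers[@site].sort`, but `$ntp_servers` in standard::ntp::timesyncd only has keys for eqiad, codfw, esams and ulsfo. For any other `$::site` the lookup returns nil and the template fails on `.sort`; add an explicit check in the class that fails with a clear message, or provide a default server list.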
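Review bot: In the init.pp hunk the `unless $::fqdn in $::standard::ntp::wmf_peers[$::site]` guard now sits only in the else branch, so `use_timesyncd: true` in Hiera for one of the NTP peer hosts would include standard::ntp::timesyncd and remove the ntp package there. Keep the peer check in front of both branches, or fail when the flag is set on a peer. Style: `else` and its opening brace belong on one line.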
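Review bot: In the new timesyncd.pp, `package { 'ntp': ensure => absent }` and `service { 'systemd-timesyncd': ensure => running }` have no relationship declared, so nothing guarantees that ntpd is gone before timesyncd is started. Add `require => Package['ntp']` to the service resource.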
[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::mediawiki::jobrunner: Restrict to domain networks
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/320549 ) Change subject: role::mediawiki::jobrunner: Restrict to domain networks .. role::mediawiki::jobrunner: Restrict to domain networks We're getting rid of $INTERNAL, since it's needlessly broad. Use $DOMAIN_NETWORKS to restrict access in production to production networks, while still allowing using it in labs. Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b --- M modules/role/manifests/mediawiki/jobrunner.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved Elukey: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/modules/role/manifests/mediawiki/jobrunner.pp b/modules/role/manifests/mediawiki/jobrunner.pp index e637bd6..09729bd 100644 --- a/modules/role/manifests/mediawiki/jobrunner.pp +++ b/modules/role/manifests/mediawiki/jobrunner.pp @@ -26,6 +26,6 @@ proto => 'tcp', port=> $::mediawiki::jobrunner::port, notrack => true, -srange => '$INTERNAL', +srange => '$DOMAIN_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/320549 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Elukey Gerrit-Reviewer: Giuseppe Lavagetto Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
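Review bot: `srange => '$DOMAIN_NETWORKS'` is a single-quoted ferm macro whose definition is not part of this diff. Confirm the macro is defined in both the production and the labs ferm configuration, since the commit message relies on it resolving in both realms and an undefined macro would break the jobrunner rule.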
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable enhanced sandbox privilege separation for sshd
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330227 ) Change subject: Enable enhanced sandbox privilege separation for sshd .. Enable enhanced sandbox privilege separation for sshd If 'UsePrivilegeSeparation' is set to "sandbox", it additionally enables a seccomp-based restriction for the (unprivileged) pre-auth process. This feature has been introduced in openssh 5.9, so even trusty supports it (but we're using a trusty backport in precise-wikimedia anyway) Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a --- M modules/ssh/templates/sshd_config.erb 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/27/330227/1 diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index 184523d..1a6ba21 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb @@ -18,7 +18,7 @@ HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security -UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox <%- if @disable_nist_kex -%> KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256 -- To view, visit https://gerrit.wikimedia.org/r/330227 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
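Review bot: `UsePrivilegeSeparation sandbox` is written unconditionally in sshd_config.erb, so every host that renders this template needs an sshd that accepts the value. The commit message covers trusty and the backport on precise; confirm no other release renders this template, since an sshd that rejects the keyword will not come back up on restart. The comment line above it (`#Privilege Separation is turned on for security`) could also say that the pre-auth process is now confined by the seccomp sandbox.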
[MediaWiki-commits] [Gerrit] operations/puppet[production]: eventbus: Restrict to domain networks
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328665 ) Change subject: eventbus: Restrict to domain networks .. eventbus: Restrict to domain networks We're getting rid of $INTERNAL, which is needlessly broad. Restrict eventbus to $DOMAIN_NETWORKS, so that when running in production access is restricted to production networks and when running in labs to labs networks. Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88 --- M modules/role/manifests/eventbus/eventbus.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved Ottomata: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/modules/role/manifests/eventbus/eventbus.pp b/modules/role/manifests/eventbus/eventbus.pp index f96116c..1d1cc0a 100644 --- a/modules/role/manifests/eventbus/eventbus.pp +++ b/modules/role/manifests/eventbus/eventbus.pp @@ -107,7 +107,7 @@ ferm::service { 'eventlogging-service-eventbus': proto => 'tcp', port => '8085', -srange => '$INTERNAL', +srange => '$DOMAIN_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/328665 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Elukey Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: Ottomata Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
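Review bot: The reason for `srange => '$DOMAIN_NETWORKS'` in `ferm::service { 'eventlogging-service-eventbus': }` lives only in the commit message. A one-line comment above the parameter, saying it resolves to production networks in production and to labs networks in labs, would keep a later edit from widening it again. The message should also say whether any producer outside those networks relied on $INTERNAL to reach port 8085.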
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Rename ferm service in role::labs::db::replica
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328683 ) Change subject: Rename ferm service in role::labs::db::replica .. Rename ferm service in role::labs::db::replica Currently the ferm service uses the same name as the standard mariadb_internal ferm service, but uses a different source range. This is confusing when doing cluster-wide checks via salt on ferm config settings, so rename it to mariadb_db_replica. Change-Id: Ibd632ad0acb2702d52c56c4a342f335bacc20b4f --- M modules/role/manifests/labs/db/replica.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/83/328683/1 diff --git a/modules/role/manifests/labs/db/replica.pp b/modules/role/manifests/labs/db/replica.pp index 4408d3e..58b6713 100644 --- a/modules/role/manifests/labs/db/replica.pp +++ b/modules/role/manifests/labs/db/replica.pp @@ -14,7 +14,7 @@ include role::mariadb::monitor include base::firewall -ferm::service{ 'mariadb_internal': +ferm::service{ 'mariadb_db_replica': proto => 'tcp', port=> '3306', notrack => true, -- To view, visit https://gerrit.wikimedia.org/r/328683 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibd632ad0acb2702d52c56c4a342f335bacc20b4f Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
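Review bot: Renaming the resource title from 'mariadb_internal' to 'mariadb_db_replica' creates a rule under the new name but does not by itself remove the rule generated under the old one. Confirm that ferm::service files which are no longer declared get purged on the replica hosts; otherwise the old rule stays on disk next to the new one and the salt checks mentioned in the commit message keep seeing it.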
[MediaWiki-commits] [Gerrit] operations/puppet[production]: eventbus: Restrict to domain networks
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328665 ) Change subject: eventbus: Restrict to domain networks .. eventbus: Restrict to domain networks We're getting rid of $INTERNAL, which is needlessly broad. Restrict eventbus to $DOMAIN_NETWORKS, so that when running in production access is restricted to production networks and when running in labs to labs networks. Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88 --- M modules/role/manifests/eventbus/eventbus.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/65/328665/1 diff --git a/modules/role/manifests/eventbus/eventbus.pp b/modules/role/manifests/eventbus/eventbus.pp index f96116c..1d1cc0a 100644 --- a/modules/role/manifests/eventbus/eventbus.pp +++ b/modules/role/manifests/eventbus/eventbus.pp @@ -107,7 +107,7 @@ ferm::service { 'eventlogging-service-eventbus': proto => 'tcp', port => '8085', -srange => '$INTERNAL', +srange => '$DOMAIN_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/328665 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: hive/metastore: Restrict to analytics networks
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328664 ) Change subject: hive/metastore: Restrict to analytics networks .. hive/metastore: Restrict to analytics networks We're getting rid of $INTERNAL, which is needlessly broad. Restrict to the analytics networks instead. Change-Id: I4aa19b599452d7577a72fe733263fe56a3a90c11 --- M modules/role/manifests/analytics_cluster/hive/metastore.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/64/328664/1 diff --git a/modules/role/manifests/analytics_cluster/hive/metastore.pp b/modules/role/manifests/analytics_cluster/hive/metastore.pp index 9ba7b3c..475ef88 100644 --- a/modules/role/manifests/analytics_cluster/hive/metastore.pp +++ b/modules/role/manifests/analytics_cluster/hive/metastore.pp @@ -13,7 +13,7 @@ ferm::service{ 'hive_metastore': proto => 'tcp', port => '9083', -srange => '$INTERNAL', +srange => '$ANALYTICS_NETWORKS', } # Include icinga alerts if production realm. -- To view, visit https://gerrit.wikimedia.org/r/328664 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4aa19b599452d7577a72fe733263fe56a3a90c11 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
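Review bot: Narrowing `srange` on `ferm::service{ 'hive_metastore': }` from '$INTERNAL' to '$ANALYTICS_NETWORKS' cuts off any metastore client on port 9083 that sits outside the analytics networks as soon as ferm reloads. The commit message does not say how the client set was checked; record that in the message or name the known clients.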
[MediaWiki-commits] [Gerrit] operations/puppet[production]: yarn web ui: Restrict to analytics networks
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328654 ) Change subject: yarn web ui: Restrict to analytics networks .. yarn web ui: Restrict to analytics networks $INTERNAL is too broad and scheduled for removal, restrict to the analytics networks. Change-Id: Ieb6590d5e2d7f24f14c1218ac6aa0094575bcb93 --- M modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/54/328654/1 diff --git a/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp b/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp index 9b191a2..e69f758 100644 --- a/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp +++ b/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp @@ -29,7 +29,7 @@ ferm::service{ 'hadoop-yarn-resourcemanager-http-ui': proto => 'tcp', port => '8088', -srange => '$INTERNAL', +srange => '$ANALYTICS_NETWORKS', } ferm::service{ 'hadoop-mapreduce-historyserver': -- To view, visit https://gerrit.wikimedia.org/r/328654 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ieb6590d5e2d7f24f14c1218ac6aa0094575bcb93 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
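Review bot: The trailing context shows `ferm::service{ 'hadoop-mapreduce-historyserver':` directly below the changed rule, and its srange is not visible in this hunk. If it also uses '$INTERNAL', change it in the same patch, since the commit message says $INTERNAL is scheduled for removal. Also confirm that whatever path people use to reach the web UI on port 8088 originates inside $ANALYTICS_NETWORKS.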
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update date in changelog for build
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328650 ) Change subject: Update date in changelog for build .. Update date in changelog for build Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd --- M debian/changelog 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index f22bea7..4dbf400 100644 --- a/debian/changelog +++ b/debian/changelog @@ -42,7 +42,7 @@ * Update to 4.4.39: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39 - -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 + -- Moritz Muehlenhoff Tue, 22 Dec 2016 11:51:45 +0100 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium -- To view, visit https://gerrit.wikimedia.org/r/328650 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
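Review bot: The new trailer line reads `Tue, 22 Dec 2016 11:51:45 +0100`, but 22 December 2016 was a Thursday; the weekday was carried over from the old `Tue, 15 Nov 2016` line. Use `Thu, 22 Dec 2016` or regenerate the trailer with dch so that the weekday matches the date.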
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update date in changelog for build
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328650 ) Change subject: Update date in changelog for build .. Update date in changelog for build Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd --- M debian/changelog 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/50/328650/1 diff --git a/debian/changelog b/debian/changelog index f22bea7..4dbf400 100644 --- a/debian/changelog +++ b/debian/changelog @@ -42,7 +42,7 @@ * Update to 4.4.39: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39 - -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 + -- Moritz Muehlenhoff Tue, 22 Dec 2016 11:51:45 +0100 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium -- To view, visit https://gerrit.wikimedia.org/r/328650 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.39
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328649 ) Change subject: Update to 4.4.39 .. Update to 4.4.39 Change-Id: Ice952e652eec0d3d4616fddb7ffe6e23c32e3e11 --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.37.patch A debian/patches/bugfix/all/stable-4.4.38.patch A debian/patches/bugfix/all/stable-4.4.39.patch M debian/patches/series 5 files changed, 1,909 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index e6e59bc..f22bea7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -39,6 +39,8 @@ - CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c] - CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0] - CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290] + * Update to 4.4.39: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39 -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.37.patch b/debian/patches/bugfix/all/stable-4.4.37.patch new file mode 100644 index 000..c41e2df --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.37.patch 
@@ -0,0 +1,377 @@ +diff --git a/Makefile b/Makefile +index 705eb9e38fce..b57ec79b4941 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 36 ++SUBLEVEL = 37 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h +index 08e7e2a16ac1..a36e8601114d 100644 +--- a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h +@@ -22,10 +22,11 @@ + static inline void __delay(unsigned long loops) + { + __asm__ __volatile__( +- " lp 1f \n" +- " nop \n" +- "1: \n" +- : "+l"(loops)); ++ " mov lp_count, %0\n" ++ " lp 1f \n" ++ " nop \n" ++ "1: \n" ++ : : "r"(loops)); + } + + extern void __bad_udelay(void); +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index 8136afc9df0d..8884b5d5f48c 100644 +--- a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +@@ -77,7 +77,7 @@ struct arm64_cpu_capabilities { + const char *desc; + u16 capability; + bool (*matches)(const struct arm64_cpu_capabilities *); +- void (*enable)(void *); /* Called on all active CPUs */ ++ int (*enable)(void *); /* Called on all active CPUs */ + union { + struct {/* To be used for erratum handling only */ + u32 midr_model; +diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h +index 4acb7ca94fcd..d08559528927 100644 +--- a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h +@@ -186,6 +186,6 @@ static inline void spin_lock_prefetch(const void *x) + + #endif + +-void cpu_enable_pan(void *__unused); ++int cpu_enable_pan(void *__unused); + + #endif /* __ASM_PROCESSOR_H */ +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index 0669c63281ea..2735bf814592 100644 +--- a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +@@ -19,7 +19,9 @@ + #define pr_fmt(fmt) "CPU features: " fmt + + #include ++#include + #include ++#include + #include + #include + #include 
+@@ -764,7 +766,13 @@ static void enable_cpu_capabilities(const struct arm64_cpu_capabilities *caps) + + for (i = 0; caps[i].desc; i++) + if (caps[i].enable && cpus_have_cap(caps[i].capability)) +- on_each_cpu(caps[i].enable, NULL, true); ++ /* ++ * Use stop_machine() as it schedules the work allowing ++ * us to modify PSTATE, instead of on_each_cpu() which ++ * uses an IPI, giving us a PSTATE that disappears when ++ * we return. ++ */ ++ stop_machine(caps[i].enable, NULL, cpu_online_mask); + } + + #ifdef CONFIG_HOTPLUG_CPU +diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c +index 1095aa483a1c..00c1372bf57b 100644 +--- a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c +@@ -1,7 +1,9 @@ + #include + #include + #include ++#include + #include ++#include + #include + #include + #include +@@ -111,6 +113,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + set_my_cpu_offset(per_cpu_offset(smp_processor_id())); + + /* ++ * PSTATE was not saved over suspend/resume, re-enable any ++ * detected features that might not have been set
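Review bot: The debian/changelog hunk adds only `* Update to 4.4.39:` with the 4.4.39 ChangeLog URL, while the change adds stable-4.4.37.patch, stable-4.4.38.patch and stable-4.4.39.patch and the Makefile hunk starts from SUBLEVEL 36. List the 4.4.37 and 4.4.38 ChangeLog URLs as well, or word the entry as an update from 4.4.36 to 4.4.39, so the changelog matches the three patches added to the series.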
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.39
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328649 ) Change subject: Update to 4.4.39 .. Update to 4.4.39 Change-Id: Ice952e652eec0d3d4616fddb7ffe6e23c32e3e11 --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.37.patch A debian/patches/bugfix/all/stable-4.4.38.patch A debian/patches/bugfix/all/stable-4.4.39.patch M debian/patches/series 5 files changed, 1,909 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/49/328649/1 diff --git a/debian/changelog b/debian/changelog index e6e59bc..f22bea7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -39,6 +39,8 @@ - CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c] - CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0] - CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290] + * Update to 4.4.39: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39 -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.37.patch b/debian/patches/bugfix/all/stable-4.4.37.patch new file mode 100644 index 000..c41e2df --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.37.patch 
@@ -0,0 +1,377 @@ +diff --git a/Makefile b/Makefile +index 705eb9e38fce..b57ec79b4941 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 36 ++SUBLEVEL = 37 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h +index 08e7e2a16ac1..a36e8601114d 100644 +--- a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h +@@ -22,10 +22,11 @@ + static inline void __delay(unsigned long loops) + { + __asm__ __volatile__( +- " lp 1f \n" +- " nop \n" +- "1: \n" +- : "+l"(loops)); ++ " mov lp_count, %0\n" ++ " lp 1f \n" ++ " nop \n" ++ "1: \n" ++ : : "r"(loops)); + } + + extern void __bad_udelay(void); +diff --git a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +index 8136afc9df0d..8884b5d5f48c 100644 +--- a/arch/arm64/include/asm/cpufeature.h b/arch/arm64/include/asm/cpufeature.h +@@ -77,7 +77,7 @@ struct arm64_cpu_capabilities { + const char *desc; + u16 capability; + bool (*matches)(const struct arm64_cpu_capabilities *); +- void (*enable)(void *); /* Called on all active CPUs */ ++ int (*enable)(void *); /* Called on all active CPUs */ + union { + struct {/* To be used for erratum handling only */ + u32 midr_model; +diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h +index 4acb7ca94fcd..d08559528927 100644 +--- a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h +@@ -186,6 +186,6 @@ static inline void spin_lock_prefetch(const void *x) + + #endif + +-void cpu_enable_pan(void *__unused); ++int cpu_enable_pan(void *__unused); + + #endif /* __ASM_PROCESSOR_H */ +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index 0669c63281ea..2735bf814592 100644 +--- a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +@@ -19,7 +19,9 @@ + #define pr_fmt(fmt) "CPU features: " fmt + + #include ++#include + #include ++#include + #include + #include + #include 
+@@ -764,7 +766,13 @@ static void enable_cpu_capabilities(const struct arm64_cpu_capabilities *caps) + + for (i = 0; caps[i].desc; i++) + if (caps[i].enable && cpus_have_cap(caps[i].capability)) +- on_each_cpu(caps[i].enable, NULL, true); ++ /* ++ * Use stop_machine() as it schedules the work allowing ++ * us to modify PSTATE, instead of on_each_cpu() which ++ * uses an IPI, giving us a PSTATE that disappears when ++ * we return. ++ */ ++ stop_machine(caps[i].enable, NULL, cpu_online_mask); + } + + #ifdef CONFIG_HOTPLUG_CPU +diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c +index 1095aa483a1c..00c1372bf57b 100644 +--- a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c +@@ -1,7 +1,9 @@ + #include + #include + #include ++#include + #include ++#include + #include + #include + #include +@@ -111,6 +113,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned long)) + set_my_cpu_offset(per_cpu_offset(smp_processor_id())); + + /* ++ * PSTATE was not saved over suspend/resume, re-enable any ++ * detected features that might not have been
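Review bot: in enable_cpu_capabilities() (arch/arm64/kernel/cpufeature.c), the enable callbacks now return int, but the result of `stop_machine(caps[i].enable, NULL, cpu_online_mask);` is discarded, so a callback that fails goes unnoticed. Either check the return value and warn, or say in the new comment that the callbacks are expected to return 0. The multi-line comment also sits between the unbraced `if` and its single statement; braces around the body would make the nesting under the `for` easier to read.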
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.38
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328634 ) Change subject: Update to 4.4.38 .. Update to 4.4.38 Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8 --- M debian/changelog M debian/patches/series 2 files changed, 7 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index a59f197..e6e59bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -33,6 +33,12 @@ * Update to 4.4.37: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37 - CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4] + * Update to 4.4.38: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.38 +- CVE-2016-8399 [0eab121ef8750a5c8637d51534d5e9143fb0633f] +- CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c] +- CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0] +- CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/series b/debian/patches/series index 02a82f7..6af421a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -138,3 +138,4 @@ bugfix/all/stable-4.4.35.patch bugfix/all/stable-4.4.36.patch bugfix/all/stable-4.4.37.patch +bugfix/all/stable-4.4.38.patch -- To view, visit https://gerrit.wikimedia.org/r/328634 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.38
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328634 ) Change subject: Update to 4.4.38 .. Update to 4.4.38 Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8 --- M debian/changelog M debian/patches/series 2 files changed, 7 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/34/328634/1 diff --git a/debian/changelog b/debian/changelog index a59f197..e6e59bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -33,6 +33,12 @@ * Update to 4.4.37: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37 - CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4] + * Update to 4.4.38: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.38 +- CVE-2016-8399 [0eab121ef8750a5c8637d51534d5e9143fb0633f] +- CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c] +- CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0] +- CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/series b/debian/patches/series index 02a82f7..6af421a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -138,3 +138,4 @@ bugfix/all/stable-4.4.35.patch bugfix/all/stable-4.4.36.patch bugfix/all/stable-4.4.37.patch +bugfix/all/stable-4.4.38.patch -- To view, visit https://gerrit.wikimedia.org/r/328634 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
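Review bot: the debian/patches/series hunk adds `bugfix/all/stable-4.4.38.patch`, but the file list for this change is only debian/changelog and debian/patches/series (2 files changed), so the series now names a patch that this change does not add. Include debian/patches/bugfix/all/stable-4.4.38.patch in the same change so the patch queue applies at this commit.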
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.37
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328633 ) Change subject: Update to 4.4.37 .. Update to 4.4.37 Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6 --- M debian/changelog M debian/patches/series 2 files changed, 5 insertions(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index 8ff6384..a59f197 100644 --- a/debian/changelog +++ b/debian/changelog @@ -27,9 +27,12 @@ * Update to 4.4.35: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 * Update to 4.4.36: -https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.36 - CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073] - CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c] + * Update to 4.4.37: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37 +- CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/series b/debian/patches/series index d8b7463..02a82f7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -137,3 +137,4 @@ bugfix/all/stable-4.4.34.patch bugfix/all/stable-4.4.35.patch bugfix/all/stable-4.4.36.patch +bugfix/all/stable-4.4.37.patch -- To view, visit https://gerrit.wikimedia.org/r/328633 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
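Review bot: the debian/changelog hunk also changes the URL under the existing 4.4.36 entry from ChangeLog-4.4.35 to ChangeLog-4.4.36, a correction the commit message ("Update to 4.4.37") does not mention. Note the fix in the message or split it into its own change so it can be found in history.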
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.37
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328633 ) Change subject: Update to 4.4.37 .. Update to 4.4.37 Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6 --- M debian/changelog M debian/patches/series 2 files changed, 5 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/33/328633/1 diff --git a/debian/changelog b/debian/changelog index 8ff6384..a59f197 100644 --- a/debian/changelog +++ b/debian/changelog @@ -27,9 +27,12 @@ * Update to 4.4.35: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 * Update to 4.4.36: -https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.36 - CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073] - CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c] + * Update to 4.4.37: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37 +- CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/series b/debian/patches/series index d8b7463..02a82f7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -137,3 +137,4 @@ bugfix/all/stable-4.4.34.patch bugfix/all/stable-4.4.35.patch bugfix/all/stable-4.4.36.patch +bugfix/all/stable-4.4.37.patch -- To view, visit https://gerrit.wikimedia.org/r/328633 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
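Review bot: in the debian/patches/series hunk, `+bugfix/all/stable-4.4.37.patch` is appended while the summary lists only "M debian/changelog" and "M debian/patches/series", with no "A debian/patches/bugfix/all/stable-4.4.37.patch". As submitted, the series references a file that is absent from the tree; add the patch file here or hold the series entry until the file lands.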
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.36
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328546 ) Change subject: Update to 4.4.36 .. Update to 4.4.36 Change-Id: I03efd5d914cc2624723b3a906284ec9b55b3f58b --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.36.patch M debian/patches/series 3 files changed, 919 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index 9028944..8ff6384 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,6 +26,10 @@ - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc] * Update to 4.4.35: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 + * Update to 4.4.36: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 +- CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073] +- CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.36.patch b/debian/patches/bugfix/all/stable-4.4.36.patch new file mode 100644 index 000..0db6e38 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.36.patch 
@@ -0,0 +1,914 @@ +diff --git a/Makefile b/Makefile +index f88830af1533..705eb9e38fce 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 35 ++SUBLEVEL = 36 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c +index cda6dbbe9842..fd5979f28ada 100644 +--- a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c +@@ -351,6 +351,7 @@ void __init parisc_setup_cache_timing(void) + { + unsigned long rangetime, alltime; + unsigned long size, start; ++ unsigned long threshold; + + alltime = mfctl(16); + flush_data_cache(); +@@ -364,17 +365,12 @@ void __init parisc_setup_cache_timing(void) + printk(KERN_DEBUG "Whole cache flush %lu cycles, flushing %lu bytes %lu cycles\n", + alltime, size, rangetime); + +- /* Racy, but if we see an intermediate value, it's ok too... */ +- parisc_cache_flush_threshold = size * alltime / rangetime; +- +- parisc_cache_flush_threshold = L1_CACHE_ALIGN(parisc_cache_flush_threshold); +- if (!parisc_cache_flush_threshold) +- parisc_cache_flush_threshold = FLUSH_THRESHOLD; +- +- if (parisc_cache_flush_threshold > cache_info.dc_size) +- parisc_cache_flush_threshold = cache_info.dc_size; +- +- printk(KERN_INFO "Setting cache flush threshold to %lu kB\n", ++ threshold = L1_CACHE_ALIGN(size * alltime / rangetime); ++ if (threshold > cache_info.dc_size) ++ threshold = cache_info.dc_size; ++ if (threshold) ++ parisc_cache_flush_threshold = threshold; ++ printk(KERN_INFO "Cache flush threshold set to %lu KiB\n", + parisc_cache_flush_threshold/1024); + + /* calculate TLB flush threshold */ +@@ -383,7 +379,7 @@ void __init parisc_setup_cache_timing(void) + flush_tlb_all(); + alltime = mfctl(16) - alltime; + +- size = PAGE_SIZE; ++ size = 0; + start = (unsigned long) _text; + rangetime = mfctl(16); + while (start < (unsigned long) _end) { +@@ -396,13 +392,10 @@ void __init parisc_setup_cache_timing(void) + printk(KERN_DEBUG "Whole TLB flush %lu cycles, 
flushing %lu bytes %lu cycles\n", + alltime, size, rangetime); + +- parisc_tlb_flush_threshold = size * alltime / rangetime; +- parisc_tlb_flush_threshold *= num_online_cpus(); +- parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold); +- if (!parisc_tlb_flush_threshold) +- parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD; +- +- printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n", ++ threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime); ++ if (threshold) ++ parisc_tlb_flush_threshold = threshold; ++ printk(KERN_INFO "TLB flush threshold set to %lu KiB\n", + parisc_tlb_flush_threshold/1024); + } + +diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S +index b743a80eaba0..675521919229 100644 +--- a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S +@@ -96,7 +96,7 @@ fitmanyloop: /* Loop if LOOP >= 2 */ + + fitmanymiddle:/* Loop if LOOP >= 2 */ + addib,COND(>) -1, %r31, fitmanymiddle /* Adjusted inner loop decr */ +- pitlbe 0(%sr1, %r28) ++ pitlbe %r0(%sr1, %r28) + pitlbe,m%arg1(%sr1, %r28) /* Last pitlbe and addr adjust */ + addib,COND(>) -1, %r29, fitmanymiddle /* Middle loop decr */ +
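Review bot: in parisc_setup_cache_timing() (arch/parisc/kernel/cache.c), both threshold computations drop the explicit fallbacks to FLUSH_THRESHOLD and FLUSH_TLB_THRESHOLD and now leave parisc_cache_flush_threshold and parisc_tlb_flush_threshold untouched when the computed `threshold` is 0. That is only safe if both variables already hold a sane initial value, which these hunks do not show; a short comment saying where the default comes from would help. The divisions by `rangetime` also remain unguarded against a zero reading.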
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.36
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328546 ) Change subject: Update to 4.4.36 .. Update to 4.4.36 Change-Id: I03efd5d914cc2624723b3a906284ec9b55b3f58b --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.36.patch M debian/patches/series 3 files changed, 919 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/46/328546/1 diff --git a/debian/changelog b/debian/changelog index 9028944..8ff6384 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,6 +26,10 @@ - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc] * Update to 4.4.35: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 + * Update to 4.4.36: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 +- CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073] +- CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.36.patch b/debian/patches/bugfix/all/stable-4.4.36.patch new file mode 100644 index 000..0db6e38 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.36.patch 
@@ -0,0 +1,914 @@ +diff --git a/Makefile b/Makefile +index f88830af1533..705eb9e38fce 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 35 ++SUBLEVEL = 36 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c +index cda6dbbe9842..fd5979f28ada 100644 +--- a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c +@@ -351,6 +351,7 @@ void __init parisc_setup_cache_timing(void) + { + unsigned long rangetime, alltime; + unsigned long size, start; ++ unsigned long threshold; + + alltime = mfctl(16); + flush_data_cache(); +@@ -364,17 +365,12 @@ void __init parisc_setup_cache_timing(void) + printk(KERN_DEBUG "Whole cache flush %lu cycles, flushing %lu bytes %lu cycles\n", + alltime, size, rangetime); + +- /* Racy, but if we see an intermediate value, it's ok too... */ +- parisc_cache_flush_threshold = size * alltime / rangetime; +- +- parisc_cache_flush_threshold = L1_CACHE_ALIGN(parisc_cache_flush_threshold); +- if (!parisc_cache_flush_threshold) +- parisc_cache_flush_threshold = FLUSH_THRESHOLD; +- +- if (parisc_cache_flush_threshold > cache_info.dc_size) +- parisc_cache_flush_threshold = cache_info.dc_size; +- +- printk(KERN_INFO "Setting cache flush threshold to %lu kB\n", ++ threshold = L1_CACHE_ALIGN(size * alltime / rangetime); ++ if (threshold > cache_info.dc_size) ++ threshold = cache_info.dc_size; ++ if (threshold) ++ parisc_cache_flush_threshold = threshold; ++ printk(KERN_INFO "Cache flush threshold set to %lu KiB\n", + parisc_cache_flush_threshold/1024); + + /* calculate TLB flush threshold */ +@@ -383,7 +379,7 @@ void __init parisc_setup_cache_timing(void) + flush_tlb_all(); + alltime = mfctl(16) - alltime; + +- size = PAGE_SIZE; ++ size = 0; + start = (unsigned long) _text; + rangetime = mfctl(16); + while (start < (unsigned long) _end) { +@@ -396,13 +392,10 @@ void __init parisc_setup_cache_timing(void) + printk(KERN_DEBUG "Whole TLB flush %lu cycles, 
flushing %lu bytes %lu cycles\n", + alltime, size, rangetime); + +- parisc_tlb_flush_threshold = size * alltime / rangetime; +- parisc_tlb_flush_threshold *= num_online_cpus(); +- parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold); +- if (!parisc_tlb_flush_threshold) +- parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD; +- +- printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n", ++ threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime); ++ if (threshold) ++ parisc_tlb_flush_threshold = threshold; ++ printk(KERN_INFO "TLB flush threshold set to %lu KiB\n", + parisc_tlb_flush_threshold/1024); + } + +diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S +index b743a80eaba0..675521919229 100644 +--- a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S +@@ -96,7 +96,7 @@ fitmanyloop: /* Loop if LOOP >= 2 */ + + fitmanymiddle:/* Loop if LOOP >= 2 */ + addib,COND(>) -1, %r31, fitmanymiddle /* Adjusted inner loop decr */ +- pitlbe 0(%sr1, %r28) ++ pitlbe %r0(%sr1, %r28) + pitlbe,m%arg1(%sr1, %r28) /* Last pitlbe and addr adjust */ + addib,COND(>) -1, %r29, fitmanymiddle /* Middle loop decr */ +
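Review bot: in the debian/changelog hunk, the new "Update to 4.4.36" entry links to https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35, the same URL as the 4.4.35 entry directly above it. The added line should point to ChangeLog-4.4.36.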
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.35
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328531 ) Change subject: Update to 4.4.35 .. Update to 4.4.35 Change-Id: I5479b68674df862526c0b0787d0f7ef4adc8a59b --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.35.patch M debian/patches/series 3 files changed, 1,170 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index c159072..9028944 100644 --- a/debian/changelog +++ b/debian/changelog @@ -24,6 +24,8 @@ https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.34 - CVE-2016-8645 [ac6e780070e30e4c35bd395acfe9191e6268bdd3] - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc] + * Update to 4.4.35: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.35.patch b/debian/patches/bugfix/all/stable-4.4.35.patch new file mode 100644 index 000..f5839b2 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.35.patch 
@@ -0,0 +1,1167 @@ +diff --git a/Makefile b/Makefile +index 30924aabf1b4..f88830af1533 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 34 ++SUBLEVEL = 35 + EXTRAVERSION = + NAME = Blurry Fish Butt + +@@ -395,11 +395,12 @@ KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \ + -fno-strict-aliasing -fno-common \ + -Werror-implicit-function-declaration \ + -Wno-format-security \ +- -std=gnu89 ++ -std=gnu89 $(call cc-option,-fno-PIE) ++ + + KBUILD_AFLAGS_KERNEL := + KBUILD_CFLAGS_KERNEL := +-KBUILD_AFLAGS := -D__ASSEMBLY__ ++KBUILD_AFLAGS := -D__ASSEMBLY__ $(call cc-option,-fno-PIE) + KBUILD_AFLAGS_MODULE := -DMODULE + KBUILD_CFLAGS_MODULE := -DMODULE + KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 6cb5834062a3..e2defc7593a4 100644 +--- a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +@@ -352,7 +352,6 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c) + #ifdef CONFIG_SMP + unsigned bits; + int cpu = smp_processor_id(); +- unsigned int socket_id, core_complex_id; + + bits = c->x86_coreid_bits; + /* Low order bits define the core id (index of core in socket) */ +@@ -370,10 +369,7 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c) +if (c->x86 != 0x17 || !cpuid_edx(0x8006)) + return; + +- socket_id = (c->apicid >> bits) - 1; +- core_complex_id = (c->apicid & ((1 << bits) - 1)) >> 3; +- +- per_cpu(cpu_llc_id, cpu) = (socket_id << 3) | core_complex_id; ++ per_cpu(cpu_llc_id, cpu) = c->apicid >> 3; + #endif + } + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 685ef431a41d..7429d481a311 100644 +--- a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +@@ -199,7 +199,18 @@ static void kvm_on_user_return(struct user_return_notifier *urn) + struct kvm_shared_msrs *locals + = container_of(urn, struct kvm_shared_msrs, urn); + struct kvm_shared_msr_values *values; ++ unsigned long flags; + ++ /* ++ * Disabling irqs 
at this point since the following code could be ++ * interrupted and executed through kvm_arch_hardware_disable() ++ */ ++ local_irq_save(flags); ++ if (locals->registered) { ++ locals->registered = false; ++ user_return_notifier_unregister(urn); ++ } ++ local_irq_restore(flags); + for (slot = 0; slot < shared_msrs_global.nr; ++slot) { + values = >values[slot]; + if (values->host != values->curr) { +@@ -207,8 +218,6 @@ static void kvm_on_user_return(struct user_return_notifier *urn) + values->curr = values->host; + } + } +- locals->registered = false; +- user_return_notifier_unregister(urn); + } + + static void shared_msr_update(unsigned slot, u32 msr) +@@ -3317,6 +3326,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + }; + case KVM_SET_VAPIC_ADDR: { + struct kvm_vapic_addr va; ++ int idx; + + r = -EINVAL; + if (!lapic_in_kernel(vcpu)) +@@ -3324,7 +3334,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(, argp, sizeof va)) + goto out; ++ idx = srcu_read_lock(>kvm->srcu); + r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); ++ srcu_read_unlock(>kvm->srcu, idx); + break; + } + case KVM_X86_SETUP_MCE: { +diff --git
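Review bot: in kvm_on_user_return() (arch/x86/kvm/x86.c), the new comment says irqs are disabled because "the following code" can be re-entered through kvm_arch_hardware_disable(), yet local_irq_restore(flags) runs before the MSR restore loop, so only the check-and-clear of locals->registered and the unregister call are covered. Reword the comment to name exactly what the irq-off section protects and why the loop is safe to run with interrupts enabled.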
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.35
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328531 ) Change subject: Update to 4.4.35 .. Update to 4.4.35 Change-Id: I5479b68674df862526c0b0787d0f7ef4adc8a59b --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.35.patch M debian/patches/series 3 files changed, 1,170 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/31/328531/1 diff --git a/debian/changelog b/debian/changelog index c159072..9028944 100644 --- a/debian/changelog +++ b/debian/changelog @@ -24,6 +24,8 @@ https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.34 - CVE-2016-8645 [ac6e780070e30e4c35bd395acfe9191e6268bdd3] - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc] + * Update to 4.4.35: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35 -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.35.patch b/debian/patches/bugfix/all/stable-4.4.35.patch new file mode 100644 index 000..f5839b2 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.35.patch 
@@ -0,0 +1,1167 @@ +diff --git a/Makefile b/Makefile +index 30924aabf1b4..f88830af1533 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 34 ++SUBLEVEL = 35 + EXTRAVERSION = + NAME = Blurry Fish Butt + +@@ -395,11 +395,12 @@ KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \ + -fno-strict-aliasing -fno-common \ + -Werror-implicit-function-declaration \ + -Wno-format-security \ +- -std=gnu89 ++ -std=gnu89 $(call cc-option,-fno-PIE) ++ + + KBUILD_AFLAGS_KERNEL := + KBUILD_CFLAGS_KERNEL := +-KBUILD_AFLAGS := -D__ASSEMBLY__ ++KBUILD_AFLAGS := -D__ASSEMBLY__ $(call cc-option,-fno-PIE) + KBUILD_AFLAGS_MODULE := -DMODULE + KBUILD_CFLAGS_MODULE := -DMODULE + KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds +diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +index 6cb5834062a3..e2defc7593a4 100644 +--- a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c +@@ -352,7 +352,6 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c) + #ifdef CONFIG_SMP + unsigned bits; + int cpu = smp_processor_id(); +- unsigned int socket_id, core_complex_id; + + bits = c->x86_coreid_bits; + /* Low order bits define the core id (index of core in socket) */ +@@ -370,10 +369,7 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c) +if (c->x86 != 0x17 || !cpuid_edx(0x8006)) + return; + +- socket_id = (c->apicid >> bits) - 1; +- core_complex_id = (c->apicid & ((1 << bits) - 1)) >> 3; +- +- per_cpu(cpu_llc_id, cpu) = (socket_id << 3) | core_complex_id; ++ per_cpu(cpu_llc_id, cpu) = c->apicid >> 3; + #endif + } + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 685ef431a41d..7429d481a311 100644 +--- a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +@@ -199,7 +199,18 @@ static void kvm_on_user_return(struct user_return_notifier *urn) + struct kvm_shared_msrs *locals + = container_of(urn, struct kvm_shared_msrs, urn); + struct kvm_shared_msr_values *values; ++ unsigned long flags; + ++ /* ++ * Disabling irqs 
at this point since the following code could be ++ * interrupted and executed through kvm_arch_hardware_disable() ++ */ ++ local_irq_save(flags); ++ if (locals->registered) { ++ locals->registered = false; ++ user_return_notifier_unregister(urn); ++ } ++ local_irq_restore(flags); + for (slot = 0; slot < shared_msrs_global.nr; ++slot) { + values = >values[slot]; + if (values->host != values->curr) { +@@ -207,8 +218,6 @@ static void kvm_on_user_return(struct user_return_notifier *urn) + values->curr = values->host; + } + } +- locals->registered = false; +- user_return_notifier_unregister(urn); + } + + static void shared_msr_update(unsigned slot, u32 msr) +@@ -3317,6 +3326,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + }; + case KVM_SET_VAPIC_ADDR: { + struct kvm_vapic_addr va; ++ int idx; + + r = -EINVAL; + if (!lapic_in_kernel(vcpu)) +@@ -3324,7 +3334,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(, argp, sizeof va)) + goto out; ++ idx = srcu_read_lock(>kvm->srcu); + r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); ++ srcu_read_unlock(>kvm->srcu, idx); + break; + } + case KVM_X86_SETUP_MCE: { +diff --git
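Review bot: in amd_detect_cmp() (arch/x86/kernel/cpu/amd.c), `per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;` replaces the socket_id and core_complex_id computation with a bare shift and no explanation. Add a one-line comment saying what the low three APIC ID bits stand for here, so the constant does not read as a magic number.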
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add snapshot::testbed to standard snapshot debdeploy group
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328523 ) Change subject: Add snapshot::testbed to standard snapshot debdeploy group .. Add snapshot::testbed to standard snapshot debdeploy group Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b --- A hieradata/role/common/snapshot/testbed.yaml 1 file changed, 3 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/role/common/snapshot/testbed.yaml b/hieradata/role/common/snapshot/testbed.yaml new file mode 100644 index 000..6ad3b6d --- /dev/null +++ b/hieradata/role/common/snapshot/testbed.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-snapshot: +value: standard -- To view, visit https://gerrit.wikimedia.org/r/328523 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add snapshot::testbed to standard snapshot debdeploy group
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328523 ) Change subject: Add snapshot::testbed to standard snapshot debdeploy group .. Add snapshot::testbed to standard snapshot debdeploy group Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b --- A hieradata/role/common/snapshot/testbed.yaml 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/23/328523/1 diff --git a/hieradata/role/common/snapshot/testbed.yaml b/hieradata/role/common/snapshot/testbed.yaml new file mode 100644 index 000..6ad3b6d --- /dev/null +++ b/hieradata/role/common/snapshot/testbed.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-snapshot: +value: standard -- To view, visit https://gerrit.wikimedia.org/r/328523 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also follow stat1001 rename in debdeploy grains
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328478 ) Change subject: Also follow stat1001 rename in debdeploy grains .. Also follow stat1001 rename in debdeploy grains Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad --- M hieradata/role/common/statistics/web.yaml M modules/debdeploy/templates/debdeploy.erb 2 files changed, 2 insertions(+), 2 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/role/common/statistics/web.yaml b/hieradata/role/common/statistics/web.yaml index 4b08b5b..a247771 100644 --- a/hieradata/role/common/statistics/web.yaml +++ b/hieradata/role/common/statistics/web.yaml @@ -3,5 +3,5 @@ - statistics-web-users - statistics-admins debdeploy::grains: - debdeploy-stat: + debdeploy-analytics-web: value: standard diff --git a/modules/debdeploy/templates/debdeploy.erb b/modules/debdeploy/templates/debdeploy.erb index c47914b..4d7ebd9 100644 --- a/modules/debdeploy/templates/debdeploy.erb +++ b/modules/debdeploy/templates/debdeploy.erb 
@@ -9,7 +9,7 @@ misc-external-services = debdeploy-tor:standard, debdeploy-etherpad:standard, debdeploy-lists:standard, debdeploy-planet:standard, debdeploy-otrs:standard, debdeploy-ipv6relay:standard, debdeploy-people:standard, debdeploy-mysql-analytics:standard, debdeploy-nova-api:standard, debdeploy-impala:standard misc-monitoring = debdeploy-grafana:standard, debdeploy-syslog:standard, debdeploy-ganglia:standard, debdeploy-graphite:standard, debdeploy-labmon:standard, debdeploy-icinga:standard, debdeploy-prometheus:standard misc-virt = debdeploy-nova-control:standard, debdeploy-horizon:standard, debdeploy-nova-manager:standard, debdeploy-nova-api:standard, debdeploy-labsdns:standard, debdeploy-nodepool:standard -misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, debdeploy-impala:standard, debdeploy-spark-worker:standard, debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, debdeploy-druid:standard +misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, debdeploy-impala:standard, debdeploy-spark-worker:standard, debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, debdeploy-druid:standard, debdeploy-analytics-web:standard all-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, debdeploy-impala:standard, debdeploy-spark-worker:standard, debdeploy-hadoop-worker:standard, debdeploy-hadoop-master:standard, debdeploy-hadoop-standby:standard, debdeploy-hadoop-worker:canary misc-others = debdeploy-spare:standard, debdeploy-testsystem:standard, debdeploy-labtest:standard, debdeploy-sectools:standard misc-devel = debdeploy-bugzilla:standard, debdeploy-ci:standard, debdeploy-releases:standard, debdeploy-ve:standard, debdeploy-irc:standard, debdeploy-phabricator:standard, 
debdeploy-gerrit:standard, debdeploy-archiva:standard, debdeploy-rcstream:standard, debdeploy-eventlogging:standard, debdeploy-deployment:standard, debdeploy-piwik:standard, debdeploy-zuulmerger:standard, debdeploy-debugproxy:standard, debdeploy-webperf:standard, debdeploy-oresrdb:standard -- To view, visit https://gerrit.wikimedia.org/r/328478 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.33
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328510 ) Change subject: Update to 4.4.33 .. Update to 4.4.33 Change-Id: Icb8e84716a7466674d261a9f45c705c79683d374 --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.33.patch M debian/patches/series 3 files changed, 1,110 insertions(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index 9f0ee81..fd0014a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,9 +12,14 @@ only needed for recent GGC releases and clashes with Debian-specific patches * Update to 4.4.32: -https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.32 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd] - CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6] + * Update to 4.4.33: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.33 +- Drop fff40ee4d224965d3fc61fa1040d7c77c20d60cc, the Intel + DRM changes are irrelevant to us and fixing up the patches + isn't really worth the trouble -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.33.patch b/debian/patches/bugfix/all/stable-4.4.33.patch new file mode 100644 index 000..63d5789 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.33.patch 
@@ -0,0 +1,1103 @@ +diff --git a/Makefile b/Makefile +index fba9b09a1330..a513c045c8de 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 32 ++SUBLEVEL = 33 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/kernel/time.c b/arch/arc/kernel/time.c +index dfad287f1db1..dbedc576e4ca 100644 +--- a/arch/arc/kernel/time.c b/arch/arc/kernel/time.c +@@ -130,14 +130,17 @@ static cycle_t arc_counter_read(struct clocksource *cs) + cycle_t full; + } stamp; + +- +- __asm__ __volatile( +- "1: \n" +- " lr %0, [AUX_RTC_LOW] \n" +- " lr %1, [AUX_RTC_HIGH] \n" +- " lr %2, [AUX_RTC_CTRL] \n" +- " bbit0.nt%2, 31, 1b \n" +- : "=r" (stamp.low), "=r" (stamp.high), "=r" (status)); ++ /* ++ * hardware has an internal state machine which tracks readout of ++ * low/high and updates the CTRL.status if ++ * - interrupt/exception taken between the two reads ++ * - high increments after low has been read ++ */ ++ do { ++ stamp.low = read_aux_reg(AUX_RTC_LOW); ++ stamp.high = read_aux_reg(AUX_RTC_HIGH); ++ status = read_aux_reg(AUX_RTC_CTRL); ++ } while (!(status & _BITUL(31))); + + return stamp.full; + } +diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +index dd7cee795709..c8c04a1f1c9f 100644 +--- a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +@@ -400,7 +400,10 @@ struct kvm_vcpu_arch { + /* Host KSEG0 address of the EI/DI offset */ + void *kseg0_commpage; + +- u32 io_gpr; /* GPR used as IO source/target */ ++ /* Resume PC after MMIO completion */ ++ unsigned long io_pc; ++ /* GPR used as IO source/target */ ++ u32 io_gpr; + + struct hrtimer comparecount_timer; + /* Count timer control KVM register */ +@@ -422,8 +425,6 @@ struct kvm_vcpu_arch { + /* Bitmask of pending exceptions to be cleared */ + unsigned long pending_exceptions_clr; + +- unsigned long pending_load_cause; +- + /* Save/Restore the entryhi register when are are preempted/scheduled back in */ + unsigned long 
preempt_entryhi; + +diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +index 4298aeb1e20f..4c85ab808f99 100644 +--- a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +@@ -1473,6 +1473,7 @@ enum emulation_result kvm_mips_emulate_load(uint32_t inst, uint32_t cause, + struct kvm_vcpu *vcpu) + { + enum emulation_result er = EMULATE_DO_MMIO; ++ unsigned long curr_pc; + int32_t op, base, rt, offset; + uint32_t bytes; + +@@ -1481,7 +1482,18 @@ enum emulation_result kvm_mips_emulate_load(uint32_t inst, uint32_t cause, + offset = inst & 0x; + op = (inst >> 26) & 0x3f; + +- vcpu->arch.pending_load_cause = cause; ++ /* ++ * Find the resume PC now while we have safe and easy access to the ++ * prior branch instruction, and save it for ++ * kvm_mips_complete_mmio_load() to restore later. ++ */ ++ curr_pc = vcpu->arch.pc; ++ er = update_pc(vcpu, cause); ++
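Review bot: The debian/changelog hunk records that fff40ee4d224965d3fc61fa1040d7c77c20d60cc was dropped from stable-4.4.33.patch, while the Makefile hunk inside that patch still sets SUBLEVEL = 33, so the package reports itself as 4.4.33 without carrying the complete upstream 4.4.33 change set. The changelog entry is the right place to say so, but it should also be repeated as a header comment at the top of stable-4.4.33.patch or next to its line in debian/patches/series, because that is the file someone compares against the upstream patch when a later stable update touches the same DRM code and fails to apply.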
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Fix CVE ID for exception table privilege escalation
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328507 ) Change subject: Fix CVE ID for exception table privilege escalation .. Fix CVE ID for exception table privilege escalation CVE-2016-9644 is for the incomplete backport which was fixed by the revert in 4.4.30. CVE-2016-9178 is for the stable-only patch by Linus Torvalds which ended up in 4.4.31. Also add a reference to CVE-2016-9555, which was also fixed in 4.4.32. Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be --- M debian/changelog 1 file changed, 2 insertions(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index cb6c994..9f0ee81 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,7 @@ * Update to 4.4.32: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd] +- CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 @@ -35,7 +36,7 @@ - CVE-2016-8666 [fac8e0f579695a3ecbc4d3cac369139d7f819971] * Update to 4.4.30: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.30 -- CVE-2016-9178 [1c109fabbd51863475cd12ac206bdd249aee35af] +- CVE-2016-9644 [1c109fabbd51863475cd12ac206bdd249aee35af] -- Moritz Muehlenhoff Thu, 04 Nov 2016 10:02:03 +0200 -- To view, visit https://gerrit.wikimedia.org/r/328507 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.33
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328510 ) Change subject: Update to 4.4.33 .. Update to 4.4.33 Change-Id: Icb8e84716a7466674d261a9f45c705c79683d374 --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.33.patch M debian/patches/series 3 files changed, 1,234 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/10/328510/1 diff --git a/debian/changelog b/debian/changelog index 9f0ee81..ba5841e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,9 +12,11 @@ only needed for recent GGC releases and clashes with Debian-specific patches * Update to 4.4.32: -https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.32 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd] - CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6] + * Update to 4.4.33: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.33 -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 diff --git a/debian/patches/bugfix/all/stable-4.4.33.patch b/debian/patches/bugfix/all/stable-4.4.33.patch new file mode 100644 index 000..4a02c80 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.33.patch 
@@ -0,0 +1,1230 @@ +diff --git a/Makefile b/Makefile +index fba9b09a1330..a513c045c8de 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 32 ++SUBLEVEL = 33 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arc/kernel/time.c b/arch/arc/kernel/time.c +index dfad287f1db1..dbedc576e4ca 100644 +--- a/arch/arc/kernel/time.c b/arch/arc/kernel/time.c +@@ -130,14 +130,17 @@ static cycle_t arc_counter_read(struct clocksource *cs) + cycle_t full; + } stamp; + +- +- __asm__ __volatile( +- "1: \n" +- " lr %0, [AUX_RTC_LOW] \n" +- " lr %1, [AUX_RTC_HIGH] \n" +- " lr %2, [AUX_RTC_CTRL] \n" +- " bbit0.nt%2, 31, 1b \n" +- : "=r" (stamp.low), "=r" (stamp.high), "=r" (status)); ++ /* ++ * hardware has an internal state machine which tracks readout of ++ * low/high and updates the CTRL.status if ++ * - interrupt/exception taken between the two reads ++ * - high increments after low has been read ++ */ ++ do { ++ stamp.low = read_aux_reg(AUX_RTC_LOW); ++ stamp.high = read_aux_reg(AUX_RTC_HIGH); ++ status = read_aux_reg(AUX_RTC_CTRL); ++ } while (!(status & _BITUL(31))); + + return stamp.full; + } +diff --git a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +index dd7cee795709..c8c04a1f1c9f 100644 +--- a/arch/mips/include/asm/kvm_host.h b/arch/mips/include/asm/kvm_host.h +@@ -400,7 +400,10 @@ struct kvm_vcpu_arch { + /* Host KSEG0 address of the EI/DI offset */ + void *kseg0_commpage; + +- u32 io_gpr; /* GPR used as IO source/target */ ++ /* Resume PC after MMIO completion */ ++ unsigned long io_pc; ++ /* GPR used as IO source/target */ ++ u32 io_gpr; + + struct hrtimer comparecount_timer; + /* Count timer control KVM register */ +@@ -422,8 +425,6 @@ struct kvm_vcpu_arch { + /* Bitmask of pending exceptions to be cleared */ + unsigned long pending_exceptions_clr; + +- unsigned long pending_load_cause; +- + /* Save/Restore the entryhi register when are are preempted/scheduled back in */ + unsigned long 
preempt_entryhi; + +diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +index 4298aeb1e20f..4c85ab808f99 100644 +--- a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +@@ -1473,6 +1473,7 @@ enum emulation_result kvm_mips_emulate_load(uint32_t inst, uint32_t cause, + struct kvm_vcpu *vcpu) + { + enum emulation_result er = EMULATE_DO_MMIO; ++ unsigned long curr_pc; + int32_t op, base, rt, offset; + uint32_t bytes; + +@@ -1481,7 +1482,18 @@ enum emulation_result kvm_mips_emulate_load(uint32_t inst, uint32_t cause, + offset = inst & 0x; + op = (inst >> 26) & 0x3f; + +- vcpu->arch.pending_load_cause = cause; ++ /* ++ * Find the resume PC now while we have safe and easy access to the ++ * prior branch instruction, and save it for ++ * kvm_mips_complete_mmio_load() to restore later. ++ */ ++ curr_pc = vcpu->arch.pc; ++ er = update_pc(vcpu, cause); ++ if (er == EMULATE_FAIL) ++ return er; ++ vcpu->arch.io_pc = vcpu->arch.pc; ++ vcpu->arch.pc = curr_pc; ++ + vcpu->arch.io_gpr =
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Fix CVE ID for exception table privilege escalation
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328507 ) Change subject: Fix CVE ID for exception table privilege escalation .. Fix CVE ID for exception table privilege escalation CVE-2016-9644 is for the incomplete backport which was fixed by the revert in 4.4.30. CVE-2016-9178 is for the stable-only patch by Linus Torvalds which ended up in 4.4.31. Also add a reference to CVE-2016-9555, which was also fixed in 4.4.32. Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be --- M debian/changelog 1 file changed, 2 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/07/328507/1 diff --git a/debian/changelog b/debian/changelog index cb6c994..9f0ee81 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,7 @@ * Update to 4.4.32: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd] +- CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6] -- Moritz MuehlenhoffTue, 15 Nov 2016 14:42:40 +0100 @@ -35,7 +36,7 @@ - CVE-2016-8666 [fac8e0f579695a3ecbc4d3cac369139d7f819971] * Update to 4.4.30: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.30 -- CVE-2016-9178 [1c109fabbd51863475cd12ac206bdd249aee35af] +- CVE-2016-9644 [1c109fabbd51863475cd12ac206bdd249aee35af] -- Moritz Muehlenhoff Thu, 04 Nov 2016 10:02:03 +0200 -- To view, visit https://gerrit.wikimedia.org/r/328507 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
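Review bot: The context of the first debian/changelog hunk shows the "Update to 4.4.32" entry linking to ChangeLog-4.4.31. Since this change already edits that entry to add CVE-2016-9555, correct the URL to ChangeLog-4.4.32 in the same hunk.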
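Review bot: In the second debian/changelog hunk the 4.4.30 entry changes from CVE-2016-9178 to CVE-2016-9644, but neither hunk adds CVE-2016-9178 anywhere, although the commit message says that ID belongs to the stable-only patch that ended up in 4.4.31. Unless the 4.4.31 entry (not part of this diff) already lists it, CVE-2016-9178 disappears from the changelog with this change. Add a line for it under "Update to 4.4.31" with the hash of that patch, so that anyone checking the package against the CVE finds the fixing release.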
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Another retroactive CVE assignment
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328503 ) Change subject: Another retroactive CVE assignment .. Another retroactive CVE assignment Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb --- M debian/changelog 1 file changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index 3d27772..cb6c994 100644 --- a/debian/changelog +++ b/debian/changelog @@ -126,6 +126,7 @@ 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44, 13631bfc604161a9d69cd68991dff8603edd66f9, b7eba0f3515fca3296b8881d583f7c1042f5226] +- CVE-2016-9806 [92964c79b357efd980812c4de5c1fd2ec8bb5520] * Update to 4.4.15: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.15 * Update to 4.4.16: -- To view, visit https://gerrit.wikimedia.org/r/328503 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Another retroactive CVE assignment
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328503 ) Change subject: Another retroactive CVE assignment .. Another retroactive CVE assignment Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb --- M debian/changelog 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/03/328503/1 diff --git a/debian/changelog b/debian/changelog index 3d27772..cb6c994 100644 --- a/debian/changelog +++ b/debian/changelog @@ -126,6 +126,7 @@ 7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44, 13631bfc604161a9d69cd68991dff8603edd66f9, b7eba0f3515fca3296b8881d583f7c1042f5226] +- CVE-2016-9806 [92964c79b357efd980812c4de5c1fd2ec8bb5520] * Update to 4.4.15: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.15 * Update to 4.4.16: -- To view, visit https://gerrit.wikimedia.org/r/328503 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
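Review bot: The added changelog line names CVE-2016-9806 and its fixing commit, but the commit message ("Another retroactive CVE assignment") names neither the CVE nor the stable release the line is filed under, and the hunk context only shows the tail of a commit-hash list followed by the "Update to 4.4.15" entry. Put the CVE ID in the subject so that a search of the git log finds the change, and state in the body which "Update to" entry receives the line.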
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add retroactively assigned CVE ID
Muehlenhoff has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/328498 ) Change subject: Add retroactively assigned CVE ID .. Add retroactively assigned CVE ID Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a --- M debian/changelog 1 file changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index aac9540..3d27772 100644 --- a/debian/changelog +++ b/debian/changelog @@ -169,6 +169,7 @@ - CVE-2016-3157 [b7a584598aea7ca73140cb87b40319944dd3393f] - CVE-2016-3138 [8835ba4a39cf53f705417b3b3a94eb067673f2c9] - CVE-2016-6327 [51093254bf879bc9ce96590400a87897c7498463] +- CVE-2016-9685 [2e83b79b2d6c78bf1b4aa227938a214dcbddc83f] * Update to 4.4.8: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.8 - CVE-2016-3156 [fbd40ea0180a2d328c5adc61414dc8bab9335ce2] -- To view, visit https://gerrit.wikimedia.org/r/328498 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add retroactively assigned CVE ID
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328498 ) Change subject: Add retroactively assigned CVE ID .. Add retroactively assigned CVE ID Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a --- M debian/changelog 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/98/328498/1 diff --git a/debian/changelog b/debian/changelog index aac9540..3d27772 100644 --- a/debian/changelog +++ b/debian/changelog @@ -169,6 +169,7 @@ - CVE-2016-3157 [b7a584598aea7ca73140cb87b40319944dd3393f] - CVE-2016-3138 [8835ba4a39cf53f705417b3b3a94eb067673f2c9] - CVE-2016-6327 [51093254bf879bc9ce96590400a87897c7498463] +- CVE-2016-9685 [2e83b79b2d6c78bf1b4aa227938a214dcbddc83f] * Update to 4.4.8: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.8 - CVE-2016-3156 [fbd40ea0180a2d328c5adc61414dc8bab9335ce2] -- To view, visit https://gerrit.wikimedia.org/r/328498 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also follow stat1001 rename in debdeploy grains
Muehlenhoff has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/328478 ) Change subject: Also follow stat1001 rename in debdeploy grains .. Also follow stat1001 rename in debdeploy grains Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad --- M hieradata/role/common/statistics/web.yaml M modules/debdeploy/templates/debdeploy.erb 2 files changed, 2 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/78/328478/1 diff --git a/hieradata/role/common/statistics/web.yaml b/hieradata/role/common/statistics/web.yaml index 4b08b5b..a247771 100644 --- a/hieradata/role/common/statistics/web.yaml +++ b/hieradata/role/common/statistics/web.yaml @@ -3,5 +3,5 @@ - statistics-web-users - statistics-admins debdeploy::grains: - debdeploy-stat: + debdeploy-analytics-web: value: standard diff --git a/modules/debdeploy/templates/debdeploy.erb b/modules/debdeploy/templates/debdeploy.erb index c47914b..4d7ebd9 100644 --- a/modules/debdeploy/templates/debdeploy.erb +++ b/modules/debdeploy/templates/debdeploy.erb 
@@ -9,7 +9,7 @@ misc-external-services = debdeploy-tor:standard, debdeploy-etherpad:standard, debdeploy-lists:standard, debdeploy-planet:standard, debdeploy-otrs:standard, debdeploy-ipv6relay:standard, debdeploy-people:standard, debdeploy-mysql-analytics:standard, debdeploy-nova-api:standard, debdeploy-impala:standard misc-monitoring = debdeploy-grafana:standard, debdeploy-syslog:standard, debdeploy-ganglia:standard, debdeploy-graphite:standard, debdeploy-labmon:standard, debdeploy-icinga:standard, debdeploy-prometheus:standard misc-virt = debdeploy-nova-control:standard, debdeploy-horizon:standard, debdeploy-nova-manager:standard, debdeploy-nova-api:standard, debdeploy-labsdns:standard, debdeploy-nodepool:standard -misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, debdeploy-impala:standard, debdeploy-spark-worker:standard, debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, debdeploy-druid:standard +misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, debdeploy-impala:standard, debdeploy-spark-worker:standard, debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, debdeploy-druid:standard, debdeploy-analytics-web:standard all-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, debdeploy-impala:standard, debdeploy-spark-worker:standard, debdeploy-hadoop-worker:standard, debdeploy-hadoop-master:standard, debdeploy-hadoop-standby:standard, debdeploy-hadoop-worker:canary misc-others = debdeploy-spare:standard, debdeploy-testsystem:standard, debdeploy-labtest:standard, debdeploy-sectools:standard misc-devel = debdeploy-bugzilla:standard, debdeploy-ci:standard, debdeploy-releases:standard, debdeploy-ve:standard, debdeploy-irc:standard, debdeploy-phabricator:standard, 
debdeploy-gerrit:standard, debdeploy-archiva:standard, debdeploy-rcstream:standard, debdeploy-eventlogging:standard, debdeploy-deployment:standard, debdeploy-piwik:standard, debdeploy-zuulmerger:standard, debdeploy-debugproxy:standard, debdeploy-webperf:standard, debdeploy-oresrdb:standard -- To view, visit https://gerrit.wikimedia.org/r/328478 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
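Review bot: In the debdeploy.erb hunk the new debdeploy-analytics-web:standard grain is appended to misc-analytics only; the all-analytics line directly below is left unchanged and, as the context shows, already lacks debdeploy-stat, debdeploy-notebook and debdeploy-druid. If all-analytics is meant to cover every analytics host, add the new grain (and the missing ones) there as well, otherwise the renamed host is skipped whenever a package update is rolled out to all-analytics. If the two groups are disjoint on purpose, a comment above them would document that.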
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Make systemd-timesyncd available as an alternative time sync...
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/322279 Change subject: Make systemd-timesyncd available as an alternative time synchronisation provide (WIP) .. Make systemd-timesyncd available as an alternative time synchronisation provide (WIP) We don't need any of ntp's advanced features on the clients and we've run into a fair share of runtime bugs (like failing to restart properly or various cases where ntp failed to start after a reboot (it gets stuck in interface activation/XFAC)). This patch adds a Hiera-configurable class to use systemd-timesyncd instead. systemd-timesyncd is shipped as part of the standard systemd package. It is configured via the timedatectl tool. We can enable this for a subset of jessie servers and if it proves to be more reliable than ntp in practice, move all jessie systems to it. Bug: T150527 Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95 --- A modules/base/templates/timesyncd.conf.erb M modules/standard/manifests/init.pp A modules/standard/manifests/ntp/timesyncd.pp 3 files changed, 59 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/79/322279/1 diff --git a/modules/base/templates/timesyncd.conf.erb b/modules/base/templates/timesyncd.conf.erb new file mode 100644 index 000..2cd2fab --- /dev/null +++ b/modules/base/templates/timesyncd.conf.erb @@ -0,0 +1,7 @@ +## THIS FILE IS MANAGED BY PUPPET +# +# See timesyncd.conf(5) for details. + +[Time] +NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%> +<% end %> diff --git a/modules/standard/manifests/init.pp b/modules/standard/manifests/init.pp index c03d90e..98ec8ff 100644 --- a/modules/standard/manifests/init.pp +++ b/modules/standard/manifests/init.pp 
@@ -9,8 +9,14 @@ include ::base include ::standard::ntp -unless $::fqdn in $::standard::ntp::wmf_peers[$::site] { -include standard::ntp::client +if hiera('use_timesyncd', false) { +include standard::ntp::timesyncd +} +else +{ +unless $::fqdn in $::standard::ntp::wmf_peers[$::site] { +include standard::ntp::client +} } include ::standard::diamond diff --git a/modules/standard/manifests/ntp/timesyncd.pp b/modules/standard/manifests/ntp/timesyncd.pp new file mode 100644 index 000..973651e --- /dev/null +++ b/modules/standard/manifests/ntp/timesyncd.pp 
@@ -0,0 +1,44 @@ +# == Class standard::ntp::timesyncd +# +# Setup clock synchronisation using systemd-timesyncd +class standard::ntp::timesyncd () { +requires_os('debian >= jessie') +require standard::ntp + +package { 'ntp': +ensure => absent, +} + +$wmf_peers = $::standard::ntp::wmf_peers +# This maps the servers that regular clients use +$ntp_servers = { +eqiad => concat($wmf_peers['eqiad'], $wmf_peers['codfw']), +codfw => concat($wmf_peers['eqiad'], $wmf_peers['codfw']), +esams => concat($wmf_peers['esams'], $wmf_peers['eqiad']), +ulsfo => concat($wmf_peers['eqiad'], $wmf_peers['codfw']), +} + +file { '/etc/systemd/timesyncd.conf': +ensure => present, +mode=> '0444', +owner => 'root', +group => 'root', +content => template('base/timesyncd.conf.erb'), +notify => Service['systemd-timesyncd'], +} + +service { 'systemd-timesyncd': +provider => systemd, +ensure => running, +enable => true, +} + +monitoring::service { 'ntp': +description=> 'NTP', +check_command => 'check_ntp_time!0.5!1', +check_interval => 30, +retry_interval => 15, +} + +} + -- To view, visit https://gerrit.wikimedia.org/r/322279 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
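Review bot: In timesyncd.conf.erb, @ntp_servers[@site].sort.each re-sorts the list that timesyncd.pp builds with concat(...), so the order chosen there (for esams, the esams peers ahead of the eqiad ones) is lost in the rendered NTP= line. Drop .sort if that order is meant as a preference, or stop ordering the lists in the manifest if it is not. The template is also added under modules/base/templates although the only class that uses it is standard::ntp::timesyncd; placing it in the standard module keeps the class self-contained.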
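Review bot: In init.pp the use_timesyncd branch includes standard::ntp::timesyncd without the "$::fqdn in $::standard::ntp::wmf_peers[$::site]" check that guards standard::ntp::client, and the new class sets package { 'ntp': ensure => absent }. Enabling use_timesyncd in Hiera at a level that also matches one of the NTP peers would therefore remove ntp from a server that other hosts synchronise against. Keep the unless guard around both branches so peers are never switched. The else and its opening brace are also split across two lines, unlike the rest of the block.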
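Review bot: $ntp_servers in timesyncd.pp has entries for eqiad, codfw, esams and ulsfo only, and the template indexes it with @site and calls .sort on the result with no fallback, so a host in any other site fails at template evaluation instead of getting a usable server list. Add a default entry, or call fail() with a clear message for unknown sites. Three of the four concat lines are identical; a short comment explaining why ulsfo uses the eqiad and codfw peers would make the mapping easier to audit.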
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add further retroactively assigned CVE IDs
Muehlenhoff has submitted this change and it was merged. Change subject: Add further retroactively assigned CVE IDs .. Add further retroactively assigned CVE IDs These are all part of the latest Android bulletin, but had been fixed in earlier 4.4.x stable kernels already. Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00 --- M debian/changelog 1 file changed, 5 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index e075cf2..aac9540 100644 --- a/debian/changelog +++ b/debian/changelog @@ -49,6 +49,7 @@ - CVE-2016-0758 [23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa] - CVE-2016-5244 [4116def2337991b39919f3b448326e21c40e0dbb] - CVE-2016-5243 [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2] +- CVE-2016-7915 [50220dead1650609206efe91f0cc116132d59b3f] * Update to 4.4.22: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.22 * Update to 4.4.23: @@ -143,10 +144,12 @@ - CVE-2016-4578 [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5] - CVE-2016-4569 [cec8f96e49d9be372fdb0c3836dcf31ec71e457e] + - CVE-2016-7911 [8ba8682107ee2ca3347354e018865d8e1967c5f4] * Update to 4.4.18: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.18 - CVE-2016-5696 [75ff39ccc1bd5d3c455b6822ab09e533c551f758] - CVE-2016-3672 [8b8addf891de8a00e4d39fc32f93f7c5eb8feceb] + - CVE-2016-7910 [77da160530dd1dc94f6ae15a981f24e5f0021e84] -- Moritz MuehlenhoffThu, 28 Jul 2016 10:03:12 +0200 
@@ -186,6 +189,8 @@ - CVE-2016-4565 [e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3] - CVE-2016-4568 [2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab] - CVE-2016-3961 [103f6112f253017d7062cd74d17f4a514ed4485c] +- CVE-2016-7914 [8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2] +- CVE-2016-7912 [38740a5b87d53ceb89eb2c970150f6e94e00373a] Remove misc-bmp085-Enable-building-as-a-module.patch which is merged in 4.4.9 * Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address -- To view, visit https://gerrit.wikimedia.org/r/322131 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add further retroactively assigned CVE IDs
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/322131 Change subject: Add further retroactively assigned CVE IDs .. Add further retroactively assigned CVE IDs These are all part of the latest Android bulletin, but had been fixed in earlier 4.4.x stable kernels already. Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00 --- M debian/changelog 1 file changed, 5 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/31/322131/1 diff --git a/debian/changelog b/debian/changelog index e075cf2..aac9540 100644 --- a/debian/changelog +++ b/debian/changelog @@ -49,6 +49,7 @@ - CVE-2016-0758 [23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa] - CVE-2016-5244 [4116def2337991b39919f3b448326e21c40e0dbb] - CVE-2016-5243 [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2] +- CVE-2016-7915 [50220dead1650609206efe91f0cc116132d59b3f] * Update to 4.4.22: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.22 * Update to 4.4.23: @@ -143,10 +144,12 @@ - CVE-2016-4578 [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6, e4ec8cc8039a7063e24204299b462bd1383184a5] - CVE-2016-4569 [cec8f96e49d9be372fdb0c3836dcf31ec71e457e] + - CVE-2016-7911 [8ba8682107ee2ca3347354e018865d8e1967c5f4] * Update to 4.4.18: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.18 - CVE-2016-5696 [75ff39ccc1bd5d3c455b6822ab09e533c551f758] - CVE-2016-3672 [8b8addf891de8a00e4d39fc32f93f7c5eb8feceb] + - CVE-2016-7910 [77da160530dd1dc94f6ae15a981f24e5f0021e84] -- Moritz MuehlenhoffThu, 28 Jul 2016 10:03:12 +0200 
@@ -186,6 +189,8 @@ - CVE-2016-4565 [e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3] - CVE-2016-4568 [2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab] - CVE-2016-3961 [103f6112f253017d7062cd74d17f4a514ed4485c] +- CVE-2016-7914 [8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2] +- CVE-2016-7912 [38740a5b87d53ceb89eb2c970150f6e94e00373a] Remove misc-bmp085-Enable-building-as-a-module.patch which is merged in 4.4.9 * Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address -- To view, visit https://gerrit.wikimedia.org/r/322131 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
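Review bot: The hunk at @@ -143,10 +144,12 @@ adds CVE-2016-7911 and CVE-2016-7910 to a stanza whose trailer stays at "Thu, 28 Jul 2016", so an older changelog entry is rewritten with no dated record of when the IDs were added. The commit message should name the Android bulletin (month or URL) the IDs were taken from, so that the CVE-to-commit mapping can be re-checked later against a fixed reference.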
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Assign debdeploy grains for analytics zookeeper cluster
Muehlenhoff has submitted this change and it was merged. Change subject: Assign debdeploy grains for analytics zookeeper cluster .. Assign debdeploy grains for analytics zookeeper cluster Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882 --- A hieradata/role/codfw/zookeeper/server.yaml A hieradata/role/eqiad/zookeeper/server.yaml M modules/debdeploy/templates/debdeploy.erb 3 files changed, 9 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/role/codfw/zookeeper/server.yaml b/hieradata/role/codfw/zookeeper/server.yaml new file mode 100644 index 000..b90d653 --- /dev/null +++ b/hieradata/role/codfw/zookeeper/server.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-zookeeper-codfw: +value: standard diff --git a/hieradata/role/eqiad/zookeeper/server.yaml b/hieradata/role/eqiad/zookeeper/server.yaml new file mode 100644 index 000..c4f6dc9 --- /dev/null +++ b/hieradata/role/eqiad/zookeeper/server.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-zookeeper-eqiad: +value: standard diff --git a/modules/debdeploy/templates/debdeploy.erb b/modules/debdeploy/templates/debdeploy.erb index f60b9fb..c47914b 100644 --- a/modules/debdeploy/templates/debdeploy.erb +++ b/modules/debdeploy/templates/debdeploy.erb 
@@ -156,6 +156,9 @@ redis-codfw = debdeploy-redis-codfw:standard redis-canary = debdeploy-redis-eqiad:canary redis = debdeploy-redis-eqiad:standard, debdeploy-redis-codfw:standard, debdeploy-redis-eqiad:canary +zookeeper-codfw = debdeploy-zookeeper-codfw:standard +zookeeper-eqiad = debdeploy-zookeeper-eqiad:standard +zookeeper = debdeploy-zookeeper-codfw:standard, debdeploy-zookeeper-eqiad:standard labs-nfs = debdeploy-labsnfs:standard graphite = debdeploy-graphite:standard yubiauth = debdeploy-yubiauth:standard -- To view, visit https://gerrit.wikimedia.org/r/322113 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
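Review bot: The three new server groups in the debdeploy.erb hunk reference only the :standard grain value, while the redis block directly above defines redis-canary and includes debdeploy-redis-eqiad:canary in its combined group. For a quorum-based service, consider giving one host per site the canary value and adding a zookeeper-canary group, so an update can be tried on a single ensemble member before it reaches the rest.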
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Assign debdeploy grains for analytics zookeeper cluster
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/322113 Change subject: Assign debdeploy grains for analytics zookeeper cluster .. Assign debdeploy grains for analytics zookeeper cluster Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882 --- A hieradata/role/codfw/zookeeper/server.yaml A hieradata/role/eqiad/zookeeper/server.yaml M modules/debdeploy/templates/debdeploy.erb 3 files changed, 9 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/13/322113/1 diff --git a/hieradata/role/codfw/zookeeper/server.yaml b/hieradata/role/codfw/zookeeper/server.yaml new file mode 100644 index 000..b90d653 --- /dev/null +++ b/hieradata/role/codfw/zookeeper/server.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-zookeeper-codfw: +value: standard diff --git a/hieradata/role/eqiad/zookeeper/server.yaml b/hieradata/role/eqiad/zookeeper/server.yaml new file mode 100644 index 000..c4f6dc9 --- /dev/null +++ b/hieradata/role/eqiad/zookeeper/server.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-zookeeper-eqiad: +value: standard diff --git a/modules/debdeploy/templates/debdeploy.erb b/modules/debdeploy/templates/debdeploy.erb index f60b9fb..c47914b 100644 --- a/modules/debdeploy/templates/debdeploy.erb +++ b/modules/debdeploy/templates/debdeploy.erb 
@@ -156,6 +156,9 @@ redis-codfw = debdeploy-redis-codfw:standard redis-canary = debdeploy-redis-eqiad:canary redis = debdeploy-redis-eqiad:standard, debdeploy-redis-codfw:standard, debdeploy-redis-eqiad:canary +zookeeper-codfw = debdeploy-zookeeper-codfw:standard +zookeeper-eqiad = debdeploy-zookeeper-eqiad:standard +zookeeper = debdeploy-zookeeper-codfw:standard, debdeploy-zookeeper-eqiad:standard labs-nfs = debdeploy-labsnfs:standard graphite = debdeploy-graphite:standard yubiauth = debdeploy-yubiauth:standard -- To view, visit https://gerrit.wikimedia.org/r/322113 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
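Review bot: The subject says the grains are for the analytics zookeeper cluster, but the two new hiera files sit at hieradata/role/codfw/zookeeper/server.yaml and hieradata/role/eqiad/zookeeper/server.yaml and the grain names are debdeploy-zookeeper-codfw and debdeploy-zookeeper-eqiad, with nothing analytics-specific in either. Every host that gets this role in those sites will land in these update groups; either say so in the commit message or make the names specific to the cluster that is meant.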
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Rename hiera file so that the debdeploy grain is assigned to...
Muehlenhoff has submitted this change and it was merged. Change subject: Rename hiera file so that the debdeploy grain is assigned to the new role name .. Rename hiera file so that the debdeploy grain is assigned to the new role name Labvirt nodes used to use role::nova::compute, but are now using role::labs::openstack::nova::compute, so rename the Hiera YAML file accordingly. Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1 --- R hieradata/role/common/labs/openstack/nova/compute.yaml 1 file changed, 0 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/role/common/nova/compute.yaml b/hieradata/role/common/labs/openstack/nova/compute.yaml similarity index 100% rename from hieradata/role/common/nova/compute.yaml rename to hieradata/role/common/labs/openstack/nova/compute.yaml -- To view, visit https://gerrit.wikimedia.org/r/322105 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Rename hiera file so that the debdeploy grain is assigned to...
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/322105 Change subject: Rename hiera file so that the debdeploy grain is assigned to the new role name .. Rename hiera file so that the debdeploy grain is assigned to the new role name Labvirt nodes used to use role::nova::compute, but are now using role::labs::openstack::nova::compute, so rename the Hiera YAML file accordingly. Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1 --- R hieradata/role/common/labs/openstack/nova/compute.yaml 1 file changed, 0 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/05/322105/1 diff --git a/hieradata/role/common/nova/compute.yaml b/hieradata/role/common/labs/openstack/nova/compute.yaml similarity index 100% rename from hieradata/role/common/nova/compute.yaml rename to hieradata/role/common/labs/openstack/nova/compute.yaml -- To view, visit https://gerrit.wikimedia.org/r/322105 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
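Review bot: Because this is a 100% rename with no copy left at hieradata/role/common/nova/compute.yaml, any host still applying role::nova::compute loses its debdeploy grain once this merges and would no longer be targeted by package rollouts. The commit message covers the Labvirt nodes only; please confirm no other node still uses the old role name, or keep the old file until the last user is migrated.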
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add recently assigned CVE ID to fix already merged via older...
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/322097 Change subject: Add recently assigned CVE ID to fix already merged via older 4.4.10 .. Add recently assigned CVE ID to fix already merged via older 4.4.10 Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13 --- M debian/changelog 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/97/322097/1 diff --git a/debian/changelog b/debian/changelog index 56ba20e..e075cf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -87,6 +87,7 @@ * Update to 4.4.10: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.10 - CVE-2016-4581 [5ec0811d30378ae104f250bfc9b3640242d81e3f] +- CVE-2016-7916 [8148a73c9901a8794a50f950083c00ccf97d43b3] * Update to 4.4.11: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.11 - CVE-2016-4485 [b8670c09f37bdf2847cc44f36511a53afc6161fd] -- To view, visit https://gerrit.wikimedia.org/r/322097 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add recently assigned CVE ID to fix already merged via older...
Muehlenhoff has submitted this change and it was merged. Change subject: Add recently assigned CVE ID to fix already merged via older 4.4.10 .. Add recently assigned CVE ID to fix already merged via older 4.4.10 Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13 --- M debian/changelog 1 file changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index 56ba20e..e075cf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -87,6 +87,7 @@ * Update to 4.4.10: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.10 - CVE-2016-4581 [5ec0811d30378ae104f250bfc9b3640242d81e3f] +- CVE-2016-7916 [8148a73c9901a8794a50f950083c00ccf97d43b3] * Update to 4.4.11: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.11 - CVE-2016-4485 [b8670c09f37bdf2847cc44f36511a53afc6161fd] -- To view, visit https://gerrit.wikimedia.org/r/322097 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux44 Gerrit-Branch: master Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: elasticsearch::https: Restrict to domain networks
Muehlenhoff has submitted this change and it was merged. Change subject: elasticsearch::https: Restrict to domain networks .. elasticsearch::https: Restrict to domain networks We're getting rid of $INTERNAL, since it's needlessly broad. Restrict to DOMAIN_NETWORKS, which restricts access to the production networks in production, while still allowing tests in labs. A similar change has been made for the elastic-http ferm service. Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6 --- M modules/elasticsearch/manifests/https.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Gehel: Looks good to me, but someone else must approve Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/elasticsearch/manifests/https.pp b/modules/elasticsearch/manifests/https.pp index 1de60f5..6ac9617 100644 --- a/modules/elasticsearch/manifests/https.pp +++ b/modules/elasticsearch/manifests/https.pp @@ -47,7 +47,7 @@ ensure => $ensure, proto => 'tcp', port => '9243', -srange => '$INTERNAL', +srange => '$DOMAIN_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/319875 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Gehel Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
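Review bot: The srange change on port 9243 narrows who can reach the HTTPS endpoint, and the commit message mentions a matching change for the elastic-http ferm service without giving its change number. Please reference that change here so both rules can be audited together, and confirm that every current client of 9243 sits inside DOMAIN_NETWORKS, since anything outside it will be rejected after the merge. The single quotes around '$DOMAIN_NETWORKS' are right, as the value has to reach ferm unexpanded by Puppet.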
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Drop poolcounter role from helium
Muehlenhoff has submitted this change and it was merged. Change subject: Drop poolcounter role from helium .. Drop poolcounter role from helium It is no longer an active pool counter (poolcounter100[12] are). Change-Id: I7db5c9a55a534e7c4c4d922fa757b060d6c110c3 --- M manifests/site.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Filippo Giunchedi: Looks good to me, but someone else must approve Muehlenhoff: Looks good to me, approved Alexandros Kosiaris: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/manifests/site.pp b/manifests/site.pp index 1d2079f..1edc369 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1141,7 +1141,7 @@ } node 'helium.eqiad.wmnet' { -role(poolcounter::server, backup::director, backup::storage) +role(backup::director, backup::storage) include standard interface::add_ip6_mapped { 'main': -- To view, visit https://gerrit.wikimedia.org/r/321902 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7db5c9a55a534e7c4c4d922fa757b060d6c110c3 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Filippo Giunchedi Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
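Review bot: Dropping poolcounter::server from the role() line only stops Puppet from managing the service on helium; it does not remove what the role installed, so the poolcounter package and daemon stay installed and running unless they are removed by hand. helium keeps backup::director and backup::storage, so please add a follow-up step to stop and remove the service, so the backup host is not left with an unused network listener.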
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy salt grain for labs::db::proxy
Muehlenhoff has submitted this change and it was merged. Change subject: Add debdeploy salt grain for labs::db::proxy .. Add debdeploy salt grain for labs::db::proxy Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185 --- A hieradata/role/common/labs/db/proxy.yaml 1 file changed, 3 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/role/common/labs/db/proxy.yaml b/hieradata/role/common/labs/db/proxy.yaml new file mode 100644 index 000..47802e8 --- /dev/null +++ b/hieradata/role/common/labs/db/proxy.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-labsdb: +value: standard -- To view, visit https://gerrit.wikimedia.org/r/321846 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: package_builder: Add subversion to list of installed packages
Muehlenhoff has submitted this change and it was merged. Change subject: package_builder: Add subversion to list of installed packages .. package_builder: Add subversion to list of installed packages The build of imagemagick failed to execute svnversion(1) multiple times in the source package generation stage of pdebuild (i.e. before the build dependencies are installed in the pbuilder chroot). svnversion is provided by the subversion package. Change-Id: I27adb439f4e0cf0b5cbbbc662bde0cddffc4648d --- M modules/package_builder/manifests/init.pp 1 file changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/package_builder/manifests/init.pp b/modules/package_builder/manifests/init.pp index 71e4d07..66a5e31 100644 --- a/modules/package_builder/manifests/init.pp +++ b/modules/package_builder/manifests/init.pp @@ -46,6 +46,7 @@ 'kernel-wedge', 'javahelper', 'pkg-kde-tools', +'subversion', ]) if $::operatingsystem == 'Ubuntu' { -- To view, visit https://gerrit.wikimedia.org/r/321880 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I27adb439f4e0cf0b5cbbbc662bde0cddffc4648d Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
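Review bot: The commit message says svnversion(1) "failed to execute" but not that the imagemagick build aborted, so it is unclear whether adding 'subversion' at @@ -46,6 +46,7 @@ fixes a hard failure or only silences a warning. If it is only a warning, check whether the generated source package differs with and without svnversion before installing a VCS client on the build host.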
[MediaWiki-commits] [Gerrit] operations/puppet[production]: package_builder: Add pkg-kde-tools to list of installed pack...
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/321876 Change subject: package_builder: Add pkg-kde-tools to list of installed packages .. package_builder: Add pkg-kde-tools to list of installed packages The build of imagemagick failed in the source package generation stage of pdebuild (i.e. before the build dependencies are installed in the pbuilder chroot): Build imagemagick version 8:6.8.9.9-5+deb8u5+wmf1 for quantum Q16 if test "BUG#703261" = "SOLVED"; then \ dh clean --parallel --with autoreconf --with pkgkde_symbolshelper; \ else \ dh clean --with autoreconf --with pkgkde_symbolshelper; \ fi; dh: unable to load addon pkgkde_symbolshelper: Can't locate Debian/Debhelper/Sequence/pkgkde_symbolshelper.pm in @INC (you may need to install the Debian::Debhelper::Sequence::pkgkde_symbolshelper module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl .) at (eval 12) line 2. BEGIN failed--compilation aborted at (eval 12) line 2. debian/rules:109: recipe for target 'clean' failed The debhelper addon is provided by pkg-kde-tools Change-Id: Ifba775179b9efb31b6feb130602198e0f8bd9933 --- M modules/package_builder/manifests/init.pp 1 file changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/76/321876/1 diff --git a/modules/package_builder/manifests/init.pp b/modules/package_builder/manifests/init.pp index 37ade9c..71e4d07 100644 --- a/modules/package_builder/manifests/init.pp +++ b/modules/package_builder/manifests/init.pp 
@@ -45,6 +45,7 @@ 'php5-dev', 'kernel-wedge', 'javahelper', +'pkg-kde-tools', ]) if $::operatingsystem == 'Ubuntu' { -- To view, visit https://gerrit.wikimedia.org/r/321876 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ifba775179b9efb31b6feb130602198e0f8bd9933 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
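Review bot: 'pkg-kde-tools' is added to the host-level package list to satisfy one source package's clean target (the quoted dh error for pkgkde_symbolshelper), yet nothing in the manifest records that. Add a short comment next to the entry stating that it is needed outside the pbuilder chroot for imagemagick's clean step; the list otherwise gives no hint why a KDE packaging helper is on the builder.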
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy salt grain for labs::db::proxy
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/321846 Change subject: Add debdeploy salt grain for labs::db::proxy .. Add debdeploy salt grain for labs::db::proxy Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185 --- A hieradata/role/common/labs/db/proxy.yaml 1 file changed, 3 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/46/321846/1 diff --git a/hieradata/role/common/labs/db/proxy.yaml b/hieradata/role/common/labs/db/proxy.yaml new file mode 100644 index 000..47802e8 --- /dev/null +++ b/hieradata/role/common/labs/db/proxy.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-labsdb: +value: standard -- To view, visit https://gerrit.wikimedia.org/r/321846 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
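Review bot: This change only adds hieradata/role/common/labs/db/proxy.yaml and does not touch modules/debdeploy/templates/debdeploy.erb, so the grain debdeploy-labsdb is only useful if a server group already references debdeploy-labsdb:standard. The name also suggests the proxies share a group with the labsdb database hosts; if so, say that in the commit message, because the proxies and the databases behind them would then be updated in the same run.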
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy grains for puppetdb hosts
Muehlenhoff has submitted this change and it was merged. Change subject: Add debdeploy grains for puppetdb hosts .. Add debdeploy grains for puppetdb hosts Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9 --- A hieradata/role/common/puppetmaster/puppetdb.yaml M modules/debdeploy/templates/debdeploy.erb 2 files changed, 4 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/role/common/puppetmaster/puppetdb.yaml b/hieradata/role/common/puppetmaster/puppetdb.yaml new file mode 100644 index 000..f4c7139 --- /dev/null +++ b/hieradata/role/common/puppetmaster/puppetdb.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-puppetmaster-puppetdb: +value: standard diff --git a/modules/debdeploy/templates/debdeploy.erb b/modules/debdeploy/templates/debdeploy.erb index 7f66459..f60b9fb 100644 --- a/modules/debdeploy/templates/debdeploy.erb +++ b/modules/debdeploy/templates/debdeploy.erb 
@@ -98,6 +98,7 @@ puppetmaster-backend = debdeploy-puppetmaster-backend:standard puppetmaster-frontend = debdeploy-puppetmaster-frontend:standard puppetmaster = debdeploy-puppetmaster-backend:standard, debdeploy-puppetmaster-frontend:standard +puppetdb = debdeploy-puppetmaster-puppetdb:standard snapshot = debdeploy-snapshot:standard, debdeploy-snapshot:canary snapshot-canary = debdeploy-snapshot:canary parsoid = debdeploy-parsoid-eqiad:standard, debdeploy-parsoid-codfw:standard, debdeploy-parsoid-eqiad:canary, debdeploy-parsoid-codfw:canary -- To view, visit https://gerrit.wikimedia.org/r/321659 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy grains for puppetdb hosts
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/321659 Change subject: Add debdeploy grains for puppetdb hosts .. Add debdeploy grains for puppetdb hosts Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9 --- A hieradata/role/common/puppetmaster/puppetdb.yaml M modules/debdeploy/templates/debdeploy.erb 2 files changed, 4 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/59/321659/1 diff --git a/hieradata/role/common/puppetmaster/puppetdb.yaml b/hieradata/role/common/puppetmaster/puppetdb.yaml new file mode 100644 index 000..f4c7139 --- /dev/null +++ b/hieradata/role/common/puppetmaster/puppetdb.yaml @@ -0,0 +1,3 @@ +debdeploy::grains: + debdeploy-puppetmaster-puppetdb: +value: standard diff --git a/modules/debdeploy/templates/debdeploy.erb b/modules/debdeploy/templates/debdeploy.erb index 7f66459..f60b9fb 100644 --- a/modules/debdeploy/templates/debdeploy.erb +++ b/modules/debdeploy/templates/debdeploy.erb 
@@ -98,6 +98,7 @@ puppetmaster-backend = debdeploy-puppetmaster-backend:standard puppetmaster-frontend = debdeploy-puppetmaster-frontend:standard puppetmaster = debdeploy-puppetmaster-backend:standard, debdeploy-puppetmaster-frontend:standard +puppetdb = debdeploy-puppetmaster-puppetdb:standard snapshot = debdeploy-snapshot:standard, debdeploy-snapshot:canary snapshot-canary = debdeploy-snapshot:canary parsoid = debdeploy-parsoid-eqiad:standard, debdeploy-parsoid-codfw:standard, debdeploy-parsoid-eqiad:canary, debdeploy-parsoid-codfw:canary -- To view, visit https://gerrit.wikimedia.org/r/321659 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
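Review bot: The template hunk adds a standalone puppetdb group, but the combined puppetmaster group on the line above still lists only debdeploy-puppetmaster-backend:standard and debdeploy-puppetmaster-frontend:standard. The grain is named debdeploy-puppetmaster-puppetdb and the hiera file lives under role/common/puppetmaster/, so readers will expect a rollout to puppetmaster to reach the puppetdb hosts too; either add the new grain to that group or note in the commit message that the omission is deliberate.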
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.32
Muehlenhoff has submitted this change and it was merged. Change subject: Update to 4.4.32 .. Update to 4.4.32 Change-Id: Ic4221758647cf45e5a24f3d75a4455a965370afb --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.32.patch M debian/patches/series 3 files changed, 1,387 insertions(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index e37446f..56ba20e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,8 +11,11 @@ - Drop 1d79b67c4a8a98247407dc245ba7cad2692da3c2, which is only needed for recent GGC releases and clashes with Debian-specific patches + * Update to 4.4.32: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 +- CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd] - -- Moritz MuehlenhoffFri, 11 Nov 2016 15:57:32 +0100 + -- Moritz Muehlenhoff Tue, 15 Nov 2016 14:42:40 +0100 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium diff --git a/debian/patches/bugfix/all/stable-4.4.32.patch b/debian/patches/bugfix/all/stable-4.4.32.patch new file mode 100644 index 000..7b16c50 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.32.patch 
@@ -0,0 +1,1382 @@ +diff --git a/Makefile b/Makefile +index 7c6f28e7a2f6..fba9b09a1330 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 31 ++SUBLEVEL = 32 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +index bbe56871245c..4298aeb1e20f 100644 +--- a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +@@ -822,7 +822,7 @@ static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu *vcpu, + bool user; + + /* No need to flush for entries which are already invalid */ +- if (!((tlb->tlb_lo[0] | tlb->tlb_lo[1]) & ENTRYLO_V)) ++ if (!((tlb->tlb_lo0 | tlb->tlb_lo1) & MIPS3_PG_V)) + return; + /* User address space doesn't need flushing for KSeg2/3 changes */ + user = tlb->tlb_hi < KVM_GUEST_KSEG0; +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +index 21aacc1f45c1..7f85c2c1d681 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +@@ -265,15 +265,27 @@ static int amdgpu_atombios_dp_get_dp_link_config(struct drm_connector *connector + unsigned max_lane_num = drm_dp_max_lane_count(dpcd); + unsigned lane_num, i, max_pix_clock; + +- for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { +- for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= max_link_rate; i++) { +- max_pix_clock = (lane_num * link_rates[i] * 8) / bpp; ++ if (amdgpu_connector_encoder_get_dp_bridge_encoder_id(connector) == ++ ENCODER_OBJECT_ID_NUTMEG) { ++ for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { ++ max_pix_clock = (lane_num * 27 * 8) / bpp; + if (max_pix_clock >= pix_clock) { + *dp_lanes = lane_num; +- *dp_rate = link_rates[i]; ++ *dp_rate = 27; + return 0; + } + } ++ } else { ++ for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= max_link_rate; i++) { ++ for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { ++ max_pix_clock = (lane_num * link_rates[i] * 8) / bpp; 
++ if (max_pix_clock >= pix_clock) { ++ *dp_lanes = lane_num; ++ *dp_rate = link_rates[i]; ++ return 0; ++ } ++ } ++ } + } + + return -EINVAL; +diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c +index 44ee72e04df9..b5760851195c 100644 +--- a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c +@@ -315,15 +315,27 @@ int radeon_dp_get_dp_link_config(struct drm_connector *connector, + unsigned max_lane_num = drm_dp_max_lane_count(dpcd); + unsigned lane_num, i, max_pix_clock; + +- for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { +- for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= max_link_rate; i++) { +- max_pix_clock = (lane_num * link_rates[i] * 8) / bpp; ++ if (radeon_connector_encoder_get_dp_bridge_encoder_id(connector) == ++ ENCODER_OBJECT_ID_NUTMEG) { ++ for (lane_num = 1; lane_num <= max_lane_num;
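Review bot: In the debian/changelog hunk the new entry is headed "Update to 4.4.32" but the URL on the next line is ChangeLog-4.4.31; it should point at ChangeLog-4.4.32 so the CVE-2016-7039 reference can be checked against the right upstream changelog. The context line above also reads "recent GGC releases", presumably GCC, which could be fixed while the stanza is being touched.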
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.32
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/321653 Change subject: Update to 4.4.32 .. Update to 4.4.32 Change-Id: Ic4221758647cf45e5a24f3d75a4455a965370afb --- M debian/changelog A debian/patches/bugfix/all/stable-4.4.32.patch M debian/patches/series 3 files changed, 1,387 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 refs/changes/53/321653/1 diff --git a/debian/changelog b/debian/changelog index e37446f..56ba20e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,8 +11,11 @@ - Drop 1d79b67c4a8a98247407dc245ba7cad2692da3c2, which is only needed for recent GGC releases and clashes with Debian-specific patches + * Update to 4.4.32: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 +- CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd] - -- Moritz MuehlenhoffFri, 11 Nov 2016 15:57:32 +0100 + -- Moritz Muehlenhoff Tue, 15 Nov 2016 14:42:40 +0100 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium diff --git a/debian/patches/bugfix/all/stable-4.4.32.patch b/debian/patches/bugfix/all/stable-4.4.32.patch new file mode 100644 index 000..7b16c50 --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.32.patch 
@@ -0,0 +1,1382 @@ +diff --git a/Makefile b/Makefile +index 7c6f28e7a2f6..fba9b09a1330 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 31 ++SUBLEVEL = 32 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +index bbe56871245c..4298aeb1e20f 100644 +--- a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c +@@ -822,7 +822,7 @@ static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu *vcpu, + bool user; + + /* No need to flush for entries which are already invalid */ +- if (!((tlb->tlb_lo[0] | tlb->tlb_lo[1]) & ENTRYLO_V)) ++ if (!((tlb->tlb_lo0 | tlb->tlb_lo1) & MIPS3_PG_V)) + return; + /* User address space doesn't need flushing for KSeg2/3 changes */ + user = tlb->tlb_hi < KVM_GUEST_KSEG0; +diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +index 21aacc1f45c1..7f85c2c1d681 100644 +--- a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c +@@ -265,15 +265,27 @@ static int amdgpu_atombios_dp_get_dp_link_config(struct drm_connector *connector + unsigned max_lane_num = drm_dp_max_lane_count(dpcd); + unsigned lane_num, i, max_pix_clock; + +- for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { +- for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= max_link_rate; i++) { +- max_pix_clock = (lane_num * link_rates[i] * 8) / bpp; ++ if (amdgpu_connector_encoder_get_dp_bridge_encoder_id(connector) == ++ ENCODER_OBJECT_ID_NUTMEG) { ++ for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { ++ max_pix_clock = (lane_num * 27 * 8) / bpp; + if (max_pix_clock >= pix_clock) { + *dp_lanes = lane_num; +- *dp_rate = link_rates[i]; ++ *dp_rate = 27; + return 0; + } + } ++ } else { ++ for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= max_link_rate; i++) { ++ for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { ++ max_pix_clock = (lane_num * link_rates[i] * 8) / bpp; 
++ if (max_pix_clock >= pix_clock) { ++ *dp_lanes = lane_num; ++ *dp_rate = link_rates[i]; ++ return 0; ++ } ++ } ++ } + } + + return -EINVAL; +diff --git a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c +index 44ee72e04df9..b5760851195c 100644 +--- a/drivers/gpu/drm/radeon/atombios_dp.c b/drivers/gpu/drm/radeon/atombios_dp.c +@@ -315,15 +315,27 @@ int radeon_dp_get_dp_link_config(struct drm_connector *connector, + unsigned max_lane_num = drm_dp_max_lane_count(dpcd); + unsigned lane_num, i, max_pix_clock; + +- for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) { +- for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= max_link_rate; i++) { +- max_pix_clock = (lane_num * link_rates[i] * 8) / bpp; ++ if (radeon_connector_encoder_get_dp_bridge_encoder_id(connector) == ++ ENCODER_OBJECT_ID_NUTMEG) { ++ for
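Review bot: In the debian/changelog hunk, the new "Update to 4.4.32" entry links to ChangeLog-4.4.31, which looks like a copy of the URL from the previous entry. It should point at the 4.4.32 changelog so the CVE-2016-7039 reference can be checked against the right release notes. The hunk also appends to the existing stanza and only changes its sign-off date, so confirm that the earlier build of this version was never uploaded; if it was, the update needs its own version stanza.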
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Use different host as canary host for debdeploy
Muehlenhoff has submitted this change and it was merged. Change subject: Use different host as canary host for debdeploy .. Use different host as canary host for debdeploy mw1001 was decommed quite a while ago, use mw1161 instead. Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461 --- R hieradata/hosts/mw1161.yaml 1 file changed, 0 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/hosts/mw1001.yaml b/hieradata/hosts/mw1161.yaml similarity index 100% rename from hieradata/hosts/mw1001.yaml rename to hieradata/hosts/mw1161.yaml -- To view, visit https://gerrit.wikimedia.org/r/321627 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Use different host as canary host for debdeploy
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/321627 Change subject: Use different host as canary host for debdeploy .. Use different host as canary host for debdeploy mw1001 was decommed quite a while ago, use mw1161 instead. Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461 --- R hieradata/hosts/mw1161.yaml 1 file changed, 0 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/27/321627/1 diff --git a/hieradata/hosts/mw1001.yaml b/hieradata/hosts/mw1161.yaml similarity index 100% rename from hieradata/hosts/mw1001.yaml rename to hieradata/hosts/mw1161.yaml -- To view, visit https://gerrit.wikimedia.org/r/321627 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Check whether ferm has been correctly started
Muehlenhoff has submitted this change and it was merged. Change subject: Check whether ferm has been correctly started .. Check whether ferm has been correctly started There have been a few cases where ferm failed to start on some hosts since it could not resolve a DNS name used in one of its rules. Provide an Icinga check which checks whether the input policy is configured to DROP (which is set up by ferm, so if it's not present ferm has either been stopped or wasn't started at all). Bug: T148986 Change-Id: I576e7373a1e9c2d9f7b441b6d03ac6d8bbb40866 --- A modules/base/files/firewall/check_ferm M modules/base/manifests/firewall.pp 2 files changed, 39 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved Faidon Liambotis: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/modules/base/files/firewall/check_ferm b/modules/base/files/firewall/check_ferm new file mode 100644 index 000..7296fab --- /dev/null +++ b/modules/base/files/firewall/check_ferm @@ -0,0 +1,17 @@ +#!/bin/bash +# This plugin tests whether ferm has been started on a host by querying +# the policy for the INPUT chain + +if [ ! -x /sbin/iptables ]; then +echo "WARNING iptables not installed" +exit 1 +fi + +input_policy=$(iptables -nL INPUT | sed -nr 's/^Chain INPUT \(policy (.*)\)$/\1/p') +if [ $input_policy = "DROP" ]; then +echo "OK ferm input default policy is set" +exit 0 +else +echo "ERROR ferm input drop default policy not set, ferm might not have been started correctly" +exit 2 +fi diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp index 680b3ba..69b5b5e 100644 --- a/modules/base/manifests/firewall.pp +++ b/modules/base/manifests/firewall.pp
@@ -59,4 +59,26 @@ require => File['/usr/lib/nagios/plugins/check_conntrack'], contact_group => 'admins', } + +sudo::user { 'nagios_check_ferm': +ensure => 'present', +user => 'nagios', +privileges => [ 'ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ferm' ], +require=> File['/usr/lib/nagios/plugins/check_ferm'], +} + +file { '/usr/lib/nagios/plugins/check_ferm': +source => 'puppet:///modules/base/firewall/check_ferm', +owner => 'root', +group => 'root', +mode => '0555', +} + +nrpe::monitor_service { 'ferm_active': +ensure=> 'present', +description => 'Check whether ferm is active by checking the default input chain', +nrpe_command => '/usr/bin/sudo /usr/lib/nagios/plugins/check_ferm', +require => [File['/usr/lib/nagios/plugins/check_ferm'], Sudo::User['nagios_check_ferm']], +contact_group => 'admins', +} } -- To view, visit https://gerrit.wikimedia.org/r/318527 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I576e7373a1e9c2d9f7b441b6d03ac6d8bbb40866 Gerrit-PatchSet: 9 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Alexandros Kosiaris Gerrit-Reviewer: Faidon Liambotis Gerrit-Reviewer: Gehel Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
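Review bot: In modules/base/files/firewall/check_ferm, the test `[ $input_policy = "DROP" ]` leaves `$input_policy` unquoted, so when the sed expression matches nothing (iptables failed or printed an unexpected header) the test itself errors out and the script reaches the `exit 2` branch only by accident, with a shell error on stderr. Quote the variable, and call `/sbin/iptables` by the same absolute path the `-x` check uses, since the nrpe_command runs this plugin as root through sudo.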
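Review bot: In the modules/base/manifests/firewall.pp hunk, the `sudo::user` privilege `'ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ferm'` permits the nagios user to pass arbitrary arguments to a script that runs as root. The script ignores arguments today, but the rule would be tighter with `""` appended after the command path, which makes sudo reject any invocation with arguments and matches the argument-free `nrpe_command`.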
[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.31
Muehlenhoff has submitted this change and it was merged. Change subject: Update to 4.4.31 .. Update to 4.4.31 Change-Id: I712b74c843ab9e7bbcb346899d9510e14d67e007 --- M debian/changelog D debian/patches/bugfix/all/CVE-2016-7042.patch A debian/patches/bugfix/all/stable-4.4.31.patch M debian/patches/series 4 files changed, 1,725 insertions(+), 59 deletions(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/changelog b/debian/changelog index b2caccc..e37446f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +linux (4.4.2-3+wmf8) jessie-wikimedia; urgency=medium + + * Update to 4.4.31: +https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31 +- CVE-2016-7042 [03dab869b7b239c4e013ec82aea22e181e441cfc] + (drop previously locally applied CVE-2016-7042.patch) +- CVE-2016-8630 [d9092f52d7e61dd1557f2db2400ddb430e85937e] +- CVE-2016-8633 [667121ace9dbafb368618dbabcf07901c962ddac] +- CVE-2016-9178 [different fix upstream, in stable as + dc1555e670c373bfa4ca2e1e2f839d5fe2b4501a] +- Drop 1d79b67c4a8a98247407dc245ba7cad2692da3c2, which is + only needed for recent GGC releases and clashes with + Debian-specific patches + + -- Moritz MuehlenhoffFri, 11 Nov 2016 15:57:32 +0100 + linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium * Bump the kernel ABI to 3 (caused by posix ACL changes in 4.4.29) diff --git a/debian/patches/bugfix/all/CVE-2016-7042.patch b/debian/patches/bugfix/all/CVE-2016-7042.patch deleted file mode 100644 index 5257ea9..000 --- a/debian/patches/bugfix/all/CVE-2016-7042.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -KEYS: Fix short sprintf buffer in /proc/keys show function - -Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector -is turned on, this can cause a panic due to stack corruption. - -The problem is that xbuf[] is not big enough to hold a 64-bit timeout -rendered as weeks: - - (gdb) p 0xULL/(60*60*24*7) - $2 = 30500568904943 - -That's 14 chars plus NUL, not 11 chars plus NUL. - -Expand the buffer to 16 chars. - -I think the unpatched code apparently works if the stack-protector is not -enabled because on a 32-bit machine the buffer won't be overflowed and on a -64-bit machine there's a 64-bit aligned pointer at one side and an int that -isn't checked again on the other side. - -The panic incurred looks something like: - -Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 81352ebe -CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 -Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 - 0086 fbbd2679 8800a044bc00 813d941f - 81a28d58 8800a044bc98 8800a044bc88 811b2cb6 - 8810 8800a044bc98 8800a044bc30 fbbd2679 -Call Trace: - [] dump_stack+0x63/0x84 - [] panic+0xde/0x22a - [] ? proc_keys_show+0x3ce/0x3d0 - [] __stack_chk_fail+0x19/0x30 - [] proc_keys_show+0x3ce/0x3d0 - [] ? key_validate+0x50/0x50 - [] ? key_default_cmp+0x20/0x20 - [] seq_read+0x2cc/0x390 - [] proc_reg_read+0x42/0x70 - [] __vfs_read+0x37/0x150 - [] ? security_file_permission+0xa0/0xc0 - [] vfs_read+0x96/0x130 - [] SyS_read+0x55/0xc0 - [] entry_SYSCALL_64_fastpath+0x1a/0xa4 - -Reported-by: Ondrej Kozina -Signed-off-by: David Howells -Tested-by: Ondrej Kozina a/security/keys/proc.c -+++ a/security/keys/proc.c -@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v) - struct timespec now; - unsigned long timo; - key_ref_t key_ref, skey_ref; -- char xbuf[12]; -+ char xbuf[16]; - int rc; - - struct keyring_search_context ctx = { 
diff --git a/debian/patches/bugfix/all/stable-4.4.31.patch b/debian/patches/bugfix/all/stable-4.4.31.patch new file mode 100644 index 000..2c6363f --- /dev/null +++ b/debian/patches/bugfix/all/stable-4.4.31.patch @@ -0,0 +1,1708 @@ +diff --git a/Makefile b/Makefile +index 98239d56924c..7c6f28e7a2f6 100644 +--- a/Makefile b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 4 +-SUBLEVEL = 30 ++SUBLEVEL = 31 + EXTRAVERSION = + NAME = Blurry Fish Butt + +diff --git a/arch/arm/include/asm/floppy.h b/arch/arm/include/asm/floppy.h +index f4882553fbb0..85a34cc8316a 100644 +--- a/arch/arm/include/asm/floppy.h b/arch/arm/include/asm/floppy.h +@@ -17,7 +17,7 @@ + + #define fd_outb(val,port) \ + do {\ +- if ((port) == FD_DOR) \ ++ if ((port) == (u32)FD_DOR) \ +
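Review bot: In the debian/changelog hunk, "only needed for recent GGC releases" is a typo for GCC. The same entry says 1d79b67c4a8a98247407dc245ba7cad2692da3c2 is dropped but not how (edited out of stable-4.4.31.patch or reverted by a separate patch); stating that in the changelog would let the next stable update repeat the step, since the visible part of the diff does not show it.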
[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Cope with new libssl1.1 symbols introduced in 1.1.0c
Muehlenhoff has submitted this change and it was merged. Change subject: Cope with new libssl1.1 symbols introduced in 1.1.0c .. Cope with new libssl1.1 symbols introduced in 1.1.0c Otherwise the build fails since new symbols are available: dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4 dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below dpkg-gensymbols: warning: debian/libssl1.1/DEBIAN/symbols doesn't match completely debian/libssl1.1.symbols --- debian/libssl1.1.symbols (libssl1.1_1.1.0c-1+wmf1_amd64) +++ dpkg-gensymbols40IYit 2016-11-10 18:06:04.270220379 + @@ -1,5 +1,8 @@ libcrypto.so.1.1 libssl1.1 #MINVER# + DSO_dsobyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1 + DSO_pathbyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1 (symver|optional)OPENSSL_1_1_0 1.1.0 (symver|optional)OPENSSL_1_1_0a 1.1.0a + OPENSSL_1_1_0c@OPENSSL_1_1_0c 1.1.0c-1+wmf1 libssl.so.1.1 libssl1.1 #MINVER# (symver|optional)OPENSSL_1_1_0 1.1.0 debian/rules:139: recipe for target 'binary-arch' failed make: *** [binary-arch] Error 2 Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5 --- M debian/changelog M debian/libssl1.1.symbols 2 files changed, 2 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Verified; Looks good to me, approved diff --git a/debian/changelog b/debian/changelog index d1ff8cd..00dce1a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ * Drop no-rpath.patch, merged in 1.1.0c in https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72 * Refresh debian/d2i-tests.tar + * Cope with new libssl1.1 symbols introduced in 1.1.0c -- Moritz MuehlenhoffThu, 10 Nov 2016 16:42:36 +0100 diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols index f86fd6c..237c473 100644 --- a/debian/libssl1.1.symbols +++ b/debian/libssl1.1.symbols 
@@ -1,5 +1,6 @@ libcrypto.so.1.1 libssl1.1 #MINVER# *@OPENSSL_1_1_0 1.1.0 *@OPENSSL_1_1_0a 1.1.0a + *@OPENSSL_1_1_0c 1.1.0c libssl.so.1.1 libssl1.1 #MINVER# *@OPENSSL_1_1_0 1.1.0 -- To view, visit https://gerrit.wikimedia.org/r/320814 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/openssl11 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Cope with new libssl1.1 symbols introduced in 1.1.0c
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320814 Change subject: Cope with new libssl1.1 symbols introduced in 1.1.0c .. Cope with new libssl1.1 symbols introduced in 1.1.0c Otherwise the build fails since new symbols are available: dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4 dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see diff output below dpkg-gensymbols: warning: debian/libssl1.1/DEBIAN/symbols doesn't match completely debian/libssl1.1.symbols --- debian/libssl1.1.symbols (libssl1.1_1.1.0c-1+wmf1_amd64) +++ dpkg-gensymbols40IYit 2016-11-10 18:06:04.270220379 + @@ -1,5 +1,8 @@ libcrypto.so.1.1 libssl1.1 #MINVER# + DSO_dsobyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1 + DSO_pathbyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1 (symver|optional)OPENSSL_1_1_0 1.1.0 (symver|optional)OPENSSL_1_1_0a 1.1.0a + OPENSSL_1_1_0c@OPENSSL_1_1_0c 1.1.0c-1+wmf1 libssl.so.1.1 libssl1.1 #MINVER# (symver|optional)OPENSSL_1_1_0 1.1.0 debian/rules:139: recipe for target 'binary-arch' failed make: *** [binary-arch] Error 2 Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5 --- M debian/changelog M debian/libssl1.1.symbols 2 files changed, 2 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl11 refs/changes/14/320814/1 diff --git a/debian/changelog b/debian/changelog index d1ff8cd..00dce1a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,7 @@ * Drop no-rpath.patch, merged in 1.1.0c in https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72 * Refresh debian/d2i-tests.tar + * Cope with new libssl1.1 symbols introduced in 1.1.0c -- Moritz MuehlenhoffThu, 10 Nov 2016 16:42:36 +0100 diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols index f86fd6c..237c473 100644 --- a/debian/libssl1.1.symbols +++ b/debian/libssl1.1.symbols 
@@ -1,5 +1,6 @@ libcrypto.so.1.1 libssl1.1 #MINVER# *@OPENSSL_1_1_0 1.1.0 *@OPENSSL_1_1_0a 1.1.0a + *@OPENSSL_1_1_0c 1.1.0c libssl.so.1.1 libssl1.1 #MINVER# *@OPENSSL_1_1_0 1.1.0 -- To view, visit https://gerrit.wikimedia.org/r/320814 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/openssl11 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Fix build failure by updating d2i-tests.tar
Muehlenhoff has submitted this change and it was merged. Change subject: Fix build failure by updating d2i-tests.tar .. Fix build failure by updating d2i-tests.tar The openssl build and when investigating the error I realised that there's a d2i-tests.tar in the debian directory, which replaces the tests/d2i-tests during build time. This might be a historic leftover, I don't know why that's done... This patch refreshes the tarball with the new bad-cms.der test file, which was added to test CVE-2016-7053 Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98 --- M debian/changelog M debian/d2i-tests.tar 2 files changed, 1 insertion(+), 0 deletions(-) Approvals: Muehlenhoff: Verified; Looks good to me, approved diff --git a/debian/changelog b/debian/changelog index 82880eb..d1ff8cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,7 @@ https://git.openssl.org/?p=openssl.git;a=commit;h=0f6c9d73cb1e1027c67d993a669719e351c25cfc * Drop no-rpath.patch, merged in 1.1.0c in https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72 + * Refresh debian/d2i-tests.tar -- Moritz MuehlenhoffThu, 10 Nov 2016 16:42:36 +0100 diff --git a/debian/d2i-tests.tar b/debian/d2i-tests.tar index df9c514..034bb32 100644 --- a/debian/d2i-tests.tar +++ b/debian/d2i-tests.tar Binary files differ -- To view, visit https://gerrit.wikimedia.org/r/320808 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/openssl11 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Fix build failure by updating d2i-tests.tar
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320808 Change subject: Fix build failure by updating d2i-tests.tar .. Fix build failure by updating d2i-tests.tar The openssl build and when investigating the error I realised that there's a d2i-tests.tar in the debian directory, which replaces the tests/d2i-tests during build time. This might be a historic leftover, I don't know why that's done... This patch refreshes the tarball with the new bad-cms.der test file, which was added to test CVE-2016-7053 Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98 --- M debian/changelog M debian/d2i-tests.tar 2 files changed, 1 insertion(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl11 refs/changes/08/320808/1 diff --git a/debian/changelog b/debian/changelog index 82880eb..d1ff8cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,7 @@ https://git.openssl.org/?p=openssl.git;a=commit;h=0f6c9d73cb1e1027c67d993a669719e351c25cfc * Drop no-rpath.patch, merged in 1.1.0c in https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72 + * Refresh debian/d2i-tests.tar -- Moritz MuehlenhoffThu, 10 Nov 2016 16:42:36 +0100 diff --git a/debian/d2i-tests.tar b/debian/d2i-tests.tar index df9c514..034bb32 100644 --- a/debian/d2i-tests.tar +++ b/debian/d2i-tests.tar Binary files differ -- To view, visit https://gerrit.wikimedia.org/r/320808 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/openssl11 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
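Review bot: The debian/d2i-tests.tar change is an opaque binary diff ("Binary files differ"), so nothing in this review shows that the only difference is the added bad-cms.der. Record in the changelog entry how the tarball was regenerated and from which upstream tree, ideally with a checksum, or settle the open question from the commit message and use the upstream tests/d2i-tests directly instead of replacing them at build time.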
[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Update to 1.1.0c and drop two merged patches
Muehlenhoff has submitted this change and it was merged. Change subject: Update to 1.1.0c and drop two merged patches .. Update to 1.1.0c and drop two merged patches Change-Id: Iff74c299e35ef36b3727e4b5f9961053f18a5d77 --- M debian/changelog D debian/patches/fix-read-ahead.patch D debian/patches/no-rpath.patch M debian/patches/series 4 files changed, 13 insertions(+), 87 deletions(-) Approvals: Muehlenhoff: Verified; Looks good to me, approved diff --git a/debian/changelog b/debian/changelog index 21a23af..82880eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +openssl (1.1.0c-1+wmf1) jessie-wikimedia; urgency=medium + + * New upstream release +- Fix CVE-2016-7054 +- Fix CVE-2016-7053 +- Fix CVE-2016-7055 + * Drop fix-read-ahead.patch, merged in 1.1.0c in + https://git.openssl.org/?p=openssl.git;a=commit;h=0f6c9d73cb1e1027c67d993a669719e351c25cfc + * Drop no-rpath.patch, merged in 1.1.0c in + https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72 + + -- Moritz MuehlenhoffThu, 10 Nov 2016 16:42:36 +0100 + openssl (1.1.0b-1+wmf2) jessie-wikimedia; urgency=medium * Cherrypick 0f6c9d73cb1e1027c67d993a669719e351c25cfc from the diff --git a/debian/patches/fix-read-ahead.patch b/debian/patches/fix-read-ahead.patch deleted file mode 100644 index 436bd0a..000 --- a/debian/patches/fix-read-ahead.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 0f6c9d73cb1e1027c67d993a669719e351c25cfc Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 2 Nov 2016 10:34:12 + -Subject: [PATCH] Fix read_ahead - -The function ssl3_read_n() takes a parameter |clearold| which, if set, -causes any old data in the read buffer to be forgotten, and any unread data -to be moved to the start of the buffer. This is supposed to happen when we -first read the record header. - -However, the data move was only taking place if there was not already -sufficient data in the buffer to satisfy the request. If read_ahead is set -then the record header could be in the buffer already from when we read the -preceding record. So with read_ahead we can get into a situation where even -though |clearold| is set, the data does not get moved to the start of the -read buffer when we read the record header. This means there is insufficient -room in the read buffer to consume the rest of the record body, resulting in -an internal error. - -This commit moves the |clearold| processing to earlier in ssl3_read_n() -to ensure that it always takes place. - -Reviewed-by: Richard Levitte -(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7) - ssl/record/rec_layer_s3.c | 24 - 1 file changed, 12 insertions(+), 12 deletions(-) - -diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c -index 9c8c23c..4535f89 100644 a/ssl/record/rec_layer_s3.c -+++ b/ssl/record/rec_layer_s3.c -@@ -241,6 +241,18 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) - /* ... 
now we can act as if 'extend' was set */ - } - -+len = s->rlayer.packet_length; -+pkt = rb->buf + align; -+/* -+ * Move any available bytes to front of buffer: 'len' bytes already -+ * pointed to by 'packet', 'left' extra ones at the end -+ */ -+if (s->rlayer.packet != pkt && clearold == 1) { -+memmove(pkt, s->rlayer.packet, len + left); -+s->rlayer.packet = pkt; -+rb->offset = len + align; -+} -+ - /* - * For DTLS/UDP reads should not span multiple packets because the read - * operation returns the whole packet at once (as long as it fits into -@@ -263,18 +275,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) - - /* else we need to read more data */ - --len = s->rlayer.packet_length; --pkt = rb->buf + align; --/* -- * Move any available bytes to front of buffer: 'len' bytes already -- * pointed to by 'packet', 'left' extra ones at the end -- */ --if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */ --memmove(pkt, s->rlayer.packet, len + left); --s->rlayer.packet = pkt; --rb->offset = len + align; --} -- - if (n > (int)(rb->len - rb->offset)) { /* does not happen */ - SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR); - return -1; diff --git a/debian/patches/no-rpath.patch b/debian/patches/no-rpath.patch deleted file mode 100644 index 4b30b1a..000 --- a/debian/patches/no-rpath.patch +++ /dev/null @@ -1,15 +0,0 @@ - Makefile.shared |2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - a/Makefile.shared -+++ b/Makefile.shared -@@ -176,7 +176,7 @@ DO_GNU_SO=\ - ALLSYMSFLAGS='-Wl,--whole-archive'; \ - NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - $(DO_GNU_SO_COMMON)
[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Update to 1.1.0c and drop merged fix-read-ahead.patch
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320789 Change subject: Update to 1.1.0c and drop merged fix-read-ahead.patch .. Update to 1.1.0c and drop merged fix-read-ahead.patch Change-Id: Iff74c299e35ef36b3727e4b5f9961053f18a5d77 --- M debian/changelog D debian/patches/fix-read-ahead.patch M debian/patches/series 3 files changed, 10 insertions(+), 71 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl11 refs/changes/89/320789/1 diff --git a/debian/changelog b/debian/changelog index 21a23af..603c1b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +openssl (1.1.0c-1+wmf1) jessie-wikimedia; urgency=medium + + * New upstream release +- Fix CVE-2016-7054 +- Fix CVE-2016-7053 +- Fix CVE-2016-7055 + * Drop fix-read-ahead.patch, merged in 1.1.0c + + -- Moritz MuehlenhoffThu, 10 Nov 2016 16:42:36 +0100 + openssl (1.1.0b-1+wmf2) jessie-wikimedia; urgency=medium * Cherrypick 0f6c9d73cb1e1027c67d993a669719e351c25cfc from the diff --git a/debian/patches/fix-read-ahead.patch b/debian/patches/fix-read-ahead.patch deleted file mode 100644 index 436bd0a..000 --- a/debian/patches/fix-read-ahead.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 0f6c9d73cb1e1027c67d993a669719e351c25cfc Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 2 Nov 2016 10:34:12 + -Subject: [PATCH] Fix read_ahead - -The function ssl3_read_n() takes a parameter |clearold| which, if set, -causes any old data in the read buffer to be forgotten, and any unread data -to be moved to the start of the buffer. This is supposed to happen when we -first read the record header. - -However, the data move was only taking place if there was not already -sufficient data in the buffer to satisfy the request. If read_ahead is set -then the record header could be in the buffer already from when we read the -preceding record. So with read_ahead we can get into a situation where even -though |clearold| is set, the data does not get moved to the start of the -read buffer when we read the record header. This means there is insufficient -room in the read buffer to consume the rest of the record body, resulting in -an internal error. - -This commit moves the |clearold| processing to earlier in ssl3_read_n() -to ensure that it always takes place. - -Reviewed-by: Richard Levitte -(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7) - ssl/record/rec_layer_s3.c | 24 - 1 file changed, 12 insertions(+), 12 deletions(-) - -diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c -index 9c8c23c..4535f89 100644 a/ssl/record/rec_layer_s3.c -+++ b/ssl/record/rec_layer_s3.c -@@ -241,6 +241,18 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) - /* ... 
now we can act as if 'extend' was set */ - } - -+len = s->rlayer.packet_length; -+pkt = rb->buf + align; -+/* -+ * Move any available bytes to front of buffer: 'len' bytes already -+ * pointed to by 'packet', 'left' extra ones at the end -+ */ -+if (s->rlayer.packet != pkt && clearold == 1) { -+memmove(pkt, s->rlayer.packet, len + left); -+s->rlayer.packet = pkt; -+rb->offset = len + align; -+} -+ - /* - * For DTLS/UDP reads should not span multiple packets because the read - * operation returns the whole packet at once (as long as it fits into -@@ -263,18 +275,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold) - - /* else we need to read more data */ - --len = s->rlayer.packet_length; --pkt = rb->buf + align; --/* -- * Move any available bytes to front of buffer: 'len' bytes already -- * pointed to by 'packet', 'left' extra ones at the end -- */ --if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */ --memmove(pkt, s->rlayer.packet, len + left); --s->rlayer.packet = pkt; --rb->offset = len + align; --} -- - if (n > (int)(rb->len - rb->offset)) { /* does not happen */ - SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR); - return -1; diff --git a/debian/patches/series b/debian/patches/series index 145ae81..5b5a83d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,4 +5,3 @@ pic.patch c_rehash-compat.patch #padlock_conf.patch -fix-read-ahead.patch -- To view, visit https://gerrit.wikimedia.org/r/320789 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Iff74c299e35ef36b3727e4b5f9961053f18a5d77 Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/openssl11 Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Disable connection tracking for kafka broker
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320758 Change subject: Disable connection tracking for kafka broker .. Disable connection tracking for kafka broker During several traffic peaks we've run into exhausting the connection tracking table in the past and rather than bumping the size further, let's disable connection tracking as we already do for other high volume services. Change-Id: If26b300e0cae4d8adf26b1516d18a80d08b4f3de --- M modules/role/manifests/kafka/main/broker.pp 1 file changed, 4 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/58/320758/1 diff --git a/modules/role/manifests/kafka/main/broker.pp b/modules/role/manifests/kafka/main/broker.pp index 02ca720..a2d940e 100644 --- a/modules/role/manifests/kafka/main/broker.pp +++ b/modules/role/manifests/kafka/main/broker.pp @@ -65,11 +65,12 @@ # firewall Kafka Broker. ferm::service { 'kafka-broker': -proto => 'tcp', +proto => 'tcp', # TODO: $::confluent::kafka::broker::port doesn't # seem to work as expected. Hardcoding this for now. -port => 9092, -srange => '$PRODUCTION_NETWORKS', +port=> 9092, +notrack => true, +srange => '$PRODUCTION_NETWORKS', } -- To view, visit https://gerrit.wikimedia.org/r/320758 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If26b300e0cae4d8adf26b1516d18a80d08b4f3de Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
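Review bot: The added `notrack => true` line in the `ferm::service { 'kafka-broker': }` block carries no comment, and the reason for it (conntrack table exhaustion during traffic peaks) lives only in the commit message; add a short comment next to it so the setting is not later removed as unexplained. Untracked packets no longer match state-based accept rules, so the change description should also say how reply traffic for port 9092 is accepted, which this hunk does not show.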
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Restrict access to Hive server
Muehlenhoff has submitted this change and it was merged. Change subject: Restrict access to Hive server .. Restrict access to Hive server We're getting rid of $INTERNAL, since it's needlessly broad. The Hive server is accessed from stat100[24] and Spark masters, so restrict access analytics networks. Change-Id: I09b03524d927962491349448ef6a3128a8144a42 --- M modules/role/manifests/analytics_cluster/hive/server.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Ottomata: Looks good to me, but someone else must approve Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/role/manifests/analytics_cluster/hive/server.pp b/modules/role/manifests/analytics_cluster/hive/server.pp index 2894ccc..48f9a5c 100644 --- a/modules/role/manifests/analytics_cluster/hive/server.pp +++ b/modules/role/manifests/analytics_cluster/hive/server.pp @@ -13,7 +13,7 @@ ferm::service{ 'hive_server': proto => 'tcp', port => '1', -srange => '$INTERNAL', +srange => '$ANALYTICS_NETWORKS', } # Include icinga alerts if production realm. -- To view, visit https://gerrit.wikimedia.org/r/320574 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I09b03524d927962491349448ef6a3128a8144a42 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Elukey Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: Ottomata Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
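Review bot: the new `srange => '$ANALYTICS_NETWORKS'` in 'hive_server' carries no comment naming the clients it is meant to cover. The commit message lists stat100[24] and the Spark masters; put that in a comment or a `desc` on the resource so a later audit can tell whether the whole analytics range is still needed.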
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Configure connection tracking sysctl settings in ferm
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320590 Change subject: Configure connection tracking sysctl settings in ferm .. Configure connection tracking sysctl settings in ferm Connection tracking parameters cannot be set via the default /etc/sysctl.d hierarchy; it needs to be ensured that these are set after ferm is started (which loads the connection tracking kernel modules which configure the respective sysctl options). Provide a ferm configuration file which runs the sysctl commands after setting up all the rules and services. Bug: T136094 Change-Id: I9d1be6387fae30e15207d2047b1e25a717d6bfa6 --- A modules/base/files/firewall/conntrack-sysctl.conf M modules/base/manifests/firewall.pp 2 files changed, 8 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/90/320590/1 diff --git a/modules/base/files/firewall/conntrack-sysctl.conf b/modules/base/files/firewall/conntrack-sysctl.conf new file mode 100644 index 000..23cedc3 --- /dev/null +++ b/modules/base/files/firewall/conntrack-sysctl.conf @@ -0,0 +1,2 @@ +@def $SYSCTL_SET_CONNTRACK_MAX = `/sbin/sysctl -q -w net.netfilter.nf_conntrack_max=262144`; +@def $SYSCTL_SET_CONNTRACK_TIMEOUT = `/sbin/sysctl -q -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=65`; diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp index 680b3ba..96c3a7b 100644 --- a/modules/base/manifests/firewall.pp +++ b/modules/base/manifests/firewall.pp 
@@ -37,6 +37,12 @@ source => 'puppet:///modules/base/firewall/main-input-default-drop.conf', } +ferm::conf { 'sysctl': +ensure => $ensure, +prio => '99', +source => 'puppet:///modules/base/firewall/conntrack-sysctl.conf', +} + ferm::rule { 'bastion-ssh': ensure => $ensure, rule => 'proto tcp dport ssh saddr $BASTION_HOSTS ACCEPT;', -- To view, visit https://gerrit.wikimedia.org/r/320590 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9d1be6387fae30e15207d2047b1e25a717d6bfa6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
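Review bot: in conntrack-sysctl.conf the two `@def` lines exist only for the side effect of their backtick commands; $SYSCTL_SET_CONNTRACK_MAX and $SYSCTL_SET_CONNTRACK_TIMEOUT are never referenced. Add a comment in the file saying so, and confirm that the backticks are evaluated only after the connection tracking modules are loaded: `prio => '99'` in the ferm::conf resource orders the file among the includes, which is not necessarily the moment the command runs. The values 262144 and 65 would also be easier to review with a note on how they were chosen.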
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Restrict access to Hive server
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320574 Change subject: Restrict access to Hive server .. Restrict access to Hive server We're getting rid of $INTERNAL, since it's needlessly broad. The Hive server is only accessed from stat100[24], so restrict access to those. Change-Id: I09b03524d927962491349448ef6a3128a8144a42 --- M modules/role/manifests/analytics_cluster/hive/server.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/74/320574/1 diff --git a/modules/role/manifests/analytics_cluster/hive/server.pp b/modules/role/manifests/analytics_cluster/hive/server.pp index 2894ccc..5e58ab9 100644 --- a/modules/role/manifests/analytics_cluster/hive/server.pp +++ b/modules/role/manifests/analytics_cluster/hive/server.pp @@ -13,7 +13,7 @@ ferm::service{ 'hive_server': proto => 'tcp', port => '1', -srange => '$INTERNAL', +srange => '@resolve((stat1002.eqiad.wmnet stat1004.eqiad.wmnet))', } # Include icinga alerts if production realm. -- To view, visit https://gerrit.wikimedia.org/r/320574 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I09b03524d927962491349448ef6a3128a8144a42 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
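Review bot: the `srange` for 'hive_server' hardcodes two hostnames inside `@resolve(...)`, so adding or replacing a stat host means editing this role, and the rule only covers the addresses those names resolve to when ferm loads its configuration. Consider moving the host list to a class parameter or hiera key, and state whether IPv6 clients need to be covered, since the expression as written gives no record type.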
[MediaWiki-commits] [Gerrit] operations/puppet[production]: ssh_pybal: Restrict to production networks
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320556 Change subject: ssh_pybal: Restrict to production networks .. ssh_pybal: Restrict to production networks SSH health checks are only coming from production hosts, restrict to production networks. Change-Id: I439c36f001df4a785aac73635349c2c8a77fb749 --- M modules/role/manifests/mediawiki/common.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/56/320556/1 diff --git a/modules/role/manifests/mediawiki/common.pp b/modules/role/manifests/mediawiki/common.pp index 26dec47..10f46c1 100644 --- a/modules/role/manifests/mediawiki/common.pp +++ b/modules/role/manifests/mediawiki/common.pp @@ -22,7 +22,7 @@ ferm::service{ 'ssh_pybal': proto => 'tcp', port => '22', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', desc => 'Allow incoming SSH for pybal health checks', } -- To view, visit https://gerrit.wikimedia.org/r/320556 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I439c36f001df4a785aac73635349c2c8a77fb749 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
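Review bot: the `desc` on 'ssh_pybal' says the rule exists for pybal health checks, but the new `srange => '$PRODUCTION_NETWORKS'` still opens port 22 to every production host. If the checks originate only from the load balancer hosts, scope `srange` to those; if the wider range is intentional, say why in the `desc` so the rule is not mistaken for general SSH access.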
[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::mediawiki::jobrunner: Restrict to domain networks
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320549 Change subject: role::mediawiki::jobrunner: Restrict to domain networks .. role::mediawiki::jobrunner: Restrict to domain networks We're getting rid of $INTERNAL, since it's needlessly broad. Use $DOMAIN_NETWORKS to restrict access in production to production networks, while still allowing using it in labs. Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b --- M modules/role/manifests/mediawiki/jobrunner.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/49/320549/1 diff --git a/modules/role/manifests/mediawiki/jobrunner.pp b/modules/role/manifests/mediawiki/jobrunner.pp index 74f6c44..686a09e 100644 --- a/modules/role/manifests/mediawiki/jobrunner.pp +++ b/modules/role/manifests/mediawiki/jobrunner.pp @@ -24,6 +24,6 @@ proto => 'tcp', port=> $::mediawiki::jobrunner::port, notrack => true, -srange => '$INTERNAL', +srange => '$DOMAIN_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/320549 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
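Review bot: this rule has `notrack => true`, so `srange` is the only thing limiting who reaches the jobrunner port, and the hunk gives no hint of what `$DOMAIN_NETWORKS` expands to. Add a comment next to `srange` with the explanation from the commit message (production networks in production, still usable in labs) so a reader of the manifest does not have to look up the macro to judge the exposure.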
[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::jsbench: Restrict to production networks
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320547 Change subject: role::jsbench: Restrict to production networks .. role::jsbench: Restrict to production networks We're getting rid of $INTERNAL, since it's needlessly broad. xvfb is only accessed from production hosts for debugging, so restrict it to production networks. Change-Id: I0a209f803b21d666c8f378c38aa9501a48952230 --- M modules/role/manifests/jsbench.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/47/320547/1 diff --git a/modules/role/manifests/jsbench.pp b/modules/role/manifests/jsbench.pp index 5dbd87d..5a67a90 100644 --- a/modules/role/manifests/jsbench.pp +++ b/modules/role/manifests/jsbench.pp @@ -30,7 +30,7 @@ ferm::service { 've-xvfb': proto => 'tcp', port => '6099', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', } user { 'jsbench': -- To view, visit https://gerrit.wikimedia.org/r/320547 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0a209f803b21d666c8f378c38aa9501a48952230 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
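Review bot: the commit message describes xvfb access on 6099 as a debugging path, yet 've-xvfb' stays open to all of `$PRODUCTION_NETWORKS` permanently. Consider limiting `srange` to the hosts debugging is actually done from, or add a `desc` stating that the rule is debug-only, so it can be removed or tightened later.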
[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::mariadb::sanitarium: Restrict to production networks
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320545 Change subject: role::mariadb::sanitarium: Restrict to production networks .. role::mariadb::sanitarium: Restrict to production networks We're getting rid of $INTERNAL, since it's needlessly broad. Restrict to production networks instead. Change-Id: Ie00990d7a28cab0afb9d89c79ee625a7ac937655 --- M modules/role/manifests/mariadb.pp 1 file changed, 3 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/45/320545/1 diff --git a/modules/role/manifests/mariadb.pp b/modules/role/manifests/mariadb.pp index 766e100..c6596b5 100644 --- a/modules/role/manifests/mariadb.pp +++ b/modules/role/manifests/mariadb.pp @@ -713,19 +713,19 @@ ferm::service { 'mysqld_sanitarium': proto => 'tcp', port => '3311:3317', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', } ferm::service { 'gmond_udp': proto => 'udp', port => '8649', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', } ferm::service { 'gmond_tcp': proto => 'tcp', port => '8649', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', } # One instance per shard using mysqld_multi. -- To view, visit https://gerrit.wikimedia.org/r/320545 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie00990d7a28cab0afb9d89c79ee625a7ac937655 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
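Review bot: the subject names only role::mariadb::sanitarium, but the hunk also changes `srange` for 'gmond_udp' and 'gmond_tcp' on port 8649. Mention the two monitoring rules in the commit message and confirm that every host collecting from gmond on these machines sits inside `$PRODUCTION_NETWORKS`, since a collector outside that range would lose metrics silently after this change.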
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Only install python-pygeoip on Ubuntu
Muehlenhoff has submitted this change and it was merged. Change subject: Only install python-pygeoip on Ubuntu .. Only install python-pygeoip on Ubuntu Not available on jessie and provenance unknown, skip installing for now to restore puppet runs on notebook*. Bug: T150003 Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67 --- M modules/statistics/manifests/packages.pp 1 file changed, 7 insertions(+), 1 deletion(-) Approvals: Ottomata: Looks good to me, but someone else must approve Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/statistics/manifests/packages.pp b/modules/statistics/manifests/packages.pp index adb2e65..510a07e 100644 --- a/modules/statistics/manifests/packages.pp +++ b/modules/statistics/manifests/packages.pp @@ -55,7 +55,6 @@ 'python-pandas',# Pivot tables processing 'python-requests', # Simple lib to make API calls 'python-unidecode', # Unicode simplification - converts everything to latin set -'python-pygeoip', # For geo-encoding IP addresses 'python-ua-parser', # For parsing User Agents 'python-matplotlib', # For generating plots of data 'python-netaddr', @@ -67,6 +66,13 @@ 'python-pymysql', ]) +# This is a custom package and currently not available on jessie, don't install on jessie for now +if os_version('ubuntu >= trusty') { +ensure_packages([ +'python-pygeoip', # For geo-encoding IP addresses +]) +} + # FORTRAN packages (T89414) ensure_packages([ 'gfortran',# GNU Fortran 95 compiler -- To view, visit https://gerrit.wikimedia.org/r/320410 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: Ottomata Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
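Review bot: the comment above the new block says "don't install on jessie", but the condition `os_version('ubuntu >= trusty')` also skips every other non-Ubuntu release and Ubuntu releases older than trusty. Reword the comment to match what the condition does (install on Ubuntu trusty and later only), or write the condition as the jessie exclusion the comment describes.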
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Only install python-pygeoip on Ubuntu
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320410 Change subject: Only install python-pygeoip on Ubuntu .. Only install python-pygeoip on Ubuntu Not available on jessie and provenance unknown, skip installing for now to restore puppet runs on notebook*. Bug: T150003 Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67 --- M modules/statistics/manifests/packages.pp 1 file changed, 7 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/10/320410/1 diff --git a/modules/statistics/manifests/packages.pp b/modules/statistics/manifests/packages.pp index adb2e65..510a07e 100644 --- a/modules/statistics/manifests/packages.pp +++ b/modules/statistics/manifests/packages.pp @@ -55,7 +55,6 @@ 'python-pandas',# Pivot tables processing 'python-requests', # Simple lib to make API calls 'python-unidecode', # Unicode simplification - converts everything to latin set -'python-pygeoip', # For geo-encoding IP addresses 'python-ua-parser', # For parsing User Agents 'python-matplotlib', # For generating plots of data 'python-netaddr', @@ -67,6 +66,13 @@ 'python-pymysql', ]) +# This is a custom package and currently not available on jessie, don't install on jessie for now +if os_version('ubuntu >= trusty') { +ensure_packages([ +'python-pygeoip', # For geo-encoding IP addresses +]) +} + # FORTRAN packages (T89414) ensure_packages([ 'gfortran',# GNU Fortran 95 compiler -- To view, visit https://gerrit.wikimedia.org/r/320410 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
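Review bot: the comment on the new `if os_version('ubuntu >= trusty')` block calls python-pygeoip a custom package and the commit message says its provenance is unknown, yet the block keeps installing it on trusty. Reference T150003 in the comment so the open provenance question stays attached to the place where the package is declared, and the conditional is revisited once it is answered.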
[MediaWiki-commits] [Gerrit] operations/puppet[production]: statistics::packages: Remove zpubsub
Muehlenhoff has submitted this change and it was merged. Change subject: statistics::packages: Remove zpubsub .. statistics::packages: Remove zpubsub This was only needed when eventlogging was still using zeromq and obsolete since it now uses kafka. Bug: T150003 Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18 --- M modules/statistics/manifests/packages.pp 1 file changed, 0 insertions(+), 1 deletion(-) Approvals: Ottomata: Looks good to me, but someone else must approve Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/statistics/manifests/packages.pp b/modules/statistics/manifests/packages.pp index 906d805..adb2e65 100644 --- a/modules/statistics/manifests/packages.pp +++ b/modules/statistics/manifests/packages.pp @@ -17,7 +17,6 @@ 'tofrodos', 'git-review', 'make', # halfak wants make to manage dependencies -'zpubsub', # For checking up on eventlogging 'libwww-perl', # For wikistats stuff 'php5-cli', 'php5-curl', -- To view, visit https://gerrit.wikimedia.org/r/320227 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Elukey Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: Ottomata Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
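Review bot: removing 'zpubsub' from the package list stops Puppet from installing it on new hosts but does not remove it from hosts where it is already installed. If the intent is to get rid of the obsolete package, add a `package { 'zpubsub': ensure => absent }` resource for a while; if leaving it in place is acceptable, say so in the commit message.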
[MediaWiki-commits] [Gerrit] operations/puppet[production]: statistics::packages: Remove zpubsub
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320227 Change subject: statistics::packages: Remove zpubsub .. statistics::packages: Remove zpubsub This was only needed when eventlogging was still using zeromq and obsolete since it now uses kafka. Bug: T150003 Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18 --- M modules/statistics/manifests/packages.pp 1 file changed, 0 insertions(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/27/320227/1 diff --git a/modules/statistics/manifests/packages.pp b/modules/statistics/manifests/packages.pp index 906d805..adb2e65 100644 --- a/modules/statistics/manifests/packages.pp +++ b/modules/statistics/manifests/packages.pp @@ -17,7 +17,6 @@ 'tofrodos', 'git-review', 'make', # halfak wants make to manage dependencies -'zpubsub', # For checking up on eventlogging 'libwww-perl', # For wikistats stuff 'php5-cli', 'php5-curl', -- To view, visit https://gerrit.wikimedia.org/r/320227 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Load connection tracking sysctl values via a separate system...
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320197 Change subject: Load connection tracking sysctl values via a separate systemd unit .. Load connection tracking sysctl values via a separate systemd unit Connection tracking parameters cannot be set via the default /etc/sysctl.d hierarchy; it needs to be ensured that these are set after ferm is started (which loads the connection tracking kernel modules which configure the respective sysctl options) Provide a separate systemd unit ferm-sysctl.service which gets started after ferm. Bug: T136094 Change-Id: Icdac447b8ab3528cca652901779eeb4d7ea6fc5a --- A modules/base/files/firewall/ferm-sysctl.service M modules/base/manifests/firewall.pp 2 files changed, 25 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/320197/1 diff --git a/modules/base/files/firewall/ferm-sysctl.service b/modules/base/files/firewall/ferm-sysctl.service new file mode 100644 index 000..e6a7c4b --- /dev/null +++ b/modules/base/files/firewall/ferm-sysctl.service @@ -0,0 +1,13 @@ +[Unit] +Description=Apply connection tracking sysctl settings for ferm +After=ferm.service +ConditionPathIsReadWrite=/proc/sys/ +ConditionPathExists=/etc/ferm/conntrack-sysctl.conf + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/sbin/sysctl -q --load=/etc/ferm/conntrack-sysctl.conf + +[Install] +WantedBy=multi-user.target diff --git a/modules/base/manifests/firewall.pp b/modules/base/manifests/firewall.pp index 680b3ba..9c24117 100644 --- a/modules/base/manifests/firewall.pp +++ b/modules/base/manifests/firewall.pp 
@@ -24,6 +24,18 @@ }, } +# Connection tracking parameters cannot be set via the default /etc/sysctl.d +# hierarchy; it needs to be ensured that these are set after ferm is started +# (which loads the connection tracking kernel modules which configure the +# respective sysctl options) +file { '/lib/systemd/system/ferm-sysctl.service': +ensure => $ensure, +mode=> '0644', +owner => 'root', +group => 'root', +source => 'puppet:///modules/base/firewall/ferm-sysctl.service', +} + # The sysctl value net.netfilter.nf_conntrack_buckets is read-only. It is configured # via a modprobe parameter, bump it manually for running systems exec { 'bump nf_conntrack hash table size': -- To view, visit https://gerrit.wikimedia.org/r/320197 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Icdac447b8ab3528cca652901779eeb4d7ea6fc5a Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
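Review bot: in ferm-sysctl.service, `ConditionPathExists=/etc/ferm/conntrack-sysctl.conf` refers to a file this change does not ship (only the unit and firewall.pp are touched), so the unit is skipped silently wherever that file is absent. Ship the file in the same change or document where it comes from. Also, `After=ferm.service` only orders startup; without a `PartOf=` or similar binding, a later ferm restart does not re-run the unit.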
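Review bot: the firewall.pp hunk installs /lib/systemd/system/ferm-sysctl.service as a plain `file` resource, but nothing in the hunk enables or starts the unit or reloads systemd after the file changes. `WantedBy=multi-user.target` only takes effect once the unit is enabled, so add a `service` resource (or the equivalent enable step) that subscribes to the file.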
[MediaWiki-commits] [Gerrit] operations...linux-meta[master]: Bump changelog
Muehlenhoff has submitted this change and it was merged. Change subject: Bump changelog .. Bump changelog Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d --- M debian/changelog 1 file changed, 6 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Verified; Looks good to me, approved diff --git a/debian/changelog b/debian/changelog index 39c7db2..f3f5b21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux-meta (1.11) jessie-wikimedia; urgency=medium + + * Update to new linux package with ABI 3 + + -- Moritz MuehlenhoffMon, 07 Nov 2016 09:09:01 +0100 + linux-meta (1.10) jessie-wikimedia; urgency=medium * Update to new linux package with ABI 2 -- To view, visit https://gerrit.wikimedia.org/r/320167 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux-meta Gerrit-Branch: master Gerrit-Owner: Muehlenhoff Gerrit-Reviewer: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux-meta[master]: Bump changelog
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/320167 Change subject: Bump changelog .. Bump changelog Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d --- M debian/changelog 1 file changed, 6 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux-meta refs/changes/67/320167/1 diff --git a/debian/changelog b/debian/changelog index 39c7db2..f3f5b21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linux-meta (1.11) jessie-wikimedia; urgency=medium + + * Update to new linux package with ABI 3 + + -- Moritz MuehlenhoffMon, 07 Nov 2016 09:09:01 +0100 + linux-meta (1.10) jessie-wikimedia; urgency=medium * Update to new linux package with ABI 2 -- To view, visit https://gerrit.wikimedia.org/r/320167 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux-meta Gerrit-Branch: master Gerrit-Owner: Muehlenhoff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations...linux-meta[master]: Depend on new ABI name
Muehlenhoff has submitted this change and it was merged. Change subject: Depend on new ABI name .. Depend on new ABI name Change-Id: Icb7a83ca36ceca78532ff46c68a712db37d3da4b --- M debian/control 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Muehlenhoff: Looks good to me, approved jenkins-bot: Verified diff --git a/debian/control b/debian/control index 4897122..23e3a7f 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Package: linux-meta-4.4 Architecture: any -Depends: linux-image-4.4.0-2-amd64 [amd64], initramfs-tools, grub2-common, firmware-bnx2x (>= 20151018-2~wmf1) +Depends: linux-image-4.4.0-3-amd64 [amd64], initramfs-tools, grub2-common, firmware-bnx2x (>= 20151018-2~wmf1) Description: Meta package for 4.4 kernel images This package depends on the latest Linux kernel used in the WMF environment. It can also serve to depend on firmware packages not part of the stock Linux -- To view, visit https://gerrit.wikimedia.org/r/319870 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Icb7a83ca36ceca78532ff46c68a712db37d3da4b Gerrit-PatchSet: 1 Gerrit-Project: operations/debs/linux-meta Gerrit-Branch: master Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
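Review bot: the `Depends:` line in debian/control moves to linux-image-4.4.0-3-amd64, but this change touches only that one file, so debian/changelog still carries the previous version. A package built from this commit would have the old version number with new dependencies; bump the changelog in the same change so the two cannot be built apart.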
[MediaWiki-commits] [Gerrit] operations/puppet[production]: carbon_pickled: Restrict to production networks
Muehlenhoff has submitted this change and it was merged. Change subject: carbon_pickled: Restrict to production networks .. carbon_pickled: Restrict to production networks We're getting rid of $INTERNAL, since it's needlessly broad. Restrict access to production networks as for the other ferm services. Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045 --- M modules/role/manifests/graphite/production.pp 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Filippo Giunchedi: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/role/manifests/graphite/production.pp b/modules/role/manifests/graphite/production.pp index ab7661e..7d9e4f6 100644 --- a/modules/role/manifests/graphite/production.pp +++ b/modules/role/manifests/graphite/production.pp @@ -75,7 +75,7 @@ ferm::service { 'carbon_pickled': proto => 'tcp', port => '2004', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/319878 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045 Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: MuehlenhoffGerrit-Reviewer: Filippo Giunchedi Gerrit-Reviewer: Muehlenhoff Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
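Review bot: 'carbon_pickled' on port 2004 accepts serialized metric batches, so the sender set matters more here than for a plain-text port, and `$PRODUCTION_NETWORKS` is still every production host. If only a known set of relays sends pickled data, scope `srange` to those hosts, or add a comment explaining why the full production range is required.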
[MediaWiki-commits] [Gerrit] operations/puppet[production]: carbon_pickled: Restrict to production networks
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/319878 Change subject: carbon_pickled: Restrict to production networks .. carbon_pickled: Restrict to production networks We're getting rid of $INTERNAL, since it's needlessly broad. Restrict access to production networks as for the other ferm services. Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045 --- M modules/role/manifests/graphite/production.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/78/319878/1 diff --git a/modules/role/manifests/graphite/production.pp b/modules/role/manifests/graphite/production.pp index ab7661e..7d9e4f6 100644 --- a/modules/role/manifests/graphite/production.pp +++ b/modules/role/manifests/graphite/production.pp @@ -75,7 +75,7 @@ ferm::service { 'carbon_pickled': proto => 'tcp', port => '2004', -srange => '$INTERNAL', +srange => '$PRODUCTION_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/319878 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
[MediaWiki-commits] [Gerrit] operations/puppet[production]: elasticsearch::https: Restrict to domain networks
Muehlenhoff has uploaded a new change for review. https://gerrit.wikimedia.org/r/319875 Change subject: elasticsearch::https: Restrict to domain networks .. elasticsearch::https: Restrict to domain networks We're getting rid of $INTERNAL, since it's needlessly broad. Restrict to DOMAIN_NETWORKS, which restricts access to the production networks in production, while still allowing tests in labs. A similar change has been made for the elastic-http ferm service. Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6 --- M modules/elasticsearch/manifests/https.pp 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/75/319875/1 diff --git a/modules/elasticsearch/manifests/https.pp b/modules/elasticsearch/manifests/https.pp index 1de60f5..6ac9617 100644 --- a/modules/elasticsearch/manifests/https.pp +++ b/modules/elasticsearch/manifests/https.pp @@ -47,7 +47,7 @@ ensure => $ensure, proto => 'tcp', port => '9243', -srange => '$INTERNAL', +srange => '$DOMAIN_NETWORKS', } } -- To view, visit https://gerrit.wikimedia.org/r/319875 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Muehlenhoff___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
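Review bot: the commit message says the same `$INTERNAL` to `$DOMAIN_NETWORKS` switch was made separately for the elastic-http ferm service, which leaves two independent `srange` literals for the same cluster. Consider passing the range to both rules from one class parameter so the HTTP and HTTPS ports (9243 here) cannot drift apart in a later edit.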