[MediaWiki-commits] [Gerrit] operations/puppet[production]: Remove access credentials for laner

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330891 )

Change subject: Remove access credentials for laner
..

Remove access credentials for laner

Bug: T152957
Change-Id: I62cbf408c2973c65f9ace612cb9efcc8c6931346
---
M modules/admin/data/data.yaml
1 file changed, 5 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/91/330891/1

diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index a89f37a..b16b07c 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -5,7 +5,8 @@
   handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, 
mglaser, mvolz,
   mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, 
rmoen,
   johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, 
msyed, kleduc,
-  manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, 
asherman]
+  manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, 
asherman,
+  laner]
   wikidev:
 gid: 500
 description: container group for primary user groups.
@@ -18,7 +19,7 @@
   ops:
 gid: 700
 description: include everywhere ops folks
-members: _members [filippo, jgreen, bblack, andrew, faidon, rush, 
oblivian, laner, yuvipanda,
+members: _members [filippo, jgreen, bblack, andrew, faidon, rush, 
oblivian, yuvipanda,
   dzahn, akosiaris, springle, mark, ariel, cmjohnson, otto, robh, 
tstarling,
   ori, midom, jmm, jynus, aaron, ema, elukey, gehel, volans, 
madhuvishy, marostegui]
 privileges: ['ALL = (ALL) NOPASSWD: ALL']
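Review bot: `laner` leaves `ops` in this hunk, and `ops` is the group carrying `ALL = (ALL) NOPASSWD: ALL`, but the patch edits only this membership list and the list in the first hunk. Before merge, grep data.yaml for any other group that still lists `laner`, and state in the commit message that none remain, since the subject line alone does not record which groups were checked.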
@@ -1385,12 +1386,11 @@
 uid: 4816
 # T109521
   laner:
-ensure: present
+ensure: absent
 gid: 500
 name: laner
 realname: Ryan Lane
-ssh_keys: [ssh-rsa 
B3NzaC1yc2EDAQABAAABAQDRsK78adkRJfbYrsZznpbwldoSpQyyQXrXG6WzrJEBAVIAKz5gPSM8zmJ/kj89QygYRaKRPWAcuF5GZhSho15dwDXm5M0ZTva4/m/Hu4H3j7oxx3PKjZKBiygP7mSu/32TJs7FynPGAFVl/B766Snn9Ll/xwrx4lg3v9ZNEpNMJZ0DQTFZ1xXD2Ns08JvxW1csAEoNrpqH6tTdXdHmhurXdKQq1G/JmKR3/KVWbB1MNvUwCY0mQbN1icuy+JsOXbvXEftumigXRV16reLvX3q4sNmYSFfOGOMMW7K9d+nDc4TRNrUjm8R0AEZ6BxTJsvpahDi1gCOfZnGmpGKUEWgZ
-laner@Free-Public-Wifi.local]
+ssh_keys: []
 uid: 553
   midom:
 ensure: present

-- 
To view, visit https://gerrit.wikimedia.org/r/330891
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I62cbf408c2973c65f9ace612cb9efcc8c6931346
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: Remove access credentials for asherman

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330885 )

Change subject: Remove access credentials for asherman
..


Remove access credentials for asherman

Bug: T152957

Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf
---
M modules/admin/data/data.yaml
1 file changed, 4 insertions(+), 4 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 15505cb..a89f37a 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -5,7 +5,7 @@
   handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, 
mglaser, mvolz,
   mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, 
rmoen,
   johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, 
msyed, kleduc,
-  manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla]
+  manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, 
asherman]
   wikidev:
 gid: 500
 description: container group for primary user groups.
@@ -109,7 +109,7 @@
   mforns, jdlrobson, dr0ptp4kt, tgr, marktraceur, jhernandez, joal,
   daisy, tomasz, mholloway-shell, madhuvishy, ebernhardson, 
niedzielski,
   neilpquinn-wmf, tbayer, moushira, dbrant, maxsem, srijan,
-  jminor, asherman, etonkovidova, sbisson, addshore, matmarex, 
elukey,
+  jminor, etonkovidova, sbisson, addshore, matmarex, elukey,
   nikerabbit, nschaaf, dstrine, joewalsh, mpany, hjiang, jsamra, 
bcohn,
   jdittrich, chelsyx, ovasileva, mtizzoni, panisson, paolotti, 
ciro, debt,
   samwalton9, zareen, fdans]
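Review bot: the membership list edited at line 109 is not identified by the hunk context, and the commit message gives only the subject and the Bug line. Name the group that loses `asherman` in the commit message so the removal can be audited from the log without opening data.yaml.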
@@ -1821,11 +1821,11 @@
 ssh_keys: [ssh-rsa 
B3NzaC1yc2EDAQABAAABAQDKBIRu2KwmxKyLk2zOtpvzJzLwckzIdsAcB7ajJZQnVhaMGlQlelKL3X85lmuHuL2Pb+jqJ+wfufl+XZHAQy8ZmHIpHpGujfFAv0uNsm4MmnGTjlhpjfuXqVx3QKy58KnuuhEhN3+JCgHhD5D5z40wXZVYjEvdYp75wtxbBLlFCVYjo/tpcU+RcrATMrZab+TQ9DxaqqOtR5AzcBicmsVptZLxBSibDnDFFcNn2SSn0PNwO0Bbv1GppVL+e0J81vEXLxUeeQl3TzxYJyeqcGfQJfSdC8V5ekP3WoVCHF8ap7EOlt5h9/CLqLP2cIfKsE2ciYfJVpSEVEng+9oVMweH
 junikow...@wmf485.corp.wikimedia.org]
 uid: 13018
   asherman:
-ensure: present
+ensure: absent
 gid: 500
 name: asherman
 realname: Andrew Sherman
-ssh_keys: [ssh-rsa 
B3NzaC1yc2EDAQABAAABAQCoNjOK45S7G5ZyAFFE4lLfNvcW+67JMyLPhivnXIYPckEKdA08FW3GNNuvLqfeSseKvhLGHwBEVeK3osA1ZFwbsKUyRPxHxL2iIaCj7JUp/3QoHjxUa4pFCRM408mrlEnhMYMJwjQ5irXkO7LHyE/89v3Jv2ext6S3vOGSdVDrQcAlS6zZnuWtlMeIh/oj0+0HrW6e6HoMeYqbb9t0tUr/X18emh9K9jQ3bKmbnEv4iVEKBBImJ6MVpXaDAX7zwAcAXGgtfXp1oNIR7z21uM1RuxlcP1Sj60x/RNPc3dbD+xi25ddaIfVC4mO6VoHcBsxwSHHWVVsyqHalRP666kK7
 Andrew@Andrews-MBP-2]
+ssh_keys: []
 uid: 12989
   pt1979:
 ensure: present

-- 
To view, visit https://gerrit.wikimedia.org/r/330885
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Remove access credentials for asherman

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330885 )

Change subject: Remove access credentials for asherman
..

Remove access credentials for asherman

Bug: T152957

Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf
---
M modules/admin/data/data.yaml
1 file changed, 4 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/85/330885/1

diff --git a/modules/admin/data/data.yaml b/modules/admin/data/data.yaml
index 15505cb..a89f37a 100644
--- a/modules/admin/data/data.yaml
+++ b/modules/admin/data/data.yaml
@@ -5,7 +5,7 @@
   handrade, howief, jdouglas, jgonera, jsahleen, mah, maryana, 
mglaser, mvolz,
   mwalker, nimishg, rainman, ssmith, swalling, sumanah, werdna, 
rmoen,
   johnflewis, marc, jkrauska, akumar, mnoushad, spage, tnegrin, 
msyed, kleduc,
-  manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla]
+  manybubbles, haithams, jzerebecki, ashwinpp, ironholds, robla, 
asherman]
   wikidev:
 gid: 500
 description: container group for primary user groups.
@@ -109,7 +109,7 @@
   mforns, jdlrobson, dr0ptp4kt, tgr, marktraceur, jhernandez, joal,
   daisy, tomasz, mholloway-shell, madhuvishy, ebernhardson, 
niedzielski,
   neilpquinn-wmf, tbayer, moushira, dbrant, maxsem, srijan,
-  jminor, asherman, etonkovidova, sbisson, addshore, matmarex, 
elukey,
+  jminor, etonkovidova, sbisson, addshore, matmarex, elukey,
   nikerabbit, nschaaf, dstrine, joewalsh, mpany, hjiang, jsamra, 
bcohn,
   jdittrich, chelsyx, ovasileva, mtizzoni, panisson, paolotti, 
ciro, debt,
   samwalton9, zareen, fdans]
@@ -1821,11 +1821,11 @@
 ssh_keys: [ssh-rsa 
B3NzaC1yc2EDAQABAAABAQDKBIRu2KwmxKyLk2zOtpvzJzLwckzIdsAcB7ajJZQnVhaMGlQlelKL3X85lmuHuL2Pb+jqJ+wfufl+XZHAQy8ZmHIpHpGujfFAv0uNsm4MmnGTjlhpjfuXqVx3QKy58KnuuhEhN3+JCgHhD5D5z40wXZVYjEvdYp75wtxbBLlFCVYjo/tpcU+RcrATMrZab+TQ9DxaqqOtR5AzcBicmsVptZLxBSibDnDFFcNn2SSn0PNwO0Bbv1GppVL+e0J81vEXLxUeeQl3TzxYJyeqcGfQJfSdC8V5ekP3WoVCHF8ap7EOlt5h9/CLqLP2cIfKsE2ciYfJVpSEVEng+9oVMweH
 junikow...@wmf485.corp.wikimedia.org]
 uid: 13018
   asherman:
-ensure: present
+ensure: absent
 gid: 500
 name: asherman
 realname: Andrew Sherman
-ssh_keys: [ssh-rsa 
B3NzaC1yc2EDAQABAAABAQCoNjOK45S7G5ZyAFFE4lLfNvcW+67JMyLPhivnXIYPckEKdA08FW3GNNuvLqfeSseKvhLGHwBEVeK3osA1ZFwbsKUyRPxHxL2iIaCj7JUp/3QoHjxUa4pFCRM408mrlEnhMYMJwjQ5irXkO7LHyE/89v3Jv2ext6S3vOGSdVDrQcAlS6zZnuWtlMeIh/oj0+0HrW6e6HoMeYqbb9t0tUr/X18emh9K9jQ3bKmbnEv4iVEKBBImJ6MVpXaDAX7zwAcAXGgtfXp1oNIR7z21uM1RuxlcP1Sj60x/RNPc3dbD+xi25ddaIfVC4mO6VoHcBsxwSHHWVVsyqHalRP666kK7
 Andrew@Andrews-MBP-2]
+ssh_keys: []
 uid: 12989
   pt1979:
 ensure: present

-- 
To view, visit https://gerrit.wikimedia.org/r/330885
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I23a663f791641b27fa02a264639b557c994c1bcf
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Switch cache servers in ulsfo to timesyncd

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330865 )

Change subject: Switch cache servers in ulsfo to timesyncd
..

Switch cache servers in ulsfo to timesyncd

Testdrive systemd-timesyncd on the varnish servers in ulsfo; they're all
jessie.

Bug: T150257
Change-Id: Icfbde45a23d1a2b39c1a653d154f7fec6ccd4c97
---
M hieradata/role/ulsfo/cache/maps.yaml
M hieradata/role/ulsfo/cache/misc.yaml
M hieradata/role/ulsfo/cache/text.yaml
M hieradata/role/ulsfo/cache/upload.yaml
4 files changed, 4 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/65/330865/1

diff --git a/hieradata/role/ulsfo/cache/maps.yaml 
b/hieradata/role/ulsfo/cache/maps.yaml
index 48da31a..5447792 100644
--- a/hieradata/role/ulsfo/cache/maps.yaml
+++ b/hieradata/role/ulsfo/cache/maps.yaml
@@ -1,3 +1,4 @@
 debdeploy::grains:
   debdeploy-cp-ulsfo-maps:
 value: standard
+use_timesyncd: true
diff --git a/hieradata/role/ulsfo/cache/misc.yaml 
b/hieradata/role/ulsfo/cache/misc.yaml
index 8e8cb74..e7941db 100644
--- a/hieradata/role/ulsfo/cache/misc.yaml
+++ b/hieradata/role/ulsfo/cache/misc.yaml
@@ -1,3 +1,4 @@
 debdeploy::grains:
   debdeploy-cp-ulsfo-misc:
 value: standard
+use_timesyncd: true
diff --git a/hieradata/role/ulsfo/cache/text.yaml 
b/hieradata/role/ulsfo/cache/text.yaml
index fcaa704..915c946 100644
--- a/hieradata/role/ulsfo/cache/text.yaml
+++ b/hieradata/role/ulsfo/cache/text.yaml
@@ -1,3 +1,4 @@
 debdeploy::grains:
   debdeploy-cp-ulsfo-text:
 value: standard
+use_timesyncd: true
diff --git a/hieradata/role/ulsfo/cache/upload.yaml 
b/hieradata/role/ulsfo/cache/upload.yaml
index 4ee386e..6d2b150 100644
--- a/hieradata/role/ulsfo/cache/upload.yaml
+++ b/hieradata/role/ulsfo/cache/upload.yaml
@@ -1,3 +1,4 @@
 debdeploy::grains:
   debdeploy-cp-ulsfo-upload:
 value: standard
+use_timesyncd: true

-- 
To view, visit https://gerrit.wikimedia.org/r/330865
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icfbde45a23d1a2b39c1a653d154f7fec6ccd4c97
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add NRPE check to monitor timesyncd

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330854 )

Change subject: Add NRPE check to monitor timesyncd
..


Add NRPE check to monitor timesyncd

This reuses an existing Nagios check implemented by Peter Palfrader of the
Debian DSA team.

Bug: T150257
Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998
---
A modules/base/files/check_timedatectl
M modules/standard/manifests/ntp/timesyncd.pp
2 files changed, 76 insertions(+), 1 deletion(-)

Approvals:
  Ema: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/base/files/check_timedatectl 
b/modules/base/files/check_timedatectl
new file mode 100755
index 000..700d857
--- /dev/null
+++ b/modules/base/files/check_timedatectl
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Copyright 2016 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+set -e
+set -u
+
+MAX=2
+
+temp="$(mktemp)"
+trap "rm -f '$temp'" EXIT
+
+timedatectl > "$temp"
+ut=$(sed '/Universal time:/ { s/^[^:]*: *//; p}; d' "$temp")
+rtc=$(sed '/RTC time:/ { s/^[^:]*: *//; p}; d' "$temp")
+
+uts=$(date -d "$ut" +%s)
+rtcs=$(date -d "$rtc" +%s)
+
+d=$((uts - rtcs))
+
+if [ "$d" -lt "-$MAX" ] ||
+   [ "$d" -gt "$MAX" ]; then
+   echo "Warning: time desync $d: RTC vs. system time: $rtc vs. $ut"
+   exit 1
+fi
+
+
+bool=$(sed '/NTP enabled:/ { s/^[^:]*: *//; p}; d' "$temp")
+if [ "$bool" != "yes" ]; then
+   echo "Warning: NTP not enabled!"
+   exit 1
+fi
+
+bool=$(sed '/NTP synchronized:/ { s/^[^:]*: *//; p}; d' "$temp")
+if [ "$bool" != "yes" ]; then
+   echo "Warning: not synced with NTP (but clock is OK for now)."
+   exit 1
+fi
+
+echo "OK: synced at $ut."
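Review bot: with `set -e` in effect, a failing `timedatectl` or `date -d` call ends the script before any status line is echoed, and the exit code is that of the failing command rather than a deliberately chosen plugin state. Handle those cases explicitly, for example by testing that `$ut` and `$rtc` are non-empty after the sed extraction and printing an UNKNOWN line with exit 3, so that the NRPE result distinguishes a broken check from a clock problem.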
diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
index 50b3958..3044f35 100644
--- a/modules/standard/manifests/ntp/timesyncd.pp
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -32,5 +32,19 @@
 provider => systemd,
 enable   => true,
 }
-}
 
+file { '/usr/lib/nagios/plugins/check_timedatectl':
+source => 'puppet:///modules/base/check_timedatectl',
+owner  => 'root',
+group  => 'root',
+mode   => '0555',
+}
+
+nrpe::monitor_service { 'timesynd_ntp_status':
+ensure=> 'present',
+description   => 'Check the NTP synchronisation status of timesyncd',
+nrpe_command  => '/usr/lib/nagios/plugins/check_timedatectl',
+require   => File['/usr/lib/nagios/plugins/check_timedatectl'],
+contact_group => 'admins',
+}
+}
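Review bot: the resource title `'timesynd_ntp_status'` in `nrpe::monitor_service` is missing the `c` of timesyncd, unlike the `description` line below it. Change it to `timesyncd_ntp_status` before merge so the check is not registered under a misspelled name.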

-- 
To view, visit https://gerrit.wikimedia.org/r/330854
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Ema 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Drop reference to the manpage (not available on jessie)

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330860 )

Change subject: Drop reference to the manpage (not available on jessie)
..


Drop reference to the manpage (not available on jessie)

The timesyncd.conf manpage is only installed into the systemd binary
packages after jessie, so drop it for now to minimise confusion.

Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1
---
M modules/base/templates/timesyncd.conf.erb
1 file changed, 0 insertions(+), 2 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/base/templates/timesyncd.conf.erb 
b/modules/base/templates/timesyncd.conf.erb
index 2cd2fab..6f3c9a2 100644
--- a/modules/base/templates/timesyncd.conf.erb
+++ b/modules/base/templates/timesyncd.conf.erb
@@ -1,6 +1,4 @@
 ## THIS FILE IS MANAGED BY PUPPET
-#
-# See timesyncd.conf(5) for details.
 
 [Time]
 NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%>

-- 
To view, visit https://gerrit.wikimedia.org/r/330860
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Drop reference to the manpage (not available on jessie)

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330860 )

Change subject: Drop reference to the manpage (not available on jessie)
..

Drop reference to the manpage (not available on jessie)

The timesyncd.conf manpage is only installed into the systemd binary
packages after jessie, so drop it for now to minimise confusion.

Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1
---
M modules/base/templates/timesyncd.conf.erb
1 file changed, 0 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/60/330860/1

diff --git a/modules/base/templates/timesyncd.conf.erb 
b/modules/base/templates/timesyncd.conf.erb
index 2cd2fab..6f3c9a2 100644
--- a/modules/base/templates/timesyncd.conf.erb
+++ b/modules/base/templates/timesyncd.conf.erb
@@ -1,6 +1,4 @@
 ## THIS FILE IS MANAGED BY PUPPET
-#
-# See timesyncd.conf(5) for details.
 
 [Time]
 NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%>

-- 
To view, visit https://gerrit.wikimedia.org/r/330860
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic57d1cb0d5709dac1cca6b0d958236a8564c50f1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add NRPE check to monitor timesyncd

2017-01-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330854 )

Change subject: Add NRPE check to monitor timesyncd
..

Add NRPE check to monitor timesyncd

This reuses an existing Nagios check implemented by Peter Palfrader of the
Debian DSA team.

Bug: T150257
Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998
---
A modules/base/files/check_timedatectl
M modules/standard/manifests/ntp/timesyncd.pp
2 files changed, 76 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/54/330854/1

diff --git a/modules/base/files/check_timedatectl 
b/modules/base/files/check_timedatectl
new file mode 100755
index 000..700d857
--- /dev/null
+++ b/modules/base/files/check_timedatectl
@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Copyright 2016 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+set -e
+set -u
+
+MAX=2
+
+temp="$(mktemp)"
+trap "rm -f '$temp'" EXIT
+
+timedatectl > "$temp"
+ut=$(sed '/Universal time:/ { s/^[^:]*: *//; p}; d' "$temp")
+rtc=$(sed '/RTC time:/ { s/^[^:]*: *//; p}; d' "$temp")
+
+uts=$(date -d "$ut" +%s)
+rtcs=$(date -d "$rtc" +%s)
+
+d=$((uts - rtcs))
+
+if [ "$d" -lt "-$MAX" ] ||
+   [ "$d" -gt "$MAX" ]; then
+   echo "Warning: time desync $d: RTC vs. system time: $rtc vs. $ut"
+   exit 1
+fi
+
+
+bool=$(sed '/NTP enabled:/ { s/^[^:]*: *//; p}; d' "$temp")
+if [ "$bool" != "yes" ]; then
+   echo "Warning: NTP not enabled!"
+   exit 1
+fi
+
+bool=$(sed '/NTP synchronized:/ { s/^[^:]*: *//; p}; d' "$temp")
+if [ "$bool" != "yes" ]; then
+   echo "Warning: not synced with NTP (but clock is OK for now)."
+   exit 1
+fi
+
+echo "OK: synced at $ut."
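Review bot: both `bool` extractions depend on the literal labels `NTP enabled:` and `NTP synchronized:` appearing in the `timedatectl` output. If a label is absent, sed prints nothing, `bool` is empty, and the check reports "Warning: NTP not enabled!" (or "not synced with NTP") although the actual problem is that parsing failed. Add a separate branch for an empty `bool` with its own message.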
diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
index 50b3958..38cfc1b 100644
--- a/modules/standard/manifests/ntp/timesyncd.pp
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -32,5 +32,19 @@
 provider => systemd,
 enable   => true,
 }
-}
 
+file { '/usr/lib/nagios/plugins/check_timedatectl':
+source => 'puppet:///modules/base/firewall/check_timedatectl',
+owner  => 'root',
+group  => 'root',
+mode   => '0555',
+}
+
+nrpe::monitor_service { 'timesynd_ntp_status':
+ensure=> 'present',
+description   => 'Check the NTP synchronisation status of timesyncd',
+nrpe_command  => '/usr/lib/nagios/plugins/check_timedatectl',
+require   => File['/usr/lib/nagios/plugins/check_timedatectl'],
+contact_group => 'admins',
+}
+}
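Review bot: the `source` of the `file` resource points at `puppet:///modules/base/firewall/check_timedatectl`, but this patch adds the script as modules/base/files/check_timedatectl, which is served as `puppet:///modules/base/check_timedatectl`. As written the file resource will not find its source; drop the `firewall/` path component.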

-- 
To view, visit https://gerrit.wikimedia.org/r/330854
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia86161e0a57a7670da5787ef50a8e4f8e4ae1998
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also exclude time servers when using timesyncd

2017-01-05 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330660 )

Change subject: Also exclude time servers when using timesyncd
..


Also exclude time servers when using timesyncd

These are not used in the initial test sets, but let's use the same
check for consistency.

Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924
---
M modules/standard/manifests/init.pp
1 file changed, 3 insertions(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/standard/manifests/init.pp 
b/modules/standard/manifests/init.pp
index 98ec8ff..992c89f 100644
--- a/modules/standard/manifests/init.pp
+++ b/modules/standard/manifests/init.pp
@@ -10,7 +10,9 @@
 include ::standard::ntp
 
 if hiera('use_timesyncd', false) {
-include standard::ntp::timesyncd
+unless $::fqdn in $::standard::ntp::wmf_peers[$::site] {
+include standard::ntp::timesyncd
+}
 }
 else
 {
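Review bot: with the new `unless`, a host that has `use_timesyncd` set to true and is listed in `$::standard::ntp::wmf_peers[$::site]` takes neither the timesyncd include nor the `else` branch, and nothing reports that the hiera setting was ignored. Add a comment above the `unless` explaining why peers are skipped, and consider emitting a notice in that case.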

-- 
To view, visit https://gerrit.wikimedia.org/r/330660
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Ema 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable enhanced sandbox privilege separation for sshd

2017-01-05 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330227 )

Change subject: Enable enhanced sandbox privilege separation for sshd
..


Enable enhanced sandbox privilege separation for sshd

If 'UsePrivilegeSeparation' is set to "sandbox", it additionally
enables a seccomp-based restriction for the (unprivileged)
pre-auth process.

This feature has been introduced in openssh 5.9, so even precise
supports it (but we're using a trusty backport in precise-wikimedia
anyway)

Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a
---
M modules/ssh/templates/sshd_config.erb
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Filippo Giunchedi: Looks good to me, but someone else must approve



diff --git a/modules/ssh/templates/sshd_config.erb 
b/modules/ssh/templates/sshd_config.erb
index 184523d..1a6ba21 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -18,7 +18,7 @@
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 
 <%- if @disable_nist_kex -%>
 KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
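Review bot: the comment above the changed line still reads `#Privilege Separation is turned on for security` and says nothing about the new value. Extend it to state that `sandbox` adds the seccomp restriction on the pre-auth process and needs openssh 5.9 or later, as the commit message explains, so the setting is not later simplified back to `yes`.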

-- 
To view, visit https://gerrit.wikimedia.org/r/330227
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: Ema 
Gerrit-Reviewer: Faidon Liambotis 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also exclude time servers when using timesyncd

2017-01-05 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330660 )

Change subject: Also exclude time servers when using timesyncd
..

Also exclude time servers when using timesyncd

These are not used in the initial test sets, but let's use the same
check for consistency.

Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924
---
M modules/standard/manifests/init.pp
1 file changed, 3 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/60/330660/1

diff --git a/modules/standard/manifests/init.pp 
b/modules/standard/manifests/init.pp
index 98ec8ff..992c89f 100644
--- a/modules/standard/manifests/init.pp
+++ b/modules/standard/manifests/init.pp
@@ -10,7 +10,9 @@
 include ::standard::ntp
 
 if hiera('use_timesyncd', false) {
-include standard::ntp::timesyncd
+unless $::fqdn in $::standard::ntp::wmf_peers[$::site] {
+include standard::ntp::timesyncd
+}
 }
 else
 {

-- 
To view, visit https://gerrit.wikimedia.org/r/330660
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3996336805d681cd17adbd20bdf0187ae46d1924
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Move another host to timesyncd

2017-01-05 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330649 )

Change subject: Move another host to timesyncd
..


Move another host to timesyncd

Just a quick test whether service deactivation now works out properly.

Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e
---
A hieradata/hosts/stat1001.yaml
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/hosts/stat1001.yaml b/hieradata/hosts/stat1001.yaml
new file mode 100644
index 000..832a86c
--- /dev/null
+++ b/hieradata/hosts/stat1001.yaml
@@ -0,0 +1 @@
+use_timesyncd: true

-- 
To view, visit https://gerrit.wikimedia.org/r/330649
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Move another host to timesyncd

2017-01-05 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330649 )

Change subject: Move another host to timesyncd
..

Move another host to timesyncd

Just a quick test whether service deactivation now works out properly.

Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e
---
A hieradata/hosts/stat1001.yaml
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/49/330649/1

diff --git a/hieradata/hosts/stat1001.yaml b/hieradata/hosts/stat1001.yaml
new file mode 100644
index 000..832a86c
--- /dev/null
+++ b/hieradata/hosts/stat1001.yaml
@@ -0,0 +1 @@
+use_timesyncd: true

-- 
To view, visit https://gerrit.wikimedia.org/r/330649
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9ab66cb13b24393658c3706173940cb9df37266e
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Don't apply NTP Icinga check to standard::ntp::timesyncd

2017-01-05 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330411 )

Change subject: Don't apply NTP Icinga check to standard::ntp::timesyncd
..


Don't apply NTP Icinga check to standard::ntp::timesyncd

"check_ntp_time" uses the Icinga plugin check_ntp_peer which queries a
full-blown NTP server. Remove it for now, it will be replaced by
a custom check which monitors the output of "timedatectl status".

Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8
---
M modules/standard/manifests/ntp/timesyncd.pp
1 file changed, 0 insertions(+), 8 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
index 9bf4a6b..50b3958 100644
--- a/modules/standard/manifests/ntp/timesyncd.pp
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -32,13 +32,5 @@
 provider => systemd,
 enable   => true,
 }
-
-monitoring::service { 'ntp':
-description=> 'NTP',
-check_command  => 'check_ntp_time!0.5!1',
-check_interval => 30,
-retry_interval => 15,
-}
-
 }
 
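
Review bot: Removing the monitoring::service { 'ntp': } block at the end
of the class leaves every host on standard::ntp::timesyncd without any
time-synchronisation alerting until the replacement exists. The commit
message promises a custom check on "timedatectl status" but references no
task; I'd add a Bug: line, or a TODO comment where the block was, so the
monitoring gap stays tracked while hosts are being moved to use_timesyncd.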

-- 
To view, visit https://gerrit.wikimedia.org/r/330411
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Don't apply NTP Icinga check to standard::ntp::timesyncd

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330411 )

Change subject: Don't apply NTP Icinga check to standard::ntp::timesyncd
..

Don't apply NTP Icinga check to standard::ntp::timesyncd

"check_ntp_time" uses the Icinga plugin check_ntp_peer which queries a
full-blown NTP server. Remove it for now, it will be replaced by
a custom check which monitors the output of "timedatectl status".

Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8
---
M modules/standard/manifests/ntp/timesyncd.pp
1 file changed, 0 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/11/330411/1

diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
index 9bf4a6b..50b3958 100644
--- a/modules/standard/manifests/ntp/timesyncd.pp
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -32,13 +32,5 @@
 provider => systemd,
 enable   => true,
 }
-
-monitoring::service { 'ntp':
-description=> 'NTP',
-check_command  => 'check_ntp_time!0.5!1',
-check_interval => 30,
-retry_interval => 15,
-}
-
 }
 

-- 
To view, visit https://gerrit.wikimedia.org/r/330411
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1d78fc44087af0d6280f84c13e2f1f163afb97e8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Purge ntp package when using systemd-timesyncd

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330402 )

Change subject: Purge ntp package when using systemd-timesyncd
..


Purge ntp package when using systemd-timesyncd

Only removing the package with "absent" leaves various conffiles around,
which is irritating and will lead to cron spam:

jmm@multatuli:~$ dpkg -l ntp
(..)
rc  ntp  1:4.2.6.p5+dfsg-7+deb8u amd64  
 Network Time Protocol daemon and utility programs

jmm@multatuli:~$ dpkg -L ntp
/etc
/etc/dhcp
/etc/dhcp/dhclient-exit-hooks.d
/etc/dhcp/dhclient-exit-hooks.d/ntp
/etc/ntp.conf
/etc/cron.daily
/etc/cron.daily/ntp
/etc/init.d
/etc/init.d/ntp
/etc/default
/etc/default/ntp
/var
/var/lib
/var/lib/ntp

Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01
---
M modules/standard/manifests/ntp/timesyncd.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
index 9d20ff1..9bf4a6b 100644
--- a/modules/standard/manifests/ntp/timesyncd.pp
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -6,7 +6,7 @@
 require standard::ntp
 
 package { 'ntp':
-ensure => absent,
+ensure => purged,
 }
 
 $wmf_peers = $::standard::ntp::wmf_peers
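
Review bot: The reason for "ensure => purged" on the ntp package resource
lives only in the commit message. A one-line comment above the resource
saying that "absent" leaves conffiles such as /etc/cron.daily/ntp behind
would keep someone from changing it back later. Note also that purging
deletes /etc/ntp.conf, so a host that is later moved back to ntpd starts
from the packaged or Puppet-managed configuration, not its previous one.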

-- 
To view, visit https://gerrit.wikimedia.org/r/330402
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Ema 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Switch swift in esams to systemd-timesyncd

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330404 )

Change subject: Switch swift in esams to systemd-timesyncd
..

Switch swift in esams to systemd-timesyncd

Test-drive systemd-timesyncd on some selected servers; the swift
servers in esams are all jessie and non-critical.

Bug: T150257

Change-Id: I40fa61da2e5048c8e4ba015011604ffa914c5b45
---
M hieradata/esams/swift/proxy.yaml
A hieradata/esams/swift/storage.yaml
2 files changed, 2 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/04/330404/1

diff --git a/hieradata/esams/swift/proxy.yaml b/hieradata/esams/swift/proxy.yaml
index eb7ef99..9e2d4f8 100644
--- a/hieradata/esams/swift/proxy.yaml
+++ b/hieradata/esams/swift/proxy.yaml
@@ -4,3 +4,4 @@
   'ms-fe3002.esams.wmnet:11211'
 # no trailing comma!
 ]
+use_timesyncd: true
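
Review bot: "use_timesyncd: true" in proxy.yaml is role-level hieradata,
so it applies to every host that carries this role in esams, including
ones added later; nothing in the file records the "all jessie and
non-critical" assumption from the commit message. I'd add a comment next
to the key stating that this is a trial setting and which task tracks it,
so it is not copied to other sites or roles by accident.
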
diff --git a/hieradata/esams/swift/storage.yaml 
b/hieradata/esams/swift/storage.yaml
new file mode 100644
index 000..832a86c
--- /dev/null
+++ b/hieradata/esams/swift/storage.yaml
@@ -0,0 +1 @@
+use_timesyncd: true

-- 
To view, visit https://gerrit.wikimedia.org/r/330404
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I40fa61da2e5048c8e4ba015011604ffa914c5b45
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Purge ntp package when using systemd-timesyncd

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330402 )

Change subject: Purge ntp package when using systemd-timesyncd
..

Purge ntp package when using systemd-timesyncd

Only removing the package with "absent" leaves various conffiles around,
which is irritating and will lead to cron spam:

jmm@multatuli:~$ dpkg -l ntp
(..)
rc  ntp  1:4.2.6.p5+dfsg-7+deb8u amd64  
 Network Time Protocol daemon and utility programs

jmm@multatuli:~$ dpkg -L ntp
/etc
/etc/dhcp
/etc/dhcp/dhclient-exit-hooks.d
/etc/dhcp/dhclient-exit-hooks.d/ntp
/etc/ntp.conf
/etc/cron.daily
/etc/cron.daily/ntp
/etc/init.d
/etc/init.d/ntp
/etc/default
/etc/default/ntp
/var
/var/lib
/var/lib/ntp

Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01
---
M modules/standard/manifests/ntp/timesyncd.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/02/330402/1

diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
index 9d20ff1..9bf4a6b 100644
--- a/modules/standard/manifests/ntp/timesyncd.pp
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -6,7 +6,7 @@
 require standard::ntp
 
 package { 'ntp':
-ensure => absent,
+ensure => purged,
 }
 
 $wmf_peers = $::standard::ntp::wmf_peers

-- 
To view, visit https://gerrit.wikimedia.org/r/330402
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I73a7fa31159238ae3488ce0632ee99bd5f7ada01
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable systemd-timesyncd on multatuli

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330400 )

Change subject: Enable systemd-timesyncd on multatuli
..


Enable systemd-timesyncd on multatuli

Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff
---
A hieradata/hosts/multatuli.yaml
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/hosts/multatuli.yaml b/hieradata/hosts/multatuli.yaml
new file mode 100644
index 000..832a86c
--- /dev/null
+++ b/hieradata/hosts/multatuli.yaml
@@ -0,0 +1 @@
+use_timesyncd: true

-- 
To view, visit https://gerrit.wikimedia.org/r/330400
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable systemd-timesyncd on multatuli

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330400 )

Change subject: Enable systemd-timesyncd on multatuli
..

Enable systemd-timesyncd on multatuli

Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff
---
A hieradata/hosts/multatuli.yaml
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/00/330400/1

diff --git a/hieradata/hosts/multatuli.yaml b/hieradata/hosts/multatuli.yaml
new file mode 100644
index 000..832a86c
--- /dev/null
+++ b/hieradata/hosts/multatuli.yaml
@@ -0,0 +1 @@
+use_timesyncd: true

-- 
To view, visit https://gerrit.wikimedia.org/r/330400
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5928caaa5e2632e99a4a71129f7297dc7e3bcfff
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Make systemd-timesyncd available as an alternative time sync...

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/322279 )

Change subject: Make systemd-timesyncd available as an alternative time 
synchronisation provider
..


Make systemd-timesyncd available as an alternative time synchronisation provider

We don't need any of ntp's advanced features on the clients and we've
run into a fair share of runtime bugs (like failing to restart properly
or various cases where ntp failed to start after a reboot (it gets
stuck in interface activation/XFAC)).

This patch adds a Hiera-configurable class to use systemd-timesyncd
instead. systemd-timesyncd is shipped as part of the standard systemd
package. It is configured via the timedatectl tool.

We can then enable this for a subset of jessie servers and if it proves to
be more reliable than ntpd in practice, move all jessie systems to it.

Bug: T150257
Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95
---
A modules/base/templates/timesyncd.conf.erb
M modules/standard/manifests/init.pp
A modules/standard/manifests/ntp/timesyncd.pp
3 files changed, 59 insertions(+), 2 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Filippo Giunchedi: Looks good to me, but someone else must approve



diff --git a/modules/base/templates/timesyncd.conf.erb 
b/modules/base/templates/timesyncd.conf.erb
new file mode 100644
index 000..2cd2fab
--- /dev/null
+++ b/modules/base/templates/timesyncd.conf.erb
@@ -0,0 +1,7 @@
+## THIS FILE IS MANAGED BY PUPPET
+#
+# See timesyncd.conf(5) for details.
+
+[Time]
+NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%>
+<% end %>
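
Review bot: On the NTP= line, @ntp_servers[@site] is nil for any site
that has no key in the $ntp_servers hash (timesyncd.pp defines only eqiad,
codfw, esams and ulsfo), and calling .sort on nil aborts the template with
a NoMethodError instead of a readable message. I'd fail explicitly in the
class when the site is unknown, or fall back to a default list. Minor: the
loop emits a space before every server, including the first one after
"NTP="; a single output tag with .sort.join(' ') would be tidier.
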
diff --git a/modules/standard/manifests/init.pp 
b/modules/standard/manifests/init.pp
index c03d90e..98ec8ff 100644
--- a/modules/standard/manifests/init.pp
+++ b/modules/standard/manifests/init.pp
@@ -9,8 +9,14 @@
 include ::base
 include ::standard::ntp
 
-unless $::fqdn in $::standard::ntp::wmf_peers[$::site] {
-include standard::ntp::client
+if hiera('use_timesyncd', false) {
+include standard::ntp::timesyncd
+}
+else
+{
+unless $::fqdn in $::standard::ntp::wmf_peers[$::site] {
+include standard::ntp::client
+}
 }
 
 include ::standard::diamond
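
Review bot: The new "if hiera('use_timesyncd', false)" branch is not
covered by the "unless $::fqdn in $::standard::ntp::wmf_peers[$::site]"
guard that the else branch keeps. If use_timesyncd is set for one of the
NTP peers, directly or through role-level hieradata, the host gets
standard::ntp::timesyncd and with it the removal of the ntp package. I'd
keep the peer check outermost, or fail() when both conditions apply.
Style: "else" and its opening brace belong on the line of the closing
brace of the if block ("} else {").
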
diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
new file mode 100644
index 000..9d20ff1
--- /dev/null
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -0,0 +1,44 @@
+# == Class standard::ntp::timesyncd
+#
+# Setup clock synchronisation using systemd-timesyncd
+class standard::ntp::timesyncd () {
+requires_os('debian >= jessie')
+require standard::ntp
+
+package { 'ntp':
+ensure => absent,
+}
+
+$wmf_peers = $::standard::ntp::wmf_peers
+# This maps the servers that regular clients use
+$ntp_servers = {
+eqiad => concat($wmf_peers['eqiad'], $wmf_peers['codfw']),
+codfw => concat($wmf_peers['eqiad'], $wmf_peers['codfw']),
+esams => concat($wmf_peers['esams'], $wmf_peers['eqiad']),
+ulsfo => concat($wmf_peers['eqiad'], $wmf_peers['codfw']),
+}
+
+file { '/etc/systemd/timesyncd.conf':
+ensure  => present,
+mode=> '0444',
+owner   => 'root',
+group   => 'root',
+content => template('base/timesyncd.conf.erb'),
+notify  => Service['systemd-timesyncd'],
+}
+
+service { 'systemd-timesyncd':
+ensure   => running,
+provider => systemd,
+enable   => true,
+}
+
+monitoring::service { 'ntp':
+description=> 'NTP',
+check_command  => 'check_ntp_time!0.5!1',
+check_interval => 30,
+retry_interval => 15,
+}
+
+}
+
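
Review bot: The monitoring::service { 'ntp': } block at the end of the
class reuses check_ntp_time!0.5!1 from the ntpd setup. systemd-timesyncd
is an SNTP client only and does not answer NTP queries, so a check that
queries the monitored host as an NTP server cannot pass once the host is
switched; the check needs replacing before this is enabled anywhere.
Separately, nothing orders the removal of the ntp package before
Service['systemd-timesyncd'] is started; a "require => Package['ntp']" on
the service would make the hand-over deterministic.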

-- 
To view, visit https://gerrit.wikimedia.org/r/322279
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: BBlack 
Gerrit-Reviewer: Ema 
Gerrit-Reviewer: Faidon Liambotis 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Gehel 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::mediawiki::jobrunner: Restrict to domain networks

2017-01-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/320549 )

Change subject: role::mediawiki::jobrunner: Restrict to domain networks
..


role::mediawiki::jobrunner: Restrict to domain networks

We're getting rid of $INTERNAL, since it's needlessly broad. Use
$DOMAIN_NETWORKS to restrict access in production to production networks,
while still allowing using it in labs.

Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b
---
M modules/role/manifests/mediawiki/jobrunner.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Elukey: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/role/manifests/mediawiki/jobrunner.pp 
b/modules/role/manifests/mediawiki/jobrunner.pp
index e637bd6..09729bd 100644
--- a/modules/role/manifests/mediawiki/jobrunner.pp
+++ b/modules/role/manifests/mediawiki/jobrunner.pp
@@ -26,6 +26,6 @@
 proto   => 'tcp',
 port=> $::mediawiki::jobrunner::port,
 notrack => true,
-srange  => '$INTERNAL',
+srange  => '$DOMAIN_NETWORKS',
 }
 }
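
Review bot: '$DOMAIN_NETWORKS' in srange is single-quoted, so it is passed
through to ferm as a ferm variable and Puppet will not notice if it is
undefined or misspelled; the error would only show up when ferm reloads
on the host. Since the commit message relies on it resolving to different
networks in production and in labs, I'd confirm it is defined in both
realms before merging, and that no client of the jobrunner port sits
outside those networks.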

-- 
To view, visit https://gerrit.wikimedia.org/r/320549
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Elukey 
Gerrit-Reviewer: Giuseppe Lavagetto 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Enable enhanced sandbox privilege separation for sshd

2017-01-03 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330227 )

Change subject: Enable enhanced sandbox privilege separation for sshd
..

Enable enhanced sandbox privilege separation for sshd

If 'UsePrivilegeSeparation' is set to "sandbox", it additionally
enables a seccomp-based restriction for the (unprivileged)
pre-auth process.

This feature has been introduced in openssh 5.9, so even trusty
supports it (but we're using a trusty backport in precise-wikimedia
anyway)

Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a
---
M modules/ssh/templates/sshd_config.erb
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/27/330227/1

diff --git a/modules/ssh/templates/sshd_config.erb 
b/modules/ssh/templates/sshd_config.erb
index 184523d..1a6ba21 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -18,7 +18,7 @@
 HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 #Privilege Separation is turned on for security
-UsePrivilegeSeparation yes
+UsePrivilegeSeparation sandbox
 
 <%- if @disable_nist_kex -%>
 KexAlgorithms curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256
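
Review bot: "UsePrivilegeSeparation sandbox" is set unconditionally in the
template, so any host whose sshd predates the 5.9 release named in the
commit message would reject the value when the service restarts. I'd
validate the rendered file with "sshd -t" before sshd is notified, so a
bad config never replaces a working one. The comment line above the
setting ("#Privilege Separation is turned on for security") should also
say that the sandbox value adds the seccomp filter for the pre-auth
process.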

-- 
To view, visit https://gerrit.wikimedia.org/r/330227
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie08eaa561325848d311f81cf9583ef48b055c72a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: eventbus: Restrict to domain networks

2017-01-03 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328665 )

Change subject: eventbus: Restrict to domain networks
..


eventbus: Restrict to domain networks

We're getting rid of $INTERNAL, which is needlessly broad. Restrict
eventbus to $DOMAIN_NETWORKS, so that when running in production
access is restricted to production networks and when running in labs
to labs networks.

Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88
---
M modules/role/manifests/eventbus/eventbus.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Ottomata: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/role/manifests/eventbus/eventbus.pp 
b/modules/role/manifests/eventbus/eventbus.pp
index f96116c..1d1cc0a 100644
--- a/modules/role/manifests/eventbus/eventbus.pp
+++ b/modules/role/manifests/eventbus/eventbus.pp
@@ -107,7 +107,7 @@
 ferm::service { 'eventlogging-service-eventbus':
 proto  => 'tcp',
 port   => '8085',
-srange => '$INTERNAL',
+srange => '$DOMAIN_NETWORKS',
 }
 
 }

-- 
To view, visit https://gerrit.wikimedia.org/r/328665
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Elukey 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: Ottomata 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Rename ferm service in role::labs::db::replica

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328683 )

Change subject: Rename ferm service in role::labs::db::replica
..

Rename ferm service in role::labs::db::replica

Currently the ferm service uses the same name as the standard
mariadb_internal ferm service, but uses a different source
range. This is confusing when doing cluster-wide checks via
salt on ferm config settings, so rename it to mariadb_db_replica.

Change-Id: Ibd632ad0acb2702d52c56c4a342f335bacc20b4f
---
M modules/role/manifests/labs/db/replica.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/83/328683/1

diff --git a/modules/role/manifests/labs/db/replica.pp 
b/modules/role/manifests/labs/db/replica.pp
index 4408d3e..58b6713 100644
--- a/modules/role/manifests/labs/db/replica.pp
+++ b/modules/role/manifests/labs/db/replica.pp
@@ -14,7 +14,7 @@
 include role::mariadb::monitor
 include base::firewall
 
-ferm::service{ 'mariadb_internal':
+ferm::service{ 'mariadb_db_replica':
 proto   => 'tcp',
 port=> '3306',
 notrack => true,
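
Review bot: Changing the resource title from 'mariadb_internal' to
'mariadb_db_replica' only creates a rule under the new name. Whether the
rule generated for the old title is removed from the replica hosts depends
on the ferm module purging files it no longer manages, which this hunk
does not show; please confirm that, otherwise the old rule stays active
next to the new one. A short comment on the resource explaining why its
source range differs from the standard mariadb_internal service would
also help the cluster-wide checks mentioned in the commit message.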

-- 
To view, visit https://gerrit.wikimedia.org/r/328683
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibd632ad0acb2702d52c56c4a342f335bacc20b4f
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: eventbus: Restrict to domain networks

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328665 )

Change subject: eventbus: Restrict to domain networks
..

eventbus: Restrict to domain networks

We're getting rid of $INTERNAL, which is needlessly broad. Restrict
eventbus to $DOMAIN_NETWORKS, so that when running in production
access is restricted to production networks and when running in labs
to labs networks.

Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88
---
M modules/role/manifests/eventbus/eventbus.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/65/328665/1

diff --git a/modules/role/manifests/eventbus/eventbus.pp 
b/modules/role/manifests/eventbus/eventbus.pp
index f96116c..1d1cc0a 100644
--- a/modules/role/manifests/eventbus/eventbus.pp
+++ b/modules/role/manifests/eventbus/eventbus.pp
@@ -107,7 +107,7 @@
 ferm::service { 'eventlogging-service-eventbus':
 proto  => 'tcp',
 port   => '8085',
-srange => '$INTERNAL',
+srange => '$DOMAIN_NETWORKS',
 }
 
 }

-- 
To view, visit https://gerrit.wikimedia.org/r/328665
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie9bcce8f47d1aac93e1c49684bddc67b88d29f88
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: hive/metastore: Restrict to analytics networks

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328664 )

Change subject: hive/metastore: Restrict to analytics networks
..

hive/metastore: Restrict to analytics networks

We're getting rid of $INTERNAL, which is needlessly broad. Restrict to the
analytics networks instead.

Change-Id: I4aa19b599452d7577a72fe733263fe56a3a90c11
---
M modules/role/manifests/analytics_cluster/hive/metastore.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/64/328664/1

diff --git a/modules/role/manifests/analytics_cluster/hive/metastore.pp 
b/modules/role/manifests/analytics_cluster/hive/metastore.pp
index 9ba7b3c..475ef88 100644
--- a/modules/role/manifests/analytics_cluster/hive/metastore.pp
+++ b/modules/role/manifests/analytics_cluster/hive/metastore.pp
@@ -13,7 +13,7 @@
 ferm::service{ 'hive_metastore':
 proto  => 'tcp',
 port   => '9083',
-srange => '$INTERNAL',
+srange => '$ANALYTICS_NETWORKS',
 }
 
 # Include icinga alerts if production realm.
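
Review bot: The trailing context line "# Include icinga alerts if
production realm." shows that this class is also applied outside
production, yet the new srange names one specific set of networks,
'$ANALYTICS_NETWORKS', where the sibling changes use '$DOMAIN_NETWORKS'
precisely to keep labs working. Please confirm the variable also covers
the labs clients of the metastore on port 9083, or select the range per
realm.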

-- 
To view, visit https://gerrit.wikimedia.org/r/328664
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4aa19b599452d7577a72fe733263fe56a3a90c11
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: yarn web ui: Restrict to analytics networks

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328654 )

Change subject: yarn web ui: Restrict to analytics networks
..

yarn web ui: Restrict to analytics networks

$INTERNAL is too broad and scheduled for removal, restrict to the
analytics networks.

Change-Id: Ieb6590d5e2d7f24f14c1218ac6aa0094575bcb93
---
M modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/54/328654/1

diff --git 
a/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp 
b/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp
index 9b191a2..e69f758 100644
--- a/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp
+++ b/modules/role/manifests/analytics_cluster/hadoop/ferm/resourcemanager.pp
@@ -29,7 +29,7 @@
 ferm::service{ 'hadoop-yarn-resourcemanager-http-ui':
 proto  => 'tcp',
 port   => '8088',
-srange => '$INTERNAL',
+srange => '$ANALYTICS_NETWORKS',
 }
 
 ferm::service{ 'hadoop-mapreduce-historyserver':

-- 
To view, visit https://gerrit.wikimedia.org/r/328654
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ieb6590d5e2d7f24f14c1218ac6aa0094575bcb93
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update date in changelog for build

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328650 )

Change subject: Update date in changelog for build
..


Update date in changelog for build

Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd
---
M debian/changelog
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index f22bea7..4dbf400 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -42,7 +42,7 @@
   * Update to 4.4.39:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39
 
- -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
+ -- Moritz Muehlenhoff   Tue, 22 Dec 2016 11:51:45 
+0100
 
 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium
 
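
Review bot: The new trailer line reads "Tue, 22 Dec 2016", but 22 December
2016 was a Thursday; the line it replaces (Tue, 15 Nov 2016) was
consistent. The changelog trailer is an RFC 5322 style date, and tools
that parse it may warn about or reject a weekday that does not match.
Generating the line with "dch -r" or "date -R" instead of editing it by
hand avoids this.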

-- 
To view, visit https://gerrit.wikimedia.org/r/328650
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update date in changelog for build

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328650 )

Change subject: Update date in changelog for build
..

Update date in changelog for build

Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd
---
M debian/changelog
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/50/328650/1

diff --git a/debian/changelog b/debian/changelog
index f22bea7..4dbf400 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -42,7 +42,7 @@
   * Update to 4.4.39:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39
 
- -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
+ -- Moritz Muehlenhoff   Tue, 22 Dec 2016 11:51:45 
+0100
 
 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium
 

-- 
To view, visit https://gerrit.wikimedia.org/r/328650
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I4dd5cb66818a28ee21d02ed446e21ef99391d0cd
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.39

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328649 )

Change subject: Update to 4.4.39
..


Update to 4.4.39

Change-Id: Ice952e652eec0d3d4616fddb7ffe6e23c32e3e11
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.37.patch
A debian/patches/bugfix/all/stable-4.4.38.patch
A debian/patches/bugfix/all/stable-4.4.39.patch
M debian/patches/series
5 files changed, 1,909 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index e6e59bc..f22bea7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -39,6 +39,8 @@
 - CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c]
 - CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0]
 - CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290]
+  * Update to 4.4.39:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/bugfix/all/stable-4.4.37.patch 
b/debian/patches/bugfix/all/stable-4.4.37.patch
new file mode 100644
index 000..c41e2df
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.37.patch
@@ -0,0 +1,377 @@
+diff --git a/Makefile b/Makefile
+index 705eb9e38fce..b57ec79b4941 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 36
++SUBLEVEL = 37
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h
+index 08e7e2a16ac1..a36e8601114d 100644
+--- a/arch/arc/include/asm/delay.h
 b/arch/arc/include/asm/delay.h
+@@ -22,10 +22,11 @@
+ static inline void __delay(unsigned long loops)
+ {
+   __asm__ __volatile__(
+-  "   lp  1f  \n"
+-  "   nop \n"
+-  "1: \n"
+-  : "+l"(loops));
++  "   mov lp_count, %0\n"
++  "   lp  1f  \n"
++  "   nop \n"
++  "1: \n"
++  : : "r"(loops));
+ }
+ 
+ extern void __bad_udelay(void);
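Review bot: the rewritten asm in `__delay()` now writes `lp_count` itself with `mov lp_count, %0`, but the operand list ends at the input `"r"(loops)` and declares no clobber, so the compiler is never told that the loop-count register changes. The old `"+l"(loops)` form expressed that through a read-write operand. Add `lp_count` to the clobber list, or check whether upstream carries a follow-up that does.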
+diff --git a/arch/arm64/include/asm/cpufeature.h 
b/arch/arm64/include/asm/cpufeature.h
+index 8136afc9df0d..8884b5d5f48c 100644
+--- a/arch/arm64/include/asm/cpufeature.h
 b/arch/arm64/include/asm/cpufeature.h
+@@ -77,7 +77,7 @@ struct arm64_cpu_capabilities {
+   const char *desc;
+   u16 capability;
+   bool (*matches)(const struct arm64_cpu_capabilities *);
+-  void (*enable)(void *); /* Called on all active CPUs */
++  int (*enable)(void *);  /* Called on all active CPUs */
+   union {
+   struct {/* To be used for erratum handling only */
+   u32 midr_model;
+diff --git a/arch/arm64/include/asm/processor.h 
b/arch/arm64/include/asm/processor.h
+index 4acb7ca94fcd..d08559528927 100644
+--- a/arch/arm64/include/asm/processor.h
 b/arch/arm64/include/asm/processor.h
+@@ -186,6 +186,6 @@ static inline void spin_lock_prefetch(const void *x)
+ 
+ #endif
+ 
+-void cpu_enable_pan(void *__unused);
++int cpu_enable_pan(void *__unused);
+ 
+ #endif /* __ASM_PROCESSOR_H */
+diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
+index 0669c63281ea..2735bf814592 100644
+--- a/arch/arm64/kernel/cpufeature.c
 b/arch/arm64/kernel/cpufeature.c
+@@ -19,7 +19,9 @@
+ #define pr_fmt(fmt) "CPU features: " fmt
+ 
+ #include 
++#include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -764,7 +766,13 @@ static void enable_cpu_capabilities(const struct 
arm64_cpu_capabilities *caps)
+ 
+   for (i = 0; caps[i].desc; i++)
+   if (caps[i].enable && cpus_have_cap(caps[i].capability))
+-  on_each_cpu(caps[i].enable, NULL, true);
++  /*
++   * Use stop_machine() as it schedules the work allowing
++   * us to modify PSTATE, instead of on_each_cpu() which
++   * uses an IPI, giving us a PSTATE that disappears when
++   * we return.
++   */
++  stop_machine(caps[i].enable, NULL, cpu_online_mask);
+ }
+ 
+ #ifdef CONFIG_HOTPLUG_CPU
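Review bot: in the `enable_cpu_capabilities()` loop the result of `stop_machine(caps[i].enable, NULL, cpu_online_mask)` is dropped, even though this same patch changes `enable` to return `int`, so a failing callback would go unnoticed. Check the return value and at least log it together with the capability's `desc`. The added block comment also sits inside an unbraced `if` under an unbraced `for`; braces around both bodies would make the nesting safer to edit.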
+diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c
+index 1095aa483a1c..00c1372bf57b 100644
+--- a/arch/arm64/kernel/suspend.c
 b/arch/arm64/kernel/suspend.c
+@@ -1,7 +1,9 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -111,6 +113,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned 
long))
+   set_my_cpu_offset(per_cpu_offset(smp_processor_id()));
+ 
+   /*
++   * PSTATE was not saved over suspend/resume, re-enable any
++   * detected features that might not have been set 

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.39

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328649 )

Change subject: Update to 4.4.39
..

Update to 4.4.39

Change-Id: Ice952e652eec0d3d4616fddb7ffe6e23c32e3e11
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.37.patch
A debian/patches/bugfix/all/stable-4.4.38.patch
A debian/patches/bugfix/all/stable-4.4.39.patch
M debian/patches/series
5 files changed, 1,909 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/49/328649/1

diff --git a/debian/changelog b/debian/changelog
index e6e59bc..f22bea7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -39,6 +39,8 @@
 - CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c]
 - CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0]
 - CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290]
+  * Update to 4.4.39:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.39
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
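Review bot: the added `Update to 4.4.39` entry and the commit subject mention only 4.4.39, while the file list of this change also creates stable-4.4.37.patch and stable-4.4.38.patch. Say in the commit message that the patch files for the two earlier updates land here, so the history explains why those versions' `series` entries and their patch files are in different commits.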
diff --git a/debian/patches/bugfix/all/stable-4.4.37.patch 
b/debian/patches/bugfix/all/stable-4.4.37.patch
new file mode 100644
index 000..c41e2df
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.37.patch
@@ -0,0 +1,377 @@
+diff --git a/Makefile b/Makefile
+index 705eb9e38fce..b57ec79b4941 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 36
++SUBLEVEL = 37
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/arc/include/asm/delay.h b/arch/arc/include/asm/delay.h
+index 08e7e2a16ac1..a36e8601114d 100644
+--- a/arch/arc/include/asm/delay.h
 b/arch/arc/include/asm/delay.h
+@@ -22,10 +22,11 @@
+ static inline void __delay(unsigned long loops)
+ {
+   __asm__ __volatile__(
+-  "   lp  1f  \n"
+-  "   nop \n"
+-  "1: \n"
+-  : "+l"(loops));
++  "   mov lp_count, %0\n"
++  "   lp  1f  \n"
++  "   nop \n"
++  "1: \n"
++  : : "r"(loops));
+ }
+ 
+ extern void __bad_udelay(void);
+diff --git a/arch/arm64/include/asm/cpufeature.h 
b/arch/arm64/include/asm/cpufeature.h
+index 8136afc9df0d..8884b5d5f48c 100644
+--- a/arch/arm64/include/asm/cpufeature.h
 b/arch/arm64/include/asm/cpufeature.h
+@@ -77,7 +77,7 @@ struct arm64_cpu_capabilities {
+   const char *desc;
+   u16 capability;
+   bool (*matches)(const struct arm64_cpu_capabilities *);
+-  void (*enable)(void *); /* Called on all active CPUs */
++  int (*enable)(void *);  /* Called on all active CPUs */
+   union {
+   struct {/* To be used for erratum handling only */
+   u32 midr_model;
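Review bot: the `enable` member changes from `void (*)(void *)` to `int (*)(void *)`, but its comment still says only "Called on all active CPUs". Document what the return value means (presumably 0 on success) so that implementers such as `cpu_enable_pan()` return something consistent.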
+diff --git a/arch/arm64/include/asm/processor.h 
b/arch/arm64/include/asm/processor.h
+index 4acb7ca94fcd..d08559528927 100644
+--- a/arch/arm64/include/asm/processor.h
 b/arch/arm64/include/asm/processor.h
+@@ -186,6 +186,6 @@ static inline void spin_lock_prefetch(const void *x)
+ 
+ #endif
+ 
+-void cpu_enable_pan(void *__unused);
++int cpu_enable_pan(void *__unused);
+ 
+ #endif /* __ASM_PROCESSOR_H */
+diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
+index 0669c63281ea..2735bf814592 100644
+--- a/arch/arm64/kernel/cpufeature.c
 b/arch/arm64/kernel/cpufeature.c
+@@ -19,7 +19,9 @@
+ #define pr_fmt(fmt) "CPU features: " fmt
+ 
+ #include 
++#include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -764,7 +766,13 @@ static void enable_cpu_capabilities(const struct 
arm64_cpu_capabilities *caps)
+ 
+   for (i = 0; caps[i].desc; i++)
+   if (caps[i].enable && cpus_have_cap(caps[i].capability))
+-  on_each_cpu(caps[i].enable, NULL, true);
++  /*
++   * Use stop_machine() as it schedules the work allowing
++   * us to modify PSTATE, instead of on_each_cpu() which
++   * uses an IPI, giving us a PSTATE that disappears when
++   * we return.
++   */
++  stop_machine(caps[i].enable, NULL, cpu_online_mask);
+ }
+ 
+ #ifdef CONFIG_HOTPLUG_CPU
+diff --git a/arch/arm64/kernel/suspend.c b/arch/arm64/kernel/suspend.c
+index 1095aa483a1c..00c1372bf57b 100644
+--- a/arch/arm64/kernel/suspend.c
 b/arch/arm64/kernel/suspend.c
+@@ -1,7 +1,9 @@
+ #include 
+ #include 
+ #include 
++#include 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -111,6 +113,13 @@ int cpu_suspend(unsigned long arg, int (*fn)(unsigned 
long))
+   set_my_cpu_offset(per_cpu_offset(smp_processor_id()));
+ 
+   /*
++   * PSTATE was not saved over suspend/resume, re-enable any
++   * detected features that might not have been 

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.38

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328634 )

Change subject: Update to 4.4.38
..


Update to 4.4.38

Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8
---
M debian/changelog
M debian/patches/series
2 files changed, 7 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index a59f197..e6e59bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,12 @@
   * Update to 4.4.37:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37
 - CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4]
+  * Update to 4.4.38:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.38
+- CVE-2016-8399 [0eab121ef8750a5c8637d51534d5e9143fb0633f]
+- CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c]
+- CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0]
+- CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/series b/debian/patches/series
index 02a82f7..6af421a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,3 +138,4 @@
 bugfix/all/stable-4.4.35.patch
 bugfix/all/stable-4.4.36.patch
 bugfix/all/stable-4.4.37.patch
+bugfix/all/stable-4.4.38.patch
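Review bot: the new `series` line names bugfix/all/stable-4.4.38.patch, but this change touches only debian/changelog and debian/patches/series (2 files changed); the patch file itself is created only in the later "Update to 4.4.39" change. Applying the series fails on an entry whose file is missing, so the tree cannot be built at this commit. Add the patch file in the same change as its `series` entry.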

-- 
To view, visit https://gerrit.wikimedia.org/r/328634

Gerrit-MessageType: merged
Gerrit-Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.38

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328634 )

Change subject: Update to 4.4.38
..

Update to 4.4.38

Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8
---
M debian/changelog
M debian/patches/series
2 files changed, 7 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/34/328634/1

diff --git a/debian/changelog b/debian/changelog
index a59f197..e6e59bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,12 @@
   * Update to 4.4.37:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37
 - CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4]
+  * Update to 4.4.38:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.38
+- CVE-2016-8399 [0eab121ef8750a5c8637d51534d5e9143fb0633f]
+- CVE-2016-8655 [84ac7260236a49c79eede91617700174c2c19b0c]
+- CVE-2016-9576 [a0ac402cfcdc904f9772e1762b3fda112dcc56a0]
+- CVE-2016-9793 [b98b0bc8c431e3ceb4b26b0dfc8db509518fb290]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/series b/debian/patches/series
index 02a82f7..6af421a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -138,3 +138,4 @@
 bugfix/all/stable-4.4.35.patch
 bugfix/all/stable-4.4.36.patch
 bugfix/all/stable-4.4.37.patch
+bugfix/all/stable-4.4.38.patch

-- 
To view, visit https://gerrit.wikimedia.org/r/328634

Gerrit-MessageType: newchange
Gerrit-Change-Id: I21adc193c92284928a6d3ea1eef846343c425fd8
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.37

2016-12-22 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328633 )

Change subject: Update to 4.4.37
..


Update to 4.4.37

Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6
---
M debian/changelog
M debian/patches/series
2 files changed, 5 insertions(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index 8ff6384..a59f197 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,9 +27,12 @@
   * Update to 4.4.35:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
   * Update to 4.4.36:
-https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.36
 - CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073]
 - CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c]
+  * Update to 4.4.37:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37
+- CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
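Review bot: the first edit in this hunk corrects the ChangeLog link under `Update to 4.4.36` from `ChangeLog-4.4.35` to `ChangeLog-4.4.36`, which the commit message ("Update to 4.4.37") does not mention. Note the fix in the commit message, or split it out, so the correction can be found later.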
diff --git a/debian/patches/series b/debian/patches/series
index d8b7463..02a82f7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,3 +137,4 @@
 bugfix/all/stable-4.4.34.patch
 bugfix/all/stable-4.4.35.patch
 bugfix/all/stable-4.4.36.patch
+bugfix/all/stable-4.4.37.patch

-- 
To view, visit https://gerrit.wikimedia.org/r/328633

Gerrit-MessageType: merged
Gerrit-Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.37

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328633 )

Change subject: Update to 4.4.37
..

Update to 4.4.37

Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6
---
M debian/changelog
M debian/patches/series
2 files changed, 5 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/33/328633/1

diff --git a/debian/changelog b/debian/changelog
index 8ff6384..a59f197 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,9 +27,12 @@
   * Update to 4.4.35:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
   * Update to 4.4.36:
-https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.36
 - CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073]
 - CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c]
+  * Update to 4.4.37:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.37
+- CVE-2016-9794 [3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/series b/debian/patches/series
index d8b7463..02a82f7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,3 +137,4 @@
 bugfix/all/stable-4.4.34.patch
 bugfix/all/stable-4.4.35.patch
 bugfix/all/stable-4.4.36.patch
+bugfix/all/stable-4.4.37.patch
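Review bot: `bugfix/all/stable-4.4.37.patch` is added to `series` here, yet the file list for this change has only debian/changelog and debian/patches/series, so the CVE-2016-9794 line added to the changelog describes a fix that is not yet in the tree. Commit the patch file together with this entry rather than in a later change.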

-- 
To view, visit https://gerrit.wikimedia.org/r/328633

Gerrit-MessageType: newchange
Gerrit-Change-Id: I78d2581a5b53f54d1e32eb3a1f5c48ae3ca364f6
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.36

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328546 )

Change subject: Update to 4.4.36
..


Update to 4.4.36

Change-Id: I03efd5d914cc2624723b3a906284ec9b55b3f58b
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.36.patch
M debian/patches/series
3 files changed, 919 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index 9028944..8ff6384 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,10 @@
 - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc]
   * Update to 4.4.35:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
+  * Update to 4.4.36:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
+- CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073]
+- CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
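Review bot: the link added under `Update to 4.4.36` points to `ChangeLog-4.4.35`, the same URL as the entry directly above it, which looks like a copy-paste slip. It should be `https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.36`.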
diff --git a/debian/patches/bugfix/all/stable-4.4.36.patch 
b/debian/patches/bugfix/all/stable-4.4.36.patch
new file mode 100644
index 000..0db6e38
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.36.patch
@@ -0,0 +1,914 @@
+diff --git a/Makefile b/Makefile
+index f88830af1533..705eb9e38fce 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 35
++SUBLEVEL = 36
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
+index cda6dbbe9842..fd5979f28ada 100644
+--- a/arch/parisc/kernel/cache.c
 b/arch/parisc/kernel/cache.c
+@@ -351,6 +351,7 @@ void __init parisc_setup_cache_timing(void)
+ {
+   unsigned long rangetime, alltime;
+   unsigned long size, start;
++  unsigned long threshold;
+ 
+   alltime = mfctl(16);
+   flush_data_cache();
+@@ -364,17 +365,12 @@ void __init parisc_setup_cache_timing(void)
+   printk(KERN_DEBUG "Whole cache flush %lu cycles, flushing %lu bytes %lu 
cycles\n",
+   alltime, size, rangetime);
+ 
+-  /* Racy, but if we see an intermediate value, it's ok too... */
+-  parisc_cache_flush_threshold = size * alltime / rangetime;
+-
+-  parisc_cache_flush_threshold = 
L1_CACHE_ALIGN(parisc_cache_flush_threshold);
+-  if (!parisc_cache_flush_threshold)
+-  parisc_cache_flush_threshold = FLUSH_THRESHOLD;
+-
+-  if (parisc_cache_flush_threshold > cache_info.dc_size)
+-  parisc_cache_flush_threshold = cache_info.dc_size;
+-
+-  printk(KERN_INFO "Setting cache flush threshold to %lu kB\n",
++  threshold = L1_CACHE_ALIGN(size * alltime / rangetime);
++  if (threshold > cache_info.dc_size)
++  threshold = cache_info.dc_size;
++  if (threshold)
++  parisc_cache_flush_threshold = threshold;
++  printk(KERN_INFO "Cache flush threshold set to %lu KiB\n",
+   parisc_cache_flush_threshold/1024);
+ 
+   /* calculate TLB flush threshold */
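Review bot: with the `FLUSH_THRESHOLD` fallback removed, a computed `threshold` of 0 now leaves `parisc_cache_flush_threshold` at whatever it held before, and the `printk` still reports that value as "set to". These lines do not show where the earlier value comes from, so a short comment naming the default being kept would help. No guard against `rangetime` being 0 is visible in this hunk either, before or after the change.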
+@@ -383,7 +379,7 @@ void __init parisc_setup_cache_timing(void)
+   flush_tlb_all();
+   alltime = mfctl(16) - alltime;
+ 
+-  size = PAGE_SIZE;
++  size = 0;
+   start = (unsigned long) _text;
+   rangetime = mfctl(16);
+   while (start < (unsigned long) _end) {
+@@ -396,13 +392,10 @@ void __init parisc_setup_cache_timing(void)
+   printk(KERN_DEBUG "Whole TLB flush %lu cycles, flushing %lu bytes %lu 
cycles\n",
+   alltime, size, rangetime);
+ 
+-  parisc_tlb_flush_threshold = size * alltime / rangetime;
+-  parisc_tlb_flush_threshold *= num_online_cpus();
+-  parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold);
+-  if (!parisc_tlb_flush_threshold)
+-  parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD;
+-
+-  printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n",
++  threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);
++  if (threshold)
++  parisc_tlb_flush_threshold = threshold;
++  printk(KERN_INFO "TLB flush threshold set to %lu KiB\n",
+   parisc_tlb_flush_threshold/1024);
+ }
+ 
+diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
+index b743a80eaba0..675521919229 100644
+--- a/arch/parisc/kernel/pacache.S
 b/arch/parisc/kernel/pacache.S
+@@ -96,7 +96,7 @@ fitmanyloop: /* Loop if LOOP 
>= 2 */
+ 
+ fitmanymiddle:/* Loop if LOOP >= 2 */
+   addib,COND(>)   -1, %r31, fitmanymiddle /* Adjusted inner loop 
decr */
+-  pitlbe  0(%sr1, %r28)
++  pitlbe  %r0(%sr1, %r28)
+   pitlbe,m%arg1(%sr1, %r28)   /* Last pitlbe and addr adjust 
*/
+   addib,COND(>)   -1, %r29, fitmanymiddle /* Middle loop decr */
+   

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.36

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328546 )

Change subject: Update to 4.4.36
..

Update to 4.4.36

Change-Id: I03efd5d914cc2624723b3a906284ec9b55b3f58b
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.36.patch
M debian/patches/series
3 files changed, 919 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/46/328546/1

diff --git a/debian/changelog b/debian/changelog
index 9028944..8ff6384 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -26,6 +26,10 @@
 - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc]
   * Update to 4.4.35:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
+  * Update to 4.4.36:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
+- CVE-2016-8650 [f5527f3f002b0a6b376163613b82f69de073]
+- CVE-2016-9756 [2117d5398c81554fbf803f5fd1dc55eb78216c0c]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/bugfix/all/stable-4.4.36.patch 
b/debian/patches/bugfix/all/stable-4.4.36.patch
new file mode 100644
index 000..0db6e38
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.36.patch
@@ -0,0 +1,914 @@
+diff --git a/Makefile b/Makefile
+index f88830af1533..705eb9e38fce 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 35
++SUBLEVEL = 36
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c
+index cda6dbbe9842..fd5979f28ada 100644
+--- a/arch/parisc/kernel/cache.c
 b/arch/parisc/kernel/cache.c
+@@ -351,6 +351,7 @@ void __init parisc_setup_cache_timing(void)
+ {
+   unsigned long rangetime, alltime;
+   unsigned long size, start;
++  unsigned long threshold;
+ 
+   alltime = mfctl(16);
+   flush_data_cache();
+@@ -364,17 +365,12 @@ void __init parisc_setup_cache_timing(void)
+   printk(KERN_DEBUG "Whole cache flush %lu cycles, flushing %lu bytes %lu 
cycles\n",
+   alltime, size, rangetime);
+ 
+-  /* Racy, but if we see an intermediate value, it's ok too... */
+-  parisc_cache_flush_threshold = size * alltime / rangetime;
+-
+-  parisc_cache_flush_threshold = 
L1_CACHE_ALIGN(parisc_cache_flush_threshold);
+-  if (!parisc_cache_flush_threshold)
+-  parisc_cache_flush_threshold = FLUSH_THRESHOLD;
+-
+-  if (parisc_cache_flush_threshold > cache_info.dc_size)
+-  parisc_cache_flush_threshold = cache_info.dc_size;
+-
+-  printk(KERN_INFO "Setting cache flush threshold to %lu kB\n",
++  threshold = L1_CACHE_ALIGN(size * alltime / rangetime);
++  if (threshold > cache_info.dc_size)
++  threshold = cache_info.dc_size;
++  if (threshold)
++  parisc_cache_flush_threshold = threshold;
++  printk(KERN_INFO "Cache flush threshold set to %lu KiB\n",
+   parisc_cache_flush_threshold/1024);
+ 
+   /* calculate TLB flush threshold */
+@@ -383,7 +379,7 @@ void __init parisc_setup_cache_timing(void)
+   flush_tlb_all();
+   alltime = mfctl(16) - alltime;
+ 
+-  size = PAGE_SIZE;
++  size = 0;
+   start = (unsigned long) _text;
+   rangetime = mfctl(16);
+   while (start < (unsigned long) _end) {
+@@ -396,13 +392,10 @@ void __init parisc_setup_cache_timing(void)
+   printk(KERN_DEBUG "Whole TLB flush %lu cycles, flushing %lu bytes %lu 
cycles\n",
+   alltime, size, rangetime);
+ 
+-  parisc_tlb_flush_threshold = size * alltime / rangetime;
+-  parisc_tlb_flush_threshold *= num_online_cpus();
+-  parisc_tlb_flush_threshold = PAGE_ALIGN(parisc_tlb_flush_threshold);
+-  if (!parisc_tlb_flush_threshold)
+-  parisc_tlb_flush_threshold = FLUSH_TLB_THRESHOLD;
+-
+-  printk(KERN_INFO "Setting TLB flush threshold to %lu kB\n",
++  threshold = PAGE_ALIGN(num_online_cpus() * size * alltime / rangetime);
++  if (threshold)
++  parisc_tlb_flush_threshold = threshold;
++  printk(KERN_INFO "TLB flush threshold set to %lu KiB\n",
+   parisc_tlb_flush_threshold/1024);
+ }
+ 
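Review bot: `num_online_cpus() * size * alltime / rangetime` now multiplies all three factors in `unsigned long` before dividing, where the old code divided first and scaled by the CPU count afterwards, so on a 32-bit build the product is more likely to wrap. Use a 64-bit intermediate for the product, or keep the CPU-count scaling after the division.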
+diff --git a/arch/parisc/kernel/pacache.S b/arch/parisc/kernel/pacache.S
+index b743a80eaba0..675521919229 100644
+--- a/arch/parisc/kernel/pacache.S
 b/arch/parisc/kernel/pacache.S
+@@ -96,7 +96,7 @@ fitmanyloop: /* Loop if LOOP 
>= 2 */
+ 
+ fitmanymiddle:/* Loop if LOOP >= 2 */
+   addib,COND(>)   -1, %r31, fitmanymiddle /* Adjusted inner loop 
decr */
+-  pitlbe  0(%sr1, %r28)
++  pitlbe  %r0(%sr1, %r28)
+   pitlbe,m%arg1(%sr1, %r28)   /* Last pitlbe and addr adjust 
*/
+   addib,COND(>)   -1, %r29, fitmanymiddle /* Middle loop decr */
+  

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.35

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328531 )

Change subject: Update to 4.4.35
..


Update to 4.4.35

Change-Id: I5479b68674df862526c0b0787d0f7ef4adc8a59b
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.35.patch
M debian/patches/series
3 files changed, 1,170 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index c159072..9028944 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,8 @@
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.34
 - CVE-2016-8645 [ac6e780070e30e4c35bd395acfe9191e6268bdd3]
 - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc]
+  * Update to 4.4.35:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/bugfix/all/stable-4.4.35.patch 
b/debian/patches/bugfix/all/stable-4.4.35.patch
new file mode 100644
index 000..f5839b2
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.35.patch
@@ -0,0 +1,1167 @@
+diff --git a/Makefile b/Makefile
+index 30924aabf1b4..f88830af1533 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 34
++SUBLEVEL = 35
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+@@ -395,11 +395,12 @@ KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes 
-Wno-trigraphs \
+  -fno-strict-aliasing -fno-common \
+  -Werror-implicit-function-declaration \
+  -Wno-format-security \
+- -std=gnu89
++ -std=gnu89 $(call cc-option,-fno-PIE)
++
+ 
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+-KBUILD_AFLAGS   := -D__ASSEMBLY__
++KBUILD_AFLAGS   := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS_MODULE  := -DMODULE
+ KBUILD_CFLAGS_MODULE  := -DMODULE
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 6cb5834062a3..e2defc7593a4 100644
+--- a/arch/x86/kernel/cpu/amd.c
 b/arch/x86/kernel/cpu/amd.c
+@@ -352,7 +352,6 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c)
+ #ifdef CONFIG_SMP
+   unsigned bits;
+   int cpu = smp_processor_id();
+-  unsigned int socket_id, core_complex_id;
+ 
+   bits = c->x86_coreid_bits;
+   /* Low order bits define the core id (index of core in socket) */
+@@ -370,10 +369,7 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c)
+if (c->x86 != 0x17 || !cpuid_edx(0x8006))
+   return;
+ 
+-  socket_id   = (c->apicid >> bits) - 1;
+-  core_complex_id = (c->apicid & ((1 << bits) - 1)) >> 3;
+-
+-  per_cpu(cpu_llc_id, cpu) = (socket_id << 3) | core_complex_id;
++  per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;
+ #endif
+ }
+ 
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 685ef431a41d..7429d481a311 100644
+--- a/arch/x86/kvm/x86.c
 b/arch/x86/kvm/x86.c
+@@ -199,7 +199,18 @@ static void kvm_on_user_return(struct 
user_return_notifier *urn)
+   struct kvm_shared_msrs *locals
+   = container_of(urn, struct kvm_shared_msrs, urn);
+   struct kvm_shared_msr_values *values;
++  unsigned long flags;
+ 
++  /*
++   * Disabling irqs at this point since the following code could be
++   * interrupted and executed through kvm_arch_hardware_disable()
++   */
++  local_irq_save(flags);
++  if (locals->registered) {
++  locals->registered = false;
++  user_return_notifier_unregister(urn);
++  }
++  local_irq_restore(flags);
+   for (slot = 0; slot < shared_msrs_global.nr; ++slot) {
+   values = >values[slot];
+   if (values->host != values->curr) {
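Review bot: the added comment says the code could be interrupted and re-entered through `kvm_arch_hardware_disable()`, but interrupts are restored before the `for` loop that restores the MSR values, so only the `registered` check and the unregister call are covered. State in the comment why the loop is safe to run with interrupts enabled, and add a blank line after `local_irq_restore(flags);` to separate the two steps.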
+@@ -207,8 +218,6 @@ static void kvm_on_user_return(struct user_return_notifier 
*urn)
+   values->curr = values->host;
+   }
+   }
+-  locals->registered = false;
+-  user_return_notifier_unregister(urn);
+ }
+ 
+ static void shared_msr_update(unsigned slot, u32 msr)
+@@ -3317,6 +3326,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+   };
+   case KVM_SET_VAPIC_ADDR: {
+   struct kvm_vapic_addr va;
++  int idx;
+ 
+   r = -EINVAL;
+   if (!lapic_in_kernel(vcpu))
+@@ -3324,7 +3334,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+   r = -EFAULT;
+   if (copy_from_user(, argp, sizeof va))
+   goto out;
++  idx = srcu_read_lock(>kvm->srcu);
+   r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
++  srcu_read_unlock(>kvm->srcu, idx);
+   break;
+   }
+   case KVM_X86_SETUP_MCE: {
+diff --git 

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.35

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328531 )

Change subject: Update to 4.4.35
..

Update to 4.4.35

Change-Id: I5479b68674df862526c0b0787d0f7ef4adc8a59b
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.35.patch
M debian/patches/series
3 files changed, 1,170 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/31/328531/1

diff --git a/debian/changelog b/debian/changelog
index c159072..9028944 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,8 @@
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.34
 - CVE-2016-8645 [ac6e780070e30e4c35bd395acfe9191e6268bdd3]
 - CVE-2015-8964 [dd42bf1197144ede075a9d4793123f7689e164bc]
+  * Update to 4.4.35:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.35
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
diff --git a/debian/patches/bugfix/all/stable-4.4.35.patch 
b/debian/patches/bugfix/all/stable-4.4.35.patch
new file mode 100644
index 000..f5839b2
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.35.patch
@@ -0,0 +1,1167 @@
+diff --git a/Makefile b/Makefile
+index 30924aabf1b4..f88830af1533 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 34
++SUBLEVEL = 35
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+@@ -395,11 +395,12 @@ KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes 
-Wno-trigraphs \
+  -fno-strict-aliasing -fno-common \
+  -Werror-implicit-function-declaration \
+  -Wno-format-security \
+- -std=gnu89
++ -std=gnu89 $(call cc-option,-fno-PIE)
++
+ 
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+-KBUILD_AFLAGS   := -D__ASSEMBLY__
++KBUILD_AFLAGS   := -D__ASSEMBLY__ $(call cc-option,-fno-PIE)
+ KBUILD_AFLAGS_MODULE  := -DMODULE
+ KBUILD_CFLAGS_MODULE  := -DMODULE
+ KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 6cb5834062a3..e2defc7593a4 100644
+--- a/arch/x86/kernel/cpu/amd.c
 b/arch/x86/kernel/cpu/amd.c
+@@ -352,7 +352,6 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c)
+ #ifdef CONFIG_SMP
+   unsigned bits;
+   int cpu = smp_processor_id();
+-  unsigned int socket_id, core_complex_id;
+ 
+   bits = c->x86_coreid_bits;
+   /* Low order bits define the core id (index of core in socket) */
+@@ -370,10 +369,7 @@ static void amd_detect_cmp(struct cpuinfo_x86 *c)
+if (c->x86 != 0x17 || !cpuid_edx(0x8006))
+   return;
+ 
+-  socket_id   = (c->apicid >> bits) - 1;
+-  core_complex_id = (c->apicid & ((1 << bits) - 1)) >> 3;
+-
+-  per_cpu(cpu_llc_id, cpu) = (socket_id << 3) | core_complex_id;
++  per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;
+ #endif
+ }
+ 
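Review bot: In the second amd_detect_cmp() hunk, `per_cpu(cpu_llc_id, cpu) = c->apicid >> 3;` leaves a bare shift of 3 with nothing to say what it encodes, now that the `socket_id` and `core_complex_id` names are gone. A one-line comment stating that the low three APIC ID bits are dropped to form the last-level-cache ID would keep the intent readable. For this import it mainly matters when someone has to debug cache topology on family 0x17 hosts.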
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 685ef431a41d..7429d481a311 100644
+--- a/arch/x86/kvm/x86.c
 b/arch/x86/kvm/x86.c
+@@ -199,7 +199,18 @@ static void kvm_on_user_return(struct 
user_return_notifier *urn)
+   struct kvm_shared_msrs *locals
+   = container_of(urn, struct kvm_shared_msrs, urn);
+   struct kvm_shared_msr_values *values;
++  unsigned long flags;
+ 
++  /*
++   * Disabling irqs at this point since the following code could be
++   * interrupted and executed through kvm_arch_hardware_disable()
++   */
++  local_irq_save(flags);
++  if (locals->registered) {
++  locals->registered = false;
++  user_return_notifier_unregister(urn);
++  }
++  local_irq_restore(flags);
+   for (slot = 0; slot < shared_msrs_global.nr; ++slot) {
+   values = >values[slot];
+   if (values->host != values->curr) {
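Review bot: In kvm_on_user_return(), the new comment and the local_irq_save()/local_irq_restore() pair cover only the `locals->registered` check and the unregister call, while the MSR restore loop that follows runs outside the irq-disabled section. The comment should add a sentence on why that loop is safe against the same kvm_arch_hardware_disable() path it names. A blank line between `local_irq_restore(flags);` and the `for` would also match the surrounding style.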
+@@ -207,8 +218,6 @@ static void kvm_on_user_return(struct user_return_notifier 
*urn)
+   values->curr = values->host;
+   }
+   }
+-  locals->registered = false;
+-  user_return_notifier_unregister(urn);
+ }
+ 
+ static void shared_msr_update(unsigned slot, u32 msr)
+@@ -3317,6 +3326,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+   };
+   case KVM_SET_VAPIC_ADDR: {
+   struct kvm_vapic_addr va;
++  int idx;
+ 
+   r = -EINVAL;
+   if (!lapic_in_kernel(vcpu))
+@@ -3324,7 +3334,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+   r = -EFAULT;
+   if (copy_from_user(, argp, sizeof va))
+   goto out;
++  idx = srcu_read_lock(>kvm->srcu);
+   r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr);
++  srcu_read_unlock(>kvm->srcu, idx);
+   break;
+   }
+   case KVM_X86_SETUP_MCE: {
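Review bot: In the KVM_SET_VAPIC_ADDR case, the new srcu_read_lock()/srcu_read_unlock() pair around `kvm_lapic_set_vapic_addr()` has no comment saying what the SRCU read side protects. The pair is balanced and there is no exit between the two calls, so the change itself reads fine; a short comment naming the protected structure would stop a later cleanup from removing the lock as redundant.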
+diff --git 

[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add snapshot::testbed to standard snapshot debdeploy group

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328523 )

Change subject: Add snapshot::testbed to standard snapshot debdeploy group
..


Add snapshot::testbed to standard snapshot debdeploy group

Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b
---
A hieradata/role/common/snapshot/testbed.yaml
1 file changed, 3 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/role/common/snapshot/testbed.yaml 
b/hieradata/role/common/snapshot/testbed.yaml
new file mode 100644
index 000..6ad3b6d
--- /dev/null
+++ b/hieradata/role/common/snapshot/testbed.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-snapshot:
+value: standard

-- 
To view, visit https://gerrit.wikimedia.org/r/328523
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add snapshot::testbed to standard snapshot debdeploy group

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328523 )

Change subject: Add snapshot::testbed to standard snapshot debdeploy group
..

Add snapshot::testbed to standard snapshot debdeploy group

Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b
---
A hieradata/role/common/snapshot/testbed.yaml
1 file changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/23/328523/1

diff --git a/hieradata/role/common/snapshot/testbed.yaml 
b/hieradata/role/common/snapshot/testbed.yaml
new file mode 100644
index 000..6ad3b6d
--- /dev/null
+++ b/hieradata/role/common/snapshot/testbed.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-snapshot:
+value: standard
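Review bot: The new `debdeploy-snapshot` grain is set to `value: standard`, which per the subject puts the testbed role in the same rollout group as the regular snapshot hosts. Other grains in modules/debdeploy/templates/debdeploy.erb use a `canary` value (`debdeploy-stat:canary`, `debdeploy-hadoop-worker:canary`); if the testbed is meant to receive package updates ahead of the production snapshot hosts, `canary` would be the better fit. If `standard` is intended, a line in the commit message saying so would help.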

-- 
To view, visit https://gerrit.wikimedia.org/r/328523
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I1069a2cc266c247a101289b1e530f5e87e76ef9b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also follow stat1001 rename in debdeploy grains

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328478 )

Change subject: Also follow stat1001 rename in debdeploy grains
..


Also follow stat1001 rename in debdeploy grains

Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad
---
M hieradata/role/common/statistics/web.yaml
M modules/debdeploy/templates/debdeploy.erb
2 files changed, 2 insertions(+), 2 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/role/common/statistics/web.yaml 
b/hieradata/role/common/statistics/web.yaml
index 4b08b5b..a247771 100644
--- a/hieradata/role/common/statistics/web.yaml
+++ b/hieradata/role/common/statistics/web.yaml
@@ -3,5 +3,5 @@
   - statistics-web-users
   - statistics-admins
 debdeploy::grains:
-  debdeploy-stat:
+  debdeploy-analytics-web:
 value: standard
diff --git a/modules/debdeploy/templates/debdeploy.erb 
b/modules/debdeploy/templates/debdeploy.erb
index c47914b..4d7ebd9 100644
--- a/modules/debdeploy/templates/debdeploy.erb
+++ b/modules/debdeploy/templates/debdeploy.erb
@@ -9,7 +9,7 @@
 misc-external-services = debdeploy-tor:standard, debdeploy-etherpad:standard, 
debdeploy-lists:standard, debdeploy-planet:standard, debdeploy-otrs:standard, 
debdeploy-ipv6relay:standard, debdeploy-people:standard, 
debdeploy-mysql-analytics:standard, debdeploy-nova-api:standard, 
debdeploy-impala:standard
 misc-monitoring = debdeploy-grafana:standard, debdeploy-syslog:standard, 
debdeploy-ganglia:standard, debdeploy-graphite:standard, 
debdeploy-labmon:standard, debdeploy-icinga:standard, 
debdeploy-prometheus:standard
 misc-virt = debdeploy-nova-control:standard, debdeploy-horizon:standard, 
debdeploy-nova-manager:standard, debdeploy-nova-api:standard, 
debdeploy-labsdns:standard, debdeploy-nodepool:standard
-misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, 
debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, 
debdeploy-impala:standard, debdeploy-spark-worker:standard, 
debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, 
debdeploy-druid:standard
+misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, 
debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, 
debdeploy-impala:standard, debdeploy-spark-worker:standard, 
debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, 
debdeploy-druid:standard, debdeploy-analytics-web:standard
 all-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, 
debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, 
debdeploy-impala:standard, debdeploy-spark-worker:standard, 
debdeploy-hadoop-worker:standard, debdeploy-hadoop-master:standard, 
debdeploy-hadoop-standby:standard, debdeploy-hadoop-worker:canary
 misc-others = debdeploy-spare:standard, debdeploy-testsystem:standard, 
debdeploy-labtest:standard, debdeploy-sectools:standard
 misc-devel = debdeploy-bugzilla:standard, debdeploy-ci:standard, 
debdeploy-releases:standard, debdeploy-ve:standard, debdeploy-irc:standard, 
debdeploy-phabricator:standard, debdeploy-gerrit:standard, 
debdeploy-archiva:standard, debdeploy-rcstream:standard, 
debdeploy-eventlogging:standard, debdeploy-deployment:standard, 
debdeploy-piwik:standard, debdeploy-zuulmerger:standard, 
debdeploy-debugproxy:standard, debdeploy-webperf:standard, 
debdeploy-oresrdb:standard

-- 
To view, visit https://gerrit.wikimedia.org/r/328478
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.33

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328510 )

Change subject: Update to 4.4.33
..


Update to 4.4.33

Change-Id: Icb8e84716a7466674d261a9f45c705c79683d374
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.33.patch
M debian/patches/series
3 files changed, 1,110 insertions(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index 9f0ee81..fd0014a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,9 +12,14 @@
   only needed for recent GGC releases and clashes with
   Debian-specific patches
   * Update to 4.4.32:
-https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.32
 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd]
 - CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6]
+  * Update to 4.4.33:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.33
+- Drop fff40ee4d224965d3fc61fa1040d7c77c20d60cc, the Intel
+  DRM changes are irrelevant to us and fixing up the patches
+  isn't really worth the trouble
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
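Review bot: The new `Update to 4.4.33` entry says fff40ee4d224965d3fc61fa1040d7c77c20d60cc was dropped, so `stable-4.4.33.patch` is no longer the unmodified upstream stable patch, but the entry does not say which files were left out. List the dropped paths in the changelog or in a header comment of the patch file, so that a later stable update touching the same Intel DRM code can be diagnosed quickly if it fails to apply.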
diff --git a/debian/patches/bugfix/all/stable-4.4.33.patch 
b/debian/patches/bugfix/all/stable-4.4.33.patch
new file mode 100644
index 000..63d5789
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.33.patch
@@ -0,0 +1,1103 @@
+diff --git a/Makefile b/Makefile
+index fba9b09a1330..a513c045c8de 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 32
++SUBLEVEL = 33
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/arc/kernel/time.c b/arch/arc/kernel/time.c
+index dfad287f1db1..dbedc576e4ca 100644
+--- a/arch/arc/kernel/time.c
 b/arch/arc/kernel/time.c
+@@ -130,14 +130,17 @@ static cycle_t arc_counter_read(struct clocksource *cs)
+   cycle_t  full;
+   } stamp;
+ 
+-
+-  __asm__ __volatile(
+-  "1: \n"
+-  "   lr  %0, [AUX_RTC_LOW]   \n"
+-  "   lr  %1, [AUX_RTC_HIGH]  \n"
+-  "   lr  %2, [AUX_RTC_CTRL]  \n"
+-  "   bbit0.nt%2, 31, 1b  \n"
+-  : "=r" (stamp.low), "=r" (stamp.high), "=r" (status));
++  /*
++   * hardware has an internal state machine which tracks readout of
++   * low/high and updates the CTRL.status if
++   *  - interrupt/exception taken between the two reads
++   *  - high increments after low has been read
++   */
++  do {
++  stamp.low = read_aux_reg(AUX_RTC_LOW);
++  stamp.high = read_aux_reg(AUX_RTC_HIGH);
++  status = read_aux_reg(AUX_RTC_CTRL);
++  } while (!(status & _BITUL(31)));
+ 
+   return stamp.full;
+ }
+diff --git a/arch/mips/include/asm/kvm_host.h 
b/arch/mips/include/asm/kvm_host.h
+index dd7cee795709..c8c04a1f1c9f 100644
+--- a/arch/mips/include/asm/kvm_host.h
 b/arch/mips/include/asm/kvm_host.h
+@@ -400,7 +400,10 @@ struct kvm_vcpu_arch {
+   /* Host KSEG0 address of the EI/DI offset */
+   void *kseg0_commpage;
+ 
+-  u32 io_gpr; /* GPR used as IO source/target */
++  /* Resume PC after MMIO completion */
++  unsigned long io_pc;
++  /* GPR used as IO source/target */
++  u32 io_gpr;
+ 
+   struct hrtimer comparecount_timer;
+   /* Count timer control KVM register */
+@@ -422,8 +425,6 @@ struct kvm_vcpu_arch {
+   /* Bitmask of pending exceptions to be cleared */
+   unsigned long pending_exceptions_clr;
+ 
+-  unsigned long pending_load_cause;
+-
+   /* Save/Restore the entryhi register when are are preempted/scheduled 
back in */
+   unsigned long preempt_entryhi;
+ 
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index 4298aeb1e20f..4c85ab808f99 100644
+--- a/arch/mips/kvm/emulate.c
 b/arch/mips/kvm/emulate.c
+@@ -1473,6 +1473,7 @@ enum emulation_result kvm_mips_emulate_load(uint32_t 
inst, uint32_t cause,
+   struct kvm_vcpu *vcpu)
+ {
+   enum emulation_result er = EMULATE_DO_MMIO;
++  unsigned long curr_pc;
+   int32_t op, base, rt, offset;
+   uint32_t bytes;
+ 
+@@ -1481,7 +1482,18 @@ enum emulation_result kvm_mips_emulate_load(uint32_t 
inst, uint32_t cause,
+   offset = inst & 0x;
+   op = (inst >> 26) & 0x3f;
+ 
+-  vcpu->arch.pending_load_cause = cause;
++  /*
++   * Find the resume PC now while we have safe and easy access to the
++   * prior branch instruction, and save it for
++   * kvm_mips_complete_mmio_load() to restore later.
++   */
++  curr_pc = vcpu->arch.pc;
++  er = update_pc(vcpu, cause);
++ 

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Fix CVE ID for exception table privilege escalation

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328507 )

Change subject: Fix CVE ID for exception table privilege escalation
..


Fix CVE ID for exception table privilege escalation

CVE-2016-9644 is for the incomplete backport which was fixed by the revert
in 4.4.30. CVE-2016-9178 is for the stable-only patch by Linus Torvalds
which ended up in 4.4.31.

Also add a reference to CVE-2016-9555, which was also fixed in 4.4.32.

Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be
---
M debian/changelog
1 file changed, 2 insertions(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index cb6c994..9f0ee81 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,7 @@
   * Update to 4.4.32:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd]
+- CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
@@ -35,7 +36,7 @@
 - CVE-2016-8666 [fac8e0f579695a3ecbc4d3cac369139d7f819971]
   * Update to 4.4.30:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.30
-- CVE-2016-9178 [1c109fabbd51863475cd12ac206bdd249aee35af]
+- CVE-2016-9644 [1c109fabbd51863475cd12ac206bdd249aee35af]
 
  -- Moritz Muehlenhoff   Thu, 04 Nov 2016 10:02:03 
+0200
 

-- 
To view, visit https://gerrit.wikimedia.org/r/328507
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.33

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328510 )

Change subject: Update to 4.4.33
..

Update to 4.4.33

Change-Id: Icb8e84716a7466674d261a9f45c705c79683d374
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.33.patch
M debian/patches/series
3 files changed, 1,234 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/10/328510/1

diff --git a/debian/changelog b/debian/changelog
index 9f0ee81..ba5841e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,9 +12,11 @@
   only needed for recent GGC releases and clashes with
   Debian-specific patches
   * Update to 4.4.32:
-https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.32
 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd]
 - CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6]
+  * Update to 4.4.33:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.33
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
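Review bot: The commit message does not mention the URL correction for the `Update to 4.4.32` entry (`ChangeLog-4.4.31` to `ChangeLog-4.4.32`) that rides along in this hunk. Add a line to the message or split the correction out, so the fix can be found in the history. The new `Update to 4.4.33` entry also lists no CVE references; if none apply to this release that is fine, but it is worth confirming against the linked upstream changelog before merging.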
diff --git a/debian/patches/bugfix/all/stable-4.4.33.patch 
b/debian/patches/bugfix/all/stable-4.4.33.patch
new file mode 100644
index 000..4a02c80
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.33.patch
@@ -0,0 +1,1230 @@
+diff --git a/Makefile b/Makefile
+index fba9b09a1330..a513c045c8de 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 32
++SUBLEVEL = 33
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/arc/kernel/time.c b/arch/arc/kernel/time.c
+index dfad287f1db1..dbedc576e4ca 100644
+--- a/arch/arc/kernel/time.c
 b/arch/arc/kernel/time.c
+@@ -130,14 +130,17 @@ static cycle_t arc_counter_read(struct clocksource *cs)
+   cycle_t  full;
+   } stamp;
+ 
+-
+-  __asm__ __volatile(
+-  "1: \n"
+-  "   lr  %0, [AUX_RTC_LOW]   \n"
+-  "   lr  %1, [AUX_RTC_HIGH]  \n"
+-  "   lr  %2, [AUX_RTC_CTRL]  \n"
+-  "   bbit0.nt%2, 31, 1b  \n"
+-  : "=r" (stamp.low), "=r" (stamp.high), "=r" (status));
++  /*
++   * hardware has an internal state machine which tracks readout of
++   * low/high and updates the CTRL.status if
++   *  - interrupt/exception taken between the two reads
++   *  - high increments after low has been read
++   */
++  do {
++  stamp.low = read_aux_reg(AUX_RTC_LOW);
++  stamp.high = read_aux_reg(AUX_RTC_HIGH);
++  status = read_aux_reg(AUX_RTC_CTRL);
++  } while (!(status & _BITUL(31)));
+ 
+   return stamp.full;
+ }
+diff --git a/arch/mips/include/asm/kvm_host.h 
b/arch/mips/include/asm/kvm_host.h
+index dd7cee795709..c8c04a1f1c9f 100644
+--- a/arch/mips/include/asm/kvm_host.h
 b/arch/mips/include/asm/kvm_host.h
+@@ -400,7 +400,10 @@ struct kvm_vcpu_arch {
+   /* Host KSEG0 address of the EI/DI offset */
+   void *kseg0_commpage;
+ 
+-  u32 io_gpr; /* GPR used as IO source/target */
++  /* Resume PC after MMIO completion */
++  unsigned long io_pc;
++  /* GPR used as IO source/target */
++  u32 io_gpr;
+ 
+   struct hrtimer comparecount_timer;
+   /* Count timer control KVM register */
+@@ -422,8 +425,6 @@ struct kvm_vcpu_arch {
+   /* Bitmask of pending exceptions to be cleared */
+   unsigned long pending_exceptions_clr;
+ 
+-  unsigned long pending_load_cause;
+-
+   /* Save/Restore the entryhi register when are are preempted/scheduled 
back in */
+   unsigned long preempt_entryhi;
+ 
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index 4298aeb1e20f..4c85ab808f99 100644
+--- a/arch/mips/kvm/emulate.c
 b/arch/mips/kvm/emulate.c
+@@ -1473,6 +1473,7 @@ enum emulation_result kvm_mips_emulate_load(uint32_t 
inst, uint32_t cause,
+   struct kvm_vcpu *vcpu)
+ {
+   enum emulation_result er = EMULATE_DO_MMIO;
++  unsigned long curr_pc;
+   int32_t op, base, rt, offset;
+   uint32_t bytes;
+ 
+@@ -1481,7 +1482,18 @@ enum emulation_result kvm_mips_emulate_load(uint32_t 
inst, uint32_t cause,
+   offset = inst & 0x;
+   op = (inst >> 26) & 0x3f;
+ 
+-  vcpu->arch.pending_load_cause = cause;
++  /*
++   * Find the resume PC now while we have safe and easy access to the
++   * prior branch instruction, and save it for
++   * kvm_mips_complete_mmio_load() to restore later.
++   */
++  curr_pc = vcpu->arch.pc;
++  er = update_pc(vcpu, cause);
++  if (er == EMULATE_FAIL)
++  return er;
++  vcpu->arch.io_pc = vcpu->arch.pc;
++  vcpu->arch.pc = curr_pc;
++
+   vcpu->arch.io_gpr = 

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Fix CVE ID for exception table privilege escalation

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328507 )

Change subject: Fix CVE ID for exception table privilege escalation
..

Fix CVE ID for exception table privilege escalation

CVE-2016-9644 is for the incomplete backport which was fixed by the revert
in 4.4.30. CVE-2016-9178 is for the stable-only patch by Linus Torvalds
which ended up in 4.4.31.

Also add a reference to CVE-2016-9555, which was also fixed in 4.4.32.

Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be
---
M debian/changelog
1 file changed, 2 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/07/328507/1

diff --git a/debian/changelog b/debian/changelog
index cb6c994..9f0ee81 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,7 @@
   * Update to 4.4.32:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
 - CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd]
+- CVE-2016-9555 [bf911e985d6bbaa328c20c3e05f4eb03de11fdd6]
 
  -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
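Review bot: The `Update to 4.4.32` entry that gains the CVE-2016-9555 line still links to `ChangeLog-4.4.31` in the context line directly below its heading. Since this change is already correcting references in that entry, fix the URL to `ChangeLog-4.4.32` here as well.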
@@ -35,7 +36,7 @@
 - CVE-2016-8666 [fac8e0f579695a3ecbc4d3cac369139d7f819971]
   * Update to 4.4.30:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.30
-- CVE-2016-9178 [1c109fabbd51863475cd12ac206bdd249aee35af]
+- CVE-2016-9644 [1c109fabbd51863475cd12ac206bdd249aee35af]
 
  -- Moritz Muehlenhoff   Thu, 04 Nov 2016 10:02:03 
+0200
 
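Review bot: After the swap to CVE-2016-9644 under `Update to 4.4.30`, nothing in this change records CVE-2016-9178, although the commit message assigns it to the patch that ended up in 4.4.31. The diffstat (2 insertions, 1 deletion) confirms that no line was added for it, so check that the 4.4.31 entry already lists CVE-2016-9178 and add it in this change if it does not.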

-- 
To view, visit https://gerrit.wikimedia.org/r/328507
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iedbf7dc22a95182673aacae3d0c1b2ec9bd3f1be
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Another retroactive CVE assignment

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328503 )

Change subject: Another retroactive CVE assignment
..


Another retroactive CVE assignment

Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb
---
M debian/changelog
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index 3d27772..cb6c994 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -126,6 +126,7 @@
  7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44,
  13631bfc604161a9d69cd68991dff8603edd66f9,
  b7eba0f3515fca3296b8881d583f7c1042f5226]
+- CVE-2016-9806 [92964c79b357efd980812c4de5c1fd2ec8bb5520]
   * Update to 4.4.15:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.15
   * Update to 4.4.16:

-- 
To view, visit https://gerrit.wikimedia.org/r/328503
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Another retroactive CVE assignment

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328503 )

Change subject: Another retroactive CVE assignment
..

Another retroactive CVE assignment

Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb
---
M debian/changelog
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/03/328503/1

diff --git a/debian/changelog b/debian/changelog
index 3d27772..cb6c994 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -126,6 +126,7 @@
  7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44,
  13631bfc604161a9d69cd68991dff8603edd66f9,
  b7eba0f3515fca3296b8881d583f7c1042f5226]
+- CVE-2016-9806 [92964c79b357efd980812c4de5c1fd2ec8bb5520]
   * Update to 4.4.15:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.15
   * Update to 4.4.16:
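Review bot: The context line directly above the new CVE-2016-9806 entry, `b7eba0f3515fca3296b8881d583f7c1042f5226]`, is 39 hex characters, one short of a full commit ID, while the two IDs before it and the one being added are 40. Since this block is being edited anyway, correct that ID in the same change.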

-- 
To view, visit https://gerrit.wikimedia.org/r/328503
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3c6e865b8a3c7360f294f996dac9c7bbb57a2aeb
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add retroactively assigned CVE ID

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/328498 )

Change subject: Add retroactively assigned CVE ID
..


Add retroactively assigned CVE ID

Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a
---
M debian/changelog
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index aac9540..3d27772 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -169,6 +169,7 @@
 - CVE-2016-3157 [b7a584598aea7ca73140cb87b40319944dd3393f]
 - CVE-2016-3138 [8835ba4a39cf53f705417b3b3a94eb067673f2c9]
 - CVE-2016-6327 [51093254bf879bc9ce96590400a87897c7498463]
+- CVE-2016-9685 [2e83b79b2d6c78bf1b4aa227938a214dcbddc83f]
   * Update to 4.4.8:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.8
 - CVE-2016-3156 [fbd40ea0180a2d328c5adc61414dc8bab9335ce2]

-- 
To view, visit https://gerrit.wikimedia.org/r/328498
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add retroactively assigned CVE ID

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328498 )

Change subject: Add retroactively assigned CVE ID
..

Add retroactively assigned CVE ID

Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a
---
M debian/changelog
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/98/328498/1

diff --git a/debian/changelog b/debian/changelog
index aac9540..3d27772 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -169,6 +169,7 @@
 - CVE-2016-3157 [b7a584598aea7ca73140cb87b40319944dd3393f]
 - CVE-2016-3138 [8835ba4a39cf53f705417b3b3a94eb067673f2c9]
 - CVE-2016-6327 [51093254bf879bc9ce96590400a87897c7498463]
+- CVE-2016-9685 [2e83b79b2d6c78bf1b4aa227938a214dcbddc83f]
   * Update to 4.4.8:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.8
 - CVE-2016-3156 [fbd40ea0180a2d328c5adc61414dc8bab9335ce2]
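Review bot: The commit message, "Add retroactively assigned CVE ID", names neither the CVE nor the changelog entry the new line lands in, and the follow-up change "Another retroactive CVE assignment" uses almost the same wording. Put CVE-2016-9685 and the affected stable release in the subject so the two changes can be told apart in `git log --oneline`.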

-- 
To view, visit https://gerrit.wikimedia.org/r/328498
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I13496527d0afeffdaf847aef20bb799bda81d49a
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Also follow stat1001 rename in debdeploy grains

2016-12-21 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/328478 )

Change subject: Also follow stat1001 rename in debdeploy grains
..

Also follow stat1001 rename in debdeploy grains

Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad
---
M hieradata/role/common/statistics/web.yaml
M modules/debdeploy/templates/debdeploy.erb
2 files changed, 2 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/78/328478/1

diff --git a/hieradata/role/common/statistics/web.yaml 
b/hieradata/role/common/statistics/web.yaml
index 4b08b5b..a247771 100644
--- a/hieradata/role/common/statistics/web.yaml
+++ b/hieradata/role/common/statistics/web.yaml
@@ -3,5 +3,5 @@
   - statistics-web-users
   - statistics-admins
 debdeploy::grains:
-  debdeploy-stat:
+  debdeploy-analytics-web:
 value: standard
diff --git a/modules/debdeploy/templates/debdeploy.erb 
b/modules/debdeploy/templates/debdeploy.erb
index c47914b..4d7ebd9 100644
--- a/modules/debdeploy/templates/debdeploy.erb
+++ b/modules/debdeploy/templates/debdeploy.erb
@@ -9,7 +9,7 @@
 misc-external-services = debdeploy-tor:standard, debdeploy-etherpad:standard, 
debdeploy-lists:standard, debdeploy-planet:standard, debdeploy-otrs:standard, 
debdeploy-ipv6relay:standard, debdeploy-people:standard, 
debdeploy-mysql-analytics:standard, debdeploy-nova-api:standard, 
debdeploy-impala:standard
 misc-monitoring = debdeploy-grafana:standard, debdeploy-syslog:standard, 
debdeploy-ganglia:standard, debdeploy-graphite:standard, 
debdeploy-labmon:standard, debdeploy-icinga:standard, 
debdeploy-prometheus:standard
 misc-virt = debdeploy-nova-control:standard, debdeploy-horizon:standard, 
debdeploy-nova-manager:standard, debdeploy-nova-api:standard, 
debdeploy-labsdns:standard, debdeploy-nodepool:standard
-misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, 
debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, 
debdeploy-impala:standard, debdeploy-spark-worker:standard, 
debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, 
debdeploy-druid:standard
+misc-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, 
debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, 
debdeploy-impala:standard, debdeploy-spark-worker:standard, 
debdeploy-stat:standard, debdeploy-stat:canary, debdeploy-notebook:standard, 
debdeploy-druid:standard, debdeploy-analytics-web:standard
 all-analytics = debdeploy-kafkatee:standard, debdeploy-hue:standard, 
debdeploy-xenon:standard, debdeploy-mysql-analytics:standard, 
debdeploy-impala:standard, debdeploy-spark-worker:standard, 
debdeploy-hadoop-worker:standard, debdeploy-hadoop-master:standard, 
debdeploy-hadoop-standby:standard, debdeploy-hadoop-worker:canary
 misc-others = debdeploy-spare:standard, debdeploy-testsystem:standard, 
debdeploy-labtest:standard, debdeploy-sectools:standard
 misc-devel = debdeploy-bugzilla:standard, debdeploy-ci:standard, 
debdeploy-releases:standard, debdeploy-ve:standard, debdeploy-irc:standard, 
debdeploy-phabricator:standard, debdeploy-gerrit:standard, 
debdeploy-archiva:standard, debdeploy-rcstream:standard, 
debdeploy-eventlogging:standard, debdeploy-deployment:standard, 
debdeploy-piwik:standard, debdeploy-zuulmerger:standard, 
debdeploy-debugproxy:standard, debdeploy-webperf:standard, 
debdeploy-oresrdb:standard
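Review bot: `debdeploy-analytics-web:standard` is added to `misc-analytics` only, while `debdeploy-stat:standard` and `debdeploy-stat:canary` stay in place. If the renamed host was the last one carrying the `debdeploy-stat` grain, those two entries are now dead and should be removed in this change; if other hosts still carry it, say so in the commit message. Note also that `all-analytics` lists none of `debdeploy-stat`, `debdeploy-notebook`, `debdeploy-druid` or the new grain, so that group is either misnamed or out of date.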

-- 
To view, visit https://gerrit.wikimedia.org/r/328478
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I54bf76dd0b67782e37f9b5f9fb76e5447face7ad
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: Make systemd-timesyncd available as an alternative time sync...

2016-11-18 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/322279

Change subject: Make systemd-timesyncd available as an alternative time 
synchronisation provider (WIP)
..

Make systemd-timesyncd available as an alternative time synchronisation provider 
(WIP)

We don't need any of ntp's advanced features on the clients and we've
run into a fair share of runtime bugs (like failing to restart properly
or various cases where ntp failed to start after a reboot (it gets
stuck in interface activation/XFAC)).

This patch adds a Hiera-configurable class to use systemd-timesyncd
instead. systemd-timesyncd is shipped as part of the standard systemd
package. It is configured via the timedatectl tool.

We can enable this for a subset of jessie servers and if it proves to
be more reliable than ntp in practice, move all jessie systems to it.

Bug: T150527
Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95
---
A modules/base/templates/timesyncd.conf.erb
M modules/standard/manifests/init.pp
A modules/standard/manifests/ntp/timesyncd.pp
3 files changed, 59 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/79/322279/1

diff --git a/modules/base/templates/timesyncd.conf.erb 
b/modules/base/templates/timesyncd.conf.erb
new file mode 100644
index 000..2cd2fab
--- /dev/null
+++ b/modules/base/templates/timesyncd.conf.erb
@@ -0,0 +1,7 @@
+## THIS FILE IS MANAGED BY PUPPET
+#
+# See timesyncd.conf(5) for details.
+
+[Time]
+NTP=<%@ntp_servers[@site].sort.each do |ntpserver| -%> <%= ntpserver -%>
+<% end %>
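
Review bot: @ntp_servers[@site] on the NTP= line is nil for any site that has no key in the $ntp_servers hash (the class in this change defines only eqiad, codfw, esams and ulsfo), so .sort raises and catalog compilation fails on such a host. Guard the lookup, or fail with an explicit message in the class. The loop also emits a space before the first server, and the template sits in modules/base although only standard::ntp::timesyncd sets @ntp_servers; moving it under modules/standard/templates keeps the variable and its consumer together.
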
diff --git a/modules/standard/manifests/init.pp 
b/modules/standard/manifests/init.pp
index c03d90e..98ec8ff 100644
--- a/modules/standard/manifests/init.pp
+++ b/modules/standard/manifests/init.pp
@@ -9,8 +9,14 @@
 include ::base
 include ::standard::ntp
 
-unless $::fqdn in $::standard::ntp::wmf_peers[$::site] {
-include standard::ntp::client
+if hiera('use_timesyncd', false) {
+include standard::ntp::timesyncd
+}
+else
+{
+unless $::fqdn in $::standard::ntp::wmf_peers[$::site] {
+include standard::ntp::client
+}
 }
 
 include ::standard::diamond
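
Review bot: the new if branch skips the wmf_peers check that the else branch keeps, so a host listed in $::standard::ntp::wmf_peers[$::site] with use_timesyncd set to true in Hiera would include standard::ntp::timesyncd, which sets package ntp to absent in this same change. Keep the peer check outside the Hiera switch, or fail() when both apply, so an NTP peer cannot lose ntpd through a Hiera value. Style: write "} else {" on one line instead of splitting else and its brace.
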
diff --git a/modules/standard/manifests/ntp/timesyncd.pp 
b/modules/standard/manifests/ntp/timesyncd.pp
new file mode 100644
index 000..973651e
--- /dev/null
+++ b/modules/standard/manifests/ntp/timesyncd.pp
@@ -0,0 +1,44 @@
+# == Class standard::ntp::timesyncd
+#
+# Setup clock synchronisation using systemd-timesyncd
+class standard::ntp::timesyncd () {
+requires_os('debian >= jessie')
+require standard::ntp
+
+package { 'ntp':
+ensure => absent,
+}
+
+$wmf_peers = $::standard::ntp::wmf_peers
+# This maps the servers that regular clients use
+$ntp_servers = {
+eqiad => concat($wmf_peers['eqiad'], $wmf_peers['codfw']),
+codfw => concat($wmf_peers['eqiad'], $wmf_peers['codfw']),
+esams => concat($wmf_peers['esams'], $wmf_peers['eqiad']),
+ulsfo => concat($wmf_peers['eqiad'], $wmf_peers['codfw']),
+}
+
+file { '/etc/systemd/timesyncd.conf':
+ensure  => present,
+mode=> '0444',
+owner   => 'root',
+group   => 'root',
+content => template('base/timesyncd.conf.erb'),
+notify  => Service['systemd-timesyncd'],
+}
+
+service { 'systemd-timesyncd':
+provider => systemd,
+ensure   => running,
+enable   => true,
+}
+
+monitoring::service { 'ntp':
+description=> 'NTP',
+check_command  => 'check_ntp_time!0.5!1',
+check_interval => 30,
+retry_interval => 15,
+}
+
+}
+
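
Review bot: nothing orders Package['ntp'] (ensure => absent) before Service['systemd-timesyncd'], so on the first run Puppet may start timesyncd while ntpd is still installed and running, leaving two daemons adjusting the clock. Add before => Service['systemd-timesyncd'] to the package resource, or a require on the service. The two arguments in check_ntp_time!0.5!1 would also benefit from a comment saying what they are, since the commit message plans to compare reliability against ntp.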

-- 
To view, visit https://gerrit.wikimedia.org/r/322279
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie4c9ab7f82f590817f2b92d19f09cbbdda25fb95
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add further retroactively assigned CVE IDs

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Add further retroactively assigned CVE IDs
..


Add further retroactively assigned CVE IDs

These are all part of the latest Android bulletin, but had been fixed
in earlier 4.4.x stable kernels already.

Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00
---
M debian/changelog
1 file changed, 5 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index e075cf2..aac9540 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -49,6 +49,7 @@
 - CVE-2016-0758 [23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa]
 - CVE-2016-5244 [4116def2337991b39919f3b448326e21c40e0dbb]
 - CVE-2016-5243 [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2]
+- CVE-2016-7915 [50220dead1650609206efe91f0cc116132d59b3f]
   * Update to 4.4.22:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.22
   * Update to 4.4.23:
@@ -143,10 +144,12 @@
- CVE-2016-4578 [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6,
 e4ec8cc8039a7063e24204299b462bd1383184a5]
- CVE-2016-4569 [cec8f96e49d9be372fdb0c3836dcf31ec71e457e]
+   - CVE-2016-7911 [8ba8682107ee2ca3347354e018865d8e1967c5f4]
   * Update to 4.4.18:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.18
- CVE-2016-5696 [75ff39ccc1bd5d3c455b6822ab09e533c551f758]
- CVE-2016-3672 [8b8addf891de8a00e4d39fc32f93f7c5eb8feceb]
+   - CVE-2016-7910 [77da160530dd1dc94f6ae15a981f24e5f0021e84]
 
  -- Moritz Muehlenhoff   Thu, 28 Jul 2016 10:03:12 
+0200
 
@@ -186,6 +189,8 @@
 - CVE-2016-4565 [e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3]
 - CVE-2016-4568 [2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab]
 - CVE-2016-3961 [103f6112f253017d7062cd74d17f4a514ed4485c]
+- CVE-2016-7914 [8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2]
+- CVE-2016-7912 [38740a5b87d53ceb89eb2c970150f6e94e00373a]
 Remove misc-bmp085-Enable-building-as-a-module.patch which is
 merged in 4.4.9
   * Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address
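
Review bot: the commit message attributes CVE-2016-7914 and CVE-2016-7912 (and the three IDs in the earlier hunks) to "the latest Android bulletin" without naming it, so the CVE-to-commit pairing added here cannot be checked from the change itself. Name the bulletin (month or URL) in the commit message so the mapping can be audited later.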

-- 
To view, visit https://gerrit.wikimedia.org/r/322131
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add further retroactively assigned CVE IDs

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/322131

Change subject: Add further retroactively assigned CVE IDs
..

Add further retroactively assigned CVE IDs

These are all part of the latest Android bulletin, but had been fixed
in earlier 4.4.x stable kernels already.

Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00
---
M debian/changelog
1 file changed, 5 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/31/322131/1

diff --git a/debian/changelog b/debian/changelog
index e075cf2..aac9540 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -49,6 +49,7 @@
 - CVE-2016-0758 [23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa]
 - CVE-2016-5244 [4116def2337991b39919f3b448326e21c40e0dbb]
 - CVE-2016-5243 [5d2be1422e02ccd697ccfcd45c85b4a26e6178e2]
+- CVE-2016-7915 [50220dead1650609206efe91f0cc116132d59b3f]
   * Update to 4.4.22:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.22
   * Update to 4.4.23:
@@ -143,10 +144,12 @@
- CVE-2016-4578 [9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6,
 e4ec8cc8039a7063e24204299b462bd1383184a5]
- CVE-2016-4569 [cec8f96e49d9be372fdb0c3836dcf31ec71e457e]
+   - CVE-2016-7911 [8ba8682107ee2ca3347354e018865d8e1967c5f4]
   * Update to 4.4.18:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.18
- CVE-2016-5696 [75ff39ccc1bd5d3c455b6822ab09e533c551f758]
- CVE-2016-3672 [8b8addf891de8a00e4d39fc32f93f7c5eb8feceb]
+   - CVE-2016-7910 [77da160530dd1dc94f6ae15a981f24e5f0021e84]
 
  -- Moritz Muehlenhoff   Thu, 28 Jul 2016 10:03:12 
+0200
 
@@ -186,6 +189,8 @@
 - CVE-2016-4565 [e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3]
 - CVE-2016-4568 [2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab]
 - CVE-2016-3961 [103f6112f253017d7062cd74d17f4a514ed4485c]
+- CVE-2016-7914 [8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2]
+- CVE-2016-7912 [38740a5b87d53ceb89eb2c970150f6e94e00373a]
 Remove misc-bmp085-Enable-building-as-a-module.patch which is
 merged in 4.4.9
   * Cherrypick 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 to address

-- 
To view, visit https://gerrit.wikimedia.org/r/322131
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I82024b3254b1c31c8abd95626751ea093fd5ae00
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Assign debdeploy grains for analytics zookeeper cluster

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Assign debdeploy grains for analytics zookeeper cluster
..


Assign debdeploy grains for analytics zookeeper cluster

Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882
---
A hieradata/role/codfw/zookeeper/server.yaml
A hieradata/role/eqiad/zookeeper/server.yaml
M modules/debdeploy/templates/debdeploy.erb
3 files changed, 9 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/role/codfw/zookeeper/server.yaml 
b/hieradata/role/codfw/zookeeper/server.yaml
new file mode 100644
index 000..b90d653
--- /dev/null
+++ b/hieradata/role/codfw/zookeeper/server.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-zookeeper-codfw:
+value: standard
diff --git a/hieradata/role/eqiad/zookeeper/server.yaml 
b/hieradata/role/eqiad/zookeeper/server.yaml
new file mode 100644
index 000..c4f6dc9
--- /dev/null
+++ b/hieradata/role/eqiad/zookeeper/server.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-zookeeper-eqiad:
+value: standard
diff --git a/modules/debdeploy/templates/debdeploy.erb 
b/modules/debdeploy/templates/debdeploy.erb
index f60b9fb..c47914b 100644
--- a/modules/debdeploy/templates/debdeploy.erb
+++ b/modules/debdeploy/templates/debdeploy.erb
@@ -156,6 +156,9 @@
 redis-codfw = debdeploy-redis-codfw:standard
 redis-canary = debdeploy-redis-eqiad:canary
 redis = debdeploy-redis-eqiad:standard, debdeploy-redis-codfw:standard, 
debdeploy-redis-eqiad:canary
+zookeeper-codfw = debdeploy-zookeeper-codfw:standard
+zookeeper-eqiad = debdeploy-zookeeper-eqiad:standard
+zookeeper = debdeploy-zookeeper-codfw:standard, 
debdeploy-zookeeper-eqiad:standard
 labs-nfs = debdeploy-labsnfs:standard
 graphite = debdeploy-graphite:standard
 yubiauth = debdeploy-yubiauth:standard
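
Review bot: the three zookeeper groups map only to :standard grains, while the redis block directly above defines a redis-canary group, so there is no way to stage a package update on a single zookeeper node first. For a quorum-based service, consider giving one host per site the canary value and adding a zookeeper-canary group. The commit subject says "analytics zookeeper cluster" but the group names are plain zookeeper-*; if other clusters share the zookeeper/server role, the names should say which cluster they target.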

-- 
To view, visit https://gerrit.wikimedia.org/r/322113
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Assign debdeploy grains for analytics zookeeper cluster

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/322113

Change subject: Assign debdeploy grains for analytics zookeeper cluster
..

Assign debdeploy grains for analytics zookeeper cluster

Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882
---
A hieradata/role/codfw/zookeeper/server.yaml
A hieradata/role/eqiad/zookeeper/server.yaml
M modules/debdeploy/templates/debdeploy.erb
3 files changed, 9 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/13/322113/1

diff --git a/hieradata/role/codfw/zookeeper/server.yaml 
b/hieradata/role/codfw/zookeeper/server.yaml
new file mode 100644
index 000..b90d653
--- /dev/null
+++ b/hieradata/role/codfw/zookeeper/server.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-zookeeper-codfw:
+value: standard
diff --git a/hieradata/role/eqiad/zookeeper/server.yaml 
b/hieradata/role/eqiad/zookeeper/server.yaml
new file mode 100644
index 000..c4f6dc9
--- /dev/null
+++ b/hieradata/role/eqiad/zookeeper/server.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-zookeeper-eqiad:
+value: standard
diff --git a/modules/debdeploy/templates/debdeploy.erb 
b/modules/debdeploy/templates/debdeploy.erb
index f60b9fb..c47914b 100644
--- a/modules/debdeploy/templates/debdeploy.erb
+++ b/modules/debdeploy/templates/debdeploy.erb
@@ -156,6 +156,9 @@
 redis-codfw = debdeploy-redis-codfw:standard
 redis-canary = debdeploy-redis-eqiad:canary
 redis = debdeploy-redis-eqiad:standard, debdeploy-redis-codfw:standard, 
debdeploy-redis-eqiad:canary
+zookeeper-codfw = debdeploy-zookeeper-codfw:standard
+zookeeper-eqiad = debdeploy-zookeeper-eqiad:standard
+zookeeper = debdeploy-zookeeper-codfw:standard, 
debdeploy-zookeeper-eqiad:standard
 labs-nfs = debdeploy-labsnfs:standard
 graphite = debdeploy-graphite:standard
 yubiauth = debdeploy-yubiauth:standard

-- 
To view, visit https://gerrit.wikimedia.org/r/322113
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If6216967e9357efcde4c2aa8fa86bd91cb904882
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Rename hiera file so that the debdeploy grain is assigned to...

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Rename hiera file so that the debdeploy grain is assigned to 
the new role name
..


Rename hiera file so that the debdeploy grain is assigned to the new role name

Labvirt nodes used to use role::nova::compute, but are now using
role::labs::openstack::nova::compute, so rename the Hiera YAML file accordingly.

Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1
---
R hieradata/role/common/labs/openstack/nova/compute.yaml
1 file changed, 0 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/role/common/nova/compute.yaml 
b/hieradata/role/common/labs/openstack/nova/compute.yaml
similarity index 100%
rename from hieradata/role/common/nova/compute.yaml
rename to hieradata/role/common/labs/openstack/nova/compute.yaml

-- 
To view, visit https://gerrit.wikimedia.org/r/322105
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Rename hiera file so that the debdeploy grain is assigned to...

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/322105

Change subject: Rename hiera file so that the debdeploy grain is assigned to 
the new role name
..

Rename hiera file so that the debdeploy grain is assigned to the new role name

Labvirt nodes used to use role::nova::compute, but are now using
role::labs::openstack::nova::compute, so rename the Hiera YAML file accordingly.

Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1
---
R hieradata/role/common/labs/openstack/nova/compute.yaml
1 file changed, 0 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/05/322105/1

diff --git a/hieradata/role/common/nova/compute.yaml 
b/hieradata/role/common/labs/openstack/nova/compute.yaml
similarity index 100%
rename from hieradata/role/common/nova/compute.yaml
rename to hieradata/role/common/labs/openstack/nova/compute.yaml

-- 
To view, visit https://gerrit.wikimedia.org/r/322105
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I255110bc6ec936a7133a1ba55577cc2ee7559ba1
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add recently assigned CVE ID to fix already merged via older...

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/322097

Change subject: Add recently assigned CVE ID to fix already merged via older 
4.4.10
..

Add recently assigned CVE ID to fix already merged via older 4.4.10

Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13
---
M debian/changelog
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/97/322097/1

diff --git a/debian/changelog b/debian/changelog
index 56ba20e..e075cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -87,6 +87,7 @@
   * Update to 4.4.10:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.10
 - CVE-2016-4581 [5ec0811d30378ae104f250bfc9b3640242d81e3f]
+- CVE-2016-7916 [8148a73c9901a8794a50f950083c00ccf97d43b3]
   * Update to 4.4.11:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.11
 - CVE-2016-4485 [b8670c09f37bdf2847cc44f36511a53afc6161fd]
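
Review bot: the bracketed hash on the added CVE-2016-7916 line does not say whether it is the mainline commit or the 4.4.y stable backport, and the two have different IDs. State the convention once near the top of the changelog, or check the hash against the ChangeLog-4.4.10 linked two lines above, so later audits compare against the right tree.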

-- 
To view, visit https://gerrit.wikimedia.org/r/322097
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Add recently assigned CVE ID to fix already merged via older...

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Add recently assigned CVE ID to fix already merged via older 
4.4.10
..


Add recently assigned CVE ID to fix already merged via older 4.4.10

Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13
---
M debian/changelog
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index 56ba20e..e075cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -87,6 +87,7 @@
   * Update to 4.4.10:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.10
 - CVE-2016-4581 [5ec0811d30378ae104f250bfc9b3640242d81e3f]
+- CVE-2016-7916 [8148a73c9901a8794a50f950083c00ccf97d43b3]
   * Update to 4.4.11:
 https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.11
 - CVE-2016-4485 [b8670c09f37bdf2847cc44f36511a53afc6161fd]

-- 
To view, visit https://gerrit.wikimedia.org/r/322097
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If6a4805d95f268587dfff17e62c23185dd978f13
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux44
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: elasticsearch::https: Restrict to domain networks

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: elasticsearch::https: Restrict to domain networks
..


elasticsearch::https: Restrict to domain networks

We're getting rid of $INTERNAL, since it's needlessly broad. Restrict
to DOMAIN_NETWORKS, which restricts access to the production networks
in production, while still allowing tests in labs.

A similar change has been made for the elastic-http ferm service.

Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6
---
M modules/elasticsearch/manifests/https.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Gehel: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/elasticsearch/manifests/https.pp 
b/modules/elasticsearch/manifests/https.pp
index 1de60f5..6ac9617 100644
--- a/modules/elasticsearch/manifests/https.pp
+++ b/modules/elasticsearch/manifests/https.pp
@@ -47,7 +47,7 @@
 ensure => $ensure,
 proto  => 'tcp',
 port   => '9243',
-srange => '$INTERNAL',
+srange => '$DOMAIN_NETWORKS',
 }
 
 }
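
Review bot: srange => '$DOMAIN_NETWORKS' still admits every production network to port 9243; if only a known set of clients speaks HTTPS to Elasticsearch, a narrower range listing those hosts would match the stated goal of dropping a needlessly broad rule more closely. If DOMAIN_NETWORKS is intended, a one-line comment above srange stating the labs testing requirement from the commit message would keep the value from being widened or tightened by accident.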

-- 
To view, visit https://gerrit.wikimedia.org/r/319875
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Gehel 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Drop poolcounter role from helium

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Drop poolcounter role from helium
..


Drop poolcounter role from helium

It is no longer an active pool counter (poolcounter100[12] are).

Change-Id: I7db5c9a55a534e7c4c4d922fa757b060d6c110c3
---
M manifests/site.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Filippo Giunchedi: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/manifests/site.pp b/manifests/site.pp
index 1d2079f..1edc369 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1141,7 +1141,7 @@
 }
 
 node 'helium.eqiad.wmnet' {
-role(poolcounter::server, backup::director, backup::storage)
+role(backup::director, backup::storage)
 
 include standard
 interface::add_ip6_mapped { 'main':
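
Review bot: removing poolcounter::server from role() only stops Puppet from managing it; nothing in this hunk removes the package, stops the daemon or drops its firewall rule on helium, so the service keeps listening until someone cleans it up by hand. Note the manual cleanup in the commit message, or add an explicit absent/stopped step.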

-- 
To view, visit https://gerrit.wikimedia.org/r/321902
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I7db5c9a55a534e7c4c4d922fa757b060d6c110c3
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy salt grain for labs::db::proxy

2016-11-17 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Add debdeploy salt grain for labs::db::proxy
..


Add debdeploy salt grain for labs::db::proxy

Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185
---
A hieradata/role/common/labs/db/proxy.yaml
1 file changed, 3 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/role/common/labs/db/proxy.yaml 
b/hieradata/role/common/labs/db/proxy.yaml
new file mode 100644
index 000..47802e8
--- /dev/null
+++ b/hieradata/role/common/labs/db/proxy.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-labsdb:
+value: standard
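
Review bot: the grain key is debdeploy-labsdb although the file is for role labs::db::proxy, and this change touches only the Hiera file (1 file changed), unlike the zookeeper and puppetdb grain changes, which also add a group line to debdeploy.erb. Confirm that an existing group already matches debdeploy-labsdb:standard and that the proxies are meant to be updated together with whatever else carries that grain; otherwise use a proxy-specific grain name and add its group.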

-- 
To view, visit https://gerrit.wikimedia.org/r/321846
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: package_builder: Add subversion to list of installed packages

2016-11-16 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: package_builder: Add subversion to list of installed packages
..


package_builder: Add subversion to list of installed packages

The build of imagemagick failed to execute svnversion(1) multiple
times in the source package generation stage of pdebuild (i.e.
before the build dependencies are installed in the pbuilder
chroot).

svnversion is provided by the subversion package.

Change-Id: I27adb439f4e0cf0b5cbbbc662bde0cddffc4648d
---
M modules/package_builder/manifests/init.pp
1 file changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/package_builder/manifests/init.pp 
b/modules/package_builder/manifests/init.pp
index 71e4d07..66a5e31 100644
--- a/modules/package_builder/manifests/init.pp
+++ b/modules/package_builder/manifests/init.pp
@@ -46,6 +46,7 @@
 'kernel-wedge',
 'javahelper',
 'pkg-kde-tools',
+'subversion',
 ])
 
 if $::operatingsystem == 'Ubuntu' {
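
Review bot: 'subversion' is added to the package list with no comment, and it is needed only because the imagemagick source-package stage calls svnversion(1) outside the chroot. Add a short comment next to the entry (same for 'pkg-kde-tools' above it) so the packages are not pruned from the build host later as unused.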

-- 
To view, visit https://gerrit.wikimedia.org/r/321880
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I27adb439f4e0cf0b5cbbbc662bde0cddffc4648d
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: package_builder: Add pkg-kde-tools to list of installed pack...

2016-11-16 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/321876

Change subject: package_builder: Add pkg-kde-tools to list of installed packages
..

package_builder: Add pkg-kde-tools to list of installed packages

The build of imagemagick failed in the source package generation
stage of pdebuild (i.e. before the build dependencies are installed
in the pbuilder chroot):

 Build imagemagick version 8:6.8.9.9-5+deb8u5+wmf1 for quantum Q16
 if test "BUG#703261" = "SOLVED"; then \
 dh clean --parallel --with autoreconf --with pkgkde_symbolshelper; \
 else \
 dh clean --with autoreconf --with pkgkde_symbolshelper; \
 fi;
 dh: unable to load addon pkgkde_symbolshelper: Can't locate 
Debian/Debhelper/Sequence/pkgkde_symbolshelper.pm in @INC (you may need to 
install the Debian::Debhelper::Sequence::pkgkde_symbolshelper module) (@INC 
contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 
/usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 
/usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 
/usr/local/lib/site_perl .) at (eval 12) line 2.
 BEGIN failed--compilation aborted at (eval 12) line 2.

debian/rules:109: recipe for target 'clean' failed

The debhelper addon is provided by pkg-kde-tools

Change-Id: Ifba775179b9efb31b6feb130602198e0f8bd9933
---
M modules/package_builder/manifests/init.pp
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/76/321876/1

diff --git a/modules/package_builder/manifests/init.pp 
b/modules/package_builder/manifests/init.pp
index 37ade9c..71e4d07 100644
--- a/modules/package_builder/manifests/init.pp
+++ b/modules/package_builder/manifests/init.pp
@@ -45,6 +45,7 @@
 'php5-dev',
 'kernel-wedge',
 'javahelper',
+'pkg-kde-tools',
 ])
 
 if $::operatingsystem == 'Ubuntu' {

-- 
To view, visit https://gerrit.wikimedia.org/r/321876
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifba775179b9efb31b6feb130602198e0f8bd9933
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy salt grain for labs::db::proxy

2016-11-16 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/321846

Change subject: Add debdeploy salt grain for labs::db::proxy
..

Add debdeploy salt grain for labs::db::proxy

Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185
---
A hieradata/role/common/labs/db/proxy.yaml
1 file changed, 3 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/46/321846/1

diff --git a/hieradata/role/common/labs/db/proxy.yaml 
b/hieradata/role/common/labs/db/proxy.yaml
new file mode 100644
index 000..47802e8
--- /dev/null
+++ b/hieradata/role/common/labs/db/proxy.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-labsdb:
+value: standard

-- 
To view, visit https://gerrit.wikimedia.org/r/321846
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibb11e2ba2b288a59a9e9c9a89a795b527185
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy grains for puppetdb hosts

2016-11-15 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Add debdeploy grains for puppetdb hosts
..


Add debdeploy grains for puppetdb hosts

Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9
---
A hieradata/role/common/puppetmaster/puppetdb.yaml
M modules/debdeploy/templates/debdeploy.erb
2 files changed, 4 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/role/common/puppetmaster/puppetdb.yaml 
b/hieradata/role/common/puppetmaster/puppetdb.yaml
new file mode 100644
index 000..f4c7139
--- /dev/null
+++ b/hieradata/role/common/puppetmaster/puppetdb.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-puppetmaster-puppetdb:
+value: standard
diff --git a/modules/debdeploy/templates/debdeploy.erb 
b/modules/debdeploy/templates/debdeploy.erb
index 7f66459..f60b9fb 100644
--- a/modules/debdeploy/templates/debdeploy.erb
+++ b/modules/debdeploy/templates/debdeploy.erb
@@ -98,6 +98,7 @@
 puppetmaster-backend = debdeploy-puppetmaster-backend:standard
 puppetmaster-frontend = debdeploy-puppetmaster-frontend:standard
 puppetmaster = debdeploy-puppetmaster-backend:standard, 
debdeploy-puppetmaster-frontend:standard
+puppetdb = debdeploy-puppetmaster-puppetdb:standard
 snapshot = debdeploy-snapshot:standard, debdeploy-snapshot:canary
 snapshot-canary = debdeploy-snapshot:canary
 parsoid = debdeploy-parsoid-eqiad:standard, debdeploy-parsoid-codfw:standard, 
debdeploy-parsoid-eqiad:canary, debdeploy-parsoid-codfw:canary
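Review bot: the new puppetdb group in debdeploy.erb maps only to debdeploy-puppetmaster-puppetdb:standard, while the neighbouring snapshot and parsoid groups in the same context also carry a :canary grain. If package updates on the puppetdb hosts should be staged, add a canary grain and a puppetdb-canary group in the same style; if a single-step rollout is intended, a short note in the commit message would make that explicit.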

-- 
To view, visit https://gerrit.wikimedia.org/r/321659
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Add debdeploy grains for puppetdb hosts

2016-11-15 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/321659

Change subject: Add debdeploy grains for puppetdb hosts
..

Add debdeploy grains for puppetdb hosts

Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9
---
A hieradata/role/common/puppetmaster/puppetdb.yaml
M modules/debdeploy/templates/debdeploy.erb
2 files changed, 4 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/59/321659/1

diff --git a/hieradata/role/common/puppetmaster/puppetdb.yaml 
b/hieradata/role/common/puppetmaster/puppetdb.yaml
new file mode 100644
index 000..f4c7139
--- /dev/null
+++ b/hieradata/role/common/puppetmaster/puppetdb.yaml
@@ -0,0 +1,3 @@
+debdeploy::grains:
+  debdeploy-puppetmaster-puppetdb:
+value: standard
diff --git a/modules/debdeploy/templates/debdeploy.erb 
b/modules/debdeploy/templates/debdeploy.erb
index 7f66459..f60b9fb 100644
--- a/modules/debdeploy/templates/debdeploy.erb
+++ b/modules/debdeploy/templates/debdeploy.erb
@@ -98,6 +98,7 @@
 puppetmaster-backend = debdeploy-puppetmaster-backend:standard
 puppetmaster-frontend = debdeploy-puppetmaster-frontend:standard
 puppetmaster = debdeploy-puppetmaster-backend:standard, 
debdeploy-puppetmaster-frontend:standard
+puppetdb = debdeploy-puppetmaster-puppetdb:standard
 snapshot = debdeploy-snapshot:standard, debdeploy-snapshot:canary
 snapshot-canary = debdeploy-snapshot:canary
 parsoid = debdeploy-parsoid-eqiad:standard, debdeploy-parsoid-codfw:standard, 
debdeploy-parsoid-eqiad:canary, debdeploy-parsoid-codfw:canary

-- 
To view, visit https://gerrit.wikimedia.org/r/321659
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I643e3c34a62b510df3aae980ed1cff991ae46df9
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.32

2016-11-15 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Update to 4.4.32
..


Update to 4.4.32

Change-Id: Ic4221758647cf45e5a24f3d75a4455a965370afb
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.32.patch
M debian/patches/series
3 files changed, 1,387 insertions(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index e37446f..56ba20e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,8 +11,11 @@
 - Drop 1d79b67c4a8a98247407dc245ba7cad2692da3c2, which is
   only needed for recent GGC releases and clashes with
   Debian-specific patches
+  * Update to 4.4.32:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
+- CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd]
 
- -- Moritz Muehlenhoff   Fri, 11 Nov 2016 15:57:32 
+0100
+ -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium
 
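Review bot: the new "Update to 4.4.32" changelog entry links to ChangeLog-4.4.31, the same URL the 4.4.31 entry uses; it should point at https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.32 so the CVE-2016-7039 reference can be checked against the right upstream changelog. The entry is also appended to the existing stanza above "linux (4.4.2-3+wmf7)" with only the trailer date changed; if a package was already built from that stanza, this needs its own version bump.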
diff --git a/debian/patches/bugfix/all/stable-4.4.32.patch 
b/debian/patches/bugfix/all/stable-4.4.32.patch
new file mode 100644
index 000..7b16c50
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.32.patch
@@ -0,0 +1,1382 @@
+diff --git a/Makefile b/Makefile
+index 7c6f28e7a2f6..fba9b09a1330 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 31
++SUBLEVEL = 32
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index bbe56871245c..4298aeb1e20f 100644
+--- a/arch/mips/kvm/emulate.c
 b/arch/mips/kvm/emulate.c
+@@ -822,7 +822,7 @@ static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu 
*vcpu,
+   bool user;
+ 
+   /* No need to flush for entries which are already invalid */
+-  if (!((tlb->tlb_lo[0] | tlb->tlb_lo[1]) & ENTRYLO_V))
++  if (!((tlb->tlb_lo0 | tlb->tlb_lo1) & MIPS3_PG_V))
+   return;
+   /* User address space doesn't need flushing for KSeg2/3 changes */
+   user = tlb->tlb_hi < KVM_GUEST_KSEG0;
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c 
b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c
+index 21aacc1f45c1..7f85c2c1d681 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c
 b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c
+@@ -265,15 +265,27 @@ static int amdgpu_atombios_dp_get_dp_link_config(struct 
drm_connector *connector
+   unsigned max_lane_num = drm_dp_max_lane_count(dpcd);
+   unsigned lane_num, i, max_pix_clock;
+ 
+-  for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) {
+-  for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= 
max_link_rate; i++) {
+-  max_pix_clock = (lane_num * link_rates[i] * 8) / bpp;
++  if (amdgpu_connector_encoder_get_dp_bridge_encoder_id(connector) ==
++  ENCODER_OBJECT_ID_NUTMEG) {
++  for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) {
++  max_pix_clock = (lane_num * 27 * 8) / bpp;
+   if (max_pix_clock >= pix_clock) {
+   *dp_lanes = lane_num;
+-  *dp_rate = link_rates[i];
++  *dp_rate = 27;
+   return 0;
+   }
+   }
++  } else {
++  for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= 
max_link_rate; i++) {
++  for (lane_num = 1; lane_num <= max_lane_num; lane_num 
<<= 1) {
++  max_pix_clock = (lane_num * link_rates[i] * 8) 
/ bpp;
++  if (max_pix_clock >= pix_clock) {
++  *dp_lanes = lane_num;
++  *dp_rate = link_rates[i];
++  return 0;
++  }
++  }
++  }
+   }
+ 
+   return -EINVAL;
+diff --git a/drivers/gpu/drm/radeon/atombios_dp.c 
b/drivers/gpu/drm/radeon/atombios_dp.c
+index 44ee72e04df9..b5760851195c 100644
+--- a/drivers/gpu/drm/radeon/atombios_dp.c
 b/drivers/gpu/drm/radeon/atombios_dp.c
+@@ -315,15 +315,27 @@ int radeon_dp_get_dp_link_config(struct drm_connector 
*connector,
+   unsigned max_lane_num = drm_dp_max_lane_count(dpcd);
+   unsigned lane_num, i, max_pix_clock;
+ 
+-  for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) {
+-  for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= 
max_link_rate; i++) {
+-  max_pix_clock = (lane_num * link_rates[i] * 8) / bpp;
++  if (radeon_connector_encoder_get_dp_bridge_encoder_id(connector) ==
++  ENCODER_OBJECT_ID_NUTMEG) {
++  for (lane_num = 1; lane_num <= max_lane_num; 

[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.32

2016-11-15 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/321653

Change subject: Update to 4.4.32
..

Update to 4.4.32

Change-Id: Ic4221758647cf45e5a24f3d75a4455a965370afb
---
M debian/changelog
A debian/patches/bugfix/all/stable-4.4.32.patch
M debian/patches/series
3 files changed, 1,387 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux44 
refs/changes/53/321653/1

diff --git a/debian/changelog b/debian/changelog
index e37446f..56ba20e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,8 +11,11 @@
 - Drop 1d79b67c4a8a98247407dc245ba7cad2692da3c2, which is
   only needed for recent GGC releases and clashes with
   Debian-specific patches
+  * Update to 4.4.32:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
+- CVE-2016-7039 [fcd91dd449867c6bfe56a81cabba76b829fd05cd]
 
- -- Moritz Muehlenhoff   Fri, 11 Nov 2016 15:57:32 
+0100
+ -- Moritz Muehlenhoff   Tue, 15 Nov 2016 14:42:40 
+0100
 
 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium
 
diff --git a/debian/patches/bugfix/all/stable-4.4.32.patch 
b/debian/patches/bugfix/all/stable-4.4.32.patch
new file mode 100644
index 000..7b16c50
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.32.patch
@@ -0,0 +1,1382 @@
+diff --git a/Makefile b/Makefile
+index 7c6f28e7a2f6..fba9b09a1330 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 31
++SUBLEVEL = 32
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/mips/kvm/emulate.c b/arch/mips/kvm/emulate.c
+index bbe56871245c..4298aeb1e20f 100644
+--- a/arch/mips/kvm/emulate.c
 b/arch/mips/kvm/emulate.c
+@@ -822,7 +822,7 @@ static void kvm_mips_invalidate_guest_tlb(struct kvm_vcpu 
*vcpu,
+   bool user;
+ 
+   /* No need to flush for entries which are already invalid */
+-  if (!((tlb->tlb_lo[0] | tlb->tlb_lo[1]) & ENTRYLO_V))
++  if (!((tlb->tlb_lo0 | tlb->tlb_lo1) & MIPS3_PG_V))
+   return;
+   /* User address space doesn't need flushing for KSeg2/3 changes */
+   user = tlb->tlb_hi < KVM_GUEST_KSEG0;
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c 
b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c
+index 21aacc1f45c1..7f85c2c1d681 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_dp.c
 b/drivers/gpu/drm/amd/amdgpu/atombios_dp.c
+@@ -265,15 +265,27 @@ static int amdgpu_atombios_dp_get_dp_link_config(struct 
drm_connector *connector
+   unsigned max_lane_num = drm_dp_max_lane_count(dpcd);
+   unsigned lane_num, i, max_pix_clock;
+ 
+-  for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) {
+-  for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= 
max_link_rate; i++) {
+-  max_pix_clock = (lane_num * link_rates[i] * 8) / bpp;
++  if (amdgpu_connector_encoder_get_dp_bridge_encoder_id(connector) ==
++  ENCODER_OBJECT_ID_NUTMEG) {
++  for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) {
++  max_pix_clock = (lane_num * 27 * 8) / bpp;
+   if (max_pix_clock >= pix_clock) {
+   *dp_lanes = lane_num;
+-  *dp_rate = link_rates[i];
++  *dp_rate = 27;
+   return 0;
+   }
+   }
++  } else {
++  for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= 
max_link_rate; i++) {
++  for (lane_num = 1; lane_num <= max_lane_num; lane_num 
<<= 1) {
++  max_pix_clock = (lane_num * link_rates[i] * 8) 
/ bpp;
++  if (max_pix_clock >= pix_clock) {
++  *dp_lanes = lane_num;
++  *dp_rate = link_rates[i];
++  return 0;
++  }
++  }
++  }
+   }
+ 
+   return -EINVAL;
+diff --git a/drivers/gpu/drm/radeon/atombios_dp.c 
b/drivers/gpu/drm/radeon/atombios_dp.c
+index 44ee72e04df9..b5760851195c 100644
+--- a/drivers/gpu/drm/radeon/atombios_dp.c
 b/drivers/gpu/drm/radeon/atombios_dp.c
+@@ -315,15 +315,27 @@ int radeon_dp_get_dp_link_config(struct drm_connector 
*connector,
+   unsigned max_lane_num = drm_dp_max_lane_count(dpcd);
+   unsigned lane_num, i, max_pix_clock;
+ 
+-  for (lane_num = 1; lane_num <= max_lane_num; lane_num <<= 1) {
+-  for (i = 0; i < ARRAY_SIZE(link_rates) && link_rates[i] <= 
max_link_rate; i++) {
+-  max_pix_clock = (lane_num * link_rates[i] * 8) / bpp;
++  if (radeon_connector_encoder_get_dp_bridge_encoder_id(connector) ==
++  ENCODER_OBJECT_ID_NUTMEG) {
++  for 

[MediaWiki-commits] [Gerrit] operations/puppet[production]: Use different host as canary host for debdeploy

2016-11-15 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Use different host as canary host for debdeploy
..


Use different host as canary host for debdeploy

mw1001 was decommed quite a while ago, use mw1161 instead.

Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461
---
R hieradata/hosts/mw1161.yaml
1 file changed, 0 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/hosts/mw1001.yaml b/hieradata/hosts/mw1161.yaml
similarity index 100%
rename from hieradata/hosts/mw1001.yaml
rename to hieradata/hosts/mw1161.yaml

-- 
To view, visit https://gerrit.wikimedia.org/r/321627
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Use different host as canary host for debdeploy

2016-11-15 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/321627

Change subject: Use different host as canary host for debdeploy
..

Use different host as canary host for debdeploy

mw1001 was decommed quite a while ago, use mw1161 instead.

Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461
---
R hieradata/hosts/mw1161.yaml
1 file changed, 0 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/27/321627/1

diff --git a/hieradata/hosts/mw1001.yaml b/hieradata/hosts/mw1161.yaml
similarity index 100%
rename from hieradata/hosts/mw1001.yaml
rename to hieradata/hosts/mw1161.yaml

-- 
To view, visit https://gerrit.wikimedia.org/r/321627
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I206bb2397d1c77b00336768a0d65bbb401188461
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Check whether ferm has been correctly started

2016-11-14 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Check whether ferm has been correctly started
..


Check whether ferm has been correctly started

There have been a few cases where ferm failed to start on some hosts
since it could not resolve a DNS name used in one of its rules.

Provide an Icinga check which checks whether the input policy is
configured to DROP (which is set up by ferm, so if it's not present
ferm has either been stopped or wasn't started at all).

Bug: T148986
Change-Id: I576e7373a1e9c2d9f7b441b6d03ac6d8bbb40866
---
A modules/base/files/firewall/check_ferm
M modules/base/manifests/firewall.pp
2 files changed, 39 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  Faidon Liambotis: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/base/files/firewall/check_ferm 
b/modules/base/files/firewall/check_ferm
new file mode 100644
index 000..7296fab
--- /dev/null
+++ b/modules/base/files/firewall/check_ferm
@@ -0,0 +1,17 @@
+#!/bin/bash
+# This plugin tests whether ferm has been started on a host by querying
+# the policy for the INPUT chain
+
+if [ ! -x /sbin/iptables ]; then
+echo "WARNING iptables not installed"
+exit 1
+fi
+
+input_policy=$(iptables -nL INPUT | sed -nr 's/^Chain INPUT \(policy 
(.*)\)$/\1/p')
+if [ $input_policy = "DROP" ]; then
+echo "OK ferm input default policy is set"
+exit 0
+else
+echo "ERROR ferm input drop default policy not set, ferm might not have 
been started correctly"
+exit 2
+fi
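Review bot: $input_policy is unquoted in the comparison in check_ferm. When the sed expression matches nothing (iptables fails, or the chain header has a different format) the variable is empty, the test becomes [ = "DROP" ] and bash prints a "unary operator expected" error; the script still reaches the else branch, but only by accident and with noise on stderr. Quote it: [ "$input_policy" = "DROP" ]. Two smaller points in the same hunk: the guard tests -x /sbin/iptables but the query then calls iptables through PATH, so use /sbin/iptables in both places; and only the IPv4 INPUT chain is queried, so a host where the ip6tables policy is missing would still report OK.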
diff --git a/modules/base/manifests/firewall.pp 
b/modules/base/manifests/firewall.pp
index 680b3ba..69b5b5e 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -59,4 +59,26 @@
 require   => File['/usr/lib/nagios/plugins/check_conntrack'],
 contact_group => 'admins',
 }
+
+sudo::user { 'nagios_check_ferm':
+ensure => 'present',
+user   => 'nagios',
+privileges => [ 'ALL = NOPASSWD: /usr/lib/nagios/plugins/check_ferm' ],
+require=> File['/usr/lib/nagios/plugins/check_ferm'],
+}
+
+file { '/usr/lib/nagios/plugins/check_ferm':
+source => 'puppet:///modules/base/firewall/check_ferm',
+owner  => 'root',
+group  => 'root',
+mode   => '0555',
+}
+
+nrpe::monitor_service { 'ferm_active':
+ensure=> 'present',
+description   => 'Check whether ferm is active by checking the default 
input chain',
+nrpe_command  => '/usr/bin/sudo /usr/lib/nagios/plugins/check_ferm',
+require   =>  [File['/usr/lib/nagios/plugins/check_ferm'], 
Sudo::User['nagios_check_ferm']],
+contact_group => 'admins',
+}
 }
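Review bot: the sudo rule in sudo::user 'nagios_check_ferm' names the command without an argument list, and sudoers then lets the nagios user pass arbitrary arguments to a script that runs as root. check_ferm takes no arguments and the nrpe_command passes none, so the privilege can be tightened by appending "" after the path, which makes sudo accept the command only when it is run without arguments. Style nit in nrpe::monitor_service: "require   =>  [" has two spaces after the arrow, unlike the other parameters.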

-- 
To view, visit https://gerrit.wikimedia.org/r/318527
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I576e7373a1e9c2d9f7b441b6d03ac6d8bbb40866
Gerrit-PatchSet: 9
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Alexandros Kosiaris 
Gerrit-Reviewer: Faidon Liambotis 
Gerrit-Reviewer: Gehel 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations...linux44[master]: Update to 4.4.31

2016-11-11 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Update to 4.4.31
..


Update to 4.4.31

Change-Id: I712b74c843ab9e7bbcb346899d9510e14d67e007
---
M debian/changelog
D debian/patches/bugfix/all/CVE-2016-7042.patch
A debian/patches/bugfix/all/stable-4.4.31.patch
M debian/patches/series
4 files changed, 1,725 insertions(+), 59 deletions(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/changelog b/debian/changelog
index b2caccc..e37446f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+linux (4.4.2-3+wmf8) jessie-wikimedia; urgency=medium
+
+  * Update to 4.4.31:
+https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.31
+- CVE-2016-7042 [03dab869b7b239c4e013ec82aea22e181e441cfc]
+  (drop previously locally applied CVE-2016-7042.patch)
+- CVE-2016-8630 [d9092f52d7e61dd1557f2db2400ddb430e85937e]
+- CVE-2016-8633 [667121ace9dbafb368618dbabcf07901c962ddac]
+- CVE-2016-9178 [different fix upstream, in stable as 
+ dc1555e670c373bfa4ca2e1e2f839d5fe2b4501a]
+- Drop 1d79b67c4a8a98247407dc245ba7cad2692da3c2, which is
+  only needed for recent GGC releases and clashes with
+  Debian-specific patches
+
+ -- Moritz Muehlenhoff   Fri, 11 Nov 2016 15:57:32 
+0100
+
 linux (4.4.2-3+wmf7) jessie-wikimedia; urgency=medium
 
   * Bump the kernel ABI to 3 (caused by posix ACL changes in 4.4.29)
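Review bot: typo in the last bullet of the new changelog stanza: "recent GGC releases" presumably means "recent GCC releases". While touching that bullet, it would help to say which Debian-specific patches the dropped commit 1d79b67c4a8a98247407dc245ba7cad2692da3c2 clashes with, so the drop can be revisited on the next stable update.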
diff --git a/debian/patches/bugfix/all/CVE-2016-7042.patch 
b/debian/patches/bugfix/all/CVE-2016-7042.patch
deleted file mode 100644
index 5257ea9..000
--- a/debian/patches/bugfix/all/CVE-2016-7042.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-KEYS: Fix short sprintf buffer in /proc/keys show function
-
-Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
-is turned on, this can cause a panic due to stack corruption.
-
-The problem is that xbuf[] is not big enough to hold a 64-bit timeout
-rendered as weeks:
-
-   (gdb) p 0xULL/(60*60*24*7)
-   $2 = 30500568904943
-
-That's 14 chars plus NUL, not 11 chars plus NUL.
-
-Expand the buffer to 16 chars.
-
-I think the unpatched code apparently works if the stack-protector is not
-enabled because on a 32-bit machine the buffer won't be overflowed and on a
-64-bit machine there's a 64-bit aligned pointer at one side and an int that
-isn't checked again on the other side.
-
-The panic incurred looks something like:
-
-Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 
81352ebe
-CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
-Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
- 0086 fbbd2679 8800a044bc00 813d941f
- 81a28d58 8800a044bc98 8800a044bc88 811b2cb6
- 8810 8800a044bc98 8800a044bc30 fbbd2679
-Call Trace:
- [] dump_stack+0x63/0x84
- [] panic+0xde/0x22a
- [] ? proc_keys_show+0x3ce/0x3d0
- [] __stack_chk_fail+0x19/0x30
- [] proc_keys_show+0x3ce/0x3d0
- [] ? key_validate+0x50/0x50
- [] ? key_default_cmp+0x20/0x20
- [] seq_read+0x2cc/0x390
- [] proc_reg_read+0x42/0x70
- [] __vfs_read+0x37/0x150
- [] ? security_file_permission+0xa0/0xc0
- [] vfs_read+0x96/0x130
- [] SyS_read+0x55/0xc0
- [] entry_SYSCALL_64_fastpath+0x1a/0xa4
-
-Reported-by: Ondrej Kozina 
-Signed-off-by: David Howells 
-Tested-by: Ondrej Kozina 
 a/security/keys/proc.c 
-+++ a/security/keys/proc.c 
-@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
-   struct timespec now;
-   unsigned long timo;
-   key_ref_t key_ref, skey_ref;
--  char xbuf[12];
-+  char xbuf[16];
-   int rc;
- 
-   struct keyring_search_context ctx = {
diff --git a/debian/patches/bugfix/all/stable-4.4.31.patch 
b/debian/patches/bugfix/all/stable-4.4.31.patch
new file mode 100644
index 000..2c6363f
--- /dev/null
+++ b/debian/patches/bugfix/all/stable-4.4.31.patch
@@ -0,0 +1,1708 @@
+diff --git a/Makefile b/Makefile
+index 98239d56924c..7c6f28e7a2f6 100644
+--- a/Makefile
 b/Makefile
+@@ -1,6 +1,6 @@
+ VERSION = 4
+ PATCHLEVEL = 4
+-SUBLEVEL = 30
++SUBLEVEL = 31
+ EXTRAVERSION =
+ NAME = Blurry Fish Butt
+ 
+diff --git a/arch/arm/include/asm/floppy.h b/arch/arm/include/asm/floppy.h
+index f4882553fbb0..85a34cc8316a 100644
+--- a/arch/arm/include/asm/floppy.h
 b/arch/arm/include/asm/floppy.h
+@@ -17,7 +17,7 @@
+ 
+ #define fd_outb(val,port) \
+   do {\
+-  if ((port) == FD_DOR)   \
++  if ((port) == (u32)FD_DOR)  \
+   

[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Cope with new libssl1.1 symbols introduced in 1.1.0c

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Cope with new libssl1.1 symbols introduced in 1.1.0c
..


Cope with new libssl1.1 symbols introduced in 1.1.0c

Otherwise the build fails since new symbols are available:

dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4
dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see 
diff output below
dpkg-gensymbols: warning: debian/libssl1.1/DEBIAN/symbols doesn't match 
completely debian/libssl1.1.symbols
--- debian/libssl1.1.symbols (libssl1.1_1.1.0c-1+wmf1_amd64)
+++ dpkg-gensymbols40IYit   2016-11-10 18:06:04.270220379 +
@@ -1,5 +1,8 @@
 libcrypto.so.1.1 libssl1.1 #MINVER#
+ DSO_dsobyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1
+ DSO_pathbyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1
  (symver|optional)OPENSSL_1_1_0 1.1.0
  (symver|optional)OPENSSL_1_1_0a 1.1.0a
+ OPENSSL_1_1_0c@OPENSSL_1_1_0c 1.1.0c-1+wmf1
 libssl.so.1.1 libssl1.1 #MINVER#
  (symver|optional)OPENSSL_1_1_0 1.1.0
debian/rules:139: recipe for target 'binary-arch' failed
make: *** [binary-arch] Error 2

Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5
---
M debian/changelog
M debian/libssl1.1.symbols
2 files changed, 2 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Verified; Looks good to me, approved



diff --git a/debian/changelog b/debian/changelog
index d1ff8cd..00dce1a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@
   * Drop no-rpath.patch, merged in 1.1.0c in
 
https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72
   * Refresh debian/d2i-tests.tar
+  * Cope with new libssl1.1 symbols introduced in 1.1.0c
 
  -- Moritz Muehlenhoff   Thu, 10 Nov 2016 16:42:36 
+0100
 
diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols
index f86fd6c..237c473 100644
--- a/debian/libssl1.1.symbols
+++ b/debian/libssl1.1.symbols
@@ -1,5 +1,6 @@
 libcrypto.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0 1.1.0
  *@OPENSSL_1_1_0a 1.1.0a
+ *@OPENSSL_1_1_0c 1.1.0c
 libssl.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0 1.1.0

-- 
To view, visit https://gerrit.wikimedia.org/r/320814
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/openssl11
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Cope with new libssl1.1 symbols introduced in 1.1.0c

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320814

Change subject: Cope with new libssl1.1 symbols introduced in 1.1.0c
..

Cope with new libssl1.1 symbols introduced in 1.1.0c

Otherwise the build fails since new symbols are available:

dpkg-gensymbols -Pdebian/libssl1.1/ -plibssl1.1 -c4
dpkg-gensymbols: warning: some new symbols appeared in the symbols file: see 
diff output below
dpkg-gensymbols: warning: debian/libssl1.1/DEBIAN/symbols doesn't match 
completely debian/libssl1.1.symbols
--- debian/libssl1.1.symbols (libssl1.1_1.1.0c-1+wmf1_amd64)
+++ dpkg-gensymbols40IYit   2016-11-10 18:06:04.270220379 +
@@ -1,5 +1,8 @@
 libcrypto.so.1.1 libssl1.1 #MINVER#
+ DSO_dsobyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1
+ DSO_pathbyaddr@OPENSSL_1_1_0c 1.1.0c-1+wmf1
  (symver|optional)OPENSSL_1_1_0 1.1.0
  (symver|optional)OPENSSL_1_1_0a 1.1.0a
+ OPENSSL_1_1_0c@OPENSSL_1_1_0c 1.1.0c-1+wmf1
 libssl.so.1.1 libssl1.1 #MINVER#
  (symver|optional)OPENSSL_1_1_0 1.1.0
debian/rules:139: recipe for target 'binary-arch' failed
make: *** [binary-arch] Error 2

Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5
---
M debian/changelog
M debian/libssl1.1.symbols
2 files changed, 2 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl11 
refs/changes/14/320814/1

diff --git a/debian/changelog b/debian/changelog
index d1ff8cd..00dce1a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@
   * Drop no-rpath.patch, merged in 1.1.0c in
 
https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72
   * Refresh debian/d2i-tests.tar
+  * Cope with new libssl1.1 symbols introduced in 1.1.0c
 
  -- Moritz Muehlenhoff   Thu, 10 Nov 2016 16:42:36 
+0100
 
diff --git a/debian/libssl1.1.symbols b/debian/libssl1.1.symbols
index f86fd6c..237c473 100644
--- a/debian/libssl1.1.symbols
+++ b/debian/libssl1.1.symbols
@@ -1,5 +1,6 @@
 libcrypto.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0 1.1.0
  *@OPENSSL_1_1_0a 1.1.0a
+ *@OPENSSL_1_1_0c 1.1.0c
 libssl.so.1.1 libssl1.1 #MINVER#
  *@OPENSSL_1_1_0 1.1.0

-- 
To view, visit https://gerrit.wikimedia.org/r/320814
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5b5d90ee8e22b4d0c7be003dc66d4d69b955b7f5
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/openssl11
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Fix build failure by updating d2i-tests.tar

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Fix build failure by updating d2i-tests.tar
..


Fix build failure by updating d2i-tests.tar

The openssl build and when investigating the error I realised that there's
a d2i-tests.tar in the debian directory, which replaces the
tests/d2i-tests during build time. This might be a historic leftover, I
don't know why that's done...

This patch refreshes the tarball with the new bad-cms.der test file, which
was added to test CVE-2016-7053

Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98
---
M debian/changelog
M debian/d2i-tests.tar
2 files changed, 1 insertion(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Verified; Looks good to me, approved



diff --git a/debian/changelog b/debian/changelog
index 82880eb..d1ff8cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@
 
https://git.openssl.org/?p=openssl.git;a=commit;h=0f6c9d73cb1e1027c67d993a669719e351c25cfc
   * Drop no-rpath.patch, merged in 1.1.0c in
 
https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72
+  * Refresh debian/d2i-tests.tar
 
  -- Moritz Muehlenhoff   Thu, 10 Nov 2016 16:42:36 
+0100
 
diff --git a/debian/d2i-tests.tar b/debian/d2i-tests.tar
index df9c514..034bb32 100644
--- a/debian/d2i-tests.tar
+++ b/debian/d2i-tests.tar
Binary files differ
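Review bot: debian/d2i-tests.tar is replaced as a binary blob, so the diff cannot show what changed inside it. The changelog line only says "Refresh debian/d2i-tests.tar"; name the added file there (the commit message says it is bad-cms.der, the test for CVE-2016-7053) so the tarball contents can be compared against upstream's tests/d2i-tests. Since the commit message itself questions why the tarball replaces the upstream test directory at build time, consider tracking its removal as a follow-up rather than refreshing it by hand on each release.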

-- 
To view, visit https://gerrit.wikimedia.org/r/320808
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/openssl11
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Fix build failure by updating d2i-tests.tar

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320808

Change subject: Fix build failure by updating d2i-tests.tar
..

Fix build failure by updating d2i-tests.tar

The openssl build and when investigating the error I realised that there's
a d2i-tests.tar in the debian directory, which replaces the
tests/d2i-tests during build time. This might be a historic leftover, I
don't know why that's done...

This patch refreshes the tarball with the new bad-cms.der test file, which
was added to test CVE-2016-7053

Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98
---
M debian/changelog
M debian/d2i-tests.tar
2 files changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl11 
refs/changes/08/320808/1

diff --git a/debian/changelog b/debian/changelog
index 82880eb..d1ff8cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@
 
https://git.openssl.org/?p=openssl.git;a=commit;h=0f6c9d73cb1e1027c67d993a669719e351c25cfc
   * Drop no-rpath.patch, merged in 1.1.0c in
 
https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72
+  * Refresh debian/d2i-tests.tar
 
  -- Moritz Muehlenhoff   Thu, 10 Nov 2016 16:42:36 
+0100
 
diff --git a/debian/d2i-tests.tar b/debian/d2i-tests.tar
index df9c514..034bb32 100644
--- a/debian/d2i-tests.tar
+++ b/debian/d2i-tests.tar
Binary files differ

-- 
To view, visit https://gerrit.wikimedia.org/r/320808
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I3c87193952dfd732e61d0f2406dc91682c62ef98
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/openssl11
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Update to 1.1.0c and drop two merged patches

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Update to 1.1.0c and drop two merged patches
..


Update to 1.1.0c and drop two merged patches

Change-Id: Iff74c299e35ef36b3727e4b5f9961053f18a5d77
---
M debian/changelog
D debian/patches/fix-read-ahead.patch
D debian/patches/no-rpath.patch
M debian/patches/series
4 files changed, 13 insertions(+), 87 deletions(-)

Approvals:
  Muehlenhoff: Verified; Looks good to me, approved



diff --git a/debian/changelog b/debian/changelog
index 21a23af..82880eb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+openssl (1.1.0c-1+wmf1) jessie-wikimedia; urgency=medium
+
+  * New upstream release
+- Fix CVE-2016-7054
+- Fix CVE-2016-7053
+- Fix CVE-2016-7055
+  * Drop fix-read-ahead.patch, merged in 1.1.0c in
+
https://git.openssl.org/?p=openssl.git;a=commit;h=0f6c9d73cb1e1027c67d993a669719e351c25cfc
+  * Drop no-rpath.patch, merged in 1.1.0c in
+
https://git.openssl.org/?p=openssl.git;a=commit;h=68f3b899105b5709b8d73265549c93a78e0f6e72
+
+ -- Moritz Muehlenhoff   Thu, 10 Nov 2016 16:42:36 
+0100
+
 openssl (1.1.0b-1+wmf2) jessie-wikimedia; urgency=medium
 
   * Cherrypick 0f6c9d73cb1e1027c67d993a669719e351c25cfc from the
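
Review bot: the three "Fix CVE-2016-705x" bullets in the new 1.1.0c-1+wmf1 entry carry no description, so a reader of the changelog cannot tell what was fixed or whether urgency=medium is the right level. Add a short summary per CVE, in the same way the two "Drop ... merged in 1.1.0c" bullets already point at their upstream commits.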
diff --git a/debian/patches/fix-read-ahead.patch 
b/debian/patches/fix-read-ahead.patch
deleted file mode 100644
index 436bd0a..000
--- a/debian/patches/fix-read-ahead.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 0f6c9d73cb1e1027c67d993a669719e351c25cfc Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Wed, 2 Nov 2016 10:34:12 +
-Subject: [PATCH] Fix read_ahead
-
-The function ssl3_read_n() takes a parameter |clearold| which, if set,
-causes any old data in the read buffer to be forgotten, and any unread data
-to be moved to the start of the buffer. This is supposed to happen when we
-first read the record header.
-
-However, the data move was only taking place if there was not already
-sufficient data in the buffer to satisfy the request. If read_ahead is set
-then the record header could be in the buffer already from when we read the
-preceding record. So with read_ahead we can get into a situation where even
-though |clearold| is set, the data does not get moved to the start of the
-read buffer when we read the record header. This means there is insufficient
-room in the read buffer to consume the rest of the record body, resulting in
-an internal error.
-
-This commit moves the |clearold| processing to earlier in ssl3_read_n()
-to ensure that it always takes place.
-
-Reviewed-by: Richard Levitte 
-(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7)

- ssl/record/rec_layer_s3.c | 24 
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
-index 9c8c23c..4535f89 100644
 a/ssl/record/rec_layer_s3.c
-+++ b/ssl/record/rec_layer_s3.c
-@@ -241,6 +241,18 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
- /* ... now we can act as if 'extend' was set */
- }
- 
-+len = s->rlayer.packet_length;
-+pkt = rb->buf + align;
-+/*
-+ * Move any available bytes to front of buffer: 'len' bytes already
-+ * pointed to by 'packet', 'left' extra ones at the end
-+ */
-+if (s->rlayer.packet != pkt && clearold == 1) {
-+memmove(pkt, s->rlayer.packet, len + left);
-+s->rlayer.packet = pkt;
-+rb->offset = len + align;
-+}
-+
- /*
-  * For DTLS/UDP reads should not span multiple packets because the read
-  * operation returns the whole packet at once (as long as it fits into
-@@ -263,18 +275,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
- 
- /* else we need to read more data */
- 
--len = s->rlayer.packet_length;
--pkt = rb->buf + align;
--/*
-- * Move any available bytes to front of buffer: 'len' bytes already
-- * pointed to by 'packet', 'left' extra ones at the end
-- */
--if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */
--memmove(pkt, s->rlayer.packet, len + left);
--s->rlayer.packet = pkt;
--rb->offset = len + align;
--}
--
- if (n > (int)(rb->len - rb->offset)) { /* does not happen */
- SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
- return -1;
diff --git a/debian/patches/no-rpath.patch b/debian/patches/no-rpath.patch
deleted file mode 100644
index 4b30b1a..000
--- a/debian/patches/no-rpath.patch
+++ /dev/null
@@ -1,15 +0,0 @@

- Makefile.shared |2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
 a/Makefile.shared
-+++ b/Makefile.shared
-@@ -176,7 +176,7 @@ DO_GNU_SO=\
-   ALLSYMSFLAGS='-Wl,--whole-archive'; \
-   NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-   $(DO_GNU_SO_COMMON)

[MediaWiki-commits] [Gerrit] operations...openssl11[master]: Update to 1.1.0c and drop merged fix-read-ahead.patch

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320789

Change subject: Update to 1.1.0c and drop merged fix-read-ahead.patch
..

Update to 1.1.0c and drop merged fix-read-ahead.patch

Change-Id: Iff74c299e35ef36b3727e4b5f9961053f18a5d77
---
M debian/changelog
D debian/patches/fix-read-ahead.patch
M debian/patches/series
3 files changed, 10 insertions(+), 71 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/openssl11 
refs/changes/89/320789/1

diff --git a/debian/changelog b/debian/changelog
index 21a23af..603c1b6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+openssl (1.1.0c-1+wmf1) jessie-wikimedia; urgency=medium
+
+  * New upstream release
+- Fix CVE-2016-7054
+- Fix CVE-2016-7053
+- Fix CVE-2016-7055
+  * Drop fix-read-ahead.patch, merged in 1.1.0c
+
+ -- Moritz Muehlenhoff   Thu, 10 Nov 2016 16:42:36 
+0100
+
 openssl (1.1.0b-1+wmf2) jessie-wikimedia; urgency=medium
 
   * Cherrypick 0f6c9d73cb1e1027c67d993a669719e351c25cfc from the
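
Review bot: the bullet "Drop fix-read-ahead.patch, merged in 1.1.0c" does not name the upstream commit that carries the fix. The header of the deleted patch gives it as 0f6c9d73cb1e1027c67d993a669719e351c25cfc; cite that hash in the changelog bullet so the drop can be checked against the 1.1.0c tree.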
diff --git a/debian/patches/fix-read-ahead.patch 
b/debian/patches/fix-read-ahead.patch
deleted file mode 100644
index 436bd0a..000
--- a/debian/patches/fix-read-ahead.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 0f6c9d73cb1e1027c67d993a669719e351c25cfc Mon Sep 17 00:00:00 2001
-From: Matt Caswell 
-Date: Wed, 2 Nov 2016 10:34:12 +
-Subject: [PATCH] Fix read_ahead
-
-The function ssl3_read_n() takes a parameter |clearold| which, if set,
-causes any old data in the read buffer to be forgotten, and any unread data
-to be moved to the start of the buffer. This is supposed to happen when we
-first read the record header.
-
-However, the data move was only taking place if there was not already
-sufficient data in the buffer to satisfy the request. If read_ahead is set
-then the record header could be in the buffer already from when we read the
-preceding record. So with read_ahead we can get into a situation where even
-though |clearold| is set, the data does not get moved to the start of the
-read buffer when we read the record header. This means there is insufficient
-room in the read buffer to consume the rest of the record body, resulting in
-an internal error.
-
-This commit moves the |clearold| processing to earlier in ssl3_read_n()
-to ensure that it always takes place.
-
-Reviewed-by: Richard Levitte 
-(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7)

- ssl/record/rec_layer_s3.c | 24 
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
-index 9c8c23c..4535f89 100644
 a/ssl/record/rec_layer_s3.c
-+++ b/ssl/record/rec_layer_s3.c
-@@ -241,6 +241,18 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
- /* ... now we can act as if 'extend' was set */
- }
- 
-+len = s->rlayer.packet_length;
-+pkt = rb->buf + align;
-+/*
-+ * Move any available bytes to front of buffer: 'len' bytes already
-+ * pointed to by 'packet', 'left' extra ones at the end
-+ */
-+if (s->rlayer.packet != pkt && clearold == 1) {
-+memmove(pkt, s->rlayer.packet, len + left);
-+s->rlayer.packet = pkt;
-+rb->offset = len + align;
-+}
-+
- /*
-  * For DTLS/UDP reads should not span multiple packets because the read
-  * operation returns the whole packet at once (as long as it fits into
-@@ -263,18 +275,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
- 
- /* else we need to read more data */
- 
--len = s->rlayer.packet_length;
--pkt = rb->buf + align;
--/*
-- * Move any available bytes to front of buffer: 'len' bytes already
-- * pointed to by 'packet', 'left' extra ones at the end
-- */
--if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */
--memmove(pkt, s->rlayer.packet, len + left);
--s->rlayer.packet = pkt;
--rb->offset = len + align;
--}
--
- if (n > (int)(rb->len - rb->offset)) { /* does not happen */
- SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
- return -1;
diff --git a/debian/patches/series b/debian/patches/series
index 145ae81..5b5a83d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,4 +5,3 @@
 pic.patch
 c_rehash-compat.patch
 #padlock_conf.patch
-fix-read-ahead.patch

-- 
To view, visit https://gerrit.wikimedia.org/r/320789
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iff74c299e35ef36b3727e4b5f9961053f18a5d77
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/openssl11
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 


[MediaWiki-commits] [Gerrit] operations/puppet[production]: Disable connection tracking for kafka broker

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320758

Change subject: Disable connection tracking for kafka broker
..

Disable connection tracking for kafka broker

During several traffic peaks we've run into exhausting
the connection tracking table in the past and rather
than bumping the size further, let's disable connection
tracking as we already do for other high volume services.

Change-Id: If26b300e0cae4d8adf26b1516d18a80d08b4f3de
---
M modules/role/manifests/kafka/main/broker.pp
1 file changed, 4 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/58/320758/1

diff --git a/modules/role/manifests/kafka/main/broker.pp 
b/modules/role/manifests/kafka/main/broker.pp
index 02ca720..a2d940e 100644
--- a/modules/role/manifests/kafka/main/broker.pp
+++ b/modules/role/manifests/kafka/main/broker.pp
@@ -65,11 +65,12 @@
 
 # firewall Kafka Broker.
 ferm::service { 'kafka-broker':
-proto  => 'tcp',
+proto   => 'tcp',
 # TODO: $::confluent::kafka::broker::port doesn't
 # seem to work as expected.  Hardcoding this for now.
-port   => 9092,
-srange => '$PRODUCTION_NETWORKS',
+port=> 9092,
+notrack => true,
+srange  => '$PRODUCTION_NETWORKS',
 }
 
 
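
Review bot: notrack => true is added without a comment, and with tracking off for port 9092 the rule set can no longer lean on connection state for this traffic. Put the reason from the commit message (conntrack table exhaustion during traffic peaks) in a comment next to the parameter, and confirm that reply packets from the broker are still accepted statelessly before this is rolled out.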

-- 
To view, visit https://gerrit.wikimedia.org/r/320758
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If26b300e0cae4d8adf26b1516d18a80d08b4f3de
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Restrict access to Hive server

2016-11-10 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Restrict access to Hive server
..


Restrict access to Hive server

We're getting rid of $INTERNAL, since it's needlessly broad. The Hive
server is accessed from stat100[24] and Spark masters, so restrict
access to analytics networks.

Change-Id: I09b03524d927962491349448ef6a3128a8144a42
---
M modules/role/manifests/analytics_cluster/hive/server.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Ottomata: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/role/manifests/analytics_cluster/hive/server.pp 
b/modules/role/manifests/analytics_cluster/hive/server.pp
index 2894ccc..48f9a5c 100644
--- a/modules/role/manifests/analytics_cluster/hive/server.pp
+++ b/modules/role/manifests/analytics_cluster/hive/server.pp
@@ -13,7 +13,7 @@
 ferm::service{ 'hive_server':
 proto  => 'tcp',
 port   => '1',
-srange => '$INTERNAL',
+srange => '$ANALYTICS_NETWORKS',
 }
 
 # Include icinga alerts if production realm.
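
Review bot: srange => '$ANALYTICS_NETWORKS' admits every host on the analytics networks, which is wider than the clients the commit message names (stat100[24] and the Spark masters). If the network-wide range is intended, say so in a comment above ferm::service{ 'hive_server': so the next reader does not have to reconstruct the client list from the commit log.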

-- 
To view, visit https://gerrit.wikimedia.org/r/320574
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I09b03524d927962491349448ef6a3128a8144a42
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Elukey 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: Ottomata 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Configure connection tracking sysctl settings in ferm

2016-11-09 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320590

Change subject: Configure connection tracking sysctl settings in ferm
..

Configure connection tracking sysctl settings in ferm

Connection tracking parameters cannot be set via the default
/etc/sysctl.d hierarchy; it needs to be ensured that these
are set after ferm is started (which loads the connection
tracking kernel modules which configure the respective sysctl
options).

Provide a ferm configuration file which runs the sysctl
commands after setting up all the rules and services.

Bug: T136094
Change-Id: I9d1be6387fae30e15207d2047b1e25a717d6bfa6
---
A modules/base/files/firewall/conntrack-sysctl.conf
M modules/base/manifests/firewall.pp
2 files changed, 8 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/90/320590/1

diff --git a/modules/base/files/firewall/conntrack-sysctl.conf 
b/modules/base/files/firewall/conntrack-sysctl.conf
new file mode 100644
index 000..23cedc3
--- /dev/null
+++ b/modules/base/files/firewall/conntrack-sysctl.conf
@@ -0,0 +1,2 @@
+@def $SYSCTL_SET_CONNTRACK_MAX = `/sbin/sysctl -q -w 
net.netfilter.nf_conntrack_max=262144`;
+@def $SYSCTL_SET_CONNTRACK_TIMEOUT = `/sbin/sysctl -q -w 
net.netfilter.nf_conntrack_tcp_timeout_time_wait=65`;
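
Review bot: both @def lines run /sbin/sysctl only as a side effect of defining a variable that nothing uses, and nothing here checks whether the write succeeded. Add a comment in the file that explains the trick and why 262144 and 65 were chosen, so that the unused $SYSCTL_SET_CONNTRACK_MAX and $SYSCTL_SET_CONNTRACK_TIMEOUT are not removed later as dead definitions.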
diff --git a/modules/base/manifests/firewall.pp 
b/modules/base/manifests/firewall.pp
index 680b3ba..96c3a7b 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -37,6 +37,12 @@
 source => 
'puppet:///modules/base/firewall/main-input-default-drop.conf',
 }
 
+ferm::conf { 'sysctl':
+ensure => $ensure,
+prio   => '99',
+source => 'puppet:///modules/base/firewall/conntrack-sysctl.conf',
+}
+
 ferm::rule { 'bastion-ssh':
 ensure => $ensure,
 rule   => 'proto tcp dport ssh saddr $BASTION_HOSTS ACCEPT;',
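
Review bot: prio => '99' is what makes the sysctl snippet load after the rules and services, but the resource has no comment saying so, and a later renumbering of priorities could silently break that ordering. Copy the explanation from the commit message into a comment above ferm::conf { 'sysctl': and reference T136094 there.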

-- 
To view, visit https://gerrit.wikimedia.org/r/320590
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9d1be6387fae30e15207d2047b1e25a717d6bfa6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Restrict access to Hive server

2016-11-09 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320574

Change subject: Restrict access to Hive server
..

Restrict access to Hive server

We're getting rid of $INTERNAL, since it's needlessly broad. The Hive
server is only accessed from stat100[24], so restrict access to those.

Change-Id: I09b03524d927962491349448ef6a3128a8144a42
---
M modules/role/manifests/analytics_cluster/hive/server.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/74/320574/1

diff --git a/modules/role/manifests/analytics_cluster/hive/server.pp 
b/modules/role/manifests/analytics_cluster/hive/server.pp
index 2894ccc..5e58ab9 100644
--- a/modules/role/manifests/analytics_cluster/hive/server.pp
+++ b/modules/role/manifests/analytics_cluster/hive/server.pp
@@ -13,7 +13,7 @@
 ferm::service{ 'hive_server':
 proto  => 'tcp',
 port   => '1',
-srange => '$INTERNAL',
+srange => '@resolve((stat1002.eqiad.wmnet stat1004.eqiad.wmnet))',
 }
 
 # Include icinga alerts if production realm.
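
Review bot: the new srange hardcodes stat1002.eqiad.wmnet and stat1004.eqiad.wmnet inside the rule, so every renamed or added client host means another edit to this manifest. Move the host list into a named ferm variable or a class parameter and reference that from srange, which also keeps the list reusable by other rules for the same clients.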

-- 
To view, visit https://gerrit.wikimedia.org/r/320574
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I09b03524d927962491349448ef6a3128a8144a42
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: ssh_pybal: Restrict to production networks

2016-11-08 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320556

Change subject: ssh_pybal: Restrict to production networks
..

ssh_pybal: Restrict to production networks

SSH health checks are only coming from production hosts, restrict to
production networks.

Change-Id: I439c36f001df4a785aac73635349c2c8a77fb749
---
M modules/role/manifests/mediawiki/common.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/56/320556/1

diff --git a/modules/role/manifests/mediawiki/common.pp 
b/modules/role/manifests/mediawiki/common.pp
index 26dec47..10f46c1 100644
--- a/modules/role/manifests/mediawiki/common.pp
+++ b/modules/role/manifests/mediawiki/common.pp
@@ -22,7 +22,7 @@
 ferm::service{ 'ssh_pybal':
 proto  => 'tcp',
 port   => '22',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 desc   => 'Allow incoming SSH for pybal health checks',
 }
 
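
Review bot: desc says the rule exists for pybal health checks, yet srange => '$PRODUCTION_NETWORKS' opens port 22 to every production host rather than to the hosts that run pybal. If the load balancers are a known set, a dedicated srange for them would match the stated purpose more closely; otherwise extend desc to say why the whole production range is needed.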

-- 
To view, visit https://gerrit.wikimedia.org/r/320556
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I439c36f001df4a785aac73635349c2c8a77fb749
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::mediawiki::jobrunner: Restrict to domain networks

2016-11-08 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320549

Change subject: role::mediawiki::jobrunner: Restrict to domain networks
..

role::mediawiki::jobrunner: Restrict to domain networks

We're getting rid of $INTERNAL, since it's needlessly broad. Use
$DOMAIN_NETWORKS to restrict access in production to production networks,
while still allowing using it in labs.

Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b
---
M modules/role/manifests/mediawiki/jobrunner.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/49/320549/1

diff --git a/modules/role/manifests/mediawiki/jobrunner.pp 
b/modules/role/manifests/mediawiki/jobrunner.pp
index 74f6c44..686a09e 100644
--- a/modules/role/manifests/mediawiki/jobrunner.pp
+++ b/modules/role/manifests/mediawiki/jobrunner.pp
@@ -24,6 +24,6 @@
 proto   => 'tcp',
 port=> $::mediawiki::jobrunner::port,
 notrack => true,
-srange  => '$INTERNAL',
+srange  => '$DOMAIN_NETWORKS',
 }
 }
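
Review bot: the reason for picking $DOMAIN_NETWORKS (production-only in production, still usable in labs) lives only in the commit message. Add a one-line comment above srange stating that, so a later cleanup does not swap it for $PRODUCTION_NETWORKS and break the labs case.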

-- 
To view, visit https://gerrit.wikimedia.org/r/320549
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9921adc40c5fc0247f0d32c54fff2c59927b786b
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::jsbench: Restrict to production networks

2016-11-08 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320547

Change subject: role::jsbench: Restrict to production networks
..

role::jsbench: Restrict to production networks

We're getting rid of $INTERNAL, since it's needlessly broad. xvfb is only
accessed from production hosts for debugging, so restrict it to production
networks.

Change-Id: I0a209f803b21d666c8f378c38aa9501a48952230
---
M modules/role/manifests/jsbench.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/47/320547/1

diff --git a/modules/role/manifests/jsbench.pp 
b/modules/role/manifests/jsbench.pp
index 5dbd87d..5a67a90 100644
--- a/modules/role/manifests/jsbench.pp
+++ b/modules/role/manifests/jsbench.pp
@@ -30,7 +30,7 @@
 ferm::service { 've-xvfb':
 proto  => 'tcp',
 port   => '6099',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 }
 
 user { 'jsbench':
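
Review bot: ferm::service { 've-xvfb': has no desc parameter, and the only record that port 6099 is opened for debugging from production hosts is the commit message. Add a desc line that states the debugging purpose, so the rule can be reviewed or removed later without digging through history.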

-- 
To view, visit https://gerrit.wikimedia.org/r/320547
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a209f803b21d666c8f378c38aa9501a48952230
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: role::mariadb::sanitarium: Restrict to production networks

2016-11-08 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320545

Change subject: role::mariadb::sanitarium: Restrict to production networks
..

role::mariadb::sanitarium: Restrict to production networks

We're getting rid of $INTERNAL, since it's needlessly broad. Restrict to
production networks instead.

Change-Id: Ie00990d7a28cab0afb9d89c79ee625a7ac937655
---
M modules/role/manifests/mariadb.pp
1 file changed, 3 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/45/320545/1

diff --git a/modules/role/manifests/mariadb.pp 
b/modules/role/manifests/mariadb.pp
index 766e100..c6596b5 100644
--- a/modules/role/manifests/mariadb.pp
+++ b/modules/role/manifests/mariadb.pp
@@ -713,19 +713,19 @@
 ferm::service { 'mysqld_sanitarium':
 proto  => 'tcp',
 port   => '3311:3317',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 }
 
 ferm::service { 'gmond_udp':
 proto  => 'udp',
 port   => '8649',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 }
 
 ferm::service { 'gmond_tcp':
 proto  => 'tcp',
 port   => '8649',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 }
 
 # One instance per shard using mysqld_multi.
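
Review bot: all three srange values move to $PRODUCTION_NETWORKS in one step, which gives mysqld_sanitarium on 3311:3317 the same reach as the two gmond monitoring rules. The commit message gives no client list for the MySQL ports; if only a few hosts connect to these instances, use a narrower srange on that first rule and keep $PRODUCTION_NETWORKS for gmond_udp and gmond_tcp.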

-- 
To view, visit https://gerrit.wikimedia.org/r/320545
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie00990d7a28cab0afb9d89c79ee625a7ac937655
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Only install python-pygeoip on Ubuntu

2016-11-08 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Only install python-pygeoip on Ubuntu
..


Only install python-pygeoip on Ubuntu

Not available on jessie and provenance unknown, skip installing for now
to restore puppet runs on notebook*.

Bug: T150003
Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67
---
M modules/statistics/manifests/packages.pp
1 file changed, 7 insertions(+), 1 deletion(-)

Approvals:
  Ottomata: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/statistics/manifests/packages.pp 
b/modules/statistics/manifests/packages.pp
index adb2e65..510a07e 100644
--- a/modules/statistics/manifests/packages.pp
+++ b/modules/statistics/manifests/packages.pp
@@ -55,7 +55,6 @@
 'python-pandas',# Pivot tables processing
 'python-requests',  # Simple lib to make API calls
 'python-unidecode', # Unicode simplification - converts everything to 
latin set
-'python-pygeoip',   # For geo-encoding IP addresses
 'python-ua-parser', # For parsing User Agents
 'python-matplotlib',  # For generating plots of data
 'python-netaddr',
@@ -67,6 +66,13 @@
 'python-pymysql',
 ])
 
+# This is a custom package and currently not available on jessie, don't 
install on jessie for now 
+if os_version('ubuntu >= trusty') {
+ensure_packages([
+'python-pygeoip', # For geo-encoding IP addresses
+])
+}
+
 # FORTRAN packages (T89414)
 ensure_packages([
 'gfortran',# GNU Fortran 95 compiler
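
Review bot: python-pygeoip stays installed on Ubuntu although the commit message calls its provenance unknown, and the new comment above the os_version() guard does not mention T150003. Add the task id to that comment so the manifest itself points at the follow-up needed to either vet or drop the package.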

-- 
To view, visit https://gerrit.wikimedia.org/r/320410
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: Ottomata 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Only install python-pygeoip on Ubuntu

2016-11-08 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320410

Change subject: Only install python-pygeoip on Ubuntu
..

Only install python-pygeoip on Ubuntu

Not available on jessie and provenance unknown, skip installing for now
to restore puppet runs on notebook*.

Bug: T150003
Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67
---
M modules/statistics/manifests/packages.pp
1 file changed, 7 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/10/320410/1

diff --git a/modules/statistics/manifests/packages.pp 
b/modules/statistics/manifests/packages.pp
index adb2e65..510a07e 100644
--- a/modules/statistics/manifests/packages.pp
+++ b/modules/statistics/manifests/packages.pp
@@ -55,7 +55,6 @@
 'python-pandas',# Pivot tables processing
 'python-requests',  # Simple lib to make API calls
 'python-unidecode', # Unicode simplification - converts everything to 
latin set
-'python-pygeoip',   # For geo-encoding IP addresses
 'python-ua-parser', # For parsing User Agents
 'python-matplotlib',  # For generating plots of data
 'python-netaddr',
@@ -67,6 +66,13 @@
 'python-pymysql',
 ])
 
+# This is a custom package and currently not available on jessie, don't 
install on jessie for now 
+if os_version('ubuntu >= trusty') {
+ensure_packages([
+'python-pygeoip', # For geo-encoding IP addresses
+])
+}
+
 # FORTRAN packages (T89414)
 ensure_packages([
 'gfortran',# GNU Fortran 95 compiler
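
Review bot: the new comment talks about jessie, but the guard os_version('ubuntu >= trusty') is an allow-list, so the package is also skipped on every other release that is not Ubuntu trusty or later. Reword the comment to describe what the condition actually does ("only installed on Ubuntu trusty and later") and keep the jessie remark as the reason.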

-- 
To view, visit https://gerrit.wikimedia.org/r/320410
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icca0a454ea2fd833664ba99a90b1a4acb77a8e67
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: statistics::packages: Remove zpubsub

2016-11-07 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: statistics::packages: Remove zpubsub
..


statistics::packages: Remove zpubsub

This was only needed when eventlogging was still using zeromq and is obsolete
since it now uses kafka.

Bug: T150003
Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18
---
M modules/statistics/manifests/packages.pp
1 file changed, 0 insertions(+), 1 deletion(-)

Approvals:
  Ottomata: Looks good to me, but someone else must approve
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/statistics/manifests/packages.pp 
b/modules/statistics/manifests/packages.pp
index 906d805..adb2e65 100644
--- a/modules/statistics/manifests/packages.pp
+++ b/modules/statistics/manifests/packages.pp
@@ -17,7 +17,6 @@
 'tofrodos',
 'git-review',
 'make', # halfak wants make to manage dependencies
-'zpubsub', # For checking up on eventlogging
 'libwww-perl', # For wikistats stuff
 'php5-cli',
 'php5-curl',

-- 
To view, visit https://gerrit.wikimedia.org/r/320227
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Elukey 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: Ottomata 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: statistics::packages: Remove zpubsub

2016-11-07 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320227

Change subject: statistics::packages: Remove zpubsub
..

statistics::packages: Remove zpubsub

This was only needed when eventlogging was still using zeromq and is obsolete
since it now uses kafka.

Bug: T150003
Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18
---
M modules/statistics/manifests/packages.pp
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/27/320227/1

diff --git a/modules/statistics/manifests/packages.pp 
b/modules/statistics/manifests/packages.pp
index 906d805..adb2e65 100644
--- a/modules/statistics/manifests/packages.pp
+++ b/modules/statistics/manifests/packages.pp
@@ -17,7 +17,6 @@
 'tofrodos',
 'git-review',
 'make', # halfak wants make to manage dependencies
-'zpubsub', # For checking up on eventlogging
 'libwww-perl', # For wikistats stuff
 'php5-cli',
 'php5-curl',

-- 
To view, visit https://gerrit.wikimedia.org/r/320227
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I36469e8de53ea6261204f88ca113ecdab0e0eb18
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: Load connection tracking sysctl values via a separate system...

2016-11-07 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320197

Change subject: Load connection tracking sysctl values via a separate systemd 
unit
..

Load connection tracking sysctl values via a separate systemd unit

Connection tracking parameters cannot be set via the default
/etc/sysctl.d hierarchy; it needs to be ensured that these are set
after ferm is started (which loads the connection tracking kernel
modules which configure the respective sysctl options)

Provide a separate systemd unit ferm-sysctl.service which gets
started after ferm.

Bug: T136094
Change-Id: Icdac447b8ab3528cca652901779eeb4d7ea6fc5a
---
A modules/base/files/firewall/ferm-sysctl.service
M modules/base/manifests/firewall.pp
2 files changed, 25 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/97/320197/1

diff --git a/modules/base/files/firewall/ferm-sysctl.service 
b/modules/base/files/firewall/ferm-sysctl.service
new file mode 100644
index 000..e6a7c4b
--- /dev/null
+++ b/modules/base/files/firewall/ferm-sysctl.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Apply connection tracking sysctl settings for ferm
+After=ferm.service
+ConditionPathIsReadWrite=/proc/sys/
+ConditionPathExists=/etc/ferm/conntrack-sysctl.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/sysctl -q --load=/etc/ferm/conntrack-sysctl.conf
+
+[Install]
+WantedBy=multi-user.target
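
Review bot: After=ferm.service in the [Unit] section is ordering only, so this unit is neither pulled in nor re-run when ferm is started or restarted on its own. If a later ferm restart causes the conntrack modules to be reloaded, the values from /etc/ferm/conntrack-sysctl.conf are not reapplied, and because of RemainAfterExit=yes the unit still reports active. Consider adding PartOf=ferm.service (and Requires=ferm.service, so a failed ferm start does not lead to sysctl being run against keys that do not exist yet) so the settings follow ferm's lifecycle.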
diff --git a/modules/base/manifests/firewall.pp 
b/modules/base/manifests/firewall.pp
index 680b3ba..9c24117 100644
--- a/modules/base/manifests/firewall.pp
+++ b/modules/base/manifests/firewall.pp
@@ -24,6 +24,18 @@
 },
 }
 
+# Connection tracking parameters cannot be set via the default 
/etc/sysctl.d
+# hierarchy; it needs to be ensured that these are set after ferm is 
started
+# (which loads the connection tracking kernel modules which configure the
+# respective sysctl options)
+file { '/lib/systemd/system/ferm-sysctl.service':
+ensure  => $ensure,
+mode=> '0644',
+owner   => 'root',
+group   => 'root',
+source  => 'puppet:///modules/base/firewall/ferm-sysctl.service',
+}
+
 # The sysctl value net.netfilter.nf_conntrack_buckets is read-only. It is 
configured
 # via a modprobe parameter, bump it manually for running systems
 exec { 'bump nf_conntrack hash table size':
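
Review bot: the added file resource only places the unit file in /lib/systemd/system; nothing in the 12 added lines enables or starts ferm-sysctl.service, triggers a systemctl daemon-reload, or manages /etc/ferm/conntrack-sysctl.conf. Since the unit carries ConditionPathExists=/etc/ferm/conntrack-sysctl.conf, it stays a no-op until something supplies that file, so either add the service resource (subscribed to the unit file) and the conf file here, or say in the commit message that they follow in a separate change.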

-- 
To view, visit https://gerrit.wikimedia.org/r/320197

Gerrit-MessageType: newchange
Gerrit-Change-Id: Icdac447b8ab3528cca652901779eeb4d7ea6fc5a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux-meta[master]: Bump changelog

2016-11-07 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Bump changelog
..


Bump changelog

Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d
---
M debian/changelog
1 file changed, 6 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Verified; Looks good to me, approved



diff --git a/debian/changelog b/debian/changelog
index 39c7db2..f3f5b21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux-meta (1.11) jessie-wikimedia; urgency=medium
+
+  * Update to new linux package with ABI 3
+
+ -- Moritz Muehlenhoff   Mon, 07 Nov 2016 09:09:01 
+0100
+
 linux-meta (1.10) jessie-wikimedia; urgency=medium
 
   * Update to new linux package with ABI 2
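
Review bot: the new 1.11 entry says only "ABI 3" and does not name the package the meta package now depends on. Spelling out the concrete linux-image package name in the bullet would let someone auditing a host match the installed linux-meta version to the kernel it is supposed to pull in without opening debian/control.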

-- 
To view, visit https://gerrit.wikimedia.org/r/320167

Gerrit-MessageType: merged
Gerrit-Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux-meta
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux-meta[master]: Bump changelog

2016-11-07 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/320167

Change subject: Bump changelog
..

Bump changelog

Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d
---
M debian/changelog
1 file changed, 6 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/debs/linux-meta refs/changes/67/320167/1

diff --git a/debian/changelog b/debian/changelog
index 39c7db2..f3f5b21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux-meta (1.11) jessie-wikimedia; urgency=medium
+
+  * Update to new linux package with ABI 3
+
+ -- Moritz Muehlenhoff   Mon, 07 Nov 2016 09:09:01 
+0100
+
 linux-meta (1.10) jessie-wikimedia; urgency=medium
 
   * Update to new linux package with ABI 2

-- 
To view, visit https://gerrit.wikimedia.org/r/320167

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id3271791fa4fb1d0b4ce0d3fcc48cb8b6d7d489d
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux-meta
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations...linux-meta[master]: Depend on new ABI name

2016-11-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: Depend on new ABI name
..


Depend on new ABI name

Change-Id: Icb7a83ca36ceca78532ff46c68a712db37d3da4b
---
M debian/control
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/debian/control b/debian/control
index 4897122..23e3a7f 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,7 @@
 
 Package: linux-meta-4.4
 Architecture: any
-Depends: linux-image-4.4.0-2-amd64 [amd64], initramfs-tools, grub2-common, 
firmware-bnx2x (>= 20151018-2~wmf1)
+Depends: linux-image-4.4.0-3-amd64 [amd64], initramfs-tools, grub2-common, 
firmware-bnx2x (>= 20151018-2~wmf1)
 Description: Meta package for 4.4 kernel images
  This package depends on the latest Linux kernel used in the WMF environment.
  It can also serve to depend on firmware packages not part of the stock Linux
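
Review bot: the Depends line hard-codes the ABI-specific name linux-image-4.4.0-3-amd64, so upgrading linux-meta-4.4 installs the new image but leaves linux-image-4.4.0-2-amd64 on disk until it is removed or autoremoved, and hosts keep running the old kernel until they are rebooted. Note in the commit message or the rollout task how the old image is cleaned up and how reboots are tracked, so that a host is not counted as updated just because the meta package is current.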

-- 
To view, visit https://gerrit.wikimedia.org/r/319870

Gerrit-MessageType: merged
Gerrit-Change-Id: Icb7a83ca36ceca78532ff46c68a712db37d3da4b
Gerrit-PatchSet: 1
Gerrit-Project: operations/debs/linux-meta
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: carbon_pickled: Restrict to production networks

2016-11-06 Thread Muehlenhoff (Code Review)
Muehlenhoff has submitted this change and it was merged.

Change subject: carbon_pickled: Restrict to production networks
..


carbon_pickled: Restrict to production networks

We're getting rid of $INTERNAL, since it's needlessly broad. Restrict
access to production networks as for the other ferm services.

Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045
---
M modules/role/manifests/graphite/production.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Filippo Giunchedi: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/role/manifests/graphite/production.pp 
b/modules/role/manifests/graphite/production.pp
index ab7661e..7d9e4f6 100644
--- a/modules/role/manifests/graphite/production.pp
+++ b/modules/role/manifests/graphite/production.pp
@@ -75,7 +75,7 @@
 ferm::service { 'carbon_pickled':
 proto  => 'tcp',
 port   => '2004',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 }
 }
 
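
Review bot: the new srange on the carbon_pickled service is narrower but still admits every production host to port 2004, which is carbon's pickle receiver. Unpickling is not safe on untrusted input, so the useful boundary here is the set of hosts that actually relay metrics to this listener; if that set is known, restrict srange to those hosts, or add a comment next to srange recording why all of $PRODUCTION_NETWORKS needs access.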

-- 
To view, visit https://gerrit.wikimedia.org/r/319878

Gerrit-MessageType: merged
Gerrit-Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Muehlenhoff 
Gerrit-Reviewer: jenkins-bot <>



[MediaWiki-commits] [Gerrit] operations/puppet[production]: carbon_pickled: Restrict to production networks

2016-11-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/319878

Change subject: carbon_pickled: Restrict to production networks
..

carbon_pickled: Restrict to production networks

We're getting rid of $INTERNAL, since it's needlessly broad. Restrict
access to production networks as for the other ferm services.

Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045
---
M modules/role/manifests/graphite/production.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/78/319878/1

diff --git a/modules/role/manifests/graphite/production.pp 
b/modules/role/manifests/graphite/production.pp
index ab7661e..7d9e4f6 100644
--- a/modules/role/manifests/graphite/production.pp
+++ b/modules/role/manifests/graphite/production.pp
@@ -75,7 +75,7 @@
 ferm::service { 'carbon_pickled':
 proto  => 'tcp',
 port   => '2004',
-srange => '$INTERNAL',
+srange => '$PRODUCTION_NETWORKS',
 }
 }
 

-- 
To view, visit https://gerrit.wikimedia.org/r/319878

Gerrit-MessageType: newchange
Gerrit-Change-Id: I905da6072ec71cb32fe7e85e6caaf35f248ca045
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 



[MediaWiki-commits] [Gerrit] operations/puppet[production]: elasticsearch::https: Restrict to domain networks

2016-11-04 Thread Muehlenhoff (Code Review)
Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/319875

Change subject: elasticsearch::https: Restrict to domain networks
..

elasticsearch::https: Restrict to domain networks

We're getting rid of $INTERNAL, since it's needlessly broad. Restrict
to DOMAIN_NETWORKS, which restricts access to the production networks
in production, while still allowing tests in labs.

A similar change has been made for the elastic-http ferm service.

Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6
---
M modules/elasticsearch/manifests/https.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/75/319875/1

diff --git a/modules/elasticsearch/manifests/https.pp 
b/modules/elasticsearch/manifests/https.pp
index 1de60f5..6ac9617 100644
--- a/modules/elasticsearch/manifests/https.pp
+++ b/modules/elasticsearch/manifests/https.pp
@@ -47,7 +47,7 @@
 ensure => $ensure,
 proto  => 'tcp',
 port   => '9243',
-srange => '$INTERNAL',
+srange => '$DOMAIN_NETWORKS',
 }
 
 }
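
Review bot: the replacement value '$DOMAIN_NETWORKS' on the srange line is a ferm variable whose meaning differs between production and labs, and nothing beside it says so. The commit message explains that it restricts access to the production networks in production while still allowing tests in labs; put that in a one-line comment above srange so a later reader of https.pp does not mistake it for another overly broad range and tighten it in a way that breaks labs. Also confirm the variable is defined wherever this class is applied, since the single-quoted string is not interpolated by Puppet and is handed to ferm as written.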

-- 
To view, visit https://gerrit.wikimedia.org/r/319875

Gerrit-MessageType: newchange
Gerrit-Change-Id: I64c591205a3ed6834bbc7731495817a4046876a6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff 


