Aurelien Jarno [Sat, 12 Aug 2017 15:54:26 +0000 (17:54 +0200)]
Revert "Revert nrpe dsa2_shutdown command to its state before dsa-is-shutdown-scheduled"
This reverts commit
971573de556cd68ce1ada54f7a07c366c69ed953.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Sat, 12 Aug 2017 15:52:00 +0000 (17:52 +0200)]
dsa-is-shutdown-scheduled: rewrite the systemd-shutdownd test using pgrep
Otherwise we end up detecting the command started by dsa-is-shutdown-scheduled
when the script is launched twice or more at the same time.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Tollef Fog Heen [Sat, 12 Aug 2017 14:27:48 +0000 (16:27 +0200)]
The ACL file is not actually a template, so do this with puppet instead
Just use two files for now and logic in the puppet recipe.
Tollef Fog Heen [Sat, 12 Aug 2017 14:21:08 +0000 (16:21 +0200)]
Add function to emit the correct geoip format for bind versions
BIND 9.9 and BIND 9.10 have different formats for geoip. Add a
function that DTRT, and test it slightly before doing it to all countries.
Julien Cristau [Fri, 11 Aug 2017 23:12:03 +0000 (19:12 -0400)]
Revert nrpe dsa2_shutdown command to its state before dsa-is-shutdown-scheduled
Let's try if that restores some sanity to mini-nag.
Julien Cristau [Fri, 11 Aug 2017 20:49:39 +0000 (16:49 -0400)]
milanollo on stretch, no more experimental apache
Paul Wise [Thu, 10 Aug 2017 13:30:22 +0000 (09:30 -0400)]
Do not backup the other Apache disk cache
Avoids warnings due to races when it is cleaned/backed up at the same time:
Could not stat "/srv/apache-cache/mod_cache_disk/r/k/txeIh19LMLMAVeQKsKcg.header": ERR=No such file or directory
Aurelien Jarno [Wed, 9 Aug 2017 01:12:31 +0000 (03:12 +0200)]
sshd_config: remove protocol version 1 specific options
These options are useless as they only apply to protocol version 1,
while we explicitely force the protocol to version 2. They have started
to fill logs with deprecation warnings on stretch hosts.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Tue, 8 Aug 2017 23:10:27 +0000 (19:10 -0400)]
Fix dell harder
Their packages need libssl1.0.0 which is only in jessie, and don't
depend on it.
Julien Cristau [Tue, 8 Aug 2017 22:43:48 +0000 (18:43 -0400)]
raid/dell: rename aptrepo declaration to avoid conflict with raid/proliant
Julien Cristau [Tue, 8 Aug 2017 22:29:35 +0000 (18:29 -0400)]
Add dell srvadmin tool to try and improve health monitoring
Aurelien Jarno [Tue, 8 Aug 2017 22:36:34 +0000 (00:36 +0200)]
/etc/default/grub: fix serial console on arm64 VMs
arm64 VMs do not have a graphical card and have their serial device
named ttyAMA0.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Tue, 8 Aug 2017 22:04:37 +0000 (00:04 +0200)]
Add a wrapper to call qemu-system-aarch64 from ganeti
... until things get integrated upstream.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Julien Cristau [Mon, 8 May 2017 08:59:39 +0000 (10:59 +0200)]
Add codesign bits for secure boot
Julien Cristau [Tue, 8 Aug 2017 00:36:27 +0000 (20:36 -0400)]
Remove busoni from static
Julien Cristau [Tue, 8 Aug 2017 00:03:48 +0000 (20:03 -0400)]
Fix update-fastly-ips cron job
/usr/local/bin is not in PATH
Julien Cristau [Mon, 7 Aug 2017 22:57:36 +0000 (18:57 -0400)]
And fixup cron job
Julien Cristau [Mon, 7 Aug 2017 22:56:01 +0000 (18:56 -0400)]
Move shutdown marker around
Julien Cristau [Mon, 7 Aug 2017 22:36:23 +0000 (18:36 -0400)]
One day I'll be able to rename things in all places rather than forgetting half of them
Julien Cristau [Mon, 7 Aug 2017 20:31:03 +0000 (16:31 -0400)]
Export scheduled shutdowns to the web
Move logic from dsa2_shutdown nrpe command to a separate script, and use
it to let http(s) clients know a shutdown is scheduled.
Julien Cristau [Mon, 7 Aug 2017 20:03:33 +0000 (16:03 -0400)]
Rename cron.d entry to make it clear it comes from puppet
Aurelien Jarno [Mon, 7 Aug 2017 17:18:25 +0000 (19:18 +0200)]
Base lvm-conova-ganeti.conf on the stretch lvm.conf
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Mon, 7 Aug 2017 16:34:22 +0000 (18:34 +0200)]
Add missing file from previous commit
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Mon, 7 Aug 2017 16:32:07 +0000 (18:32 +0200)]
Setup aagaard/acker as a ganeti cluster
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Tollef Fog Heen [Mon, 7 Aug 2017 16:32:17 +0000 (18:32 +0200)]
Fix typo
Tollef Fog Heen [Mon, 7 Aug 2017 16:30:18 +0000 (18:30 +0200)]
Allow traffic from Fastly to 5141 instead and set up syslog-ng rules
Julien Cristau [Sun, 6 Aug 2017 22:51:09 +0000 (18:51 -0400)]
Fix getfastlyranges harder
Julien Cristau [Sun, 6 Aug 2017 22:29:43 +0000 (18:29 -0400)]
Fix cron job
/srv/puppet.debian.org/puppet-facts is root only
Tollef Fog Heen [Sun, 6 Aug 2017 22:28:27 +0000 (00:28 +0200)]
Update IPs for tfheen
Julien Cristau [Sun, 6 Aug 2017 22:25:37 +0000 (18:25 -0400)]
Fix template syntax
Julien Cristau [Sun, 6 Aug 2017 22:23:15 +0000 (18:23 -0400)]
Handle exceptions from reading fastly IP ranges
Julien Cristau [Sun, 6 Aug 2017 19:45:09 +0000 (15:45 -0400)]
ferm: accept syslog from fastly IPs
Julien Cristau [Sun, 6 Aug 2017 19:16:27 +0000 (15:16 -0400)]
Keep a list of fastly IPs
Aurelien Jarno [Sun, 6 Aug 2017 22:00:26 +0000 (00:00 +0200)]
update-buildd-schroots: shift chroot build time by 1 hour
So we don't try to recreate chroots exactly when the mirrors are being
updated. dak is faster those days and debootstrap still doesn't use
by-hash.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Aurelien Jarno [Sun, 6 Aug 2017 00:30:42 +0000 (02:30 +0200)]
Remove mirror-conova from experimental-apache as it is being upgraded to stretch
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Héctor Orón Martínez [Sat, 5 Aug 2017 20:42:36 +0000 (22:42 +0200)]
decomission praetorius rt#6714
Signed-off-by: Héctor Orón Martínez <zumbi@debian.org>
Aurelien Jarno [Sat, 5 Aug 2017 16:04:06 +0000 (18:04 +0200)]
decommission porpora
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Luca Filipozzi [Thu, 3 Aug 2017 22:10:37 +0000 (22:10 +0000)]
for DC17, permit another IPv4 address to access vittoria:5432
Luca Filipozzi [Thu, 3 Aug 2017 20:41:22 +0000 (20:41 +0000)]
typo
Luca Filipozzi [Thu, 3 Aug 2017 20:36:30 +0000 (20:36 +0000)]
allow DC17 machine(s) to access postgres on vittoria
Luca Filipozzi [Thu, 3 Aug 2017 15:36:09 +0000 (15:36 +0000)]
Debian SSO rebuilt their CA certificate
Peter Palfrader [Wed, 2 Aug 2017 16:44:49 +0000 (18:44 +0200)]
At least on lobos we no longer seem to require running a 10.0.* hp-health package. Remove the pin everywhere and see how that goes
Peter Palfrader [Wed, 2 Aug 2017 15:49:55 +0000 (17:49 +0200)]
Remove lobos from experimental-apache as it is being upgraded to stretch
Julien Cristau [Wed, 2 Aug 2017 13:43:47 +0000 (15:43 +0200)]
mirror-anu is on stretch, remove from experimental_apache
Aurelien Jarno [Sun, 30 Jul 2017 12:08:50 +0000 (14:08 +0200)]
samhain: disable SUID/SGID checks
The SUID/SGID checks have been enabled in our configuration file
since the beginning, but have been actually active only for stretch
hosts as the jessie version of samhain is built without SUID/SGID
check support.
These checks are not very flexible, as it's only possible to specify a
single excluded directory, while we want to avoid walking both /srv and
/home. However they are also not very useful in our use case, as files
which get a SUID/SGID bit flipped will appear as changed.
Therefore simply disable the SUID/SGID checks.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Paul Wise [Sun, 30 Jul 2017 03:58:40 +0000 (23:58 -0400)]
Do not backup the Apache disk cache
Avoids warnings due to races when it is cleaned/backed up at the same time:
Could not stat "/var/cache/apache2/mod_cache_disk/r/k/txeIh19LMLMAVeQKsKcg.header": ERR=No such file or directory
Peter Palfrader [Wed, 26 Jul 2017 09:13:22 +0000 (11:13 +0200)]
updatemotd exec is not used anywhere anymore. Remove.
Peter Palfrader [Wed, 26 Jul 2017 09:12:02 +0000 (11:12 +0200)]
/var/run/motd no longer exists on stretch, link /etc/motd to /run/motd.dynamic instead
Peter Palfrader [Mon, 24 Jul 2017 14:48:20 +0000 (16:48 +0200)]
These host_blacklist entries seem to not be effective, but the envelope sender entry in blacklist does the job
Peter Palfrader [Mon, 24 Jul 2017 11:11:33 +0000 (13:11 +0200)]
Also add the dnsname healthtorpedo.com to the blacklist
Peter Palfrader [Mon, 24 Jul 2017 11:07:04 +0000 (13:07 +0200)]
envelope from is double-bounce@healthtorpedo.com for the crap we are seeing
Peter Palfrader [Sun, 23 Jul 2017 18:34:04 +0000 (20:34 +0200)]
extend blacklist to 155.133.38.0/24 for sending us backscatter
Peter Palfrader [Sun, 23 Jul 2017 17:58:25 +0000 (19:58 +0200)]
blacklist 155.133.38.26 for sending us backscatter
Peter Palfrader [Sat, 22 Jul 2017 19:06:54 +0000 (21:06 +0200)]
new network space for weasel
Julien Cristau [Sat, 22 Jul 2017 18:35:49 +0000 (20:35 +0200)]
remove senfter from experimental_apache
It's on stretch now.
Julien Cristau [Sat, 22 Jul 2017 16:17:41 +0000 (18:17 +0200)]
wieck is on stretch, remove from experimental_apache
Julien Cristau [Sat, 22 Jul 2017 11:18:39 +0000 (13:18 +0200)]
Add https://release.d.o/oldstable-proposed-updates as an alias to /proposed-updates
Signed-off-by: Julien Cristau <jcristau@debian.org>
Paul Wise [Sat, 22 Jul 2017 04:12:53 +0000 (14:12 +1000)]
Blacklist MAILER-DAEMON@healthtorpedo.com
It is continuing to mail postmaster@debian.com with this output:
Transcript of session follows.
Out: 220 healthtorpedo.com ESMTP Postfix (Ubuntu)
In: EHLO cash-miner.com
Out: 250-healthtorpedo.com
Out: 250-PIPELINING
Out: 250-SIZE
10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:<postmaster@healthtorpedo.com>
Out: 452 4.3.1 Insufficient system storage
Out: 421 4.7.0 healthtorpedo.com Error: too many errors
Session aborted, reason: too many errors
For other details, see the local mail logfile
Daniel Aleksandersen [Thu, 20 Jul 2017 00:16:22 +0000 (10:16 +1000)]
Bypass web caches for the NetworkManager connection tests
Ensures users are testing their network instead of their cache/proxy.
Reported-in: https://ctrl.blog/entry/network-connection-http-checks
Suggested-in: <
1500474664.14216.2.camel@daniel.priv.no>
Signed-off-by: Paul Wise <pabs@debian.org>
Paul Wise [Thu, 20 Jul 2017 00:07:47 +0000 (10:07 +1000)]
Use full path to bconsole more
The upgrade to stretch removed a compat symlink leading to tracebacks:
Traceback (most recent call last):
File "/etc/bacula/scripts/volumes-delete-old", line 118, in <module>
p = subprocess.Popen(['bconsole'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
File "/usr/lib/python3.5/subprocess.py", line 676, in __init__
restore_signals, start_new_session)
File "/usr/lib/python3.5/subprocess.py", line 1282, in _execute_child
raise child_exception_type(errno_num, err_msg)
FileNotFoundError: [Errno 2] No such file or directory: 'bconsole'
Fixes: commit
1abd64e991921cfbc61cf769141e519510d1b671
Paul Wise [Wed, 19 Jul 2017 02:11:34 +0000 (12:11 +1000)]
Use full path to bconsole
The upgrade to stretch removed a compat symlink leading to tracebacks:
Traceback (most recent call last):
File "/etc/bacula/scripts/volumes-delete-old", line 118, in <module>
p = subprocess.Popen(['bconsole'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
File "/usr/lib/python3.5/subprocess.py", line 676, in __init__
restore_signals, start_new_session)
File "/usr/lib/python3.5/subprocess.py", line 1282, in _execute_child
raise child_exception_type(errno_num, err_msg)
FileNotFoundError: [Errno 2] No such file or directory: 'bconsole'
Aurelien Jarno [Tue, 18 Jul 2017 08:50:42 +0000 (10:50 +0200)]
setup-dchroot: don't create an lts alias
squeeze-lts is gone and wheezy uses the security suite for lts.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Peter Palfrader [Mon, 17 Jul 2017 13:22:23 +0000 (15:22 +0200)]
Use systemd::override instead of manual bacula-fd.service.d/user.conf
Peter Palfrader [Mon, 17 Jul 2017 13:13:31 +0000 (15:13 +0200)]
only notify service if defined
Peter Palfrader [Mon, 17 Jul 2017 13:12:08 +0000 (15:12 +0200)]
Actually pass-through $ensure
Peter Palfrader [Mon, 17 Jul 2017 13:10:34 +0000 (15:10 +0200)]
Add haveged service override to work around #858134
Peter Palfrader [Mon, 17 Jul 2017 13:09:59 +0000 (15:09 +0200)]
only notify service if defined
Peter Palfrader [Mon, 17 Jul 2017 13:02:41 +0000 (15:02 +0200)]
Add haveged facter
Peter Palfrader [Mon, 17 Jul 2017 09:51:26 +0000 (11:51 +0200)]
ignore libssl1.0.0 postgresql-client-9.4 on storace and backuphost
Peter Palfrader [Mon, 17 Jul 2017 09:50:06 +0000 (11:50 +0200)]
ignore libssl1.0.0 postgresql-client-9.4 on storace and backuphost
Peter Palfrader [Mon, 17 Jul 2017 09:48:12 +0000 (09:48 +0000)]
bacula-director needs DNS to launch
Peter Palfrader [Mon, 17 Jul 2017 09:47:07 +0000 (09:47 +0000)]
override for bacula-sd: set group and supplementary group
Peter Palfrader [Mon, 17 Jul 2017 09:46:48 +0000 (09:46 +0000)]
syntax fix
Peter Palfrader [Mon, 17 Jul 2017 09:45:24 +0000 (09:45 +0000)]
and restart service in question
Peter Palfrader [Mon, 17 Jul 2017 09:44:37 +0000 (09:44 +0000)]
fix notify for systemd::override absent case
Peter Palfrader [Mon, 17 Jul 2017 09:29:35 +0000 (11:29 +0200)]
Add systemd override unit
Peter Palfrader [Wed, 12 Jul 2017 14:33:17 +0000 (16:33 +0200)]
Add 2017 DNS root key
Peter Palfrader [Sat, 15 Jul 2017 21:09:43 +0000 (23:09 +0200)]
Maybe also support shutdown check on stretch
Julien Cristau [Wed, 12 Jul 2017 12:38:44 +0000 (14:38 +0200)]
Revert "Don't push incoming to klecker"
This reverts commit
8518814d3c5330902bd83d12055f43babc293255.
Peter Palfrader [Wed, 12 Jul 2017 12:12:00 +0000 (14:12 +0200)]
new rsync option from stretch rsync clients
Julien Cristau [Wed, 5 Jul 2017 18:12:41 +0000 (20:12 +0200)]
New ipv6 addresses for klecker
Julien Cristau [Wed, 5 Jul 2017 16:31:30 +0000 (18:31 +0200)]
suchon is an upload host (*.security.upload.debian.org)
Julien Cristau [Wed, 5 Jul 2017 16:09:32 +0000 (18:09 +0200)]
Add suchon
Julien Cristau [Tue, 4 Jul 2017 18:59:29 +0000 (20:59 +0200)]
exim: postgrey in stretch handles host to network address translation
Rather than using ${mask:...} in the exim config, we can let postgrey do
this on its own. Otherwise, it gets confused with ipv6 addresses using
dots instead of colons as separators, and crashes
(https://bugs.debian.org/867201).
Peter Palfrader [Tue, 4 Jul 2017 13:36:13 +0000 (15:36 +0200)]
One bconsole run per truncate run
Peter Palfrader [Tue, 4 Jul 2017 09:39:19 +0000 (11:39 +0200)]
string stuff for py3
Peter Palfrader [Tue, 4 Jul 2017 09:28:15 +0000 (11:28 +0200)]
volumes-delete-old update
Peter Palfrader [Tue, 4 Jul 2017 09:21:29 +0000 (11:21 +0200)]
delete old volumes daily
Peter Palfrader [Tue, 4 Jul 2017 09:21:18 +0000 (11:21 +0200)]
move crontab to file
Peter Palfrader [Tue, 4 Jul 2017 09:20:14 +0000 (11:20 +0200)]
rename get-deleteable-volumes -> volumes-delete-old
Peter Palfrader [Tue, 4 Jul 2017 09:14:07 +0000 (11:14 +0200)]
Add script to find deletable volumes
Peter Palfrader [Tue, 4 Jul 2017 09:10:35 +0000 (11:10 +0200)]
Make volume-purge-action learn about mediatypes from the DB
Tollef Fog Heen [Mon, 3 Jul 2017 09:58:37 +0000 (11:58 +0200)]
Allow thijs tcpdump on klecker
Peter Palfrader [Sun, 2 Jul 2017 18:48:28 +0000 (20:48 +0200)]
fix a link
Peter Palfrader [Sun, 2 Jul 2017 18:45:35 +0000 (20:45 +0200)]
Update apache2 cipher preferences from https://mozilla.github.io/server-side-tls/ssl-config-generator/
Aurelien Jarno [Sat, 1 Jul 2017 19:57:58 +0000 (21:57 +0200)]
Revert "redirect linux updates to security-cdn"
This reverts commit
b6f21532b07dfcb35d059d46913c306ea19c50e8.
Tollef Fog Heen [Sat, 1 Jul 2017 13:18:48 +0000 (15:18 +0200)]
Send stderr from dpkg-query to /dev/null to avoid cron spam
Tollef Fog Heen [Sat, 1 Jul 2017 07:42:04 +0000 (09:42 +0200)]
Fix up tor fact to not complain if the package has been purged
`dpkg -l $package` will return 0 if the package has been purged, so a
proper test for it instead. Also add a pair of quotes to make `dpkg
--compare-versions` not complain.
Julien Cristau [Wed, 28 Jun 2017 16:55:56 +0000 (09:55 -0700)]
Don't push incoming to klecker
klecker is already out of static rotation in auto-dns, and we're having
connectivity issues from fasolo, so this should be safe until we get
that resolved.
Julien Cristau [Wed, 28 Jun 2017 16:58:05 +0000 (09:58 -0700)]
Revert "Don't push incoming to klecker"
This reverts commit
3c6303312627c8662f12ca1431e81c12186847f9.
Turns out incoming and incoming.ports aren't the same thing.