Page MenuHomePhabricator

Shell/Python/other scripts should not be generated by ERB files; dynamic parts should be a simple ERB config file
Open, MediumPublic

Description

We have many scripts that are defined as ERB templates.

We often make simple errors when editing them, as there's no tooling for dealing with such a format -- and in fact it's quite hard to write tooling for such, given the format of Puppet catalogs (which elides which template file produced a given generated file).

Instead, let's forbid scripts being generated from templates. (And also set up shellcheck for .sh files.)

original/deprecated follows

Ideally CI would automatically expand the templates as best it could*, and then run all the 'usual' checks we'd run for such a language. However, there's several tricky parts of doing that. Having a way to specify (in a puppet spec test?) to run shell/Python checks on a template given certain inputs might be more achievable.

We could also make this a wrapper around PCC for manual testing of a few key scripts, to start with, if that was easier. Here's a v0 proof of concept that, given PCC output to expand the templates, yoinks the script out of the post-change catalog and runs it through shellcheck (which identifies an issue that caused problems when the patch was merged):

% curl -s https://puppet-compiler.wmflabs.org/compiler1003/22927/puppetmaster1002.eqiad.wmnet/change.puppetmaster1002.eqiad.wmnet.pson \
    | jq -r '.resources[] | select(.title == "/usr/local/bin/puppet-merge") | .parameters.content' \
    | shellcheck -

In - line 181:
if [ $LABS_PRIVATE -eq 1 -a ${LABS_EXIT} -ne 99]; then
^-- SC1009: The mentioned syntax error was in this if expression.
   ^-- SC1073: Couldn't parse this test expression. Fix to allow more checks.
                                                ^-- SC1020: You need a space before the ].
                                                ^-- SC1072: Missing space before ]. Fix any mentioned problems and try again.

from T277892

During Python 3 porting, I discovered a few Python 2 scripts that are erb files which get their configurations filled in through puppet. This makes them difficult to test and
maintain, so we should consider not doing that if possible.

The scripts are these:

modules/beta/templates/wmf-beta-autoupdate.py.erb
modules/profile/templates/hadoop/net-topology.py.erb
modules/profile/templates/hive/client/beeline_wrapper.py.erb

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+10 -3
operations/puppetproduction+18 -20
operations/puppetproduction+3 -2
operations/puppetproduction+1 -6
operations/puppetproduction+1 -4
operations/puppetproduction+0 -2
operations/puppetproduction+36 -19
operations/puppetproduction+43 -2
operations/puppetproduction+55 -50
operations/puppetproduction+7 -13
operations/puppetproduction+13 -5
operations/puppetproduction+5 -4
operations/puppetproduction+12 -11
operations/puppetproduction+1 -1
operations/puppetproduction+1 -1
operations/puppetproduction+5 -3
operations/puppetproduction+16 -4
operations/puppetproduction+3 -5
integration/configmaster+2 -2
integration/configmaster+10 -0
operations/puppetproduction+37 -37
operations/puppetproduction+61 -39
operations/puppetproduction+1 -1
operations/puppetproduction+6 -3
integration/configmaster+2 -2
integration/configmaster+8 -1
operations/puppetproduction+22 -17
operations/puppetproduction+24 -23
operations/puppetproduction+3 -2
operations/puppetproduction+14 -14
operations/puppetproduction+7 -7
Show related patches Customize query in gerrit

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Change 602645 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] dumps: fix shellcheck issues

https://gerrit.wikimedia.org/r/602645

Change 602646 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] confluent: fix shellcheck issues

https://gerrit.wikimedia.org/r/602646

Change 602647 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] osm: fix shellcheck issues

https://gerrit.wikimedia.org/r/602647

Change 602648 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] statistics: fix shelcheck issues in hardsync

https://gerrit.wikimedia.org/r/602648

Change 602649 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] prometheus: fix shellcheck issues in prometheus-local-crontabs.sh

https://gerrit.wikimedia.org/r/602649

Change 602650 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] planet: fix shellcheck issues in check_https

https://gerrit.wikimedia.org/r/602650

Change 602650 merged by Dzahn:
[operations/puppet@production] planet: fix shellcheck issues in check_https

https://gerrit.wikimedia.org/r/602650

Change 602644 merged by Dzahn:
[operations/puppet@production] mailmain: fix shellcheck issues remove_from_private.sh

https://gerrit.wikimedia.org/r/602644

Change 602643 merged by Jbond:
[operations/puppet@production] misc: fix minor shellcheck issues in a few scripts

https://gerrit.wikimedia.org/r/602643

Change 602693 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] CI: add CI to check shell scripts

https://gerrit.wikimedia.org/r/602693

Change 602694 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] CI: add some shell scripts to test the new shellcheck CI check

https://gerrit.wikimedia.org/r/602694

Change 602646 merged by Jbond:
[operations/puppet@production] confluent: fix shellcheck issues

https://gerrit.wikimedia.org/r/602646

Change 602648 merged by Jbond:
[operations/puppet@production] statistics: fix shelcheck issues in hardsync

https://gerrit.wikimedia.org/r/602648

Change 602710 had a related patch set uploaded (by Jbond; owner: John Bond):
[integration/config@master] operations-puppet: add shellcheck to docker image

https://gerrit.wikimedia.org/r/602710

Originally i wanted to do this checking in the Rake checks as that feels like the right place for them. however i cant think of a reasonable way to compile the erb files as we dont know the values of variables that would ordinarily be bound by the parent Puppet manifest. And different variables/hosts/roles etc could produce different outputs. As such im now leaning more to putting this in PCC, however i wonder if this should be in standard and in the main PCC code or if we should just have some helper scripts in utils. Regardless ill probably work on the latter to see how it looks but ideas welcome

Another option is we could just ban templated scripts and add CI to reject any erb file with a shebang in it. This would mean updating any current templated scripts to read a new templated config. i.e. move all the dynamic bits to a template

Change 602710 merged by jenkins-bot:
[integration/config@master] operations-puppet: add shellcheck to docker image

https://gerrit.wikimedia.org/r/602710

Change 602728 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] jjb: update puppet.git container for shellcheck

https://gerrit.wikimedia.org/r/602728

Change 602728 merged by jenkins-bot:
[integration/config@master] jjb: update puppet.git container for shellcheck

https://gerrit.wikimedia.org/r/602728

Change 602732 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] puppet-merge: split dynamic values out of puppet-merge script

https://gerrit.wikimedia.org/r/602732

Change 602738 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] puppet-merge: fix shellcheck issues

https://gerrit.wikimedia.org/r/602738

Sorry I'm late to this party, just noticed the task. I actually think that this is the wrong approach. We should not have executables that are ERB templates for anything more complex than 10 lines IMHO.
Those should be static scripts that parse a configuration file, and only the configuration file should be templated with ERB.

My 2 cents.

@Volans

Another option is we could just ban templated scripts and add CI to reject any erb file with a shebang in it. This would mean updating any current templated scripts to read a new templated config. i.e. move all the dynamic bits to a template

John has since gone on to implement this for puppet-merge (patches still pending) and I agree it's probably the right approach.

CDanis renamed this task from automated linting/analysis/other CI of Python/shell scripts generated by ERB to Shell/Python/other scripts should not be generated by ERB files; dynamic parts should be a simple ERB config file.Jun 5 2020, 8:01 PM
CDanis updated the task description. (Show Details)

@CDanis yeah, sorry I noticed that after replying.
Totally agree with this approach, would be nice to have the CI check but we have a bunch of few liners that would become just more complex and probably not gaining a lot, see for example the first part of this list:

$ for file in $(find . -not -path "./.bundle/*" -name "*.erb"); do if grep -q '^#!\/' "$file"; then wc -l "$file"; fi; done | sort -n
       1 ./modules/profile/templates/analytics/refinery/job/refinery-download-project-namespace-map.sh.erb
       2 ./modules/httpbb/templates/httpbb.sh.erb
       2 ./modules/puppetmaster/templates/git/private/pre-commit.erb
       3 ./modules/aptrepo/templates/log.erb
       3 ./modules/profile/templates/icinga/icinga-downtime-absent.sh.erb
       3 ./modules/varnish/templates/varnishmtail.default.erb
       4 ./modules/phabricator/templates/deployment/phab_deploy_promote.erb
       4 ./modules/rsync/templates/quickdatacopy.erb
       5 ./modules/phabricator/templates/deployment/phab_deploy_rollback.erb
       5 ./modules/trafficserver/templates/ats_instance_restart.sh.erb
       6 ./modules/fastnetmon/templates/fastnetmon_notify.sh.erb
       7 ./modules/conftool/templates/conftool-merge.erb
       7 ./modules/profile/templates/ncredir/ncredirlog.sh.erb
       7 ./modules/profile/templates/trafficserver/atslog.sh.erb
       8 ./modules/conftool/templates/safe-depool.erb
       8 ./modules/conftool/templates/safe-pool.erb
       8 ./modules/profile/templates/prometheus/node-directory-size.erb
       8 ./modules/profile/templates/trafficserver/update-ocsp-trafficserver-hook.erb
       8 ./modules/vagrant/templates/mwvagrant.erb
       8 ./modules/vagrant/templates/start-mwvagrant.sh.erb
       9 ./modules/conftool/templates/safe-restart.erb
       9 ./modules/service/templates/check-service.erb
      10 ./modules/role/templates/mariadb/backups/dumps-otrs.sh.erb
      11 ./modules/base/templates/initramfs_sleep.erb
      11 ./modules/cfssl/templates/initca.sh.erb
      11 ./modules/dumps/templates/web/fetches/analytics/job/rsync_script.sh.erb
      11 ./modules/snapshot/templates/set_dump_dirs.sh.erb
      11 ./modules/vagrant/templates/labs-vagrant.erb
      12 ./modules/phabricator/templates/vcs/phabricator-ssh-hook.sh.erb
      12 ./modules/profile/templates/presto/presto_client_ssl_kerberos.erb
      13 ./modules/monitoring/templates/check_dir-not-bad-owner.erb
      13 ./modules/profile/templates/analytics/refinery/job/refinery-drop-mediawiki-xmldumps-pages_meta_history.sh.erb
      13 ./modules/profile/templates/analytics/refinery/job/refinery-eventlogging-saltrotate.erb
      13 ./modules/profile/templates/analytics/refinery/job/refinery-import-mediawiki-dumps.sh.erb
      13 ./modules/profile/templates/kerberos/replicate_krb_database.erb
      13 ./modules/service/templates/node/tail-log.erb
      14 ./modules/package_builder/templates/D05localsources.erb
      14 ./modules/profile/templates/analytics/refinery/job/refinery-sqoop-whole-mediawiki.sh.erb
      15 ./modules/service/templates/node/apply-config.sh.erb
      16 ./modules/package_builder/templates/D01security.erb
      16 ./modules/profile/templates/analytics/search/airflow/airflow-clean-log-dirs.erb
      16 ./modules/profile/templates/analytics/search/airflow/airflow.sh.erb
      18 ./modules/cescout/templates/metadb-configure.sh.erb
      19 ./modules/conftool/templates/initialize.sh.erb
      20 ./modules/profile/templates/analytics/refinery/job/refinery-sqoop-mediawiki-production.sh.erb
      20 ./modules/profile/templates/icinga/inactive.motd.erb
      21 ./modules/openstack/templates/initscripts/nova-fullstack.erb
      21 ./modules/package_builder/templates/D02archive.erb
      21 ./modules/profile/templates/analytics/refinery/job/refinery-sqoop-mediawiki.sh.erb
      21 ./modules/profile/templates/analytics/refinery/job/spark_job.sh.erb
      21 ./modules/puppetmaster/templates/git-master-postcommit.erb
      22 ./modules/docker/templates/images/build-base-images.erb
      22 ./modules/package_builder/templates/D01apt.wikimedia.org.erb
      22 ./modules/profile/templates/analytics/refinery/job/refinery-import-wikidata-dumps.sh.erb
      22 ./modules/profile/templates/analytics/refinery/job/refinery-sqoop-mediawiki-private.sh.erb
      22 ./modules/profile/templates/debmonitor/server/run_django_command.sh.erb
      22 ./modules/role/templates/icinga/sync_icinga_state.sh.erb
      22 ./modules/tilerator/templates/notify-tilerator.erb
      23 ./modules/profile/templates/kerberos/kadminserver/inactive.motd.erb
      23 ./modules/profile/templates/mediawiki/maintenance/inactive.motd.erb
      23 ./modules/role/templates/deployment/inactive.motd.erb
      24 ./modules/package_builder/templates/D02backports.erb
      24 ./modules/statistics/templates/published-sync.sh.erb
      26 ./modules/profile/templates/install_server/inactive.motd.erb
      26 ./modules/role/templates/releases/rsync_source_warning.motd.erb
      28 ./modules/profile/templates/hadoop/net-topology.py.erb
      28 ./modules/rsync/templates/quickdatacopy-ssl-wrapper.erb
      30 ./modules/osm/templates/import_waterlines.erb
      33 ./modules/monitoring/templates/check_git-needs-merge.erb
      33 ./modules/profile/templates/calico/build-calico.sh.erb
      33 ./modules/role/templates/bastionhost/inactive.motd.erb
      34 ./modules/base/templates/check_eth.erb
      36 ./modules/docker/templates/images/build-alpine.erb
      39 ./modules/phabricator/templates/deployment/phab_deploy_finalize.erb
      44 ./modules/osm/templates/replicate-osm.erb
      46 ./modules/profile/templates/wmcs/dologmsg.erb
      47 ./modules/base/templates/puppet-run.erb
      49 ./modules/openstack/templates/bootstrap/glance/glance_seed.sh.erb
      60 ./modules/httpbb/templates/deploy_apache_change.sh.erb
      61 ./modules/backup/templates/mysql-predump.erb
      65 ./modules/profile/templates/hive/client/beeline_wrapper.py.erb
      68 ./modules/profile/templates/icinga/icinga-downtime.sh.erb
      69 ./modules/bacula/templates/bpipe-mysql-db.erb
      73 ./modules/haproxy/templates/check_haproxy.erb
      78 ./modules/profile/templates/wmcs/nfs/nfs-manage.sh.erb
      91 ./modules/cescout/templates/metadb_s3_tarx.erb
      98 ./modules/profile/templates/initscripts/mariadb/misc/eventlogging/eventlogging_sync.sysvinit.erb
     102 ./modules/spamassassin/templates/sa-update-cron.erb
     109 ./modules/cdh/templates/spark/spark-env.sh.erb
     148 ./modules/beta/templates/wmf-beta-autoupdate.py.erb
     149 ./modules/labstore/templates/tc-setup.sh.erb
     157 ./modules/service/templates/deployment_script.sh.erb
     202 ./modules/puppetmaster/templates/puppet-merge.erb
     221 ./modules/openstack/templates/queens/nova/placement/nova-placement-api.erb
     221 ./modules/openstack/templates/rocky/nova/placement/nova-placement-api.erb
     260 ./modules/phabricator/templates/community_metrics.sh.erb
     328 ./modules/phabricator/templates/project_changes.sh.erb
     446 ./modules/mariadb/templates/mariadb.server.erb

I agree. Example: the first attempt at ./modules/dumps/templates/web/fetches/analytics/job/rsync_script.sh.erb was here https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/594773/2/modules/dumps/manifests/web/fetches/analytics/job.pp so you can see why erb was the natural approach in the end. Another file in there (modules/snapshot/templates/set_dump_dirs.sh.erb) literally just sets some vars to be picked up by the 'real' shell scripts that use it; I favour allowing scripts like these and strongly encouraging folks with long scripts as erb files to refactor them accordingly.

@CDanis yeah, sorry I noticed that after replying.
Totally agree with this approach, would be nice to have the CI check but we have a bunch of few liners that would become just more complex and probably not gaining a lot, see for example the first part of this list:

for scripts that are just one line i think it reasonable to just build the content in puppet, this is a bit of a cheat but for simple one liners i think its a fine compromise. I took a quick look through the files other then the oneliners, some of them don't actually need to be templates as there is no erb and a few others look like they are already config files so we could possibly just remove the shebang . however there are of course some that may be a bit awkward to fit into this model. Perhaps we should just whitelist them. It would at least mean going forward we don't have more violations added.

Ill have a closer look next week and see if how much we can reduce that list with quick wins.

Change 602771 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] Example: build script in line in puppet

https://gerrit.wikimedia.org/r/602771

I agree. Example: the first attempt at ./modules/dumps/templates/web/fetches/analytics/job/rsync_script.sh.erb was here https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/594773/2/modules/dumps/manifests/web/fetches/analytics/job.pp so you can see why erb was the natural approach in the end. Another file in there (modules/snapshot/templates/set_dump_dirs.sh.erb) literally just sets some vars to be picked up by the 'real' shell scripts that use it; I favour allowing scripts like these and strongly encouraging folks with long scripts as erb files to refactor them accordingly.

sorry i missed this before i responded. I took a look at this script and Created a CR to show how it may look building the script in puppet. like i said its a bit of a cheat but tbh for simple things like this i prefer to see them inline in the puppet manifest instead of having to open a new file. that said i suspect many may disagree

@jbond I added the author of the one patch as a reviewer for their thoughts, since likely analytics folks will wind up maintaining that particular bit.

Change 602647 merged by Ryan Kemper:
[operations/puppet@production] osm: fix shellcheck issues

https://gerrit.wikimedia.org/r/602647

Change 603175 had a related patch set uploaded (by Hashar; owner: Hashar):
[integration/config@master] docker: use more recent shellcheck

https://gerrit.wikimedia.org/r/603175

The CI container is build using Buster which comes with shellcheck 0.5.0 from May 2018. I have proposed a change to borrow the package from buster-backports and get 0.7.1 instead. https://gerrit.wikimedia.org/r/#/c/integration/config/+/603175

Notably because it adds new checks and it also has two interesting options which we might want to use:

  • --severity for filtering by minimum severity. So that potentially we can make the task fail on error but just report on warnings/info etc.
  • --wiki-link-count for showing wiki links . Grants us detailed information

Change 603364 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] phabricator: convert 2 scripts created from erb to files with config files

https://gerrit.wikimedia.org/r/603364

@jbond I added the author of the one patch as a reviewer for their thoughts, since likely analytics folks will wind up maintaining that particular bit.

great thanks

Change 602649 merged by Jbond:
[operations/puppet@production] prometheus: fix shellcheck issues in prometheus-local-crontabs.sh

https://gerrit.wikimedia.org/r/602649

Change 603364 merged by Dzahn:
[operations/puppet@production] phabricator: convert 2 scripts created from erb to files with config files

https://gerrit.wikimedia.org/r/603364

Change 602732 merged by Jbond:
[operations/puppet@production] puppet-merge: split dynamic values out of puppet-merge script

https://gerrit.wikimedia.org/r/602732

Change 602738 merged by Jbond:
[operations/puppet@production] puppet-merge: fix shellcheck issues

https://gerrit.wikimedia.org/r/602738

Change 603490 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] httpbb: convert an .erb.sh script to inline content

https://gerrit.wikimedia.org/r/603490

Change 603492 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] icinga: convert sync_icinga_state.sh.erb to file with config

https://gerrit.wikimedia.org/r/603492

Change 603175 merged by jenkins-bot:
[integration/config@master] docker: use more recent shellcheck

https://gerrit.wikimedia.org/r/603175

Mentioned in SAL (#wikimedia-releng) [2020-06-08T17:55:39Z] <James_F> Docker: Publishing operations-puppet image, now with upgraded shellcheck T254480

Change 603563 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[integration/config@master] jjb: Upgrade puppet jobs to new shellcheck version

https://gerrit.wikimedia.org/r/603563

Change 603563 merged by jenkins-bot:
[integration/config@master] jjb: Upgrade puppet jobs to new shellcheck version

https://gerrit.wikimedia.org/r/603563

Change 603490 merged by Dzahn:
[operations/puppet@production] httpbb: convert an .erb.sh script to inline content

https://gerrit.wikimedia.org/r/603490

Change 603492 merged by Dzahn:
[operations/puppet@production] icinga: convert sync_icinga_state.sh.erb to file with config

https://gerrit.wikimedia.org/r/603492

Change 605261 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] alytics::refinery::job: build simple script inline in puppet

https://gerrit.wikimedia.org/r/605261

Change 605262 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] puppetmaster::gitclone: build single line script inline

https://gerrit.wikimedia.org/r/605262

Change 605262 merged by Jbond:
[operations/puppet@production] puppetmaster::gitclone: build single line script inline

https://gerrit.wikimedia.org/r/605262

Change 605267 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] aptrepo: build single line shell script inline

https://gerrit.wikimedia.org/r/605267

Change 605271 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] profile::icinga: move single line scripts in line

https://gerrit.wikimedia.org/r/605271

Change 605272 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] varnish::logging: move default definitions inline

https://gerrit.wikimedia.org/r/605272

Change 605274 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] phabricator: move template to file as no dynamic values

https://gerrit.wikimedia.org/r/605274

Change 605274 merged by Jbond:
[operations/puppet@production] phabricator: move template to file as no dynamic values

https://gerrit.wikimedia.org/r/605274

Change 605275 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] rsync: move oneline script inline

https://gerrit.wikimedia.org/r/605275

Change 605276 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] phabricator: move template to file as no dynamic values

https://gerrit.wikimedia.org/r/605276

Change 605279 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] trafficserver::instance: move single line scripts inline

https://gerrit.wikimedia.org/r/605279

Change 605276 merged by Jbond:
[operations/puppet@production] phabricator: move template to file as no dynamic values

https://gerrit.wikimedia.org/r/605276

Change 605271 merged by Jbond:
[operations/puppet@production] profile::icinga: move single line scripts in line

https://gerrit.wikimedia.org/r/605271

Change 605267 merged by Jbond:
[operations/puppet@production] aptrepo: build single line shell script inline

https://gerrit.wikimedia.org/r/605267

Change 605275 merged by Jbond:
[operations/puppet@production] rsync: move oneline script inline

https://gerrit.wikimedia.org/r/605275

Change 602771 merged by Jbond:
[operations/puppet@production] Example: build script in line in puppet

https://gerrit.wikimedia.org/r/602771

Change 602645 merged by ArielGlenn:
[operations/puppet@production] dumps: fix shellcheck issues

https://gerrit.wikimedia.org/r/602645

Change 602693 merged by Jbond:
[operations/puppet@production] CI: add CI to check shell scripts

https://gerrit.wikimedia.org/r/c/operations/puppet/ /602693

Change 602694 abandoned by Jbond:
[operations/puppet@production] CI: add some shell scripts to test the new shellcheck CI check

Reason:

https://gerrit.wikimedia.org/r/602694

Change 605272 merged by Jbond:
[operations/puppet@production] varnish::logging: move default definitions inline

https://gerrit.wikimedia.org/r/605272

Change 605279 merged by Jbond:
[operations/puppet@production] trafficserver::instance: move single line scripts inline

https://gerrit.wikimedia.org/r/605279

Change 615413 had a related patch set uploaded (by Filippo Giunchedi; owner: Filippo Giunchedi):
[operations/puppet@production] rsync: fix quickdatacopy sync script

https://gerrit.wikimedia.org/r/615413

Change 615413 merged by Filippo Giunchedi:
[operations/puppet@production] rsync: fix quickdatacopy sync script

https://gerrit.wikimedia.org/r/615413

Change 630257 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] phabricator: don't create chk_phuser shell script from erb (WIP)

https://gerrit.wikimedia.org/r/630257

Change 630257 merged by Dzahn:
[operations/puppet@production] phabricator: don't create chk_phuser shell script from erb

https://gerrit.wikimedia.org/r/630257

Change 605261 merged by Jbond:
[operations/puppet@production] alytics::refinery::job: build simple script inline in puppet

https://gerrit.wikimedia.org/r/605261

I'm scoping part of the broader python3 porting to get rid of .py.erb files also since they break all the tools I'm using to semi-automate parts of the process. :)

Dropping releng/CI, doesn't seem we have anything to do to complete the resolution of this task. It seems decoupling code and configuration can be achieved entirely in the Puppet repo without further tweaking in CI config/jobs.