Page MenuHomePhabricator
Create Task
Maniphest T271274

Security patch workflow for MediaWiki on k8s
Closed, ResolvedPublic
Actions

Description

  • Pipeline creates pre-production image
  • Apply security patches onto production container image
  • If patch application fails then process fails and notifies relevant parties
  • Pushes resulting production container image into private registry from which we can deploy it

Dependency on SRE:

  • Private registry

Can we deploy this to staging somewhere for smoke-tests and mwdebug testing?

Details

SubjectRepoBranchLines +/-
Email notification of security patch failureoperations/mediawiki-configmaster+149 -54
pipeline: Fix how vendor patches are appliedoperations/mediawiki-configmaster+22 -7
Include patches in restricted imageoperations/mediawiki-configmaster+73 -12
Customize query in gerrit

Related Objects
Search...

Event Timeline

thcipriani created this task.Jan 5 2021, 10:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2021, 10:05 PM
dduvall mentioned this in T271448: Proof of concept for multi-version MediaWiki images.Jan 7 2021, 7:02 PM
dduvall added a parent task: T238771: Get production MW-land images built and published.Jan 7 2021, 7:06 PM
thcipriani assigned this task to dduvall.Feb 2 2021, 9:09 PM
thcipriani added a subtask: T273521: Create restricted docker-registry namespace for security patched images.
sbassett subscribed.Feb 12 2021, 8:45 PM
thcipriani moved this task from Backlog to Ready on the MW-on-K8s board.Feb 16 2021, 9:15 PM
dduvall closed subtask T273521: Create restricted docker-registry namespace for security patched images as Resolved.Mar 12 2021, 5:37 PM
Legoktm reopened subtask T273521: Create restricted docker-registry namespace for security patched images as Open.Mar 15 2021, 9:04 PM
Legoktm closed subtask T273521: Create restricted docker-registry namespace for security patched images as Resolved.Mar 18 2021, 6:33 PM
dancy claimed this task.Mar 23 2021, 6:47 PM
dancy triaged this task as Medium priority.
dancy added a subscriber: dduvall.
gerritbot added a comment.Mar 23 2021, 6:48 PM

Change 674132 had a related patch set uploaded (by Ahmon Dancy; owner: Ahmon Dancy):
[operations/mediawiki-config@master] Include patches in restricted image

https://gerrit.wikimedia.org/r/674132

gerritbot added a project: Patch-For-Review.Mar 23 2021, 6:48 PM
gerritbot added a comment.Mar 25 2021, 6:03 PM

Change 674132 merged by jenkins-bot:
[operations/mediawiki-config@master] Include patches in restricted image

https://gerrit.wikimedia.org/r/674132

Stashbot added a comment.Mar 25 2021, 6:09 PM

Mentioned in SAL (#wikimedia-operations) [2021-03-25T18:09:13Z] <marxarelli> scap sync-file .pipeline Config: [[gerrit:674132|Include patches in restricted image (T271274)]]

Maintenance_bot removed a project: Patch-For-Review.Mar 25 2021, 6:11 PM
dduvall closed subtask T273676: Jenkins job exists for building patched MediaWiki image as Resolved.Mar 25 2021, 10:05 PM
dduvall mentioned this in T273676: Jenkins job exists for building patched MediaWiki image.
thcipriani edited projects, added Release-Engineering-Team-TODO (2021-04-01 to 2021-06-30 (Q4)); removed Release-Engineering-Team-TODO (2021-01-01 to 2021-03-31 (Q3)).Mar 30 2021, 8:13 PM

Pushing to Q4 as the one piece of this task left undone is "notifies relevant parties"; i.e., we don't have notification for security folks (or security patch authors) when patches don't apply.

thcipriani moved this task from INBOX to New Work on the Release-Engineering-Team-TODO (2021-04-01 to 2021-06-30 (Q4)) board.Mar 30 2021, 8:13 PM
gerritbot added a comment.Apr 13 2021, 10:59 PM

Change 679008 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/mediawiki-config@master] pipeline: Fix how vendor patches are applied

https://gerrit.wikimedia.org/r/679008

gerritbot added a project: Patch-For-Review.Apr 13 2021, 10:59 PM
gerritbot added a comment.Apr 13 2021, 11:15 PM

Change 679008 merged by jenkins-bot:

[operations/mediawiki-config@master] pipeline: Fix how vendor patches are applied

https://gerrit.wikimedia.org/r/679008

Maintenance_bot removed a project: Patch-For-Review.Apr 14 2021, 12:11 AM
thcipriani removed a project: Release-Engineering-Team (Pipeline).Apr 20 2021, 1:25 AM
thcipriani edited projects, added Release-Engineering-Team (Doing); removed Release-Engineering-Team-TODO (2021-04-01 to 2021-06-30 (Q4)).Apr 20 2021, 4:25 AM
gerritbot added a comment.May 14 2021, 8:18 PM

Change 679015 had a related patch set uploaded (by Ahmon Dancy; author: Ahmon Dancy):

[operations/mediawiki-config@master] Email notification of security patch failure

https://gerrit.wikimedia.org/r/679015

gerritbot added a project: Patch-For-Review.May 14 2021, 8:18 PM
gerritbot added a comment.May 14 2021, 8:37 PM

Change 679015 merged by jenkins-bot:

[operations/mediawiki-config@master] Email notification of security patch failure

https://gerrit.wikimedia.org/r/679015

dancy closed this task as Resolved.May 14 2021, 8:39 PM
Maintenance_bot removed a project: Patch-For-Review.May 14 2021, 9:11 PM
thcipriani awarded a token.May 14 2021, 9:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits