
[mwcli mwdd] Install and Update are run by root since switch to wmf dev images
Closed, ResolvedPublic

Description

Spotted while looking at T282360

I have no name!@mediawiki:/var/log/mediawiki$ ls -lahr
total 184K
-rw-r--r-- 1 root root 173K May 22 15:03 debug.log

This also happens to the sqlite databases, which really is not great...

I have no name!@mediawiki:/var/www/html/w/data$ ls -lahr
total 1.2M
-rw-r--r--  1 root root    0 May 24 17:10 wikicache.sqlite
drwxr-xr-x  2 root root 4.0K May 24 17:10 locks
-rw-r--r--  1 root root  12K May 24 17:10 default_l10n_cache.sqlite
-rw-r--r--  1 root root  12K May 24 17:10 default_jobqueue.sqlite
-rw-r--r--  1 root root 1.2M May 24 17:10 default.sqlite

As using the dev with sqlite will just mean the db appears to be locked.

Event Timeline

Addshore moved this task from Inbox to In Progress on the mwcli board.

This is because the default user in the new fpm images used from T283404 is root, but the web service runs as nobody...

  1 root      20   0   21356   3168   2908 S   0.0  0.0   0:00.04 entrypoint.sh
  9 root      20   0   21356   3240   2976 S   0.0  0.0   0:00.00 php_entrypoint.
 11 root      20   0  676628  36908  28276 S   0.0  0.4   0:00.17 php-fpm7.4
 12 nobody    20   0  685580  57900  43976 S   0.0  0.6   0:01.14 php-fpm7.4
 13 nobody    20   0  685508  61680  47820 S   0.0  0.7   0:01.46 php-fpm7.4
 14 nobody    20   0  685556  54492  40696 S   0.0  0.6   0:00.89 php-fpm7.4
 15 nobody    20   0  683488  50944  39276 S   0.0  0.6   0:00.52 php-fpm7.4
 16 nobody    20   0  683384  53268  41612 S   0.0  0.6   0:00.32 php-fpm7.4
 17 nobody    20   0  685624  60828  46800 S   0.0  0.7   0:01.41 php-fpm7.4
 18 nobody    20   0  685336  54732  41068 S   0.0  0.6   0:01.27 php-fpm7.4
 19 nobody    20   0  685496  63036  49176 S   0.0  0.7   0:01.30 php-fpm7.4
140 root      20   0   21592   3660   3108 S   0.0  0.0   0:00.05 bash
150 root      20   0   44432   3592   3096 R   0.0  0.0   0:00.03 top

This was also an issue with the old image, I just hadn't spotted it yet!

  1 root      20   0   21356   3240   2972 S   0.0  0.0   0:00.04 entrypoint.sh
  9 root      20   0   21368   3360   3060 S   0.0  0.0   0:00.00 entrypoint.sh
 15 root      20   0  632188  17852   9600 S   0.0  0.2   0:00.01 php-fpm7.2
 16 root      20   0    4276    756    688 S   0.0  0.0   0:00.00 apache2ctl
 17 nobody    20   0  632188   9704   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 18 nobody    20   0  632188   9704   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 19 nobody    20   0  632188   9704   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 20 nobody    20   0  632188   9708   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 21 nobody    20   0  632188   9708   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 22 nobody    20   0  632188   9708   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 23 nobody    20   0  632188   9708   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 24 nobody    20   0  632188   9708   1452 S   0.0  0.1   0:00.00 php-fpm7.2
 27 root      20   0   95660   6480   4868 S   0.0  0.1   0:00.06 apache2
 28 www-data  20   0  688460   7652   3276 S   0.0  0.1   0:00.01 apache2
 29 www-data  20   0  688460   7652   3276 S   0.0  0.1   0:00.01 apache2
158 root      20   0   21596   3612   3164 S   0.0  0.0   0:00.04 bash
165 root      20   0   44432   3568   3064 R   0.0  0.0   0:00.00 top
root@mediawiki:/var/www/html/w# ls -lahr /var/log/mediawiki
total 184K
-rw-r--r-- 1 root root 174K May 22 15:48 debug.log
drwxr-xr-x 1 root root 4.0K May 22 15:47 ..
drwxr-xr-x 2 root root 4.0K May 22 15:47 .
root@mediawiki:/var/www/html/w#

Change 693572 had a related patch set uploaded (by Addshore; author: Addshore):

[mediawiki/tools/cli@master] mwdd: Don't use replication in update.php

https://gerrit.wikimedia.org/r/693572

The gerrit patch above was added to the wrong ticket.

As written in IRC...

6:59 PM <addshore> the "issue" right now is... using the dev image I run update.php which outputs logs owned by root. Then the webservice runs as nobody and can't write to those files. I could run the docker exec as nobody, but then that ties an assumption that will always be the case into the dev env
7:00 PM <addshore> so then for example if the prod image, or some other image doesn't use nobody, it'd then break again
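The mismatch described above (files created by a root-run install/update, php-fpm workers running as a different user) can be checked without hardcoding "nobody": read the worker user from the process list and compare it with the owners of the log and data files. This is an added example, not code from mwcli or the patches linked here; the process and directory listings embedded below are constructed samples that mirror the task's `top` and `ls` output, and in a real run they would come from `ps -eo user,comm` and `ls -l` inside the container.

```shell
#!/bin/sh
# Added example (not mwcli code): detect the php-fpm worker user and list
# files the web service would not be able to write.

# Constructed sample of `ps -eo user,comm` from inside the container.
SAMPLE_PS='USER     COMMAND
root     entrypoint.sh
root     php-fpm7.4
nobody   php-fpm7.4
nobody   php-fpm7.4
root     bash'

# Constructed sample of `ls -l` for /var/www/html/w/data.
SAMPLE_LS='-rw-r--r-- 1 root   root    0 May 24 17:10 wikicache.sqlite
drwxr-xr-x 2 root   root 4096 May 24 17:10 locks
-rw-r--r-- 1 root   root 12288 May 24 17:10 default.sqlite
-rw-rw-r-- 1 nobody nobody 12288 May 24 17:10 ok.sqlite'

# The fpm master runs as root; the workers that serve requests run as the
# pool user. Pick the most common non-root owner of a php-fpm process.
fpm_worker_user() {
    printf '%s\n' "$1" \
        | awk '$2 ~ /^php-fpm/ && $1 != "root" {print $1}' \
        | sort | uniq -c | sort -rn \
        | awk 'NR == 1 {print $2}'
}

# Names of entries in an `ls -l` listing ($1) not owned by user $2.
# The task's files are root:root 0644, so an owner check is sufficient;
# group-writable files would need an extra check on column 4 and the mode.
files_not_owned_by() {
    printf '%s\n' "$1" | awk -v u="$2" '$3 != u {print $NF}'
}

# Number of such entries, as a plain integer.
mismatch_count() {
    files_not_owned_by "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed samples.
worker=$(fpm_worker_user "$SAMPLE_PS")
echo "php-fpm workers run as: $worker"
echo "entries not writable by $worker:"
files_not_owned_by "$SAMPLE_LS" "$worker"
```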

See also T273682. I think we should probably rework the php image to run php-fpm as root.

Hmm, it shouldn't need to run anything as root, but it should be consistent with the users that it uses.
We should go chat on IRC or something :)

Addshore renamed this task from [mwcli mwdd] the debug log is initially written to by root, and thus not further written to to [mwcli mwdd] Install and Update are run by root since switch to wmf dev images. May 24 2021, 5:17 PM
Addshore updated the task description.

Change 693937 had a related patch set uploaded (by Addshore; author: Addshore):

[mediawiki/tools/cli@master] mwdd: Fix permissions of data and log

https://gerrit.wikimedia.org/r/693937

Change 693937 merged by jenkins-bot:

[mediawiki/tools/cli@master] mwdd: Fix permissions of data and log

https://gerrit.wikimedia.org/r/693937