
Add config var to disable update.php
Closed, Resolved (Public)

Description

Per our conversation in #wikimedia-dev today, it has long been assumed that running update.php on the cluster will result in death and destruction. We've never actually tried, and there's talk of trying it out on test2wiki to see what happens, but for now update.php is still considered very much unsafe.

This isn't really documented, though, it's just well-known... except to newcomers. So it'd be nice to add a config var that, if enabled, makes update.php refuse to run. Lest anyone accidentally run update.php and cause a terrible mess. Of course the default behavior should be to allow update.php to be run, because most wikis aren't special like us :D


Version: 1.20.x
Severity: normal

Details

Reference
bz29558

Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:32 PM
bzimport set Reference to bz29558.

Rather than a config var, we could do something with $IP/wmf-config/wikimedia-mode like we do in doMaintenance. Although TBH that whole structure is pretty awful and I'd like to rip it out.

Bryan.TongMinh wrote:

General hook in Maintenance, that we hook in InitialiseSettings.php to abort the script?

(In reply to comment #2)

> General hook in Maintenance, that we hook in InitialiseSettings.php to abort
> the script?

Sounds good to me, Bryan. Could you implement this?

Bryan.TongMinh wrote:

(In reply to comment #3)

> (In reply to comment #2)
>
> > General hook in Maintenance, that we hook in InitialiseSettings.php to abort
> > the script?
>
> Sounds good to me, Bryan. Could you implement this?

No, somebody with shell access should do it, because InitialiseSettings.php is a Wikimedia config file.

I took a quick look into the Maintenance hook though, and it looks like

    if ( !wfRunHooks( 'MaintenanceMainBeforeExecute', array( &$maintenance, &$exitCode ) ) ) {
        exit( $exitCode );
    }

just before the try catch block in maintenance/doMaintenance.php would be appropriate.

Chad has already hacked it into the deployment branch, I just figured we must not be the only environment where update.php can't be run and thought a config var that triggers a die() or something in update.php would be generally useful in trunk.

I'm not sure piggybacking on $wgMiserMode is a good idea here. Lots of third-party wikis have it enabled (it's recommended in Aaron's performance guide), and it already does about 50 different undocumented things.

(In reply to comment #7)

> I'm not sure piggybacking on $wgMiserMode is a good idea here. Lots of
> third-party wikis have it enabled (it's recommended in Aaron's performance
> guide), and it already does about 50 different undocumented things.

Now it is $wgAllowSchemaUpdates.
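
The hook-based abort proposed earlier in the thread, as an added sketch in plain PHP (not MediaWiki code and not written by any participant). `runHooks()` and `checkBeforeExecute()` are hypothetical stand-ins, the script name is passed in place of the `$maintenance` object, and the hook name is the one proposed in the thread.

```php
<?php
// Added sketch, not MediaWiki code. runHooks() is a hypothetical stand-in for
// wfRunHooks(); the hook name is the one proposed in the thread.

$hookHandlers = []; // hook name => list of callables

function runHooks( string $name, array $args ): bool {
    global $hookHandlers;
    foreach ( $hookHandlers[$name] ?? [] as $handler ) {
        // A handler returning false vetoes the action and stops the chain.
        // call_user_func_array() keeps reference elements of $args as references.
        if ( call_user_func_array( $handler, $args ) === false ) {
            return false;
        }
    }
    return true; // no handlers registered: default is to allow the script
}

// Deployment-side configuration (the thread suggests InitialiseSettings.php):
// veto update.php only and choose the exit code the operator will see.
$hookHandlers['MaintenanceMainBeforeExecute'][] =
    function ( string $script, int &$exitCode ): bool {
        if ( $script === 'update.php' ) {
            fwrite( STDERR, "update.php is disabled on this installation.\n" );
            $exitCode = 1;
            return false;
        }
        return true;
    };

// Dispatcher side: returns the exit code to abort with, or null to proceed.
function checkBeforeExecute( string $script ): ?int {
    $exitCode = 0;
    if ( !runHooks( 'MaintenanceMainBeforeExecute', [ $script, &$exitCode ] ) ) {
        // A veto that leaves the code at 0 would look like success to cron
        // jobs and deploy tooling, so force a non-zero status in that case.
        return $exitCode !== 0 ? $exitCode : 1;
    }
    return null;
}

// Constructed sample run: one blocked script, one unaffected script.
foreach ( [ 'update.php', 'runJobs.php' ] as $script ) {
    $code = checkBeforeExecute( $script );
    echo $script, ': ', $code === null ? 'allowed' : "refused (exit $code)", "\n";
}
```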