Allow deployers to get a php REPL environment inside the mw-debug pods
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Joe
	Jul 6 2023, 10:49 AM

Description

We want deployers to be able to run a MediaWiki REPL inside kubernetes.

The way to do this is as follows:

read wmfMasterDatacenter from etcd
Find which pods are running right now in mw-debug in that dc, and pick one at random
Run, as superuser, KUBECONFIG=/etc/kubernetes/admin-eqiad.config kubectl -n mw-debug exec <pod> -c mediawiki-pinkunicorn-app -ti -- php /srv/mediawiki/multiversion/MWScript.php shell.php --wiki <wiki>

This would limit deployers to just execute this script as superusers and not have the larger issues related to being able to execute random scripts, which is a larger problem to solve.

Details

Subject	Repo	Branch	Lines +/-
mediawiki::repl: allow execution from everyone	operations/puppet	production	+1 -1
mw-debug-repl: improve UX	operations/puppet	production	+50 -18
deployment_server: add REPL for mw-debug	operations/puppet	production	+74 -0

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T288685 Establish active/active multi-dc support for Toolhub
Resolved		bd808	T115650 Create an authoritative and well promoted catalog of Wikimedia tools
Resolved		bd808	T271483 Complete and announce initial production deployment of Toolhub
Resolved		Raymond_Ndibe	T276865 Implement text analysis to support stemming
Resolved		bd808	T287285 Remove "Users" group
Resolved	BUG REPORT	Slst2020	T297290 Rename toolhub.apps.crawler.models.RunUrl.tools related_name from "crawer_runs" to "crawler_runs"
Open		None	T290357 Maintenance environment needed for running one-off commands
Resolved		Joe	T341197 Allow deployers to get a php REPL environment inside the mw-debug pods

Event Timeline

Joe created this task.Jul 6 2023, 10:49 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 6 2023, 10:49 AM

Joe claimed this task.Jul 6 2023, 10:49 AM

Joe triaged this task as High priority.

Joe moved this task from Incoming 🐫 to Doing 😎 on the serviceops board.

JMeybohm added a parent task: T290357: Maintenance environment needed for running one-off commands.Jul 6 2023, 11:37 AM

Change 936046 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/puppet@production] deployment_server: add REPL for mw-debug

https://gerrit.wikimedia.org/r/936046

gerritbot added a project: Patch-For-Review.Jul 6 2023, 1:54 PM

Joe mentioned this in T341191: Failed fetching https://wikimedia.org/api/rest_v1/metrics/unique-devices/{parameters}: Connection timed out.Jul 6 2023, 4:38 PM

Change 936046 merged by Giuseppe Lavagetto:

[operations/puppet@production] deployment_server: add REPL for mw-debug

https://gerrit.wikimedia.org/r/936046

Maintenance_bot removed a project: Patch-For-Review.Jul 7 2023, 9:30 AM

I tried the new REPL prompt per @Joe's request, and I have two suggestions for consideration:

My first command to run was sudo mw-debug-repl cswiki (and I expected a REPL prompt for cswiki). I recevied aawiki's prompt, because the script expects -w cswiki.
The current parameter parsing is unintuitive for deployers, as it differs from mwscript, which uses --wiki (or first unnamed parameter after script name; cf. mwscript shell.php cswiki)
Most deployer-focused scripts automatically sudo as the right user, which means the deployer doesn't have to think about sudo'ing as the right user first. I suggest doing that here as well.

In any way, thanks again @Joe for creating this script!

@Urbanecm sadly the last request isn't something we can actually do, as it would complicate quite a bit how the sudo rules would work. I'll add a check for the user being root and recommending running the command as root.

In T341197#8997366, @Joe wrote:

@Urbanecm sadly the last request isn't something we can actually do, as it would complicate quite a bit how the sudo rules would work. I'll add a check for the user being root and recommending running the command as root.

Thanks for the info. I don't understand why though. Does adding [[ "$UID" == 0 ]] || exec sudo "$0" "$@" or similar to the begining of the script break sudo rules in some way that I'm missing?

Change 936280 had a related patch set uploaded (by Giuseppe Lavagetto; author: Giuseppe Lavagetto):

[operations/puppet@production] mw-debug-repl: improve UX

https://gerrit.wikimedia.org/r/936280

gerritbot added a project: Patch-For-Review.Jul 7 2023, 1:55 PM

In T341197#8997371, @Urbanecm wrote:

In T341197#8997366, @Joe wrote:

@Urbanecm sadly the last request isn't something we can actually do, as it would complicate quite a bit how the sudo rules would work. I'll add a check for the user being root and recommending running the command as root.

Thanks for the info. I don't understand why though. Does adding [[ "$UID" == 0 ]] || exec sudo "$0" "$@" or similar to the begining of the script break sudo rules in some way that I'm missing?