Page MenuHomePhabricator
Create Task
Maniphest T363125

sustainability of wikitech.wikimedia.org
Closed, ResolvedPublic
Actions

Description

Wikitech has long been a weird special-case wiki, receiving only partial attention from SREs and causing intermittent problems to different teams as different edge cases appear. Wikitech also suffers from being a random jumble of tools, serving several unrelated purposes that are best solved elsewhere.

Here are the things wikitech does, today:

  1. Host some of WMF’s technical documentation
  2. Ensure that that documentation is available in case of a datacenter disaster (via wikitech-static replica)
  3. Provide a web UI for creation and editing of developer accounts
  4. Provide a web UI for management of cloud-vps and toolforge ssh keys
  5. Provide an API endpoint for validation of 2fa auth for developer accounts, currently used by striker and horizon

Ideally, Bitu and IDM will address tasks 3-5. Here are some potential futures for the content that is now on Wikitech, addressing cases 1 and 2. These could be end states, or steps along the road to the ideal end state.

All of the following options except for B require functions 3-5 to be moved to idm+bitu before transitional work can begin.

A: SUL wiki hosted on wikikube. This is generally regarded as the ideal end state, but we probably can’t skip straight to his case; we likely need to pass through B, C, or D on the way.

  • Pro (long-term): Wikitech account management is subsumed into existing SUL management
  • Pro (long-term): Wiki management becomes a trivial subcase of existing wiki hosting
  • Con (transitional): Requires reconciling existing wikitech accounts with totally divergent SUL accounts

B: Fishbowl wiki hosted on wikikube, accounts in ldap. This option could be a final state OR a temporary state on the way to the SUL option.

  • Pro (long-term): Wiki management becomes subcase of existing wiki hosting
  • Pro (transitional): No need to reconcile SUL accounts with wikitech accounts
  • Pro (transitional): This wiki could still support use cases 3-5, decoupling us from blockers in bitu and idm.
  • Con (transitional): Wikikube SREs are alternately willing/unwilling to entertain this solution.
  • Con (long-term): Allowing r/w ldap access from wikitech/wikikube may continue to introduce surprising edge cases for product maintenance.
  • Con (long-term): We’d need to continue to maintain and support mediawiki ldap extensions in the wikikube cluster

C: Fishbowl wiki hosted on wikikube, accounts in mariadb. This option could be a final state OR a temporary state on the way to the SUL option.

  • Pro (long-term): Wiki management becomes a trivial subcase of existing wiki hosting
  • Pro (transitional): No need to reconcile SUL accounts with wikitech accounts
  • Con (transitional): Would require password resets for every wikitech account
  • Con (long term): Everyone presently with two accounts(SUL and developer) would have three accounts: SUL, developer, wikitech.
  • Con (long term): Management of this new account type would require ongoing administrative work. E.g. someone would need to either approve new accounts, or detect and remove spammer accounts.

D: SUL wiki hosted on existing WMCS hardware. This option only really makes sense as a temporary state on the way to the SUL + wikikube option.

  • Pro (long-term): Wikitech account management is subsumed into existing SUL management
  • Con (transitional): Requires reconciling existing wikitech accounts with totally divergent SUL accounts
  • Con (long-term): Requires exposing the centralauth database (and all the other SUL wiki databases) to the WMCS hardware

E: Wikitech is abolished, content migrated to a different existing wiki (e.g. mediawiki.org). This option may be impossible without violating copyrights of existing content

  • Pro (long-term): Nothing new to maintain or manage, ever!
  • Con (transitional): Migrating the content while preserving accurate history and attribution may be difficult or impossible.
  • Con (long-term): Existing value (if any) of the separation between Wikitech and Mediawiki.org would be lost. E.g. it might be less obvious which subset of the content to host on wikitech-static.
  • Con (long-term): WMF staff control of the wiki hosting WMF operational docs is lost and staff will need to earn authority via community participation
  • Con (long-term): Further muddies the purpose of mediawiki.org by adding two new documentation use cases of WMF operational docs and Cloud VPS/Toolforge support docs.

Related Objects
Search...

Event Timeline

Andrew created this task.Apr 23 2024, 3:54 AM
Restricted Application added a project: cloud-services-team. · View Herald TranscriptApr 23 2024, 3:54 AM
Andrew added subtasks: T161859: Make Wikitech an SUL wiki, T292707: ☂ Migrate Wikitech to Kubernetes, T161553: Remove OpenStackManager from Wikitech, T359551: Replace wikitech as source of two-factor auth protection for developer accounts, T237773: Move Wikitech onto the production MW cluster, T359544: Disable SSH key management on Wikitech.Apr 23 2024, 3:56 AM
Pppery edited projects, added wikitech.wikimedia.org; removed User-Tgr, Wikimedia-Hackathon-2018, WMF-General-or-Unknown.Apr 23 2024, 4:22 AM
Izno subscribed.Apr 23 2024, 5:53 AM
DannyS712 subscribed.Apr 23 2024, 6:16 AM
taavi added a comment.Apr 23 2024, 7:19 AM

B: Fishbowl wiki hosted on wikikube, accounts in ldap. This option could be a final state OR a temporary state on the way to the SUL option.
Con (long-term): Allowing r/w ldap access from wikitech/wikikube may continue to introduce surprising edge cases for product maintenance.

I don't think Wikitech will require r/w access after T359544: Disable SSH key management on Wikitech is done.

taavi updated the task description. (Show Details)Apr 23 2024, 7:27 AM
MoritzMuehlenhoff added a comment.Apr 23 2024, 7:53 AM
In T363125#9734178, @taavi wrote:

B: Fishbowl wiki hosted on wikikube, accounts in ldap. This option could be a final state OR a temporary state on the way to the SUL option.
Con (long-term): Allowing r/w ldap access from wikitech/wikikube may continue to introduce surprising edge cases for product maintenance.

I don't think Wikitech will require r/w access after T359544: Disable SSH key management on Wikitech is done.

Agreed. Once T359544 is done, I also want to narrow down the access to the r/w LDAP servers via ferm/nftables (T227650)

Peachey88 subscribed.Apr 23 2024, 8:29 AM
zeljkofilipin unsubscribed.Apr 23 2024, 12:22 PM
Andrew added a comment.Apr 23 2024, 1:21 PM
In T363125#9734178, @taavi wrote:

B: Fishbowl wiki hosted on wikikube, accounts in ldap. This option could be a final state OR a temporary state on the way to the SUL option.
Con (long-term): Allowing r/w ldap access from wikitech/wikikube may continue to introduce surprising edge cases for product maintenance.

I don't think Wikitech will require r/w access after T359544: Disable SSH key management on Wikitech is done.

I started out thinking that but I don't think it's so easy to switch to RO ldap. The ldap mw extension will still expect to be able to change things (email address, for example) so if we just flip ldap to RO the UI will have several traps which fail if the user falls for them. Alternatively we can hack on ldapauth to remove those features but we'd need to fork things so as not to break other possible users of the extension.

MoritzMuehlenhoff added a comment.Apr 23 2024, 1:38 PM
In T363125#9735541, @Andrew wrote:

I started out thinking that but I don't think it's so easy to switch to RO ldap. The ldap mw extension will still expect to be able to change things (email address, for example)

Changing the email address is already disabled on wikitech, Taavi did that in https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1013976/

taavi added a comment.Apr 23 2024, 1:59 PM

Password reset have been disabled for a few months now, email addresses since I deployed that patch last week, and I just sent https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/1023432 to disable password changes while logged in. After that we have SSH key changes, and T359820: Developer Account Blocking: Migrate the one-stop Developer (un)Blocking from Wikitech to Bitu (which I forgot about earlier) as the only remaining functionality that writes anything to LDAP - there isn't anything in the login process that should need write access.

nshahquinn-wmf edited subscribers, added: nshahquinn-wmf; removed: nshahquinn.Apr 23 2024, 4:23 PM
Tgr added a comment.Apr 24 2024, 11:29 AM

Con (long-term): Existing value (if any) of the separation between Wikitech and Mediawiki.org would be lost. E.g. it might be less obvious which subset of the content to host on wikitech-static.

That value is probably well in the negative (two different places to look up technical documentation, unintuitive and hard to guess which one to use in a given case, templates etc. need to be duplicated, anti-abuse on wikitech is problematic). Static could be handled via a namespace or category.

nshahquinn-wmf added a comment.Apr 24 2024, 8:00 PM
In T363125#9739948, @Tgr wrote:

Con (long-term): Existing value (if any) of the separation between Wikitech and Mediawiki.org would be lost. E.g. it might be less obvious which subset of the content to host on wikitech-static.

That value is probably well in the negative (two different places to look up technical documentation, unintuitive and hard to guess which one to use in a given case, templates etc. need to be duplicated, anti-abuse on wikitech is problematic). Static could be handled via a namespace or category.

Actually, I think it has one very big positive: MediaWiki users get less bogged down with Wikimedia-specific detail. Search is less likely to return it, links are less likely to lead to it, and it encourages writing for a general MediaWiki audience rather than a Wikimedia one.

The benefit isn't as big as it could be, since overall we don't do a great job of that separation, so there's still plenty of Wikimedia-specific stuff on MediaWiki.org. Yes, maintaining and improving the separation is a lot of work. But it's a burden on highly experienced community members like us which helps newbies (like people who are just trying to figure out how to set up their own MediaWiki site). I think that's a better idea than combining the wikis, which would help us and burden newbies.

Yes, we could try to emulate some of the benefits of having separate wikis with separate namespaces and the like. But I think that would be much messier: what if you want multiple namespaces in each bucket? Separate search for each bucket? A visual separation, which is currently provided by the different logos?

So, count at least one big fan of keeping Wikitech and MediaWiki.org separate 😁

Bugreporter subscribed.EditedApr 25 2024, 2:12 AM

MediaWiki users get less bogged down with Wikimedia-specific detail.

Alternatively they can be moved to a "technical" namespace in Meta-Wiki.

Previously I even imagine we should merge meta, outreach and foundation wikis to one single Wikimedia Central Wiki at www.wikimedia.org. See also: 2012 proposal to merge Wikitech and some other wikis https://meta.wikimedia.org/wiki/Wikimedia.org. This is out of scope of this task though.

MSantos subscribed.Apr 25 2024, 11:45 AM
Novem_Linguae subscribed.May 1 2024, 5:49 AM
Andrew added a subscriber: bd808.May 7 2024, 1:53 PM
Bugreporter added a comment.May 18 2024, 4:47 AM

Migrating the content while preserving accurate history and attribution may be difficult or impossible.

Very interesting history: The current Wikitech is merge of two original wikis to one.

bd808 mentioned this in T365370: Password change form not easily discoverable on https://idm.wikimedia.org.May 20 2024, 3:48 PM
Johannnes89 subscribed.May 20 2024, 4:22 PM
taavi closed subtask T359544: Disable SSH key management on Wikitech as Resolved.Jun 11 2024, 5:59 PM
taavi closed subtask T161553: Remove OpenStackManager from Wikitech as Resolved.Jun 19 2024, 5:54 AM
jijiki removed a subtask: T292707: ☂ Migrate Wikitech to Kubernetes.Jul 26 2024, 8:33 AM
jijiki added a parent task: T292707: ☂ Migrate Wikitech to Kubernetes.
jijiki changed the status of subtask T161859: Make Wikitech an SUL wiki from Open to In Progress.Jul 29 2024, 4:13 PM
jijiki closed this task as Resolved.Jul 30 2024, 10:03 AM
jijiki claimed this task.
jijiki subscribed.

Plan has been draften in the "Wikitech Migration Plan" document, and in the interest of not having open tasks around, I am resolving this. Feel free to open again

jijiki removed subtasks: T359544: Disable SSH key management on Wikitech, T237773: Move Wikitech onto the production MW cluster, T359551: Replace wikitech as source of two-factor auth protection for developer accounts, T161553: Remove OpenStackManager from Wikitech, T161859: Make Wikitech an SUL wiki.Jul 30 2024, 10:04 AM
jijiki removed a parent task: T189531: All Wikimedia developer services should use single sign-on.
nshahquinn-wmf added a comment.Jul 30 2024, 5:46 PM
In T363125#10026781, @jijiki wrote:

Plan has been draften in the "Wikitech Migration Plan" document

Thank you—very excited to see this happen! Could you share that document?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits