Page MenuHomePhabricator
Create Task
Maniphest T395521

Members of restricted cannot use --dblist
Closed, ResolvedPublic
Actions

Description

It seems that I as a member of restricted am able to run maintenance scripts with mwscript-k8s (since T378429), but not if I specify --dblist="s1".

foks@deploy1003:~$ mwscript-k8s --comment="testing" --dblist="s1" --follow -- Version.php
โณ Starting Version.php on Kubernetes as job mw-script.eqiad.k2ozj7tm ...
๐Ÿš€ Job is running.
๐Ÿ“œ Streaming logs:
no version entry for `Version.php`.

foks@deploy1003:~$ mwscript-k8s --comment="testing" --follow -- Version.php --wiki=enwiki
โณ Starting Version.php on Kubernetes as job mw-script.eqiad.zvi82cgq ...
๐Ÿš€ Job is running.
๐Ÿ“œ Streaming logs:
MediaWiki version: 1.45.0-wmf.2 (built: 23:01, 19 May 2025)

Others with deploy rights seem to get the expected result here.

reedy@deploy1003:~$ mwscript-k8s --comment="T395386" --dblist="s2" --follow --file=/srv/mediawiki-staging/php-1.45.0-wmf.2/extensions/SecurePoll/cli/wm-scripts/u4c2025/u4c2025_tables.sql -- sql.php -- u4c2025_tables.sql
โณ Starting sql.php on Kubernetes as job mw-script.eqiad.yhh9i204 ...
๐Ÿš€ Job is running.
๐Ÿ“œ Streaming logs:
sql.php: Running on s2
-----------------------------------------------------------------
bgwiki
-----------------------------------------------------------------
bgwiki Query OK, 0 row(s) affected
<snip>

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
deployment_server: Update the local helm cache in mwscript-k8soperations/puppetproduction+13 -14
Customize query in gerrit

Related Objects

Event Timeline

jrbs created this task.May 28 2025, 10:18 PM
Restricted Application added a subscriber: Aklapper. ยท View Herald TranscriptMay 28 2025, 10:18 PM
Reedy subscribed.May 28 2025, 10:21 PM

I'm wondering if this is because of the lack of being in the deployment group and/or because of being in restricted?

I'm in deployment and was able to run the commands as mentioned

jrbs mentioned this in T395386: Create and run 2025 U4C election.May 28 2025, 10:43 PM
Novem_Linguae subscribed.May 29 2025, 12:04 AM
Clement_Goubert subscribed.Jun 2 2025, 11:11 AM

There seems to be something wrong with the command line parsing for members of restricted:

cgoubert@deploy1003:/srv/deployment-charts/helmfile.d/services/mw-script$ kubectl describe job mw-script.eqiad.k2ozj7tm
[...]
  Containers:          
   mediawiki-k2ozj7tm-app:           
    Image:      docker-registry.discovery.wmnet/restricted/mediawiki-multiversion-cli:2025-05-28-203847-publish-81
    Port:       <none>                          
    Host Port:  <none>
    Command:   
      /usr/bin/php <--  should be calling /usr/local/bin/foreachwikiindblist
    Args:       
      /srv/mediawiki/multiversion/MWScript.php
      s1                    
      Version.php

compared to members of deployment:

cgoubert@deploy1003:/srv/deployment-charts/helmfile.d/services/mw-script$ kubectl describe job mw-script.eqiad.yhh9i204
[...]
  Containers:                                                                                                  
   mediawiki-yhh9i204-app:
    Image:      docker-registry.discovery.wmnet/restricted/mediawiki-multiversion-cli:2025-05-28-203847-publish-81
    Port:       <none>               
    Host Port:  <none>                                                                                         
    Command:                                    
      /usr/local/bin/foreachwikiindblist
    Args:      
      s2                                                                                                       
      sql.php   
      u4c2025_tables.sql
Scott_French subscribed.Jun 2 2025, 10:45 PM

Many thanks to @jrbs for the discussion out of band.

As @Clement_Goubert notes in T395521#10874927, the configuration of job/mw-script.eqiad.k2ozj7tm looks quite odd:

  1. the command should be /usr/local/bin/foreachwikiindblist, not /usr/bin/php
  2. the args list, which is otherwise "correct" in terms of what mwscript-k8s should generate in the --dblist case, has been prepended with /srv/mediawiki/multiversion/MWScript.php

I think the most likely way to arrive at something like this would be if using a version of the mediawiki helm chart prior to 0.8.17 (https://gerrit.wikimedia.org/r/1147918) merged May 20th.

How would that happen? The special casing we added for HELM_CACHE_HOME in the restricted-group case in https://gerrit.wikimedia.org/r/1138951. I'm pretty sure the helm cache needs updated on every run rather than only once, lest the user end up using a very stale mediawiki chart.

@jrbs - Could you try deleting ~/.cache/helm and then retrying a simple test like mwscript-k8s --comment="testing" --dblist="s1" --follow -- Version.php?

jrbs added a comment.Jun 2 2025, 10:47 PM
In T395521#10877806, @Scott_French wrote:

@jrbs - Could you try deleting ~/.cache/helm and then retrying a simple test like mwscript-k8s --comment="testing" --dblist="s1" --follow -- Version.php?

Seems to work:

foks@deploy1003:~$ mwscript-k8s --comment="testing" --dblist="s1" --follow -- Version.php
โณ Starting Version.php on Kubernetes as job mw-script.eqiad.k74d6fo8 ...
๐Ÿ‘‹ Setting up the Helm cache. Only need to do this the first time...
๐Ÿš€ Job is running.
๐Ÿ“œ Streaming logs:
Version.php: Running on s1
-----------------------------------------------------------------
enwiki
-----------------------------------------------------------------
enwiki MediaWiki version: 1.45.0-wmf.3 (built: 22:09, 26 May 2025)
gerritbot added a comment.Jun 2 2025, 11:26 PM

Change #1152854 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/puppet@production] deployment_server: Update the local helm cache in mwscript-k8s

https://gerrit.wikimedia.org/r/1152854

gerritbot added a project: Patch-For-Review.Jun 2 2025, 11:26 PM
Scott_French added a comment.Jun 2 2025, 11:32 PM

Amazing - thank you very for confirming, @jrbs. I believe https://gerrit.wikimedia.org/r/1152854 should fix this, and should not pose a significant usability issue (the update operation is actually rather quick).

Clement_Goubert added a comment.Jun 3 2025, 9:39 AM
In T395521#10877883, @Scott_French wrote:

Amazing - thank you very for confirming, @jrbs. I believe https://gerrit.wikimedia.org/r/1152854 should fix this, and should not pose a significant usability issue (the update operation is actually rather quick).

Oh good find, I didn't think cache dir.

gerritbot added a comment.Jun 3 2025, 3:43 PM

Change #1152854 merged by Scott French:

[operations/puppet@production] deployment_server: Update the local helm cache in mwscript-k8s

https://gerrit.wikimedia.org/r/1152854

Scott_French closed this task as Resolved.Jun 3 2025, 4:10 PM
Scott_French claimed this task.

With https://gerrit.wikimedia.org/r/1152854 merged, I believe this problem should be fixed.

Thanks again for the detailed report, @jrbs! One last point of note: As discussed out of band, sql.php is one of the handful of scripts that still does not work on k8s [0]. For those, please continue to use the mwscript wrapper to run locally. We'll provide wider guidance soon with the upcoming decom of the mwmaint* hosts, but as previously noted in Reuven's message last month, this will likely move to the deployment host.

[0] https://wikitech.wikimedia.org/wiki/Maintenance_scripts#Not_yet_supported

Maintenance_bot removed a project: Patch-For-Review.Jun 3 2025, 4:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. ยท Wikimedia Foundation ยท Privacy Policy ยท Code of Conduct ยท Terms of Use ยท Disclaimer ยท CC-BY-SA ยท GPL ยท Credits