Page MenuHomePhabricator
Create Task
Maniphest T401721

Provide MediaWiki app image PHP version in helm values
Closed, ResolvedPublic
Actions

Description

Currently, the notion of "what PHP version are we using?" for the MediaWiki app image is available in helm values as php.version.

While this works, it's managed manually, rather than directly coupled to the MediaWiki image build process. This makes it error-prone - e.g., it's easy for the version used in the image to become out of sync with the helm value.

Instead, we should aim to make the image build process authoritative. One way to do that might look like the following:

  1. make-container-image: Store the PHP version selected at build time in an image metadata label (e.g., vnd.wikimedia.mediawiki.php.version).
  2. scap: When mapping helmfile releases to MediaWiki app images, read the label from the selected image, and set php.version accordingly in the /etc/helmfile-defaults/mediawiki/release/ values file.

In this way, PHP version metadata flows from the image build process to helm values.

An alternative to using image metadata labels for communicating build provenance information would be to use the build report file. This would require some thought as to how to cleanly introduce new attributes, while ideally leaving the "schema" of the a more "future-proof" state.

Status: We started with the metadata-labels approach, but encountered unexpected complexity related to querying them (T401721#11096229), and switched gears to using the build report. The latter solution is now what's in active use.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
mediawiki: bump chart versionoperations/deployment-chartsmaster+1 -1
mediawiki: clean up php.version overridesoperations/deployment-chartsmaster+1 -21
Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
make-container-image: remove php version metadata labelrepos/releng/release!209swfrenchwork/swfrench/cleanup-unused-labelmain
make-container-image: clean up unused build-report attributesrepos/releng/release!208swfrenchwork/swfrench/prune-build-reportmain
kubernetes: adopt new report structure and set php.versionrepos/releng/scap!987swfrenchwork/swfrench/flavour-metadatamaster
make-container-image: introduce flavour metadatarepos/releng/release!207swfrenchwork/swfrench/php-metadata-reportmain
Revert "kubernetes: set php.version based on image labels"repos/releng/scap!984swfrenchwork/swfrench/revert-php-metadata-labelsmaster
kubernetes: set php.version based on image labelsrepos/releng/scap!973swfrenchwork/swfrench/php-metadata-labelsmaster
make-container-image: php version metadata labelrepos/releng/release!203swfrenchwork/swfrench/php-metadata-labelsmain
Customize query in GitLab

Related Objects

Event Timeline

Scott_French created this task.Aug 12 2025, 4:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 12 2025, 4:59 PM
Scott_French changed the task status from Open to In Progress.Aug 12 2025, 6:48 PM
Scott_French triaged this task as Medium priority.
CodeReviewBot added a project: Patch-For-Review.Aug 12 2025, 6:49 PM

swfrench opened https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/203

Draft: make-container-image: php version metadata label

CodeReviewBot added a comment.Aug 12 2025, 6:49 PM

swfrench opened https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/973

Draft: kubernetes: set php.version based on image labels

Scott_French added a comment.EditedAug 12 2025, 7:21 PM

I should mention here, there's one notable downside to using a metadata label like this: If for some reason the selected image no longer exists on the deployment host (e.g., has been pruned), then the underlying docker image inspect call will fail.

I'm having a hard time coming up with a scenario where that might arise. I suspect it would require both the image to have been pruned and invocation with -Dbuild_mw_container_image:False.

Though the issue could be "fixed" with docker pull (or a rebuild) in this case, it would not even be possible if the PHP version was stored "durably" in the build report. Just something to consider.

dancy added a comment.Aug 12 2025, 8:09 PM
In T401721#11079929, @Scott_French wrote:

I should mention here, there's one notable downside to using a metadata label like this: If for some reason the selected image no longer exists on the deployment host (e.g., has been pruned), then the underlying docker image inspect call will fail.

I'm having a hard time coming up with a scenario where that might arise. I suspect it would require both the image to have been pruned and invocation with -Dbuild_mw_container_image:False.

Though the issue could be "fixed" with docker pull (or a rebuild) in this case, it would not even be possible if the PHP version was stored "durably" in the build report. Just something to consider.

Agreed. Should this unlikely scenario come up, running scap sync-world without flags is an easy recovery.

CodeReviewBot added a comment.Aug 18 2025, 2:46 PM

dancy merged https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/973

kubernetes: set php.version based on image labels

CodeReviewBot added a comment.Aug 18 2025, 5:00 PM

swfrench merged https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/203

make-container-image: php version metadata label

Stashbot added a comment.Aug 18 2025, 5:05 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-18T17:05:23Z] <swfrench@deploy1003> Started scap sync-world: Non-deploy scap run to verify image build and dependent helmfile values - T401721

Stashbot added a comment.Aug 18 2025, 5:30 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-18T17:30:28Z] <swfrench@deploy1003> Started scap sync-world: Deploy new images after verifying dependent helmfile values - T401721

Maintenance_bot removed a project: Patch-For-Review.Aug 18 2025, 5:30 PM
Stashbot added a comment.Aug 18 2025, 6:03 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-18T18:03:52Z] <swfrench@deploy1003> Finished scap sync-world: Deploy new images after verifying dependent helmfile values - T401721 (duration: 36m 38s)

Scott_French mentioned this in T402212: Spurious full MediaWiki image builds during scap deployments.Aug 18 2025, 7:22 PM
CodeReviewBot added a project: Patch-For-Review.Aug 18 2025, 9:39 PM

swfrench opened https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/984

Revert "kubernetes: set php.version based on image labels"

CodeReviewBot added a comment.Aug 18 2025, 9:43 PM

dancy merged https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/984

Revert "kubernetes: set php.version based on image labels"

Scott_French added a comment.EditedAug 18 2025, 9:54 PM

In short, not all deployers are able to invoke raw docker commands (i.e., in this case, docker image inspect), so the current approach that shares code with scap clean-images (which runs as a privileged user) for extracting image metadata labels will not work.

We either need to delegate that through privileged user (e.g., mwbuilder) or use another channel to feed the metadata back from the build process. One possibility for the latter is to revert to using the build report, as originally planned.

Maintenance_bot removed a project: Patch-For-Review.Aug 18 2025, 10:31 PM
CodeReviewBot added a project: Patch-For-Review.Aug 19 2025, 1:16 AM

swfrench opened https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/207

Draft: make-container-image: introduce flavour metadata

Scott_French added a comment.Aug 19 2025, 1:25 AM

Alright, after a bit of thought, I believe the simplest option is use the build report. As noted in release!207, I'm not enthusiastic to grow the build report, but this is also an opportunity to clean up and future-proof its structure a bit, which I'm happy to do here.

CodeReviewBot added a comment.Aug 19 2025, 2:30 PM

swfrench opened https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/987

Draft: kubernetes: adopt new report structure and set php.version

CodeReviewBot added a comment.Aug 19 2025, 5:13 PM

swfrench merged https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/207

make-container-image: introduce flavour metadata

Stashbot added a comment.Aug 19 2025, 5:15 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-19T17:15:10Z] <swfrench@deploy1003> Started scap sync-world: No-op deployment to introduce new build report metadata - T401721

Stashbot added a comment.Aug 19 2025, 5:17 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-19T17:17:25Z] <swfrench@deploy1003> Finished scap sync-world: No-op deployment to introduce new build report metadata - T401721 (duration: 02m 52s)

Scott_French added a comment.Aug 19 2025, 5:20 PM

Alright, release!207 is live, and the updated build report looks like what I'd expect: P81547

CodeReviewBot added a comment.Aug 19 2025, 6:09 PM

dancy merged https://gitlab.wikimedia.org/repos/releng/scap/-/merge_requests/987

kubernetes: adopt new report structure and set php.version

Stashbot added a comment.Aug 19 2025, 6:27 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-19T18:27:45Z] <swfrench@deploy1003> Started scap sync-world: Non-deploy scap run to verify image build and dependent helmfile values - T401721

Maintenance_bot removed a project: Patch-For-Review.Aug 19 2025, 6:31 PM
Stashbot added a comment.Aug 19 2025, 6:34 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-19T18:34:41Z] <swfrench@deploy1003> Started scap sync-world: No-code-changes scap sync-world with new helmfile values - T401721

Stashbot added a comment.Aug 19 2025, 6:39 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-19T18:39:29Z] <swfrench@deploy1003> Finished scap sync-world: No-code-changes scap sync-world with new helmfile values - T401721 (duration: 06m 28s)

Scott_French added a comment.Aug 19 2025, 6:46 PM

This is now live and exports php.version as expected, e.g.

swfrench@deploy1003:~$ cat /etc/helmfile-defaults/mediawiki/release/mw-web-main.yaml 
docker:
  registry: docker-registry.discovery.wmnet
main_app:
  image: restricted/mediawiki-multiversion:2025-08-19-170542-publish-81
mw:
  httpd:
    image_tag: restricted/mediawiki-webserver:2025-08-19-082017-webserver-bookworm
php:
  version: '8.1'
Scott_French mentioned this in T401254: Upgrade mw-debug/next to PHP 8.3.Aug 20 2025, 12:40 AM
CodeReviewBot added a project: Patch-For-Review.Aug 20 2025, 1:11 AM

swfrench opened https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/208

Draft: make-container-image: clean up unused build-report attributes

CodeReviewBot added a comment.Aug 20 2025, 5:02 PM

swfrench merged https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/208

make-container-image: clean up unused build-report attributes

Stashbot added a comment.Aug 20 2025, 5:05 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-20T17:05:50Z] <swfrench@deploy1003> Started scap sync-world: Deployment to pick up build-report cleanup - T401721

Stashbot added a comment.Aug 20 2025, 5:08 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-20T17:08:10Z] <swfrench@deploy1003> Finished scap sync-world: Deployment to pick up build-report cleanup - T401721 (duration: 02m 41s)

Maintenance_bot removed a project: Patch-For-Review.Aug 20 2025, 5:30 PM
Scott_French updated the task description. (Show Details)Aug 20 2025, 9:56 PM
Scott_French added a comment.Aug 20 2025, 9:58 PM

At this point, the last step is to clean up the now-unused vnd.wikimedia.mediawiki.php.version label. Since this will result in a full image build, it would be nice to consolidate that together with other pending changes that require the same, such as addressing T402424.

CodeReviewBot added a project: Patch-For-Review.Aug 20 2025, 10:06 PM

swfrench opened https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/209

make-container-image: remove php version metadata label

CodeReviewBot added a comment.Aug 21 2025, 4:18 PM

swfrench merged https://gitlab.wikimedia.org/repos/releng/release/-/merge_requests/209

make-container-image: remove php version metadata label

Maintenance_bot removed a project: Patch-For-Review.Aug 21 2025, 4:33 PM
Scott_French closed this task as Resolved.Aug 21 2025, 4:57 PM

release!209 was picked up with the deployment for T402424 this morning, which wraps this up.

gerritbot added a comment.Aug 22 2025, 3:08 PM

Change #1181149 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: clean up php.version overrides

https://gerrit.wikimedia.org/r/1181149

gerritbot added a project: Patch-For-Review.Aug 22 2025, 3:08 PM
gerritbot added a comment.Aug 25 2025, 5:04 PM

Change #1181149 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: clean up php.version overrides

https://gerrit.wikimedia.org/r/1181149

gerritbot added a comment.Aug 25 2025, 5:13 PM

Change #1181747 had a related patch set uploaded (by Scott French; author: Scott French):

[operations/deployment-charts@master] mediawiki: bump chart version

https://gerrit.wikimedia.org/r/1181747

gerritbot added a comment.Aug 25 2025, 5:19 PM

Change #1181747 merged by jenkins-bot:

[operations/deployment-charts@master] mediawiki: bump chart version

https://gerrit.wikimedia.org/r/1181747

Stashbot added a comment.Aug 25 2025, 5:24 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-25T17:24:08Z] <swfrench@deploy1003> Started scap sync-world: Helmfile-only deployment for php.version override cleanup - T401721

Stashbot added a comment.Aug 25 2025, 5:26 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-25T17:26:29Z] <swfrench@deploy1003> Finished scap sync-world: Helmfile-only deployment for php.version override cleanup - T401721 (duration: 03m 34s)

Maintenance_bot removed a project: Patch-For-Review.Aug 25 2025, 5:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits