Support shell to mw-experimental pod
Open, MediumPublic
Actions

Assigned To

None

Authored By

	Krinkle
	Sep 25 2025, 11:42 PM

Description

Context:

When SSH-ing to mw-experimental one currenty ends up on the kubernetes host, not the pod where PHP is installed.

This means only files for web requests can be debugged and ad-hoc changed (e.g. via browser or curl), not files executed via maintenance scripts. This was something I would do monthly or so on the mwdebug hosts when debugging something, whether via php MWScript.php eval.php or via an existing maintenance script.

Is there a supported way to start a shell inside the mw-experimental pod?

Use cases:

Iterate on a draft wmf-config change in /srv/mediawiki/wmf-config and review runtime impact via mwscript eval.php.
Debug a maintenance script by making ad-hoc changes under /srv/mediawiki/php-/maintenance/ or /srv/mediawiki/php-/extensions/*/maintenance/, and run mwscript something.php.
Profiling, per https://wikitech.wikimedia.org/wiki/WikimediaDebug#Plaintext_CLI_profile.
Using a custom dblist file with foreachwikiindblist. Workaround: T401737

Related Objects

Mentioned Here: T341197: Allow deployers to get a php REPL environment inside the mw-debug pods
P84273 mw-experimental-shell
T401737: Custom dblists for mwscript-k8s
T404804: GrowthExperiments:graduateEligibleMentees.php maintenance scripts OoMs for eswiki
T276994: Provide an mwdebug functionality on kubernetes (mw-experimental)
T341553: Allow running one-off scripts manually
T396767: Make mw-experimental production ready
T397498: Deprecate mwdebugXXXX hosts

Event Timeline

Krinkle created this task.Sep 25 2025, 11:42 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 25 2025, 11:42 PM

Urbanecm_WMF subscribed.Sep 30 2025, 4:26 PM

In T404804#11231334, @Urbanecm_WMF wrote:
I spent some time looking into how we can get more data about this. First, I was thinking how to trigger profiling code from src/Profiler.php (in the config repo) in a maintenance script context. [..]

In production, mw-experimental is the environment for livehacking. This made me ask: how can I run maintenance scripts in mw-experimental?

It turns out that with the mw-experimental-deploy credentials, I can run kubectl exec, shelling into the mw-experimental pod, running /srv/mediawiki/multiversion/MWScript.php manually. So, I made the above-described changes in mw-experimental using the documented process, and then run the maintenance script as follows:
[urbanecm@deploy2002 ~]$ kubectl exec -c mediawiki-pinkllama-app mw-experimental.codfw.pinkllama-779d86d874-znl5n -it -- php /srv/mediawiki/multiversion/MWScript.php Version.php --wiki=dewiki
[..]

Krinkle updated the task description. (Show Details)Oct 22 2025, 9:44 PM

@Krinkle Please have a go running P84273 on the deployment host, and let me know if it helps

In T341197: Allow deployers to get a php REPL environment inside the mw-debug pods, @Joe added mw-debug-repl to get shell.php in the debug pods. Given this is the second pod in which running shell.php makes sense, I'm wondering, should we create a more generic wrapper?

(If we end up adding an extra wrapper, we should probably name it consistently, so either rename mw-debug-repl to mw-debug-shell or the other way around)

(Noting that for some reasons [historical ones, maybe?], mw-debug-repl requires root privileges. However, it seems like this task is now possible using deploy credentials. Maybe it should be rewritten in any case?)

In T405688#11302125, @jijiki wrote:

@Krinkle Please have a go running P84273 on the deployment host, and let me know if it helps

This is great. I've used it several times already!

Managing the file system separately from the shell is a bit confusing (one shell on the worker host with writable filesystem but without MW/PHP, another shell from the deploy host in the container with MW/PHP but without writable filesystem where you then use those files created/edited in the other shell). But, it works!

I wonder if the container could be read-write (i.e. ephemeral empty writable layer over top of /srv/mediawiki in the container?). That might pose some challenges with managing outdated state and forgotten/long-running containers, but would make this a bit closer to the level of ease it used to have on mwdebug hosts. Anyway, this is great!

jijiki triaged this task as Medium priority.Thu, Jan 22, 1:47 PM

jijiki moved this task from Inbox to Backlog on the ServiceOps new board.

jijiki added a project: ServiceOps new.

jijiki added a project: Prod-Kubernetes.Thu, Jan 22, 1:50 PM

jijiki removed a project: serviceops.

jijiki added a project: ServiceOps-SharedInfra.Thu, Jan 22, 2:11 PM

jijiki removed a project: ServiceOps-SharedInfra.

jijiki added a project: ServiceOps-Mediawiki.Thu, Jan 22, 2:13 PM