MediaWiki-schroot
Running MediaWiki in a full system chroot is a lightweight alternative to MediaWiki-Vagrant. MediaWiki-schroot will set up such a chroot for you, suitable for installing MediaWiki. A chroot management package called schroot is used. The host must be a Debian variant of some kind, for example Ubuntu.
The goals of this project are to be:
- Easy to understand, easy to modify. Requires only basic UNIX skills and an ability to use the constituent services (HHVM etc.). No puppet.
- Bare metal performance (but can be run on top of a VM if desired).
- Secure
- One easily-reviewable setup script to run as root.
- Trust only HHVM and distro packages.
- No need to trust MediaWiki code.
- All services run inside the chroot.
- Similar to production: HHVM/Apache/MariaDB.
Installation
Get the MediaWiki-schroot scripts:
git clone https://gerrit.wikimedia.org/r/mediawiki/tools/schroot
Clone MediaWiki, if you don't have it already:
mkdir -p ~/src/mediawiki
cd ~/src/mediawiki
git clone https://gerrit.wikimedia.org/r/mediawiki/core
git clone https://gerrit.wikimedia.org/r/mediawiki/vendor core/vendor
git clone --recursive https://gerrit.wikimedia.org/r/mediawiki/skins
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions
You can use --recursive for extensions too, but it will take a long time. Instead, clone it without --recursive and then fetch only the extensions you need with:
cd extensions
git submodule update --init <extension>
Copy the "config.sample" file to "config". Review and edit it if necessary. Then review ./setup and run it as root:
cd /path/to/mediawiki/schroot
sudo ./setup
This will install schroot and set up the guest OS. Then start the schroot session and services:
sudo /etc/init.d/mw-chroot start
Then install MediaWiki by navigating to the URL supplied by ./setup. You can start a shell inside the chroot using:
sudo schroot -c mw-session
To run a maintenance script inside the chroot as the appropriate unprivileged user, use the proxy script which is installed in /usr/local/bin/mw-maint:
cd ~/src/mediawiki/core/maintenance
mw-maint eval.php
Note that the schroot session must be started before you run this.
Security
Note that a chroot is, by its nature, less isolated from the host than a virtual machine. The network stack is shared, so the chroot can connect to any TCP service running on the host that listens on localhost. And a root user inside the chroot is able to "break out" of the chroot or directly perform privileged actions.
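As an added example (not part of MediaWiki-schroot), here is a small POSIX shell audit of which host TCP services are bound to a loopback address, and are therefore reachable from inside the chroot because the network stack is shared. It parses the /proc/net/tcp format; the sample table is constructed, and the decoding assumes a little-endian host.

```shell
#!/bin/sh
# Added example, not part of MediaWiki-schroot. Lists host TCP sockets in
# LISTEN state that are bound to 127.x.x.x. With a shared network stack these
# are reachable from the chroot, which is easy to overlook when a service
# was bound to loopback on the assumption that "local" means "private".

# mw_loopback_listeners [FILE]
#   FILE is a /proc/net/tcp-format table ("-" for stdin, default /proc/net/tcp).
#   Prints one "a.b.c.d:port" line per loopback-bound listening socket.
mw_loopback_listeners() {
    file="${1:-/proc/net/tcp}"
    awk '
        function hex2dec(h,   i, n) {
            n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return n
        }
        # Rows look like "sl: local_address rem_address st ..."; the header
        # row is skipped, $2 is HEXIP:HEXPORT and $4 == "0A" means LISTEN.
        NR > 1 && $4 == "0A" {
            split($2, f, ":")
            ip = f[1]
            # The kernel prints the IPv4 address in host byte order, so on a
            # little-endian host (assumed here) the first octet is the last pair.
            o1 = hex2dec(substr(ip, 7, 2))
            if (o1 != 127) next          # bound to a non-loopback address
            printf "%d.%d.%d.%d:%d\n", o1, hex2dec(substr(ip, 5, 2)),
                   hex2dec(substr(ip, 3, 2)), hex2dec(substr(ip, 1, 2)),
                   hex2dec(f[2])
        }' "$file"
}

# Constructed sample table: MariaDB on 127.0.0.1:3306, HHVM FastCGI on
# 127.0.0.1:9000, Apache on all interfaces (0.0.0.0:80), a stub resolver on
# 127.0.0.53:53, and one established (non-listening) connection.
mw_sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 100 0 0 10 0
   3: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 20004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:8A5C 0100007F:0CEA 01 00000000:00000000 00:00000000 00000000  1000        0 20005 1 0000000000000000 20 4 30 10 -1
EOF
}
```

Source the file on the host and run mw_loopback_listeners with no argument to audit the live table; IPv6 loopback listeners (::1) live in /proc/net/tcp6 and are not covered here.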
In exchange for reduced isolation, we do get some convenience benefits. Bind mounts allow the webserver to run from the exact same source tree that you edit from the host, there is no need to copy. Changes to the source are instantly live. A shared network stack is simple and requires no configuration. A chroot session starts in under a second, and there is very little memory overhead.