Jump to content

Wikimedia Release Engineering Team/MediaWiki on Kubernetes/Meeting notes/2021-02-24

From mediawiki.org

2021-02-24

[edit]

Always

[edit]

TODOs from last time

[edit]

General

[edit]

RelEng

[edit]
  • Pipelinelib improvements to support building multiversion MW images using single-version image sources.
  • Leaning toward packages the l10n files in the image
    • Keeps design simple and more secure at runtime.
    • Will result in larger images (2GB larger per MW version), so ~6GB for a 2-version image.
    • Verified that _current_ production wikipedia config does not actually access the DB when running rebuildLocalisationCache.php.
      • Looking into a way to disable or override etcd access when needed (such as during offline l10n file build)
  • Working on private settings
    • Tried using Files.Glob in chart, but we may not be able to use this to source in files on the deployment server
    • Including these in the images may be an option if we can ensure they are applied in the same way as security patches and resulting images are only published to the restricted registry namespace


Serviceops

[edit]
  • Removed the last blockers for upgrading k8s
    • Working (well?) for the staging cluster. Almost ready
  • docker-registry now has a restricted/ namespace for security-patched images, will put the credentials on releases1001/etc. later today

Platform Engineering

[edit]
  • Shellbox awaiting security review

https://phabricator.wikimedia.org/T268092 https://phabricator.wikimedia.org/tag/secscrum/

TODOs for next time

[edit]