Wikimedia Release Engineering Team/MediaWiki on Kubernetes/Meeting notes/2021-04-21
2021-04-21
Always
- Core_Platform_Team/Initiatives/MediaWiki_on_Kubernetes
- Wikimedia_Release_Engineering_Team/MediaWiki_on_Kubernetes
- Workboard
- IRC: #mediawiki-mw-on-k8s
TODOs from last time
General
- firejail
- was used for sandboxing shellouts, which will now be done in shellbox
- doesn't work in docker and no longer needed
- possibly need to disable firejail in the configuration to avoid the warning from extensions
- MW should auto-detect this, but wmf-config is hard-coded to use firejail at the moment. This will be disabled when shellbox is enabled, which could probably get rid of the warning.
- concern that if firejail is present, the extension will not behave properly
- Risks?
- What to do about warnings/errors
- we will ignore the warning for now and when shellbox is enabled it will go away?
- it would be better to have some conditional in wmf-config to check if using a container and disable firejail
- We need an image for mediawiki-webserver that's not restricted :)
RelEng
- Designing a `scap backport` that would wrap legacy and m8s deployment
- https://phabricator.wikimedia.org/T279322
- Working on a dev environment
Serviceops
- MediaWiki chart under review. It "works" :) https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/670220
- would be better to move the webserver image to be non-restricted
- this is difficult because of the way we configure usage of the restricted namespace
- SRE and Releng will coordinate on a task to do this
- Anyone want to add the db/memcache parts for a dev env? :P
Platform Engineering
TODOs for next time
- Figure out how to publish mediawiki-webserver image to the public registry namespace while keeping the sensitive images in restricted