Wikimedia Release Engineering Team/MediaWiki on Kubernetes/Meeting notes/2021-02-24
2021-02-24 edit
- [joe] started experimenting on top of dancy's work https://github.com/dancysoft/mw-k8s-dev/pull/1
Always edit
- Core_Platform_Team/Initiatives/MediaWiki_on_Kubernetes
- Wikimedia_Release_Engineering_Team/MediaWiki_on_Kubernetes
- Workboard
- IRC: #mediawiki-mw-on-k8s connect
TODOs from last time edit
General edit
RelEng edit
- Pipelinelib improvements to support building multiversion MW images using single-version image sources.
- Leaning toward packages the l10n files in the image
- Keeps design simple and more secure at runtime.
- Will result in larger images (2GB larger per MW version), so ~6GB for a 2-version image.
- Verified that _current_ production wikipedia config does not actually access the DB when running rebuildLocalisationCache.php.
- Looking into a way to disable or override etcd access when needed (such as during offline l10n file build)
- Working on private settings
- Tried using Files.Glob in chart, but we may not be able to use this to source in files on the deployment server
- Including these in the images may be an option if we can ensure they are applied in the same way as security patches and resulting images are only published to the restricted registry namespace
Serviceops edit
- Removed the last blockers for upgrading k8s
- Working (well?) for the staging cluster. Almost ready
- docker-registry now has a restricted/ namespace for security-patched images, will put the credentials on releases1001/etc. later today
Platform Engineering edit
- Shellbox awaiting security review
https://phabricator.wikimedia.org/T268092 https://phabricator.wikimedia.org/tag/secscrum/
- Can't see this task, can the visibility restrictions be reduced? -lego
- Score extension is Shellbox-aware (https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Score/+/630017)