Page MenuHomePhabricator
Create Task
Maniphest T314697

Allow use of wmf's MW CLI scripts on snapshot hosts instead of bypassing
Open, LowPublic
Actions

Description

The multiversion/bin/expanddblist CL script exists in the operations/mediawiki-config.git repository for local development. It is an equivalent to the expanddblist script provisioned by Puppet in production on deployment and mwmaint hosts.

I noticed that recently, a usage showed up in production code. Specifically in dump-growth-mentorship.sh as added for T291966 by https://gerrit.wikimedia.org/r/c/operations/puppet/+/740371 (cc @Urbanecm @Tgr @ArielGlenn).

After a brief moment in which I thought this could "simply" be replaced with invoking expanddblist, instead of $multiversion/bin/expanddblist, I realized this was a workaround for a larger problem. The script is also using $multiversion/MWScript.php directly instead of the mwscript helper that we use elsewhere in production.

Proposal

  • Rename scap::scripts in Puppet to mediawiki::cli-helpers. There is basically nothing Scap-related left here. Some scripts are indeed used by Scap, but most are also used by a ton of other things independent from Scap.
  • Remove the various "FIXME" comments atop this manifest that have been resolved.
  • Add mediawiki::cli-helpers to profile::mediawiki::common.
  • Remove redundant other imports of this in various places.
  • Update dump-growth-mentorship.sh to use the prod expanddblist, thus restoring the status quo.
  • Update dump-growth-mentorship.sh as pilot and leading by example to use mwscript. (Others can be done later based on available testing, no rush there.)

See also:

Gotcha:

One of the helpers, sql apparently only works on maintenance and deployment hosts because the mysql client command isn't provisioned elsewhere. I suggest we either provision that package (is there a reason not to?) or move that into a separate manifest like mediawiki::maintenance::sql that provisions both that script and the needed package, instead of the current fragile situation where we sometimes set sql_scripts => absent and then separately in an entirely different file ensure_packages('default-mysql-client').

Note that snapshot::dumps::packages at least already contains this package. So the question is whether we install it on appservers/jobrunners. I don't think we need it there since sql does the same thing no matter where you run it. That's I guess a reason to place it in a separate manifest as otherwise it's hard to include the rest in profile::mediawiki::common.

Related Objects
Search...

Event Timeline

Krinkle created this task.Aug 6 2022, 3:57 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2022, 3:57 AM
Krinkle updated the task description. (Show Details)Aug 6 2022, 5:30 AM
Krinkle added a project: Developer Productivity.Aug 6 2022, 5:45 AM
Hokwelum subscribed.Aug 8 2022, 11:26 AM
Tgr added a comment.Aug 9 2022, 3:58 AM

Why do we even have a separate expanddblist and $multiversion/bin/expanddblist with basically identical content? It will in the end execute code in the multiversion repo anyway, so the security footprint is the same. Why isn't expanddblist just an alias/redirect to the other?

Krinkle added a comment.Aug 9 2022, 11:03 AM
In T314697#8139516, @Tgr wrote:

Why do we even have a separate expanddblist and $multiversion/bin/expanddblist with basically identical content? It will in the end execute code in the multiversion repo anyway, so the security footprint is the same. Why isn't expanddblist just an alias/redirect to the other?

The Puppet-provided script (originally part of the "scap" module that included sync-common-all etc) came first, and those were all pure bash scripts.

There wasn't one in the wmf-config repo until I created one a while back to aid in local development.

I agree a good next step after this task would be to de-duplicate the scripts that naturally have such runtime dependency already, and indeed puppetize them merely as symlinks to files in /srv/mediawiki/bin/. I do note that there has historically been a resistence to Puppet having knowledge of what files may or may not exist in the Git clone at /srv/mediawiki as relying on what files exist there is deemed fragile but virtue of not being Puppet's own responsibility. However, at least for the scripts that explicitly depend at runtime on files in that same directory already, this is a distinction without a difference as the dependency is there either way, just less obvious.

Tgr edited projects, added Growth-Team (Sprint 0 (Growth Team)); removed Growth-Team.Aug 11 2022, 3:48 AM
Tgr moved this task from Incoming to Ready for Development on the Growth-Team (Sprint 0 (Growth Team)) board.
kostajh triaged this task as Low priority.Aug 31 2022, 12:38 PM
RhinosF1 subscribed.Aug 31 2022, 2:33 PM
jijiki moved this task from Incoming 🐫 to 🙈🙉🙊Backlog on the serviceops board.Sep 28 2022, 2:17 PM
jijiki moved this task from 🙈🙉🙊Backlog to 🌻Mediawiki on the serviceops board.Dec 13 2022, 2:56 PM
DMburugu added a parent task: T311850: [Epic] FY 2022-23 Growth Maintenance Work.Jan 12 2023, 10:14 AM
DMburugu moved this task from Sprint 0 (Growth Team) to Triaged on the Growth-Team board.
DMburugu edited projects, added Growth-Team; removed Growth-Team (Sprint 0 (Growth Team)).
ArielGlenn added a project: Dumps-Generation.Feb 3 2023, 9:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits