Help:Toolforge/shell

This page describes the different shell access levels, and what you can do with them in Toolforge.

Bastion shell

As of today, this is the primary shell that you get access to when you connect to Toolforge via SSH.

The prompt is something like this:

Linux tools-bastion-13 6.1.0-29-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.123-1 (2025-01-02) x86_64
Debian GNU/Linux 12 (bookworm)
======================================================================
_______  _____   _____         _______  _____   ______  ______ _______
   |    |     | |     | |      |______ |     | |_____/ |  ____ |______
   |    |_____| |_____| |_____ |       |_____| |    \_ |_____| |______
======================================================================
This is a server of the tools Cloud VPS project, the home of community
managed bots, webservices, and tools supporting the Wikimedia movement.

Use of this system is subject to the Toolforge Terms of Use,
Code of Conduct, and Privacy Policies:
- https://wikitech.wikimedia.org/wiki/Help:Toolforge/Terms_and_conditions

General guidance and help can be found at:
- https://toolforge.org/

The last Puppet run was at Thu Mar 20 11:18:45 UTC 2025 (25 minutes ago). 
Last Puppet commit: (4943429561) Vgutierrez - acme_chief::cloud: Avoid leaking designate secrets
Last login: Tue Nov 26 12:16:05 2024 from bastion-restricted-eqiad1-3.bastion.eqiad1.wikimedia.cloud
user@tools-bastion-13:~$

The purpose of this shell is to give you access to the different tool accounts using the become command.

Running workloads from this shell is limited, and in general discouraged.

Tool account shell

This is the shell that you get when you use the become command, see Help:Toolforge/Quickstart#Login_and_"become"_your_tool.

The prompt is something like this:

user@tools-bastion-13:~$ become my-tool
tools.my-tool@tools-bastion-13:~$

The purpose of this shell is to allow you to operate your tool, using the toolforge command.

Running workloads from this shell is limited, and in general discouraged, other than the basic set of utilities to operate your tool, view logs, some lightweight debugging and such.

Example commands you may run:

nano, vim, or other similar terminal-based text editors
grep, tail, less, and other text inspection utilities
git, curl, wget and similar
kubectl to interact with the Toolforge Kubernetes API

Example operations that are discourage to be executed in this shell:

decompressing or parsing large Help:Shared_storage#/public/dumps files, use a tool account runtime shell for this
long-running processes, like background scripts, use a proper tool job for this
compiling or building source code, use the build service for this

Tool account runtime shell

This is the shell that you get when you use the toolforge webservice shell command.

The prompt is something like this:

tools.my-tool@tools-bastion-13:~$ toolforge webservice shell
tools.my-tool@shell-17424701134:~$

This shell is running inside a Kubernetes engine container, on one of the Toolforge worker nodes.

You are free to run whatever workloads from this shell, including:

some heavy processing command
any debugging
inspecting and working with shared storage, like /public/dumps

Infrastructure shell

This is the shell available in Toolforge infrastructure servers. This is not a public-facing part of Toolforge, and access to this shell is usually reserved for system administrators and engineers.

The prompt is something like this:

Linux tools-k8s-control-7 6.1.0-31-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64
Debian GNU/Linux 12 (bookworm)
      ^
     / \    This server is part of the Toolforge infrastructure.
    / ! \
   /_____\         "No user-serviceable parts inside."

The last Puppet run was at Thu Mar 20 11:11:31 UTC 2025 (6 minutes ago). 
Last Puppet commit: (4943429561) Vgutierrez - acme_chief::cloud: Avoid leaking designate secrets
Last login: Wed Mar  5 10:33:40 2025 from bastion-restricted-eqiad1-3.bastion.eqiad1.wikimedia.cloud
user@tools-k8s-control-7:~$

You are welcome to participate in the administration and engineering of Toolforge. See also:

Communication and support

Support and administration of the WMCS resources is provided by the Wikimedia Foundation Cloud Services team and Wikimedia movement volunteers. Please reach out with questions and join the conversation:

Discuss and receive general support

Chat in real time in the IRC channel #wikimedia-cloud ^connect or the bridged Telegram group
Discuss via email after you have subscribed to the cloud@ mailing list

Stay aware of critical changes and plans

Subscribe to the cloud-announce@ mailing list (all messages are also mirrored to the cloud@ list)
Read the News wiki page

Track work tasks and report bugs

Use a subproject of the #Cloud-Services Phabricator project to track confirmed bug reports and feature requests about the Cloud Services infrastructure itself

Read stories and WMCS blog posts

Read the Cloud Services Blog (for the broader Wikimedia movement, see the Wikimedia Technical Blog)