How to deploy code

From Wikitech
Jump to: navigation, search

This article is mainly about deployment of changes to MediaWiki code to the Wikimedia cluster.

Introduction

  • All configuration and utilities are in version control (in the operations/mediawiki-config.git repository)
  • Each version of MediaWiki (e.g. 1.27.0-wmf.1) is in a branch of the mediawiki/core.git repository, with submodules for the extensions, skins, etc. deployed in that version.
  • This mediawiki-config repository is checked out on the deployment host at /srv/mediawiki-staging, with each branch of the MediaWiki codebase and its extensions checked out in /srv/mediawiki-staging/php-1.XXX subdirectories
  • sync scripts synchronize that working copy on the deployment host onto /srv/mediawiki on hundreds of servers.

See also

Basic common sense

  • Be careful. Breaking the site is surprisingly easy!
    • don't make deployment changes from a development directory, instead use a separate clean git clone just for deployments
    • check git status constantly (or set your shell prompt to show the info).
  • If you're deploying code written by someone else, ask them to be around during deployment so they can troubleshoot if necessary.
  • Make sure you know about anything hairy, such as additional prerequisites (e.g. schema changes) or potential complications when rolling back.
  • Perform operations in the right order. For example, if you're deploying code affecting the databases, you should create or edit SQL tables before deploying a change requiring these tables.
  • Join #wikimedia-operations and #wikimedia-tech on Freenode and be available before and after all changes.

Deployment requirements

Access/rights needed to deploy

  • Production shell access
  • Access to merge changes in wmf deploy branches by being added to the wmf-deployments gerrit group
    • Ask any existing wmf-deployments group member to do this.
  • Join (and read) the operations mailing list (ops@lists.wikimedia.org)
    • This is because announcements that could impact how and/or when to deploy things are primarily sent there.

Other Prerequisites

  • Ask an experienced deployer to tag along once or twice before attempting your own.
  • Remember your common sense. See above
  • Some shiny code
  • A window of time to deploy during (that doesn't overlap with anyone else's window). Deployments is the calendar for planning and recording activities in these windows.
  • A clean local git repository of mediawiki/core (use ssh for speed), in which you have set up git review using git review -s
  • Be present on IRC. #wikimedia-tech and #wikimedia-operations are two places where people will come to yell at you if something goes wrong, you should be able to hear them.

Step 1: get the code in the deployment branch

Before you can deploy anything, it has to be in the deployment branch(es). Our deployment branches are named wmf/1.MAJOR-wmf.MINOR (e.g. php-1.27.0-wmf.7) where MAJOR and MINOR are numbers that increase over time as new branches are cut. A new branch with an incremented MINOR number is cut at the start of each deployment cycle, and after each tarball release MAJOR is incremented and MINOR is reset to 1. Strict access control is enforced on the deployment branches, but you should have access to them if you are a deployer. On the deployment host, the checkout of each deployment branch is in /srv/mediawiki-staging/php-1.MAJOR-wmf.MINOR .

Note that in most cases the cluster will be running on two deployment branches, with some wikis running version N and some running version N+1. To see what versions the cluster is currently running, on the deployment host execute:

$ scap wikiversions-inuse

To see which wiki is running which version, inspect /srv/mediawiki-staging/wikiversions.json (public mirror) or look at Special:Version.

If your code or change needs to go live to all wikis, you will need to change all deployment branches that are in use. An easy way to see all of the versions currently in use is to log onto the deployment host and run mwversionsinuse from the command line. You can also run mwversionsinuse --withdb to see a wiki that is running each version.

NOTE: All examples on this page assume there is a single deployment branch called wmf/1.27.0-wmf.1 checked out on the cluster in php-1.27.0-wmf.1. You need to change this to a current branch name when you run the commands. If you are updating multiple deployment branches, simply repeat the steps for each deployment branch separately.

NOTE: Also, all git examples assume you have a clean working copy, that is, you have no uncommitted changes. To verify this, run git status, it should say nothing added to commit (working directory clean) or nothing added to commit but untracked files present . If you are doing git-fu with a dirty working copy, there is a high probability you will screw things up, so don't do that unless you know what you're doing.

Case 1a: core changes

You are deploying changes to MediaWiki core. This should be rare because core is updated from master every two to three weeks, but in some cases it might be necessary. For core changes, you will simply need to push or submit changes to the wmf/1.27.0-wmf.1 branch in core. The most common use case is to take a commit that is already in the repository somewhere (usually in master, sometimes a commit that's still pending review) and cherry-pick it into the deployment branch, so only that case is documented below.

To cherry-pick a commit into the deployment branch, do the following things locally:

$ cd mediawiki/core      # go to your checkout of mediawiki/core.git

# Set up a local wmf/1.27.0-wmf.1 branch that tracks the remote
# You only need to do this once for each branch; if you've already got a wmf/1.27.0-wmf.1 branch, you can skip this step
# If you get an error, try 'git remote update' or 'git fetch' first
$ git branch --track wmf/1.27.0-wmf.1 origin/wmf/1.27.0-wmf.1
Branch wmf/1.27.0-wmf.1 set up to track remote branch wmf/1.27.0-wmf.1 from origin.

# Switch to the wmf/1.27.0-wmf.1 branch and update it from the remote
$ git checkout wmf/1.27.0-wmf.1
$ git pull
$ git submodule update --init --recursive

# Cherry-pick a commit from master, identified by its patch set hash
$ git cherry-pick ffb1b38ad83927606c539ac941e9f3eb2653a840

# If there are conflicts, this is how you fix them:
# - run 'git status' to see which files are conflicted
# - start fixing conflicted files using your favorite editor
# - use 'git add filename' to tell git you've fixed the conflicts in a file
# - once all conflicts are resolved, commit the result using 'git commit'

# Submit your cherry-pick commit for review
$ git review
# If you don't want or need this to be reviewed, you can +2 your own
# commit if you are in the wmf-deployment group

Case 1b: extension/skin/vendor changes

You are deploying changes to an extension, but you don't just want to deploy master. Instead, you want to deploy the code that is currently deployed, plus your change. (If you do actually want to deploy master, see How to deploy current master branch of an extension.)

Starting with 1.23wmf10, all deployed extensions have automatically-created wmf/1.xxwmfyy branches. Each of these extension branches should be in sync with the corresponding submodule pointer in the corresponding core branch. To deploy an extension update, you make changes to this branch, and Gerrit will update the submodule pointer in core.

Updating the deployment branch

Just like in core, the most common use case for updating a deployment branch is to cherry-pick changes from master. You can do this using the Cherry Pick To button in Gerrit, or from the command line as follows:

$ cd mediawiki/extensions/MyCoolExtension      # go to your extension checkout

# Set up a local wmf/1.27.0-wmf.1 branch that tracks the remote
# You only need to do this once for each branch; if you've already got a wmf/1.27.0-wmf.1 branch, you can skip this step
# If you get an error, try 'git remote update' or 'git fetch' first
$ git branch --track wmf/1.27.0-wmf.1 origin/wmf/1.27.0-wmf.1
Branch wmf/1.27.0-wmf.1 set up to track remote branch wmf/1.27.0-wmf.1 from origin.

# Switch to the wmf/1.27.0-wmf.1 branch and update it from the remote
$ git checkout wmf/1.27.0-wmf.1
$ git pull

# Cherry-pick a commit from master, identified by its patch set hash
$ git cherry-pick 176ffdd3b71e463d3ebaa881a6e77b82acba635d
# If there are conflicts, this is how you fix them:
# run 'git status' to see which files are conflicted
# start fixing conflicted files
# use 'git add filename' to tell git you've fixed the conflicts in a file
# once all conflicts are resolved, commit the result using 'git commit'

# Submit your commit for review
# Note: 'wmf/1.27.0-wmf.1' is the name of the remote branch you are pushing to, not the name of your local tracking
# branch (although in this example they are the same).
$ git review wmf/1.27.0-wmf.1
# If you don't want or need this to be reviewed, you can +2 your own
# commit if you are in the wmf-deployment group and will be deploying this immediately

You can repeat this process multiple times to commit or cherry-pick multiple changes. After you have submitted the updates to gerrit, you can either have them SWAT deployed by adding the updates to the deployment schedule or deploy them yourself by following the other steps below.

Updating the submodule

This is no longer necessary, a submodule update commit is automatically created and merged when you merge a commit to some extension's wmf/* branch, except when commit is to the VisualEditor extension or you are updating a submodule that is not on a branch that has the same name as the core branch it is included in. In those cases, see /Core submodule update.

Case 1c: new submodule (extension, skin, etc.)

You are adding an entirely new extension that wasn't deployed before, and you're deploying from master (if you need to deploy something other than the master state, that's possible, but it generally shouldn't be done for an initial deployment; master should just be clean and deployable).

You already deployed your new extension to the beta cluster (read instructions) and tested it for weeks, right? Otherwise, STOP and talk to experts.

You need to add a submodule to the core deployment branch:

$ cd mediawiki/core            # Go to your checkout of core

# Set up a local wmf/1.27.0-wmf.1 branch that tracks the remote
# You only need to do this once for each branch; if you've already got a wmf/1.27.0-wmf.1 branch, you can skip this step
# If you get an error, try 'git remote update' or 'git fetch' first
$ git branch --track wmf/1.27.0-wmf.1 origin/wmf/1.27.0-wmf.1
Branch wmf/1.27.0-wmf.1 set up to track remote branch wmf/1.27.0-wmf.1 from origin.

# Switch to the wmf/1.27.0-wmf.1 branch and update it
$ git checkout wmf/1.27.0-wmf.1
$ git pull
# Update the extension submodules. This may take a while when you run it for the first time
$ git submodule update --init --recursive

# Add a submodule for your extension
$ git submodule add https://gerrit.wikimedia.org/r/p/mediawiki/extensions/MyCoolExtension.git extensions/MyCoolExtension
Cloning into extensions/MyCoolExtension...
# Check the diff. Make sure the .gitmodules entry is in line with the others, and check that the subproject commit hash points to master
$ git diff --cached
diff --git a/.gitmodules b/.gitmodules
index 3ab3d48..9a4cc66 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -346,3 +346,6 @@
 [submodule "extensions/PrefSwitch"]
        path = extensions/PrefSwitch
        url = https://gerrit.wikimedia.org/r/p/mediawiki/extensions/PrefSwitch.git
+[submodule "extensions/MyCoolExtension"]
+       path = extensions/MyCoolExtension
+       url = https://gerrit.wikimedia.org/r/p/mediawiki/extensions/MyCoolExtension.git
diff --git a/extensions/AllTimeZones b/extensions/MyCoolExtension
new file mode 160000
index 0000000..46727ad
--- /dev/null
+++ b/extensions/MyCoolExtension
@@ -0,0 +1 @@
+Subproject commit 46727ad74adda33621323deb2bebdc2527cb4917

# Commit the submodule addition and submit it for review
$ git commit -a -m "Add MyCoolExtension"
$ git review
# If you don't want or need this to be reviewed, you can +2 your own
# commit if you are in the wmf-deployment group

NOTE: When adding a new extension to one branch, you also need to add the extension to any other branches in use on the cluster (typically the wmf.{N-1} branch), even if the extension will not be enabled on any wikis running that branch. Otherwise the localization cache builder will fail.

When adding (and removing) an extension, you need to update the files wmf-config/extension-list and default.conf, see #Add new extension to extension-list and default.conf

Step 2: get the code on the deployment host

$ ssh deployment.codfw.wmnet

Once the code merged in the deployment branch in Gerrit, we pull it down on the deployment host. Avoid plain git pull to avoid unexpected changes (see #Problem: undeployed code).

deployment-host:~$ cd /srv/mediawiki-staging/php-X
# Make sure there are no uncommitted changes. Submodule changes are OK (they usually mean security patches)
deployment-host:/srv/mediawiki-staging/php-X/$ git status
# Fetch remote git commits without updating working directory yet
deployment-host:/srv/mediawiki-staging/php-X/$ git fetch
# View local log
deployment-host:/srv/mediawiki-staging/php-X/$ git log -n25 --oneline --decorate --graph
# View remote log
deployment-host:/srv/mediawiki-staging/php-X/$ git log HEAD..origin/wmf/X

View the local log to ensure there are no local patches that shouldn't be there (e.g. security patches). You may want to alias that command to something convenient like git lg (see mw:Git/aliases).

The remote log shows the commits that would be added to the working copy when we rebase the local branch (e.g. "git pull"). If there are other changes besides yours, go yell at the culprit. Otherwise you're OK to pull your changes into the deployment directory. You must always rebase in case there are security patches locally committed on the deployment host.

/srv/mediawiki-staging/php-X/$ git rebase origin/wmf/X

If you are deploying a change for an extension, you can now simply update the extension submodule with:

deployment-host:/srv/mediawiki-staging/php-1.27.0-wmf.1/$ git submodule update --init --recursive extensions/MyCoolExtension

you should see the commit ID from your work in your local deployment

Pre-deployment testing in production

Part of the deployment process (for e.g. SWAT) is now to deploy first to the server that corresponds to mwdebug1002.eqiad.wmnet. HTTP requests for any production wiki – enwiki, Italian Wikiquote, testwiki etc. – can be routed to this test Apache server. See X-Wikimedia-Debug for how to do this.

The cluster machines have a cache for i18n messages for each release, but this sync from a machine does update its i18n cache. it seems the only way to update these messages is to do a full scap.

Step 3: configuration and other prep work

In certain cases, you'll have to change how Wikimedia sites are configured. We generally have the same codebase everywhere, but with different configurations for each wiki.

Maybe you are just changing one configuration variable. Or, perhaps you are adding a brand-new extension, or activating an extension on some wiki where it's never been before. For all of these cases, and more, you'll have to make the changes to the config files to get the desired results.

Configuration files live in their own revision-controlled repository operations/mediawiki-config. The big difference is the configuration files are not tied to releases — there is no 1.27.0-wmf.1 branch for configuration. This means you cannot commit a configuration change and have it "roll out" across wikis on the release train, it has to work with all branches in use. In general if you're not in operations you should make changes to a local copy of this repository (as explained in How to do a configuration change#In your own repo via gerrit), submit them for gerrit review with a -1 comment to avoid early deployment, then during your deployment window +2 them and get them on the deployment host.

Everything that follows is just a convenient way to make config changes.

If you're deploying an extension or feature that can be switched off, it's usually best to leave it switched off while you deploy and carefully switch it on after that using a simple configuration change (this is called a dark launch). Even if you do this, you should build any configuration infrastructure (e.g. $wmg variable, adding entry in InitialiseSettings with default false) at this time so all you'll have to do later is flip a switch.

For specific preparations, see the sections below as well as How to do a schema change and How to do a configuration change. Best to perform schema changes before making config changes.

Add a configuration switch for an extension

In /srv/mediawiki-staging/wmf-config/CommonSettings.php, add:

if ( $wmgEnableMyExtension ) {
  require_once( "$IP/extensions/MyExtension/MyExtension.php" );
  // Set config vars if needed

  // If you want to export config vars through InitialiseSettings.php, you need to set $wmgMyExtensionThingy there and do
  #$wgMyExtensionThingy = $wmgMyExtensionThingy;
}

In /srv/mediawiki-staging/wmf-config/InitialiseSettings.php, add something like:

'wmgEnableMyExtension' => array(
  'default' => false,
  'eswikibooks' => true,
  // etc.
),
// If needed, set $wmgMyExtensionWhatever vars here too

If your extension requires a large-ish amount of configuration, consider putting it in a separate file instead. Currently, AbuseFilter, LiquidThreads and FlaggedRevs do this.

For more documentation on these files and their formats, see Configuration files.

Add new extension to extension-list and release tools

Note: the location of extension-list will be changing soon, from /srv/mediawiki-staging/wmf-config to /srv/mediawiki-staging/php-VERSION/extension-list - see T125678 for background.

When adding a new extension, you need to add it to the extension list, or its i18n messages won't get picked up. For more information about this setup, see Configuration files.

  1. cd /srv/mediawiki-staging/wmf-config
  2. Edit extension-list and add the path to the extension setup file on a line by itself
  3. commit the change
  4. Run scap sync. Make sure your extension is only enabled on testwiki at this point

After adding a new extension to the deployment branch, you also have to add it to make-wmf-branch/config.json in mediawiki/tools/release.git, most likely in the extensions array, so it'll be picked up when the deployment branch is rebranched.

Disabling an extension

Conversely, when you disable an extension, remove it from wmf-config/extension-list and make-wmf-branch/config.json.

Reedy commented:

If you’re wanting to disable an extension on the cluster, please DO NOT remove it from current deployment branches. Git gets upset and breaks things like git submodule update.
Per Stackoverflow, there isn’t a “git submodule rm foo”, and it’s just a pain for other people to have to clean up their working copies.
So in future, if you’re wanting to disable and remove an extension from production, it’s fine to do so in InitialiseSettings.php/CommonSettings.php, and even remove it from extension-list, but do not remove it from the core deployment branch. Instead, remove it from make-wmf-branch, and as long as the commit is merged before I (or whoever) makes the deployment branch, it won’t be branched for further usage.

When you disable a default extension, make sure it's gone from addWiki.php so that it doesn't cause issues next time someone creates a database.

Getting configuration changes on the deployment host

If you made configuration changes to your local mediawiki-config repository, then once they are merged in gerrit you need to get them on the deployment host. This is similar to step 2, but there's no deployment branch. It's covered in How to do a configuration change#In your own repo via gerrit.

Step 4: synchronize the changes to the cluster

Small changes: sync individual files

If your change only touches one or a few files or directories and does not change i18n messages, you can sync the files/dirs individually with scap sync-file or scap sync-dir as appropriate, rather than having to run scap sync. This is preferable because a scap sync run always shakes the cluster up a bit and takes longer to complete, while a scap sync-file run is very lightweight. However, scap sync-file is only capable of synchronizing files within directories that already exist on the cluster, so it won't work with newly added directories. Also, scap sync-file only synchronizes one file at a time, and creates a log entry each time. Using it repetitively (e.g. with a for loop) to sync multiple files is fine, as long as there's not too many of them (say not more than ~5).

To sync a single file, run scap sync-file [path to file] [summary]. To sync a directory, run scap sync-dir [path to directory] [summary]. The IRC logmsgbot uses the summary to log your sync in #wikimedia-operations, from where it'll go to the server admin log and the identi.ca and Twitter feeds.

  • PITFALL: The path argument has to be relative to the common directory, not to the current directory. To preserve your sanity (and tab-completion functionality), always cd to /srv/mediawiki-staging before running scap sync-file or scap sync-dir.
  • PITFALL: If the summary argument contains spaces, you'll have to put it in quotes or only the first word is used. If your summary contains a $, you'll either have to escape it or put your summary in single quotes, to prevent bash's variable expansion from messing it up
  • PITFALL: scap sync-file and scap sync-dir do not work correctly for syncing i18n changes. They will appear to work, but the i18n changes won't take effect. To sync i18n changes, you must use scap sync.

When running scap sync-file or scap sync-dir, you'll occasionally see errors from a broken server (sample output with multiple broken servers below). If you see unexpected output, ask in #wikimedia-operations. scap sync-file or scap sync-dir usually completes within a few seconds, but in cases where is has trouble connecting to hosts, it may hang for 1 or 2 minutes.

catrope@deployment-host:/srv/mediawiki-staging$ scap sync-file php-1.27.0-wmf.1/api.php 'API security fix'
No syntax errors detected in /srv/mediawiki-staging/php-1.27.0-wmf.1/api.php
copying to apaches
mw60: ssh: connect to host mw60 port 22: Connection timed out
srv189: ssh: connect to host srv189 port 22: Connection timed out
srv174: ssh: connect to host srv174 port 22: Connection timed out
srv266: ssh: connect to host srv266 port 22: Connection timed out

More complex changes: sync everything

If you're adding directories, changing many files, changing i18n messages, or otherwise have a reason why scap sync-file wouldn't work or would be impractical, you'll have to run scap sync, which syncs everything and rebuilds caches. scap sync logs to the server admin log, and reports in #wikimedia-operations (without !log) when it finishes.

awjrichards@deployment-host:/srv/mediawiki-staging$ scap sync 'Log message here'
Checking syntax...
Copying to deployment-host...Done.
Updating serialized data files...
Warning: messages are no longer serialized by this makefile.
Updating ExtensionMessages-1.26.php...
Updating ExtensionMessages-1.27.0-wmf.1.php...
Updating LocalisationCache for 1.19...
Updating LocalisationCache for 1.27.0-wmf.1...
...snip...

Running scap sync can take 30-60 minutes; the LocalisationCache rebuilds (usually two of them, one for each deployed wmf version) cause most of this delay. There is usually a load spike and a few hiccups on the cluster immediately after scapping, but that's normal, as long as it subsides a few minutes after scap sync finishes running.

Remove a dblist

scap sync-dir dblists/ can be used to sync the removal of a dblist. Before syncing, make sure to remove the wiki tag from CommonSettings.php [1]

Test and monitor your live code

Is it doing what you expected? Unfortunately, testwiki is not like a real wiki: extensions respond to a trigger hooks, CentralNotice or Common.js might effect the browser environment, etc. No one environment can simulate all the wikis that we operate, so test your change afterwards on a live wiki to confirm. test2.wikipedia.org is a test wiki that operates as a member of the cluster. Keep in mind also that different projects are configured differently, have different extensions enabled, use different alphabets, etc; it can be worthwhile to double check your changes on multiple projects, particularly to ensure that character encoding and right-to-left formatting is behaving as expected. Also remember that the caching infrastructure on the cluster is likely different than your local or testing environments; keep the different production caching layers/strategies in mind as you're assessing your changes in production.

WMF uses open-source tools including ganglia, graphite, and icinga to monitor its production cluster; you should review their output post-deploy for unexpected spikes.

Logstash + elasticsearch + Kibana aggregates exceptions and fatals and lets you query them.

If you are deploying database changes, you should keep an eye on slow queries and database lag via tendril:

All PHP error logs are routed to the server fluorine in /a/mw-log. Exceptions and fatals happen constantly, so you need to get a sense of changes over time. For example, to see trends in "Maximum execution time exceeded" errors this month, you might run

fluorine$ cd /a/mw-log/archive
fluorine$ zgrep -c 'Maximum execution time' fatal.log-201304*

All apache error logs are (still) routed to fenari in /home/wikipedia/syslog.

For a summary of all of the logs in use, see Logs.

Don't leave town

IZBROKEIT.png

Even if your deploy appears to be working, it's important to be reachable in the hours immediately following your deploy. Ideally, stay online and in IRC channels like #wikimedia-tech and #wikimedia-operations for a couple of hours. Update Deployments with what happened in your deployment window.

If you must go offline, let people know how to reach you (and keep your mobile phone or other communications device on your person). You can use /away messages on IRC, or perhaps send a short email to the ops list.

If you are on Wikimedia staff, now might be a great time to check if your contact info is up to date. If you aren't on staff, ask a staffer to add your contact info to that page, under "Important volunteers".

A note on JavaScript and CSS

Since we have ResourceLoader, there is no need to e.g manually do a "build" (to re-minify/re-cache static files). ResourceLoader does this automatically on-demand. Depending on when the timestamp cache gets a cache-miss, it can take up to five minutes for that to occur.

Occasionally ResourceLoader trips up and does not re-cache files correctly on the bits servers. The symptom of this is typically that stale minified files are served from bits, but if you add ?debug=true to the URL RL serves the new content.

ResourceLoader and localisation

In the case of a localisation update that affects JavaScript and is loaded via the ResourceLoader the live string may remain unchanged after running scap; troubleshooting steps follow:

  1. Check /MediaWiki:<string-key> on the wiki in question to see if the string has been updated, e.g. to check the popups-send-feedback string (from the Popups extension) on enwiki visit https://en.wikipedia.org/wiki/MediaWiki:Popups-send-feedback
  2. If that string has been updated, check the msg_resource table in the database of the appropriate wiki for the appropriate language
    select * from msg_resource where mr_resource='<resource>' and mr_lang='<lang>'\G
    
  3. It may be necessary to truncate the msg_resource database table if the string in msg_resource is out of date, but the wiki does see the new string (checked in step 1)
    truncate msg_resource;
    

Security patches

The last step in fixing security issues in MediaWiki before releasing the fixes publicly is deploying the patches on the cluster. When this happens:

  • All patches / fixes will be committed changes in the local repo
  • An email will be sent to the Ops list to notify everyone that the patches are there, and where the raw patches live on the deployment host in case they need to be modified or reapplied

Please do not revert these. If you are unsure if local, committed changes are security related, please ask someone in platform privately. Please do not discuss the patches publicly (including IRC). In most cases the commit message and knowing the files the commit affected would be enough for a malicious person to figure out the vulnerability.

When there are security patches in deployment, please rebase them on top of any changes you are deploying. This makes it easier to see what's been deployed (no more "Merge branch...." commits), and makes the fact that security patches are live immediately clear.

The only times that these should interfere with your deployment is if the changes conflict. In this case, please contact someone from the platform team to work out the best way to handle the situation.

Creating a Security Patch

See also How to perform security fixes
  1. Create a Phabricator security report if one does not already exist.
  2. Create and test your patch locally (preferably on a branch); then commit locally. Do not commit the patch to Gerrit at all. Drafts are not secure.
  3. Create the patch by running git format-patch HEAD^ --stdout > Txxxxx.patch (where "Txxxxx" is the task id) which will produce a patch file in your working directory.
  4. Upload the patch by attaching it to the Phabricator task. Coordinate with other developers to review your patch.
  5. Apply the patch in the current/affected wmf branches on the deployment host:
    • Check that the patch applies with git apply --check /path/to/patchfile
    • Apply patch with git am /path/to/patchfile
    Note that some config files are made public via noc.wikimedia.org; don't put anything non-public in those.
  6. Set the environment variable DOLOGMSGNOLOG=1 to prevent the automatic logging from revealing too much information about which file or component, then deploy as usual. Log the deployment manually by saying "!log Deployed patch for Txxxxx" in #wikimedia-operations connect.
  7. Ensure the security patch will be applied to future deployment branches:
    • The .patch file should be stored on the deployment host under /srv/patches/<branch>/, for whichever branches have the security patch applied.
      • Patches to MediaWiki core should be stored in /srv/patches/<branch>/core/
      • Patches to extensions should be stored under /srv/patches/<branch>/extensions/ExtensionName.
        • Filenames should be prefixed with a 2-digit number to indicate the order in which patches should be applied in the repo. Your file should be prefixed with '01-' if it is the first patch in the directory, or the next highest number if other patches already exist.
        • Files should be git committed to the local repository.
    • Send an email to the ops list stating that there is a security patch on the cluster and where your patch file lives on the deployment host. As a deployer you should already be subscribed to this.
  8. Work with the security team to make sure the vulnerability is resolved and that your patch makes it into the next security release.

Problem: undeployed code

If you need to deploy something but you find undeployed changes or local changes that are not security fixes, revert all of them and !log your revert, then proceed to your deploy.

If it's uncommitted live-hacks (as in, not even in gerrit), the polite thing is to stash them, so you don't erase someone's work forever.

Background

Roan commented in October 2012:

The problem is that sometimes, people merge things into a deployment branch and then don't deploy them. This is a terrible habit that should be squashed. If you merge something into a wmf branch, you have a responsibility to either deploy it yourself very soon, make sure that someone deploys it very soon, or revert it if you can't make those things happen. The deployment branch should reflect the current state of the cluster, except during those brief moments where something is about to be deployed or in the process of being deployed.

If you are concerned about other commits being pulled in (which should never happen, unless someone has been naughty), then in Step 2 you can run git fetch followed by git log HEAD..@{upstream}. This will list the commits that would be pulled by 'git pull'. In that list, it should be easy to spot commits that aren't yours and identify the person to yell at. If you run git pull and it ends up pulling things you didn't expect, you can use git log to examine what happened, and git reflog (or the output of git pull) to find the hash of the commit you were at before pulling, so you can roll back to it if needed. But if this happens to you, feel free to start yelling at people and/or asking for help.

See also