MediaWiki On Kubernetes

From Wikitech
Jump to navigation Jump to search

MediaWiki-on-Kubernetes (or mw-on-k8s for short) is an initiative to transition the MediaWiki at WMF deployment from dedicated Application servers to Kubernetes. This page contains information what is changing as part of this transition.

What traffic is currently served by MediaWiki on k8s

As of today, the following sites are fully served by MediaWiki on k8s:

  • test2.wikipedia.org
  • test.wikidata.org

Server groups

MediaWiki on Kubernetes is deployed to both the main Eqiad and Codfw datacenters, in the wikikube kubernetes clusters. While the situation is in constant evolution, we currently have the following server groups:

  • mw-debug For external requests with X-Wikimedia-Debug, like the old mwdebug VMs. Accessible using the k8s-experimental option of the WikimediaDebug browser extension.
  • mw-web For external requests from web browsers (via the CDN).
  • mw-api-ext For external requests to the API (via the CDN).
  • mw-api-int For internal requests to the API (from other services).
  • mw-jobrunner For internal requests from the JobQueue runners (except videoscaling jobs).

What is in a MediaWiki pod

Each MediaWiki pod in Kubernetes contains 8 containers:

  • mediawiki-main-tls-proxy - running Envoy, as service mesh and TLS terminator.
  • mediawiki-main-httpd - running the Apache httpd daemon.
  • mediawiki-main-app - running the PHP daemon.
  • mediawiki-main-mcrouter - running mcrouter.
  • mediawiki-main-rsyslog - running rsyslog, to collect MediaWiki logs (for Logstash) and Apache access logs.
  • mediawiki-main-{php-fpm,mcrouter,httpd}-exporter - the Prometheus exporters for PHP, mcrouter and Apache httpd.

How to manage changes to the infrastructure

Given we're in a transition phase between the old puppet-managed systems and MediaWiki running on Kubernetes, we tried to keep things shared as much as possible. This means that deploying Puppet changes for app servers influences future mw-on-k8s deploys. However, Puppet merely prepares the host where the Kubernetes images are built, it doesn't perform a Kubernetes deployment. Applying infra-level changes to Kubernetes services and doing a code deployment are exactly the same procedure, but we need additional care when merging infrastructure changes.

Things that propagate from Puppet to MediaWiki-on-Kubernetes include:

  • The list of logging brokers, and the udp2log host.
  • The list of service proxy endpoints to offer, and the list of all available too (out of service::catalog).
  • The list of MediaWiki sites and Apache configuration parameters (e.g. which domain names for Apache vhosts), but not the Apache config template itself!
  • The list of memcached servers.
  • The GeoIP and GeoIPInfo data

So, whenever you want to change any of the above things, you will need to:

  • check what your change would modify on a role::deployment_server::kubernetes host - if it changes a file under /etc/helmfile-defaults/mediawiki then the following applies to your change
  • only merge the change during a "MediaWiki infrastructure" window routinely scheduled on Deployments calendar, or otherwise well outside of any MediaWiki code deployment window. This is done to allow both SREs and MW developers/deployers to monitor their deployments independently and avoid unexpected consequences.
  • after the change is merged, ensure a puppet run happens on the MediaWiki deployment server, then proceed to re-deploy all MediaWiki service groups on Kubernetes.

How to deploy MediaWiki on Kubernetes

Manual deployment

scap sync-world --stop-before-sync rebuilds the image and updates the Helmfile release files, so you can call helmfile apply afterwards to manually update the releases

Automatic deployment

scap sync-world --k8s-only rebuilds the image and only triggers the deployment to mw-on-k8s, leaving the regular Apache targets untouched

Troubleshooting

Dashboards

Retrieved from "https://wikitech.wikimedia.org/w/index.php?title=MediaWiki_On_Kubernetes&oldid=2063397"