From Wikitech

You are probably reading Wikitech right now.


Wikitech runs on the eqiad hosts cloudweb1003 and cloudweb1004. Its database name (wiki ID) is labswiki. The MediaWiki install is updated automatically as part of standard WMF deployment. Nevertheless, it is not a vanilla wiki, nor a typical WMF wiki, in several ways:

  • Auth on wikitech uses LDAP accounts ("developer accounts")
  • A successful login on wikitech requires a token from Openstack Keystone in the CloudVPS cluster (currently Keystone runs on virt1000). (Warning: this info may be outdated)
  • Wikitech runs the latest version of OpenStackManager for control of CloudVPS (although most control functionality has moved to Horizon by now).
  • Some of the normal deployment process (especially using mwdebug hosts) does not apply to Wikitech.

There are some MediaWiki config settings that are entirely exclusive to Wikitech. These are set in a separate .php config file, wmf-config/wikitech.php

Some authentication-related wikitech actions affect other developer services:

  • The password change UI affects LDAP passwords
  • 2FA set up here is used by Horizon and Striker
  • Various tools (most notably Striker) refuse to work without OAuth access to wikitech
  • (Infinite, non-partial) wikitech blocks also lock the user out from LDAP (probably? someone more in the know should confirm that)


In addition to normal ways to break (that any server or mw install is subject to), wikitech has a few additional failure cases due to relying on ldap and keystone. If login is failing, turn on the ldap+auth log by uncommenting some lines in wmf-config/wikitech.php

 #$wgPasswordReminderResendTime = 0;
 #$wgPasswordAttemptThrottle = false;
 #$wgShowExceptionDetails = true;
 $wgLDAPDebug = 5;
 $wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log";

With that change, /tmp/ldap-s-1-debug.log will fill up with useful info, and you should be able to determine if ldap is breaking, or Keystone, or something else. wikitech.php will revert to its standard commented-out state during the next deploy cycle.

When you connect to labweb1001 or labweb1002, don't forget that they are in the public VLAN so must be reached as, not labweb1001.eqiad.wmnet (but still via a bastion).

Test version

Wikitech has a test/staging version, the unfortunately named with DB name labtestwiki (note the DB names are labswiki vs. labtestwiki).