Wikitech

From Wikitech
Jump to navigation Jump to search

You are probably reading Wikitech right now.

What/Where

Wikitech runs on the eqiad hosts labweb1001 and labweb1002. Its database name (wiki ID) is labswiki. The MediaWiki install is updated automatically as part of standard WMF deployment. Nevertheless, it is not a vanilla wiki, nor a typical WMF wiki, in several ways:

  • Auth on wikitech uses LDAP accounts ("developer accounts")
  • A successful login on wikitech requires a token from Openstack Keystone in the CloudVPS cluster (currently Keystone runs on virt1000). (Warning: this info may be outdated)
  • Wikitech runs the latest version of OpenStackManager for control of CloudVPS (although most control functionality has moved to Horizon by now).
  • Some of the normal deployment process (especially using mwdebug hosts) does not apply to Wikitech.

There are some MediaWiki config settings that are entirely exclusive to wikitech. These are set in a separate .php config file, wikitech.php.

Some authentication-related wikitech actions affect other developer services:

  • The password change UI affects LDAP passwords
  • 2FA set up here is used by Horizon and Striker
  • Various tools (most notably Striker) refuse to work without OAuth access to wikitech
  • (Infinite, non-partial) wikitech blocks also lock the user out from LDAP (probably? someone more in the know should confirm that)

Troubleshooting

In addition to normal ways to break (that any server or mw install is subject to), wikitech has a few additional failure cases due to relying on ldap and keystone. If login is failing, turn on the ldap+auth log by uncommenting some lines in /srv/mediawiki/wmf-config/wikitech.php:

 #$wgPasswordReminderResendTime = 0;
 #$wgPasswordAttemptThrottle = false;
 #$wgShowExceptionDetails = true;
 $wgLDAPDebug = 5;
 $wgDebugLogGroups["ldap"] = "/tmp/ldap-s-1-debug.log";

With that change, /tmp/ldap-s-1-debug.log will fill up with useful info, and you should be able to determine if ldap is breaking, or Keystone, or something else. wikitech.php will revert to its standard commented-out state during the next deploy cycle.

When you connect to labweb1001 or labweb1002, don't forget that they are in the public VLAN so must be reached as labweb1001.wikimedia.org, not labweb1001.eqiad.wmnet (but still via a bastion).

Wikitech has a test/staging version, the unfortunately named labtestwikitech.wikimedia.org with DB name labtestwiki (note the DB names are labswiki vs. labtestwiki).