You are browsing a read-only backup copy of Wikitech. The live site can be found at

Heterogeneous deployment/Train deploys: Difference between revisions

From Wikitech-static
Jump to navigation Jump to search
imported>Brennen Bearnes
(→‎Sync to cluster and verify on testwiki: udpate timings for initial scap sync)
(merged dash)
Line 52: Line 52:
** [[Wikimedia_binaries#logspam-watch|logspam-watch]]
** [[Wikimedia_binaries#logspam-watch|logspam-watch]]
** Logfiles in <code>/srv/mw-log</code>
** Logfiles in <code>/srv/mw-log</code>
* [ Logstash Fatal Monitor]
*[ Logstash MediaWiki Errors]
*[ Logstash MediaWiki Errors]
*Logstash "mediawiki-new-errors" dashboard (linked from logstash front page)
*Logstash "mediawiki-new-errors" dashboard (linked from logstash front page)

Revision as of 16:29, 20 March 2020

Bring new code in a fast, safe and efficient way!

Pairing on the Train

As of October 2019, there are two people assigned to each week's train: One as primary, and one as backup. These are rough guidelines for sharing the work, and should be improved as we learn more.

  • On Monday, communicate with your partner and establish how you'll collaborate over the course of the week.
    • Updates on IRC while your partner is working and updates on the train blocker ticket if they're offline seems to be a useful pattern.
    • Liberal use of video chat for pairing on hard problems is encouraged.
    • It seems to work well to have the primary do the work of cutting the branch, syncing wikis, etc., while the backup keeps an eye on logs, works on improvements to deploy tooling, and is generally an extra pair of eyes for the whole process.
    • If you are in doubt about any part of the process and it's during your partner's working hours, consult them first and get their help in resolving your questions.
  • If one member of the pair is in the European window and one is in the American window, both train deployment windows should be reserved on the Deployments calendar. This gives a backup deployer a defined window for moving the train forward outside the primary's working hours, if it becomes necessary.
  • If the train is blocked or there are any other issues, communicate the transfer of responsibility on the train blocker ticket by assigning it to the responsible party and leaving a note.


There will be times when this process does not go smoothly. There are guidelines for what do to when that happens.

In general, if there is an unexplained error that occurs within 1 hour of a train deployment — always roll back the train. Rolling back the train to eliminate it as the cause of unexplained breakage can be especially important if there are many ongoing possible causes for issues as this helps to eliminate one of those causes as the source of problems.


To rollback a wikiversion change, it should be pretty quick. Go ahead and rollback production before you send patches up to gerrit since waiting on Jenkins may take a while:

USERNAME@deploy1001:/srv/mediawiki-staging$ git revert $(git log -1 --format=%H -- wikiversions.json)
USERNAME@deploy1001:/srv/mediawiki-staging$ scap sync-wikiversions 'Revert "group[0|1] wikis to [VERSION]"'
USERNAME@deploy1001:/srv/mediawiki-staging$ # Now that you've synced the revert, push patches up to gerrit, you have to run git commit --amend to get the changeid
USERNAME@deploy1001:/srv/mediawiki-staging$ git commit --amend
USERNAME@deploy1001:/srv/mediawiki-staging$ git push origin HEAD:refs/for/master/[VERSION]%l=Code-Review+2


USERNAME@deploy1001:/srv/mediawiki-staging$ git push origin HEAD:refs/for/master/1.34.0-wmf.0%l=Code-Review+2
  • Wait for the patch to merge and the fetch back down to the deployment server

Places to Watch for Breakage

Train deployers should check for breakage as they are rolling out train as they are effectively the first line of defense for train deploys. Some of the places to watch for breakage:

If the train is blocked

  • A task will be assigned to you, for example T191059 (1.32.0-wmf.13 deployment blockers)
  • Any open subtasks block the train from moving forward. This means no further deployments until the blockers are resolved.


If there are blocking tasks, please do the following:

  • Make sure all tasks blocking train are set to UBN! priority in phabricator
  • Comment on the task asking for an ETA or if this can be solved by reverting a recent commit.
  • Send e-mail to:
    • Subject: [Train] {version} status update
    • Body
      The {version} version of MediaWiki is blocked[0].
      The new version is deployed to {group(s){0,1,2}}[1], but can proceed no
      further until these issues are resolved:
      * {Phab task name} - {phab task link}
      Once these issues are resolved train can resume. If these issues are
      resolved on a Friday the train will resume Monday.
      Thank you for your help resolving these issues!
      -- Your humble train toiler
      [0]. <{link to phab task for train}>
      [1]. <>
  • Add relevant people (see Developers/Maintainers) to the blocking task
  • Ping relevant people in IRC
  • Once train is unblocked be sure to thank the folks who helped unblock it

Monday: Sync up with your deployment partner

See the train pairing section above.

Tuesday: New branch creation and deploy

The new branch can be created in Gerrit from anywhere.

Before the deploy window

Depending on how practiced you are and where you choose to run commands (full clones of mediawiki-core from outside the cluster can take a while) the steps will typically take 45 to 90 minutes.


The script to cut a branch is run on your local machine (as of Jan 2020).

Local .netrc setup

Create a .netrc file in your home directory with the following content.

you@yourlaptop:~$ vim .netrc
machine login [USERNAME] password [PASSWORD]

Username and password can obtained from Gerrit:

  • In the new UI go to HTTP Credentials, copy Username and click Generate new password to generate new password.
  • In the old UI, go to HTTP Password, copy Username and click Generate Password to generate new password.

Make sure .netrc file is only readable by you.

you@yourlaptop:~$ chmod go-rwx .netrc

Clone or update mediawiki/tools/release.

USERNAME@yourlaptop:~$ git clone

To run you need to have the pygerrit2 library installed for Python3. In Debian 10 (buster), the python3-pygerrit2 package works.

Create the new branch in Gerrit

you@yourlaptop:~/release/make-release/ $ ./ --core --core-bundle wmf_core --bundle wmf_branch --branchpoint HEAD --core-version [VERSION] [WMF BRANCH]
you@yourlaptop:~/release/make-release/ $ ./ --core --core-bundle wmf_core --bundle wmf_branch --branchpoint HEAD --core-version 1.34.0-wmf.0 wmf/1.34.0-wmf.0

In #wikimedia-operations connect, drop a quick log note that you've kicked off the branch process so that others know it's underway, e.g.:

!log 1.35.0-wmf.14 was branched at fb16374c5bdb9d14729f358fb81638fc91640b4f for T233862

The script will create a release patch, like this one, under your gerrit account. You must C+2 this, and wait for it to merge, to proceed.

tmux or screen

Now that the branch has been cut on your local machine, the remainder of the work will be done on the deployment host: deploy1001.eqiad.wmnet

Some scripts run for 10-60 minutes so consider using tmux or screen.

If you prefer tmux:

USERNAME@deploy1001:~$ tmux new -s train
USERNAME@deploy1001:~$ exit

If you need to leave in the middle you can do ctrl-b d to detach and tmux a -t train to attach.

If you prefer screen:

USERNAME@deploy1001:~$ screen -D -RR train
USERNAME@deploy1001:~$ exit

If you need to leave in the middle you can do ctrl-a d to detach and screen -r train to attach.

In either the tmux or the screen session, you'll want to start an ssh-agent and load your local key there:

USERNAME@deploy1001:~$ eval $(ssh-agent)
USERNAME@deploy1001:~$ ssh-add .ssh/id_ed25519

Clone new branch

This command will create a new /srv/mediawiki-staging/php-[VERSION] directory:

USERNAME@deploy1001:/srv/mediawiki-staging$ scap prep [VERSION]


USERNAME@deploy1001:/srv/mediawiki-staging$ scap prep 1.34.0-wmf.0

This should only take a couple of minutes.

Apply security patches

  • Patches should be named sequentially in the order that they will cleanly apply (e.g. 01-T[NUMBER].patch, 02-T[NUMBER].patch)
  • Check and apply each patch in both /srv/patches/[VERSION]/core and /srv/patches/[VERSION]/extensions/[NAME] to the new core checkout and extensions, respectively.

Check existing patches:

USERNAME@deploy1001:~$ tree /srv/patches/[VERSION]
├── core
│   ├── 01-T[NUMBER].patch
│   └── 02-T[NUMBER].patch
└── extensions
    └── [EXTENSION]
        ├── 01-T[NUMBER].patch
        └── 02-T[NUMBER].patch
  • You can check a core patch to see if it will apply cleanly with
USERNAME@deploy1001:/srv/mediawiki-staging/php-[VERSION]$ git apply --check --3way /srv/patches/[VERSION]/core/[NUMBER]-T[NUMBER].patch
  • If the patch checks out, apply and commit it with
USERNAME@deploy1001:/srv/mediawiki-staging/php-[VERSION]$ git am --3way /srv/patches/[VERSION]/core/[NUMBER]-T[NUMBER].patch
  • For an extension:
USERNAME@deploy1001:/srv/mediawiki-staging/php-[VERSION]/extensions/[EXTENSION]$ git apply --check --3way /srv/patches/[VERSION]/extensions/[EXTENSION]/[NUMBER]-T[NUMBER].patch

USERNAME@deploy1001:/srv/mediawiki-staging/php-[VERSION]/extensions/[EXTENSION]$ git am --3way /srv/patches/[VERSION]/extensions/[EXTENSION]/[NUMBER]-T[NUMBER].patch
  • If the patch fails to apply, investigate whether it's due to a conflict (git status) or the patch having been merged since the new branch cut (search git log for the commit, etc.). If it turns out to be the latter, remove the patch file from the /srv/patches/[VERSION] directory.
  • If you need extra help, contact Security Team (Wikimedia Foundation, MediaWiki, Office Wiki), currently Brian (bawolff) and Sam (Reedy) in IRC.

Create patches to update wikiversions.json

Create group0 to [VERSION] patch:

USERNAME@deploy1001:/srv/mediawiki-staging/$ scap update-wikiversions group0 [VERSION]
USERNAME@deploy1001:/srv/mediawiki-staging/$ git add wikiversions.json
USERNAME@deploy1001:/srv/mediawiki-staging/$ git commit -m "Group0 to [VERSION]"


USERNAME@deploy1001:/srv/mediawiki-staging/$ scap update-wikiversions group0 1.34.0-wmf.0
USERNAME@deploy1001:/srv/mediawiki-staging/$ git add wikiversions.json
USERNAME@deploy1001:/srv/mediawiki-staging/$ git commit -m "Group0 to 1.34.0-wmf.0"

Send staged patches to Gerrit for review

USERNAME@deploy1001:/srv/mediawiki-staging/$ git push origin HEAD:refs/for/master/[VERSION]


USERNAME@deploy1001:/srv/mediawiki-staging/$ git push origin HEAD:refs/for/master/1.34.0-wmf.0

Discard changes to working directory and index

USERNAME@deploy1001:/srv/mediawiki-staging/$ git reset --hard origin/master

Clean up old stuff

mw:MediaWiki 1.34/Roadmap is a good place to find when a branch was created.

List all branches:

USERNAME@deploy1001:/srv/mediawiki-staging/$ find . -maxdepth 1 -type d -name 'php-*' -print

Find old branches, more than 7 days old:

USERNAME@deploy1001:/srv/mediawiki-staging/$ find . -mindepth 2 -maxdepth 2 -type f -path './php-*/README' -ctime +7 -exec dirname {} \;

For all branches more than 7 days old, drop everything with:

USERNAME@deploy1001:/srv/mediawiki-staging/$ scap clean --delete [some old version from find -ctime +7 output above]


USERNAME@deploy1001:/srv/mediawiki-staging/$ scap clean --delete 1.34.0-wmf.0

Active branches are visible at Wikimedia MediaWiki versions page.

Deleting a branch is a full sync of that directory, and can take 10-15 minutes each.

Sync to cluster and verify on testwiki

  • Edit /srv/mediawiki-staging/wikiversions.json and set testwiki to php-[VERSION]
  • Do not commit and push to Gerrit, only make this change locally on the deployment server
USERNAME@deploy1001:/srv/mediawiki-staging/$ vim wikiversions.json
USERNAME@deploy1001:/srv/mediawiki-staging$ git diff
-    "testwiki": "php-[VERSION-1]",
+    "testwiki": "php-[VERSION]",
  • Run scap to (re)build localization caches and sync changes across the cluster.
  • 🐌 Note: this step may take on the order of 70-80 minutes.
USERNAME@deploy1001:/srv/mediawiki-staging/$ scap sync "testwiki to php-[VERSION] and rebuild l10n cache"


USERNAME@deploy1001:/srv/mediawiki-staging/$ scap sync "testwiki to php-1.34.0-wmf.0 and rebuild l10n cache"

This can take well over an hour. Opening or reloading the version page on testwiki after the scap sync command can take a minute or two.

  • Revert local changes
USERNAME@deploy1001:/srv/mediawiki-staging/$ git checkout -- wikiversions.json

Update deploy notes

  • Deploy notes are automatically generated by the Train Deploy Notes Jenkins job after you cut the branch
  • Be sure to check that the appropriate Changelog was created at[VERSION]/Changelog. Example: MediaWiki 1.34/wmf.4/Changelog

Wait for deploy window

All of the changes above can be done at any time prior to the actual deployment window.

During the deploy window

Switch group0 wikis to [VERSION]

  • CR+2 group0 to [VERSION] patch in Gerrit that you submitted earlier
  • Wait for Gerrit/Zuul/Jenkins to merge the patch(es)
  • Pull patch(es) to deployment server
USERNAME@deploy1001:/srv/mediawiki-staging$ git fetch
  • Check diff to ensure it is what you expect (this should show a bunch of version changes in wikiversions.json for group0 wikis)
USERNAME@deploy1001:/srv/mediawiki-staging$ git diff HEAD..origin/master
  • Apply changes
USERNAME@deploy1001:/srv/mediawiki-staging$ git rebase origin/master
  • Sync the change across the cluster
USERNAME@deploy1001:/srv/mediawiki-staging$ scap sync-wikiversions "group0 to [VERSION]"


USERNAME@deploy1001:/srv/mediawiki-staging$ scap sync-wikiversions "group0 to 1.34.0-wmf.0"

Update roadmap

  • Change the Deployed to group (if you're using VisualEditor) or the 3rd parameter of the WMFReleaseTableRow template (if you're using the wikitext editor) to 0 (deployed to group0) at mw:MediaWiki 1.35/Roadmap.

For wikitext editor, change






Terminate ssh-agents

Terminate the ssh-agent you started earlier so it doesn't linger on after you log out:

pgrep -u "$USER" -laf ssh-agent # list all of your ssh-agent processes
pkill -u "$USER" -f ssh-agent   # kill all your ssh-agent processes
pgrep -u "$USER" -laf ssh-agent # did they all die?

Every other day of the train you need to start a new ssh-agent and kill it later.

Wednesday: group0 to group1 deploy

Switch group1 wikis to [VERSION]

Use the release/bin/deploy-promote script to update wikiversions.json

USERNAME@deploy1001:~$ ./release/bin/deploy-promote
Promote group1 from [PREVIOUS-VERSION] to [VERSION] [y/N]

The script automatically Code-Review +2 the patch in Gerrit. Once CI has merged the patch, hit enter at the 2nd prompt.

Now wait for jenkins to merge the patch, then press enter to continue with git pull && scap sync-wikiversions

After the script run is complete, group1 wikis should be running [VERSION].

The above should take about five minutes, including the waiting time for Gerrit/CI.

Update roadmap

  • Change the Deployed to group (if you're using VisualEditor) or the 3rd parameter of the WMFReleaseTableRow template (if you're using the wikitext editor) to 1 (deployed to group1) at mw:MediaWiki 1.35/Roadmap.

For wikitext editor, change






Thursday: group{0,1} to all deploy

Switch all wikis to [VERSION]

Thursday deploy is very similar to the Wednesday deploy, the only difference in terms of procedure is the target group

Use the release/bin/deploy-promote all script to update wikiversions.json

USERNAME@deploy1001:~$ ./release/bin/deploy-promote all
Promote all from [PREVIOUS-VERSION] to [VERSION] [y/N]

The script automatically Code-Review +2 the patch in Gerrit. Once CI has merged the patch, hit enter at the 2nd prompt.

Now wait for jenkins to merge the patch, then press enter to continue with git pull && scap sync-wikiversions

After the script run is complete, all wikis should be running [VERSION].

Update roadmap

  • Change the Deployed to group (if you're using VisualEditor) or the 3rd parameter of the WMFReleaseTableRow template (if you're using the wikitext editor) to 2 (deployed to all wikis) at mw:MediaWiki 1.35/Roadmap.

For wikitext editor, change






Incident documentation