You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org
MediaWiki On Kubernetes
MediaWiki-on-Kubernetes (or mw-on-k8s for short) is an initiative to transition the MediaWiki at WMF deployment from dedicated Application servers to Kubernetes. This page contains information what is changing as part of this transition.
What traffic is currently served by MediaWiki on k8s
As of today, the following sites are fully served by MediaWiki on k8s:
- test2.wikipedia.org
- test.wikidata.org
Server groups
MediaWiki on Kubernetes is deployed to both the main Eqiad and Codfw datacenters, in the wikikube kubernetes clusters. While the situation is in constant evolution, we currently have the following server groups:
mw-debugFor external requests with X-Wikimedia-Debug, like the old mwdebug VMs. Accessible using thek8s-experimentaloption of the WikimediaDebug browser extension.mw-webFor external requests from web browsers (via the CDN).mw-api-extFor external requests to the API (via the CDN).mw-api-intFor internal requests to the API (from other services).mw-jobrunnerFor internal requests from the JobQueue runners (except videoscaling jobs).
What is in a MediaWiki pod
Each MediaWiki pod in Kubernetes contains 8 containers:
mediawiki-main-tls-proxy- running Envoy, as service mesh and TLS terminator.mediawiki-main-httpd- running the Apache httpd daemon.mediawiki-main-app- running the PHP daemon.mediawiki-main-mcrouter- running mcrouter.mediawiki-main-rsyslog- running rsyslog, to collect MediaWiki logs (for Logstash) and Apache access logs.mediawiki-main-{php-fpm,mcrouter,httpd}-exporter- the Prometheus exporters for PHP, mcrouter and Apache httpd.
How to manage changes to the infrastructure
Given we're in a transition phase between the old puppet-managed systems and MediaWiki running on Kubernetes, we tried to keep things shared as much as possible. This means that deploying Puppet changes for app servers influences future mw-on-k8s deploys. However, Puppet merely prepares the host where the Kubernetes images are built, it doesn't perform a Kubernetes deployment. Applying infra-level changes to Kubernetes services and doing a code deployment are exactly the same procedure, but we need additional care when merging infrastructure changes.
Things that propagate from Puppet to MediaWiki-on-Kubernetes include:
- The list of logging brokers, and the udp2log host.
- The list of service proxy endpoints to offer, and the list of all available too (out of service::catalog).
- The list of MediaWiki sites and Apache configuration parameters (e.g. which domain names for Apache vhosts), but not the Apache config template itself!
- The list of memcached servers.
- The GeoIP and GeoIPInfo data
So, whenever you want to change any of the above things, you will need to:
- check what your change would modify on a
role::deployment_server::kuberneteshost - if it changes a file under/etc/helmfile-defaults/mediawikithen the following applies to your change - only merge the change during a "MediaWiki infrastructure" window routinely scheduled on Deployments calendar, or otherwise well outside of any MediaWiki code deployment window. This is done to allow both SREs and MW developers/deployers to monitor their deployments independently and avoid unexpected consequences.
- after the change is merged, ensure a puppet run happens on the MediaWiki deployment server, then proceed to re-deploy all MediaWiki service groups on Kubernetes.
How to deploy MediaWiki on Kubernetes
Manual deployment
scap sync-world --stop-before-sync rebuilds the image and updates the Helmfile release files, so you can call helmfile apply afterwards to manually update the releases
Automatic deployment
scap sync-world --k8s-only rebuilds the image and only triggers the deployment to mw-on-k8s, leaving the regular Apache targets untouched