You are browsing a read-only backup copy of Wikitech. The primary site can be found at


From Wikitech-static
Jump to navigation Jump to search
Shellbox safely sandboxes unsafe command execution.

Shellbox is a library for remote command execution, and a server for secure command execution. It was primarily implemented to sandbox lilypond (used by the Score extension) and provide a way for MediaWiki to utilize external binaries without needing them to be in the same container. Shellbox relies on Kubernetes (and Linux containers/namespaces) to provide isolation and resource limits for external commands.

Documentation for integration in MediaWiki is available at mw:Shellbox, operational aspects are here on Wikitech.


Architecture overview of Shellbox

Requests come into an Apache httpd container, which contains the Shellbox secret key as a configmap. The request is passed onto a php-fpm container, which contains the Shellbox code and necessary binaries. Once the request is authenticated, Shellbox executes the command as the www-data user. The response is then sent back. Yeah.

MediaWiki talks to Shellbox over a local envoyproxy.


We currently have five Shellboxes in active use:


Shellbox provides a /healthz endpoint that can be used to quickly check if the service is up, e.g.:

user@host$ curl https://shellbox.discovery.wmnet:4008/healthz
    "__": "Shellbox running",
    "pid": 10782

All other requests are harder to externally construct since they need to be signed with the Shellbox secret key.

Bugs should be reported/tracked in #Shellbox on Phabricator.


All logs from httpd and php-fpm should end up in logstash. You can filter for a specific Shellbox deployment with kubernetes.namespace_name:"shellbox-constraints". The actual log text is under the field log (not message like MediaWiki).

All Shellbox invocations should still be logged under MediaWiki's exec log channel too.

Source code