Wikimedia Release Engineering Team/MediaWiki on Kubernetes/Meeting notes/2021-04-21

= 2021-04-21 =

Always

 * Core_Platform_Team/Initiatives/MediaWiki_on_Kubernetes
 * Wikimedia_Release_Engineering_Team/MediaWiki_on_Kubernetes
 * Workboard
 * IRC:

General

 * firejail
 * was used for sandboxing shellouts, which will now be done in shellbox
 * doesn't work in docker and no longer needed
 * possibly need to disable firejail in the configuration to avoid the warning from extensions
 * MW should auto-detect this, but wmf-config is hard-coded to use firejail atm. This will be disabled when shellbox is enabled, which could probably get rid of the warning.
 * concern that if firejail is present, the extension will not behave properly
 * Risks?
 * What to do about warnings/errors
 * we will ignore the warning for now and when shellbox is enabled it will go away?
 * it would be better to have some conditional in wmf-config to check if using a container and disable firejail
 * We need an image for mediawiki-webserver that's not restricted :)

RelEng

 * Designing a `scap backport` that would wrap legacy and m8s deployment
 * https://phabricator.wikimedia.org/T279322
 * Working on a dev environment

Serviceops

 * MediaWiki chart under review. It "works" :) https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/670220
 * would be better to move the webserver image to be non-restricted
 * this is difficult because of the way we configure usage of the restricted namespace
 * SRE and Releng will coordinate on a task to do this
 * Anyone want to add the db/memcache parts for a dev env? :P

TODOs for next time

 * Figure out how to publish mediawiki-webserver image to the public registry namespace while keeping the sensitive images in restricted