Wikimedia Labs/Tool Labs/Help

Access
The first step is to get an account on Wikitech, the general interface to all things Labs. On the account creation form is a field "Instance shell account name"; that will be your Unix username on all Labs project.

In order to access Labs servers by SSH, you also need to provide a public SSH key on the 'OpenStack' tab of your Wikitech preferences once you have an account.

Add help for Windows and other less experienced users here.

Getting access to the Tool Labs
Once you have a Labs account, you can request access to the tools project (you may look at the project page to see a list of current admins).

The tool labs has a public IP; once you have a tool labs account, you can connect by SSH to  (including for SFTP and WinSCP). You will need to use the shell account name you provided when creating your Wikitech account, and the private key matching the public key you supplied for authentication.

Tool account
The primary concept of the Tool Lab's organization is the tool account; at its core this is a unix uid-gid pair named  which is intended to run the actual tool. Maintainers may have more than one tool account, and tool accounts may have more than one maintainer.

Right now, you have to request a tool account from one of the project administrators; the plan is to make available an interface on wikitech where tool maintainers will be able to create them at need.

The unix group has as its members the tool account itself, as well as the user accounts of the maintainers of the tool. Every member of that group has the authorization to sudo to the tool account.

Along with the unix uid, the following resources are provided by default:
 * A home directory on shared storage:
 * A web URI mapped to its :
 * A mysql database for local use (the credentials to which are stored in )
 * Access to the continuous and task queues of the compute grid

maintainer@tools-login:~$ become toolname local-toolname@tools-login:~$
 * Hint: As a convenience, tool maintainers can switch to the tool account with:

Grid engine
Every non-trivial task performed by tools should be dispatched by the grid engine so that a suitable place to run them is found with sufficient resources. Gridengine is highly flexible system for assigning resources to jobs, including parallel processing.

You can find documentation on the website; you may wish to pay particular attention to the,   and   commands which are most important to users.

How
The basic principle of running jobs is fairly straightforward:
 * You submit a job to a work queue from a submission server (-login, -dev) and the web servers.;
 * The gridengine master finds a suitable execution host to run the job on, and starts it there once resources are available; then
 * As it runs, your job will send their output and errors to files until it completes or it is aborted.

You can submit jobs with, modify some of their settings while they are waiting or running with  , get information on your queued and running jobs with  , and abort or cancel them with. Those commands are very flexible, but a little complex at first – you might prefer to use the simplified alternatives below.

There are a few caveats to keep in mind when submitting a job:
 * You do not normally control which execution host will eventually run it, and should therefore only access directories that are shared between all hosts (specifically,  and  )
 * Your job's memory usage has a hard limit it cannot grow beyond. By default, that is 256MB but you can request more (or less) with  's   or  's   options. Bear in mind that jobs that request more memory may be penalized in priority and may have to wait longer before being run until sufficient resources are available.

Simple utilities
For most tasks, helper scripts are provided to abstract away some of the complexities of using the grid engine. Almost all use scenarios are covered with reasonable defaults by the  script:


 * Options include many (but not all) qsub options, along with:
 * : Send errors that occur during the submission to stderr rather than the error output file (the errors while runnning the script always go do the error file).
 * : Request amount of memory for the job. (Where value is number suffixed by 'k', 'm' or 'g')
 * : Only start one job with the name of this one (see below), fail if another is already started or queued.
 * : Start a self-restarting job on the continuous queue (default if invoked as jstart). Please see the section on continuous jobs below.
 * Some of the more useful  supported are:
 * ,, and  : Selects the file used for standard input, output and error of the job, respectively.  By default,   will append stdout and stderr to the files   and   in the tool account's home directory, and will not have standard input.
 * : send standard output and error together to the output file
 * : Normally,  queues up the job and returns immediately.  This allows you to wait for the job to be complete instead.
 * : Start the script in the same directory you invoked  from.
 * : Pick a different job name (see below).

By default, jobs are allowed 256MB of memory; you can request more (or less) with the  option but keep in mind that a job that requests more resources may be penalized in its priority and may have to wait longer before being run.

Job names
By default, jobs have the same name as the program, minus extensions. (For instance, if you had a program named  which you started with , the job's name would be foobot). You can pick a different name for the job when starting it (with the  option of   and  ); this name identifies the jobs on statuses, but can also be used to control it.

It's important to note that you can have more than one job, running or queued, bearing the same name. Some of the utilities that accept a job name may not behave as expected in those cases.

Simple, one-off job
The simplest scenario is when you want to run a job on demand that has a finite duration (at interval from cron, for instance, or from a web tool or the command line).

$ jsub program-or-script

Will schedule the job to be run as soon as possible, and put eventual output from the job to files in your home; this is done asynchronously in the background. If you need to wait until the job has completed (for instance, to do further processing on its output), you can add the  option to the   command.

If you need to make certain that the job isn't running multiple times (such as when you invoke it from a crontab), you can add the  option. If the job was already running or queued, it will simply mark the failed attempt in the error file and return immediately.

Continuous tasks (such as bots)
Continuous tasks have a dedicated queue, continuous, which has a slightly different setup:
 * Jobs started on that queue are automatically restarted if they, or the node they run on, crash
 * In case of outage or lack of resources, they will be stopped and restarted automatically on a working node
 * only tool accounts can start continuous jobs

The queue will not restart jobs that exited normally (i.e., were not killed) unless they are wrapped in a script to do so; starting a job with the  option of   does so automatically until they exit normally with an exit value of zero, indicating completion.

One would normally start continuous jobs with the  option as well so that they can be managed reliably with   and   utilities.

For convenience, there is an utility to start a continuous bot with reasonable default options: (which is equivalent to  and accepts the same options.  This would start the script program in continuous mode if it is not already running, making certain that it is kept running.


 * Job status:You can see the status of all your running and pending jobs with the  command.  If you know that your job can only have on instance runnning (such as when you use the   option when starting it) you can also use the   command to get its job id (or a more verbose status with  ).  The latter is particularly useful from scripts or web services.

For instance: local-xbot@tools-login:~$ qstat job-ID prior   name       user         state submit/start at     queue                          slots ja-task-ID -    120 0.50000 xbot       local-xbot   r     04/01/2013 21:00:00 continuous@tools-exec-01.pmtpa     1

Reports that you have one job, with id 120 and name xbot that is currently running ( in the state column). You could also have used :

local-xbot@tools-login:~$ job xbot 120 local-xbot@tools-login:~$ job -v xbot Job 'xbot' has been running since 2013-04-01T21:00:00 as id 120


 * Stopping a running job:To stop a running job (or prevent it from being run if it had not already started), you can use the  command.  The job number was output when the job was started, or you can get it from the   command. If you started the job with the   command, or you know there is only one job with the same name, then you can use the   utility command.

Web services
Every tool account has a web interface made available (though, in cases of bots with no web interactivity, you may simply wish to have a static page that describes the tool, or a simple status report). Users do not and can not have a web directory in /home.

Published directories
Each tool account has two corresponding URI that are automatically made available from two directories in its home:
 * http://tools.wmflabs.org/toolname/ :which maps to the tool's
 * http://tools.wmflabs.org/toolname/cgi-bin :which maps to the tool's

The latter directory will attempt to run the files it contains as CGI scripts rather than display them. In addition, files in either directory that end with the  or   extensions will be run as PHP CGI scripts.

All CGI scripts must be marked executable, and are run with the permissions of the user account that owns the script. In almost all cases, you want to make certain that they are owned by the tool account.

The web server allows overrides of  from.

Cookies
Since all tools in the Labs reside under the same domain, you should prefix the name of any cookie you set with your tool's name. In addition, you should be aware that cookies you set may be read by every other web tool your user visits.

Accordingly, you should avoid storing privacy-related or security information in cookies. A simple workaround is to store session information in a database, and use the cookie as an opaque key to that information. Additionally, you can explicitly set a path in a cookie to limit its applicability to your tool; most clients should obey the Path directive properly.

Logs
The access logs for your tool's web interface are placed in the tool account's, in common format. Please note that the web logs are anonymized such that the user's IP address appears to be that of the local host. In general, the privacy policy will not allow logging of personally identifiable information by tool maintainers (including IP addresses); special permission from Foundation legal counsel would be required to get that information.

Error logs, because of limitations of the Apache web server, are not made directly available to tool maintainers. There is a workaround in place for PHP, which allows per-user logging (PHP error logs are placed in the tools account's ), but until a newer version of Apache can be deployed it is recommended that you use your language's facilities to log errors to a file under the tool account's home.

In particular, however, this means that if you have a CGI which is unable to start you will not be able to see the error preventing it without help from a tool labs admin. There are a few common errors you can check against which cover most cases:
 * The CGI's file is not owned by the tool account
 * The CGI's file does not have its execute bits set
 * (You can use the  command to set the script as executable)
 * The CGI is a script and does not start with a Unix "shebang" invocation, or it points to the wrong path:
 * A unix "shebang" is the first line of a script that specifies the program meant to execute that script. It has the form
 * Where the path is, for instance,  for perl scripts.  You can check the path to a language interpreter by using the   command:
 * would output the path to the python interpreter.
 * would output the path to the python interpreter.
 * would output the path to the python interpreter.

Database access
Every tool account automatically gets a database for general usage on the project itself. The information and credentials to that database are put automatically in the account's  on creation. Full control over that database is granted to the tool account (with grant option).

Normally, tools do not have access to create new databases dynamically; please consult with a project admin if you require that functionality.

(Soon) Tool accounts are also granted to the production database replicas, and may create and manage databases there at need. Because of technical limitations, actual revision text is not available on the replicas (but can be fetched at fairly high efficiency with the API).