RFC discussion today: PHP microservice for containerized shell execution


Daniel Kinzler-3
Hi all!

This is a quick reminder that TechCom is hosting a meeting on IRC about the
following RFC:

"PHP microservice for containerized shell execution"
<https://phabricator.wikimedia.org/T260330>

You can join us at 21:00 UTC (23:00 CEST, 2pm PDT)
in the #wikimedia-office channel on freenode.

Problem
- For security, we need better isolation of external binaries from MediaWiki.
- If we run MediaWiki itself under Kubernetes, the resulting container should be
  as small as possible, so it should ideally exclude unnecessary binaries.
- It's difficult to deploy bleeding-edge versions of external binaries when they
  necessarily share an OS with MediaWiki.

Proposal
- Have a PHP microservice, accessible via HTTP, which takes POSTed inputs,
  writes them to the container's filesystem as temporary files, runs a shell
  command, and responds with gathered output files.

Tim has been working on this for a couple of weeks, and has been updating the
task in a steady monologue. Perhaps in the meeting today, we can get more eyes
on the nitty gritty of the proposal.

--
Daniel Kinzler
Principal Software Engineer, Core Platform
Wikimedia Foundation

_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l