Hi all!
This is a quick reminder that TechCom is hosting a meeting on IRC about the
following RFC:
"PHP microservice for containerized shell execution"
<https://phabricator.wikimedia.org/T260330>
You can join us at 21:00 UTC (23:00 CEST, 2pm PDT)
in the #wikimedia-office channel on freenode.
Problem
- For security, we need better isolation of external binaries from MediaWiki.
- If we run MediaWiki itself under Kubernetes, the resulting container should be
as small as possible, so it should ideally exclude unnecessary binaries.
- It's difficult to deploy bleeding-edge versions of external binaries when they
necessarily share an OS with MediaWiki.
Proposal
- Have a PHP microservice, accessible via HTTP, which takes POSTed inputs,
writes them to the container's filesystem as temporary files, runs a shell
command, and responds with gathered output files.
Tim has been working on this for a couple of weeks, and has been updating the
task in a steady monologue. Perhaps in the meeting today, we can get more eyes
on the nitty-gritty of the proposal.
--
Daniel Kinzler
Principal Software Engineer, Core Platform
Wikimedia Foundation