
Wikina/Technical documentation

Da Wikimedia Italia.
Revision as of 28 Jan 2023, 16:18 by Valerio Bozzolan (Talk | contribs) (→Recovery: +info)
Page related to server ⚙️ intreccio

Thank you for contributing to this page, collecting public info about the website called wikina, served at https://wiki.wikimedia.it/ and running MediaWiki.

Server

The website is served by server ⚙️ intreccio.

Webserver

The frontend webserver is Apache HTTP. Its configuration is published here:

  • port 443: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/main/servers/intreccio/conf/apache2/sites-available/it-wikimedia-wiki-ssl.conf
  • port 80: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/main/servers/intreccio/conf/apache2/sites-available/it-wikimedia-wiki-txt.conf
  • main: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/main/servers/intreccio/conf/apache2/include/it-wikimedia-wiki-main.conf

In short, Apache HTTPd serves static files as-is.

Dynamic (PHP) requests are proxied to the underlying #PHP FPM backend.

PHP FPM

PHP FPM (FastCGI Process Manager) is a dedicated process manager that executes PHP files on behalf of the webserver.

The PHP FPM configuration is split into pools. The relevant pool is:

/etc/php/7.3/fpm/pool.d/wikina.conf

TODO: publish this configuration file on git.

The backend PHP FPM does not listen on a TCP port but on a filesystem (Unix domain) socket, located here:

/run/php/php7.3-fpm-wikina.sock

The Apache user is the only one allowed to connect to that socket.

Filesystem

This is a filesystem overview:

root@intreccio:/var/www/wikina# ls -la
total 72
drwxr-x--- 11 wmit-wikina wmit-wikina  4096 gen 26 20:54 .
drwxr-xr-x 21 root        root         4096 gen  9 11:37 ..
drwxrwx---  2 wmit-wikina wmit-wikina 20480 gen  9 13:38 cache
drwxr-x---  2 wmit-wikina wmit-wikina  4096 gen  9 13:43 debug
drwxr-xr-x 31 root        root         4096 gen  9 13:28 extensions
drwxr-xr-x  2 root        root         4096 nov 28 19:44 fonts
drwxr-xr-x 24 wmit-wikina wmit-wikina  4096 gen  9 11:37 images
lrwxrwxrwx  1 root        root           83 dic 19 08:32 LocalSettings-public.php -> /etc/wmit-infrastructure/servers/intreccio/projects/wikina/LocalSettings-public.php
-rw-r-----  1 root        wmit-wikina   675 set  3 23:51 LocalSettings-secret.php
drwxr-xr-x 14 root        root         4096 gen  9 13:38 mediawiki-1.35.6
drwxr-xr-x 14 root        root         4096 lug 23  2022 mediawiki-1.35.7
lrwxrwxrwx  1 root        root           67 dic 19 08:32 scripts -> /etc/wmit-infrastructure/servers/intreccio/projects/wikina/scripts/
drwxrwx---  2 wmit-wikina wmit-wikina  4096 gen 27 07:17 tmp
lrwxrwxrwx  1 root        root           16 giu 15  2022 www -> mediawiki-1.35.6

Pathnames that MUST NOT be writable by anyone (other than root) and MUST be readable by the application (the paths below follow the `ls -la` listing above, where these entries sit directly under /var/www/wikina):

# chown root:wmit-wikina
# chmod o=
/var/www/wikina/LocalSettings-secret.php

Pathnames that MUST be private to others and MUST be readable and writable by the application:

# chown wmit-wikina:
# chmod o=
/var/www/wikina/tmp
/var/www/wikina/cache
/var/www/wikina/debug

Pathnames that MUST be read-only for the application and SHOULD be kept public (since they do not contain any secret):

# chown root:
/var/www/wikina/extensions
/var/www/wikina/fonts
/var/www/wikina/LocalSettings-public.php
/var/www/wikina/www
/var/www/wikina/mediawiki-*/
/var/www/wikina/scripts

Pathnames that MUST be writable by the application and SHOULD be public (since they do not contain any secret):

# chown wmit-wikina:
/var/www/wikina/images
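The four ownership/permission rules above can be audited mechanically. The following script is an added example, not part of the wiki page nor of the wmit-infrastructure repository: it checks each documented path against its rule and reports violations without changing anything. It assumes GNU coreutils `stat` (Linux), the application user/group `wmit-wikina` and the wiki root `/var/www/wikina` as stated on this page; all three, plus the expected owner of read-only paths, can be overridden through environment variables so the same checks run on a test tree.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a read-only audit of the
# ownership and permission policy listed above for /var/www/wikina.
# Assumptions: GNU coreutils `stat` (Linux); the application user/group
# is wmit-wikina and the wiki root is /var/www/wikina, as the page says.
# All of them can be overridden through the environment for other hosts.

WIKI_ROOT="${WIKI_ROOT:-/var/www/wikina}"
APP_USER="${APP_USER:-wmit-wikina}"
APP_GROUP="${APP_GROUP:-$APP_USER}"
ROOT_USER="${ROOT_USER:-root}"

# Return 0 when "others" have no permission bit set (the `chmod o=` rule).
others_have_no_access() {
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 when neither group nor others hold the write bit, i.e. only the
# owner can modify the path (root-owned paths are then read-only for the app).
group_and_others_cannot_write() {
    mode=$(stat -c '%a' "$1")
    o=${mode#"${mode%?}"}          # last octal digit: others
    rest=${mode%?}
    g=${rest#"${rest%?}"}          # second-to-last digit: group
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# owned_by PATH USER [GROUP]: return 0 when owner (and group, if given) match.
# Without -L, stat reports the symlink itself, which is what `chown` sets here.
owned_by() {
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    [ -z "${3:-}" ] || [ "$(stat -c '%G' "$1")" = "$3" ]
}

# check_path PATH RULE OWNER [GROUP]: RULE is one of the four policies above.
#   secret      readable by the app, writable only by the owner, others nothing
#   private-rw  owned by the app, others nothing
#   public-ro   owned by root, not writable by group/others
#   public-rw   owned by the app, may stay world-readable
# Prints one report line; returns 0 (matches) or 1 (violation or missing path).
check_path() {
    path=$1 rule=$2 owner=$3 group=${4:-}
    case "$rule" in secret|private-rw|public-ro|public-rw) ;; *) echo "unknown rule: $rule" >&2; return 2 ;; esac
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo "MISSING $rule $path"
        return 1
    fi
    ok=0
    owned_by "$path" "$owner" "$group" || ok=1
    if [ ! -L "$path" ]; then       # a symlink's own mode bits are irrelevant
        case "$rule" in
            secret)     others_have_no_access "$path" && group_and_others_cannot_write "$path" || ok=1 ;;
            private-rw) others_have_no_access "$path" || ok=1 ;;
            public-ro)  group_and_others_cannot_write "$path" || ok=1 ;;
        esac
    fi
    [ "$ok" -eq 0 ] && verdict=OK || verdict=FAIL
    echo "$verdict $rule $(stat -c '%a %U:%G' "$path") $path"
    return "$ok"
}

# Walk the documented paths and return the number of violations (0 = clean).
audit_wikina() {
    r=$WIKI_ROOT n=0
    check_path "$r/LocalSettings-secret.php" secret "$ROOT_USER" "$APP_GROUP" || n=$((n + 1))
    for p in tmp cache debug; do
        check_path "$r/$p" private-rw "$APP_USER" || n=$((n + 1))
    done
    for p in "$r"/extensions "$r"/fonts "$r"/LocalSettings-public.php "$r"/www "$r"/scripts "$r"/mediawiki-*; do
        check_path "$p" public-ro "$ROOT_USER" || n=$((n + 1))
    done
    check_path "$r/images" public-rw "$APP_USER" || n=$((n + 1))
    return "$n"
}

# Usage on the server (as root): sh audit-wikina-perms.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_wikina
    exit $?
fi
```

Run it as root on the server with `--audit`; a non-zero exit status is the number of paths that drifted from the policy, which makes it usable as a cron or CI check after every deployment or upgrade (note that the `mediawiki-*` glob covers new release directories automatically).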

Unix

There is a dedicated Unix user and group called wmit-wikina:wmit-wikina.

Some #Filesystem paths are assigned to that user.

The #Systemd unit is executed by that user.

Non-writable files are assigned to the user root:root, as a security hardening measure.

MediaWiki

MediaWiki configuration

The MediaWiki configuration is published here:

https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/main/servers/intreccio/projects/wikina/LocalSettings-public.php

The public configuration is here on the filesystem:

/var/www/wikina/LocalSettings-public.php

The secret configuration lives only on the server itself and contains just the database password, the email credentials and the upgrade key, nothing else.

The secret configuration is here on the filesystem:

nano /var/www/wikina/LocalSettings-secret.php

Systemd unit

There is a systemd unit that executes the MediaWiki background jobs. The unit file:

https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/main/servers/intreccio/projects/wikina/systemd/wikina-jobs.service

The script it runs:

https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/main/servers/intreccio/projects/wikina/scripts/run-jobs.sh

Extensions

Extensions are deployed here:

/var/www/wikina/extensions

Then they can be activated from the #MediaWiki configuration.

Database

The database is a local, standard MariaDB installation.

Database name:

wikina

There is a dedicated database user with its own credentials. They are stored only in the secret #MediaWiki configuration and nowhere else.

Backup

Backup on-site

The database is backed up on-site once a day, before midnight. This is the on-site path:

/var/backups/wmi/intreccio.wikimedia.it/daily/databases/wikina.sql.gz

General details:

Backup off-site

These resources are pushed, daily, by server ⚙️ intreccio, to the off-site server ⚙️ horror that lives in a different datacenter:

The off-site destination keeps files for multiple days, rotated on a daily basis. Example locations in server ⚙️ horror:

/var/backups/wmi/intreccio.wikimedia.it
/var/backups/wmi.1/intreccio.wikimedia.it
/var/backups/wmi.2/intreccio.wikimedia.it
/var/backups/wmi.3...

Access notes:

  • the root user in server ⚙️ intreccio has full access to ssh@⚙️ horror.wikimedia.it:/var/backups/wmi/intreccio.wikimedia.it; this allows quick recovery
  • only the root user in server ⚙️ horror has full access to older locations such as /var/backups/wmi.1/intreccio.wikimedia.it; this prevents tampering with old backups in case of a security breach in server ⚙️ intreccio
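A daily dump is only worth its rotation scheme if the file that gets pushed off-site is actually usable. The script below is an added example, not part of the wiki page nor of the wmit-infrastructure repository: it checks the on-site `wikina.sql.gz` documented above for gzip integrity, completeness, freshness and a plausible size before it is copied to ⚙️ horror or trusted for a recovery. It assumes GNU coreutils (`stat`, `date`, `touch`), `gzip`, and that the dump was produced by mysqldump/mariadb-dump without `--compact`, which terminates the file with a `-- Dump completed` comment line; the dump path, the maximum age and the minimum size are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check the daily database
# dump before pushing it off-site or relying on it for a recovery.
# Assumptions: GNU coreutils (stat, date, touch), gzip, and a dump written
# by mysqldump/mariadb-dump without --compact, which ends the file with a
# "-- Dump completed" comment line. Defaults follow the paths on this page.

DUMP="${DUMP:-/var/backups/wmi/intreccio.wikimedia.it/daily/databases/wikina.sql.gz}"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-172800}"   # 2 days: tolerates one missed run
MIN_BYTES="${MIN_BYTES:-1024}"                 # compressed size below this is suspicious

# Return 0 when the gzip container is intact (CRC and length verified).
dump_is_readable() {
    gzip -t "$1" 2>/dev/null
}

# Return 0 when the trailing lines carry the "Dump completed" marker, i.e. the
# dump was not cut off mid-way (disk full, killed process, lost connection).
dump_is_complete() {
    gzip -dc "$1" 2>/dev/null | tail -n 5 | grep -q '^-- Dump completed'
}

# Return 0 when the file was modified less than MAX_AGE_SECONDS ago.
dump_is_fresh() {
    age=$(( $(date +%s) - $(stat -c '%Y' "$1") ))
    [ "$age" -lt "$MAX_AGE_SECONDS" ]
}

# Return 0 when the compressed file exceeds MIN_BYTES; a near-empty dump usually
# means the job ran against an empty or wrong database.
dump_is_not_tiny() {
    [ "$(stat -c '%s' "$1")" -gt "$MIN_BYTES" ]
}

# Run every check on the given dump (default: $DUMP), print one line per check
# and return the number of failed checks (0 = the backup looks usable).
check_backup() {
    f=${1:-$DUMP} failures=0
    if [ ! -f "$f" ]; then
        echo "FAIL missing $f"
        return 1
    fi
    for c in dump_is_readable dump_is_complete dump_is_fresh dump_is_not_tiny; do
        if "$c" "$f"; then
            echo "OK   $c $f"
        else
            echo "FAIL $c $f"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage on the server: sh check-wikina-backup.sh --check   (or DUMP=... for another file)
if [ "${1:-}" = "--check" ]; then
    check_backup
    exit $?
fi
```

The exit status is the number of failed checks, so the script can gate the off-site push (only copy a dump that passes) and double as a monitoring probe; on ⚙️ horror the same checks can be pointed at the rotated copies with `DUMP=/var/backups/wmi.1/...`.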

Complete snapshot

There is also a complete daily server snapshot executed from the OpenStack provider, restorable by any "admin" or "superadmin" of this provider:

Don't trigger a manual snapshot without a reason, since it can take the server offline for several minutes.

Don't allocate a server snapshot without a reason, since it consumes paid resources.

Recovery

In case of application data loss / corruption:

Access to: Server intreccio

List of all roles and the related accounts that can access Server intreccio:

To add a role or an account, add the following template to the user page of the missing person:

{{Accesso|Server intreccio|RUOLO}}

Access to: Wikina

List of all roles and the related accounts that can access Wikina:

To add a role or an account, add the following template to the user page of the missing person:

{{Accesso|Wikina|RUOLO}}

Access to: Fornitore vh

List of all roles and the related accounts that can access Fornitore vh:

To add a role or an account, add the following template to the user page of the missing person:

{{Accesso|Fornitore vh|RUOLO}}

Bug reports / Questions

To report feature requests / bugs:

Contact

Infrastruttura#Contatti

Thank you for your contributions to this page and on the WMIT infrastructure in general ❤️