Wikimedia Labs/Tool Labs/Help

The first step is to get an account on Wikitech, which is the general interface for everything Labs. On the account creation form the field "Instance shell account name" will be your Unix username on all Labs projects. Once you have created an account you will be added to a list of users to be approved for shell access which you can see here.

In order to access Labs servers using SSH, you also need to provide a public SSH key on the 'OpenStack' tab of your Wikitech preferences once you have an account.

1. Open PuttyGen
2. Select an SSH-2 RSA key
3. Click the Generate button
4. Move your mouse around until the progress bar is full
5. Type in a passphrase (you will need to remember this) and confirm it
6. Save the private key and public key onto your local machine
7. From the text field 'Public key for pasting into OpenSSH authorized_keys file' right click and copy
8. Inset this into your 'OpenStack' tab of your Wikitech preferences

Modern Unix systems include the OpenSSH client (if not then install it). To generate a key, use ssh-keygen -t rsa. This will store your private key in $HOME/.ssh/id_rsa, and your public key in $HOME/.ssh/id_rsa.pub. You can use different file names, but these are the default filenames, so it's easiest to not change them.

Once you have a Labs account, you can request access to the tools project (you may look at the project page to see a list of current admins).

The tool labs has a public IP; once you have a tool labs account, you can connect using SSH and SFTP to tools-login.wmflabs.org. You will need to use the shell account name you provided when creating your Wikitech account, and the private key matching the public key you supplied for authentication.

The primary concept of the Tool Lab's organization is the tool account; at its core this is a unix uid-gid pair named local-toolname which is intended to run the actual tool. Maintainers may have more than one tool account, and tool accounts may have more than one maintainer.

Right now, you have to request a tool account from one of the project administrators; the plan is to make available an interface on wikitech where tool maintainers will be able to create them at need.

The unix group has as its members the tool account itself, as well as the user accounts of the maintainers of the tool. Every member of that group has the authorization to sudo to the tool account.

Along with the unix uid, the following resources are provided by default for each tool:

• A home directory on shared storage: /data/project/toolname
• A web URI mapped to its ~/public_html: http://tools.wmflabs.org/toolname
• A mysql database for local use (the credentials to which are stored in ~/.my.cnf)
• Access to the continuous and task queues of the compute grid (explained below)

Hint

As a convenience, tool maintainers can switch to the tool account with:

maintainer@tools-login:~$ become toolname
local-toolname@tools-login:~$

Every non-trivial task performed by tools should be dispatched by the grid engine so that a suitable place to run them is found with sufficient resources. Gridengine is highly flexible system for assigning resources to jobs, including parallel processing.

You can find documentation on the website; you may wish to pay particular attention to the qsub, qdel and qacct commands which are most important to users.

The basic principle of running jobs is fairly straightforward:

• You submit a job to a work queue from a submission server (-login) and the web servers.;
• The gridengine master finds a suitable execution host to run the job on, and starts it there once resources are available; then
• As it runs, your job will send their output and errors to files until it completes or it is aborted.

You can submit jobs with qsub, modify some of their settings while they are waiting or running with qalter, get information on your queued and running jobs with qstat, and abort or cancel them with qdel. Those commands are very flexible, but a little complex at first – you might prefer to use the simplified alternatives below.

There are a few caveats to keep in mind when submitting a job:

• You do not normally control which execution host will eventually run it, and should therefore only access directories that are shared between all hosts (specifically, /data/project and /home)
• Your job's memory usage has a hard limit it cannot grow beyond. By default, that is 256MB but you can request more (or less) with qsub's -l h_vmem=memory or jsub's -m memory options.

  Bear in mind that jobs that request more memory may be penalized in priority and may have to wait longer before being run until sufficient resources are available.

For most tasks, helper scripts are provided to abstract away some of the complexities of using the grid engine. Almost all use scenarios are covered with reasonable defaults by the jsub script.

TODO add sample jsub command and output

By default, jobs are allowed 256MB of memory; you can request more (or less) with the -m option but keep in mind that a job that requests more resources may be penalized in its priority and may have to wait longer before being run.

By default, jobs have the same name as the program, minus extensions. (For instance, if you had a program named foobot.pl which you started with jsub, the job's name would be foobot). You can pick a different name for the job when starting it (with the -N option of qsub and jsub); this name identifies the jobs on statuses, but can also be used to control it.

It's important to note that you can have more than one job, running or queued, bearing the same name. Some of the utilities that accept a job name may not behave as expected in those cases.

The simplest scenario is when you want to run a job on demand that has a finite duration (at interval from cron, for instance, or from a web tool or the command line).

$ jsub program-or-script

Will schedule the job to be run as soon as possible, and put eventual output from the job to files in your home; this is done asynchronously in the background. If you need to wait until the job has completed (for instance, to do further processing on its output), you can add the -sync y option to the jsub command.

If you need to make certain that the job isn't running multiple times (such as when you invoke it from a crontab), you can add the -once option. If the job was already running or queued, it will simply mark the failed attempt in the error file and return immediately.

$ jsub -once -N jobname php /data/project/tool/task/execute.php

Continuous tasks have a dedicated queue, continuous, which has a slightly different setup:

• Jobs started on that queue are automatically restarted if they, or the node they run on, crash
• In case of outage or lack of resources, they will be stopped and restarted automatically on a working node
• only tool accounts can start continuous jobs

The queue will not restart jobs that exited normally (i.e., were not killed) unless they are wrapped in a script to do so; starting a job with the -continuous option of jsub does so automatically until they exit normally with an exit value of zero, indicating completion.

One would normally start continuous jobs with the -once option as well so that they can be managed reliably with job and jstop utilities.

For convenience, there is an utility to start a continuous bot with reasonable default options: jstart script (which is equivalent to jsub -once -continuous script and accepts the same options. This would start the script program in continuous mode if it is not already running, making certain that it is kept running.

Once your jobs has been submitted to the grid using one of the above commands you will receive an output similar to the one below which includes the job id and job name.

Your job 120 ("xbot") has been submitted

You can see the status of all your running and pending jobs with the qstat command.

For example:

local-xbot@tools-login:~$ qstat
job-ID  prior   name       user         state submit/start at     queue                          slots ja-task-ID 
-----------------------------------------------------------------------------------------------------------------
    120 0.50000 xbot       local-xbot   r     04/01/2013 21:00:00 continuous@tools-exec-01.pmtpa     1        

If you know that your job can only have one instance running (such as when you use the -once option when starting it) you can also use the job command to get its job id (or a more verbose status with -v). The latter is particularly useful from scripts or web services.

For example:

local-xbot@tools-login:~$ job xbot
Job 'xbot' has been running since 2013-04-01T21:00:00 as id 120

Once you have the job Id you can find out more information about a job using the -j parameter with qstat command and a job number.

local-toolname@tools-login:~$ qstat -j 990
==============================================================
job_number:                 990
exec_file:                  job_scripts/990
submission_time:            Wed Apr 13 08:32:39 2013
owner:                      local-toolname
uid:                        40005
group:                      local-toolname
gid:                        40005
sge_o_home:                 /data/project/toolname/
sge_o_log_name:             local-toolname
sge_o_path:                 /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
sge_o_shell:                /bin/bash
sge_o_workdir:              /data/project/toolname
sge_o_host:                 tools-login
account:                    sge
stderr_path_list:           NONE:NONE:/data/project/toolname//taskname.err
hard resource_list:         h_vmem=256m
mail_list:                  local-toolname@tools-login.pmtpa.wmflabs
notify:                     FALSE
job_name:                   epm
stdout_path_list:           NONE:NONE:/data/project/toolname//taskname.out
jobshare:                   0
hard_queue_list:            task
env_list:
script_file:                /data/project/toolname/taskname.py
usage    1:                 cpu=00:21:08, mem=158.09600 GBs, io=0.00373, vmem=127.719M, maxvmem=127.723M 

To stop a running job (or prevent it from being run if it had not already started), you can use the qdel job_number command. The job number was output when the job was started, or you can get it from the qstat command.

If you started the job with the jstart command, or you know there is only one job with the same name, then you can use the jstop jobname utility command.

Suspending a job allows it to be temporarily paused, and then resumed later. To suspend a job use qmod -sj <job_id>. The job will be paused by sending it SIGSTOP, and will have the 's' state in qstat. To unsuspend the job and let it continue running use qmod -usj <job_id>. The job should return to the 'r' state in qstat

Every tool account has a web interface made available (though, in cases of bots with no web interactivity, you may simply wish to have a static page that describes the tool, or a simple status report). Users do not and can not have a web directory in /home.

Each tool account has two corresponding URI that are automatically made available from two directories in its home:

http://tools.wmflabs.org/toolname/

which maps to the tool's ~/public_html/

http://tools.wmflabs.org/toolname/cgi-bin

which maps to the tool's ~/cgi-bin/

The latter directory will attempt to run the files it contains as CGI scripts rather than display them. In addition, files in either directory that end with the .php or .php5 extensions will be run as PHP CGI scripts.

All CGI scripts must be marked executable, and are run with the permissions of the user account that owns the script. In almost all cases, you want to make certain that they are owned by the tool account.

The web server allows overrides of AuthConfig FileInfo Options=IncludesNOEXEC from .htaccess.

Note: As all tools public_html folder is in the tools home folder you must allow other users to access your home folder in order for the web service to access the public_html within.

Since all tools in the Labs reside under the same domain, you should prefix the name of any cookie you set with your tool's name. In addition, you should be aware that cookies you set may be read by every other web tool your user visits.

Accordingly, you should avoid storing privacy-related or security information in cookies. A simple workaround is to store session information in a database, and use the cookie as an opaque key to that information. Additionally, you can explicitly set a path in a cookie to limit its applicability to your tool; most clients should obey the Path directive properly.

The access logs for your tool's web interface are placed in the tool account's ~/access.log, in common format. Please note that the web logs are anonymized such that the user's IP address appears to be that of the local host. In general, the privacy policy will not allow logging of personally identifiable information by tool maintainers (including IP addresses); special permission from Foundation legal counsel would be required to get that information.

Error logs, because of limitations of the Apache web server, are not made directly available to tool maintainers. There is a workaround in place for PHP, which allows per-user logging (PHP error logs are placed in the tools account's ~/php_error.log), but until a newer version of Apache can be deployed it is recommended that you use your language's facilities to log errors to a file under the tool account's home.

In particular, however, this means that if you have a CGI which is unable to start you will not be able to see the error preventing it without help from a tool labs admin. There are a few common errors you can check against which cover most cases:

• The CGI's file is not owned by the tool account
• The CGI's file does not have its execute bits set

  (You can use the chmod command to set the script as executable)

• The CGI is a script and does not start with a Unix "shebang" invocation, or it points to the wrong path:

  A unix "shebang" is the first line of a script that specifies the program meant to execute that script. It has the form

  #! /path/to/interpreter

  Where the path is, for instance, /usr/bin/perl for perl scripts. You can check the path to a language interpreter by using the which command:

  maintainer@tools-login:~$ which python

  would output the path to the python interpreter.

Every tool account automatically gets a database for general usage on the project itself. The information and credentials to that database are put automatically in the account's ~/.my.cnf on creation. Full control over that database is granted to the tool account (with grant option).

To access a tools database become the tool and simple type mysql. This will load mysql with the data from ~/.my.cnf.

Normally, tools do not have access to create new databases dynamically; please consult with a project admin if you require that functionality.

(Soon) Tool accounts are also granted to the production database replicas, and may create and manage databases there at need. Because of technical limitations, actual revision text is not available on the replicas (but can be fetched at fairly high efficiency with the API).