Wikimedia Labs/Tool Labs/Help
Getting Access
Creating an account
The first step is to get an account on Wikitech, which is the general interface for everything Labs. On the account creation form the field "Instance shell account name" will be your Unix username on all Labs projects. Once you have created an account you will be added to a list of users to be approved for shell access which you can see here.
Setting your SSH key
In order to access Labs servers using SSH, you also need to provide a public SSH key on the 'OpenStack' tab of your Wikitech preferences once you have an account.
Generating a key in Windows
- Open PuttyGen
- Select an SSH-2 RSA key
- Click the Generate button
- Move your mouse around until the progress bar is full
- Type in a passphrase (you will need to remember this) and confirm it
- Save the private key and public key onto your local machine
- From the text field 'Public key for pasting into OpenSSH authorized_keys file' right click and copy
- Inset this into your 'OpenStack' tab of your Wikitech preferences
Generating a key in Linux
Modern Unix systems include the OpenSSH client (if not then install it). To generate a key, use ssh-keygen -t rsa
. This will store your private key in $HOME/.ssh/id_rsa, and your public key in $HOME/.ssh/id_rsa.pub. You can use different file names, but these are the default filenames, so it's easiest to not change them.
Getting access to the Tool Labs
Once you have a Labs account, you can request access to the tools project (you may look at the project page to see a list of current admins).
The tool labs has a public IP; once you have a tool labs account, you can connect using SSH and SFTP to tools-login.wmflabs.org
. You will need to use the shell account name you provided when creating your Wikitech account, and the private key matching the public key you supplied for authentication.
Your tool account
The primary concept of the Tool Lab's organization is the tool account; at its core this is a unix uid-gid pair named local-toolname
which is intended to run the actual tool. Maintainers may have more than one tool account, and tool accounts may have more than one maintainer.
Right now, you have to request a tool account from one of the project administrators; the plan is to make available an interface on wikitech where tool maintainers will be able to create them at need.
The unix group has as its members the tool account itself, as well as the user accounts of the maintainers of the tool. Every member of that group has the authorization to sudo to the tool account.
Along with the unix uid, the following resources are provided by default for each tool:
- A home directory on shared storage:
/data/project/toolname
- A web URI mapped to its
~/public_html
:http://tools.wmflabs.org/toolname
- A mysql database for local use (the credentials to which are stored in
~/.my.cnf
) - Access to the continuous and task queues of the compute grid (explained below)
- Hint
- As a convenience, tool maintainers can switch to the tool account with:
maintainer@tools-login:~$ become toolname local-toolname@tools-login:~$
The grid engine
Every non-trivial task performed by tools should be dispatched by the grid engine so that a suitable place to run them is found with sufficient resources. Gridengine is highly flexible system for assigning resources to jobs, including parallel processing.
You can find documentation on the website; you may wish to pay particular attention to the qsub
, qdel
and qacct
commands which are most important to users.
The basic principle
The basic principle of running jobs is fairly straightforward:
- You submit a job to a work queue from a submission server (-login) and the web servers.;
- The gridengine master finds a suitable execution host to run the job on, and starts it there once resources are available; then
- As it runs, your job will send their output and errors to files until it completes or it is aborted.
You can submit jobs with qsub
, modify some of their settings while they are waiting or running with qalter
, get information on your queued and running jobs with qstat
, and abort or cancel them with qdel
. Those commands are very flexible, but a little complex at first – you might prefer to use the simplified alternatives below.
There are a few caveats to keep in mind when submitting a job:
- You do not normally control which execution host will eventually run it, and should therefore only access directories that are shared between all hosts (specifically,
/data/project
and/home
) - Your job's memory usage has a hard limit it cannot grow beyond. By default, that is 256MB but you can request more (or less) with
qsub
's-l h_vmem=memory
orjsub
's-m memory
options.Bear in mind that jobs that request more memory may be penalized in priority and may have to wait longer before being run until sufficient resources are available.
Submitting Jobs
For most tasks, helper scripts are provided to abstract away some of the complexities of using the grid engine. Almost all use scenarios are covered with reasonable defaults by the jsub
script.
jsub parameters |
---|
|
TODO add sample jsub command and output
By default, jobs are allowed 256MB of memory; you can request more (or less) with the -m
option but keep in mind that a job that requests more resources may be penalized in its priority and may have to wait longer before being run.
Job names
By default, jobs have the same name as the program, minus extensions. (For instance, if you had a program named foobot.pl
which you started with jsub
, the job's name would be foobot). You can pick a different name for the job when starting it (with the -N
option of qsub
and jsub
); this name identifies the jobs on statuses, but can also be used to control it.
It's important to note that you can have more than one job, running or queued, bearing the same name. Some of the utilities that accept a job name may not behave as expected in those cases.
Simple, one-off jobs
The simplest scenario is when you want to run a job on demand that has a finite duration (at interval from cron, for instance, or from a web tool or the command line).
$ jsub program-or-script
Will schedule the job to be run as soon as possible, and put eventual output from the job to files in your home; this is done asynchronously in the background. If you need to wait until the job has completed (for instance, to do further processing on its output), you can add the -sync y
option to the jsub
command.
If you need to make certain that the job isn't running multiple times (such as when you invoke it from a crontab), you can add the -once
option. If the job was already running or queued, it will simply mark the failed attempt in the error file and return immediately.
$ jsub -once -N jobname php /data/project/tool/task/execute.php
Continuous jobs (such as bots)
Continuous tasks have a dedicated queue, continuous, which has a slightly different setup:
- Jobs started on that queue are automatically restarted if they, or the node they run on, crash
- In case of outage or lack of resources, they will be stopped and restarted automatically on a working node
- only tool accounts can start continuous jobs
The queue will not restart jobs that exited normally (i.e., were not killed) unless they are wrapped in a script to do so; starting a job with the -continuous
option of jsub
does so automatically until they exit normally with an exit value of zero, indicating completion.
One would normally start continuous jobs with the -once
option as well so that they can be managed reliably with job
and jstop
utilities.
For convenience, there is an utility to start a continuous bot with reasonable default options:
jstart script
(which is equivalent to jsub -once -continuous script
and accepts the same options. This would start the script program in continuous mode if it is not already running, making certain that it is kept running.
Managing Jobs
Job Information
Once your jobs has been submitted to the grid using one of the above commands you will receive an output similar to the one below which includes the job id and job name.
Your job 120 ("xbot") has been submitted
You can see the status of all your running and pending jobs with the qstat
command.
For example:
local-xbot@tools-login:~$ qstat job-ID prior name user state submit/start at queue slots ja-task-ID ----------------------------------------------------------------------------------------------------------------- 120 0.50000 xbot local-xbot r 04/01/2013 21:00:00 continuous@tools-exec-01.pmtpa 1
State | Description |
---|---|
r | running |
qw | queued/waiting |
d | deleted |
E | Error |
If you know that your job can only have one instance running (such as when you use the -once
option when starting it) you can also use the job
command to get its job id (or a more verbose status with -v
). The latter is particularly useful from scripts or web services.
For example:
local-xbot@tools-login:~$ job xbot Job 'xbot' has been running since 2013-04-01T21:00:00 as id 120
Once you have the job Id you can find out more information about a job using the -j
parameter with qstat
command and a job number.
example output for qstat -j 990 |
---|
local-toolname@tools-login:~$ qstat -j 990 ============================================================== job_number: 990 exec_file: job_scripts/990 submission_time: Wed Apr 13 08:32:39 2013 owner: local-toolname uid: 40005 group: local-toolname gid: 40005 sge_o_home: /data/project/toolname/ sge_o_log_name: local-toolname sge_o_path: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin sge_o_shell: /bin/bash sge_o_workdir: /data/project/toolname sge_o_host: tools-login account: sge stderr_path_list: NONE:NONE:/data/project/toolname//taskname.err hard resource_list: h_vmem=256m mail_list: local-toolname@tools-login.pmtpa.wmflabs notify: FALSE job_name: epm stdout_path_list: NONE:NONE:/data/project/toolname//taskname.out jobshare: 0 hard_queue_list: task env_list: script_file: /data/project/toolname/taskname.py usage 1: cpu=00:21:08, mem=158.09600 GBs, io=0.00373, vmem=127.719M, maxvmem=127.723M |
Stopping Jobs
To stop a running job (or prevent it from being run if it had not already started), you can use the qdel job_number
command. The job number was output when the job was started, or you can get it from the qstat
command.
If you started the job with the jstart
command, or you know there is only one job with the same name, then you can use the jstop jobname
utility command.
Suspending and unsuspending jobs
Suspending a job allows it to be temporarily paused, and then resumed later. To suspend a job use qmod -sj <job_id>
. The job will be paused by sending it SIGSTOP, and will have the 's' state in qstat
. To unsuspend the job and let it continue running use qmod -usj <job_id>
. The job should return to the 'r' state in qstat
Web services
Every tool account has a web interface made available (though, in cases of bots with no web interactivity, you may simply wish to have a static page that describes the tool, or a simple status report). Users do not and can not have a web directory in /home.
Published directories
Each tool account has two corresponding URI that are automatically made available from two directories in its home:
- http://tools.wmflabs.org/toolname/
- which maps to the tool's
~/public_html/
- http://tools.wmflabs.org/toolname/cgi-bin
- which maps to the tool's
~/cgi-bin/
The latter directory will attempt to run the files it contains as CGI scripts rather than display them. In addition, files in either directory that end with the .php
or .php5
extensions will be run as PHP CGI scripts.
All CGI scripts must be marked executable, and are run with the permissions of the user account that owns the script. In almost all cases, you want to make certain that they are owned by the tool account.
The web server allows overrides of AuthConfig FileInfo Options=IncludesNOEXEC
from .htaccess
.
Note: As all tools public_html folder is in the tools home folder you must allow other users to access your home folder in order for the web service to access the public_html within.
Cookies
Since all tools in the Labs reside under the same domain, you should prefix the name of any cookie you set with your tool's name. In addition, you should be aware that cookies you set may be read by every other web tool your user visits.
Accordingly, you should avoid storing privacy-related or security information in cookies. A simple workaround is to store session information in a database, and use the cookie as an opaque key to that information. Additionally, you can explicitly set a path in a cookie to limit its applicability to your tool; most clients should obey the Path directive properly.
Logs
The access logs for your tool's web interface are placed in the tool account's ~/access.log
, in common format. Please note that the web logs are anonymized such that the user's IP address appears to be that of the local host. In general, the privacy policy will not allow logging of personally identifiable information by tool maintainers (including IP addresses); special permission from Foundation legal counsel would be required to get that information.
Error logs, because of limitations of the Apache web server, are not made directly available to tool maintainers. There is a workaround in place for PHP, which allows per-user logging (PHP error logs are placed in the tools account's ~/php_error.log
), but until a newer version of Apache can be deployed it is recommended that you use your language's facilities to log errors to a file under the tool account's home.
In particular, however, this means that if you have a CGI which is unable to start you will not be able to see the error preventing it without help from a tool labs admin. There are a few common errors you can check against which cover most cases:
- The CGI's file is not owned by the tool account
- The CGI's file does not have its execute bits set
- (You can use the
chmod
command to set the script as executable)
- (You can use the
- The CGI is a script and does not start with a Unix "shebang" invocation, or it points to the wrong path:
- A unix "shebang" is the first line of a script that specifies the program meant to execute that script. It has the form
#! /path/to/interpreter
- Where the path is, for instance,
/usr/bin/perl
for perl scripts. You can check the path to a language interpreter by using thewhich
command:maintainer@tools-login:~$ which python
- would output the path to the python interpreter.
- A unix "shebang" is the first line of a script that specifies the program meant to execute that script. It has the form
Database access
Every tool account automatically gets a database for general usage on the project itself. The information and credentials to that database are put automatically in the account's ~/.my.cnf
on creation. Full control over that database is granted to the tool account (with grant option).
To access a tools database become the tool and simple type mysql
. This will load mysql with the data from ~/.my.cnf
.
Normally, tools do not have access to create new databases dynamically; please consult with a project admin if you require that functionality.
(Soon) Tool accounts are also granted to the production database replicas, and may create and manage databases there at need. Because of technical limitations, actual revision text is not available on the replicas (but can be fetched at fairly high efficiency with the API).