Shellbox is a library for remote command execution, and a server for secure command execution. It was primarily implemented to sandbox lilypond (used by the Score extension) and provide a way for MediaWiki to utilize external binaries without needing them to be in the same container. Shellbox relies on Kubernetes (and Linux containers/namespaces) to provide isolation and resource limits for external commands.
Shellbox safely sandboxes unsafe command execution.
Documentation for integration in MediaWiki is available at mw:Shellbox; operational aspects are here on Wikitech.
Architecture overview of Shellbox
Requests come into an Apache httpd container, which contains the Shellbox secret key as a configmap. The request is passed on to a php-fpm container, which contains the Shellbox code and necessary binaries. Once the request is authenticated, Shellbox executes the command as the www-data user. The response is then sent back.
MediaWiki talks to Shellbox over a local envoyproxy.
We currently have two Shellboxes in active use with more on the way:
- shellbox: for Score, with lilypond, ghostscript, fluidsynth, lame and noto fonts installed
- shellbox-constraints: for Wikidata constraint regex checking, with only PHP installed, using the RPC interface
- shellbox-media: TBD
- shellbox-syntaxhighlight: for SyntaxHighlight, with pygments installed
- shellbox-timeline: for EasyTimeline, with librsvg, perl, ploticus and various fonts installed
Shellbox provides a /healthz endpoint that can be used to quickly check if the service is up, e.g.:
user@host$ curl https://shellbox.discovery.wmnet:4008/healthz
"__": "Shellbox running",
All other requests are harder to externally construct since they need to be signed with the Shellbox secret key.
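The split between the open /healthz endpoint and signed requests can be sketched as follows. This is an added example, not Shellbox's own code: the page does not state the signature format, so HMAC-SHA256 over method, path and body is an assumption, and the key, the `/shell/score` path and the request body are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample key; in the deployment described above the real key
# reaches the httpd container through a configmap.
SECRET_KEY = b"constructed-example-key"

# Assumption: only the health check is served without a signature.
UNAUTHENTICATED_PATHS = {"/healthz"}


def sign_request(key: bytes, method: str, path: str, body: bytes) -> str:
    """Client side: MAC over method, path and body (hypothetical layout)."""
    msg = method.upper().encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(key: bytes, method: str, path: str, body: bytes,
              signature: Optional[str]) -> bool:
    """Server side: allow GET /healthz, require a valid MAC otherwise."""
    if method.upper() == "GET" and path in UNAUTHENTICATED_PATHS:
        return True
    if not signature:
        return False
    expected = sign_request(key, method, path, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    path = "/shell/score"  # hypothetical route name
    body = b'{"command": ["lilypond", "--version"]}'  # constructed body
    good = sign_request(SECRET_KEY, "POST", path, body)
    other = sign_request(b"some-other-key", "POST", path, body)
    changed = body.replace(b"--version", b"--other")
    return {
        "healthz_unsigned": authorize(SECRET_KEY, "GET", "/healthz", b"", None),
        "signed": authorize(SECRET_KEY, "POST", path, body, good),
        "unsigned": authorize(SECRET_KEY, "POST", path, body, None),
        "body_changed": authorize(SECRET_KEY, "POST", path, changed, good),
        "wrong_key": authorize(SECRET_KEY, "POST", path, body, other),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'accepted' if allowed else 'rejected'}")
```

Because the MAC covers the body, a request whose command is altered after signing is rejected along with unsigned requests and requests signed under a different key.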
All logs from httpd and php-fpm should end up in logstash. You can filter for a specific Shellbox deployment with kubernetes.namespace_name:"shellbox-constraints". The actual log text is under the field log (not message like MediaWiki).
All Shellbox invocations should still be logged under MediaWiki's exec log channel too.
Last edited on 15 September 2021, at 18:24