[Owasp-board] Fwd: [Owasp-leaders] Downtime for OWASP's wiki of late

Sarah Baso sarah.baso at owasp.org
Mon Jul 8 21:05:11 UTC 2013


Sarah Baso

Begin forwarded message:

*From:* Matt Tesauro <matt.tesauro at owasp.org>
*Date:* July 8, 2013 2:00:01 PM PDT
*To:* owasp leaders list <owasp-leaders at lists.owasp.org>
*Subject:* *[Owasp-leaders] Downtime for OWASP's wiki of late*

Here's the short version of where the wiki was and where it is now plus the
bumpy road between the two:

<wiki status="initial state">

   - Rackspace server on Public Cloud running Ubuntu Server 10-04 LTS
   - MediaWiki version 1.18.0 (EOL/EOS)
   - Zero documentation on setup, extensions, etc
   - 55 MediaWiki extensions in various states of decay, old backup
   versions, tarbals, etc in the /extensions directory
   - Zero backups of any kind
   - Un-rotated log files with a 7.9 GB Apache access log file


<wiki status="current state">

   - Rackspace server on Manged Cloud running Ubuntu 12-04 LTS
   - MediaWiki version 1.19.7 (basically the oldest supported version)
   - All extension updated to the latest supported by 1.19.7
   - Ridiculous amounts of documentation
   - VM, DB and file level backups of all critical data on the server to
   Cloud Files via Cloud Backup


<wiki status="final state">

   - Rackspace server on Manged Cloud running Ubuntu 12-04 LTS
   - MediaWiki version 1.21.1 - latest stable version
   - All extension updated to the latest supported by 1.21.1
   - Ridiculous amounts of documentation and automation
   - VM, DB and file level backups of all critical data on the server to
   Cloud Files via Cloud Backup
   - Protected and monitored (hardening, account auditing, FIM, ...) via
   - [considering] Load-balanced multi-web head version of the wiki for
   greater uptime


A bit more detail:

To get to the current state of 1.19.7, I needed to take a recursive diff of
pristine 1.18.0 source vs what was running on the wiki.  An example of the
status of that diff as of the evening of 2013-07-08:

Besides some random cruft, there were 55 extensions in the /extensions
sub-directory which needed review.  For each plugin, I needed to:

   1. Tons of database schema updates - updating the DB will result in ~20
   minutes of hard down time when I will need to shut off the web server to
   ensure nothing interrupts that process.
   2.  We have 55 extensions added to MediaWiki all of which appear to be
   very out of date and/or vestigial past experiments.  For each extension I
   need to:

   - Find out if its an official one or a custom-written one
   - Find out its version number (if it provides it anywhere in the source)
   - Find out if there is an updated version of the extension
   - Find out if the extension is even enabled
   - For extensions which are not enabled or backups of other plugins,
   remove them from the extension directory
   - For extensions which are enabled and have updates, grab the latest
   version which works with 1.19.7 and replace the currently installed one
   - For extensions which don't have version numbers, do a diff between the
   latest version and what was running on the wiki to see if there are
   meaningful code changes.  Update as necessary.
   - For extensions which are enabled and are abandoned/have no updates,
   try to determine if they are used/needed.

I am pretty close to being complete with the review of the extensions.  You
may notice broken things go unbroken over the next day or two as we find
wrinkles in the update process.  Once the extensions are settled and
stable, updates to more recent stable versions of MediaWiki will be MUCH
simpler.  I've scripted much of the process for the next round of updates
from 1.19.7 to 1.20.6.

Some of the downtime today has been resolved so far by reducing the
somewhat high MaxClients setting on the original configuration of Apache to
reduce the chance of memory/CPU consumption attacks.  If someone has been
attacking a charity's webiste, enjoy the negative karma points, you've
earned them.

Since July 4th, I've put in ~25 hours over the holiday weekend besides
dealing with 5 family members + a dog who came to visit Friday to Sunday.

I'm going to be not so responsive while I finish up the extensions
so apologies in advance if replies are somewhat delayed. The wiki will stay
in Read-Only mode until I get the extensions updated to avoid any issues.

Note:  I have copious notes detailing the migration efforts with the wiki
since things started.  One of my Google Docs currently has it at 23 pages
and 40,467 characters.  I'll clean up my working notes so they become the
standard documentation on how the wiki is setup.  That will come later
after I get all the extensions updated and the wiki running on the latest
MediaWiki source.


-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20130708/e0cda45f/attachment.html>

More information about the Owasp-board mailing list