Phabricator is a collection of open source web applications that help software companies build better software. Why use Bitnami Certified Apps? Bitnami certified images are always up-to-date, secure, and built to work right out of the box. Phabricator is a collection of open source web applications that help software companies build better software. Why use Bitnami Helm Charts? Deploying Bitnami applications as Helm Charts is the easiest way to get started with our applications on Kubernetes. Phabricator (pronounced like the word fabricator) is a suite of web applications which make it easier to build software, particularly when working with teams. Phabricator is largely based on Facebook's internal tools.
Guide to configuring Phabricator repository hosting.
Phabricator can host repositories and provide authenticated read and writeaccess to them over HTTP and SSH. This document describes how to configurerepository hosting.
Understanding Supported Protocols
Phabricator supports hosting over these protocols:
All supported protocols handle reads (pull/checkout/clone) and writes(push/commit). Of the two protocols, SSH is generally more robust, secure andperformant, but HTTP is easier to set up and supports anonymous access.
|Security||Better (Asymmetric Key)||Okay (Password)|
Each repository can be configured individually, and you can use eitherprotocol, or both, or a mixture across different repositories.
SSH is recommended unless you need anonymous access, or are not able toconfigure it for technical reasons.
Creating System User Accounts
Phabricator uses two system user accounts, plus a third account if youconfigure SSH access. This section will guide you through creating andconfiguring them. These are system user accounts on the machine Phabricatorruns on, not Phabricator user accounts.
The system accounts Phabricator uses are:
- The user the webserver runs as. We'll call this www-user.
- The user the daemons run as. We'll call this daemon-user. This user is the only user which will interact with the repositories directly. Other accounts will sudo to this account in order to perform repository operations.
- The user that humans will connect over SSH as. We'll call this vcs-user. If you do not plan to make repositories available over SSH, you do not need to create or configure this user.
To create these users:
- Create a www-user if one does not already exist. In most cases, this user will already exist and you just need to identify which user it is. Run your webserver as this user.
- Create a daemon-user if one does not already exist (you can call this user whatever you want, or use an existing account). Below, you'll configure the daemons to start as this user.
- Create a vcs-user if one does not already exist and you plan to set up SSH. When users clone repositories, they will use a URI like [email protected], so common names for this user are git or hg.
Continue below to configure these accounts.
Now that you have created or identified these accounts, update the Phabricatorconfiguration to specify them.
First, set phd.user to the daemon-user:
Restart the daemons to make sure this configuration works properly. They shouldstart as the correct user automatically.
If you're using a vcs-user for SSH, you should also configure that:
Next, you'll set up sudo permissions so these users can interact with oneanother.
The www-user and vcs-user need to be able to sudo as the daemon-userso they can interact with repositories.
To grant them access, edit the sudo system configuration. On many systems,you will do this by modifying the /etc/sudoers file using visudo orsudoedit. In some cases, you may add a new file to /etc/sudoers.d instead.
To give a user account sudo access to run a list of binaries, add a line likethis to the configuration file (this example would grant vcs-user permissionto run ls as daemon-user):
The www-user needs to be able to run these binaries as the daemon-user:
- git (if using Git)
- git-http-backend (if using Git)
- hg (if using Mercurial)
- ssh (if configuring clusters)
If you plan to use SSH, the vcs-user needs to be able to run these binariesas the daemon-user:
- git (if using Git)
- git-upload-pack (if using Git)
- git-receive-pack (if using Git)
- hg (if using Mercurial)
- svnserve (if using Subversion)
- ssh (if configuring clusters)
Identify the full paths to all of these binaries on your system and add theappropriate permissions to the sudo configuration.
Normally, you'll add two lines that look something like this:
This is just a template. In the real configuration file, you need to:
- Replace www-user, daemon-user and vcs-user with the correct usernames for your system.
- List every binary that these users need access to, as described above.
- Make sure each binary path is the full path to the correct binary location on your system.
Before continuing, look for this line in your sudo configuration: Kuckucksuhr wiesbaden.
If it's present, comment it out by putting a # at the beginning of the line.With this option enabled, VCS SSH sessions won't be able to use sudo.
Additional SSH User Configuration
If you're planning to use SSH, you should also edit /etc/passwd and/etc/shadow to make sure the vcs-user account is set up correctly.
/etc/shadow: Open /etc/shadow and find the line for the vcs-useraccount.
The second field (which is the password field) must not be set to !!. Thisvalue will prevent login.
If you have usermod on your system, you can adjust this value with:
If you do not have usermod, carefully edit the file and set the field valueto NP ('no password') instead of !!.
/etc/passwd: Open /etc/passwd and find the line for the vcs-useraccount.
The last field (which is the login shell) must be set to a real shell. If it isset to something like /bin/false, then sshd will not be able to executecommands.
If you have usermod on your system, you can adjust this value with:
If you do not have usermod, carefully edit the file and change the fieldto point at a real shell, usually /bin/sh.
If you plan to serve repositories over authenticated HTTP, you need to setdiffusion.allow-http-auth in Config. If you don't plan to serve repositoriesover HTTP (or plan to use only anonymous HTTP) you can leave this settingdisabled.
If you plan to use authenticated HTTP, you (and all other users) also need toconfigure a VCS password for your account in Settings → VCS Password.
Your VCS password must be a different password than your main Phabricatorpassword because VCS passwords are very easy to accidentally disclose. They areoften stored in plaintext in world-readable files, observable in ps output,and present in command output and logs. We strongly encourage you to use SSHinstead of HTTP to authenticate access to repositories.
Otherwise, if you've configured system accounts above, you're all set. Noadditional server configuration is required to make HTTP work. You should nowbe able to fetch and push repositories over HTTP. See 'Cloning a Repository'below for more details.
If you're having trouble, see 'Troubleshooting HTTP' below.
SSH access requires some additional setup. You will configure and run a second,restricted copy of sshd on the machine, on a different port from the standardsshd. This special copy of sshd will serve repository requests and provideother Phabricator SSH services.
Before continuing, you must choose a strategy for which port each copy ofsshd will run on. The next section lays out various approaches.
SSHD Port Assignment
The normal sshd that lets you administrate the host and the special sshdwhich serves repositories can't run on the same port. In particular, only oneof them can run on port 22, which will make it a bit inconvenient to accessthe other one.
These instructions will walk you through configuring the alternate sshd onport 2222. This is easy to configure, but if you run the service on this portusers will clone and push to URIs like ssh://[email protected]:2222/, which is alittle ugly.
There are several different approaches you can use to mitigate or eliminatethis problem.
Run on Port 2222: You can do nothing, and just run the repository sshd onport 2222 and accept the explicit port in the URIs. This is the simplestapproach, and you can always start here and clean things up later if you growtired of dealing with the port number.
Use a Load Balancer: You can configure a load balancer in front of the hostand have it forward TCP traffic on port 22 to port 2222. Then users canclone from ssh://[email protected]/ without an explicit port number and you don'tneed to do anything else.
This may be very easy to set up, particularly if you are hosted in AWS, andis often the simplest and cleanest approach.
Swap Ports: You can move the administrative sshd to a new port, then runPhabricator sshd on port 22. This is somewhat complicated and can be a bitrisky if you make a mistake. See 'Moving the sshd Port' below for help.
Change Client Config: You can run on a nonstandard port, but configure SSHon the client side so that ssh automatically defaults to the correct portwhen connecting to the host. To do this, add a section like this to your~/.ssh/config:
(If you want, you can also add a default User.)
Command line tools like ssh, git and hg will now default to port2222 when connecting to this host.
A downside to this approach is that your users will each need to set up their~/.ssh/config files individually.
This file also allows you to define short names for hosts using the Host andHostName options. If you choose to do this, be aware that Phabricator usesremote/clone URIs to figure out which repository it is operating in, but cannot resolve host aliases defined in your ssh config. If you create hostaliases they may break some features related to repository identification.
If you use this approach, you will also need to specify a port explicitly whenconnecting to administrate the host. Any unit tests or other build automationwill also need to be configured or use explicit port numbers.
Port Multiplexing: If you have hardware access, you can power down the hostand find the network I/O pins on the motherboard (for onboard networking) ornetwork card.
Carefully strip and solder a short piece of copper wire between the pins forthe external interface 22 and internal 2222, so the external interface canreceive traffic for both services.
(Make sure not to desolder the existing connection between external 22 andinternal 22 or you won't be able to connect normally to administrate thehost.)
The obvious downside to this approach is that it requires physical access tothe machine, so it won't work if you're hosted on a cloud provider.
Now that you've decided how you'll handle port assignment, you're ready tocontinue sshd setup.
If you plan to connect to a port other than 22, you should set this portas diffusion.ssh-port in your Phabricator config:
This port is not special, and you are free to choose a different port, providedyou make the appropriate configuration adjustment below.
Configure and Start Phabricator SSHD: Now, you'll configure and start acopy of sshd which will serve Phabricator services, including repositories,over SSH.
This instance will use a special locked-down configuration that usesPhabricator to handle authentication and command execution.
There are three major steps:
- Create a phabricator-ssh-hook.sh file.
- Create a sshd_phabricator config file.
- Start a copy of sshd using the new configuration.
Create phabricator-ssh-hook.sh: Copy the template inphabricator/resources/sshd/phabricator-ssh-hook.sh to somewhere like/usr/libexec/phabricator-ssh-hook.sh and edit it to have the correctsettings.
Both the script itself and the parent directory the script resides in mustbe owned by root, and the script must have 755 permissions:
If you don't do this, sshd will refuse to execute the hook.
Create sshd_config for Phabricator: Copy the template inphabricator/resources/sshd/sshd_config.phabricator.example to somewhere like/etc/ssh/sshd_config.phabricator.
Open the file and edit the AuthorizedKeysCommand,AuthorizedKeysCommandUser, and AllowUsers settings to be correct for yoursystem.
This configuration file also specifies the Port the service should run on.If you intend to run on a non-default port, adjust it now.
Start SSHD: Now, start the Phabricator sshd:
If you did everything correctly, you should be able to run this command:
..and get a response like this:
If you get an authentication error, make sure you added your public key inSettings → SSH Public Keys. If you're having trouble, check thetroubleshooting section below.
Authentication Over SSH
To authenticate over SSH, users should add their public keys underSettings → SSH Public Keys.
Cloning a Repository
If you've already set up a hosted repository, you can try cloning it now. Todo this, browse to the repository's main screen in Diffusion. You should seeclone commands at the top of the page.
To clone the repository, just run the appropriate command.
If you don't see the commands or running them doesn't work, see below for tipson troubleshooting.
Some general tips for troubleshooting problems with HTTP:
- Make sure diffusion.allow-http-auth is enabled in your Phabricator config.
- Make sure HTTP serving is enabled for the repository you're trying to clone. You can find this in Edit Repository → Hosting.
- Make sure you've configured a VCS password. This is separate from your main account password. You can configure this in Settings → VCS Password.
- Make sure the main repository screen in Diffusion shows a clone/checkout command for HTTP. If it doesn't, something above isn't set up correctly: double-check your configuration. You should see a svn checkout http://.., git clone http://.. or hg clone http://.. command. Run that command verbatim to clone the repository.
If you're using Git, using GIT_CURL_VERBOSE may help assess login failures.To do so, specify it on the command line before the git clone command, likethis:
This will make git print out a lot more information. Particularly, the linewith the HTTP response is likely to be useful:
In many cases, this can give you more information about what's wrong.
Some general tips for troubleshooting problems with SSH:
- Check that you've configured diffusion.ssh-user.
- Check that you've configured phd.user.
- Make sure SSH serving is enabled for the repository you're trying to clone. You can change this setting from a main repository screen in Diffusion by Edit Repository → Edit Hosting → Host Repository on Phabricator → Save and Continue → SSH Read Only or Read/Write → Save Changes.
- Make sure you've added an SSH public key to your account. You can do this in Settings → SSH Public Keys.
- Make sure the main repository screen in Diffusion shows a clone/checkout command for SSH. If it doesn't, something above isn't set up correctly. You should see an svn checkout svn+ssh://.., git clone ssh://.. or hg clone ssh://.. command. Run that command verbatim to clone the repository.
- Check your phabricator-ssh-hook.sh file for proper settings.
- Check your sshd_config.phabricator file for proper settings.
To troubleshoot SSH setup: connect to the server with ssh, without running acommand. You may need to use the -T flag, and will need to use -p if youare running on a nonstandard port. You should see a message like this one:
If you see this message, all your SSH stuff is configured correctly. If youget a login shell instead, you've missed some major setup step: review thedocumentation above. If you get some other sort of error, double check thesesettings:
- You're connecting as the vcs-user.
- The vcs-user has NP in /etc/shadow.
- The vcs-user has /bin/sh or some other valid shell in /etc/passwd.
- Your SSH private key is correct, and you've added the corresponding public key to Phabricator in the Settings panel.
If you can get this far, but can't execute VCS commands like git clone, thereis probably an issue with your sudoers configuration. Check:
- Your sudoers file is set up as instructed above.
- You've commented out Defaults requiretty in sudoers.
- You don't have multiple copies of the VCS binaries (like git-upload-pack) on your system. You may have granted sudo access to one, while the VCS user is trying to run a different one.
- You've configured phd.user.
- The phd.user has read and write access to the repositories.
It may also be helpful to run sshd in debug mode:
This will run it in the foreground and emit a large amount of debugginginformation when you connect to it.
Finally, you can usually test that sudoers is configured correctly bydoing something like this:
That will try to run the binary via sudo in a manner similar to the way thatPhabricator will run it. This can give you better error messages about issueswith sudoers configuration.
- If you're getting an error about svnlook not being found, add the path where svnlook is located to the Phabricator configuration environment.append-paths (even if it already appears in PATH). This issue is caused by SVN wiping the environment (including PATH) when invoking commit hooks.
Moving the sshd Port
If you want to move the standard (administrative) sshd to a different port tomake Phabricator repository URIs cleaner, this section has some tips.
This is optional, and it is normally easier to do this by putting a loadbalancer in front of Phabricator and having it accept TCP traffic on port 22and forward it to some other port.
When moving sshd, be careful when editing the configuration. If you get itwrong, you may lock yourself out of the machine. Restarting sshd generallywill not interrupt existing connections, but you should exercise caution. Twostrategies you can use to mitigate this risk are: smoke-test configuration bystarting a second sshd; and use a screen session which automaticallyrepairs configuration unless stopped.
To smoke-test a configuration, just start another sshd using the -f flag:
You can then connect and make sure the edited config file is valid beforereplacing your primary configuration file.
To automatically repair configuration, start a screen session with a commandlike this in it:
The specific command may vary for your system, but the general idea is to havethe machine automatically restore configuration after some period of time ifyou don't stop it. If you lock yourself out, this can fix things automatically.
Now that you're ready to edit your configuration, open up your sshd config(often /etc/ssh/sshd_config) and change the Port setting to some other port,like 222 (you can choose any port other than 22).
Very carefully, restart sshd. Verify that you can connect on the new port:
Now you can move the Phabricator sshd to port 22, then adjust the valuefor diffusion.ssh-port in your Phabricator configuration.
No Direct Pushes
Bitnami Phabricator Site Not Found
You may get an error about 'No Direct Pushes' when trying to push. This meansyou are pushing directly to the repository instead of pushing throughPhabricator. This is not supported: writes to hosted repositories must gothrough Phabricator so it can perform authentication, enforce permissions,write logs, proxy requests, apply rewriting, etc.
One way to do a direct push by mistake is to use a file:/// URI to interactwith the repository from the same machine. This is not supported. Instead, useone of the repository URIs provided in the web interface, even if you'reworking on the same machine.
Another way to do a direct push is to misconfigure SSH (or not configure it atall) so that none of the logic described above runs and you just connectnormally as a system user. In this case, the ssh test described above willfail (you'll get a command prompt when you connect, instead of the message youare supposed to get, as described above).
If you encounter this error: make sure you're using a remote URI given toyou by Diffusion in the web interface, then run through the troubleshootingsteps above carefully.
Sometimes users encounter this problem because they skip this whole documentassuming they don't need to configure anything. This will not work, and youMUST configure things as described above for hosted repositories to work.
The technical reason this error occurs is that the PHABRICATOR_USER variableis not defined in the environment when commit hooks run. This variable is setby Phabricator when a request passes through the authentication layer that thisdocument provides instructions for configuring. Its absence indicates that therequest did not pass through Phabricator.
Once hosted repositories are set up:
- learn about commit hooks with Diffusion User Guide: Commit Hooks.