src/docs/user/userguide/diffusion_hosting.diviner
@title Diffusion User Guide: Repository Hosting | @title Diffusion User Guide: Repository Hosting | ||||
@group userguide | @group userguide | ||||
Guide to configuring Phabricator repository hosting. | Guide to configuring Phorge repository hosting. | ||||
Overview | Overview | ||||
======== | ======== | ||||
Phabricator can host repositories and provide authenticated read and write | Phorge can host repositories and provide authenticated read and write | ||||
access to them over HTTP and SSH. This document describes how to configure | access to them over HTTP and SSH. This document describes how to configure | ||||
repository hosting. | repository hosting. | ||||
Understanding Supported Protocols | Understanding Supported Protocols | ||||
================================= | ================================= | ||||
Phabricator supports hosting over these protocols: | Phorge supports hosting over these protocols: | ||||
| VCS | SSH | HTTP | | | VCS | SSH | HTTP | | ||||
|-----|-----|------| | |-----|-----|------| | ||||
| Git | Supported | Supported | | | Git | Supported | Supported | | ||||
| Mercurial | Supported | Supported | | | Mercurial | Supported | Supported | | ||||
| Subversion | Supported | Not Supported | | | Subversion | Supported | Not Supported | | ||||
All supported protocols handle reads (pull/checkout/clone) and writes | All supported protocols handle reads (pull/checkout/clone) and writes | ||||
Show All 17 Lines | |||||
SSH is recommended unless you need anonymous access, or are not able to | SSH is recommended unless you need anonymous access, or are not able to | ||||
configure it for technical reasons. | configure it for technical reasons. | ||||
Creating System User Accounts | Creating System User Accounts | ||||
============================= | ============================= | ||||
Phabricator uses two system user accounts, plus a third account if you | Phorge uses two system user accounts, plus a third account if you | ||||
configure SSH access. This section will guide you through creating and | configure SSH access. This section will guide you through creating and | ||||
configuring them. These are system user accounts on the machine Phabricator | configuring them. These are system user accounts on the machine Phorge | ||||
runs on, not Phabricator user accounts. | runs on, not Phorge user accounts. | ||||
The system accounts Phabricator uses are: | The system accounts Phorge uses are: | ||||
- The user the webserver runs as. We'll call this `www-user`. | - The user the webserver runs as. We'll call this `www-user`. | ||||
- The user the daemons run as. We'll call this `daemon-user`. This | - The user the daemons run as. We'll call this `daemon-user`. This | ||||
user is the only user which will interact with the repositories directly. | user is the only user which will interact with the repositories directly. | ||||
Other accounts will `sudo` to this account in order to perform repository | Other accounts will `sudo` to this account in order to perform repository | ||||
operations. | operations. | ||||
- The user that humans will connect over SSH as. We'll call this `vcs-user`. | - The user that humans will connect over SSH as. We'll call this `vcs-user`. | ||||
If you do not plan to make repositories available over SSH, you do not need | If you do not plan to make repositories available over SSH, you do not need | ||||
to create or configure this user. | to create or configure this user. | ||||
To create these users: | To create these users: | ||||
- Create a `www-user` if one does not already exist. In most cases, this | - Create a `www-user` if one does not already exist. In most cases, this | ||||
user will already exist and you just need to identify which user it is. Run | user will already exist and you just need to identify which user it is. Run | ||||
your webserver as this user. | your webserver as this user. | ||||
- Create a `daemon-user` if one does not already exist (you can call this user | - Create a `daemon-user` if one does not already exist (you can call this user | ||||
whatever you want, or use an existing account). Below, you'll configure | whatever you want, or use an existing account). Below, you'll configure | ||||
the daemons to start as this user. | the daemons to start as this user. | ||||
- Create a `vcs-user` if one does not already exist and you plan to set up | - Create a `vcs-user` if one does not already exist and you plan to set up | ||||
SSH. When users clone repositories, they will use a URI like | SSH. When users clone repositories, they will use a URI like | ||||
`vcs-user@phabricator.yourcompany.com`, so common names for this user are | `vcs-user@phorge.yourcompany.com`, so common names for this user are | ||||
`git` or `hg`. | `git` or `hg`. | ||||
Continue below to configure these accounts. | Continue below to configure these accounts. | ||||
Configuring Phabricator | Configuring Phorge | ||||
======================= | ======================= | ||||
Now that you have created or identified these accounts, update the Phabricator | Now that you have created or identified these accounts, update the Phorge | ||||
configuration to specify them. | configuration to specify them. | ||||
First, set `phd.user` to the `daemon-user`: | First, set `phd.user` to the `daemon-user`: | ||||
``` | ``` | ||||
phabricator/ $ ./bin/config set phd.user daemon-user | phorge/ $ ./bin/config set phd.user daemon-user | ||||
``` | ``` | ||||
Restart the daemons to make sure this configuration works properly. They should | Restart the daemons to make sure this configuration works properly. They should | ||||
start as the correct user automatically. | start as the correct user automatically. | ||||
If you're using a `vcs-user` for SSH, you should also configure that: | If you're using a `vcs-user` for SSH, you should also configure that: | ||||
``` | ``` | ||||
phabricator/ $ ./bin/config set diffusion.ssh-user vcs-user | phorge/ $ ./bin/config set diffusion.ssh-user vcs-user | ||||
``` | ``` | ||||
Next, you'll set up `sudo` permissions so these users can interact with one | Next, you'll set up `sudo` permissions so these users can interact with one | ||||
another. | another. | ||||
Configuring Sudo | Configuring Sudo | ||||
================ | ================ | ||||
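Review bot: The underline beneath the renamed "Configuring Phorge" heading keeps the 23-character length that matched "Configuring Phabricator", while the other headings visible here have underlines exactly as long as their titles. Trimming it to 18 characters keeps the file's convention.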
▲ Show 20 Lines • Show All 100 Lines • ▼ Show 20 Lines | |||||
If you plan to serve repositories over authenticated HTTP, you need to set | If you plan to serve repositories over authenticated HTTP, you need to set | ||||
`diffusion.allow-http-auth` in Config. If you don't plan to serve repositories | `diffusion.allow-http-auth` in Config. If you don't plan to serve repositories | ||||
over HTTP (or plan to use only anonymous HTTP) you can leave this setting | over HTTP (or plan to use only anonymous HTTP) you can leave this setting | ||||
disabled. | disabled. | ||||
If you plan to use authenticated HTTP, you (and all other users) also need to | If you plan to use authenticated HTTP, you (and all other users) also need to | ||||
configure a VCS password for your account in {nav Settings > VCS Password}. | configure a VCS password for your account in {nav Settings > VCS Password}. | ||||
Your VCS password must be a different password than your main Phabricator | Your VCS password must be a different password than your main Phorge | ||||
password because VCS passwords are very easy to accidentally disclose. They are | password because VCS passwords are very easy to accidentally disclose. They are | ||||
often stored in plaintext in world-readable files, observable in `ps` output, | often stored in plaintext in world-readable files, observable in `ps` output, | ||||
and present in command output and logs. We strongly encourage you to use SSH | and present in command output and logs. We strongly encourage you to use SSH | ||||
instead of HTTP to authenticate access to repositories. | instead of HTTP to authenticate access to repositories. | ||||
Otherwise, if you've configured system accounts above, you're all set. No | Otherwise, if you've configured system accounts above, you're all set. No | ||||
additional server configuration is required to make HTTP work. You should now | additional server configuration is required to make HTTP work. You should now | ||||
be able to fetch and push repositories over HTTP. See "Cloning a Repository" | be able to fetch and push repositories over HTTP. See "Cloning a Repository" | ||||
below for more details. | below for more details. | ||||
If you're having trouble, see "Troubleshooting HTTP" below. | If you're having trouble, see "Troubleshooting HTTP" below. | ||||
Configuring SSH | Configuring SSH | ||||
=============== | =============== | ||||
SSH access requires some additional setup. You will configure and run a second, | SSH access requires some additional setup. You will configure and run a second, | ||||
restricted copy of `sshd` on the machine, on a different port from the standard | restricted copy of `sshd` on the machine, on a different port from the standard | ||||
`sshd`. This special copy of `sshd` will serve repository requests and provide | `sshd`. This special copy of `sshd` will serve repository requests and provide | ||||
other Phabricator SSH services. | other Phorge SSH services. | ||||
NOTE: The Phabricator `sshd` service **MUST** be 6.2 or newer, because | NOTE: The Phorge `sshd` service **MUST** be 6.2 or newer, because | ||||
Phabricator relies on the `AuthorizedKeysCommand` option. | Phorge relies on the `AuthorizedKeysCommand` option. | ||||
Before continuing, you must choose a strategy for which port each copy of | Before continuing, you must choose a strategy for which port each copy of | ||||
`sshd` will run on. The next section lays out various approaches. | `sshd` will run on. The next section lays out various approaches. | ||||
SSHD Port Assignment | SSHD Port Assignment | ||||
==================== | ==================== | ||||
Show All 19 Lines | |||||
and have it forward TCP traffic on port `22` to port `2222`. Then users can | and have it forward TCP traffic on port `22` to port `2222`. Then users can | ||||
clone from `ssh://git@host.com/` without an explicit port number and you don't | clone from `ssh://git@host.com/` without an explicit port number and you don't | ||||
need to do anything else. | need to do anything else. | ||||
This may be very easy to set up, particularly if you are hosted in AWS, and | This may be very easy to set up, particularly if you are hosted in AWS, and | ||||
is often the simplest and cleanest approach. | is often the simplest and cleanest approach. | ||||
**Swap Ports**: You can move the administrative `sshd` to a new port, then run | **Swap Ports**: You can move the administrative `sshd` to a new port, then run | ||||
Phabricator `sshd` on port 22. This is somewhat complicated and can be a bit | Phorge `sshd` on port 22. This is somewhat complicated and can be a bit | ||||
risky if you make a mistake. See "Moving the sshd Port" below for help. | risky if you make a mistake. See "Moving the sshd Port" below for help. | ||||
**Change Client Config**: You can run on a nonstandard port, but configure SSH | **Change Client Config**: You can run on a nonstandard port, but configure SSH | ||||
on the client side so that `ssh` automatically defaults to the correct port | on the client side so that `ssh` automatically defaults to the correct port | ||||
when connecting to the host. To do this, add a section like this to your | when connecting to the host. To do this, add a section like this to your | ||||
`~/.ssh/config`: | `~/.ssh/config`: | ||||
``` | ``` | ||||
Host phabricator.corporation.com | Host phorge.corporation.com | ||||
Port 2222 | Port 2222 | ||||
``` | ``` | ||||
(If you want, you can also add a default `User`.) | (If you want, you can also add a default `User`.) | ||||
Command line tools like `ssh`, `git` and `hg` will now default to port | Command line tools like `ssh`, `git` and `hg` will now default to port | ||||
`2222` when connecting to this host. | `2222` when connecting to this host. | ||||
A downside to this approach is that your users will each need to set up their | A downside to this approach is that your users will each need to set up their | ||||
`~/.ssh/config` files individually. | `~/.ssh/config` files individually. | ||||
This file also allows you to define short names for hosts using the `Host` and | This file also allows you to define short names for hosts using the `Host` and | ||||
`HostName` options. If you choose to do this, be aware that Phabricator uses | `HostName` options. If you choose to do this, be aware that Phorge uses | ||||
remote/clone URIs to figure out which repository it is operating in, but can | remote/clone URIs to figure out which repository it is operating in, but can | ||||
not resolve host aliases defined in your `ssh` config. If you create host | not resolve host aliases defined in your `ssh` config. If you create host | ||||
aliases they may break some features related to repository identification. | aliases they may break some features related to repository identification. | ||||
If you use this approach, you will also need to specify a port explicitly when | If you use this approach, you will also need to specify a port explicitly when | ||||
connecting to administrate the host. Any unit tests or other build automation | connecting to administrate the host. Any unit tests or other build automation | ||||
will also need to be configured or use explicit port numbers. | will also need to be configured or use explicit port numbers. | ||||
Show All 15 Lines | |||||
SSHD Setup | SSHD Setup | ||||
========== | ========== | ||||
Now that you've decided how you'll handle port assignment, you're ready to | Now that you've decided how you'll handle port assignment, you're ready to | ||||
continue `sshd` setup. | continue `sshd` setup. | ||||
If you plan to connect to a port other than `22`, you should set this port | If you plan to connect to a port other than `22`, you should set this port | ||||
as `diffusion.ssh-port` in your Phabricator config: | as `diffusion.ssh-port` in your Phorge config: | ||||
``` | ``` | ||||
$ ./bin/config set diffusion.ssh-port 2222 | $ ./bin/config set diffusion.ssh-port 2222 | ||||
``` | ``` | ||||
This port is not special, and you are free to choose a different port, provided | This port is not special, and you are free to choose a different port, provided | ||||
you make the appropriate configuration adjustment below. | you make the appropriate configuration adjustment below. | ||||
**Configure and Start Phabricator SSHD**: Now, you'll configure and start a | **Configure and Start Phorge SSHD**: Now, you'll configure and start a | ||||
copy of `sshd` which will serve Phabricator services, including repositories, | copy of `sshd` which will serve Phorge services, including repositories, | ||||
over SSH. | over SSH. | ||||
This instance will use a special locked-down configuration that uses | This instance will use a special locked-down configuration that uses | ||||
Phabricator to handle authentication and command execution. | Phorge to handle authentication and command execution. | ||||
There are three major steps: | There are three major steps: | ||||
- Create a `phabricator-ssh-hook.sh` file. | - Create a `phorge-ssh-hook.sh` file. | ||||
- Create a `sshd_phabricator` config file. | - Create a `sshd_phorge config file. | ||||
- Start a copy of `sshd` using the new configuration. | - Start a copy of `sshd` using the new configuration. | ||||
**Create `phabricator-ssh-hook.sh`**: Copy the template in | **Create `phorge-ssh-hook.sh`**: Copy the template in | ||||
`phabricator/resources/sshd/phabricator-ssh-hook.sh` to somewhere like | `phorge/resources/sshd/phorge-ssh-hook.sh` to somewhere like | ||||
chris: Should probably make a note elsewhere to rename the files in `resources/sshd/` so this doesn't… | |||||
Matthew: T15017
`/usr/libexec/phabricator-ssh-hook.sh` and edit it to have the correct | `/usr/libexec/phorge-ssh-hook.sh` and edit it to have the correct | ||||
settings. | settings. | ||||
Both the script itself **and** the parent directory the script resides in must | Both the script itself **and** the parent directory the script resides in must | ||||
be owned by `root`, and the script must have `755` permissions: | be owned by `root`, and the script must have `755` permissions: | ||||
``` | ``` | ||||
$ sudo chown root /path/to/somewhere/ | $ sudo chown root /path/to/somewhere/ | ||||
$ sudo chown root /path/to/somewhere/phabricator-ssh-hook.sh | $ sudo chown root /path/to/somewhere/phorge-ssh-hook.sh | ||||
$ sudo chmod 755 /path/to/somewhere/phabricator-ssh-hook.sh | $ sudo chmod 755 /path/to/somewhere/phorge-ssh-hook.sh | ||||
``` | ``` | ||||
If you don't do this, `sshd` will refuse to execute the hook. | If you don't do this, `sshd` will refuse to execute the hook. | ||||
**Create `sshd_config` for Phabricator**: Copy the template in | **Create `sshd_config` for Phorge**: Copy the template in | ||||
`phabricator/resources/sshd/sshd_config.phabricator.example` to somewhere like | `phorge/resources/sshd/sshd_config.phabricator.example` to somewhere like | ||||
`/etc/ssh/sshd_config.phabricator`. | `/etc/ssh/sshd_config.phorge`. | ||||
Open the file and edit the `AuthorizedKeysCommand`, | Open the file and edit the `AuthorizedKeysCommand`, | ||||
`AuthorizedKeysCommandUser`, and `AllowUsers` settings to be correct for your | `AuthorizedKeysCommandUser`, and `AllowUsers` settings to be correct for your | ||||
system. | system. | ||||
This configuration file also specifies the `Port` the service should run on. | This configuration file also specifies the `Port` the service should run on. | ||||
If you intend to run on a non-default port, adjust it now. | If you intend to run on a non-default port, adjust it now. | ||||
**Start SSHD**: Now, start the Phabricator `sshd`: | **Start SSHD**: Now, start the Phorge `sshd`: | ||||
sudo /path/to/sshd -f /path/to/sshd_config.phabricator | sudo /path/to/sshd -f /path/to/sshd_config.phorge | ||||
If you did everything correctly, you should be able to run this command: | If you did everything correctly, you should be able to run this command: | ||||
``` | ``` | ||||
$ echo {} | ssh vcs-user@phabricator.yourcompany.com conduit conduit.ping | $ echo {} | ssh vcs-user@phorge.yourcompany.com conduit conduit.ping | ||||
``` | ``` | ||||
...and get a response like this: | ...and get a response like this: | ||||
```lang=json | ```lang=json | ||||
{"result":"phabricator.yourcompany.com","error_code":null,"error_info":null} | {"result":"phorge.yourcompany.com","error_code":null,"error_info":null} | ||||
``` | ``` | ||||
If you get an authentication error, make sure you added your public key in | If you get an authentication error, make sure you added your public key in | ||||
{nav Settings > SSH Public Keys}. If you're having trouble, check the | {nav Settings > SSH Public Keys}. If you're having trouble, check the | ||||
troubleshooting section below. | troubleshooting section below. | ||||
Authentication Over SSH | Authentication Over SSH | ||||
======================= | ======================= | ||||
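Review bot: In the three-step list, the new side reads "Create a `sshd_phorge config file." with the closing backtick dropped, which leaves the inline code span unterminated, and the name differs from the `sshd_config.phorge` used in the "Create `sshd_config` for Phorge" paragraph and in the `sshd -f` command. Suggest "Create a `sshd_config.phorge` config file." The template paths are also renamed unevenly: the hook template becomes `phorge/resources/sshd/phorge-ssh-hook.sh` while the config template stays `sshd_config.phabricator.example`, so one of the two paths will not match the files in `resources/sshd/` unless they are renamed in the same change.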
Show All 15 Lines | |||||
on troubleshooting. | on troubleshooting. | ||||
Troubleshooting HTTP | Troubleshooting HTTP | ||||
==================== | ==================== | ||||
Some general tips for troubleshooting problems with HTTP: | Some general tips for troubleshooting problems with HTTP: | ||||
- Make sure `diffusion.allow-http-auth` is enabled in your Phabricator config. | - Make sure `diffusion.allow-http-auth` is enabled in your Phorge config. | ||||
- Make sure HTTP serving is enabled for the repository you're trying to | - Make sure HTTP serving is enabled for the repository you're trying to | ||||
clone. You can find this in {nav Edit Repository > Hosting}. | clone. You can find this in {nav Edit Repository > Hosting}. | ||||
- Make sure you've configured a VCS password. This is separate from your main | - Make sure you've configured a VCS password. This is separate from your main | ||||
account password. You can configure this in {nav Settings > VCS Password}. | account password. You can configure this in {nav Settings > VCS Password}. | ||||
- Make sure the main repository screen in Diffusion shows a clone/checkout | - Make sure the main repository screen in Diffusion shows a clone/checkout | ||||
command for HTTP. If it doesn't, something above isn't set up correctly: | command for HTTP. If it doesn't, something above isn't set up correctly: | ||||
double-check your configuration. You should see a `svn checkout http://...`, | double-check your configuration. You should see a `svn checkout http://...`, | ||||
`git clone http://...` or `hg clone http://...` command. Run that command | `git clone http://...` or `hg clone http://...` command. Run that command | ||||
Show All 29 Lines | - Make sure SSH serving is enabled for the repository you're trying to clone. | ||||
Save Changes}. | Save Changes}. | ||||
- Make sure you've added an SSH public key to your account. You can do this | - Make sure you've added an SSH public key to your account. You can do this | ||||
in {nav Settings > SSH Public Keys}. | in {nav Settings > SSH Public Keys}. | ||||
- Make sure the main repository screen in Diffusion shows a clone/checkout | - Make sure the main repository screen in Diffusion shows a clone/checkout | ||||
command for SSH. If it doesn't, something above isn't set up correctly. | command for SSH. If it doesn't, something above isn't set up correctly. | ||||
You should see an `svn checkout svn+ssh://...`, `git clone ssh://...` or | You should see an `svn checkout svn+ssh://...`, `git clone ssh://...` or | ||||
`hg clone ssh://...` command. Run that command verbatim to clone the | `hg clone ssh://...` command. Run that command verbatim to clone the | ||||
repository. | repository. | ||||
- Check your `phabricator-ssh-hook.sh` file for proper settings. | - Check your `phorge-ssh-hook.sh` file for proper settings. | ||||
- Check your `sshd_config.phabricator` file for proper settings. | - Check your `sshd_config.phorge` file for proper settings. | ||||
To troubleshoot SSH setup: connect to the server with `ssh`, without running a | To troubleshoot SSH setup: connect to the server with `ssh`, without running a | ||||
command. You may need to use the `-T` flag, and will need to use `-p` if you | command. You may need to use the `-T` flag, and will need to use `-p` if you | ||||
are running on a nonstandard port. You should see a message like this one: | are running on a nonstandard port. You should see a message like this one: | ||||
$ ssh -T -p 2222 vcs-user@phabricator.yourcompany.com | $ ssh -T -p 2222 vcs-user@phorge.yourcompany.com | ||||
phabricator-ssh-exec: Welcome to Phabricator. | phorge-ssh-exec: Welcome to Phorge. | ||||
You are logged in as alincoln. | You are logged in as alincoln. | ||||
You haven't specified a command to run. This means you're requesting an | You haven't specified a command to run. This means you're requesting an | ||||
interactive shell, but Phabricator does not provide an interactive shell over | interactive shell, but Phorge does not provide an interactive shell over | ||||
SSH. | SSH. | ||||
Usually, you should run a command like `git clone` or `hg push` rather than | Usually, you should run a command like `git clone` or `hg push` rather than | ||||
connecting directly with SSH. | connecting directly with SSH. | ||||
Supported commands are: conduit, git-receive-pack, git-upload-pack, hg, | Supported commands are: conduit, git-receive-pack, git-upload-pack, hg, | ||||
svnserve. | svnserve. | ||||
If you see this message, all your SSH stuff is configured correctly. **If you | If you see this message, all your SSH stuff is configured correctly. **If you | ||||
get a login shell instead, you've missed some major setup step: review the | get a login shell instead, you've missed some major setup step: review the | ||||
documentation above.** If you get some other sort of error, double check these | documentation above.** If you get some other sort of error, double check these | ||||
settings: | settings: | ||||
- You're connecting as the `vcs-user`. | - You're connecting as the `vcs-user`. | ||||
- The `vcs-user` has `NP` in `/etc/shadow`. | - The `vcs-user` has `NP` in `/etc/shadow`. | ||||
- The `vcs-user` has `/bin/sh` or some other valid shell in `/etc/passwd`. | - The `vcs-user` has `/bin/sh` or some other valid shell in `/etc/passwd`. | ||||
- Your SSH private key is correct, and you've added the corresponding | - Your SSH private key is correct, and you've added the corresponding | ||||
public key to Phabricator in the Settings panel. | public key to Phorge in the Settings panel. | ||||
If you can get this far, but can't execute VCS commands like `git clone`, there | If you can get this far, but can't execute VCS commands like `git clone`, there | ||||
is probably an issue with your `sudoers` configuration. Check: | is probably an issue with your `sudoers` configuration. Check: | ||||
- Your `sudoers` file is set up as instructed above. | - Your `sudoers` file is set up as instructed above. | ||||
- You've commented out `Defaults requiretty` in `sudoers`. | - You've commented out `Defaults requiretty` in `sudoers`. | ||||
- You don't have multiple copies of the VCS binaries (like `git-upload-pack`) | - You don't have multiple copies of the VCS binaries (like `git-upload-pack`) | ||||
on your system. You may have granted sudo access to one, while the VCS user | on your system. You may have granted sudo access to one, while the VCS user | ||||
is trying to run a different one. | is trying to run a different one. | ||||
- You've configured `phd.user`. | - You've configured `phd.user`. | ||||
- The `phd.user` has read and write access to the repositories. | - The `phd.user` has read and write access to the repositories. | ||||
It may also be helpful to run `sshd` in debug mode: | It may also be helpful to run `sshd` in debug mode: | ||||
$ /path/to/sshd -d -d -d -f /path/to/sshd_config.phabricator | $ /path/to/sshd -d -d -d -f /path/to/sshd_config.phorge | ||||
This will run it in the foreground and emit a large amount of debugging | This will run it in the foreground and emit a large amount of debugging | ||||
information when you connect to it. | information when you connect to it. | ||||
Finally, you can usually test that `sudoers` is configured correctly by | Finally, you can usually test that `sudoers` is configured correctly by | ||||
doing something like this: | doing something like this: | ||||
$ su vcs-user | $ su vcs-user | ||||
$ sudo -E -n -u daemon-user -- /path/to/some/vcs-binary --help | $ sudo -E -n -u daemon-user -- /path/to/some/vcs-binary --help | ||||
That will try to run the binary via `sudo` in a manner similar to the way that | That will try to run the binary via `sudo` in a manner similar to the way that | ||||
Phabricator will run it. This can give you better error messages about issues | Phorge will run it. This can give you better error messages about issues | ||||
with `sudoers` configuration. | with `sudoers` configuration. | ||||
Miscellaneous Troubleshooting | Miscellaneous Troubleshooting | ||||
============================= | ============================= | ||||
- If you're getting an error about `svnlook` not being found, add the path | - If you're getting an error about `svnlook` not being found, add the path | ||||
where `svnlook` is located to the Phabricator configuration | where `svnlook` is located to the Phorge configuration | ||||
`environment.append-paths` (even if it already appears in PATH). This issue | `environment.append-paths` (even if it already appears in PATH). This issue | ||||
is caused by SVN wiping the environment (including PATH) when invoking | is caused by SVN wiping the environment (including PATH) when invoking | ||||
commit hooks. | commit hooks. | ||||
Moving the sshd Port | Moving the sshd Port | ||||
==================== | ==================== | ||||
If you want to move the standard (administrative) `sshd` to a different port to | If you want to move the standard (administrative) `sshd` to a different port to | ||||
make Phabricator repository URIs cleaner, this section has some tips. | make Phorge repository URIs cleaner, this section has some tips. | ||||
This is optional, and it is normally easier to do this by putting a load | This is optional, and it is normally easier to do this by putting a load | ||||
balancer in front of Phabricator and having it accept TCP traffic on port 22 | balancer in front of Phorge and having it accept TCP traffic on port 22 | ||||
and forward it to some other port. | and forward it to some other port. | ||||
When moving `sshd`, be careful when editing the configuration. If you get it | When moving `sshd`, be careful when editing the configuration. If you get it | ||||
wrong, you may lock yourself out of the machine. Restarting `sshd` generally | wrong, you may lock yourself out of the machine. Restarting `sshd` generally | ||||
will not interrupt existing connections, but you should exercise caution. Two | will not interrupt existing connections, but you should exercise caution. Two | ||||
strategies you can use to mitigate this risk are: smoke-test configuration by | strategies you can use to mitigate this risk are: smoke-test configuration by | ||||
starting a second `sshd`; and use a `screen` session which automatically | starting a second `sshd`; and use a `screen` session which automatically | ||||
repairs configuration unless stopped. | repairs configuration unless stopped. | ||||
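Review bot: The sample session under "To troubleshoot SSH setup" is quoted program output, and the new side changes its first line to `phorge-ssh-exec: Welcome to Phorge.` Readers are told to compare what they see against this message, so that line should change only if the script name and its greeting are renamed in the same change; otherwise keep the output as the program prints it and rename only the hostname in the `ssh` command above it.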
Show All 19 Lines | |||||
like `222` (you can choose any port other than 22). | like `222` (you can choose any port other than 22). | ||||
Port 222 | Port 222 | ||||
Very carefully, restart `sshd`. Verify that you can connect on the new port: | Very carefully, restart `sshd`. Verify that you can connect on the new port: | ||||
ssh -p 222 ... | ssh -p 222 ... | ||||
Now you can move the Phabricator `sshd` to port 22, then adjust the value | Now you can move the Phorge `sshd` to port 22, then adjust the value | ||||
for `diffusion.ssh-port` in your Phabricator configuration. | for `diffusion.ssh-port` in your Phorge configuration. | ||||
No Direct Pushes | No Direct Pushes | ||||
================ | ================ | ||||
You may get an error about "No Direct Pushes" when trying to push. This means | You may get an error about "No Direct Pushes" when trying to push. This means | ||||
you are pushing directly to the repository instead of pushing through | you are pushing directly to the repository instead of pushing through | ||||
Phabricator. This is not supported: writes to hosted repositories must go | Phorge. This is not supported: writes to hosted repositories must go | ||||
through Phabricator so it can perform authentication, enforce permissions, | through Phorge so it can perform authentication, enforce permissions, | ||||
write logs, proxy requests, apply rewriting, etc. | write logs, proxy requests, apply rewriting, etc. | ||||
One way to do a direct push by mistake is to use a `file:///` URI to interact | One way to do a direct push by mistake is to use a `file:///` URI to interact | ||||
with the repository from the same machine. This is not supported. Instead, use | with the repository from the same machine. This is not supported. Instead, use | ||||
one of the repository URIs provided in the web interface, even if you're | one of the repository URIs provided in the web interface, even if you're | ||||
working on the same machine. | working on the same machine. | ||||
Another way to do a direct push is to misconfigure SSH (or not configure it at | Another way to do a direct push is to misconfigure SSH (or not configure it at | ||||
all) so that none of the logic described above runs and you just connect | all) so that none of the logic described above runs and you just connect | ||||
normally as a system user. In this case, the `ssh` test described above will | normally as a system user. In this case, the `ssh` test described above will | ||||
fail (you'll get a command prompt when you connect, instead of the message you | fail (you'll get a command prompt when you connect, instead of the message you | ||||
are supposed to get, as described above). | are supposed to get, as described above). | ||||
If you encounter this error: make sure you're using a remote URI given to | If you encounter this error: make sure you're using a remote URI given to | ||||
you by Diffusion in the web interface, then run through the troubleshooting | you by Diffusion in the web interface, then run through the troubleshooting | ||||
steps above carefully. | steps above carefully. | ||||
Sometimes users encounter this problem because they skip this whole document | Sometimes users encounter this problem because they skip this whole document | ||||
assuming they don't need to configure anything. This will not work, and you | assuming they don't need to configure anything. This will not work, and you | ||||
MUST configure things as described above for hosted repositories to work. | MUST configure things as described above for hosted repositories to work. | ||||
The technical reason this error occurs is that the `PHABRICATOR_USER` variable | The technical reason this error occurs is that the `PHABRICATOR_USER` variable | ||||
is not defined in the environment when commit hooks run. This variable is set | is not defined in the environment when commit hooks run. This variable is set | ||||
by Phabricator when a request passes through the authentication layer that this | by Phorge when a request passes through the authentication layer that this | ||||
document provides instructions for configuring. Its absence indicates that the | document provides instructions for configuring. Its absence indicates that the | ||||
request did not pass through Phabricator. | request did not pass through Phorge. | ||||
Next Steps | Next Steps | ||||
========== | ========== | ||||
Once hosted repositories are set up: | Once hosted repositories are set up: | ||||
- learn about commit hooks with @{article:Diffusion User Guide: Commit Hooks}. | - learn about commit hooks with @{article:Diffusion User Guide: Commit Hooks}. |
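Review bot: In the last paragraph of "No Direct Pushes", `PHABRICATOR_USER` is unchanged on both sides while the next sentence now says the variable is set by Phorge. If the name is kept deliberately, a short parenthetical saying so would stop readers from assuming it was missed in the rename and searching for a renamed variable.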
Should probably make a note elsewhere to rename the files in resources/sshd/ so this doesn't get overlooked later