
Consolidate DevCentral Docker image
Open, High, Public

Description

Some components are missing from the nasqueron/phabricator image:

  • the ability to fetch code from a private repository for arcanist, libphutil and phabricator
  • the autoupdate mechanism to check if a production branch can be rebased against master
  • the SSH daemons

Currently, they're installed by hand. That prevents us from treating this container as an immutable, throwaway artifact.

The plan is to include them in nasqueron/phabricator, or to override them in a nasqueron/devcentral image.

Tasks to do

Hosting

To allow cloning repositories over SSH and interacting with them:

  1. Install the relevant packages: sudo openssh-server
  2. Provide an SSH configuration: P292; we can drop Port 5022, as it was only used when DevCentral was on Dwellers and other containers, or local machines, needed to interact with DevCentral
  3. Create a vcs user for SSH access: vcs:x:432:433:Phabricator VCS SSH access:/var/vcs:/bin/sh
  4. Give vcs permission to sudo as app for VCS commands only: vcs ALL=(app) SETENV: NOPASSWD: /usr/bin/git, /usr/bin/hg, /usr/bin/svnserve, /usr/bin/git-upload-pack, /usr/bin/git-receive-pack - could be saved as /etc/sudoers.d/phabricator-hosting
  5. Create a unit to launch SSH as /usr/sbin/sshd -f /etc/sudoers.d/phabricator-hosting
  6. Expose port 22

RUN apt-get update && \
    apt-get install -y --no-install-recommends sudo openssh-server && \
    # create the vcs user from step 3 (uid 432, gid 433, home /var/vcs, shell /bin/sh)
    groupadd --gid 433 vcs && \
    useradd --uid 432 --gid 433 --home-dir /var/vcs --create-home \
            --shell /bin/sh --comment "Phabricator VCS SSH access" vcs && \
    cd /opt/phabricator && \
    ./bin/config set phd.user app && \
    ./bin/config set diffusion.ssh-user vcs

EXPOSE 22

Event Timeline

dereckson triaged this task as High priority. Dec 6 2019, 07:51
dereckson created this task.

We need this, as the container still runs on Jessie and, as such, doesn't provide a recent enough Git version to be compatible with Phabricator.

The first step is to upgrade to the last 7.4 version and bump the OSes a little bit.

In D2520, @WebSpider prepared an upgrade to Debian Buster. That provides out of the box Git 2.20.1 (vs 2.1.4 for Jessie and 2.35.1 the last released Git version).

If we upgrade image to bullseye, we'll also get Git 2.30.2, but I've a 403 currently with current Dockerfile at D2522, so needs to investigate.

Works fine. The issue was that I let zsh autocorrect -v /tmp/wwwwroot:/var/wwwroot/default into -v /tmp/wwwwroot/var/wwwroot/default, without the :.

As a workaround, I've compiled Git to 2.35.1 inside DevCentral container.

Working on the php-fpm image update without seeing the source here is annoying enough.

Current state of SSH hosting

Service

We can probably run a devcentral_sshd_hosting container with the same image, the same repo folder and
/usr/sbin/sshd -f /etc/ssh/sshd_phabricator_hosting_config -D as command.

If we want to have it in the multi-services container, it runs like a charm through runit, without any need for the environment:

/etc/service/sshd-hosting/run
#!/bin/sh
exec /usr/sbin/sshd -f /etc/ssh/sshd_phabricator_hosting_config -D

SSH configuration

In both cases we need the SSHD configuration file:

/etc/ssh/sshd_phabricator_hosting_config
AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser nobody
AllowUsers vcs

Port 22
Port 5022
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PrintMotd no
PrintLastLog no
PasswordAuthentication no
AuthorizedKeysFile none

PidFile /var/run/sshd-phabricator.pid

It's a generic one, with the following notes:

  • listen on 5022 too, so if some tooling uses the container IP for "devcentral.nasqueron.org" in /etc/hosts, repository URLs will still work on a development/testing server
  • only the vcs@ user is allowed
  • keys are provided by a provider script (see below)

Keys provider
/opt/phabricator-ssh-hook.sh
#!/bin/sh

# Only vcs is allowed to use this script for :5022 (hosting);
# sshd passes the login name as the first argument (AuthorizedKeysCommand %u).
if [ "$1" != "vcs" ];
then
  exit 1
fi

# Hand the remaining arguments to Phabricator's key lookup, quoted so
# they reach it unsplit.
exec "/opt/phabricator/bin/ssh-auth" "$@"

Probably redundant with AllowUsers vcs in the configuration, but it still protects us if SSHD is misconfigured to allow login as any user.
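The sshd configuration and the hook above only hold the line while every hardening directive keeps its intended effective value, and sshd takes the first occurrence of a directive, so a permissive line that lands earlier in the file silently wins over the "no" further down. The script below is an added example written for this task, not part of the nasqueron images: it reads the effective value of each directive the way sshd does, reports deviations, and reproduces sshd's refusal of a group- or world-writable AuthorizedKeysCommand. The two embedded configs are a constructed copy of the one above and a constructed weakened variant; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the DevCentral task: audit a Phabricator hosting
# sshd configuration for the hardening directives the config above relies on,
# and check the AuthorizedKeysCommand script's file mode. sshd honours the
# FIRST occurrence of a directive, so the audit reads the effective value
# instead of grepping for the presence of a "no". Temp paths and the two
# sample configs are constructed for this demo.

# Effective value of a directive: first non-comment match, compared
# case-insensitively the way sshd does; prints everything after the keyword.
sshd_value() {
  awk -v key="$2" '
    /^[ \t]*(#|$)/ { next }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# Return 0 when every expected directive has its hardened effective value
# and keys are served by a command; print one line per deviation.
audit_sshd_config() {
  cfg="$1"; rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no \
              AllowAgentForwarding=no AllowTcpForwarding=no \
              AuthorizedKeysFile=none AllowUsers=vcs \
              AuthorizedKeysCommandUser=nobody; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$cfg" "$key")
    if [ "$got" != "$want" ]; then
      echo "$key: expected '$want', effective value '${got:-<unset>}'"
      rc=1
    fi
  done
  if [ -z "$(sshd_value "$cfg" AuthorizedKeysCommand)" ]; then
    echo "AuthorizedKeysCommand: unset, sshd would serve no keys at all"
    rc=1
  fi
  return $rc
}

# sshd refuses an AuthorizedKeysCommand that is group- or world-writable;
# this reproduces that check so it can run at image build time.
hook_mode_ok() {
  [ -f "$1" ] && [ -x "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ?????w*|????????w?) return 1 ;;
  esac
  return 0
}

# Constructed copy of the hosting configuration from this task.
write_hosting_config() {
  cat > "$1" <<'EOF'
AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser nobody
AllowUsers vcs
Port 22
Protocol 2
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PasswordAuthentication no
AuthorizedKeysFile none
EOF
}

# Constructed weakened variant: the permissive PermitRootLogin placed first
# wins over the "no" below it, and AllowUsers quietly grew a second account.
write_weakened_config() {
  cat > "$1" <<'EOF'
PermitRootLogin yes
AllowUsers vcs root
AuthorizedKeysCommand /opt/phabricator-ssh-hook.sh
AuthorizedKeysCommandUser nobody
PermitRootLogin no
AllowAgentForwarding no
AllowTcpForwarding no
PasswordAuthentication no
AuthorizedKeysFile none
EOF
}

# Stand-alone demo.
good=$(mktemp); weak=$(mktemp)
write_hosting_config "$good"; write_weakened_config "$weak"
echo "hardened config:"; audit_sshd_config "$good" && echo "  ok"
echo "weakened config:"; audit_sshd_config "$weak" || echo "  audit FAILED"
rm -f "$good" "$weak"
```

Run it once against /etc/ssh/sshd_phabricator_hosting_config in the image build and once more as a container health check; `sshd -t -f <config>` stays the syntax check, this covers the policy.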