Missing Information in Diffusion User Guide: Repo Hosting
Open, Needs TriagePublic

Description

As already mentioned in T5463 i had some problems providing git-access over ssh. I am new to Phabricator and its community so i'm not sure wether my findings are correct and if this is the preferred way to propagate them:

Issues

When trying to invoke ssh -T git@myinstall.com -vv i received the auth.log-entry

AuthorizedKeysCommand /usr/share/phabricator-ssh-hook.sh returned status 126

That was caused by the fact that the permissions of /srv/phacility were (with 750 root:phacility) too restrictive: the solutions was to widen the permissions to 755.

After that was solved i was able to pull and push repos, but after pushing i got the following error displayed in Diffusion:

Unable to Retrieve Paths: Command failed with error #128! COMMAND git ls-tree -z -l '37853835a8f96384dc0f7908e9d6ecae944f3dec':'' STDOUT (empty) STDERR fatal: failed to read object 37853835a8f96384dc0f7908e9d6ecae944f3dec: Permission denied

It turned out that the git-user (aka vcs-user) created files as phd:phd. In order to fix that i had to modify the sudoers-directive of git from git ALL=(phd) ... to git ALL=(phd:phacility) ..., adding the group explicitly.

Solutions

  1. Even if i really do not understand why All need to have rx-access to the phacility-folders, this might be worth a hint (it took me ~5 hours to assume that).
  2. The statement "We'll call this www-user. If you do not plan to make repositories available over HTTP, you do not need to perform any special configuration for this user." probably leaves out that this user must have access to the repos as well (and is invoking git-commands).
  3. The debug-command ssh -T dweller@secure.phabricator.com is confusing. If connecting with anything else then the vcs-user the ssh-hook should deny the connection immediately.

If there's anything else i could do - let me know!

My Road To Hell

  • Provide the users git, www-data and phd, pool them in the phacility group.
  • Pull Phabricator into /srv/phacility/phabricator, .../arcanist, .../libphutil.
  • Prepare /var/files to be owned by the phacility-group granting rw-access.
  • Apply the git/ssh-guide and do not activate repo-serving via Http.

Version Information

florianb created this task.Apr 25 2016, 2:19 PM

It turned out that the git-user (aka vcs-user) created files as phd:phd

I don't understand this -- git-user should never be creating files.

Specifically, no process should ever interact with working copies as any user except daemon-user (presumably, phd here) so the group should be irrelevant.

In particular, we do not configure any groups at all, which is why this is not mentioned in the documentation.

I don't know how to reproduce this error. I believe the sudo directive is unnecessary (we run a large number of production servers without it).

The debug-command ssh -T dweller@secure.phabricator.com is confusing. If connecting with anything else then the vcs-user the ssh-hook should deny the connection immediately.

I don't understand what's specifically confusing about this.

  • Are you confused that we suggest dweller instead of vcs-user?
  • Are you confused that this is a real command against a live server instead of an example command with a placeholder username/host?
  • Are you confused that secure.phabricator.com has different error behavior than your local install will have?

Oh, I think I have a handle on the first issue -- you can ignore my questions about that.

florianb added a comment.EditedApr 25 2016, 2:38 PM

Pheew.. thanks..

However, i wouldn't exclude that i misunderstood something about the moving parts of Phabricator.

I currently pressed the whole installation and update into a SaltStack-State so i think i'm able to correct any parameter of the configuration pretty fast.

In general, this configuration is a huge horrible mess but I'm having a hard time coming up with ways to really fix it that don't just tell you to run everything as root.

In particular, it's very difficult for us to verify steps and tell you what's wrong because if you make any mistake at all the symptom tends to be "nothing works" + "ssh emits a generic error message".

This is particularly an issue in the context of T10751, which makes this configuration even more complex.

We can just make this document 3x longer and exhaustively document every possible combination of user and group permissions (and e.g., include information about how SSH keys work to resolve T10602, since some users apparently don't find this obvious), but the chance that users will miss or misunderstand instructions (which they already do frequently) rises substantially.

One small simplification we could make is to have you grant sudo access to some wrapper script we control, but almost no one has trouble enumerating the big list of sudo binaries, and this would put a global (and nontrivial) performance penalty on every command we execute.

That is, we normally navigate complex configuration by verifying every step and just telling you what's wrong and how to fix it (e.g., moving all the MySQL, etc., configuration from documentation to automatic setup issues was a huge step forward), but there's basically no test we can perform on most of this chain.

I understand - i didn't wanted you to fix my configuration. I think as soon as i have some experience running phabricator in this setup i can try to help improving the setup, if even possible.

I just wanted you to know what i found out, you might think about taking something over into the documentation or not - i won't take it amiss.

I really appreciated how php- and mysql-setup-issues were treated. Offering something like that without root-permissions is pretty unlikely to achieve, i guess.

Thanks for your care though.

Just throwing my input in here:

For the Docker container that I run, we just have two users; git and nginx. nginx is used for the nginx process, but php-fpm (which actually runs the PHP code that writes files) runs as git, which is also the user that people authenticate as for SSH, and the user that daemons run as. Basically (apart from the Nginx level), it's one user for everything. We don't need to configure any sudo rules in this set up.

florianb added a comment.EditedApr 26 2016, 7:08 AM

Interesting, thanks. I just followed the "Diffusion User Guide" which states that the git user must have access to the repos as the phd-user.

I somehow ended up with the following access-rules:

locationaccessorpermissions
apps.rootwww-data, phd, all (1)r-x
repository.default-local-pathphd, www-data (2)rwx
storage.local-disk.pathphd, www-datarwx

apps.root) the main root containing /phabricator, /arcanist and /libphutil.
1) I was surprised that i had to grant read and execution permissions to all. I couldn't find out which user was effectively trying to access the apps.root (and since there's only Phabricator installed there are not many choices).
2) I understood the guide in the way that that only the phd-user will have to access the repos exclusively.

I wanted to keep the git user and the daemon-user separate, only allowing the two git-operations, since this user gets active on the system and has a login-shell. The sudo rule only allows git to invoke two dedicated commands as the phd-user, which is just more restrictive.