A completely containerized Phabricator. All persistent data — files, databases,
and repositories — is stored in /var/lib/phabricator, making it a good Docker
volume candidate.
Meant for testing purposes only. Use at your own risk.
- Start the container.

  ```
  docker run \
    -d \
    --name miniphab \
    -p 80:80 \
    -e PORT=80 \
    -p 2222:22 \
    -e SSH_PORT=2222 \
    -v miniphab:/var/lib/phabricator \
    awkspace/miniphab
  ```

- Navigate to http://phabricator.localhost/.
- Register an admin account.
- Configure an authentication provider.
- (Optional) Rerun the container with -e LOCK_AUTH=1 to prevent further changes to authentication.

| Name | Default | Description |
|---|---|---|
| VCS_USER | git | The user account for working with VCS over SSH. |

| Name | Default | Description |
|---|---|---|
| SCHEME | http | The user-facing protocol (http or https). |
| DOMAIN | phabricator.localhost | The domain to use. Phabricator insists it have a dot. |
| CDN_DOMAIN | usercontent.localhost | A separate domain for uploaded content. Phabricator insists on making this separate. |
| PORT | 80 | The exposed port that Phabricator runs on. |
| SSH_PORT | 22 | The exposed port that Diffusion’s SSH server runs on. |
| LOCK_AUTH | 0 | Once auth is configured, set to 1 to prevent changes. |
| TZ | Etc/UTC | Set to the PHP timezone of your choice. |

Phabricator requires a lot of things running to operate correctly. Some could
probably be separated out via docker-compose (mysqld, nginx) while others
need to be running on the same host (sshd) for all of Phabricator’s features
to work.
miniphab takes the simpler approach by jamming everything into a single image,
glued together by s6.
A MariaDB installation. Writes to /var/lib/phabricator/db and is available
without authentication at /run/mysqld/mysqld.sock. Signals readiness to s6
once the MariaDB client is able to successfully connect. Runs as mysql.
Phabricator likes to send email. A lot. So much so that it won’t consider itself
fully set up until it can happily spam away. The easiest way to get this running
out-of-the-box without requiring additional configuration is to use postfix to
provide sendmail, so miniphab comes with its own email server. Note that if
you’re running miniphab on a residential connection, Phabricator probably won’t
be able to send mail anyway since most ISPs block port 25. Works just fine on a
cloud server, though.
Runs as postfix.
A workaround for a ridiculous Docker issue that prevents
unprivileged services from logging to /dev/stderr. It’s also the only script
not written in pure execline because I couldn’t wrap my head
around chaining redirfd here.
logpipe creates a named pipe at /run/logpipe that allows unprivileged
services to log to standard error if they insist on logging to something that
looks like a file.
Runs as root because only root is powerful enough to log to standard streams
in the Dockerverse, apparently.
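
The named-pipe pattern described above, sketched in POSIX shell as an added example (this is not miniphab's own logpipe script). The function names, the 0622 mode, the temporary paths and the sample log lines are assumptions of this sketch; a file stands in for the container's standard error.

```shell
#!/bin/sh
# Added sketch of the named-pipe logging pattern; not miniphab's logpipe script.

# Create the FIFO. Mode 0622 (an assumption of this sketch): the owner reads,
# any service may write, and no unprivileged service can read another's logs.
logpipe_create() {
    pipe="$1"
    [ -p "$pipe" ] && return 0
    [ -e "$pipe" ] && { echo "refusing: $pipe exists and is not a FIFO" >&2; return 1; }
    mkfifo -m 0622 "$pipe"
}

# Copy everything written to the FIFO into the sink. cat sees EOF whenever the
# last writer closes, so reopen in a loop for as long as the FIFO exists.
# In a container the sink would be the privileged forwarder's own stderr.
logpipe_forward() {
    pipe="$1"; sink="$2"
    while [ -p "$pipe" ]; do
        cat "$pipe" >> "$sink"
    done
}

# Demo: two constructed log lines from "unprivileged services" reach the sink.
logpipe_demo() {
    dir=$(mktemp -d) || return 1
    pipe="$dir/logpipe"; sink="$dir/stderr.txt"
    logpipe_create "$pipe" || return 1
    logpipe_forward "$pipe" "$sink" &
    fwd=$!
    exec 3>"$pipe"      # blocks until the forwarder has opened the read end
    echo "php-fpm: constructed line 1" >&3
    echo "nginx: constructed line 2" >&3
    rm "$pipe"          # removed before closing, so the loop stops after EOF
    exec 3>&-
    wait "$fwd"
    cat "$sink"
    rm -rf "$dir"
}

logpipe_demo
```
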
The Phabricator notification system, which runs separately from
Phabricator itself, presumably because WebSockets are a helluva lot easier in
Node. Is necessary for Conpherence to like... work. At all. Runs
as nobody.
Not really a daemon per se, but an execline script configured to act as much
like a systemd oneshot as possible.
This script runs a bunch of stuff that has to wait for mysqld to be available,
but should get run before Phabricator starts in earnest. It runs the database
migrations, ensures the persistent data directories in /var/lib/phabricator
exist with the right permissions, and translates some of the container’s
environment variables into “runtime” configurations for Phabricator.
It also starts phd, the Phabricator daemon manager, but not in a supervised
manner. Turns out that phd does not want to be supervised, which
is of course a perfectly valid point of view, but it means that s6 has
exactly zero awareness of phd and can’t resurrect it if it dies.
It’s possible to run each daemon in debug mode, but Phabricator seems to have no
interest in providing a stable interface with its daemons outside of phd start, so the only viable option is to put our blind trust in a PHP daemon
runner.
The phd daemons run as their own user, phd. For Diffusion to
function properly, the VCS user (default git) and nobody have limited sudo
capabilities to run VCS-related commands as phd because that’s seriously how
Diffusion works.
The classic PHP FastCGI manager. Waits for /run/logpipe because it wants to
log to a file. Runs as nobody.
Used for SSH access to Diffusion repositories because, let’s be honest, SSH is the only way anyone wants to interact with git.
Generates host keys in /var/lib/phabricator/ssh to avoid having to modify
known_hosts every time you rebuild the image. Runs as root.
Defaults to down and is started by the setup “oneshot” to avoid Phabricator
doing anything crafty before the database is ready. Also logs to /run/logpipe.
Runs as nginx.
nginx is configured pretty much per Phabricator’s documentation and
includes websocket forwarding to avoid having to expose another
port.
Phabricator is opinionated in many ways, and one of those ways is that even administrators can’t set user passwords. Instead, all password handling is done via reset links. Phabricator is able to send these via email. If that isn’t an option, you can also generate them via the command line.
Unless you set up third-party authentication, chances are you’ll need to do this for your own account if you want to log in from anywhere else.

```
docker exec miniphab /phabricator/bin/auth recover <account>
```