Copyright 2016 Hewlett Packard Enterprise Development LP

This work is licensed under a Creative Commons Attribution 3.0
Unported License.


Much of this spec, including the puppet deployment, was implemented. However the Pholio host has been deprecated and removed as of July 2017 due to changing circumstances.

See also

Pholio Service Installation

The OpenStack UX team have determined that the Pholio application in the Phabricator suite best meets their needs and wish to have this service installed.

Problem Description

The OpenStack UX team are currently using Invision to provide feedback on mocks. The team have determined that Pholio best meets their needs and have decided that they are planning to move to Pholio in the near future.

Proposed Change

This spec only covers the deployment of the Pholio service. Data migration from Invision to Pholio will have to be considered and handled separately.

Conceptually, this is straight forward. We need to install a phabricator server and configure it to turn off the services we don’t want.

The puppet-phabricator repo is already imported into infra that is based on work from a POC. It needs to be fleshed out some. It does already contain the config in local.json.erb to turn off the features OpenStack does not want. Examples of features from phabricator that UX does not want to run are the Code Review tool Differential since we have gerrit, the Group Messaging tool Conpherence, because we have IRC, the code hosting tool Diffusion, since we already have the cgit farm, and the wiki tool, Phriction, since we have mediawiki.

For authentication, phabricator needs to be connected first to Launchpad. phabricator does not have openid support - but we can use libapache2-mod-auth-openid to provide OpenID authentication using Launchpad as the provider via REMOTE_USER info. There is a phabricator plugin that consumes REMOTE_USER, so we should use libapache2-mod-auth-openid for auth.

It is envisioned that authentication will be against OpenStackID although if that remains incompatible with Phabricator, Ubuntu Login will be used instead.


I’m currently unaware of what alternatives the UX team considered. It would be useful to have them listed here for future reference.



Primary assignee:


Gerrit Topic

Use Gerrit topic “pholio” for all patches related to this spec.

git-review -t pholio

Work Items

Write a puppet module that performs the following:

  • Installs required packages

  • Installs SSL certificates

  • Pulls Phabricator from github

  • Pulls Arcanist from github

  • Pulls libphutil from github

  • Pulls libphremoteuser from github

  • Enables libphremoteuser in Phabricator

  • Creates / copies across required configuration files

  • Initialises the database

  • Performs the Phabricator storage upgrade

  • Enables Apache2 modules (mod_rewrite, libapache2-mod-auth-openid)

  • Configures Phabricator for the OpenStack environment / UX team needs

  • Ensures services are running

Pre-installation, an infra-root will need to build pholio01.

Post installation, root will be required to make one user, I recommend the PTL, a Phabricator administrator. The syntax on pholio01, assuming the PTL is id 1, would be similar to this:

mysql> update phabricator_user.user set isAdmin = 1 where id = 1;


openstack-infra/puppet-phabricator openstack-infra/system-config


DNS Entries (A record) (CNAME to pholio01)


There is presently no documentation for this service, so it will need to be written.


There are no specific security-related concerns for a deployment of the Pholio service as we shouldn’t expect to host sensitive information on the server.


We’ll need functional testing for sure. We should probably consider a staging server that we can use to test new config changes.