Install P4 Code Review on RHEL 8

  • We recommend that the latest stable release is used. At the time of this P4 Code Review release, the latest stable RHEL 8 release is 8.8.

  • P4 Code Review does not support P4 Servers that are configured to use P4AUTH. For more information, see Centralized authorization server (P4AUTH).

P4 Code Review can be connected to P4 Servers (P4D) and commit servers:

Do not connect P4 Code Review to P4 Broker, P4 Proxy, an edge server, forwarding replica, or read-only replica servers.

P4 Code Review does not support P4 Servers that are configured to use P4AUTH. For more information, see Centralized authorization server (P4AUTH).

Installing PHP on RHEL for P4 Code Review 2024.5 and later

P4 Code Review 2024.5 and later supports PHP 8.1, 8.2, or 8.3 . Depending on the PHP version available in your RHEL repositories, some adjustments may be required.

By default, RHEL has an older version of PHP (PHP 8.0, for example), unless you're using a Remi repository. If you're not using the Remi repository, you must manually install a supported version of PHP to meet the requirements for P4 Code Review 2024.5.

For example, install PHP 8.3 on RHEL:

  1. Enable epel repo:

    dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

  2. Enable remi repo:

    dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm

  3. Enable PHP 8.3 stream:

    dnf module enable php:remi-8.3 -y

  4. Install PHP 8.3:

    dnf module install -y php:remi-8.3

Installation

  • Review the runtime dependencies before you install P4 Code Review, see Runtime dependencies.

  • Review the PHP requirements before you upgrade P4 Code Review, see PHP.

  • Review the P4 Server requirements before you install P4 Code Review, see P4 Server requirements.
  • Before continuing with the P4 Code Review install process, you must register the RHEL system to Red Hat using the Subscription Manager client.

  1. Configure the Perforce package repository, on the server to host P4 Code Review and on the server hosting your P4 Server.

    If the server hosting your P4 Server cannot use packages, for example when it is running Windows, skip this step on that server.

    As root, create the file /etc/yum.repos.d/perforce.repo with the following content:

    [Perforce]
    name=Perforce
    baseurl=http://package.perforce.com/yum/rhel/8/x86_64/
    enabled=1
    gpgcheck=1

  2. Import the Perforce package signing key, on the server to host P4 Code Review and the server hosting your P4 Server.

    If the server hosting your P4 Server cannot use packages, for example when it is running Windows, skip this step on that server.

    Run the following command as root:

    rpm --import https://package.perforce.com/perforce.pubkey

    For information about how to verify the authenticity of the signing key, see Perforce Packages.

  3. Install the main P4 Code Review package on the server to host P4 Code Review (run these commands as root):

    1. Deploy the epel-release-latest-8.noarch.rpm repository configuration package to give P4 Code Review access to EPEL packages:

      2. dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

    2. Deploy the Remi repository configuration package to give P4 Code Review access to PHP 8.x (only required the first time you upgrade to PHP 8.x):

      3. dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

      If you don't deploy the Remi repository, you will see dependency errors when you do the next steps.

    3. Install the yum-utils package to give access to the yum-config-manager command:

      4. dnf install yum-utils

    4. Install the Default/Single version of PHP:
      1. Enable the module stream for PHP 8.2:

        2. dnf module reset php

      2. Install PHP 8.2:

        3. dnf module install php:remi-8.2

      3. Run an upgrade for PHP:

        4. dnf update

    5. Install P4 Code Review and accept the prompts to import the GPG keys for Remi and EPEL when requested:

      6. yum install helix-swarm

      When the P4 Code Review installation has completed, you are prompted to run the configure-swarm.sh post-installation script.

      Do not run this script until you have completed the rest of these Installation instructions. Instructions for running the configure-swarm.sh post-installation script are in the Post-Installation configuration section referenced in the final step of the Installation instructions.

      The firewall configuration may need to be adjusted to allow access to the web server.

      sudo firewall-cmd --permanent --add-service=http
      sudo systemctl reload firewalld

      If you subsequently wish to enable HTTPS, run (as root):

      sudo firewall-cmd --permanent --add-service=https
      sudo systemctl reload firewalld

  4. P4 Code Review needs to know about some P4 Server events to operate correctly. Use P4 Server Extensions (recommended) or P4 Server Triggers to notify P4 Code Review about these events. The P4 Server extension can be installed automatically by the P4 Code Review configure-swarm.sh post-installation script, but Triggers must be manually installed. To use P4 Server Extensions, ignore this step and skip to the next step.

    Trigger installation only (not recommended): Install the P4 Code Review triggers package on the server hosting your P4 Server. This might be the server hosting P4 Code Review or elsewhere on your network.

    • If the server hosting your P4 Server cannot use packages, for example when it is running Windows, you need to copy the appropriate P4 Code Review trigger script from /opt/perforce/swarm/p4-bin/scripts to the server hosting your P4 Server. The swarm-trigger.pl is for both Linux and Windows systems. Once copied, the trigger script needs to be configured. See Installing triggers for details.

    • The package installs a config file at /opt/perforce/etc/swarm-trigger.conf that you will need to modify. See Installing triggers for more details on configuring that file.

    Install the P4 Code Review triggers package on the server hosting your P4 Server (run this command as root):

    yum install helix-swarm-triggers

  5. Optional: Install the P4 Code Review optional package, on the server hosting P4 Code Review.

    While not required, installing this package installs the dependencies required to use the ImageMagick and LibreOffice P4 Code Review modules. These modules provide previews of a variety of image and office documents. Run this command as root:

    yum install helix-swarm-optional

  6. Make your P4 Code Review installation more secure by applying recommendations related to HTTP and P4 Code Review implementation through security groups. See Secure your P4 Code Review installation .

  7. Complete the Post-installation configuration steps.

Secure your P4 Code Review installation

To make your P4 Code Review installation more secure apply the following recommendations for HTTP and P4 Code Review implementation through security groups.

HTTP

Here is a list of best practices to use when port 80 is exposed for HTTP traffic:

  • Redirect to HTTPS: If Port 80 needs to be open to support legacy systems or specific use cases, ensure that all HTTP traffic is redirected to HTTPS to encrypt data in transit.

  • Use HSTS (HTTP Strict Transport Security) headers: Implement HSTS headers to force browsers only to use secure HTTPS connections when interacting with your server.

  • Close port 80: If there is no requirement to use HTTP, Port 80 must be closed entirely to prevent any unencrypted data transmission.

  • Implement SSL/TLS (secure sockets layer and transport layer security) certificates: Ensure that your server is configured with a valid SSL/TLS certificate to enable secure HTTPS connections.

  • Firewall configuration: Configure firewalls to block or filter access to Port 80, particularly from untrusted networks.

  • Continuous monitoring and auditing: Regularly monitor network traffic and audit server configurations to ensure that unnecessary ports are not exposed and that data is transmitted securely.

When you implement HTTPS, you must make the following changes:

  1. Modify your cron job for the P4 Code Review workers.

    Edit the cron configuration file to point to your HTTPS URL, for example, https://HOSTNAME/. For more information about how to edit the cron configuration file, see Set up a recurring task to spawn workers.

    To verify if the cron configuration file points to your HTTPS URL, run the following curl statement:

    curl https://myswarm.host/queue/worker

  2. Modify the P4 Code Review Extension or Trigger configuration.

    If you are using the P4 Code Review extension run the following command and change ExtConfig’s P4 Code Review URL to be your new HTTPS URL:

    p4 extension --configure Perforce:helix-swarm

    If you are using triggers, edit swarm-trigger.pl configuration file and set your SWARM_HOST to be https.

  3. Edit the external_url in the SWARM_ROOT/data/config.php file’s environment block to point to your HTTPS URL. This URL is used in emails, Jira links, and P4 Code Review test’s pass-and-fail outgoing URL parameters.

    If you make a configuration change, P4 Code Review will not use it until the configuration cache has been reloaded, this forces P4 Code Review to use the new configuration.

    You must be an admin or super user to reload the P4 Code Review config cache. Navigate to the User id dropdown menu, select System Information, click the Cache Info tab, and click the Reload Configuration button.

  4. Modify the P4 Server's P4.Swarm.URL property. For more information about P4 Server integration, see Client integration.

    If your Apache server is listening on both HTTPS and HTTP in perforce-swarm-site.conf file, you must set the auto_register_urlconfigurable in the p4 block to false and correctly configure the P4.Swarm.URL property .

    If your Apache server is listening only on HTTPS and if the auto_register_urlconfigurable in the p4 block is set to true (default value), an Apache restart will correct the property.

    To get all your current values for P4.Swarm.URL property, run:

    p4 -Ztag property -A -l -n P4.Swarm.URL

    Ensure that the P4.Swarm.URL property points to your HTTPS URL.

  5. Modify the URL of all applications. Any other applications that reference the URL should be switched to using the HTTPS URL.

P4 Code Review implementation through security groups

Here is a list of best practices for implementation using security groups or the user's preferred setup:

  • Use a trusted proxy: Ensure to only use a trusted proxy, such as allow lists, Content Delivery Networks (CDN), and API Gateways.

  • Backend servers and other proxies or load balancers should be disabled: Ensure that direct access to backend servers and other proxies or load balancers is disabled, except through the trusted proxy mentioned above. This will prevent unauthorized access while ensuring that all requests are filtered through the trusted proxy.

  • Continuous monitoring and logging of the X-Forwarded-For header: Implement monitoring and logging on the X-Forwarded-For header to track and identify any suspicious activities. This can help in identifying and preventing potential malicious activity or security threats.

  • Use a secure protocol: Implement a secure protocol such as HTTPS to encrypt the communications between the client and the load balancers, and between the load balancer and backend server to prevent eavesdropping or tampering with the X-Forwarded-For header.

  • Configure X-Forwarded-For header: Configure the processing mode of the X-Forwarded-For header (append, preserve, or remove) based on specific technical or security requirements.