OwnCloud

From SME Server
Revision as of 11:01, 26 February 2018 by Arnaud (talk | contribs) (php opcache)

Skill level: Medium
The instructions on this page require a basic knowledge of Linux.


Note:
OwnCloud has been forked by Nextcloud. It seems that the main developers left OwnCloud and moved over to Nextcloud as of June 2016. Please see their website for more info. Specific Nextcloud instructions will be on the Nextcloud wiki page.


About

  "OwnCloud ( http://owncloud.org ) gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing right on the web. Installation has minimal server requirements, doesn’t need special permissions and is quick. ownCloud is extendable via a simple but powerful API for applications and plugins."


  Note:
Owncloud requires a higher version of PHP than SME Server 9.x currently provides. Presently, the ownCloud maintainers recommend PHP version 5.5. Please see PHP Software Collections on how to install a supported higher version of PHP alongside the default version of PHP on SME Server 9.x


Forum discussion

This how-to can be discussed on the forums here or here. Search for other posts.

Installation

Download the latest bz2 archive version or find the latest link from here https://owncloud.org/install/#instructions-server

  • Create an ibay in server manager, with the following typical settings:
Information bay name - owncloud, Description - owncloud site, Group - Admin, User access - Write = group, Read = everyone, 
Public access via web - Entire Internet (no password required), Execution of dynamic content - Enabled
  • Check that you have the correct PHP version running for the ownCloud version you would like to install: Version 8 doc. Please see PHP Software Collections on how to install a supported higher version of PHP in an ibay on SME Server 9.x
  • Extract ownCloud into the html directory of the new ibay (in this example called 'owncloud' )

In the following code, change the version number of owncloud to suit the current version downloaded from the owncloud website. The latest version and changelog can be found here

cd /home/e-smith/files/ibays/owncloud/html/
wget http://download.owncloud.org/community/owncloud-9.X.X.tar.bz2
tar xvf owncloud-9.X.X.tar.bz2 
mv owncloud/* .
mv owncloud/.htaccess .
rm  index.html 
  • Set appropriate ibay settings at the command line prompt:
db accounts setprop owncloud \
  AllowOverride All \
  FollowSymLinks enabled \
  Group www \
  PHPBaseDir /home/e-smith/files/ibays/owncloud/:/tmp/:/dev/urandom \
  PublicAccess global \
  UserAccess wr-group-rd-everyone
  
  • Update the ibay
signal-event ibay-modify owncloud

  • You also need to enable "allow_url_fopen" for the ibay. Create a custom template fragment:
   mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
   nano -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99allow_url_fopen
   
  • and paste the following and save this
   <Directory /home/e-smith/files/ibays/owncloud/html>
   php_admin_flag allow_url_fopen on
   </Directory>
   
  • then at the command line prompt enter:
   expand-template /etc/httpd/conf/httpd.conf
   /etc/init.d/httpd-e-smith restart
   

4. Create a new MySQL database (in this example the database name is owncloud; replace owncloud, username and password with your own choices as required)

Login as root and issue the following command:

mysql
create database owncloud;
grant all privileges on owncloud.* to username@localhost identified by 'password';
flush privileges;
exit


  Note:
To be able to run OwnCloud 9.x on a stock Koozali SME Server 9.x, you must enable the InnoDB engine of MySQL _before_ you run the OwnCloud installation wizard. To enable the InnoDB engine, please see THIS SECTION. This is necessary because Koozali SME Server comes with a lower version of MySQL than the recommended 5.5.x version, which has the InnoDB engine enabled by default.


5. Browse to http://yourserver/owncloud and follow the install script

Upgrade

Upgrading from one minor version to the next (e.g., from 8.1.2 to 8.1.3) can be done using the updater app inside ownCloud. Just log in to the web site as admin, go to the admin page, and scroll down to the update center. However, major version upgrades (e.g., 8.1.x to 8.2.x) will require some work at the command line. The steps below assume that you've used PHP software collections to install an appropriate version of PHP for ownCloud, and that you've set your ownCloud ibay to use PHP version 5.6.

You'll first need to download the distribution .tar.bz2 file. Place it in the ownCloud ibay, in the files subdirectory.

Second, put ownCloud in maintenance mode, so that no changes will be made to the database or to the files on disk while you do your upgrade. Do this with

# cd ~owncloud/../html
# sudo -u www scl enable php56 'php occ maintenance:mode --on'

Third, take backups of the ownCloud directory and database.

# cd ~owncloud/..
# rsync -Aaxv html owncloud-dirbkp_`date +"%Y%m%d"`/
# mysqldump --lock-tables owncloud > owncloud-sqlbkp_`date +"%Y%m%d"`.sql

Next, unpack the ownCloud distribution file.

# cd ~owncloud/..
# tar xjfv files/owncloud-8.2.0.tar.bz2

Then you'll need to rename a couple of directories, and move some files around.

# cd ~owncloud/..
# mv html html_old
# mv owncloud html
# mv html_old/data/ html/
# cp html_old/config/config.php html/config/

Once the directories are renamed and the files are back in the right place, you'll want to kick off the upgrade at the command line and then disable maintenance mode. If you do not run the upgrade from the command line, the web interface will prompt you to do this the next time you log in as admin. However, for a larger installation, PHP may time out before finishing the operation. Therefore, it's recommended to do it from the command line.

# cd ~owncloud/../html
# sudo -u www scl enable php56 'php occ upgrade'
# sudo -u www scl enable php56 'php occ maintenance:mode --off'

Your ownCloud installation is now upgraded, and you can log into the web interface to ensure that everything works properly. Once you've confirmed this, you'll probably want to clean up the ibay a little bit.

# cd ~owncloud/..
# bzip2 owncloud-sqlbkp_20151027.sql
# tar -cvjSf owncloud-dirbkp_20151027.tar.bz2 owncloud-dirbkp_20151027/
# rm -rf html_old

  Note:
It is only possible to upgrade one step at a time. E.g. you can not upgrade from version 6 to 8 directly but have to make 2 upgrades from 6 to 7 and then 7 to 8


Optional Addons & Settings

Security

Require HTTPS

You can force https redirection whenever you use the http protocol. See Https_redirection for more information.

In Owncloud versions prior to 8.1.1 you could also force https by checking 'Enforce HTTPS' in the Security section of the Admin section.

Strict Transport Security

Starting with ownCloud version 8.1.1, the admin panel may display this warning:

The "Strict-Transport-Security" HTTP header is not configured to least "15768000" seconds.

HTTP Strict Transport Security can be enabled as described at HSTS and HPKP.

Fail2Ban

If you have installed the Fail2Ban contrib, you can configure it to block ownCloud logins from a given IP address after repeated failures. To do this, you will first need to create a definition file telling Fail2ban what a failed login looks like, then create a template fragment to activate that definition, and finally restart fail2ban.

First, create the definition file:

# nano -w /etc/fail2ban/filter.d/owncloud.conf

This file should contain the following text:

[Definition]
failregex={"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}

ignoreregex =

Press Ctrl-X to exit, and Y to save the file.

Next, create the template fragment:

# mkdir -p /etc/e-smith/templates-custom/etc/fail2ban/jail.conf
# nano -w /etc/e-smith/templates-custom/etc/fail2ban/jail.conf/30Service55owncloud 

That file should contain the following:

[owncloud]
enabled  = true
filter  = owncloud
action   = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
logpath  = /home/e-smith/files/ibays/owncloud/html/data/owncloud.log
maxretry = 3
port = 80,443
protocol = tcp

Again, Ctrl-X to exit, and Y to save. Then reconfigure the fail2ban service:

# signal-event fail2ban-conf

For more information, see this thread on the ownCloud forum.
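
As an added example (not part of the original how-to and not fail2ban's own code), this Python sketch runs the failregex above over constructed log lines and applies the jail's maxretry, so you can see which addresses would be banned and which login failures the filter misses. The log lines, the simplified `<HOST>` stand-in and the `scan` function are assumptions made for illustration, and the time window (findtime) is ignored.

```python
import re
from collections import Counter

# failregex copied verbatim from the filter definition above.
FAILREGEX = r'''{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>\)","level":2,"time":".*"}'''

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 address or DNS name).
HOST = r"(?P<host>[\w\-.]*\w)"
MAXRETRY = 3  # same threshold as the jail above

# Constructed log lines: four in the shape the filter expects, two login
# failures in a slightly different shape (quote after the address), and one
# unrelated entry.
SAMPLE_LOG = r'''
{"reqId":"r1","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7)","level":2,"time":"2018-02-26T11:00:01+00:00"}
{"reqId":"r2","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'alice' (Remote IP: '203.0.113.7)","level":2,"time":"2018-02-26T11:00:03+00:00"}
{"reqId":"r3","remoteAddr":"198.51.100.9","app":"core","message":"Login failed: 'bob' (Remote IP: '198.51.100.9)","level":2,"time":"2018-02-26T11:00:04+00:00"}
{"reqId":"r4","remoteAddr":"203.0.113.7","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7)","level":2,"time":"2018-02-26T11:00:05+00:00"}
{"reqId":"r5","remoteAddr":"192.0.2.50","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.50')","level":2,"time":"2018-02-26T11:00:06+00:00"}
{"reqId":"r6","remoteAddr":"192.0.2.50","app":"core","message":"Login failed: 'carol' (Remote IP: '192.0.2.50')","level":2,"time":"2018-02-26T11:00:07+00:00"}
{"reqId":"r7","remoteAddr":"203.0.113.7","app":"PHP","message":"Undefined index: foo","level":3,"time":"2018-02-26T11:00:08+00:00"}
'''.strip().splitlines()


def scan(lines, failregex=FAILREGEX, maxretry=MAXRETRY):
    """Count failures per host and list login failures the filter did not catch."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    missed = []
    for line in lines:
        match = rx.search(line)
        if match:
            hits[match.group("host")] += 1
        elif "Login failed" in line:
            # A failed login that the filter cannot see never counts toward a ban.
            missed.append(line)
    banned = sorted(host for host, count in hits.items() if count >= maxretry)
    return {"hits": dict(hits), "banned": banned, "missed": missed}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print("failures per host:", result["hits"])
    print("would be banned:  ", result["banned"])
    print("login failures not matched by the filter:", len(result["missed"]))
```

On the server itself, `fail2ban-regex /home/e-smith/files/ibays/owncloud/html/data/owncloud.log /etc/fail2ban/filter.d/owncloud.conf` performs the same check against your real log with fail2ban's own `<HOST>` expansion.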

User login and permissions

ownCloud provides several ways for users to log in and authenticate. In addition to ownCloud's internal user authentication, you can authenticate SME users:

LDAP Authentication

Configure owncloud to authenticate against the internal SME OpenLDAP server (all SME users)

  • log into your owncloud webapp as admin who installed owncloud
  • go to apps and enable ldap authentication backend
  • go to admin, ldap section and use below settings
Server tab:
Host: localhost
Port: 389
Base DN: dc=[yourdomain],dc=[com] (as seen in the 'domains' section in SME server manager)

Users tab:
Select username and email address

Only these object classes: sambaSamAccount
Groups
Only these object classes: sambaGroupMapping 
Advanced tab:
Special attributes -> email field: mail

For the variables between brackets [], use your specific settings. Test by creating a specific user and logging in with that username and password, as opposed to using the admin's credentials. For more info on using SME OpenLDAP for authentication please see: LDAP Authentication for applications


LDAP Tweaks

It seems that when a user is created in SME, and ownCloud is integrated via LDAP, it takes a while before the new user can log into ownCloud. Also, the error "Can't get cache storage, user not logged in" begins to appear in the ownCloud Warning Log. To fix this, and allow the new user to log in immediately, go to Settings -> Admin -> LDAP -> Advanced tab and change the Cache Time To Live by + or -1. This forces the cache to update, and the new user will be able to log in to ownCloud straight away.


  Note:
When setting up ldap following these instructions you may need to uncheck "tls" in the advanced tab of the ldap admin section in owncloud.


IMAP Authentication

Configure owncloud to authenticate against an IMAP server


Enable and Configure IMAP Authentication
  1. Login to your running owncloud configuration as an administrator
  2. Enable the app named "External user support"
    Note: "External user support" is included with owncloud as an "Internal app". There is an older add-on app named "IMAP user backend" that did not work for me.
  3. Edit <owncloud>/config/config.php and insert the text below inside the $CONFIG array
    • in front of the last closing parenthesis in the file (make sure there's a comma at the end of the preceding entry)
    • Replace [mail.yourdomain.com] with your mail server name or IP address
    • Remove "/novalidate-cert" if your chosen mail server uses a signed SSL certificate (with the flag present, the mail server's certificate is not validated):
  'user_backends' => 
    array (
      0 => 
      array (
        'class' => 'OC_User_IMAP',
        'arguments' => 
        array (
          0 => '{[mail.yourdomain.com]:993/imap/ssl/novalidate-cert}',
        ),
      ),
    ),

When done, users will be able to login to your owncloud web interface using their mail server username and password. More information can be found here: http://owncloud.org/support/custom-user-configuration/

Enable Automatic IMAP User Creation

This discussion on the Owncloud bug tracker describes patches that provide more automated IMAP user management: https://github.com/owncloud/apps/issues/302

The patches provide these capabilities:

  • Create new Owncloud users when unrecognized users login using IMAP
  • Add new users to a group named for the domain portion of their email address
  • Optionally set an Owncloud quota based on the user's email domain
  • Update the Owncloud password for any existing user who logs in using IMAP

Sync Issues (Turning off magic quotes in php)

I had issues when deleting files in my client. Turning off magic quotes fixed the problem. Edit your php.ini using custom templates.

cd /etc/e-smith/templates-custom/etc/php.ini
  • Edit template-begin file
  • Add the following and save file:
php_value magic_quotes_gpc = Off
php_value magic_quotes_runtime = Off
php_value magic_quotes_sybase = Off
expand-template /etc/php.ini
sv t httpd-e-smith

Allow Sharing with IMAP Users

To allow sharing with your IMAP users, you need to manually add each IMAP user account to the oc_users table using commands like those below at a shell prompt on your SME server:

mysql owncloud
insert into oc_users (uid,password) values ('[xyzuser@mail.yourdomain.com]','*');
  • owncloud: replace with the name of the database you created for owncloud
  • [xyzuser@mail.yourdomain.com]: replace with the exact login string used by the user when they login

Problems

  • By default:
  • Users who login using IMAP Authentication are not automatically added to the owncloud "oc_users" table. Consequently, they are not offered as options when other users want to share files with them.
  • IMAP authenticated users will be unable to connect using the owncloud client sync program.
  • If your IMAP server allows alternative username syntax, owncloud will create a separate account for each username format that allows successful authentication. That is, if your IMAP server allows users to optionally include or omit the domain name, you might create a user account entry for "xyzuser@mail.yourdomain.com", then find that the user always logs in using simply "xyzuser", which succeeds during the IMAP authentication, but is a different account within owncloud.

Using the Owncloud Client

In order for an IMAP-authenticated user to configure the owncloud client sync program:

  • The system administrator must add the username to the oc_users table manually as described above

Then the user must:

  • login to the web interface
  • open his/her personal settings
  • "change" the password in owncloud to match the password on the IMAP server.

WebDAV interface

The ownCloud admin panel may display the following warning.

Setup Warning Your web server is not yet properly setup to allow files synchronization because the WebDAV interface seems to be broken. Please double check the installation guides.

The warning can be caused by reaching the server under a DNS name that differs from the name on the SSL certificate. If you believe it is a false positive, add 'check_for_working_webdav' => false, to your /config/config.php file to suppress it. This workaround was successful with ownCloud 7. It has not been tested on ownCloud 6 or with ownCloud 8.

nano /home/e-smith/files/ibays/owncloud/html/config/config.php

and add

'check_for_working_webdav' => false,

Maintenance tasks

Owncloud requires periodic maintenance tasks to run, and offers three different methods to execute them: AJAX, webcron, or through the system's cron process. They may be chosen on the Admin page, under the Cron heading. AJAX checks for tasks each time an owncloud page is loaded. It is simple to use and requires no configuration, but not very reliable since it depends on users logging into the web interface. Webcron relies on using an outside service like easycron.com to load http://yourserver.tld/owncloud/cron.php on a schedule, roughly every 15 minutes. This is simple to configure, but can incur additional cost for the webcron service. Finally, the system's cron process runs commands on a specified schedule. It requires the most complex configuration, but does not rely on any external user or service to operate.

To set up regular maintenance using the system cron process, first select the Cron option under the Cron heading on the Admin page. Then, from the system shell, run the following commands:

# export EDITOR=nano
# crontab -u apache -e

This will open the nano editor with a blank file. Enter the following:

*/15  *  *  *  * scl enable php56 'php -f /home/e-smith/files/ibays/owncloud/html/cron.php > /dev/null 2>&1'

Then press Ctrl-X to exit, and Y to save. This command assumes you've installed the PHP software collections as described above, and that you've chosen to run your ownCloud installation with PHP 5.6. If you'd chosen PHP 5.5, it would read "scl enable php55" instead.

Memory Caching

For improved performance, use of a memory cache for compiled PHP code and data is recommended. As of version 8.1, ownCloud will complain on the Admin page if you don't have this configured. Also, as of version 8.2, ownCloud implements transactional file locking, and it's preferred that this be managed with a memory cache as well. The only suitable memory cache system to support file locking is Redis.

Redis

You'll need to install Redis, as well as its associated PHP module, configure your system to start Redis on startup, and change some configuration settings for both Redis and ownCloud.

To install Redis, you'll need to have both the Remi and Epel repositories set up on your server. Then do

# yum --enablerepo=remi,epel install redis php54-php-pecl-redis php55-php-pecl-redis php56-php-pecl-redis php71-php-pecl-redis php70-php-pecl-redis
# config set redis service status enabled
# cd /etc/rc7.d
# ln -s /etc/rc.d/init.d/e-smith-service S80redis

You'll need to adjust two entries in the Redis configuration file:

# nano -w /etc/redis.conf

Find the line that mentions "unixsocket", uncomment it and the following line, and edit them to appear as follows:

unixsocket /var/run/redis/redis.sock
unixsocketperm 777

and add the www user to the redis group:

usermod -a -G redis www

Then start the redis server:

# /etc/rc.d/init.d/redis start
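
An added check, not part of the original how-to: mode 777 lets every local account connect to Redis, while the usermod step already puts the web server user in the redis group. This Python sketch parses redis.conf, flags a world-accessible socket mode and inspects the socket file Redis actually created; the function names and the sample excerpt are constructed for illustration, and the suggested mode assumes the socket's group is redis.

```python
import os
import stat

# Constructed excerpt of /etc/redis.conf after the edit described above.
SAMPLE_CONF = """\
# unixsocket /tmp/redis.sock
unixsocket /var/run/redis/redis.sock
unixsocketperm 777
"""


def parse_redis_conf(text):
    """Map each active (uncommented) directive to its value; the last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            conf[key.lower()] = rest[0].strip() if rest else ""
    return conf


def audit_conf(text, client_in_socket_group=True):
    """Report who may connect to the configured socket and a tighter mode."""
    conf = parse_redis_conf(text)
    if "unixsocket" not in conf:
        return {"path": None, "note": "no unix socket configured"}
    if "unixsocketperm" not in conf:
        return {"path": conf["unixsocket"], "note": "mode not set explicitly"}
    mode = int(conf["unixsocketperm"], 8)  # Redis reads the value as octal
    # With the web server user in the socket's group (the usermod step),
    # owner and group access is enough; otherwise keep the configured mode.
    suggested = mode & 0o770 if client_in_socket_group else mode
    return {
        "path": conf["unixsocket"],
        "mode": oct(mode),
        "world_accessible": bool(mode & 0o007),
        "suggested": oct(suggested),
    }


def check_live_socket(path):
    """Inspect the file at the socket path; None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    mode = stat.S_IMODE(st.st_mode)
    return {
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "mode": oct(mode),
        "world_accessible": bool(mode & 0o007),
    }


if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
    print(check_live_socket(parse_redis_conf(SAMPLE_CONF)["unixsocket"]))
```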

You'll now need to edit the ownCloud config file:

# nano -w ~owncloud/../html/config/config.php

Add the following lines:

'filelocking.enabled' => 'true',
'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'timeout' => 0.0,
     ),

Save the file and exit nano. You should now be able to log in to your ownCloud installation as the admin user, and not see a warning message about memory cache or file locking.

APCu

If you don't want to use the memory cache for file locking, ownCloud supports a number of other cache backends, but the easiest to configure is said to be APCu. To configure this, you'll need to install the PHP extension, and activate it in your config.php file. To install the extension, run the following command:

# yum --enablerepo=remi install php54-php-pecl-apcu php55-php-pecl-apcu php56-php-pecl-apcu

If you've set up a system cron job for the ownCloud maintenance operations, you'll need to tell the cache to operate from the CLI as well as from the web. To do this, assuming you're using PHP 5.6 for ownCloud (change the version below as appropriate):

# nano -w /opt/remi/php56/root/etc/php.d/40-apcu.ini

Find the line with "apc.enable_cli", uncomment it (remove the semicolon), and change the value to 1. It should look like this:

apc.enable_cli=1

Then restart the web server:

# /etc/init.d/httpd-e-smith restart

The yum command above installs the extension for all PHP Software Collection versions. To activate it, add this line to the ownCloud config.php file:

'memcache.local' => '\OC\Memcache\APCu',

Further information about caching can be found in the ownCloud documentation.

PHP opcache

In Nextcloud, logged in as admin, go to Parameters => Basic parameters and check whether Nextcloud complains about any of the following PHP opcache parameters:

opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

If it does:

In short

  • Edit /etc/opt/remi/php70/php.d/10-opcache.ini and make sure that the above given parameters are set.
  • Restart php: signal-event php-update

With explanations

Check the PHP parameters for the ibay in which Nextcloud is installed:

  • in .../path/to/ibay-Nextcloud/html, create a file named phptest.php with the following content:
<?php
phpinfo();
phpinfo(INFO_MODULES);
?>
  • from the browser, go to http://server/ibay_nextcloud/phptest.php and have a look at the parameters and paths concerning opcache
  • modify the proper files with the parameters that Nextcloud asks for. The use of templates-custom may be necessary, depending on your configuration.
  • if necessary, expand the templates; then remove phptest.php, since it exposes the server's PHP configuration to anyone who can load it
  • restart php

Mozilla Sync

Mozilla Sync is an addon for OwnCloud that allows users to securely synchronize Firefox settings across multiple devices (tabs, bookmarks, history, saved passwords).

The owncloud instructions for installing and configuring Mozilla Sync addon can be found here: https://github.com/owncloud/mozilla_sync/blob/master/INSTALL.md

The Mozilla Sync addon is included by default as of OwnCloud 6 and simply needs to be 'enabled' by an admin.

Install Mozilla Sync in OwnCloud

These instructions assume that you have installed owncloud into an ibay named owncloud:

Using a zipped tarball:

cd /home/e-smith/files/ibays/owncloud/files
  wget https://github.com/owncloud/mozilla_sync/archive/master.zip -O master.zip
  sudo -u www unzip master.zip
  mv mozilla_sync-master /home/e-smith/files/ibays/owncloud/html/apps/mozilla_sync

Using Git:

cd /home/e-smith/files/ibays/owncloud/html/apps
  sudo -u www git clone https://github.com/owncloud/mozilla_sync.git
  # change into the cloned repository before checking out the branch
  cd mozilla_sync
  sudo -u www git checkout master

Server settings to enable Mozilla Sync

Now, on the server:

  • login to your owncloud instance as an administrator
  • Open the 'Apps' page
  • 'Enable' the Mozilla Sync app
  • Verify that all 'Mozilla Sync' users have a unique email address configured in their user profile (Mozilla sync (in Firefox) authenticates using the user's email address).

Firefox settings to enable Mozilla Sync

Setup sync using the email address you verified above, using the password for the user that matches the email address.

The address for your 'custom server' should look like:
https://<path-to-your-owncloud>/remote.php/mozilla_sync/

History and advanced topics

The history and some advanced topics can be viewed on these How-To page sections:

References

Interesting relations to other Contribs or How-to's