Nextcloud 13 on CentOS 7 with data on NFS
Preparation
Create the www-data group and user, since Nextcloud is set up to run as this user
groupadd -g 1990 www-data
adduser -g 1990 -u 2000 -s /sbin/nologin -M www-data
Add the repositories
NGINX
vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
MARIADB10
vim /etc/yum.repos.d/MariaDB10.repo
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2.9/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
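An added example, not part of the original page: a small auditor for yum repo files such as the two above. It flags an explicit gpgcheck=0 (packages installed without signature verification) and plain-HTTP baseurl values; the function names and the temp-file copies of the repo files are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit yum .repo files for weak package-verification settings.

# Print one finding per line for every repo section in the given files.
audit_repo() {
    awk '
        function report() {
            if (name == "") return
            if (gpgcheck == "0")
                print name ": gpgcheck=0, packages are installed without signature verification"
            if (gpgcheck == "1" && gpgkey == "")
                print name ": gpgcheck=1 but no gpgkey, the key must be imported by hand"
            if (baseurl ~ /^http:/)
                print name ": baseurl uses plain http"
        }
        # New [section]: report the previous one and reset its settings.
        /^[ \t]*\[/ {
            report()
            name = $0; gsub(/[ \t]|\[|\]/, "", name)
            gpgcheck = ""; gpgkey = ""; baseurl = ""
            next
        }
        /^[ \t]*[#;]/ { next }          # comment line
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey = val
            if (key == "baseurl")  baseurl = val
        }
        END { report() }
    ' "$@"
}

# Constructed sample input: copies of the two repo files shown on this page.
# Prints the temporary directory that holds them.
sample_repos() {
    dir=$(mktemp -d)
    cat > "$dir/nginx.repo" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1
EOF
    cat > "$dir/MariaDB10.repo" <<'EOF'
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.2.9/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1
EOF
    printf '%s\n' "$dir"
}

# Demo run on the constructed sample.
demo_dir=$(sample_repos)
audit_repo "$demo_dir"/*.repo
rm -rf "$demo_dir"
```

On a real host, run `audit_repo /etc/yum.repos.d/*.repo`; a repo without its own gpgcheck line inherits the value from /etc/yum.conf and is not flagged here.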
REMI (PHP 7.1)
Enable the remi-php71 repository. To do so, run:
rpm -Uvh http://rpms.remirepo.net/enterprise/remi-release-7.rpm
The EPEL repository should already be installed; if it is not:
yum install epel-release
See which repositories are available
ll /etc/yum.repos.d/remi*
As you can see, there are several PHP versions. To enable one, open the corresponding file, find the [remi-php71] section, find enabled in it and change the value from 0 to 1:
vim /etc/yum.repos.d/remi-php71.repo
enabled=1
yum update
yum install php
Install the required packages
yum -y install nginx wget unzip nfs-utils mariadb mariadb-server
yum --disableexcludes=main install libxslt.x86_64
yum -y install php-common php-gmp php-intl php-imap php-opcache php-fpm php-cli php-gd php-mcrypt php-mysqlnd php-pear php-xml php-mbstring php-pdo php-json php-pecl-apcu php-pecl-apcu-devel php-zip
NFS
vim /etc/fstab
IP:/mnt/Data /usr/share/nginx/html/nextcloud/data nfs defaults 0 0
If Nextcloud is being set up in an LXC container, there is a caveat: NFS in an LXC container
Generate self-signed certificates
mkdir -p /etc/nginx/cert
openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
openssl genrsa 2048 >> /etc/nginx/cert/key.pem
openssl dhparam -out /etc/nginx/cert/dh2048.pem 2048
chmod 700 /etc/nginx/cert/
chmod 600 /etc/nginx/cert/*
Configure Nginx
vim /etc/nginx/nginx.conf
user nginx;
#you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
worker_processes auto; #some last versions calculate it automatically
worker_cpu_affinity auto;
#number of file descriptors used for nginx
#the limit for the maximum FDs on the server is usually set by the OS.
#if you don't set FD's then OS settings will be used which is by default 2000
worker_rlimit_nofile 10000;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;
events {
    worker_connections 2048;
    multi_accept on;
    use epoll;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    server_tokens off;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    reset_timedout_connection on;
    #request timed out -- default 60
    client_body_timeout 20;
    #if client stop responding, free up memory -- default 60
    send_timeout 20;
    #server will close connection after this time -- default 75
    keepalive_timeout 30;
    aio threads;
    client_body_buffer_size 128k;
    client_max_body_size 2M;
    large_client_header_buffers 4 256k;
    gzip off;
    include /etc/nginx/conf.d/*.conf;
}
Configure PHP-FPM
vim /etc/php-fpm.d/www.conf
user = www-data
group = www-data
listen = 127.0.0.1:9000
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; These options apply when a unix socket is used
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Configure APCACHE/CGI
vim /etc/php.ini
; Hide the PHP version on the server
expose_php = Off
cgi.fix_pathinfo=0
Configure OpCache
vim /etc/php.d/10-opcache.ini
https://www.hostcms.ru/documentation/server/opcache/
zend_extension=opcache.so
opcache.enable=1
opcache.enable_cli=0
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=5
opcache.save_comments=1
Configure MySQL
vim /etc/my.cnf.d/server.cnf
[server]
#skip-name-resolve
innodb_buffer_pool_size = 128M
innodb_buffer_pool_instances = 1
innodb_flush_log_at_trx_commit = 2
innodb_log_buffer_size = 16M
innodb_max_dirty_pages_pct = 90
query_cache_type = 1
query_cache_limit = 2M
query_cache_min_res_unit = 2k
query_cache_size = 64M
tmp_table_size= 64M
max_heap_table_size= 64M
slow-query-log = 1
slow-query-log-file = /var/log/mariadb/slow.log
long_query_time = 1
[mysqld]
character-set-server = utf8mb4
collation-server = utf8mb4_general_ci
binlog_format = MIXED
datadir=/var/lib/mysql
symbolic-links=0
##Enable 4-byte support
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table=1
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
vim /etc/my.cnf.d/mysql-clients.cnf
[client]
default-character-set = utf8mb4
mkdir /var/log/mariadb/
touch /var/log/mariadb/mariadb.log
touch /var/log/mariadb/slow.log
chown mysql:mysql /var/log/mariadb/*
Start the services
systemctl restart nginx php-fpm mariadb
systemctl enable php-fpm nginx mariadb
Now configure the MariaDB root password.
mysql_secure_installation
Type in your root password when requested.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
mysql -u root -p
create database nextclouddb;
grant all privileges on nextclouddb.* to 'Username'@'localhost' identified by 'password';
flush privileges;
exit;
Install Nextcloud
cd /tmp
wget https://download.nextcloud.com/server/releases/nextcloud-13.0.4.zip
unzip nextcloud-13.0.4.zip
mv nextcloud/ /usr/share/nginx/html/
cd /usr/share/nginx/html/
mkdir /usr/share/nginx/html/nextcloud/data
mount /usr/share/nginx/html/nextcloud/data
chown -R www-data: /usr/share/nginx/html/nextcloud
Configure Nginx to work with Nextcloud
vim /etc/nginx/conf.d/nextcloud.conf
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/run/php/php7.0-fpm.sock;
}
server {
    listen 80;
    server_name testcloud.freezl.ru;
    # Redirect to the HTTPS version of the site.
    return 301 https://$server_name$request_uri;
}
server {
    # HTTPS support
    listen 443 ssl;
    server_name testcloud.freezl.ru;
    # Set the index page
    index index.php index.html index.htm index.nginx-debian.html;
    # Enable logging
    error_log /var/log/nginx/cloud.error.log;
    access_log /var/log/nginx/cloud.access.log;
    ### SSL CONFIGURATION ###
    ssl on;
    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;
    ### END OF SSL CONFIGURATION ###
    # Additional headers to improve security; in particular, the first line adds HSTS support
    add_header Strict-Transport-Security 'max-age=631138519; includeSubDomains; preload' always;
    #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' blob data:";
    add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' blob data:";
    add_header X-WebKit-CSP "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' blob data:";
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Proxy-Cache "EXPIRED" always;
    # Additional headers from the Nextcloud developers
    add_header X-Robots-Tag "none" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # Site root directory
    root /usr/share/nginx/html/nextcloud;
    # Maximum size of a file we can upload, and an enlarged buffer
    client_max_body_size 3G;
    fastcgi_buffers 64 4K;
    # gzip can cause problems with Nextcloud, so the developers recommend disabling it
    gzip off;
    # Custom 403 and 404 error pages.
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
    location ~ ^/.well-known/* {
        root /usr/share/nginx/html/;
        allow all;
    }
    ### Below we explicitly allow/deny reading of certain directories and files ###
    ### We also set up redirects for pretty URLs ###
    rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
    rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }
    location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ \.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
    }
    # The configuration below this point has not been tested
    ##########Collabora Online##########
    #static files
    location ^~ /loleaflet {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }
    #WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }
    #main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
    #download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }
    #Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}
Configuring for NFS
At boot, it seems, the php-fpm service starts first and the NFS share is mounted after it. As a result, php-fpm does not work correctly with the mounted directory. If you restart php-fpm after the system has booted, everything works correctly. But doing it by hand is not our way! Automation is required.
The systemd init system handles mounting file systems itself; /etc/fstab is kept for backward compatibility. Automatic mounting in systemd
For our scenario, instead of an fstab entry you can create a unit file for systemd (an fstab entry also works: systemd automatically generates a .mount unit from it and mounts the NFS share)
cat /usr/lib/systemd/system/usr-share-nginx-html-nextcloud-data.mount
[Unit]
Description=Mount NFS for Nextcloud
After=network.target
[Mount]
What=IP:/mnt/Data
Where=/usr/share/nginx/html/nextcloud/data
Type=nfs
To start the php-fpm service only after the NFS directory has been mounted, edit the php-fpm.service unit
systemctl edit php-fpm.service
Add:
[Unit]
After=usr-share-nginx-html-nextcloud-data.mount
And reload the configuration
systemctl daemon-reload
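An added example, not part of the original page: systemd only loads a .mount unit whose file name matches its Where= path, and After= alone orders start-up without making php-fpm depend on the mount. The helper names and the 10-wait-for-nfs.conf drop-in name are assumptions of this example; it derives the unit name, checks a unit file against it, and writes a drop-in that adds Requires=.

```shell
#!/bin/sh
# Added example: keep php-fpm tied to the NFS mount unit from this page.

# Unit name systemd requires for a mount point (ASCII paths only);
# same result as `systemd-escape --path --suffix=mount PATH`.
mount_unit_name() (
    LC_ALL=C
    p=$(printf '%s' "$1" | tr -s '/')    # collapse repeated slashes
    p=${p#/}; p=${p%/}                   # drop leading and trailing slash
    out=''; first=1
    [ -n "$p" ] || out='-'               # the root file system is "-.mount"
    while [ -n "$p" ]; do
        rest=${p#?}; c=${p%"$rest"}; p=$rest    # c = first character of p
        case $c in
            /) out="$out-" ;;
            [A-Za-z0-9:_]) out="$out$c" ;;
            .) if [ "$first" = 1 ]; then out="$out\\x2e"; else out="$out."; fi ;;
            *) out="$out$(printf '\\x%02x' "'$c")" ;;   # e.g. "-" becomes \x2d
        esac
        first=0
    done
    printf '%s.mount\n' "$out"
)

# Return 0 if FILE is named the way its Where= line requires, 1 if not,
# 2 if the file has no Where= line.
check_mount_unit() {
    file=$1
    where=$(sed -n 's/^Where=//p' "$file" | head -n 1)
    if [ -z "$where" ]; then
        echo "$file: no Where= line" >&2
        return 2
    fi
    expected=$(mount_unit_name "$where")
    if [ "$expected" != "$(basename "$file")" ]; then
        echo "$file: Where=$where requires the file name $expected" >&2
        return 1
    fi
}

# Write a drop-in for SERVICE that requires, and orders it after, the mount
# for MOUNTPOINT. ROOT defaults to /etc/systemd/system. Prints the file path.
write_mount_dropin() {
    service=$1; mountpoint=$2; root=${3:-/etc/systemd/system}
    unit=$(mount_unit_name "$mountpoint")
    dir="$root/$service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/10-wait-for-nfs.conf" <<EOF
[Unit]
# After= only orders start-up. Requires= also keeps $service from
# starting, and writing under the empty mount point, if the mount fails.
Requires=$unit
After=$unit
EOF
    printf '%s\n' "$dir/10-wait-for-nfs.conf"
}

# Demo: the unit name for the data directory used on this page.
mount_unit_name /usr/share/nginx/html/nextcloud/data
```

After writing a drop-in under /etc/systemd/system, run `systemctl daemon-reload` as above.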
Installing Certbot for Nginx (SSL)
yum install certbot-nginx
Creating the certificate
certbot --nginx -d example.com --rsa-key-size 4096
(example.com stands for the domain name)
Creating Diffie-Hellman parameters
openssl dhparam -out /var/certs/nginx/dhparam.pem 4096
Adding the SSL hardening settings to /etc/nginx/ssl.conf
vim /etc/nginx/ssl.conf
##SSL
ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
#ssl_ecdh_curve secp384r1; # If nginx is not recent or openssl > 1.1.0+
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /var/certs/nginx/dhparam.pem; # use if ecdh is not available.
ssl_session_timeout 5m;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES256:AES256+EDH:!aNULL:!SHA;
#ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
#ssl_ciphers HIGH:!aNULL:!MD5:!ADH:!RC4:!DH
#FDN DNS resolver
resolver 80.67.169.12 80.67.169.40 valid=300s;
resolver_timeout 3s;
##HSTS
#This header helps prevent cookie theft and SSL downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
#Keep the site from being scraped
add_header X-Robots-Tag none;
# Prevents content from being interpreted differently from what the MIME type defines
add_header X-Content-Type-Options nosniff always;
#Protection against clickjacking
add_header X-Frame-Options "SAMEORIGIN";
#Protection against XSS flaws
add_header X-XSS-Protection "1; mode=block" always;
#Flaw specific to IE8
add_header X-Download-Options noopen;
# Forbid embedding all or part of your site in a third-party site or application
add_header X-Permitted-Cross-Domain-Policies none;
Renew the certificate
crontab -e
15 4 * * 1 /usr/bin/certbot renew --preferred-challenges http --nginx --quiet
18 4 * * 1 /usr/bin/systemctl reload nginx
This tells cron to attempt to renew your certificates every Monday morning at 4:15 AM and reload NGINX 3 minutes later.
Isolating Nextcloud
http://howto.wared.fr/ubuntu-installation-nextcloud-nginx/
Creating the nextcloud user
sudo adduser nextcloud
sudo chown -R nextcloud:nginx /usr/share/nginx/html/nextcloud
sudo chown -R nextcloud:nginx /media/HDD2/nextcloud
sudo chmod -R o-rwx /usr/share/nginx/html/nextcloud
sudo chmod -R o-rwx /media/HDD2/nextcloud
Configuring PHP-FPM for Nextcloud
See https://phpprofi.ru/blogs/post/70 for details on the pm* parameters
vim /etc/php-fpm.d/nextcloud.conf
[nextcloud]
listen = /var/run/nextcloud.sock
listen.owner = nextcloud ; nginx?
listen.group = nginx
user = nextcloud ; nginx?
group = nginx
pm = ondemand
pm.max_children = 56
pm.process_idle_timeout = 60s
pm.max_requests = 500
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
request_terminate_timeout = 300
vim /usr/lib/systemd/system/php-fpm.service
[Service]
UMask=0027
systemctl reenable php-fpm.service
systemctl restart nginx mysql php-fpm
Setting permissions for Nextcloud
yum -y install policycoreutils-python
chown nextcloud:nginx -R /usr/share/nginx/html/nextcloud/
chown nextcloud:nginx -R /media/HDD2/nextcloud/ #DATA nextcloud
semanage fcontext -a -t httpd_sys_rw_content_t '/media/HDD2/nextcloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/assets(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/nextcloud/.user.ini'
restorecon -Rv '/usr/share/nginx/html/nextcloud/'
setsebool -P httpd_can_sendmail on
sudo -u nextcloud sed -i "s/upload_max_filesize=.*/upload_max_filesize=10240M/" /usr/share/nginx/html/nextcloud/.user.ini
sudo -u nextcloud sed -i "s/post_max_size=.*/post_max_size=10240M/" /usr/share/nginx/html/nextcloud/.user.ini
sudo -u nextcloud sed -i "s/output_buffering=.*/output_buffering='Off'/" /usr/share/nginx/html/nextcloud/.user.ini
Nextcloud configuration (web)
Create the Nextcloud admin user
Storage : /media/HDD2/nextcloud/data
DATABASE : MariaDB
USER/PASSWORD/DATABASE/localhost
Optimizing Nextcloud
vim /usr/share/nginx/html/nextcloud/config/config.php
Add :
'loglevel' => 2,
'logfile' => '/media/HDD2/nextcloud/data/nextcloud.log',
'logdateformat' => 'F d, Y H:i:s',
'cron_log' => true,
'memcache.local' => '\OC\Memcache\APCu',
'auth.bruteforce.protection.enabled' => true,
'updatechecker' => true,
'updater.server.url' => 'https://updates.nextcloud.com/updater_server/',
'updater.release.channel' => 'stable',
systemctl restart nginx php-fpm
Running cron for Nextcloud optimization
mkdir /var/lib/nginx
chown nginx:nginx /var/lib/nginx
crontab -u nextcloud -e
*/15 * * * * php -f /usr/share/nginx/html/nextcloud/cron.php
systemctl restart mysql
mysql -uroot -p
USE INFORMATION_SCHEMA;
SELECT CONCAT("ALTER TABLE ", TABLE_SCHEMA, ".", TABLE_NAME, " ROW_FORMAT=DYNAMIC;") AS MySQLCMD FROM TABLES WHERE TABLE_SCHEMA = "nextcloud_db";
ALTER TABLE nextcloud_db.oc_accounts ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_activity ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_activity_mq ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_addressbookchanges ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_addressbooks ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_admin_sections ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_admin_settings ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_announcements ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_announcements_groups ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_appconfig ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_album_artists ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_albums ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_artists ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_genre ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_playlist_tracks ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_playlists ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_statistics ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_audioplayer_tracks ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_authtoken ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_bruteforce_attempts ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_calendarchanges ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_calendarobjects ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_calendarobjects_props ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_calendars ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_calendarsubscriptions ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_cards ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_cards_properties ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_comments ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_comments_read_markers ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_credentials ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_dashboard_announcements ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_dashboard_files ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_dashboard_settings ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_dav_shares ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_federated_reshares ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_file_locks ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_filecache ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_files_trash ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_flow_checks ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_flow_operations ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_group_admin ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_group_folders ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_group_folders_applicable ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_group_user ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_groups ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_jobs ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_mail_accounts ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_mail_aliases ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_mail_attachments ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_mail_collected_addresses ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_mimetypes ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_mounts ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_albums ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_ampache_sessions ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_ampache_users ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_artists ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_cache ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_playlists ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_music_tracks ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_notes_meta ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_notifications ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_notifications_pushtokens ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_oauth2_access_tokens ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_oauth2_clients ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_credentials ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_delete_vault_request ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_files ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_revisions ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_share_request ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_sharing_acl ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_passman_vaults ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_preferences ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_privatedata ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_properties ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_retention ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_richdocuments_member ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_richdocuments_wopi ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_schedulingobjects ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_share ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_share_external ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_spreedme_messages ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_spreedme_room_participants ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_spreedme_rooms ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_storages ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_systemtag ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_systemtag_group ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_systemtag_object_mapping ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_trusted_servers ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_twofactor_backupcodes ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_users ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_vcategory ROW_FORMAT=DYNAMIC;
ALTER TABLE nextcloud_db.oc_vcategory_to_object ROW_FORMAT=DYNAMIC;
-- same schema as the tables converted above
ALTER DATABASE nextcloud_db CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
cd /usr/share/nginx/html/nextcloud
sudo -u nextcloud php occ config:system:set mysql.utf8mb4 --type boolean --value="true"
sudo -u nextcloud php occ maintenance:repair
Update Nextcloud:
Via the web interface
Enable updates via the web interface
To enable updates via the web interface, you may need this to enable writing to the directories:
setsebool httpd_unified on
When the update is completed, disable write access:
setsebool -P httpd_unified off
Via shell
cd /usr/share/nginx/html/nextcloud
sudo -u nextcloud php updater/updater.phar
sudo -u nextcloud php occ maintenance:mode --off
Install Collabora Online:
https://github.com/CollaboraOnline/Docker-CODE/blob/master/scripts/start-libreoffice.sh
https://github.com/CollaboraOnline/Docker-CODE/blob/master/scripts/install-libreoffice.sh
https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/
import the signing key
wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/repodata/repomd.xml.key && rpm --import repomd.xml.key
add the repository URL to yum
yum-config-manager --add-repo https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7
perform the installation
yum install loolwsd CODE-brand hunspell hunspell-fr* collaboraofficebasis5.3-fr* collaboraoffice5.3-dict-fr collaboraofficebasis5.3-en* collaboraoffice5.3-dict-en
Creating a certificate for 127.0.0.1
mkdir /var/certs/collabora
cd /var/certs/collabora/
openssl genrsa -out privatekey.pem 4096
openssl req -new -x509 -sha512 -days 3650 -key privatekey.pem -out fullchain.pem
Editing the hosts file for local traffic.
Add your Nextcloud domain
vim /etc/hosts
127.0.0.1 XXX XXX XXX domainenextcloud.com
Fix Lool resolv.conf
rm /opt/lool/systemplate/etc/resolv.conf
ln -s /etc/resolv.conf /opt/lool/systemplate/etc/resolv.conf
Editing the loolwsd configuration file
cd /etc/loolwsd
vim loolwsd.xml
SSL certificate
<cert_file_path desc="Path to the cert file" relative="false">/var/certs/collabora/fullchain.pem</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/var/certs/collabora/privatekey.pem</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false"></ca_file_path>
<cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH">EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES256:AES256+EDH:!aNULL:!SHA</cipher_list>
WOPI access
<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
    <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="true">domainenextcloud.com</host>
</wopi>
<webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false">
    <host desc="Hostname to allow" allow="true">domainenextcloud.com</host>
    <host desc="Hostname to allow" allow="true">localhost</host>
</webdav>
To access the admin console (end of the file):
<admin_console desc="Web admin console settings.">
    <username desc="The username of the admin console. Must be set.">User</username>
</admin_console>
Create a secure password
loolconfig set-admin-password
Adding the FR/EN dictionaries
mkdir -p /usr/share/hunspell
mkdir -p /usr/share/hyphen
mkdir -p /usr/share/mythes
mkdir -p /opt/lool/systemplate/usr/share/hyphen
for i in $(find /opt/collaboraoffice5.3/share/extensions/ -name 'hyph*.dic'); do cp "$i" /opt/lool/systemplate/usr/share/hyphen; done
for i in $(find /opt/collaboraoffice5.3/share/extensions/ -name 'hyph*.dic'); do cp "$i" /usr/share/hyphen; done
cp /opt/collaboraoffice5.3/share/extensions/dict-fr/fr.dic /usr/share/hunspell/fr_FR.dic
cp /opt/collaboraoffice5.3/share/extensions/dict-fr/fr.aff /usr/share/hunspell/fr_FR.aff
cp /opt/collaboraoffice5.3/share/extensions/dict-en/en_US.* /usr/share/hunspell
cp /opt/collaboraoffice5.3/share/extensions/dict-en/en_GB.* /usr/share/hunspell
cp /opt/collaboraoffice5.3/share/extensions/dict-fr/thes_fr.dat /usr/share/mythes/th_fr_FR_v2.dat
cp /opt/collaboraoffice5.3/share/extensions/dict-en/th_en_US_v2.dat /usr/share/mythes
cp /opt/collaboraoffice5.3/share/extensions/dict-fr/thes_fr.idx /usr/share/mythes/th_fr_FR_v2.idx
cp /opt/collaboraoffice5.3/share/extensions/dict-en/th_en_US_v2.idx /usr/share/mythes
semanage port --add --type http_port_t --proto tcp 9980
semanage port --add --type http_port_t --proto tcp 9981
Nextcloud integration
Enable the "Collabora Online" app
Administration/Collabora Online: "Enter the domain of your Nextcloud server (e.g. https://domainenextcloud.com/)"
Accessing the Collabora admin console: https://domainenextcloud.com/loleaflet/dist/admin/admin.html
systemctl enable loolwsd
systemctl restart loolwsd
Errors
LOOP -> File permissions in /var/lib/php/ are all wrong if you are using NginX.
chown www-data: /var/lib/php/session/
chown root:www-data /var/lib/php/wsdlcache/
chown root:www-data /var/lib/php/opcache/
WOPI HOST Error -> Delete "add_header Content-Security-Policy"
Else : chmod -R 777 /var/lib/php/session
Error PDF Viewer -> add_header X-Frame-Options "SAMEORIGIN";
Error update nextcloud.log -> Delete the nextcloud.log file
PHP cron error: Fatal Error Unable to create lock file: Bad file descriptor -> chown root:root tmp && chmod 777 -R tmp/
'proxies_priv' entry '@% root@laptop4' ignored in --skip-name-resolve mode.
mysql> SELECT user, host FROM mysql.proxies_priv;
+------+-----------+
| user | host      |
+------+-----------+
| root | laptop4   |
| root | localhost |
+------+-----------+
The proxy privileges should have been cleaned up as well, but because of the bug they are not. Just delete the record manually:
mysql> DELETE FROM mysql.proxies_priv WHERE host = 'laptop4';
mysql> FLUSH PRIVILEGES;