[HOWTO] Install Owncloud inside a Jail

[raulfg3]

warning - outdated post for latest N4F 10.x, do not use for latest version only valid for N4F 9.x



This HOWTO is inteded to avoid problems with owncloud when you upgrade Nas4Free ( when NAs4Free upgrade PHP Ownclou fails).
It's possible for both install, embeded and full , and it's the recomended way to install packages like owcloud, minidlna, etc.. in the future, because eliminate dependancies of the Nas4Free install so no interaction happend between Packages and Nas4Free.

Prerequisites:

You need to have a fully working jail , to do it , please use fsbruva excelent TheBrig jail manager: viewtopic.php?f=79&t=3894

To install Owncloud use next script done by fsbruva: viewtopic.php?f=79&t=1565#p7046

some screenshot and my install:

putty.zip

mysql user.jpg

mysql user 2.jpg

mysql process.jpg

if lighttpd do not start, probably your jail Ip is not 192.168.1.201 that is default in script, so you need to load lighttpd.conf and finf 192.168.1.201 and change by your jail IP.

Once done, /usr/local/etc/rc.d/lighttpd start must work, so you can access to owncloud by https:// to finalize config.

this is my first attempt to load owncloud:

ownCloud - Mozilla Firefox.jpg

I need to change owner of ownclod folder to www (ID=80), I use WinSCP in the screen Capture, but you can change in shell doing

Code: Select all

 chown -R www:www /usr/local/www/owncloud

www - RNAS - WinSCP.jpg

once done you cann see owncloud welcome screen:

ownCloud.jpg

[fsbruva]

Here's a script that *should* do most of the steps:

1. Will use lighttpd (apache is impossible because it's in a jail)
2. Will use HTTPS only
3. Will only serve Owncloud (no other virtual servers)
4. Will use mysql (better)
5. WIll use mysql sockets (much more secure)
6. Will utilize fast-cgi (as per owncloud's recommendation)
7. Will utilize fast-cgi sockets (much more efficient)

I have tested this about 50 times in a new, blank jail, so take precautions if this is not what you have.

1. Install a jail, per Raul's posts
2. Obtain shell access to the jail ( jexec 1 csh )
3. Get this file into the jail ( fetch http://www.xenopsyche.com/mkempe/oc/owncloud_injail.sh )
4. Mark it executable (chmod a+x owncloud_injail.sh)
5. Run it (./owncloud_injail.sh)

Some notes:
* This must be run at the command line, because it is interactive. There is no way to make it not so.
* You will need to supply some info during the install:
a. A new SQL database root password
b. A private key password (you will enter it, confirm it, then enter it a last time to remove it)
c. The necessary data for your self-signed cert to use for HTTPS. This is up to you, and doesn't really matter.

Once done, I navigate to https://192.168.1.201:81. (note Ip, must be the Ip of your owncloud jail) There I would create the new user account and password to complete the installation. Click on "Advanced", and click on "MySQL". Type in root for the username, whatever root password you set during the database setup, pick a name for a database (doesn't matter), and leave the localhost part. Click Finish Setup, and ENJOY!!!.

LATEST SCRIP: viewtopic.php?f=79&t=1565&start=100#p54828

[himbrr]

Hey fsbruva,
I found a bug in your script.

Code: Select all

root@proto:/ # /usr/local/etc/rc.d/lighttpd onestart
Starting lighttpd.
2012-11-24 22:48:55: (configfile-glue.c.157) ERROR: unexpected value for key: server.use-ipv6 disabled (enable|disable)
/usr/local/etc/rc.d/lighttpd: WARNING: failed to start lighttpd

So you have to change line 103 from

Code: Select all

	sed -r '/^server.use-ipv6/s|"(.*)"|"disabled"|' | \

to

Code: Select all

	sed -r '/^server.use-ipv6/s|"(.*)"|"disable"|' | \

Installing the packages also don't work for me. But I installed it by hand, because I had to set the PACKAGESITE variable manually.

Code: Select all

 setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9.0-stable/Latest/

Maybe this is a failure of my jail. I think this is not related to your script.

EDIT: Sorry, but where stores owncloud the data files of the users?
In the script I replaced this line with the path, where owncloud has to store the files.

Code: Select all

owncloud_data="/mnt/zpool/OwnData"

I created a textfile in the webinterface, but I can't see this in the "owncloud_data path...
If this would work, I want to mount the user dir's in the owncloud_data folder.

[misterredman]

EDIT: Sorry, but where stores owncloud the data files of the users?

Owncloud default data directory is the "data" directory inside owncloud directory (if you install following the instructions in this thread it is:

Code: Select all

/usr/local/www/owncloud/data

It is possible to change the data directory when installing, by clicking on "Advanced" the first time owncloud is loaded (it0s the page that displays the security warning and that let you create the admin user).

It is also possible to change the data directory later by modifying the "datadirectory" entry in

Code: Select all

/usr/local/www/owncloud/conf/conf.php

.

I'd like to add that, in the owncloud docs, there are a couple observation for those using lighttpd concerning security: http://owncloud.org/support/webserver-notes/

It suggests to add a couple entries in the lighttpd.conf file to make sure it's not possible to read the data directory (if it's located in the webserver root) and to disable directory listing.

[fsbruva]

This is an explanation of what's going on in the script I posted 6 posts up.

As Raul mentioned, you should have a jail up and running that has wan access. These instructions are predicated upon you being able to ssh into your Nas4Free machine, and then get to a prompt.

Code: Select all

nas4free# jls

if all is working, you obtain something similar to:

Code: Select all

    JID  IP Address      Hostname                      Path
    1    192.168.1.201   proto.domain.local            /jail/proto

now you need to log into jail.

Code: Select all

proto# jexec 1 csh   # enter jail 1 in our case proto

Now you need to install the necessary packages. Do the extensions first, so you avoid getting mismatched versions of php and extensions.

Code: Select all

pkg_add -r lighttpd
pkg_add -r php5-extensions
pkg_add -r php5-xmlrpc
pkg_add -r php5-gettext
pkg_add -r php5-mcrypt
pkg_add -r php5-mbstring
pkg_add -r php5-zip
pkg_add -r php5-gd
pkg_add -r php5-zlib
pkg_add -r php5-fileinfo
pkg_add -r php5-mysql
pkg_add -r mp3info
pkg_add -r mysql55-server

HOWTO Configure MySQL inside the Jail
Per the Owncloud documentation, if you have multiple users, MySQL is recommended. We need the database to be up and running before we can use Owncloud

1. As you can see above, we installed the mysql-server package, which as of this post is version 5.5:

2. Once completed, enable mysql by modifying the jail's rc.conf

Code: Select all

echo 'mysql_enable="YES"' >> /etc/rc.conf

3. We need to modify the mysql config so that it doesn't involve the network stack:

echo '[mysqld]' >> /var/db/mysql/my.cnf
echo 'skip-networking' >> /var/db/mysql/my.cnf

3. Test that it starts with

Code: Select all

/usr/local/etc/rc.d/mysql-server start

4. Once it starts, you need to tighten up the security of your WIDE open SQL database, with this handy tool:

Code: Select all

mysql_secure_installation

You will want to provide a strong root password, remove the anonymous accounts, disallow remote root access, remove the test database & access, and reload privilege tables.

Next up: webserver config!

[fsbruva]

HOW TO configure lighttpd for HTTPS and fast-cgi
This will detail how to configure your owncloud's lighttpd server to use https and fast-cgi. Since my jail only runs owncloud, I am configuring lighttpd to only ever use https.

1. Create a key for your server - I did this is the root's home folder

Code: Select all

cd ~
openssl genrsa -des3 -out server.key 1024

You'll be prompted for a password. Type in one.

OPTIONAL
If you keep the password protection on the key, you will need to enter the password for lighttpd anytime the server starts. I run a headless install, and expect that after a power outage, everything should just work. So - you can remove the password protection from the key with:

Code: Select all

openssl rsa -in server.key -out no.pwd.server.key

2. Create a certificate request, then self-sign the certificate. For this step, it doesn't matter if you removed the password or not.

Code: Select all

openssl req -new -key server.key -out server.csr

Here you get to enter all manner of fun information about your server. The Common Name should match whatever URL you want your sever to present as. It really doesn't matter, though. Next you need to sign the request.

Code: Select all

openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

This creates a certificate (.crt) good for 365 days. Feel free to use any value you want here.

3. Create your pem file. This is the only step that it matters whether or not you removed the password or not.

Code: Select all

cat server.key server.crt > server.pem

The above code will create a pem file that requires a password. If you took the optional step for removing the password, your code is:

Code: Select all

cat no.pwd.server.key server.crt > server.pem

Since the key remains in a place that is only readable by root, it should be fine. If not, it's all in a jail, so no big deal!

4. Move stuff to their destinations, and set ownership & access

Code: Select all

mkdir /usr/local/etc/lighttpd/ssl
cp server.crt /usr/local/etc/lighttpd/ssl
chown -R www:www /usr/local/etc/lighttpd/ssl/
chmod 0600 server.pem

5. Modify the /usr/local/etc/lighttpd/lighttpd.conf file by adding the following anywhere:

Code: Select all

ssl.engine = "enable"
ssl.pemfile = "/root/server.pem"
ssl.ca-file = "/usr/local/etc/lighttpd/ssl/server.crt"
ssl.cipher-list  = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
ssl.honor-cipher-order = "enable"
ssl.disable-client-renegotiation = "enable"

6. Other modifications to the config file will be done to protect from directory listing. Add the following to lighttpd.conf, anywhere (I used the bottom of the file):

Code: Select all

$HTTP["url"] =~ "^/data/" {
     url.access-deny = ("")
   }

$HTTP["url"] =~ "^($|/)" {
     dir-listing.activate = "disable"
   }

cgi.assign = ( ".php" => "/usr/local/bin/php-cgi" )

7. Now we need to personalize the lighttpd config, by supplying the appropriate values for the following variables:

Code: Select all

server.port = 81 #example, you can use other 
server.bind = "192.168.1.17"
server.use-ipv6 = "disable" #mandatory, unless you enable ipv6 for all jails
server.document-root = "/usr/local/www/owncloud"
var.server_root = "/usr/local/www/owncloud"
$SERVER["socket"] == "192.168.1.17:81"

8. The next thing is to enable the fast-cgi module. Do this by editing /usr/local/etc/lighttpd/modules.conf, and uncommenting the following line by removing the '#':

Code: Select all

#include "conf.d/fastcgi.conf"

9. Edit the /usr/local/etc/lighttpd/conf.d/fastcgi.conf file by adding the following code:

Code: Select all

fastcgi.server = ( ".php" =>
  ((
    "socket" => "/tmp/php.socket",
    "bin-path" => "/usr/local/bin/php-cgi",
    "bin-environment" => (
      "PHP_FCGI_CHILDREN" => "16",
      "PHP_FCGI_MAX_REQUESTS" => "10000"
    ),
    "min-procs" => 1,
    "max-procs" => 1,
    "idle-timeout" => 20
  ))
)

10. Edit the lighttpd mime configuration /usr/local/etc/lighttpd/conf.d/mime.conf, and add the following to the list someplace:

Code: Select all

".svg" => "image/svg+xml",
".xht" => "application/xhtml+xml",
".xhtml" =>  "application/xhtml+xml",
".woff" =>  "application/x-font-woff",
".svgz" => "image/svg+xml",

We are now done editing conf files (THANK GOODNESS). If you have made a mistake, you can check the config file's syntax with:

Code: Select all

lighttpd -t -f /usr/local/etc/lighttpd/lighttpd.conf

11. Now we are finally ready for Owncloud's installation.

Code: Select all

cd /tmp
fetch http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2
tar xf owncloud-5.0.6.tar.bz2
cp -r /tmp/owncloud /usr/local/www/
chown -R www:www /usr/local/www/

12. You can now start your server with:

Code: Select all

/usr/local/etc/rc.d/lighttpd start

In the example case, I navigate to https://192.168.1.201:81. There I would create the new user account and password to complete the installation. Click on "Advanced", and click on "MySQL". Type in root for the username, whatever root password you set during the database setup, pick a name for a database (doesn't matter), and leave the localhost part. Click Finish Setup, and ENJOY!!!.

[fsbruva]

I updated the install script in my previous post: viewtopic.php?f=79&t=1565&sid=a15e144fb ... 2912#p7046

This fixes the errors in the previous version, updates the installer to owncloud 5.0.6, and uses mysql and https. ENJOY!!

[fsbruva]

Update: There are some missing directives in the mime.conf file, as well as php.ini. This results in some of the icons not showing up properly, and the php.ini aspect affects app installation within owncloud. I will try and track down the errors, but I make no promises...

[raulfg3]

strange, I notice like you say in chrome, but not in firefox, see my screen capture.

PD: Excelent script and job, I only need 2 minutes to install owncloud inside a jail.

Firefox owncloud.jpg

chrome_owncloud.jpg

[fsbruva]

Did you experience the ownership error, even with my script?

I thought the script took ownership of the owncloud folder.... Line 204:

Code: Select all

chown -R www:www /usr/local/www/

[raulfg3]

Hello to all, I have an annoning issue with locales.

I have some folders and files that contain locales, eg: "1ª temporada", "España", "camión", etc.. I see locales correctly in SMB shares and using WinSCP , and I have mount this Video Folder inside the Onwcloud in read only mode (thank TheBrig), but when I navigate in the Owncloud WebGUI, none of this locales is shown . In fact I will be redirect to owncloud WebGUI root folder when try to see one of my localized folders (Folders & files without locales are show perfectly).

I suppose that I need to define locales inside the jail or somethings.

anyone can help me ?

How to define ISO-8859-1 or UTF-8 inside the jail ?

Is this info usefull:? http://www.b1c1l1.com/blog/2011/05/09/u ... n-freebsd/

how I can change this:

Code: Select all

rnas:~# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.201   kissdx.local                  /mnt/NAS-A/Jail/kissdx
     2  192.168.1.202   minidlna.local                /mnt/NAS-A/Jail/minidlna
     5  192.168.1.204   www.local                     /mnt/NAS-A/Jail/www
rnas:~# jexec 5 csh
root@www:/ # locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_ALL=en_US.UTF-8
root@www:/ # exit

by es_ES.UTF-8

I change /etc/login.conf lines :

Code: Select all

#
# Russian Users Accounts. Setup proper environment variables.
#
# espanish|Espanish Users Accounts:\
	:charset=UTF-8:\
	:lang=es_ES.UTF-8:\
	:tc=default:

and execute

Code: Select all

cap_mkdb -v /etc/login.conf

but do not work:

Code: Select all

root@www:/ # locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_ALL=en_US.UTF-8
root@www:/ # cap_mkdb -v /etc/login.conf
cap_mkdb: 8 capability records
root@www:/ # locale
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_ALL=en_US.UTF-8
root@www:/ #

[thermion]

First my thanks to Fsbruva and Raul for their extensive work on Jails and The Brig, and for making the information freely available.

I have managed to establish a working Owncloud (several times now), but every time I find that the upload limit is only 2m. In spite of much research I have not yet found a way to increase this value to something more usable. It seems that the 2m limit is usually set in php.ini. However, I cannot find php.ini anywhere on the system. Yes, have searched using 'find', (and even rather pointlessly done manual searches). I can find the header file, but no '.ini'. Also, I have looked at .htaccess, and the upload limits are more than enough.

Please can anyone suggest where this 2m limit is being set, and how can I increase it?

[alexey123]

It seems that the 2m limit is usually set in php.ini. However, I cannot find php.ini anywhere on the system.

Check into /usr/local/etc folder.

Also, I have looked at .htaccess, and the upload limits are more than enough.

If you use lighttpd, file .htaccess not working

Please can anyone suggest where this 2m limit is being set, and how can I increase it?

Better way - create file, named .user.ini into your webserver document root folder ( where you extract owncloud ) and put into string

Code: Select all

upload_max_filesize = "512M"

Then restart webserver.
For check your php setting create test file such any_name.php in document root folder
Put into string

Code: Select all

<?php phpinfo(); ?>

And check your php setting over webinterface

Code: Select all

http://your_nas_ip/any_name.php

[thermion]

Alexey, many thanks for your quick attention and help OK I stopped webserver /usr/local/etc/rc.d/lighttpd onegracefulstop and created .user.ini as advised. Great! I now have upload limit of 8M. So at least now I can upload photos.

Also, thank you for educating me to check the php setting over webinterface. As no doubt you would expect, I am seeing post_max_size local value: 8M master value: 8M.

Correction: I omitted post_max_size local value: 512M master value 2M. I have tested file upload and it is good to 8M. So, clearly the former 2M limit is being over-ridden.

Follow up: OK I have done the obvious and set post_max_size = "512M" in .user.ini All sorted now and have 512M upload showing in Owncloud.

[mrxeon]

Hello guys, I would like to thank the excellent work, I managed to install FreeNAS owncloud in jail.
I'm not able to deal with are those pendencies.
I installed smbclient, I can connect the terminal, but at owncloud receive these messages. please could help solve?


Warning: "smbclient" is not installed. Mounting of CIFS/SMB shares is not possible. Please ask your system administrator to install it.
Warning: The FTP support in PHP is not enabled or installed. Mounting of FTP shares is not possible. Please ask your system administrator to install it.

Thank you!!

[crest]

Hi fsbruva,

first of all a big THANK YOU for your excellent script "owncloud_injail.sh", it makes the installation as easy as it can be !

I only want to tell you that there is a small bug in the script regarding the Owncloud version variable.
Prior to the installation I changed the variable in the config section of the script to

Code: Select all

owncloud_version=5.0.10

but this was ignored by the fetch command (the version 5.0.6 is hardcoded in the script). So it would be necessary to include the owncloud_version variable there - in the following tar command it is already done.

Best regards,
crest

[djhack1639]

Thanks for the guide everyone.
I did run into the issue of the owncloud version number being hard coded in the install script, but it was easy enough to solve.
I also had to add lighthttpd to the rc.conf in the jail.
After restarting the jail OwnCloud is working!

Start to finish it took maybe 20 mins.

Now to get my mount ponits mapped correctly and set up a sub-domain on ddns and forward the port

[russb123]

thanks for your work on this script! I was able to get it up and running without too much trouble.

One problem tough. I can only access it from my local network. I used port 8181 and setup my router to forward that port to 192.168.1.201. Is there something else I need to add to a configuration file to allow Internet access.

[russb123]

I think I figured out my problem. I edited my rc.conf to put in my network interface (re0 in my case) and added gateway_enable="YES". I can now access owncloud from the internet.

My rc.conf now looks like this:

sendmail_enable="NONE"
syslogd_flags="-ss"
rpc_bind="NO"
network_interfaces="re0"
cron_flags="$cron_flags -J 15"
mysql_enable="YES"
lighttpd_enable="YES"
gateway_enable="YES"

Thanks again for the script!

[MikeMac]

first of all thanks for very usefull script. after a few attempts I had installed owncloud

But I suppose there are a few minor problems, preventing me from hassle-free installation

1) Installation
Time after time in teh middle of install section, normally after
pkg_add -r php5-xml
someting goes wrong and packages could not be installed with "Protocol error" message.
So I had striped script to 4 parts. First one is installation. If someting goes wrong, I could manually install packages

2) Key generation.
Problem is that script is executed at /tmp. So keys are created at /tmp folder. But command
openssl x509 -req -days 365 -in /root/server.csr -signkey /root/no.pwd.server.key -out /root/server.crt
fails due to there is no such file as /root/server.csr
I had added before this section
cd /root

3) I had changed command for fetch owncloud to
fetch "http://download.owncloud.org/community/ ... n}.tar.bz2"

So one sucessfully works now with current ver 5,0.10

4) I do not know why, but lighttpd starts in my system only with the following command

/usr/local/etc/rc.d/lighttpd start -f /usr/local/etc/lighttpd/lighttpd.conf

PS I had uploaded corrected scripts here

[alexey123]

I add 3 posts about protection owncloud with fail2ban inside a jail.

[lindsay]

How to fix this as the jail i use for owncloud was supposed to be 192.168.0.200:81

/usr/local/etc/rc.d/lighttpd onestart
Starting lighttpd.
2013-09-11 08:46:23: (network.c.379) can't bind to port: 192.168.1.201 81 Can't assign requested address
/usr/local/etc/rc.d/lighttpd: WARNING: failed to start lighttpd

[raulfg3]

check in first post ( viewtopic.php?f=79&t=1565#p6725 ) about this:

if lighttpd do not start, probably your jail Ip is not 192.168.1.201 that is default in script, so you need to load lighttpd.conf and finf 192.168.1.201 and change by your jail IP.

please load lighttpd.conf with embeded N4F file editor, find 192.168.1.201 , and change it by 192.168.0.200

[lindsay]

Up and working thanks raulfg3

[lindsay]

How do you symlink to a place outside the jail if it`s possible?
The USB stick is way to small to hold backups for owncloud

[raulfg3]

I use fstab in thebrig as described here: viewtopic.php?f=79&t=3894#p20142

[guljo]

Hi,
Thanks for the excellent guide but, I have problem with first accessing of owncloud.

These are some details of my NAS

1. Processes

processes.png

2. Services

services.png

3. The Brig

TheBrig.png

4. The local IP of my NAS is 192.168.178.37:7900

5. Jail IP 192.168.178.102:32
6. I have change the IP in the script before installing owncloud

Am I doing something wrong?

Thanks for the help.

[raulfg3]

is clear that owncloud is not starting, please provide more info, start onwcloud by hand and post output, post lighttpd.conf and rc.conf (rc.conf inside the jail) to see values.

if you can reinstall ownclod in a clean jail, please provide this time complete output of install script to see errors ( save log session of open shell).

[jasch]

I getting the IP Problem also.

Code: Select all

Starting lighttpd.
2013-10-01 14:55:24: (network.c.379) can't bind to port: 192.168.1.201 81 Can't assign requested address
/usr/local/etc/rc.d/lighttpd: WARNING: failed to start lighttpd

but i have already changed ip in /usr/local/etc/lighttpd/lighttpd.conf

Code: Select all

##  Basic Configuration
## ---------------------
##
server.port = 81

##
## Use IPv6?
##
server.use-ipv6 = "disable"
##
## bind to a specific IP
##
server.bind = "192.168.6.113"
##

[alexey123]

Check $SERVER["socket"] value