
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
The reason I ask is that I have a different machine running all my other services (web site, home assistant, octoprint, dokuwiki, deconz, VMs, etc.) via nginx, so no need for caddy.
You still need some web server to run Nextcloud, and that's the role Caddy serves (it's also a good reverse proxy, and I use it that way elsewhere, but here it's just acting as a webserver). If you want to put it behind an Nginx (or other) reverse proxy, no problem there, though you'll need to rely on others here for support of that configuration. But you can't just put a bunch of php files in a jail and have them work without a webserver to handle them.
 

Aephir

Dabbler
Joined
Apr 25, 2021
Messages
47
Ahh, I misunderstood then, I thought caddy was used as a reverse proxy here. The downside of relying on docker containers, I guess -> you don't know the details of how the services work.

I already have the nginx configuration working from my last (docker) install, so as soon as I just ran your script and changed the proxy_pass IP for nginx, I had a working nextcloud. Thanks for the clarification (and the nice script)!
 
Joined
Jan 4, 2014
Messages
1,644
So Nextcloud 21.0.3 became available to me in the stable channel and I decided to upgrade. After the upgrade, these messages appeared in the Admin Overview:

nc02.jpg


Trying to run the occ command in a terminal session, I got the following error:
Code:
root@nextcloud:/usr/local/www/nextcloud/config # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set default_phone_region --value="AU"'
An unhandled exception has been thrown:
OC\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

It appears that APCu has been deprecated and replaced. See this NC thread [SOLVED] Apcu Caching gives Error. The fix is to manually edit the config file...
Code:
root@nextcloud:/usr/local/www/nextcloud/config # ee config.php

...and change this line...
Code:
'memcache.local' => '\OC\Memcache\APCu',

...to this...
Code:
'memcache.local' => '\OC\Memcache\Redis',


After that, occ commands run successfully. @danb35 I've submitted a pull request to update your script. If anyone is interested in the commands I used to resolve the issues on the Admin Overview, refer to this blog post Upgrading from Nextcloud 20 to 21.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)
Interesting, I'm not able to duplicate this (or the warning on the admin page) with a fresh installation. However, if I apply your PR, I get lots of fatal errors:
Code:
System config value logrotate_size set to string 104847600
System config value memcache.local set to string \OC\Memcache\Redis
An unhandled exception has been thrown:
RedisException: Connection refused in /usr/local/www/nextcloud/lib/private/RedisFactory.php:92
Stack trace:
#0 /usr/local/www/nextcloud/lib/private/RedisFactory.php(92): Redis->connect('127.0.0.1', 6379, 0)
#1 /usr/local/www/nextcloud/lib/private/RedisFactory.php(108): OC\RedisFactory->create()
#2 /usr/local/www/nextcloud/lib/private/Memcache/Redis.php(43): OC\RedisFactory->getInstance()
#3 /usr/local/www/nextcloud/lib/private/Memcache/Factory.php(125): OC\Memcache\Redis->__construct('e2063b6c3a363dc...')
#4 /usr/local/www/nextcloud/lib/private/User/Manager.php(102): OC\Memcache\Factory->createDistributed('user_backend_ma...')
#5 [internal function]: OC\User\Manager->__construct(Object(OC\AllConfig), Object(OC\EventDispatcher\SymfonyAdapter), Object(OC\Memcache\Factory), Object(OC\EventDispatcher\EventDispatcher))
#6 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(101): ReflectionClass->newInstanceArgs(Array)
#7 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(109): OC\AppFramework\Utility\SimpleContainer->buildClass(Object(ReflectionClass))
#8 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(126): OC\AppFramework\Utility\SimpleContainer->resolve('OC\\User\\Manager')
#9 /usr/local/www/nextcloud/lib/private/ServerContainer.php(162): OC\AppFramework\Utility\SimpleContainer->query('OC\\User\\Manager', true)
#10 /usr/local/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php(56): OC\ServerContainer->query('OC\\User\\Manager')
(lots snipped)

I suspect the problem is that Nextcloud doesn't yet know how to connect to Redis (the socket/port are set on the next two lines), but it's late here right now.
 
Joined
Jan 4, 2014
Messages
1,644
I think the difference arises from our starting points - You're using the latest version of the script to install NC 21, while I started with an earlier script version and upgraded to NC 21 via the stable channel. There'll be some script change along the way that will account for the different outcomes. I'll compare the script I used with the latest script and see if I can spot the difference. I'll let you know later on today.
 
Joined
Jan 4, 2014
Messages
1,644
The key difference I've spotted in relation to this issue is the addition of the following line in the latest script (line 436). This line is missing from my version of the script.
Code:
iocage exec "${JAIL_NAME}" chmod 777 /var/run/redis/redis.sock


This is the permission I have set for redis.sock...
Code:
root@nextcloud:/var/run/redis # ls -l
total 1
-rw-r--r--  1 redis  redis  5 Jul  6 22:34 redis.pid
srwxrwx---  1 redis  redis  0 Jul  6 22:34 redis.sock

Interesting, I'm not able to duplicate this (or the warning on the admin page) with a fresh installation.
This line is also absent from the script version I'm using and would account for the warning on the admin page...
Code:
iocage exec "${JAIL_NAME}" su -m www -c "php /usr/local/www/nextcloud/occ config:system:set default_phone_region --value=\"${COUNTRY_CODE}\""

I've attached the version of the script I used when I originally set up Nextcloud early last year. You might be able to spot something else I may have missed.
 

Attachments

  • nextcloud-jail.zip
    5.6 KB · Views: 197
Joined
Jan 27, 2020
Messages
577
I think the difference arises from our starting points - You're using the latest version of the script to install NC 21, while I started with an earlier script version and upgraded to NC 21 via the stable channel. There'll be some script change along the way that will account for the different outcomes. I'll compare the script I used with the latest script and see if I can spot the difference. I'll let you know later on today.
Kinda OT, but did anybody try to update the nc instance with the script? I noticed there are checks for previous installations in the script, but never tried it. Updating everything manually did work very well until now.

EDIT: Above all, would that help with what basil ran into?
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Never tried updating with the script, always used the web updater and it's worked so far.
Anyone know how to get rid of the Nextcloud warning "The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security "
I have installed caddy with the no-ssl config and use another caddy instance as a reverse proxy.
I have added
header {
enable HSTS
Strict-Transport-Security max-age=31536000;
}
To both the reverse proxy and backend caddy but still get the error.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
Anyone know how to get rid of the Nextcloud warning "The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security "
Probably the most important thing to do is to determine whether you really are sending the header or not--ssllabs.com should tell you.

Edit: Or if it isn't accessible from outside, use testssl.sh:
 
Joined
Jan 4, 2014
Messages
1,644
header {
enable HSTS
Strict-Transport-Security max-age=31536000;
}
The second line is a comment...
Code:
header {
# enable HSTS
Strict-Transport-Security max-age=31536000;
}

You can also shorten this to...
Code:
header Strict-Transport-Security "max-age=31536000;"
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
The second line is a comment...

Thanks, that fixed it! Funny how caddy did not complain...

Probably the most important thing to do is to determine whether you really are sending the header or not--ssllabs.com should tell you.

I get a B using ssl labs. Not sure why, nextcloud no longer complains and HSTS is enabled on cloudflare dashboard.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
I get a B using ssl labs. Not sure why
It will tell you why. My point wasn't so much to check for the grade, but one of the things it will tell you is whether HSTS is enabled.
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Yes, it does say HSTS is enabled, thanks! I also got an A grade by setting TLS 1.3 as the minimum requirement.
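
The header check suggested above can also be done locally. This is an added example, not part of any post in this thread: it parses raw response headers and applies the 15552000-second minimum quoted in the Nextcloud warning. The three sample responses are constructed, and `cloud.example.com` in the note below is a placeholder.

```shell
#!/bin/sh
# Added example: does a response carry the HSTS header Nextcloud expects?
# Reads raw HTTP response headers on stdin.

NC_MIN_MAX_AGE=15552000   # minimum quoted in the Nextcloud admin warning

# Print the max-age value of Strict-Transport-Security, or nothing if absent.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            line = tolower($0)
            sub(/^[^:]*:/, "", line)            # drop the header name
            n = split(line, parts, ";")         # directives are ;-separated
            for (i = 1; i <= n; i++) {
                gsub(/[ \t"]/, "", parts[i])
                if (parts[i] ~ /^max-age=[0-9]+$/) {
                    sub(/^max-age=/, "", parts[i])
                    print parts[i]
                    exit
                }
            }
        }'
}

# Exit status 0 if the header is present and max-age meets the minimum.
hsts_ok() {
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$NC_MIN_MAX_AGE" ]
}

# Constructed sample responses (not captured from a real server).
SAMPLE_GOOD='HTTP/2 200
server: Caddy
strict-transport-security: max-age=31536000;
content-type: text/html; charset=UTF-8'
SAMPLE_MISSING='HTTP/2 200
server: Caddy
content-type: text/html; charset=UTF-8'
SAMPLE_SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600; includeSubDomains'

for name in GOOD MISSING SHORT; do
    eval "resp=\$SAMPLE_$name"
    if printf '%s\n' "$resp" | hsts_ok; then echo "$name: ok"; else echo "$name: warning"; fi
done
```

Against a live instance, pipe real headers in, for example `curl -sI https://cloud.example.com | hsts_ok`, and test the public hostname on the reverse proxy, since that is the response browsers see.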
 
Joined
Jan 27, 2020
Messages
577
Log Rotation seems to not be working properly.

Error: rename(/var/log/nextcloud.log,/var/log/nextcloud.log.1): Permission denied at /usr/local/www/nextcloud/lib/public/Log/RotationTrait.php#52

Permission seems to be in order though:
-rw-r----- 1 www wheel 398508909 Jul 10 02:07 nextcloud.log
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Log Rotation seems to not be working properly.

Error: rename(/var/log/nextcloud.log,/var/log/nextcloud.log.1): Permission denied at /usr/local/www/nextcloud/lib/public/Log/RotationTrait.php#52

Permission seems to be in order though:
-rw-r----- 1 www wheel 398508909 Jul 10 02:07 nextcloud.log

What about the permissions for the /var/log directory?
 
Joined
Jan 27, 2020
Messages
577
What about the permissions for the /var/log directory?
Never touched it, and neither does the script, IIRC. root:wheel for everything except redis. That's probably it.

It's maybe a good idea to put the nextcloud.log in a subfolder of var/log. But I don't know if that's still accessible for php or other stuff. But giving www ownership of the whole log folder is not cool.
 
Joined
Jan 4, 2014
Messages
1,644

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,464
It probably did. Check /var/log/caddy.log.
Caddy shouldn't have a problem; it runs as root. But PHP runs as www, which is why that user owns the nextcloud.log. Looks like I need to create /var/log/nextcloud/, change its ownership appropriately, and put the nextcloud log there. Strange the issue's never come up before, though.
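
Both permission problems in this thread (www reaching `redis.sock`, and www rotating a log inside `/var/log`) come down to which mode-bit triplet applies to the www user. The following is an added example, not code from the install script or from any poster: it evaluates one `ls -l` line for a given user. The socket line is the one posted earlier in the thread; the two directory lines, and the idea of www being a member of the redis group, are assumptions for illustration.

```shell
#!/bin/sh
# Added example: evaluate classic Unix mode bits from one `ls -l` line.
# Ignores ACLs and the sticky-bit ownership rule.

# Print the rwx triplet (owner, group or other) that applies to USER.
# Usage: perm_bits USER "GROUP LIST" "LS_LINE"
perm_bits() {
    user=$1; grps=$2; line=$3
    if [ "$user" = root ]; then printf 'rwx'; return 0; fi   # root bypasses mode bits
    set -- $line                      # fields: mode links owner group ...
    mode=$1; owner=$3; group=$4
    if [ "$user" = "$owner" ]; then start=2
    elif printf ' %s ' "$grps" | grep -q " $group "; then start=5
    else start=8
    fi
    printf '%s' "$mode" | cut -c"$start"-"$((start + 2))"
}

# connect(2) on a Unix socket needs write permission on the socket file.
can_connect() {
    case $(perm_bits "$@") in ?w?) return 0 ;; *) return 1 ;; esac
}

# rename(2) needs write and search permission on the containing directory;
# the mode of the file being renamed does not matter.
can_rename_in() {
    case $(perm_bits "$@") in ?w[xst]) return 0 ;; *) return 1 ;; esac
}

# Socket line as posted in the thread; the two directory lines are constructed.
SOCK='srwxrwx---  1 redis  redis  0 Jul  6 22:34 redis.sock'
VAR_LOG='drwxr-xr-x  9 root  wheel  40 Jul 10 02:07 /var/log'
NC_LOG='drwxr-x---  2 www  www  3 Jul 10 02:07 /var/log/nextcloud'

report() {   # report LABEL CHECK USER GROUPS LINE
    label=$1; check=$2; shift 2
    if "$check" "$@"; then echo "$label: allowed"; else echo "$label: denied"; fi
}
report "www -> redis.sock (groups: www)"       can_connect   www "www"       "$SOCK"
report "www -> redis.sock (groups: www redis)" can_connect   www "www redis" "$SOCK"
report "www rotates log in /var/log"           can_rename_in www "www"       "$VAR_LOG"
report "www rotates log in /var/log/nextcloud" can_rename_in www "www"       "$NC_LOG"
```

With the socket left at `srwxrwx---`, group membership alone is enough for www to connect, which is a narrower grant than mode 777; a dedicated log directory owned by www gives PHP the directory write access that rotation needs without opening up all of `/var/log`.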
 
Joined
Jan 27, 2020
Messages
577
Looks like I need to create /var/log/nextcloud/
That's what I was suggesting... would have tried it myself, but wasn't sure what except php needed access to that directory.
 