
Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Hence I wonder if it is possible to run the script on an already existing jail, provided one comments out the bits that create it?
If you comment out the line that creates the jail, and add lines to install all the packages called for (or install them yourself), I don't see any reason it shouldn't work. That isn't really what it's designed for, though, so no guarantees.
Also, I know this is an OT thing, but I am really curious about your pfSense setup.
What are you curious about? I'm running it on one of the Netgate boxes, which was overpriced when I bought it two years ago, and is now $200 more, so I wouldn't recommend one of them (they're fine, and quite capable, machines, but I don't think the value proposition is very good). Unlike FreeNAS, though, its hardware requirements really are pretty modest. Be aware, though, that the next release will need AES-NI in the CPU, so consider that especially if you're buying hardware for that purpose.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Another feature I am looking at at the moment is the integration of ZFS snapshotting / file rollback. At least that's what I think the Nextcloud snapshot settings are meant for. Is it?
So it appears. Looks like there's a third-party app to expose filesystem snapshots to Nextcloud. I haven't played with it at all, but from what I can read from its docs, you'd first present ZFS to the jail (as you noted), and then need to install and configure this app.

The problem is that the actual data is stored outside of the jail, and therefore snapshots of the dataset that contains the data aren't exposed to the jail even when jail_zfs is turned on. I think implementing this would require some pretty significant structural changes (mainly that the data would need to be stored in the jail), and given that this is a third-party app for Nextcloud, I'm not inclined to mess with it for this reason. Certainly you could fork the repo and make those changes though.
 

Yaguznal

Explorer
Joined
Dec 23, 2013
Messages
63
The snapshots reside in the root of a dataset as a hidden folder.
So I made a new fstab entry of the root of the dataset of my files to "/mnt/files2/" in the cage, stopped Apache, adjusted Nextcloud's config to point to "/mnt/files2/files" instead and started Apache again. Set the snapshot format (weird name) to /mnt/files2/.zfs/snapshot and it picked them up.
I do not think I need to enable ZFS snapshotting in the cage itself.

You may easily be able to prepare the cage created by your script for the use of this plugin by not mounting the "files" folder within the dataset but the dataset itself.

The only problem now is that yMMdd.HHmm or auto-yMMdd.HHmm-2w does not seem to pick up the dates. Any ideas? My snapshots are called "auto-20180725.1700-2w" for example. I think I got this EEE formatting right and tried many iterations but it still won't pick it up. Even his own formatting ymd.Hi doesn't work.

It's unbelievable how many people rely on this feature in dropbox to undo their screw-ups. It's freaking built into freenas so I want to get this going.
 
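Yaguznal's setup above, as an added example written for this page (it is not from the thread, from danb35's script or from the snapshot app): mount the dataset root rather than its "files" subfolder so the hidden .zfs/snapshot tree is visible inside the jail, then find which periodic snapshots still hold an older copy of a file. The jail name nextcloud, the dataset path /mnt/tank/nextcloud/data and the function names are assumptions; /mnt/files2 is the mount point from the post, and auto-YYYYMMDD.HHMM-2w is the FreeNAS periodic-snapshot naming quoted there. Nothing below calls zfs or iocage, so the demo runs on a constructed directory tree laid out like a dataset root.

```shell
#!/bin/sh
# Added example, not danb35's script and not the Nextcloud snapshot app.
#
# The jail must see the dataset ROOT, because the .zfs directory only exists
# at the root of a dataset. On FreeNAS that is one nullfs line in the jail's
# fstab (names are assumptions; not executed here):
#   iocage fstab -a nextcloud /mnt/tank/nextcloud/data /mnt/files2 nullfs rw 0 0
# Nextcloud's datadirectory then points at /mnt/files2/files and the app at
# /mnt/files2/.zfs/snapshot, exactly as in the post.

snap_key() {
    # Map a FreeNAS periodic snapshot name (auto-YYYYMMDD.HHMM-<retention>)
    # to a sortable YYYYMMDDHHMM key. Prints nothing for other naming schemes.
    printf '%s\n' "$1" | sed -n 's/^auto-\([0-9]\{8\}\)\.\([0-9]\{4\}\)-.*$/\1\2/p'
}

list_snapshots() {
    # $1 = dataset root as mounted in the jail. Newest periodic snapshot first;
    # snapshots that do not follow the auto-* pattern come last.
    dir="$1/.zfs/snapshot"
    [ -d "$dir" ] || { echo "no .zfs/snapshot under $1 (is the dataset root mounted?)" >&2; return 1; }
    for s in "$dir"/*; do
        [ -e "$s" ] || continue
        name=${s##*/}
        key=$(snap_key "$name")
        printf '%s %s\n' "${key:-000000000000}" "$name"
    done | sort -r | cut -d' ' -f2
}

file_versions() {
    # $1 = dataset root, $2 = path relative to it (e.g. files/alice/files/x.txt).
    # Prints "<snapshot> <size in bytes>" for every snapshot holding the file,
    # newest first. Read-only: looking into .zfs/snapshot changes nothing.
    root="$1"; rel="$2"
    list_snapshots "$root" | while read -r name; do
        f="$root/.zfs/snapshot/$name/$rel"
        [ -f "$f" ] || continue
        printf '%s %s\n' "$name" "$(wc -c < "$f" | tr -d ' ')"
    done
}

# --- constructed demo tree standing in for a mounted ZFS dataset root ---
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/files/alice/files"
printf 'v3 current\n' > "$DEMO_ROOT/files/alice/files/report.txt"
for snap in auto-20180725.1700-2w auto-20180724.1700-2w manual-before-upgrade; do
    mkdir -p "$DEMO_ROOT/.zfs/snapshot/$snap/files/alice/files"
done
printf 'v2\n'      > "$DEMO_ROOT/.zfs/snapshot/auto-20180725.1700-2w/files/alice/files/report.txt"
printf 'v1 long\n' > "$DEMO_ROOT/.zfs/snapshot/auto-20180724.1700-2w/files/alice/files/report.txt"
# manual-before-upgrade predates the file, so it must not appear in the list.

file_versions "$DEMO_ROOT" files/alice/files/report.txt
```

On a real jail replace DEMO_ROOT with /mnt/files2; the snapshot directory is populated by ZFS on the host, so nothing needs to be enabled inside the jail, which matches Yaguznal's observation.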

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Hi Danb35,

My current Nextcloud instance is still running on the old jail and I am trying to migrate to the new iocage environment.
I have been experimenting with your script, but I am facing a few annoying issues that are currently preventing me from making the transition.

My current Nextcloud instance is accessed externally by exposing it to the internet via port forwarding with pfsense.
The setup was done following the original post from Joshua:
https://forums.freenas.org/index.php?threads/how-to-owncloud-using-nginx-php-fpm-and-mysql.17786/

When I first created my setup, Nextcloud was not yet around. Because of it, I retained the original URL address in the following format:

https://domain.net/owncloud

My relatives and friends who have an account or were given links to Owncloud, now and then, still need to access them after I am able to migrate everything.

For now, when installed from the script, the only way I can access Nextcloud is by entering the following address:

https://domain.net

Using the original address might still work, but only for web browsers. The Android application and Windows desktop app, as far as I can tell, do not have this flexibility, and it will cause the app to no longer be able to access the server.

As far as I can tell, I have to look at the RedirectRule from Apache to handle such a condition, but it seems that as soon as redirection takes place, I am no longer able to access the server. I don't know if it is an SSL certificate issue or not.

I have been trying to set up the new environment to work with HTTP only, but even then I am not able to get conclusive results. If I did, then I would be able to play around with the RedirectRules. Maybe RedirectRule is not the proper way to go. I am still learning.

Let's assume this above issue gets resolved, then the next one is also a major show stopper.
I want to move away from the port forwarding with pfsense, instead, I want to work with Haproxy.
My requirements are to have Haproxy act as a pass-through to one or more instances of Nextcloud.

I have been somewhat successful at pointing to two instances of Nextcloud (brand new install via your scripts) but I have the following limitations:

- If I perform a fresh install of Nextcloud with your script, and already have my frontend and backend set up for it (HTTP using tcp/http offloading) and (HTTPS using ssl/https (TCP mode)), then Letsencrypt fails validation and Nextcloud can never be accessed.

To fix it, I must disable Haproxy and go back to standard port forwarding and run Letsencrypt validation again. At that point I am able to get the certificate. Only then can I revert back to Haproxy setup.
The real reason Letsencrypt fails is unclear. It would seem Letsencrypt is expecting an answer on port 443 after communication was established over port 80. It could be an issue with my Haproxy frontend ACLs not being properly set (I am still learning how Haproxy ACLs work with pfsense).

The goal of this experiment is to be able to install one or more instances of Nextcloud behind a pfsense firewall running Haproxy as SSL pass-through to point to multiple backends while retaining the original address being:

https://domain.net/owncloud


This experiment is currently being performed on separate hardware as not to interfere with my production instance of Nextcloud.

Any feedback, recommendation or adjustment to the script (mostly to enable the use of Rewrite or RedirectRule) would be greatly appreciated.
I don't mind going through the learning curve, but I am making very little progress and I might actually face some Haproxy limitation as well.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Hi Yaguznal,

I am not familiar with the Dropbox snapshot feature and how it can be handled with Nextcloud manipulating snapshots.
My main concern is that ZFS snapshots on the "files" and "db" datasets are made by ZFS itself and not handled by Nextcloud. While Nextcloud may have the ability to access the snapshot list, you must understand that, unless Nextcloud places the database under maintenance mode, there is a probability the database and file content may become slightly out of sync, causing some level of corruption at the database level.
Let's assume Nextcloud will allow you to manipulate snapshots. Let's assume you have several accounts within Nextcloud and one user decides to roll back their changes by reverting to a previous snapshot. What do you think will happen? Well, if a snapshot can be rolled back, as it is a ZFS rollback, it will destroy every single file, folder and whatnot that was added or modified since the rolled-back snapshot. It will indeed revert the changes for everybody, not just your account. These would be system-wide changes.
I would think that with Dropbox the snapshots are only targeted at the user level, not the dataset level.
Also, with snapshot rollback, iocage will be required to free resources on the "files" and "db" datasets for the rollback to take place (I think), as FreeNAS (ZFS) might fail the transaction due to the datasets being used by the iocage application.

To an extreme, if you need to recover a previous snapshot, I would think it might be more reasonable to replicate the iocage application into a new iocage environment, clone or replicate the "files" and "db" datasets and then modify the fstab within the new iocage environment to change the mount point to the new cloned datasets (you can access the iocage jail via ssh under iocage/jails/YOURJAILNAMEHERE).
You will need to edit the fstab file; then there is also another file in the same folder which provides the iocage jail configuration. You can edit the ip4 address and the like, and more importantly change the name of the iocage jail itself, and upon starting the jail you will need to edit the domain name for the server and SSL certificate (maybe) in order to access them.
This is a long shot, but it is doable. At least it will keep your current version of Nextcloud intact while you are experimenting with the recovery. There may be some limitation in accessing the jail if you are running port forwarding only.
If the above doesn't work, you can limit yourself to the following:

Turn iocage off, clone the "files" and "db" datasets. Edit the fstab to point to the newly cloned datasets, then restart the iocage jail. At this point, you want to be careful that no other users access the jail (Windows desktop app or Android app), as it will cause them to sync with an older version of the database and folder content. They might lose a lot or add things to the cloned datasets rather than the normal datasets.
For that, I would temporarily disable the accounts until the operation is complete.
There is also a high probability that you or your users experience difficulties, losing files and such. I think such experiments must be done very carefully on a completely isolated system.
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
Hi danb,

I spin up my existing warden jails on an SSD here
/mnt/ssdjails/jails

I'd like to place the iocage jail under
/mnt/ssdjails/iocage

Further I'd like to place my files and database under
/mnt/freenas/
Which is where my storage tank is. It appeared to me after I set my pool path to /mnt/ssdjails/jails that my db and files were here and my jail was created in
/mnt/freenas/iocage

Virtually the opposite of what I wanted. Does your script not accommodate the location of the actual Nextcloud iocage jail?
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Hi Jag131990,

I think you can tell Freenas/ZFS to change the location of the active iocage jail system

You can search for freebsd iocage on the net.
I think you can run:

iocage activate ssdjails

You can also do a recursive snapshot of the "/mnt/freenas/iocage" dataset and replicate it to the other pool.

zfs send -R freenas/iocage@date | zfs recv ssdjails/iocage

Then run iocage activate ssdjails
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Does your script not accommodate the location of the actual Nextcloud iocage jail?
No, that's beyond the scope of my script--that's something you'd set directly with FreeNAS/iocage.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
danb35,
1) In your script you store the mysql database password in .my.cnf in the root directory. Is that secure?
2) Is there a way to securely pass the password to a script that will backup the database short of typing it in or having exposed in a variable located in a backup script? Mysql has a command to hide the credentials "mysql_config_editor" but it doesn't exist in mariadb.
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
Follow-up question: this must be an iocage thing, but the script seemed to add another IPv4 address to my FreeNAS em0 adapter outside of the jail.

I had seen someone else asked a similar question and the response was - this is normal.

However.. when I enter the jail IP in the browser or use my FQDN I land on the freenas login.

Scary as hell
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Hi Jag131990,

Indeed. I consider this a major security issue, especially if you use a weak password for the FreeNAS box.
I think, to get around this issue, you need to force FreeNAS to bind to its own IP address.
This also has other pitfalls, especially if FreeNAS is using DHCP, as the address could be remapped and it would render FreeNAS inaccessible, at least from the GUI.
 

jag131990

Explorer
Joined
Dec 2, 2016
Messages
68
Can anyone offer specific advice to resolve this issue, as it means I can't get to Nextcloud.

I have deleted the jail for now.

em0 is set as a static IP in FreeNAS interfaces, DHCP off. Gateway and nameservers under global. All looks normal to me.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Can anyone offer specific advice to resolve this issue, as it means I can't get to nextcloud.
I haven't seen the issue, so it's hard to offer specific advice, but turning vnet on for the jail may help.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
1) In your script you store the mysql database password in .my.cnf in the root directory. Is that secure?
It should be; the file's only readable by root.
Is there a way to securely pass the password to a script that will backup the database short of typing it in or having exposed in a variable located in a backup script?
I'd think using the .my.cnf file should accomplish this and be secure.
 
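danb35's answer rests on the file being readable by root only. As an added example for this page (not part of danb35's script), here is how a backup job run as root can lean on exactly that: the credentials live in a 0600 .my.cnf that the MariaDB client tools read on their own, so the password never sits in a shell variable, in the backup script, or on a mysqldump command line where every local user can glimpse it via ps while the client starts. The database name nextcloud, the demo password and the output path are assumptions, and the demo writes a throwaway temp file instead of /root/.my.cnf.

```shell
#!/bin/sh
# Added example, not from danb35's script. Root-only ~/.my.cnf as the single
# place the MariaDB password lives, plus a backup that checks it stays that way.

write_mycnf() {
    # $1 = file to write, $2 = db user, $3 = password.
    # umask 077 in a subshell makes the file 0600 from the moment it exists,
    # so there is no window where it is created world-readable and chmod'ed later.
    (
        umask 077
        printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1"
    )
}

mycnf_is_private() {
    # Returns 0 only if group and other have no permission bits at all.
    # Parsing the ls mode string is portable between FreeBSD and Linux,
    # unlike stat(1), whose flags differ.
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

backup_db() {
    # $1 = credentials file (normally /root/.my.cnf), $2 = database,
    # $3 = output file. Refuses to run if the credentials file has leaked.
    mycnf_is_private "$1" || { echo "refusing: $1 is readable by group/other" >&2; return 1; }
    # --defaults-extra-file must be the FIRST option on the mysqldump line.
    # When $1 is the ~/.my.cnf of the user running the job it is read anyway
    # and the option is redundant; no -u/-p appear on the command line either way.
    # Not executed here (needs a live server):
    #   mysqldump --defaults-extra-file="$1" --single-transaction "$2" | gzip > "$3"
    printf 'would dump %s using %s into %s\n' "$2" "$1" "$3"
}

# --- demo on a throwaway file instead of /root/.my.cnf ---
CNF=$(mktemp)
write_mycnf "$CNF" nextcloud 'constructed-demo-password'
mycnf_is_private "$CNF" && echo "ok: $CNF is private"
backup_db "$CNF" nextcloud /tmp/nextcloud.sql.gz
```

The same file answers NasKar's second question: a cron job running as root calls mysqldump with no credentials on its command line, and the only secret-bearing artifact is a root-owned 0600 file, which is the same trust boundary the script already relies on.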

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
Hi danb35,
First thanks to this script! I would like to ask what settings would I need if I'm using Cloudflare's SSL full with its CDN (orange clouded). Do I still need LetsEncrypt over here or other settings need to be placed?
Thanks.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
If you're behind Cloudflare, you can still run the script as is. I'd recommend in that case that you use DNS validation to get the cert (cloudflare DNS is well-supported by acme.sh; I used it myself for a while), as there are a couple of bugs dealing with renewing certs using HTTP validation.

Alternatively, you can use Cloudflare's origin cert, which they provide for free and which lasts much longer than an LE cert. The script really isn't set up to handle that, though, so you'd either need to bang on the script a bit, or go for a manual installation.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Can anyone offer specific advice to resolve this issue, as it means I can't get to nextcloud.

I have deleted the jail for now.

em0 is set as a static IP in freenas interfaces, dhcp off. Gateway and nameservers under global. All looks normal to me.
Hi jag131990,

I have read recently, can't remember where, that you can assign Freenas Web GUI to use a different port. But then again, if I recall correctly, the iocage jails will also be assigned the Web GUI port assignment as well.
I think the better alternative for now is to bind Freenas Web GUI to its own IP.

There were also some mention about mapping the jails to a second network card. I can't answer that one.
 
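A check for the situation jag131990 describes and Apollo and danb35 discuss above, added here as an example that is not from the thread or from danb35's script. The mechanism assumed is this: a jail without vnet gets its IP as an alias on the host NIC (em0 in the post), and a host daemon bound to the wildcard address *:80 or *:443 will accept connections to that alias whenever nothing inside the jail is listening on it. The function below parses sockstat -4 -l output (the FreeBSD socket lister) and flags wildcard listeners on the web ports; the sockstat output shown is constructed, and nginx as the FreeNAS GUI front end is what it is meant to look like on a FreeNAS 11 host.

```shell
#!/bin/sh
# Added example, not from the thread. Detect host daemons listening on ALL
# addresses for the web ports; those answer on a jail's alias IP as well.

wildcard_web_listeners() {
    # Reads `sockstat -4 -l` output on stdin and prints "COMMAND PID PORT" for
    # every TCP listener bound to *:80 or *:443 instead of a specific address.
    # Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
    awk 'NR > 1 && $5 ~ /^tcp/ && $6 ~ /^\*:(80|443)$/ {
             sub(/^\*:/, "", $6); print $2, $3, $6 }'
}

check_host() {
    # $1 = sockstat -4 -l output. Returns 1 and lists the culprits when a host
    # daemon is bound to all addresses on the web ports.
    found=$(printf '%s\n' "$1" | wildcard_web_listeners)
    if [ -n "$found" ]; then
        printf 'host listeners bound to all addresses (answer on jail aliases too):\n%s\n' "$found"
        return 1
    fi
    echo "no wildcard web listeners on the host"
}

# Constructed sample: the host GUI (nginx) on *:80/*:443, sshd and a jail's
# httpd correctly bound to specific addresses.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   *:80                  *:*
www      nginx      1234  7  tcp4   *:443                 *:*
root     sshd       900   4  tcp4   192.168.1.10:22       *:*
www      httpd      5678  4  tcp4   192.168.1.20:80       *:*'

# On a real host:  check_host "$(sockstat -4 -l)"
check_host "$SAMPLE_SOCKSTAT" ||
    echo "fix: bind the FreeNAS web GUI to the host's own IP, or give the jail vnet so its IP is not an alias on em0"
```

Run it on the FreeNAS host, not in the jail; the host's wildcard sockets are invisible from inside the jail, which is exactly why the problem only shows up when you browse to the jail's address.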

Yaguznal

Explorer
Joined
Dec 23, 2013
Messages
63
Let's assume Nextcloud will allow you to manipulate snapshots. Let's assume you have several accounts within Nextcloud and one user decided to rollback its changes by revertign to a previous snaphot. What do you think will happen? Well, if snapshot can be rolled back, as it is ZFS rollback, it will destroy every single files, folders and the whatnot that were added, modified since the rolledback snapshot. It will indeed revert the changes for everybody, not just your account. This would be system wide changes.
i would think, that with dropbox, the snapshot are only targetted at the user level not dataset level.
Also, with snapshot rollback, iocage will require to free resources to the "files" and "db" dataset for the rollback to take place (I think) as Freenas (ZFS) might fail the transaction due to the datasets being used by the iocage application.
My files and database are mounted in different datasets and thus different snapshot databases, so that would be no issue. Even if it would roll back my entire file dataset, I could just rescan my files and thus resync database/files again.
The implementation on the front end of the snapshot plug-in clearly indicates that you can only fetch previous versions of one file, not even folders. This means to me that it does not use the command to roll back an entire snapshot by zfs command but just fetches the respective file from the snapshot store via cp command or the like which would be nondestructive to any snapshot store.
To be sure I'd have to dig through the snapshot sourcecode though. Can't imagine the creator of this plugin hasn't thought of this himself and forgot to mention all this in his docs.
ATM there are just some backups from myself so I'll take my chances and report.
I just need to figure out this weird date format.
 
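Yaguznal's reading of the app (it fetches one file out of the snapshot store with something like cp) and Apollo's warning earlier in the thread (a zfs rollback reverts the whole dataset for everybody) are the two sides of the same choice. The added example below is written for this page and is not the snapshot app's code nor danb35's script: a per-file restore that copies out of .zfs/snapshot and touches no snapshot, with a guard against path escapes and a note on what has to happen afterwards in Nextcloud. The jail name nextcloud, the www user, the occ path /usr/local/www/nextcloud/occ and the dataset name tank/nextcloud/data are assumptions; the demo runs on a constructed tree.

```shell
#!/bin/sh
# Added example, not the snapshot app's code and not from danb35's script.
# Non-destructive single-file restore from a ZFS snapshot, as seen from inside
# a jail that has the dataset root mounted (e.g. at /mnt/files2).

restore_file() {
    # $1 = dataset root as mounted in the jail
    # $2 = snapshot name (e.g. auto-20180725.1700-2w)
    # $3 = path relative to the dataset root (e.g. files/alice/files/thesis.tex)
    root="$1"; snap="$2"; rel="$3"
    case "$rel" in
        ""|/*|*..*) echo "refusing '$rel': must be relative and must not contain .." >&2; return 2 ;;
    esac
    src="$root/.zfs/snapshot/$snap/$rel"
    dst="$root/$rel"
    [ -f "$src" ] || { echo "no $rel in snapshot $snap" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    # Keep the current copy so the restore itself can be undone.
    if [ -f "$dst" ]; then cp -p "$dst" "$dst.before-restore"; fi
    cp -p "$src" "$dst"
    # The bytes on disk changed behind Nextcloud's back, so its file cache is
    # stale until that user's path is rescanned inside the jail (assumed paths):
    #   iocage exec nextcloud su -m www -c \
    #     'php /usr/local/www/nextcloud/occ files:scan --path=/alice/files'
    # What NOT to do for one user's mistake:
    #   zfs rollback tank/nextcloud/data@auto-20180725.1700-2w
    # That reverts the entire dataset for every user, and it refuses while
    # newer snapshots exist unless forced with -r, which destroys them.
}

# --- constructed demo tree standing in for the mounted dataset root ---
DEMO_ROOT=$(mktemp -d)
SNAP=auto-20180725.1700-2w
mkdir -p "$DEMO_ROOT/files/alice/files" "$DEMO_ROOT/.zfs/snapshot/$SNAP/files/alice/files"
printf 'clobbered by a bad sync\n' > "$DEMO_ROOT/files/alice/files/thesis.tex"
printf 'good copy\n' > "$DEMO_ROOT/.zfs/snapshot/$SNAP/files/alice/files/thesis.tex"

restore_file "$DEMO_ROOT" "$SNAP" files/alice/files/thesis.tex
cat "$DEMO_ROOT/files/alice/files/thesis.tex"
```

Because the copy is made through the nullfs mount, the jail needs only read access to .zfs/snapshot and write access to the live files directory; no ZFS privileges have to be delegated to the jail for this to work, which is consistent with Yaguznal not needing jail_zfs.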

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
If you're behind Cloudflare, you can still run the script as is. I'd recommend in that case that you use DNS validation to get the cert (cloudflare DNS is well-supported by acme.sh; I used it myself for a while), as there are a couple of bugs dealing with renewing certs using HTTP validation.

Alternatively, you can use Cloudflare's origin cert, which they provide for free and which lasts much longer than an LE cert. The script really isn't set up to handle that, though, so you'd either need to bang on the script a bit, or go for a manual installation.
So with cloudflare's TLS cert, I wouldn't need to do the let's encrypt part, is this correct?

 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So with cloudflare's TLS cert, I wouldn't need to do the let's encrypt part, is this correct?
Correct. You'd download the origin cert and install it in the jail.
 