Run ownCloud Infinite Scale and OnlyOffice with Podman #359

big1tasty opened this issue Jan 28, 2023 · 0 comments
Preparation

Create volumes and network:

  • Config Volume podman volume create ocis-config
  • Data Volume podman volume create ocis-data
  • WOPI Volume podman volume create wopi-recovery
  • OCIS Network podman network create ocis_net
    Note: I use a Cloudflare Tunnel (it's free) to expose my homelab, but any reverse proxy that terminates TLS for ocis.domain.com, wopi.domain.com and onlyoffice.domain.com (the three public hostnames used below) would work too.
  • cloudflare Network podman network create cloudflare_net

Create the necessary files

OCIS "app-registry.yaml"

# oCIS app registry: which MIME types are known to the web UI and which
# registered app (if any) opens them by default.
# - default_app must match the app name the app-provider registers with
#   (APP_PROVIDER_WOPI_APP_NAME=OnlyOffice below); '' = no default app.
# - allow_creation: presumably whether the UI offers "new file" for the
#   type — confirm against the oCIS app-registry docs.
app_registry:
  mimetypes:
  - mime_type: application/pdf
    extension: pdf
    name: PDF
    description: PDF document
    icon: ''
    default_app: ''
    allow_creation: false
  - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    extension: docx
    name: Microsoft Word
    description: Microsoft Word document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
    extension: xlsx
    name: Microsoft Excel
    description: Microsoft Excel document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation
    extension: pptx
    name: Microsoft PowerPoint
    description: Microsoft PowerPoint document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  # No default_app is registered for notebooks on this page; creation is
  # still allowed, so the file is created but nothing here opens it.
  - mime_type: application/vnd.jupyter
    extension: ipynb
    name: Jupyter Notebook
    description: Jupyter Notebook
    icon: ''
    default_app: ''
    allow_creation: true

OCIS app-provider-onlyoffice "entrypoint-override.sh"

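#!/bin/sh
# Entrypoint override for the oCIS app-provider (OnlyOffice via WOPI).
# Waits until the OnlyOffice document server answers its WOPI discovery
# endpoint, then replaces this shell with `ocis app-provider server`.
#
# Runtime assumptions (from the podman command that mounts this script):
#   - runs as uid 0 inside the ocis image so `apk add` works
#   - OnlyOffice is reachable on the shared network as "onlyoffice"
# Optional env: ONLYOFFICE_DISCOVERY_URL, ONLYOFFICE_RETRIES,
#               ONLYOFFICE_RETRY_DELAY (seconds)
#
# Written for POSIX sh (the original used the bash-only `[[`), since the
# ocis image does not ship bash.
set -eu

# curl is not part of the ocis image, so it is installed from the network
# on every container start. NOTE(review): this is an unpinned runtime
# package install and the only reason the container needs root; baking
# curl into a derived image removes both. --no-cache keeps the apk index
# out of the container.
apk add --no-cache curl

#TODO: app driver itself should try again until OnlyOffice is up...

discovery_url="${ONLYOFFICE_DISCOVERY_URL:-http://onlyoffice/hosting/discovery}"
retries="${ONLYOFFICE_RETRIES:-10}"
delay="${ONLYOFFICE_RETRY_DELAY:-10}"
total=$((retries * delay))

while [ "$retries" -gt 0 ]; do
  # --fail maps HTTP 4xx/5xx to a non-zero exit; --max-time bounds a
  # hanging connection so one probe cannot eat the whole retry budget.
  if curl --silent --show-error --fail --max-time 5 -o /dev/null "$discovery_url"; then
    # exec so the service becomes PID 1 and receives container signals.
    # The original called the server without exec and, had it ever
    # returned 0, would have dropped back into the polling loop.
    exec ocis app-provider server
  fi
  echo "OnlyOffice is not yet available, trying again in ${delay} seconds" >&2
  sleep "$delay"
  retries=$((retries - 1))
done

echo "OnlyOffice was not available after ${total} seconds" >&2
exit 1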

WOPI "entrypoint-override.sh"

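#!/bin/sh
# Entrypoint override for cs3org/wopiserver.
# Writes the shared WOPI secret from the environment to the secret file the
# config points at, renders wopiserver.conf from the mounted .dist template
# and starts the server.
#
# Required env: WOPISECRET, WOPISERVER_DOMAIN
# Optional env: WOPISERVER_INSECURE ("true" disables certificate checks)
set -eu

# Fail fast instead of writing an empty secret file or running sed with an
# empty replacement (the original would happily do both).
: "${WOPISECRET:?WOPISECRET must be set}"
: "${WOPISERVER_DOMAIN:?WOPISERVER_DOMAIN must be set}"

# printf instead of echo so a secret beginning with '-' or containing
# backslashes is written verbatim. The file is then restricted to the
# owner; the original left it at the default umask.
printf '%s\n' "$WOPISECRET" > /etc/wopi/wopisecret
chmod 600 /etc/wopi/wopisecret

cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf

# The domain was interpolated unquoted into the sed program; quote it and
# escape the characters that are special in a replacement ('/', '&', '\')
# so the value cannot alter the sed expression.
escaped_domain=$(printf '%s' "$WOPISERVER_DOMAIN" | sed 's/[\/&\\]/\\&/g')
sed -i "s/wopi.domain.com/${escaped_domain}/g" /etc/wopi/wopiserver.conf

# Only when explicitly requested. Note this flips every "sslverify = True"
# in the file, i.e. both the [bridge] (apps) and [cs3] (Reva) sections.
# `=` instead of the non-POSIX `==`; [[:space:]] instead of GNU-only `\s`.
if [ "${WOPISERVER_INSECURE:-false}" = "true" ]; then
    sed -i 's/sslverify[[:space:]]*=[[:space:]]*True/sslverify = False/g' /etc/wopi/wopiserver.conf
fi

# exec so the server is PID 1 and gets SIGTERM on `podman stop`.
exec /app/wopiserver.py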

WOPI "wopiserver.conf.dist" (note: the script directly below is a repeated paste of the WOPI "entrypoint-override.sh" above; the actual wopiserver.conf.dist content starts after the `cat /home/user/ocis/wopi/wopiserver.conf.dist` line)

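#!/bin/sh
# Entrypoint override for cs3org/wopiserver (same script as the WOPI
# "entrypoint-override.sh" section; it was pasted here a second time).
# Writes the shared WOPI secret from the environment to the secret file the
# config points at, renders wopiserver.conf from the mounted .dist template
# and starts the server.
#
# Required env: WOPISECRET, WOPISERVER_DOMAIN
# Optional env: WOPISERVER_INSECURE ("true" disables certificate checks)
set -eu

# Fail fast instead of writing an empty secret file or running sed with an
# empty replacement (the original would happily do both).
: "${WOPISECRET:?WOPISECRET must be set}"
: "${WOPISERVER_DOMAIN:?WOPISERVER_DOMAIN must be set}"

# printf instead of echo so a secret beginning with '-' or containing
# backslashes is written verbatim. The file is then restricted to the
# owner; the original left it at the default umask.
printf '%s\n' "$WOPISECRET" > /etc/wopi/wopisecret
chmod 600 /etc/wopi/wopisecret

cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf

# The domain was interpolated unquoted into the sed program; quote it and
# escape the characters that are special in a replacement ('/', '&', '\')
# so the value cannot alter the sed expression.
escaped_domain=$(printf '%s' "$WOPISERVER_DOMAIN" | sed 's/[\/&\\]/\\&/g')
sed -i "s/wopi.domain.com/${escaped_domain}/g" /etc/wopi/wopiserver.conf

# Only when explicitly requested. Note this flips every "sslverify = True"
# in the file, i.e. both the [bridge] (apps) and [cs3] (Reva) sections.
# `=` instead of the non-POSIX `==`; [[:space:]] instead of GNU-only `\s`.
if [ "${WOPISERVER_INSECURE:-false}" = "true" ]; then
    sed -i 's/sslverify[[:space:]]*=[[:space:]]*True/sslverify = False/g' /etc/wopi/wopiserver.conf
fi

# exec so the server is PID 1 and gets SIGTERM on `podman stop`.
exec /app/wopiserver.py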
[user@SRV01 ~]$ cat /home/user/ocis/wopi/wopiserver.conf.dist
#
# This config is based on https://github.com/cs3org/wopiserver/blob/master/wopiserver.conf
#
# wopiserver.conf
#
# Default configuration file for the WOPI server for oCIS
#
# This file is mounted into the container as wopiserver.conf.dist; the
# entrypoint copies it to wopiserver.conf and replaces "wopi.domain.com"
# with WOPISERVER_DOMAIN before starting the server.
##############################################################

[general]
# Storage access layer to be loaded in order to operate this WOPI server
# only "cs3" is supported with oCIS
storagetype = cs3

# Port where to listen for WOPI requests
# NOTE(review): the container joins both ocis_net and cloudflare_net, so
# this port is reachable from every container on either network, not only
# from the tunnel.
port = 8880

# Logging level. Debug enables the Flask debug mode as well.
# Valid values are: Debug, Info, Warning, Error.
# Error hides access logs; raise to Info/Warning while debugging the
# OnlyOffice <-> WOPI handshake, but do not leave Debug on (Flask debug mode).
loglevel = Error
loghandler = stream
logdest = stdout

# URL of your WOPI server or your HA proxy in front of it
# (placeholder host, rewritten by the entrypoint from WOPISERVER_DOMAIN)
wopiurl = https://wopi.domain.com

# URL for direct download of files. The complete URL that is sent
# to clients will include the access_token argument
downloadurl = https://wopi.domain.com/wopi/cbox/download

# The internal server engine to use (defaults to flask).
# Set to waitress for production installations.
internalserver = waitress

# List of file extensions deemed incompatible with LibreOffice:
# interoperable locking will be disabled for such files
nonofficetypes = .md .zmd .txt .epd

# List of file extensions to be supported by Collabora (deprecated)
codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key

# WOPI access token expiration time [seconds]
# NOTE(review): 86400 = 24 h. The access token travels in the document URL
# handed to OnlyOffice (see downloadurl); anyone who obtains that URL can
# use it for the whole validity window. Consider a shorter lifetime.
tokenvalidity = 86400

# WOPI lock expiration time [seconds]
wopilockexpiration = 3600

# WOPI lock strict check: if True, WOPI locks will be compared according to specs,
# that is their representation must match. False (default) allows for a more relaxed
# comparison, which compensates incorrect lock requests from Microsoft Office Online
# on-premise setups.
wopilockstrictcheck = False

# Enable support of rename operations from WOPI apps. This is currently
# disabled by default as it has been observed that both MS Office and Collabora
# Online do not play well with this feature.
# Not supported with oCIS, must always be set to "False"
enablerename = False

# Detection of external Microsoft Office or LibreOffice locks. By default, lock files
# compatible with Office for Desktop applications are detected, assuming that the
# underlying storage can be mounted as a remote filesystem: in this case, WOPI GetLock
# and SetLock operations return such locks and prevent online apps from entering edit mode.
# This feature can be disabled in order to operate a pure WOPI server for online apps.
# Not supported with oCIS, must always be set to "False"
detectexternallocks = False

# Location of the webconflict files. By default, such files are stored in the same path
# as the original file. If that fails (e.g. because of missing permissions),
# an attempt is made to store such files in this path if specified, otherwise
# the system falls back to the recovery space (cf. io|recoverypath).
# The keywords <user_initial> and <username> are replaced with the actual username's
# initial letter and the actual username, respectively, so you can use e.g.
# /your_storage/home/user_initial/username
#conflictpath = /

# ownCloud's WOPI proxy configuration. Disabled by default.
#wopiproxy = https://external-wopi-proxy.com
#wopiproxysecretfile = /path/to/your/shared-key-file
#proxiedappname = Name of your proxied app

[security]
# Location of the secret files. Requires a restart of the
# WOPI server when either the files or their content change.
# The entrypoint writes this file from the WOPISECRET environment variable
# on every start, so rotating the secret = change the env var + restart.
wopisecretfile = /etc/wopi/wopisecret
# iop secret is not used for cs3 storage type
#iopsecretfile = /etc/wopi/iopsecret

# Use https as opposed to http (requires certificate)
# Plain HTTP here; TLS for wopiurl (https://) is expected to be terminated
# by the tunnel / reverse proxy in front of the container.
usehttps = no

# Certificate and key for https. Requires a restart
# to apply a change.
# Unused while usehttps = no.
wopicert = /etc/grid-security/host.crt
wopikey = /etc/grid-security/host.key

[bridge]
# SSL certificate check for the connected apps
# Set to False by the entrypoint only when WOPISERVER_INSECURE=true.
sslverify = True

# Minimal time interval between two consecutive save operations [seconds]
#saveinterval = 200

# Minimal time interval before a closed file is WOPI-unlocked [seconds]
#unlockinterval = 90

# CodiMD: disable creating zipped bundles when files contain pictures
#disablezip = False

[io]
# Size used for buffered reads [bytes]
chunksize = 4194304

# Path to a recovery space in case of I/O errors when reaching to the remote storage.
# This is expected to be a local path, and it is provided in order to ease user support.
# Defaults to the indicated spool folder.
# Backed by the wopi-recovery volume in the podman command; files parked
# here are user documents, so treat the volume as sensitive data.
recoverypath = /var/spool/wopirecovery

[cs3]
# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint
# Must match GATEWAY_GRPC_ADDR of the ocis container (0.0.0.0:9142) and is
# resolved over the shared ocis_net.
revagateway = ocis:9142

# Reva/gRPC authentication token expiration time [seconds]
# The default value matches Reva's default
authtokenvalidity = 3600

# SSL certificate check for Reva
# Also flipped to False by the entrypoint when WOPISERVER_INSECURE=true.
sslverify = True

Note: don't forget to make the "entrypoint-override.sh" files executable with chmod +x entrypoint-override.sh.

Run Containers

Cloudflare Tunnel Container

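# Cloudflare Tunnel connector: makes an outbound connection to Cloudflare and
# is the ingress (and TLS termination) for ocis/wopi/onlyoffice, which is why
# those containers also join cloudflare_net.
#
# The tunnel token is a credential. It is passed through the environment
# (cloudflared reads TUNNEL_TOKEN) rather than as a `--token` argument, so it
# no longer appears in `ps` output or in the container's Cmd; it is still
# visible in `podman inspect`, so for a stronger setup use
# `podman secret create cloudflare_token -` and
# `--secret cloudflare_token,type=env,target=TUNNEL_TOKEN`.
# The variable is quoted so an empty/odd value cannot be word-split.
# NOTE(review): PUID/PGID/TZ are not documented by the cloudflared image;
# assumed inert. `:latest` + io.containers.autoupdate pulls whatever is
# published next; pin a tag or digest if you want a reproducible host.
podman run -d \
  --name cloudflare \
  --label "io.containers.autoupdate=image" \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Rome \
  -e TUNNEL_TOKEN="$your_secret_token" \
  --restart unless-stopped \
  --network cloudflare_net \
  docker.io/cloudflare/cloudflared:latest \
  tunnel --no-autoupdate run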

ownCloud Infinite Scale

initialize OCIS

Infinite Scale needs a first-time initialization to set up its environment. The generated configuration lands in the ocis-config volume; treat that volume as containing secrets and keep the IDM_ADMIN_PASSWORD you pass here in a shell variable rather than on the command line in your history.

podman run --rm -it \
--name ocis \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-v ocis-config:/etc/ocis \
-v ocis-data:/var/lib/ocis \
-e IDM_ADMIN_PASSWORD="$yourSecretAdminPasswort" \
--network cloudflare_net \
--network ocis_net \
docker.io/owncloud/ocis init

Run OCIS

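# Main oCIS container.
# - PROXY_TLS=false: TLS is terminated by the tunnel / reverse proxy, so the
#   proxy listens in plain HTTP and is reached through cloudflare_net.
# - OCIS_INSECURE=false: keep certificate verification for outbound calls.
# - PROXY_ENABLE_BASIC_AUTH=false and IDM_CREATE_DEMO_USERS=false: no
#   password-in-header logins and no well-known demo accounts.
# - app-registry.yaml is mounted read-only (:ro) — the container only reads
#   it, and a compromised process should not be able to repoint
#   default_app at another WOPI app.
# NOTE(review): GATEWAY_GRPC_ADDR=0.0.0.0:9142 binds the CS3 gateway on all
# interfaces, i.e. on cloudflare_net as well as ocis_net. Only the wopi
# (revagateway = ocis:9142) and ocis-app-office (REVA_GATEWAY) containers
# need it and both are on ocis_net; nothing on this page shows TLS or
# authentication on that port, so keep cloudflare_net membership minimal.
# NOTE(review): IDM_ADMIN_PASSWORD is passed again at runtime; whether this
# resets the password on every start or is ignored after init depends on the
# ocis version — confirm, and prefer a podman secret over an env var.
# NOTE(review): untagged image + autoupdate = floating "latest"; pin it.
podman run -d \
  --name ocis \
  --restart unless-stopped \
  --label "io.containers.autoupdate=image" \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Rome \
  -e OCIS_URL=https://ocis.domain.com \
  -e OCIS_LOG_LEVEL=info \
  -e OCIS_LOG_COLOR=false \
  -e PROXY_TLS=false \
  -e GATEWAY_GRPC_ADDR=0.0.0.0:9142 \
  -e OCIS_INSECURE=false \
  -e PROXY_ENABLE_BASIC_AUTH=false \
  -e IDM_ADMIN_PASSWORD="$yourSecretAdminPasswort" \
  -e IDM_CREATE_DEMO_USERS=false \
  -v /lokal/path/to/app-registry.yaml:/etc/ocis/app-registry.yaml:ro,Z \
  -v ocis-config:/etc/ocis \
  -v ocis-data:/var/lib/ocis \
  --network ocis_net \
  --network cloudflare_net \
  docker.io/owncloud/ocis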

WOPI Container

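# WOPI server sitting between oCIS (CS3 gateway on ocis_net) and OnlyOffice.
#
# WOPISECRET is the key that signs WOPI access tokens: generate a random one
# (e.g. `your_wopi_secret=$(openssl rand -hex 32)`) and pass the variable.
# The original hard-coded a placeholder ("KorenIpsum494") on the command
# line, which ends up in shell history and `ps`. An env var is still
# readable via `podman inspect`; `podman secret create wopisecret -` plus
# `--secret wopisecret,type=env,target=WOPISECRET` keeps it out of the
# container spec.
# The override script and the .dist template are mounted read-only: the
# entrypoint only copies/reads them, and a compromised process must not be
# able to rewrite the script that runs on the next restart.
# WOPISERVER_INSECURE=false keeps "sslverify = True" in wopiserver.conf.
# cloudflare_net is needed because the tunnel publishes wopi.domain.com to
# this container (port 8880, plain HTTP — usehttps = no in the config).
# NOTE(review): `:latest` + autoupdate; pin a tag or digest.
podman run -d \
  --name wopi \
  --restart unless-stopped \
  --label "io.containers.autoupdate=image" \
  --entrypoint /entrypoint-override.sh \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Rome \
  -e WOPISERVER_INSECURE=false \
  -e WOPISECRET="$your_wopi_secret" \
  -e WOPISERVER_DOMAIN=wopi.domain.com \
  -v /lokal/path/to/wopi/entrypoint-override.sh:/entrypoint-override.sh:ro,Z \
  -v /lokal/path/to/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist:ro,Z \
  -v wopi-recovery:/var/spool/wopirecovery \
  --network ocis_net \
  --network cloudflare_net \
  docker.io/cs3org/wopiserver:latest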

OnlyOffice

# OnlyOffice Document Server. Published through the tunnel as
# onlyoffice.domain.com (the APP_PROVIDER_WOPI_APP_URL below), hence
# cloudflare_net; the app-provider polls its /hosting/discovery endpoint
# over ocis_net.
# WOPI_ENABLED=true presumably switches on that WOPI discovery endpoint;
# USE_UNAUTHORIZED_STORAGE=false presumably refuses storage endpoints with
# untrusted certificates — confirm both against the image docs.
# NOTE(review): nothing on this page sets JWT_SECRET/JWT_ENABLED for the
# document server; check what the image defaults to for your version.
# NOTE(review): `:latest` + autoupdate; pin a tag or digest.
podman run --detach \
  --name OnlyOffice \
  --restart unless-stopped \
  --label "io.containers.autoupdate=image" \
  --env PUID=1000 \
  --env PGID=1000 \
  --env TZ=Europe/Rome \
  --env WOPI_ENABLED=true \
  --env USE_UNAUTHORIZED_STORAGE=false \
  --network ocis_net \
  --network cloudflare_net \
  docker.io/onlyoffice/documentserver:latest

OCIS app-provider-onlyoffice

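# oCIS app-provider for OnlyOffice (WOPI driver). Registers with the CS3
# gateway (REVA_GATEWAY) under APP_PROVIDER_EXTERNAL_ADDR and hands clients
# the OnlyOffice / WOPI server URLs.
# - --user "0": root is needed only because the override script runs
#   `apk add curl` on start; build a derived image with curl to drop it.
# - The override script is mounted read-only (:ro) so a process in the
#   container cannot rewrite what runs as root on the next restart.
# - APP_PROVIDER_WOPI_INSECURE=false keeps TLS verification on.
# - APP_PROVIDER_WOPI_APP_NAME must equal default_app in app-registry.yaml.
# NOTE(review): no public hostname routes to this container (its external
# address is the ocis_net name ocis-app-office:9164), so cloudflare_net
# membership looks unnecessary; it is kept here but is a candidate to drop.
# NOTE(review): the script curls http://onlyoffice/... while the container
# is named "OnlyOffice"; DNS names are case-insensitive, but confirm your
# podman DNS backend resolves it.
# NOTE(review): untagged image + autoupdate; pin it together with ocis.
podman run -d \
  --name ocis-app-office \
  --restart unless-stopped \
  --label "io.containers.autoupdate=image" \
  --user "0" \
  --entrypoint /entrypoint-override.sh \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Rome \
  -e REVA_GATEWAY=ocis:9142 \
  -e APP_PROVIDER_GRPC_ADDR=0.0.0.0:9164 \
  -e APP_PROVIDER_EXTERNAL_ADDR=ocis-app-office:9164 \
  -e APP_PROVIDER_DRIVER=wopi \
  -e APP_PROVIDER_WOPI_APP_NAME=OnlyOffice \
  -e APP_PROVIDER_WOPI_APP_ICON_URI=https://onlyoffice.domain.com/web-apps/apps/documenteditor/main/resources/img/favicon.ico \
  -e APP_PROVIDER_WOPI_APP_URL=https://onlyoffice.domain.com \
  -e APP_PROVIDER_WOPI_INSECURE=false \
  -e APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL=https://wopi.domain.com \
  -e APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL=https://ocis.domain.com \
  -v /lokal/path/to/ocis/entrypoint-override.sh:/entrypoint-override.sh:ro,Z \
  -v ocis-config:/etc/ocis \
  --network ocis_net \
  --network cloudflare_net \
  docker.io/owncloud/ocis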

Now you should be able to reach https://ocis.domain.com and log in as admin with the IDM_ADMIN_PASSWORD you set during init; opening a .docx/.xlsx/.pptx should launch OnlyOffice via the WOPI server.
