nextcloud_dans_lxc_-_2

Differences

Below are the differences between two revisions of the page.

nextcloud_dans_lxc_-_2 [2019/10/29 09:47] – [MariaDB] simon
nextcloud_dans_lxc_-_2 [Date unknown] (Current version) – removed - external edit (Date unknown) 127.0.0.1
Line 1: Line 1:
-====== Nextcloud dans lxc - 2 ====== 
-<WRAP center round important 60%> 
-29/10/2019 : Essais d'une installation complète en suivant le tutoriel [[https://www.c-rieger.de/nextcloud-installation-guide-debian-9-10/]] et mes notes sur [[lxc]]. 
-</WRAP> 
  
-===== lxc ===== 
-<code bash> 
-lxc-create -t download -n nextcloud2 -- --dist debian --release buster --arch amd64 
-</code> 
- 
-On configure ce qu'il faut pour avoir une IP statique (voir [[lxc]]). 
- 
-===== prérequis ===== 
-<code bash> 
-# lxc-attach nextcloud2 
- 
-root@nextcloud2:/# apt update 
- 
-root@nextcloud2:/# apt install curl wget sudo gnupg2 git lsb-release ssl-cert ca-certificates apt-transport-https tree locate software-properties-common dirmngr htop net-tools zip unzip curl ffmpeg ghostscript libfile-fcntllock-perl -y 
-</code> 
- 
-===== Dépôts pour Nginx, PHP et MariaDB ===== 
-==== Nginx ==== 
-<code bash> 
-# cd /etc/apt/sources.list.d 
- 
-# echo "deb [arch=amd64] http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" | tee nginx.list 
- 
-# curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - 
-</code> 
- 
-==== PHP ==== 
-<code bash> 
-# cd /etc/apt/sources.list.d 
- 
-# echo "deb [arch=amd64] https://packages.sury.org/php/ $(lsb_release -cs) main" | tee php.list 
- 
-# root@nextcloud2:/etc/apt/sources.list.d# wget -q https://packages.sury.org/php/apt.gpg -O- | sudo apt-key add - 
-OK 
-</code> 
- 
-==== MariaDB ==== 
-<code bash> 
-# cd /etc/apt/sources.list.d 
- 
-# echo "deb [arch=amd64] http://mirror2.hs-esslingen.de/mariadb/repo/10.4/debian $(lsb_release -cs) main" | tee mariadb.list 
- 
-# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8 
-Executing: /tmp/apt-key-gpghome.RwXWJVNDat/gpg.1.sh --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8 
-gpg: clef F1656F24C74CD1D8 : clef publique « MariaDB Signing Key <signing-key@mariadb.org> » importée 
-gpg:       Quantité totale traitée : 1 
-gpg:                     importées : 1 
-</code> 
- 
-==== Upgrade ==== 
- 
-On met à jour : 
-<code bash> 
-# apt update && apt upgrade -y 
- 
-# make-ssl-cert generate-default-snakeoil -y 
- 
-# apt remove nginx nginx-extras nginx-common nginx-full -y --allow-change-held-packages 
- 
-# apt autoremove 
-</code> 
- 
-===== Installations et configurations ===== 
-==== Nginx ==== 
-<code bash> 
-# apt install nginx -y 
- 
-# nginx -V        
-nginx version: nginx/1.17.5 
- 
-# systemctl enable nginx.service 
- 
-# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak && touch /etc/nginx/nginx.conf 
- 
-root@nextcloud2:/etc/apt/sources.list.d# ip a 
-(...) 
-27: eth0@if28: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 
-(...) 
-    inet 10.0.3.162/24 brd 10.0.3.255 scope global dynamic eth0 
-(...) 
- 
-root@nextcloud2:/etc/apt/sources.list.d# vim /etc/nginx/nginx.conf 
- 
-root@nextcloud2:/etc/apt/sources.list.d# cat /etc/nginx/nginx.conf 
-user www-data; 
-worker_processes auto; 
-pid /var/run/nginx.pid; 
- 
-events { 
- worker_connections 1024; 
- multi_accept on; 
- use epoll; 
-} 
- 
-http { 
- server_names_hash_bucket_size 64; 
- upstream php-handler { 
- server unix:/run/php/php7.3-fpm.sock; 
- } 
- 
- set_real_ip_from 127.0.0.1; 
- set_real_ip_from 10.0.3.0/24; 
- real_ip_header X-Forwarded-For; 
- real_ip_recursive on; 
- include /etc/nginx/mime.types; 
- #include /etc/nginx/proxy.conf; 
- #include /etc/nginx/ssl.conf; 
- #include /etc/nginx/header.conf; 
- #include /etc/nginx/optimization.conf; 
- default_type application/octet-stream; 
- access_log /var/log/nginx/access.log; 
- error_log /var/log/nginx/error.log warn; 
- sendfile on; 
- send_timeout 3600; 
- tcp_nopush on; 
- tcp_nodelay on; 
- open_file_cache max=500 inactive=10m; 
- open_file_cache_errors on; 
- keepalive_timeout 65; 
- reset_timedout_connection on; 
- server_tokens off; 
- resolver 10.0.3.162 valid=30s; 
- #resolver 127.0.0.53 valid=30s; is recommended but reuqires a valid resolver configuration 
- resolver_timeout 5s; 
- include /etc/nginx/conf.d/*.conf; 
-} 
-</code> 
- 
-On teste la config et on redémarre nginx :  
-<code bash> 
-# nginx -t && service nginx restart 
-</code> 
- 
-On crée le dossier nextcloud et on lui met les bons droits :  
-<code bash> 
-# mkdir -p /var/nextcloud                    
- 
-# chown -R www-data:www-data /var/nextcloud/ 
-</code> 
- 
-==== PHP ==== 
-<code bash> 
-# apt update && apt install php7.3-fpm php7.3-gd php7.3-mysql php7.3-curl php7.3-xml php7.3-zip php7.3-intl php7.3-mbstring php7.3-json php7.3-bz2 php7.3-ldap php-apcu imagemagick php-imagick php-smbclient -y 
-</code> 
- 
-<WRAP center round important 60%> 
-Je ne mets pas de "#" devant les commandes suivantes pour simplifier les copier/coller de plusieurs lignes. Elles sont à exécuter en root. 
-</WRAP> 
- 
- 
-Backup des configurations :  
-<code bash> 
-cp /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.conf.bak 
-cp /etc/php/7.3/cli/php.ini /etc/php/7.3/cli/php.ini.bak 
-cp /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/php.ini.bak 
-cp /etc/php/7.3/fpm/php-fpm.conf /etc/php/7.3/fpm/php-fpm.conf.bak 
-cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak 
-</code> 
- 
-<code bash> 
-cp /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.conf.bak 
-cp /etc/php/7.3/cli/php.ini /etc/php/7.3/cli/php.ini.bak 
-cp /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/php.ini.bak 
-cp /etc/php/7.3/fpm/php-fpm.conf /etc/php/7.3/fpm/php-fpm.conf.bak 
-cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak 
- 
-sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/7.3/fpm/pool.d/www.conf 
-sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/7.3/fpm/pool.d/www.conf 
-sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/7.3/fpm/pool.d/www.conf 
-sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/7.3/fpm/pool.d/www.conf 
-sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/7.3/fpm/pool.d/www.conf 
- 
-sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/7.3/cli/php.ini 
-sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/7.3/cli/php.ini 
-sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/7.3/cli/php.ini 
-sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/7.3/cli/php.ini 
-sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/7.3/cli/php.ini 
-sed -i "s/;date.timezone.*/date.timezone = Europe\/\Brussels/" /etc/php/7.3/cli/php.ini 
- 
-sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;date.timezone.*/date.timezone = Europe\/\Berlin/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/7.3/fpm/php.ini 
-sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/7.3/fpm/php.ini 
- 
-sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml 
-sed -i "s/rights=\"none\" pattern=\"EPI\"/rights=\"read|write\" pattern=\"EPI\"/" /etc/ImageMagick-6/policy.xml 
-sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml 
-sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml 
-</code> 
- 
-<code bash> 
-# service php7.3-fpm restart 
-# service nginx restart 
-</code> 
- 
-==== MariaDB ==== 
-<code bash> 
-# apt update && apt install mariadb-server -y 
- 
-# mysql --version 
-mysql  Ver 15.1 Distrib 10.4.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2 
-</code> 
- 
-Le service ne démarre pas :  
-<code bash> 
-root@nextcloud2:/etc/apt/sources.list.d# systemctl status mariadb 
-● mariadb.service - MariaDB 10.4.8 database server 
-   Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled) 
-  Drop-In: /etc/systemd/system/mariadb.service.d 
-           └─migrated-from-my.cnf-settings.conf 
-   Active: failed (Result: exit-code) since Tue 2019-10-29 09:02:09 UTC; 9min ago 
-     Docs: man:mysqld(8) 
-           https://mariadb.com/kb/en/library/systemd/ 
- 
-oct 29 09:02:09 nextcloud2 systemd[1]: Starting MariaDB 10.4.8 database server... 
-oct 29 09:02:09 nextcloud2 systemd[18087]: mariadb.service: Failed to set up mount namespacing: Permission denied 
-oct 29 09:02:09 nextcloud2 systemd[18087]: mariadb.service: Failed at step NAMESPACE spawning /usr/bin/install: Permission denied 
-oct 29 09:02:09 nextcloud2 systemd[1]: mariadb.service: Control process exited, code=exited, status=226/NAMESPACE 
-oct 29 09:02:09 nextcloud2 systemd[1]: mariadb.service: Failed with result 'exit-code'. 
-oct 29 09:02:09 nextcloud2 systemd[1]: Failed to start MariaDB 10.4.8 database server. 
-</code> 
- 
-Après quelques recherches sur les internets, j'ai vu que le soucis semble causé par AppArmor. Pour le désactiver :  
-<code bash> 
-# cat /var/lib/lxc/nextcloud2/config 
-(...) 
-lxc.apparmor.profile = unconfined 
-(...) 
-</code> 
- 
-Il faut ensuite redémarrer le conteneur : 
-<code bash> 
-# lxc-stop nextcloud2 
-# lxc-start nextcloud2 
-</code> 
- 
-On sécurise l'installation de MariaDB : 
-<code bash> 
-root@nextcloud2:~# mysql_secure_installation 
- 
-NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB 
-      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY! 
- 
-In order to log into MariaDB to secure it, we'll need the current 
-password for the root user. If you've just installed MariaDB, and 
-haven't set the root password yet, you should just press enter here. 
- 
-Enter current password for root (enter for none):  
-OK, successfully used password, moving on... 
- 
-Setting the root password or using the unix_socket ensures that nobody 
-can log into the MariaDB root user without the proper authorisation. 
- 
-You already have your root account protected, so you can safely answer 'n'. 
- 
-Switch to unix_socket authentication [Y/n] N 
- ... skipping. 
- 
-You already have your root account protected, so you can safely answer 'n'. 
- 
-Change the root password? [Y/n] n 
- ... skipping. 
- 
-By default, a MariaDB installation has an anonymous user, allowing anyone 
-to log into MariaDB without having to have a user account created for 
-them.  This is intended only for testing, and to make the installation 
-go a bit smoother.  You should remove them before moving into a 
-production environment. 
- 
-Remove anonymous users? [Y/n] y 
- ... Success! 
- 
-Normally, root should only be allowed to connect from 'localhost' This 
-ensures that someone cannot guess at the root password from the network. 
- 
-Disallow root login remotely? [Y/n] y 
- ... Success! 
- 
-By default, MariaDB comes with a database named 'test' that anyone can 
-access.  This is also intended only for testing, and should be removed 
-before moving into a production environment. 
- 
-Remove test database and access to it? [Y/n] y 
- - Dropping test database... 
- ... Success! 
- - Removing privileges on test database... 
- ... Success! 
- 
-Reloading the privilege tables will ensure that all changes made so far 
-will take effect immediately. 
- 
-Reload privilege tables now? [Y/n] y 
- ... Success! 
- 
-Cleaning up... 
- 
-All done!  If you've completed all of the above steps, your MariaDB 
-installation should now be secure. 
- 
-Thanks for using MariaDB! 
-</code> 
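
Review bot: In the MariaDB section, the fix for `Failed to set up mount namespacing: Permission denied` is `lxc.apparmor.profile = unconfined` in /var/lib/lxc/nextcloud2/config, which removes AppArmor confinement from the whole container to get one unit started. The page should state that trade-off and prefer a narrower change, for example a drop-in under /etc/systemd/system/mariadb.service.d (the directory already appears in the status output) that relaxes only the sandboxing directives needing a mount namespace. Other points in the same revision: the nginx and MariaDB repository lines use http:// while their keys are added to the global apt keyring with apt-key; the five backup `cp` commands in the PHP section appear twice, so a second run after the `sed` edits would overwrite the pristine .bak files; date.timezone is set to Europe/Brussels in cli/php.ini but Europe/Berlin in fpm/php.ini, and both patterns contain a stray backslash (`\/\B`); the ImageMagick policy.xml edits switch PS, EPI, PDF and XPS from "none" to "read|write" without saying why those coders were disabled by default; and `resolver 10.0.3.162` in nginx.conf is the container's own address from the `ip a` output, with nothing on the page showing a DNS service listening there.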
nextcloud_dans_lxc_-_2.1572342464.txt.gz · Last modified: 2020/08/09 12:59 (external edit)