Nextcloud in lxc - 2

29/10/2019: Attempt at a complete installation following the tutorial https://www.c-rieger.de/nextcloud-installation-guide-debian-9-10/ and my notes on lxc.

lxc

lxc-create -t download -n nextcloud2 -- --dist debian --release buster --arch amd64

We configure what is needed to get a static IP (see lxc).

Prerequisites

# lxc-attach nextcloud2
 
root@nextcloud2:/# apt update
 
root@nextcloud2:/# apt install curl wget sudo gnupg2 git lsb-release ssl-cert ca-certificates apt-transport-https tree locate software-properties-common dirmngr htop net-tools zip unzip curl ffmpeg ghostscript libfile-fcntllock-perl -y

Repositories for Nginx, PHP and MariaDB

Nginx

# cd /etc/apt/sources.list.d
 
# echo "deb [arch=amd64] http://nginx.org/packages/mainline/debian $(lsb_release -cs) nginx" | tee nginx.list
 
# curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add -

PHP

# cd /etc/apt/sources.list.d
 
# echo "deb [arch=amd64] https://packages.sury.org/php/ $(lsb_release -cs) main" | tee php.list
 
root@nextcloud2:/etc/apt/sources.list.d# wget -q https://packages.sury.org/php/apt.gpg -O- | sudo apt-key add -
OK

MariaDB

# cd /etc/apt/sources.list.d
 
# echo "deb [arch=amd64] http://mirror2.hs-esslingen.de/mariadb/repo/10.4/debian $(lsb_release -cs) main" | tee mariadb.list
 
# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8
Executing: /tmp/apt-key-gpghome.RwXWJVNDat/gpg.1.sh --recv-keys --keyserver keyserver.ubuntu.com 0xF1656F24C74CD1D8
gpg: clef F1656F24C74CD1D8 : clef publique « MariaDB Signing Key <signing-key@mariadb.org> » importée
gpg:       Quantité totale traitée : 1
gpg:                     importées : 1

Upgrade

We update:

# apt update && apt upgrade -y
 
# make-ssl-cert generate-default-snakeoil -y
 
# apt remove nginx nginx-extras nginx-common nginx-full -y --allow-change-held-packages
 
# apt autoremove

Installations and configurations

Nginx

# apt install nginx -y
 
# nginx -V
nginx version: nginx/1.17.5
 
# systemctl enable nginx.service
 
# mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak && touch /etc/nginx/nginx.conf
 
root@nextcloud2:/etc/apt/sources.list.d# ip a
(...)
27: eth0@if28: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
(...)
    inet 10.0.3.162/24 brd 10.0.3.255 scope global dynamic eth0
(...)
 
root@nextcloud2:/etc/apt/sources.list.d# vim /etc/nginx/nginx.conf
 
root@nextcloud2:/etc/apt/sources.list.d# cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
 
events {
	worker_connections 1024;
	multi_accept on;
	use epoll;
}
 
http {
	server_names_hash_bucket_size 64;
	upstream php-handler {
		server unix:/run/php/php7.3-fpm.sock;
	}
 
	set_real_ip_from 127.0.0.1;
	set_real_ip_from 10.0.3.0/24;
	real_ip_header X-Forwarded-For;
	real_ip_recursive on;
	include /etc/nginx/mime.types;
	#include /etc/nginx/proxy.conf;
	#include /etc/nginx/ssl.conf;
	#include /etc/nginx/header.conf;
	#include /etc/nginx/optimization.conf;
	default_type application/octet-stream;
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;
	sendfile on;
	send_timeout 3600;
	tcp_nopush on;
	tcp_nodelay on;
	open_file_cache max=500 inactive=10m;
	open_file_cache_errors on;
	keepalive_timeout 65;
	reset_timedout_connection on;
	server_tokens off;
	resolver 10.0.3.162 valid=30s;
	#resolver 127.0.0.53 valid=30s; is recommended but requires a valid resolver configuration
	resolver_timeout 5s;
	include /etc/nginx/conf.d/*.conf;
}

We test the config and restart nginx:

# nginx -t && service nginx restart

We create the nextcloud directory and give it the right permissions:

# mkdir -p /var/nextcloud
 
# chown -R www-data:www-data /var/nextcloud/

PHP

# apt update && apt install php7.3-fpm php7.3-gd php7.3-mysql php7.3-curl php7.3-xml php7.3-zip php7.3-intl php7.3-mbstring php7.3-json php7.3-bz2 php7.3-ldap php-apcu imagemagick php-imagick php-smbclient -y

I do not put a "#" in front of the following commands, to make it easier to copy/paste several lines at once. They are to be run as root.

Backup of the configurations:

cp /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.conf.bak
cp /etc/php/7.3/cli/php.ini /etc/php/7.3/cli/php.ini.bak
cp /etc/php/7.3/fpm/php.ini /etc/php/7.3/fpm/php.ini.bak
cp /etc/php/7.3/fpm/php-fpm.conf /etc/php/7.3/fpm/php-fpm.conf.bak
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
 
sed -i "s/;env\[HOSTNAME\] = /env[HOSTNAME] = /" /etc/php/7.3/fpm/pool.d/www.conf
sed -i "s/;env\[TMP\] = /env[TMP] = /" /etc/php/7.3/fpm/pool.d/www.conf
sed -i "s/;env\[TMPDIR\] = /env[TMPDIR] = /" /etc/php/7.3/fpm/pool.d/www.conf
sed -i "s/;env\[TEMP\] = /env[TEMP] = /" /etc/php/7.3/fpm/pool.d/www.conf
sed -i "s/;env\[PATH\] = /env[PATH] = /" /etc/php/7.3/fpm/pool.d/www.conf
 
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/7.3/cli/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/7.3/cli/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/7.3/cli/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/7.3/cli/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/7.3/cli/php.ini
sed -i "s/;date.timezone.*/date.timezone = Europe\/Brussels/" /etc/php/7.3/cli/php.ini
 
sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php/7.3/fpm/php.ini
sed -i "s/output_buffering =.*/output_buffering = 'Off'/" /etc/php/7.3/fpm/php.ini
sed -i "s/max_execution_time =.*/max_execution_time = 3600/" /etc/php/7.3/fpm/php.ini
sed -i "s/max_input_time =.*/max_input_time = 3600/" /etc/php/7.3/fpm/php.ini
sed -i "s/post_max_size =.*/post_max_size = 10240M/" /etc/php/7.3/fpm/php.ini
sed -i "s/upload_max_filesize =.*/upload_max_filesize = 10240M/" /etc/php/7.3/fpm/php.ini
sed -i "s/;date.timezone.*/date.timezone = Europe\/Berlin/" /etc/php/7.3/fpm/php.ini
sed -i "s/;session.cookie_secure.*/session.cookie_secure = True/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.enable=.*/opcache.enable=1/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.enable_cli=.*/opcache.enable_cli=1/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.interned_strings_buffer=.*/opcache.interned_strings_buffer=8/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.max_accelerated_files=.*/opcache.max_accelerated_files=10000/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.revalidate_freq=.*/opcache.revalidate_freq=1/" /etc/php/7.3/fpm/php.ini
sed -i "s/;opcache.save_comments=.*/opcache.save_comments=1/" /etc/php/7.3/fpm/php.ini
 
sed -i "s/rights=\"none\" pattern=\"PS\"/rights=\"read|write\" pattern=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"EPI\"/rights=\"read|write\" pattern=\"EPI\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"PDF\"/rights=\"read|write\" pattern=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights=\"none\" pattern=\"XPS\"/rights=\"read|write\" pattern=\"XPS\"/" /etc/ImageMagick-6/policy.xml
# service php7.3-fpm restart
# service nginx restart
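The sed one-liners above only rewrite lines that match their pattern, so a directive that is already uncommented (for example `opcache.enable=0`) is silently left untouched and php.ini keeps its old value. The following check is an added example, not part of these notes or of the c-rieger tutorial; it replays a few of the edits on a constructed sample php.ini and reports which directives did not end up as intended (GNU sed is assumed, as on Debian).

```shell
#!/bin/sh
# Added example: verify the result of the sed edits instead of trusting them.
# The sample ini is constructed; "opcache.enable=0" is deliberately NOT
# commented out, so the pattern ";opcache.enable=" never matches it.
# Assumes GNU sed (sed -i without a backup suffix).

# Constructed stand-in for /etc/php/7.3/fpm/php.ini.
make_sample_ini() {
    cat > "$1" <<'EOF'
memory_limit = 128M
;date.timezone =
opcache.enable=0
;opcache.memory_consumption=128
EOF
}

# The same edits as in the notes, limited to the directives in the sample.
apply_edits() {
    sed -i "s/memory_limit = 128M/memory_limit = 512M/" "$1"
    sed -i "s/;date.timezone.*/date.timezone = Europe\/Brussels/" "$1"
    sed -i "s/;opcache.enable=.*/opcache.enable=1/" "$1"
    sed -i "s/;opcache.memory_consumption=.*/opcache.memory_consumption=128/" "$1"
}

# check_directive FILE KEY VALUE: 0 if FILE has an active (uncommented) line
# "KEY = VALUE" or "KEY=VALUE", 1 otherwise.
check_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# verify_ini FILE: reports every directive that did not end up as intended
# and returns the number of mismatches (0 means every edit took effect).
verify_ini() {
    bad=0
    while read -r key want; do
        if ! check_directive "$1" "$key" "$want"; then
            echo "NOT APPLIED: $key (wanted $want)" >&2
            bad=$((bad + 1))
        fi
    done <<'EOF'
memory_limit 512M
date.timezone Europe/Brussels
opcache.enable 1
opcache.memory_consumption 128
EOF
    return "$bad"
}
```

On the real container, `verify_ini /etc/php/7.3/fpm/php.ini` (with the expected list extended to the other directives) flags the edits that silently missed; `php-fpm7.3 -i | grep opcache.enable` confirms what PHP actually loaded.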

MariaDB

# apt update && apt install mariadb-server -y
 
# mysql --version
mysql  Ver 15.1 Distrib 10.4.8-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

The service does not start:

root@nextcloud2:/etc/apt/sources.list.d# systemctl status mariadb
● mariadb.service - MariaDB 10.4.8 database server
   Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/mariadb.service.d
           └─migrated-from-my.cnf-settings.conf
   Active: failed (Result: exit-code) since Tue 2019-10-29 09:02:09 UTC; 9min ago
     Docs: man:mysqld(8)
           https://mariadb.com/kb/en/library/systemd/
 
oct 29 09:02:09 nextcloud2 systemd[1]: Starting MariaDB 10.4.8 database server...
oct 29 09:02:09 nextcloud2 systemd[18087]: mariadb.service: Failed to set up mount namespacing: Permission denied
oct 29 09:02:09 nextcloud2 systemd[18087]: mariadb.service: Failed at step NAMESPACE spawning /usr/bin/install: Permission denied
oct 29 09:02:09 nextcloud2 systemd[1]: mariadb.service: Control process exited, code=exited, status=226/NAMESPACE
oct 29 09:02:09 nextcloud2 systemd[1]: mariadb.service: Failed with result 'exit-code'.
oct 29 09:02:09 nextcloud2 systemd[1]: Failed to start MariaDB 10.4.8 database server.

After some searching on the internet, I saw that the problem seems to be caused by AppArmor. To disable it:

# cat /var/lib/lxc/nextcloud2/config
(...)
lxc.apparmor.profile = unconfined
(...)

The container then has to be restarted:

# lxc-stop nextcloud2
# lxc-start nextcloud2
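`lxc.apparmor.profile = unconfined` removes AppArmor confinement from every process in the container, not just MariaDB. The failure above (status=226/NAMESPACE) comes from the sandboxing directives in the packaged mariadb.service, which make systemd build a mount namespace that the default LXC AppArmor profile refuses. An alternative, added here as an example and not taken from these notes or the tutorial, is to override only those directives with a systemd drop-in and leave the container confined; it assumes a MariaDB 10.4 unit that sets ProtectSystem, ProtectHome and PrivateDevices, and the drop-in file name is an arbitrary choice.

```ini
# /etc/systemd/system/mariadb.service.d/lxc-no-namespace.conf (added example)
[Service]
# An empty assignment resets the directive from the packaged unit. These three
# are what make systemd create a mount namespace for the service, which the
# default LXC profile denies. Clearing them trades MariaDB's own filesystem
# sandbox for keeping AppArmor confinement on the whole container.
ProtectSystem=
ProtectHome=
PrivateDevices=
```

Write the file (or use `systemctl edit mariadb.service`), then `systemctl daemon-reload && systemctl restart mariadb`, with `lxc.apparmor.profile` left at its default on the host.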

We secure the MariaDB installation:

root@nextcloud2:~# mysql_secure_installation
 
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!
 
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
 
Enter current password for root (enter for none): 
OK, successfully used password, moving on...
 
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
 
You already have your root account protected, so you can safely answer 'n'.
 
Switch to unix_socket authentication [Y/n] N
 ... skipping.
 
You already have your root account protected, so you can safely answer 'n'.
 
Change the root password? [Y/n] n
 ... skipping.
 
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.
 
Remove anonymous users? [Y/n] y
 ... Success!
 
Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.
 
Disallow root login remotely? [Y/n] y
 ... Success!
 
By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.
 
Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!
 
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
 
Reload privilege tables now? [Y/n] y
 ... Success!
 
Cleaning up...
 
All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.
 
Thanks for using MariaDB!