Nextcloud Notes

How to use occ on the VM
bioapp@bio1000lp:~/www-nextcloud$ scl enable rh-php72 bash
bash-4.2$ php occ -V
Nextcloud 16.0.6

URL: http://bio1000lp.hs.it.vumc.io
URL: https://vbiostat.app.vumc.org

Security scan of our Nextcloud instance: https://scan.nextcloud.com

bio1000lp.hs.it.vumc.io

Access to the site is enabled via a whitelist. No one can log on to the site unless they are a member of the biostatnextcloud active directory security group.

As of 2019/11/11 we are running Nextcloud 16.0.6.

I am having trouble with permissions and file ownership in the ~/www-nextcloud directory tree. Some files are being written with owner : -rw and group : -rw. Also, some files have ownership of apache:apache rather than bioapp:apache. When this happens Nextcloud throws a ??? error. I believe Nextcloud writes these files with these characteristics when a Nextcloud update is performed and maybe when a new Apache process is started.

So far, I can issue the command chmod -R g+w ~/www-nextcloud/ to get things going.

bioapp@bio1000lp:~$ 
chmod: changing permissions of ‘www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core/1abd-e05c-server.css’: Operation not permitted
chmod: changing permissions of ‘www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core/1abd-e05c-server.css.deps’: Operation not permitted
chmod: changing permissions of ‘www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core/1abd-e05c-css-variables.css’: Operation not permitted
chmod: changing permissions of ‘www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core/1abd-e05c-css-variables.css.deps’: Operation not permitted
chmod: changing permissions of ‘www-nextcloud/data/appdata_oc6xhh7jnpzb/css/theming/6a15-e05c-theming.css’: Operation not permitted
chmod: changing permissions of ‘www-nextcloud/data/appdata_oc6xhh7jnpzb/css/theming/6a15-e05c-theming.css.deps’: Operation not permitted
bioapp@bio1000lp:~$ cd www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core/
bioapp@bio1000lp:~/www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core$ ll
total 372
drwxrwxr-x  3 bioapp apache   4096 Nov 11 14:14 ./
drwxrwxr-x 15 bioapp apache    227 Nov  1 17:26 ../
-rw-r--r--  1 apache apache    961 Nov 11 14:14 1abd-e05c-css-variables.css
-rw-r--r--  1 apache apache    197 Nov 11 14:14 1abd-e05c-css-variables.css.deps
-rw-r--r--  1 apache apache    435 Nov 11 14:14 1abd-e05c-css-variables.css.gzip
-rw-r--r--  1 apache apache   1189 Nov 11 14:14 1abd-e05c-results.css
-rw-r--r--  1 apache apache    199 Nov 11 14:14 1abd-e05c-results.css.deps
-rw-r--r--  1 apache apache    504 Nov 11 14:14 1abd-e05c-results.css.gzip
-rw-r--r--  1 apache apache 137241 Nov 11 14:14 1abd-e05c-server.css
-rw-r--r--  1 apache apache    857 Nov 11 14:14 1abd-e05c-server.css.deps
-rw-r--r--  1 apache apache  19358 Nov 11 14:14 1abd-e05c-server.css.gzip
-rw-rw-r--  1 bioapp apache    961 Nov 11 13:24 1abd-fa2a-css-variables.css
-rw-rw-r--  1 bioapp apache    197 Nov 11 13:24 1abd-fa2a-css-variables.css.deps
-rw-rw-r--  1 bioapp apache    435 Nov 11 13:24 1abd-fa2a-css-variables.css.gzip
-rw-rw-r--  1 bioapp apache   1189 Nov 11 13:24 1abd-fa2a-results.css
-rw-rw-r--  1 bioapp apache    199 Nov 11 13:24 1abd-fa2a-results.css.deps
-rw-rw-r--  1 bioapp apache    504 Nov 11 13:24 1abd-fa2a-results.css.gzip
-rw-rw-r--  1 bioapp apache 137241 Nov 11 13:24 1abd-fa2a-server.css
-rw-rw-r--  1 bioapp apache    857 Nov 11 13:24 1abd-fa2a-server.css.deps
-rw-rw-r--  1 bioapp apache  19358 Nov 11 13:24 1abd-fa2a-server.css.gzip
drwxrwxr-x  2 bioapp bioapp      6 Nov 11 13:29 save/
bioapp@bio1000lp:~/www-nextcloud/data/appdata_oc6xhh7jnpzb/css/core$ cd ~/www-nextcloud/data/appdata_oc6xhh7jnpzb/css/theming/
bioapp@bio1000lp:~/www-nextcloud/data/appdata_oc6xhh7jnpzb/css/theming$ ll
total 12
drwxrwxr-x  2 bioapp apache 166 Nov 11 13:25 ./
drwxrwxr-x 15 bioapp apache 227 Nov  1 17:26 ../
-rw-r--r--  1 apache apache   0 Nov 11 13:25 6a15-e05c-theming.css
-rw-r--r--  1 apache apache   0 Nov 11 13:25 6a15-e05c-theming.css.deps
-rw-rw-r--  1 bioapp apache 967 Nov 11 13:24 6a15-fa2a-theming.css
-rw-rw-r--  1 bioapp apache 200 Nov 11 13:24 6a15-fa2a-theming.css.deps
-rw-rw-r--  1 bioapp apache 372 Nov 11 13:24 6a15-fa2a-theming.css.gzip
bioapp@bio1000lp:~/www-nextcloud/data/appdata_oc6xhh7jnpzb/css/theming$
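
The chmod failures above occur because only a file's owner (or root) may change its mode, so bioapp cannot repair the files created as apache:apache. The following audit script is an added example, not part of the original notes; the function names audit_tree and fixable_without_root are hypothetical, and the demo tree is constructed.

```shell
#!/usr/bin/env bash
# Added example: classify permission drift under a Nextcloud tree.
# chmod(2) succeeds only for the file's owner (or root), so files created by
# the apache user cannot be repaired by bioapp; they are reported separately.

# audit_tree DIR OWNER GROUP  (names or numeric ids)
# Prints one line per offending path, tagged:
#   OWNER  owner differs from OWNER; chmod by OWNER fails with EPERM
#   GROUP  group differs from GROUP
#   MODE   group-write bit (020) is missing
audit_tree() {
    local dir=$1 owner=$2 group=$3
    find "$dir" ! -user "$owner" -exec printf 'OWNER %s\n' {} +
    find "$dir" ! -group "$group" -exec printf 'GROUP %s\n' {} +
    find "$dir" ! -type l ! -perm -020 -exec printf 'MODE %s\n' {} +
}

# fixable_without_root DIR OWNER
# Paths OWNER can repair itself with chmod g+w: owned by OWNER, g+w missing.
fixable_without_root() {
    find "$1" -user "$2" ! -type l ! -perm -020 -print
}

# Constructed demo tree (not the real server): one healthy file, one file
# with the 0644 mode seen in the listing above. Ownership cannot be changed
# without root, so the demo only exercises the MODE check.
demo() {
    local t
    t=$(mktemp -d) || return 1
    chmod 775 "$t"
    touch "$t/1abd-fa2a-server.css" "$t/1abd-e05c-server.css"
    chmod 664 "$t/1abd-fa2a-server.css"
    chmod 644 "$t/1abd-e05c-server.css"
    audit_tree "$t" "$(id -u)" "$(id -g)"
    rm -rf "$t"
}

demo
```

On the host described here the call would be audit_tree ~/www-nextcloud bioapp apache; any OWNER lines mark files that need the Apache user/group change described in the emails below rather than another chmod.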

ec2-user

Documentation

Email from Rasmussen, Justin D <justin.rasmussen@vumc.org> re log file location...
For application logs, we request the application owner configure Apache to store logs on /app001. Once you have Apache configured to place the logs on /app001, you will also need to configure it to use the bioapp user and group rather than Apache.

We also made sure to give you the ability to start/stop/restart Apache with the sudo commands. Use sudo systemctl start/stop/restart httpd. We’ve configured the permissions on our end to make sure bioapp is the user/group on that directory so Nextcloud shouldn’t be changing permissions like it has been.

Email from Nancy Williams re LDAP configuration...
Dale try this.

Host is ds.vanderbilt.edu
Port is 636
User DN = cn=<Resource Account VUnetID>,cn=users,dc=ds,dc=vanderbilt,dc=edu
Base DN = dc=ds,dc=vanderbilt,dc=edu

If you need LDAP SSL certs, see https://pegasus.mc.vanderbilt.edu/ViewKnowledge.aspx?id=13760.

Let me know how it goes.

Thank you,
Nancy Williams
System Analyst | Identity & Access Operations - Directory Services
Security Operations and Services | VUMC Enterprise Cybersecurity
Vanderbilt University Medical Center 
nancy.a.williams@vumc.org |615-343-5788 

Email from Andrew Roeder ...please submit us a request to have the apache user added to the bioapp group. Apache will then have write access to any files which the bioapp group has write access allowed.

You can then set 775 permissions on the nextcloud directory and files so apache can write there.

Email of 10/24/2019 “Brett, Mariadb was failing to start because it was not yet configured. I’ve applied our default configuration and Dale should be able to start the process now and it will run in /app001/mariadb as the bioapp user.

A database password can be set by the bioapp user as the default root password is blank per the documentation for MariaDB.

Please let Dale know he can contact us directly via email or ticket with questions or issues.”

Checking installed prerequisites...

-bash-4.2$ cat /etc/system-release
Red Hat Enterprise Linux Server release 7.7 (Maipo)

-bash-4.2$ php -v
PHP 7.2.10 (cli) (built: Nov  7 2018 05:32:35) ( NTS )

-bash-4.2$ mysql -V
mysql  Ver 15.1 Distrib 5.5.64-MariaDB, for Linux (x86_64) using readline 5.1

-bash-4.2$ apachectl -v
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built:   Jun  9 2019 13:01:04

-bash-4.2$ apachectl -t -D DUMP_MODULES | grep 'php'
 php7_module (shared)

Since I don't have privileges to modify /var/www/:
cd ~
unzip nextcloud-*.zip
mkdir -p www/html
cp -R nextcloud/ ~/www/html/
mkdir ~/www/html/nextcloud/data
chown -R apache:apache ~/www/html/nextcloud

cd /etc/httpd/conf.d/
touch nextcloud.conf

Contents of /etc/httpd/conf.d/nextcloud.conf
-bash-4.2$ cat /etc/httpd/conf.d/nextcloud.conf
<VirtualHost *:80>
  DocumentRoot /app001/www/html/nextcloud/
  ServerName  bio1000lp.hs.it.vumc.io

  <Directory "/app001/www/html/nextcloud/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

  </Directory>
</VirtualHost>

VUMC Virtual Machine

Monday, August 19, 2019 1:12 PM
The pilot host build for 1009565 - Biostatistics Nextcloud” Server Build has been completed.  By end of day, VEC SECURITY ENGINEERING AND OPERATIONS should complete the VPN SSH access to allow the members of GDN_BIO_Admins group, managed by Dale Plummer, to SSH to the host.

The AD group to permit access onto the host (bio_adm) is manageable by Dale Plummer.  Users added to that AD group have the ability to sudo to the bioapp application account ie "sudo su - bioapp".  Sudo functions within the application account can be viewed with the following command: "sudo -l bioapp".  Application related files should be stored in the /app001 volume on the host.

Additional work to the host should be requested through the Pegasus Request Management module using the VUMC IT LINUX - GENERAL REQUEST form.  Be sure to specify the host name where work is to be performed.  LTM work is requested using the Pegasus Request Management forms relating to VUMC IT LINUX - F5 LTM requests.  Applications must be fully configured before submitting requests for LTM work.  Requested packages or versions not available in Red Hat repositories will have to be installed by the customer within the application volume.

PROJECT
  • PV Actual Start: 8/14/2019
  • PV Requested start: 8/7/2019
  • PV Requested finish: 10/4/2019
  • Workgroup Assigned: 8/1/2019
  • Host build start: 8/14/2019
  • Host build finish: 8/19/2019
  • Dependent workgroup finish: Pending
  • Customer turn over: 8/19/2019
  • PV Scheduled Finish: 8/26/2019

HOST INFORMATION
  • Name: bio1000lp.hs.it.vumc.io
  • Address: 10.100.128.10

AD INFORMATION
  • Host access group: bio_adm
  • AD GID: 100232
  • Manager of AD group: Dale Plummer
  • Location: ou=AI Unix,ou=Information Management,ou=Organizational Units,dc=ds,dc=vanderbilt,dc=edu

APPLICATION ACCOUNT
  • Name: bioapp
  • UID/GID: 1639
  • Sudo group: bio_adm
  • Application account home directory: /app001
  • Application file directory: /app001

PEGASUS WORKGROUP
Topic revision: r13 - 01 Jul 2020, DalePlummer
 
