Tim's Blog

Information, Technology, Security, and other stuff.

Building ownCloud 8 on CentOS 7

Published 2015-02-09

I've tried a number of times now to build ownCloud at home. I've tried a whole heap of guides, and they always seem to take me 80% of the way. I also tried the OpenSUSE ownCloud in a box VM, but it was an incomplete implementation as well.

My biggest gripe with the guides/builds is that they usually just use sqlite as the database, which is not recommended for multi-user deployments.

I also tried running it on Windows, but support for that has been dropped as of Version 8. If someone would like the instructions for that, I'll be happy to provide those.

Part 1: Server Build and Configuration

Let's start by turning off SELinux:

sed -i 's/enforcing/disabled/g' /etc/selinux/config

Note: in production environments, I'd recommend instead determining the SELinux policy that is required for the server instead of just turning it off. I'll try to update this section in the future.

Restart the machine to apply the change:

shutdown -r now

Update the Server:

yum update -y

Install the Prerequisite packages:

yum install yum-cron httpd php php-mysql sqlite php-dom php-mbstring php-gd php-pdo php-json php-xml php-zip php-gd curl php-curl php-pear wget mariadb-server mariadb realmd samba samba-common samba-client oddjob oddjob-mkhomedir sssd ntpdate samba-winbind-clients samba-winbind ntp -y

Note: I'm going to connect this machine to a domain. You can omit all of the packages after "realmd" if you're not joining it to a domain.

Set auto-updates for yum:

sed -i 's/apply_updates = no/apply_updates = yes/g' /etc/yum/yum-cron.conf

Network Configuration:

firewall-cmd --permanent --zone=internal --change-interface=eth0
firewall-cmd --permanent --zone=internal --add-source={internal_network_IP}/24
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --permanent --zone=internal --add-service=ssh
firewall-cmd --permanent --zone=internal --add-service=https
firewall-cmd --permanent --zone=internal --add-service=ntp
firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=samba-client
firewall-cmd --permanent --zone=internal --add-service=samba
firewall-cmd --permanent --zone=internal --add-service=smtp
firewall-cmd --reload

Disclaimer: I'm far from being a network security expert, so ensure you review these rules with a professional before deploying them into production. If you know a better way to implement these rules, please share your knowledge.

Set DNS Servers (this is just for my network, as my crappy router doesn't let me define a different DNS Server for DHCP):

echo "{DNS Server in Domain}" >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo "{Backup DNS Server in Domain}" >> /etc/sysconfig/network-scripts/ifcfg-eth0
echo "DNS3=" >> /etc/sysconfig/network-scripts/ifcfg-eth0 # i like to keep Google as a backup DNS, in case my router craps out
sed -i 's/PEERDNS="yes"/PEERDNS="no"/g' /etc/sysconfig/network-scripts/ifcfg-eth0

Restart the network service for the changes to take effect:

systemctl restart network.service

Set the Timezone:

timedatectl set-timezone Australia/Sydney

This is just specific to my environment, as I have a domain:

systemctl enable ntpd.service
ntpdate domaincontroller.domain.example
systemctl start ntpd.service
realm join --client-software=sssd --user=username@domain.example domain.example

And then add my user account to the Sudoers file:

## Add AD Domain Admins to sudoers file
# add:
%domain\ admins@Qdomain.example ALL=(ALL)       ALL

Then finally shut down the machine, and take a snapshot. If it's a physical machine, take an image of the machine.

shutdown now
# take the snapshot

LAMP Configuration

Start Apache and MySQL:

sudo systemctl start mariadb
sudo systemctl start httpd

Set Apache and MySQL to start on boot:

sudo systemctl enable mariadb
sudo systemctl enable httpd

Setup MySQL, substituting {mysqlrootpassword} with your own desired password:

sudo mysql_secure_installation

Now create the OwnCloud database, substituting {ownclouduserpassword} with your own desired password:

mysql -uroot -p
CREATE USER 'ownclouduser'@'localhost' identified by '{ownclouduserpassword}';
GRANT ALL ON owncloud.* TO 'ownclouduser'@'localhost';

Set PHP charset to UTF-8:

sudo vi /etc/php.ini
/UTF-8 (searches for the text UTF-8)
# set default_charset = "UTF-8" (remove the ';')

Part 2: OwnCloud Installation

I chose to install it this way, as it allows for future updates to just come down via yum.

Add the OwnCloud Repository:

cd /etc/yum.repos.d/
sudo wget http://download.opensuse.org/repositories/isv:ownCloud:community/CentOS_CentOS-7/isv:ownCloud:community.repo
sudo wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
sudo rpm -ivh epel-release-7-5.noarch.rpm

Install OwnCloud:

sudo yum install owncloud -y

Now we have to edit one of the files in owncloud, because otherwise it prevents you from installing apps from the owncloud appstore:

sudo vi /var/www/html/owncloud/lib/private/httphelper.php
[:73] (go to line 73)
# add:
                    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);

Now you should be able to browse to the site, by going to http://{server_name}/owncloud

If it worked, take another snapshot in case you break it during the application setup.

Part 3: TLS Enablement

This is fairly straightforward, and there are plenty of guides out there, but I'll include it here for completeness sake.

First we need the mod_ssl module for Apache:

sudo yum install mod_ssl -y

Now create the Key:

sudo mkdir /etc/httpd/ssl
sudo openssl req -new -newkey rsa:2048 -nodes -out /etc/httpd/ssl/apache.csr -keyout /etc/httpd/ssl/apache.key -subj "/C=AU/ST=ACT/L=Canberra/O={org_name}/OU={section_name}/CN={server_name}"

Now output the CSR, to send to your certificate authority:

cat /etc/httpd/ssl/apache.csr

Get the CSR signed, and the copy the resultant certificate contents (as Base64) and put it on the server:

sudo vi /etc/httpd/ssl/apache.crt
# paste the signed certificate here

Configure Apache to use the SSL Certificate:

sudo vi /etc/httpd/conf.d/ssl.conf
# DocumentRoot "/var/www/html"
# ServerName {server_name}:443
# SSLCertificateFile /etc/httpd/ssl/apache.crt
# SSLCertificateKeyFile /etc/httpd/ssl/apache.key

Finally restart apache to have your settings take effect:

sudo service httpd restart