How to install nextcloud on centos 7 minimal

At first, please update your centos. Every command I use, is used as root 😉

yum -y update

Installing database server MariaDB

Next, we install and create empty database for our nextcloud. Then we start it and enable for autostart after boot.
If you wish, you can skip installations of MariaDB and you can use built-in SQLite. Then you can continue with installing apache web server.

yum -y install mariadb mariadb-server
...
systemctl start mariadb
systemctl enable mariadb

Now, we run post installation script to finish setting up mariaDB server:

mysql_secure_installation
...
Enter current password for root (enter for none): ENTER
Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Now, we can create a database for nextcloud.

mysql -u root -p
...
CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextclouduser'@'localhost' IDENTIFIED BY 'YOURPASSWORD';
FLUSH PRIVILEGES;
exit;

Installing Apache Web Server with ssl (letsencrypt)

Now, we install Apache web server, and we start it and enable for autostart after boot:

yum install httpd -y
systemctl start httpd.service
systemctl enable httpd.service

Now, we install ssl for apache and allow https service for firewall:

yum -y install epel-release
yum -y install httpd mod_ssl
...
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --reload
systemctl restart httpd.service
systemctl status httpd

Now we can access our server via https://out.server.sk
If we want signed certificate from letsencrypt, we can do it with next commands. Certboot will ask some questions, so answer them.

yum -y install python-certbot-apache
certbot --apache -d example.com

If we are good, we can see:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem.
...

And we can test our page with this:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com&latest

Install PHP 7

As creators of nextcloud recommends at minimal PHP 5.4, I use php 7.
PHP 5.4 has been end-of-life since September 2015 and is no longer supported by the PHP team. RHEL 7 still ships with PHP 5.4, and Red Hat supports it. Nextcloud also supports PHP 5.4, so upgrading is not required. However, it is highly recommended to upgrade to PHP 5.5+ for best security and performance.
Now we must add some additional repositories:

rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

And we can install php 7.2:

yum install mod_php72w.x86_64 php72w-common.x86_64 php72w-gd.x86_64 php72w-intl.x86_64 php72w-mysql.x86_64 php72w-xml.x86_64 php72w-mbstring.x86_64 php72w-cli.x86_64 php72w-process.x86_64

Check in:

php --ini |grep Loaded
Loaded Configuration File:         /etc/php.ini
php -v
PHP 7.2.22 (cli) (built: Sep 11 2019 18:11:52) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

In my case, I will use nextcloud as my backup device, so I increase the default upload limit to 200MB.

sed -i "s/post_max_size = 8M/post_max_size = 200M/" /etc/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 200M/" /etc/php.ini
sed -i "s/memory_limit = 128M/memory_limit = 512M/" /etc/php.ini

Restart web server:

systemctl restart httpd

Installing Nextcloud

At first, I install wget tool for download and unzip:

 yum -y install wget unzip

Now we can download nextcloud (at this time the latest version is 16.0.4). And extract it from archive to final destination. Then we change ownership of this directory:

wget https://download.nextcloud.com/server/releases/nextcloud-16.0.4.zip
...
unzip nextcloud-16.0.4.zip -d /var/www/html/
...
chown -R apache:apache /var/www/html/nextcloud/

Check, if you have enabled SELinux by command sestatus:

sestatus 

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Refer to nextcloud admin manual, you can run into permissions problems. Run these commands as root to adjust permissions:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
restorecon -Rv '/var/www/html/nextcloud/'

If you see error “-bash: semanage: command not found”, install packages:

yum provides /usr/sbin/semanage
yum install policycoreutils-python-2.5-33.el7.x86_64

And finally, we can access our nextcloud and set up administrators password via our web: https://you-ip/nextcloud
Now you must complete the installation via web interface. Set Administrator’s password and locate to MariaDB with used credentials:

Database user: nextclouduser
Database password: YOURPASSWORD
Database name: nextcloud
host: localhost

In my case, I must create a DATA folder under out nextcloud and set permissions:

mkdir /var/www/html/nextcloud/data
chown apache:apache /var/www/html/nextcloud/data -R
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
restorecon -Rv '/var/www/html/nextcloud/'

For easier access, I created a permanent redirect for my IP/domain Nextcloud root folder. This redirect allow you to open page

https://your-ip

and redirect you to:

https://your-ip/nextcloud

You must edit httpd.conf file and add this line into directory /var/www/html:

vim /etc/httpd/conf/httpd.conf
...
RedirectMatch ^/$ https://your-ip/nextcloud
...
systemctl restart httpd.service

If we see an error like “Your data directory and files are probably accessible from the Internet. The .htaccess file is not working. ” try edit and change variable

vim /etc/httpd/conf/httpd.conf
....
<Directory "/var/www/html">
    AllowOverride All
    Require all granted
    Options Indexes FollowSymLinks
</Directory>

Enable updates via the web interface

To enable updates via the web interface, you may need this to enable writing to the directories:

setsebool httpd_unified on

When the update is completed, disable write access:

setsebool -P httpd_unified off

Disallow write access to the whole web directory

For security reasons it’s suggested to disable write access to all folders in /var/www/ (default):

setsebool -P  httpd_unified  off

A way to enable enhanced security with own configuration file

vim  /etc/httpd/conf.d/owncloud.conf
...
Alias /nextcloud "/var/www/html/nextcloud/"
<Directory /var/www/html/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All
 <IfModule mod_dav.c>
  Dav off
 </IfModule>
 SetEnv HOME /var/www/html/nextcloud
 SetEnv HTTP_HOME /var/www/html/nextcloud
</Directory>

Setting up logrotate on Centos 7

Yesterday, I met with problem of low capacity /var/log/ partition. Some logs were too big and logrotate is the perfect tool to handle this problem. It is a software designed for reduce amount of space for every log file we have. And it can be done with some ways.
Logrotate Description: logrotate  is  designed  to  ease  administration of systems that generate large numbers of log files.  It allows automatic rotation, compression, removal, and mailing of log files.  Each log file may be handled daily, weekly, monthly, or when  it  grows too large.
Normally,  logrotate  is  run as a daily cron job.  It will not modify a log multiple times in one day So in few words, logrotate is reducing space usage on disk by log files.

Logrotate configuration

Configuration of logrotate is made in one main file: /etc/logrotate.conf and other service specific configuration files which are stored in /etc/logrotate.d/
So main sample configuration is:

# see "man logrotate" for details
# rotate log files weekly specified in /etc/logrotate.d/
weekly
# keep 4 weeks of all log files
rotate 4
# create new (empty) log files after rotating old ones
create
# use date as a suffix of the rotated file
dateext
# uncomment this if you want your log files compressed by gzip
compress
# RPM packages drop log rotation information into this directory
#there are all other configurations of services and their logs to rotate
include /etc/logrotate.d

Some samples and real log files configurations

So, we can add a new logs file into /var/log/  by this way:

echo "this is a sample log file" > /var/log/vasil.log
#this create a log file vasil1.log of size 5MB
dd if=/dev/zero of=/var/log/vasil1.log bs=1M count=5

Next, we create a new configuration files which are stored in destination explained above:

vim /etc/logrotate.d/vasil
###
/var/log/vasil.log {
 missingok
 notifempty
 compress
 minsize 1M
 daily
 create 0600 root root
}
vim /etc/logrotate.d/vasil1
###
/var/log/vasil1.log {
 missingok
 notifempty
 compress
 minsize 1M
 daily
 create 0600 root root
}

And som explanation of variables:

  • missingok – do not output error if logfile is missing
  • notifempty – do not rotate log file if it is empty
  • compress – Old versions of log files are compressed with gzip by default
  • minsize – Log file is rotated only if it is bigger than 1M
  • daily – ensures daily rotation
  • create – creates a new log file with permissions 600 where owner and group is root user

If you want more options and their explanation, look into manual:

man logrotare

Look at list of /var/log for our log files. We can see, that we have one log vasil.log with size 26b and vasil1.log with size 5MB.

ls -lah /var/log/va*
-rw-r--r--. 1 root root 5.0M Mar  3 13:21 /var/log/vasil1.log
-rw-r--r--. 1 root root   26 Mar  3 13:21 /var/log/vasil.log

Now, we can debug our configuration via this command:

logrotate -d /etc/logrotate.d/vasil1
or
logrotate -d /etc/logrotate.d/vasil

So, if we want to run logrotate manualy and see, what is happend, run the following command. But be aware because it rotate all your logs, defined in /etc/logrotate.d/

logrotate -f /etc/logrotate.conf

And we can see both log files compressed and two new empty log files created:

 ls -lah /var/log/va*
-rw-------. 1 root root    0 Mar  3 13:23 /var/log/vasil1.log
-rw-r--r--. 1 root root 5.0K Mar  3 13:21 /var/log/vasil1.log-20170303.gz
-rw-------. 1 root root    0 Mar  3 13:23 /var/log/vasil.log
-rw-r--r--. 1 root root   44 Mar  3 13:21 /var/log/vasil.log-20170303.gz

We can look into our compressed log file by this command:

zcat /var/log/vasil.log-20170303.gz
this is a sample log file

Or we can use gunzip to uncompress them by command gzip.
When we use logrotate, sometimes we need restart an application or service. Logrotate can do that by script called “postrotate”. This script can be used in configuration file like httpd. When log are rotated,  script reload service to use new empty log file.

cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
    endscript
}

So I hope, that this how to helps somebody 🙂 Have a fun.

How to install samba server on centos 7 with and without user and password

First, we must install package samba and accept all dependencies.

yum install samba -y

Create user, who can access our samba secure folder:

useradd -s /sbin/nologin user
groupadd smbgroup
usermod -a -G smbgroup user
smbpasswd -a user

Then, create a directories for samba shares. Chcon command mark our directory with label, that SELinux allows samba service to operate with this folder. Another possibility is disable SELinux, but it is not the right way 🙂

#for anonymous
mkdir -p /mnt/aaa
chmod -R 0777 /mnt/aaa
chcon -t samba_share_t /mnt/aaa -R
chown -R nobody:nobody /mnt/aaa
#for another secure user
mkdir -p /mnt/nfs/kadeco/
chmod -R 0755 /mnt/nfs/kadeco/
chcon -t samba_share_t /mnt/nfs/kadeco/ -R
chown -R user:smbgroup /mnt/nfs/kadeco/

Edit samba config for ours anonymous and secure shares

vi /etc/samba/smb.conf
[global]
 workgroup = home
 security = user
 passdb backend = tdbsam
 printing = cups
 printcap name = cups
 load printers = yes
 cups options = raw
 map to guest = bad user
[Anonymous-aaa]
        path = /mnt/aaa
        writable = yes
        browsable = yes
        guest ok = yes
        create mode = 0777
        directory mode = 0777
[kadeco]
        path = /mnt/nfs/kadeco
        writable = yes
        browsable = yes
        guest ok = no
        valid users = user
        create mask = 0755
        directory mask = 0755
        read only = No

Now, we can see our configuration of samba by this command and test it for errors:

testparm

Next, if we use firewall, we must add some ports, or service for samba to allow:

firewall-cmd --permanent --zone=public --add-port=137/tcp
firewall-cmd --permanent --zone-public --add-port=138/tcp
firewall-cmd --permanent --zone=public --add-port=139/tcp
firewall-cmd --permanent --zone=public --add-port=445/tcp
firewall-cmd --permanent --zone=public --add-port=901/tcp
firewall-cmd --reload
or we can use simple:
firewall-cmd --permanent --zone=public --add-service=samba
firewall-cmd --reload

And finally, start samba services and enable it, after reboot.

systemctl start smb.service
systemctl start nmb.service
systemctl enable smb.service
systemctl enable nmb.service

A way to restart samba services:

systemctl restart smb
systemctl restart nmb

And now we can user our samba server. Anonymous folder, or secured folder 🙂

If you want to access some folder for read from apache, just made a selinux modify:

Allow samba read/write access everywhere:

setsebool -P samba_export_all_rw 1
or if you want to be a little more descrite about it:
chcon -t public_content_rw_t /mnt/nfs/kadeco
2) setsebool -P allow_smbd_anon_write 1
3) setsebool -P allow_httpd_anon_write 1

This should allow both Samaba and Apache write access to public_content_rw_t context.

Status of samba we can list by this commands:

smbstatus -p
- show list of samba processes
smbstatus -S
- show samba shares
smbstatus -L
- show samba locks

If we need restart samba process, or restart server, we can list locked files by “smbstatus -L”. We can see, which share is locked and which specific file is accessing.

Have fun

How to set up nfs server on centos 7

Sometimes I need to use fast, simple and no-password storage over the network in bash, or an ISO storage for Xenserver. So nfs sharing is the best way for this.  I have a linux machine with centos 7 and available storage of 1,5TB disk. So, prepare the disk:

fdisk -l /dev/xvdb
> n (new partition), and use default options. The use -t (change partition ID) and change it to 83 (Linux). The use -w (write)
reboot
mkfs.xfs /dev/xvdb1
mkdir /mnt/nfs
mount /dev/xvdb1 /mnt/nfs/

If everything is OK, edit /etc/fstab to automount this partition to ours folder, and add this line:

/dev/xvdb1 /mnt/nfs xfs defaults,nosuid,noatime,nodiratime 0 0

The install package nfs-utils, for nfs server:

yum -y install nfs-utils

And allow nfs service in firewalld:

firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
#if sometimes on clients don't working showmount, and it create an error:
showmount -e 11.22.33.44
rpc mount export: RPC: Unable to receive; errno = No route to host
#we must add another ports to firewall:
firewall-cmd --add-port=2049/tcp --zone=public --permanent
firewall-cmd --add-port=2049/udp --zone=public --permanent
firewall-cmd --add-port=111/udp --zone=public --permanent
firewall-cmd --add-port=111/tcp --zone=public --permanent
firewall-cmd --add-port=662/tcp --zone=public --permanent
firewall-cmd --add-port=662/udp --zone=public --permanent
firewall-cmd --add-port=892/udp --zone=public --permanent
firewall-cmd --add-port=892/tcp --zone=public --permanent
firewall-cmd --reload

And uncoment this lines in: /etc/sysconfig/nfs

MOUNTD_PORT=892
STATD_PORT=662

Now enable nfs-server to run after poweron server and start it:

systemctl enable nfs-server.service
systemctl start nfs-server.service

Now we must prepare this folder with this permissions, for read and write for everybody:

chown nfsnobody:nfsnobody /mnt/nfs/ -R
chmod 755 /mnt/nfs/

And edit file /etc/exports for this folder to by allowed for everybody in network:

/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)

And apply this change:

exportfs -a

We can see our settings with command “exportfs”:

/mnt/nfs        <world>

And from other linux machine, we can mount this folder:

mount 11.22.33.44:/mnt/nfs /mnt/nfs/
#see this disk report space
df -h
Filesystem            Size  Used Avail Use% Mounted on
11.22.33.44:/mnt/nfs
                      1.5T  200G  1.3T  14% /mnt/nfs

And we can test it with 1GB file:

dd if=/dev/zero of=/mnt/nfs/1gb bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 16.4533 s, 63.7 MB/s
...
...
ls -lah /mnt/nfs/
drwxr-xr-x. 18 nfsnobody nfsnobody  4.0K Feb 28 10:47 .
drwxr-xr-x.  3 root      root       4.0K Feb 28 10:24 ..
-rw-r--r--.  1 root      root      1000M Feb 28 10:47 1gb

Have a fun 🙂

How to create a site-to-site ipsec vpn connection

Install and enable the EPEL using Yum, with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install openswan

Now we disable VPN redirects, if any, in the server using these commands:

for vpn in /proc/sys/net/ipv4/conf/*;
do echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
echo 0 > $vpn/rp_filter;
done

Edit /etc/ipsec.conf to debug in pluto.log

    plutostderrlog=/var/log/pluto.log
    protostack=netkey
#if using NAT, use variable below
#    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now, we customize firewall to allow ports for ipsec

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

We don’t use masquerade, because ipsec tunnel parameters automatic enable routing in these situations. If  not working, we add masquerade, but first we must add rule for match packets for this tunnel. Like: src leftsubnet dst rightsubnet on both sides

#In some posts in world I found this code, but explanation above cancel this
#code and in my situation it not working with this
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if is ipsec OK for itself:

ipsec verify
------------
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

Now, create a configuration file for our one connection

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=%defaultroute
    leftid=192.168.201.75
    leftsubnet=192.168.201.0/24
   
    right=#public IP other side#
    rightid=192.168.202.177
    rightsubnet=192.168.202.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=start
    compress=no

And configuration file for other connection:

vim /etc/ipsec.d/blava.conf
---------------------------
conn blava
    left=#public IP this side#
    leftid=192.168.202.177
    leftsubnet=192.168.202.0/24
    right=%any
    rightid=192.168.201.75
    rightsubnet=192.168.201.0/24
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    keyexchange=ike
    keyingtries=0
    ikelifetime=28800s
    salifetime=360000s
    esp=3des-sha1
    ike=aes256-sha1;modp1024
    auto=add
    compress=no
    keep_alive=30

Now create on both sides secrets file for PSK with your public IP:

vim /etc/ipsec.d/blava.secrets
------------------------------
%any 1.1.1.1: PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------
1.1.1.1 %any: PSK "ahoj12345"

Now, restart ipsec for apply configurations

systemctl restart ipsec.service

And if we are good, we must see some like this in pluto.log

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check ipsec status:

ipsec auto --status
-------------------
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;

Some usefull commands for work with ipsec…
When we update configuration file and if we must reload one ipsec tunnel, use these step rather then restart ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change secrets file and PSK, we must use too, before –up:

ipsec auto --rereadall