How to install nextcloud on centos 7 minimal

At first, please update your centos. Every command I use, is used as root 😉

yum -y update

Installing database server MariaDB

Next, we install and create empty database for our nextcloud. Then we start it and enable for autostart after boot.
If you wish, you can skip installations of MariaDB and you can use built-in SQLite. Then you can continue with installing apache web server.

yum -y install mariadb mariadb-server
systemctl start mariadb
systemctl enable mariadb

Now, we run post installation script to finish setting up mariaDB server:

Enter current password for root (enter for none): ENTER
Set root password? [Y/n] Y
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Now, we can create a database for nextcloud.

mysql -u root -p
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextclouduser'@'localhost' IDENTIFIED BY 'YOURPASSWORD';

Installing Apache Web Server with ssl (letsencrypt)

Now, we install Apache web server, and we start it and enable for autostart after boot:

yum install httpd -y
systemctl start httpd.service
systemctl enable httpd.service

Now, we install ssl for apache and allow https service for firewall:

yum -y install epel-release
yum -y install httpd mod_ssl
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --reload
systemctl restart httpd.service
systemctl status httpd

Now we can access our server via
If we want signed certificate from letsencrypt, we can do it with next commands. Certboot will ask some questions, so answer them.

yum -y install python-certbot-apache
certbot --apache -d

If we are good, we can see:

 - Congratulations! Your certificate and chain have been saved at

And we can test our page with this:

Install PHP 7

As creators of nextcloud recommends at minimal PHP 5.4, I use php 7.
PHP 5.4 has been end-of-life since September 2015 and is no longer supported by the PHP team. RHEL 7 still ships with PHP 5.4, and Red Hat supports it. Nextcloud also supports PHP 5.4, so upgrading is not required. However, it is highly recommended to upgrade to PHP 5.5+ for best security and performance.
Now we must add some additional repositories:

rpm -Uvh
rpm -Uvh

And we can install php 7.0:

yum -y install php70w.x86_64 php70w-mysql.x86_64 php70w-gd.x86_64 php70w-xml.x86_64 php70w-mbstring.x86_64

Check in:

php --ini |grep Loaded
Loaded Configuration File:         /etc/php.ini
php -v
PHP 7.0.18 (cli) (built: Apr 15 2017 07:09:11) ( NTS )
Copyright (c) 1997-2017 The PHP Group

In my case, I will use nextcloud as my backup device, so I increase the default upload limit to 200MB.

sed -i "s/post_max_size = 8M/post_max_size = 200M/" /etc/php.ini
sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 200M/" /etc/php.ini

Restart web server:

systemctl restart httpd

Installing Nextcloud

At first, I install wget tool for download and unzip:

 yum -y install wget unzip

Now we can download nextcloud (at this time the latest version is 11.0.3). And extract it from archive to final destination. Then we change ownership of this directory:

unzip -d /var/www/html/
chown -R apache:apache /var/www/html/nextcloud/

If you have enabled SELinux, refer to nextcloud admin manual, you can run into permissions problems. Run these commands as root to adjust permissions:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/config(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/apps(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.htaccess'
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/.user.ini'
restorecon -Rv '/var/www/html/nextcloud/'

And finally, we can access our nextcloud and set up administrators password via our web: https://you-ip/nextcloud
Now you must complete the installation via web interface. Set Administrator’s password and locate to MariaDB with used credentials:

Database user: nextclouduser
Database password: YOURPASSWORD
Database name: nextcloud
host: localhost

In my case, I must create a DATA folder under out nextcloud and set permissions:

mkdir /var/www/html/nextcloud/data
chown apache:apache data/ -R
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/nextcloud/data(/.*)?'
restorecon -Rv '/var/www/html/nextcloud/'

For easier access, I created a permanent redirect for my IP/domain Nextcloud root folder. This redirect allow you to open page


and redirect you to:


You must edit httpd.conf file and add this line into directory /var/www/html:

vim /etc/httpd/conf/httpd.conf
RedirectMatch ^/$ https://your-ip/nextcloud

Enable updates via the web interface

To enable updates via the web interface, you may need this to enable writing to the directories:

setsebool httpd_unified on

When the update is completed, disable write access:

setsebool -P httpd_unified off

Disallow write access to the whole web directory

For security reasons it’s suggested to disable write access to all folders in /var/www/ (default):

setsebool -P  httpd_unified  off

A way to enable enhanced security with own configuration file

vim  /etc/httpd/conf.d/owncloud.conf
Alias /nextcloud "/var/www/html/nextcloud/"
<Directory /var/www/html/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All
 <IfModule mod_dav.c>
  Dav off
 SetEnv HOME /var/www/html/nextcloud
 SetEnv HTTP_HOME /var/www/html/nextcloud


27231total visits,123visits today

Setting up logrotate on Centos 7

Yesterday, I met with problem of low capacity /var/log/ partition. Some logs were too big and logrotate is the perfect tool to handle this problem. It is a software designed for reduce amount of space for every log file we have. And it can be done with some ways.
Logrotate Description: logrotate  is  designed  to  ease  administration of systems that generate large numbers of log files.  It allows automatic rotation, compression, removal, and mailing of log files.  Each log file may be handled daily, weekly, monthly, or when  it  grows too large.
Normally,  logrotate  is  run as a daily cron job.  It will not modify a log multiple times in one day So in few words, logrotate is reducing space usage on disk by log files.

Logrotate configuration

Configuration of logrotate is made in one main file: /etc/logrotate.conf and other service specific configuration files which are stored in /etc/logrotate.d/
So main sample configuration is:

# see "man logrotate" for details
# rotate log files weekly specified in /etc/logrotate.d/
# keep 4 weeks of all log files
rotate 4
# create new (empty) log files after rotating old ones
# use date as a suffix of the rotated file
# uncomment this if you want your log files compressed by gzip
# RPM packages drop log rotation information into this directory
#there are all other configurations of services and their logs to rotate
include /etc/logrotate.d

Some samples and real log files configurations

So, we can add a new logs file into /var/log/  by this way:

echo "this is a sample log file" > /var/log/vasil.log
#this create a log file vasil1.log of size 5MB
dd if=/dev/zero of=/var/log/vasil1.log bs=1M count=5

Next, we create a new configuration files which are stored in destination explained above:

vim /etc/logrotate.d/vasil
/var/log/vasil.log {
 minsize 1M
 create 0600 root root
vim /etc/logrotate.d/vasil1
/var/log/vasil1.log {
 minsize 1M
 create 0600 root root

And som explanation of variables:

  • missingok – do not output error if logfile is missing
  • notifempty – do not rotate log file if it is empty
  • compress – Old versions of log files are compressed with gzip by default
  • minsize – Log file is rotated only if it is bigger than 1M
  • daily – ensures daily rotation
  • create – creates a new log file with permissions 600 where owner and group is root user

If you want more options and their explanation, look into manual:

man logrotare

Look at list of /var/log for our log files. We can see, that we have one log vasil.log with size 26b and vasil1.log with size 5MB.

ls -lah /var/log/va*
-rw-r--r--. 1 root root 5.0M Mar  3 13:21 /var/log/vasil1.log
-rw-r--r--. 1 root root   26 Mar  3 13:21 /var/log/vasil.log

Now, we can debug our configuration via this command:

logrotate -d /etc/logrotate.d/vasil1
logrotate -d /etc/logrotate.d/vasil

So, if we want to run logrotate manualy and see, what is happend, run the following command. But be aware because it rotate all your logs, defined in /etc/logrotate.d/

logrotate -f /etc/logrotate.conf

And we can see both log files compressed and two new empty log files created:

 ls -lah /var/log/va*
-rw-------. 1 root root    0 Mar  3 13:23 /var/log/vasil1.log
-rw-r--r--. 1 root root 5.0K Mar  3 13:21 /var/log/vasil1.log-20170303.gz
-rw-------. 1 root root    0 Mar  3 13:23 /var/log/vasil.log
-rw-r--r--. 1 root root   44 Mar  3 13:21 /var/log/vasil.log-20170303.gz

We can look into our compressed log file by this command:

zcat /var/log/vasil.log-20170303.gz
this is a sample log file

Or we can use gunzip to uncompress them by command gzip.
When we use logrotate, sometimes we need restart an application or service. Logrotate can do that by script called “postrotate”. This script can be used in configuration file like httpd. When log are rotated,  script reload service to use new empty log file.

cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true

So I hope, that this how to helps somebody 🙂 Have a fun.

27231total visits,123visits today

How to install samba server on centos 7 with and without user and password

First, we must install package samba and accept all dependencies.

yum install samba -y

Create user, who can access our samba secure folder:

useradd -s /sbin/nologin vasil
groupadd smbgroup
usermod -a -G smbgroup vasil
smbpasswd -a vasil

Then, create a directories for samba shares. Chcon command mark our directory with label, that SELinux allows samba service to operate with this folder. Another possibility is disable SELinux, but it is not the right way 🙂

#for anonymous
mkdir -p /mnt/aaa
chmod -R 0777 /mnt/aaa
chcon -t samba_share_t /mnt/aaa -R
chown -R nobody:nobody /mnt/aaa
#for another secure user
mkdir -p /mnt/nfs/kadeco/
chmod -R 0755 /mnt/nfs/kadeco/
chcon -t samba_share_t /mnt/nfs/kadeco/ -R
chown -R vasil:smbgroup /mnt/nfs/kadeco/

Edit samba config for ours anonymous and secure shares

vi /etc/samba/smb.conf
 workgroup = home
 security = user
 passdb backend = tdbsam
 printing = cups
 printcap name = cups
 load printers = yes
 cups options = raw
 map to guest = bad user
        path = /mnt/aaa
        writable = yes
        browsable = yes
        guest ok = yes
        create mode = 0777
        directory mode = 0777
        path = /mnt/nfs/kadeco
        writable = yes
        browsable = yes
        guest ok = no
        valid users = vasil
        create mask = 0755
        directory mask = 0755
        read only = No

Now, we can see our configuration of samba by this command and test it for errors:


Next, if we use firewall, we must add some ports, or service for samba to allow:

firewall-cmd --permanent --zone=public --add-port=137/tcp
firewall-cmd --permanent --zone-public --add-port=138/tcp
firewall-cmd --permanent --zone=public --add-port=139/tcp
firewall-cmd --permanent --zone=public --add-port=445/tcp
firewall-cmd --permanent --zone=public --add-port=901/tcp
firewall-cmd --reload
or we can use simple:
firewall-cmd --permanent --zone=public--add-service=samba
firewall-cmd --reload

And finally, start samba services and enable it, after reboot.

systemctl start smb.service
systemctl start nmb.service
systemctl enable smb.service
systemctl enable nmb.service

A way to restart samba services:

systemctl restart smb
systemctl restart nmb

And now we can user our samba server. Anonymous folder, or secured folder 🙂

If you want to access some folder for read from apache, just made a selinux modify:

Allow samba read/write access everywhere:

setsebool -P samba_export_all_rw 1
or if you want to be a little more descrite about it:
chcon -t public_content_rw_t /mnt/nfs/kadeco
2) setsebool -P allow_smbd_anon_write 1
3) setsebool -P allow_httpd_anon_write 1

This should allow both Samaba and Apache write access to public_content_rw_t context.

Have fun

27231total visits,123visits today

How to set up nfs server on centos 7

Sometimes I need to use fast, simple and no-password storage over the network in bash, or an ISO storage for Xenserver. So nfs sharing is the best way for this.  I have a linux machine with centos 7 and available storage of 1,5TB disk. So, prepare the disk:

fdisk -l /dev/xvdb
> n (new partition), and use default options. The use -t (change partition ID) and change it to 83 (Linux). The use -w (write)
mkfs.xfs /dev/xvdb1
mkdir /mnt/nfs
mount /dev/xvdb1 /mnt/nfs/

If everything is OK, edit /etc/fstab to automount this partition to ours folder, and add this line:

/dev/xvdb1 /mnt/nfs xfs defaults,nosuid,noatime,nodiratime 0 0

The install package nfs-utils, for nfs server:

yum -y install nfs-utils

And allow nfs service in firewalld:

firewall-cmd --permanent --zone=public --add-service=nfs
firewall-cmd --reload
#if sometimes on clients don't working showmount, and it create an error:
showmount -e
rpc mount export: RPC: Unable to receive; errno = No route to host
#we must add another ports to firewall:
firewall-cmd --add-port=2049/tcp --zone=public --permanent
firewall-cmd --add-port=2049/udp --zone=public --permanent
firewall-cmd --add-port=111/udp --zone=public --permanent
firewall-cmd --add-port=111/tcp --zone=public --permanent
firewall-cmd --add-port=662/tcp --zone=public --permanent
firewall-cmd --add-port=662/udp --zone=public --permanent
firewall-cmd --add-port=892/udp --zone=public --permanent
firewall-cmd --add-port=892/tcp --zone=public --permanent
firewall-cmd --reload

And uncoment this lines in: /etc/sysconfig/nfs


Now enable nfs-server to run after poweron server and start it:

systemctl enable nfs-server.service
systemctl start nfs-server.service

Now we must prepare this folder with this permissions, for read and write for everybody:

chown nfsnobody:nfsnobody /mnt/nfs/ -R
chmod 755 /mnt/nfs/

And edit file /etc/exports for this folder to by allowed for everybody in network:

/mnt/nfs *(rw,sync,no_root_squash,no_all_squash)

And apply this change:

exportfs -a

We can see our settings with command “exportfs”:

/mnt/nfs        <world>

And from other linux machine, we can mount this folder:

mount /mnt/nfs/
#see this disk report space
df -h
Filesystem            Size  Used Avail Use% Mounted on
                      1.5T  200G  1.3T  14% /mnt/nfs

And we can test it with 1GB file:

dd if=/dev/zero of=/mnt/nfs/1gb bs=1M count=1000
1048576000 bytes (1.0 GB) copied, 16.4533 s, 63.7 MB/s
ls -lah /mnt/nfs/
drwxr-xr-x. 18 nfsnobody nfsnobody  4.0K Feb 28 10:47 .
drwxr-xr-x.  3 root      root       4.0K Feb 28 10:24 ..
-rw-r--r--.  1 root      root      1000M Feb 28 10:47 1gb

Have a fun 🙂

27231total visits,123visits today

How to create a site-to-site ipsec vpn connection

Install and enable the EPEL using Yum, with some useful software:

yum install epel-release.noarch
yum install htop dstat tcpdump

On Red Hat based Systems (CentOS, Fedora or RHEL):

yum install openswan

Now we disable VPN redirects, if any, in the server using these commands:

for vpn in /proc/sys/net/ipv4/conf/*;
do echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
echo 0 > $vpn/rp_filter;

Edit /etc/ipsec.conf to debug in pluto.log

#if using NAT, use variable below
#    nat_traversal=yes

Next, we modify the kernel parameters to allow IP forwarding and disable redirects permanently by:

 vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Reload /etc/sysctl.conf:

 sysctl -p

Now, we customize firewall to allow ports for ipsec

firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="esp" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule protocol value="ah" accept'
firewall-cmd --zone=public --permanent --add-port=500/udp
firewall-cmd --zone=public --permanent --add-port=4500/udp
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --zone=public --permanent --add-port=4500/tcp
firewall-cmd --zone=public --add-port=50/udp --permanent
firewall-cmd --zone=public --add-port=51/udp --permanent

We don’t use masquerade, because ipsec tunnel parameters automatic enable routing in these situations. If  not working, we add masquerade, but first we must add rule for match packets for this tunnel. Like: src leftsubnet dst rightsubnet on both sides

#In some posts in world I found this code, but explanation above cancel this
#code and in my situation it not working with this
#firewall-cmd --zone=public --permanent --add-masquerade

We reload firewalld and check our rules:

firewall-cmd --reload
firewall-cmd --zone=public --list-all

Check if is ipsec OK for itself:

ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path                         [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options                 [OK]
Opportunistic Encryption                                [DISABLED]

Now, create a configuration file for our one connection

vim /etc/ipsec.d/blava.conf
conn blava
    right=#public IP other side#

And configuration file for other connection:

vim /etc/ipsec.d/blava.conf
conn blava
    left=#public IP this side#

Now create on both sides secrets file for PSK with your public IP:

vim /etc/ipsec.d/blava.secrets
%any PSK "ahoj12345"
vim /etc/ipsec.d/blava.secrets
------------------------------ %any: PSK "ahoj12345"

Now, restart ipsec for apply configurations

systemctl restart ipsec.service

And if we are good, we must see some like this in pluto.log

 STATE_MAIN_R3: sent MR3, ISAKMP SA established
 STATE_QUICK_R2: IPsec SA established tunnel mode

Or check ipsec status:

ipsec auto --status
Total IPsec connections: loaded 4, active 1
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 85318s
STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27718s;

Some usefull commands for work with ipsec…
When we update configuration file and if we must reload one ipsec tunnel, use these step rather then restart ipsec service itself:

ipsec auto --down blava
ipsec auto --replace blava
ipsec auto --up blava

If we change secrets file and PSK, we must use too, before –up:

ipsec auto --rereadall

27231total visits,123visits today