
Scripted installation of Nextcloud 19 in iocage jail 2018-03-23

danb35

Wizened Sage
Joined
Aug 16, 2011
Messages
11,325
It seems like there are a lot of guides here on installing Nextcloud, and a number of people reporting problems with many of them. So, I figured, why not write another one? This is inspired by the work of @kjake in his scripts to build jails for Unifi and Crashplan, and largely follows the process that @dureal99d documented here. The difference between this method and the others is that this method employs a script to create the jail, install all the relevant packages, and configure them. My thought/hope is that by scripting the installation and setup, a lot of the PEBCAK-type errors that come up in such a complex installation can be avoided.

This script uses acme.sh to get a certificate for your jail. In order to obtain the cert, one of two things must be true:
  1. You have a fully-qualified domain name ("$FQDN") that points to your jail, and the jail is reachable from the public Internet with ports 80 and 443 open to the jail--that is, if an Internet user browses to http://$FQDN, they'll reach your jail. -or-
  2. Your DNS host has an API that's supported by acme.sh, allowing automated updates to your DNS records. Cloudflare has such an API, and provides DNS hosting for free. Many other DNS hosts' APIs are also supported; see https://github.com/Neilpang/acme.sh/tree/master/dnsapi
You'll specify which of these is the case in the script's configuration file. In addition, $FQDN should resolve to your jail from inside your network; this is something you'd set up in your router configuration (in pfSense, for example, you'd set it up as a host override under Services -> DNS Resolver). Edit: It's no longer essential that $FQDN resolve to your jail from inside your network, but it's still preferred. You can use the IP address of your jail inside your network, but you'll get certificate errors that way.

This script installs and configures Nextcloud and all its dependencies.

Script and more details here: https://github.com/danb35/freenas-iocage-nextcloud

Edit: This has been tested on just one system right now, using the DNS validation for the cert. But it ran from start to finish, created the jail, installed everything, configured everything, obtained the cert, made the database changes, etc. Do not try this in production at this point.
 

cunningorb

Member
Joined
Feb 5, 2018
Messages
58
You are a rockstar for working on a script! I don't have time for a full post because of family demands on my time. I have deleted my volume and started from scratch entirely 3 times but I keep getting this result:
Code:
Setting up zpool [orb1] for iocage usage
 If you wish to change please use "iocage activate"
Creating orb1/iocage
Creating orb1/iocage/download
Creating orb1/iocage/images
Creating orb1/iocage/jails
Creating orb1/iocage/log
Creating orb1/iocage/releases
Creating orb1/iocage/templates
, please remove it.n nextcloud
' not found!oud


Which, after about 20 of those "not found" messages, eventually says that it was successful when it is done. But there is no jail created (no IP address showing in my router).

Here is my config:
Code:
JAIL_IP="192.168.1.2"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/orb1"
JAIL_NAME="nextcloud"
TIME_ZONE="America/New_York" # See http://php.net/manual/en/timezones.php
HOST_NAME="ireallydohaveadomainbutimnotpostingithere.com"
STANDALONE_CERT=1
DNS_CERT=0


I will edit this or reply as I can!
 

danb35

I'll have to try it some more on a clean VM. Not an iocage genius by any means. Also why I haven't posted this as a resource yet.

Edit: I just tried it in a clean VM, and it created the jail OK, but there are networking issues. I remember having to set some tunables on the other system to make it work; I'll track them down and update the instructions when I get a chance. It also looks like I can use the occ command inside the jail to script the Nextcloud installation piece.
 

jasemo

Member
Joined
Mar 15, 2018
Messages
30
This is awesome, danb.

I'd hoped to offer a "tidy up" of some of the ambiguous parts of dureal's guide, but this makes that idea obsolete. I'll be looking forward to checking out the script properly when I'm back in a week's time.

Thanks for the awesome work.
 

danb35

As I said, I tried it on a clean VM, but had networking issues. When I edited the script to stop using vnet, it worked on that VM. I think I'll want to try it on another test machine or two to make sure, but that might be taken care of. @cunningorb, if you want to test it right away, you can try editing line 13 of nextcloud-jail.sh to read like this:
Code:
iocage create --name "${JAIL_NAME}" -p /tmp/pkg.json -r 11.1-RELEASE ip4_addr="YOUR_INTERFACE|${JAIL_IP}/24" defaultrouter="${DEFAULT_GW_IP}" boot="on" host_hostname="${JAIL_NAME}"

...where YOUR_INTERFACE is the name of the network interface you're using on your FreeNAS box (em0, igb0, etc.). Then try the script again.

As I noted above, the occ command can be used to complete the installation of Nextcloud, so I'm testing some other upgrades to the script which should leave you ready to log in, with a secure admin password (that can, of course, be changed to your preference), with a cert ready to go, set up for auto-renew and everything. If all goes well, I hope to have those posted this evening.

Aside from (obviously) confirming that this works, I'd be especially interested in any improvements that can be offered to the config files I'm deploying here. Other than some major changes to nextcloud.conf, they basically track what @dureal99d did in his thread, and I haven't reviewed them to see if they could be improved (and, honestly, wouldn't likely know better if I had).

I'll note that I'm not enabling Strict Transport Security in nextcloud.conf. This is deliberate. Strict Transport Security means that, for the specified time (typically six months), connections to that hostname can only happen over HTTPS. This is a good security measure, but if you have SSL issues, it can lock you out of your site. I'd recommend testing everything thoroughly, ideally through a renewal cycle for Let's Encrypt (i.e., at least 90 days), before enabling this.
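A way to make the "test thoroughly before enabling HSTS" advice concrete, as an added example that is not part of this thread or of danb35's script: a small shell checker that reads a site's response headers, verifies the certificate chain with openssl before it even looks at the header, and classifies the max-age it finds. The one-day trial threshold and the function names are my own choices; nothing is assumed about which web server serves nextcloud.conf beyond its ability to send the header.

```shell
#!/bin/sh
# hsts-check.sh: inspect a site's Strict-Transport-Security header before committing
# to HSTS. Added example for this thread, not part of the script or its configs.
# Assumptions: the staging thresholds (one day for a trial, anything longer is a
# commitment) are my choice; curl and openssl are needed only for the live check.

# Print the max-age (seconds) from a Strict-Transport-Security header read on stdin;
# fail if the header is absent or carries no usable max-age.
hsts_max_age() {
    tr -d '\r' | awk '
        BEGIN { found = 0 }
        tolower($0) ~ /^strict-transport-security:/ {
            n = split($0, parts, ";")
            for (i = 1; i <= n; i++) {
                d = parts[i]
                sub(/^[^:]*:/, "", d)        # drop the header name from the first part
                gsub(/[ \t"]/, "", d)        # tolerate spaces and quoted values
                if (tolower(d) ~ /^max-age=[0-9]+$/) { sub(/^[^=]*=/, "", d); print d; found = 1; exit }
            }
        }
        END { exit !found }'
}

# Succeed if the HSTS header on stdin carries the named directive (includeSubDomains, preload).
hsts_has_directive() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr -d '\r' | awk -v want="$want" '
        BEGIN { found = 0 }
        tolower($0) ~ /^strict-transport-security:/ {
            sub(/^[^:]*:/, "")
            n = split(tolower($0), parts, ";")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", parts[i]); if (parts[i] == want) found = 1 }
        }
        END { exit !found }'
}

# Classify the response headers on stdin: "absent" (1), "trial" (0), "production" (2)
# or "preload" (3). preload is the irreversible one: browsers ship the list.
hsts_stage() {
    hdrs=$(cat)
    age=$(printf '%s\n' "$hdrs" | hsts_max_age) || { echo "absent"; return 1; }
    if printf '%s\n' "$hdrs" | hsts_has_directive preload; then
        echo "preload"; return 3
    elif [ "$age" -le 86400 ]; then
        echo "trial"; return 0
    else
        echo "production"; return 2
    fi
}

# Live check: refuse to even look at HSTS until the chain verifies, because a broken
# chain plus a long max-age is exactly the lock-out described above.
check_site() {
    host=$1
    printf '' | openssl s_client -connect "$host:443" -servername "$host" -verify_return_error >/dev/null 2>&1 \
        || { echo "certificate chain for $host does not verify; fix that before enabling HSTS"; return 1; }
    curl -sI "https://$host/" | hsts_stage
}

# Usage: sh hsts-check.sh cloud.example.com
if [ $# -ge 1 ]; then check_site "$1"; fi
```

Roll out in the order the classifier encodes: a short max-age first (minutes to a day), raise it only once a Let's Encrypt renewal has gone through cleanly, and leave preload out entirely unless you are prepared for the entry to be effectively permanent.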
 

danb35

If all goes well, I hope to have those posted this evening.
Should be good to go now. If you've already downloaded the script, change to the freenas-iocage-nextcloud directory and do git pull to get the updates.
 

cunningorb

When you say clean VM, is there any freenas config to be done outside of creating the datasets?
 

danb35

When you say clean VM, is there any freenas config to be done outside of creating the datasets?
Starting with a brand-new installation of 11.1-U2 (hadn't seen -U3), I set the root password, built a pool, created the files and db datasets (a third portsnap dataset wouldn't be a bad idea either, but I didn't make one here), set the system time zone, enabled SSH. I'm 99% sure that's all the config I did on the system.
 

cunningorb

Starting with a brand-new installation of 11.1-U2 (hadn't seen -U3), I set the root password, built a pool, created the files and db datasets (a third portsnap dataset wouldn't be a bad idea either, but I didn't make one here), set the system time zone, enabled SSH. I'm 99% sure that's all the config I did on the system.
I fear I've just completed trying it on a totally fresh install of freenas 11.1 u3 in a VM environment using the above mentioned configs prior to running script.

The same issue persisted. I am starting to suspect something is different about my network config from yours that is preventing the script from running. I know I have internet working or else the git clone command would not pull in the files.

What can I help with in checking for you? I am more than happy to test this script until it is working well and even beyond.
 

danb35

Testing has now expanded to two systems: the completely clean VM mentioned above, and a bare metal install with an existing warden plugin jail. The current script works fine on both. However, I don't have any port forwards to the jails, so I've been using DNS validation to get the certificates. The standalone/webroot validation hasn't been tested yet.

Edit: and a third, with a different NIC driver, multiple existing warden jails as well as one or two iocage jails. Again, no issues, though I've still only tested DNS validation.
 

danb35

The same issue persisted.
Well, I'd been running it on 11.1-U2, not -U3, but I'd hope that wouldn't cause the problem. I'm updating the VM now, so I'll see if it makes a difference there.

Let's try breaking it down. Do iocage list to see if it's created a jail, and if so, iocage destroy -f nextcloud to destroy it. Then try manually creating the jail:
Code:
iocage create --name "nextcloud" -r 11.1-RELEASE ip4_addr="YOUR_INTERFACE|192.168.1.2/24" defaultrouter="192.168.1.1" boot="on" host_hostname="nextcloud"

...replacing YOUR_INTERFACE with the name of your NIC, of course. What's the output of that?

Edit: The IP addresses were pulled from the config file you posted earlier--is .1.2 unique to the jail? There's no other device on your LAN with that IP address?
 

cunningorb

iocage list came up empty.

The result of manually creating the jail:
Code:
nextcloud successfully created!
Traceback (most recent call last):
  File "/usr/local/bin/iocage", line 10, in <module>
	sys.exit(cli())
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 722, in __call__
	return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 697, in main
	rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
	return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 895, in invoke
	return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/site-packages/click/core.py", line 535, in invoke
	return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/iocage/cli/create.py", line 145, in cli
	basejail=basejail, empty=empty)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/iocage.py", line 644, in create
	exit_on_error=self.exit_on_error).create_jail()
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_create.py", line 86, in create_jail
	return self._create_jail(jail_uuid, location)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_create.py", line 449, in _create_jail
	silent=self.silent)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_start.py", line 64, in __init__
	self.__start_jail__()
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_start.py", line 127, in __start_jail__
	vnet_interfaces = self.conf["vnet_interfaces"]
KeyError: 'vnet_interfaces'


IP ending in 1.2 is unique on my network. I will note though that port forwarding for 80 and 443 already point to 1.2 and in the router's host list I have designated 1.2 to be my FQDN. I could turn these configs off if having them set before the script runs could be causing any issue. I have verified with trace routes/ping that 1.2 resolves as my FQDN.

Edit: I have a 2nd interface on this new server. Should I fire that up and configure it for the jail? Just seems like it shouldn't be necessary is all.
 

danb35

I could turn these configs off if having them set before the script runs could be causing any issue.
They shouldn't be. Are you sure you've set the interface name correctly? vnet is very different from vtnet--the latter is what a NIC is called when I install FreeNAS in a Proxmox VM; the former would be using iocage virtual networking, which we aren't doing here.

I've just tested on a 11.1-U3 VM, but it was an upgrade from 11.1-U2 and had previously had this installed--it'd be better to do it on a clean machine, but that will need to wait a day or two, I expect.
 

cunningorb

Frankly no, I'm not sure. Can you share a pic of your interface setup?
 

danb35

Can you share a pic of your interface setup?
[screenshot: FreeNAS network interface list, showing vtnet0 with the web GUI's IP address under it]

vtnet0 is the interface that the web GUI is on (I can tell that because the IP address is listed under that interface), so INTERFACE="vtnet0" in nextcloud-config.
 

danb35

This one's more complicated. The web GUI's IP address is 192.168.1.10 on this server:
[screenshot: network interface list for this server, with the web GUI's address 192.168.1.10 shown under cxgbe0]

It's complicated by the fact that the motherboard has four onboard NICs (igb0-igb3), but I'm not using any of them--I'm using a 10G add-on card that's at cxgbe0.
 

cunningorb

I have to hit the hay as they say but I encountered one interesting thing on my last fresh install of freenas and fresh config. When running the script I hit escape a bunch which somehow revealed more of the "not found!oud" message:
not found!^[^[^[^[jail 'nextcloud
I take this to mean the script is not able to create the iocage jail? Let me try again tomorrow or whenever I can escape into this project again.
 

danb35

I take this to mean the script is not able to create the iocage jail?
That does seem to be the case, and that's also what's suggested by what happens when you try to create the jail manually. And though I'm far from an iocage expert, the traceback suggests an interface problem. Check the output of ifconfig for the proper interface name and see what that does.
 

cunningorb

That does seem to be the case, and that's also what's suggested by what happens when you try to create the jail manually. And though I'm far from an iocage expert, the traceback suggests an interface problem. Check the output of ifconfig for the proper interface name and see what that does.
I'm unable to get hands on my freenas while at work but last night when I checked ifconfig I was using the correct interface name. I tried this both with and without the 1.2 in a dmz, and I also changed it up and went with a 1.66 just to make sure it wasn't that specific IP causing an issue. The 1.66 attempt was on a fresh image of freenas in VM environment.

Could there be an error log somewhere that would give me some more clues as to what specifically is preventing the iocage jail from being created by a script? I can manually create iocage jails no problem.
 

danb35

I can manually create iocage jails no problem.
...except that, when you ran the command manually above, you couldn't--even though it said it did, the traceback says there's a problem.

Just to confirm, you're using the most recent version of the script? If you're not sure, change into the freenas-iocage-nextcloud/ directory and run git pull. And you've updated nextcloud-config to include the INTERFACE line?

I'm not sure about logging for iocage. I'd think there should be, but I can't put my hands on the system to check right now either.

Edit: Looks like the log is (unsurprisingly enough) in /var/log/iocage.log.
 

cunningorb

if you want to test it right away, you can try editing line 13 of nextcloud-jail.sh to read like this:
Code:
iocage create --name "${JAIL_NAME}" -p /tmp/pkg.json -r 11.1-RELEASE ip4_addr="YOUR_INTERFACE|${JAIL_IP}/24" defaultrouter="${DEFAULT_GW_IP}" boot="on" host_hostname="${JAIL_NAME}"

...where YOUR_INTERFACE is the name of the network interface you're using on your FreeNAS box (em0, igb0, etc.). Then try the script again.
Trying to reconcile this post above with the below. Each mentions a different location for placing this script:
Code:
iocage create --name "${JAIL_NAME}" -p /tmp/pkg.json -r 11.1-RELEASE ip4_addr="${INTERFACE}|${JAIL_IP}/24" defaultrouter="${DEFAULT_GW_IP}" boot="on" host_hostname="${JAIL_NAME}"
rm /tmp/pkg.json


And you've updated nextcloud-config to include the INTERFACE line?
Edit: Looks like the log is (unsurprisingly enough) in /var/log/iocage.log.
My Edit: Whoa, just realized you updated the nextcloud-config file to include interface. Mine does not have that. That will be my #1 for next attempt. Gracias!
I was adding my interface to nextcloud-jail.sh and then running chmod command. It should have been the most recent script since I did this on a fresh freenas install.
My plan next time I have time to look at this is #1. check the logs you mentioned above (awesome!) and #2 include my interface in the nextcloud-config file as needed depending on best usage for my case. #3 I will read the freenas documentation about setting up a pool to make sure I'm following best practice as I am pretty far removed from January when I was first doing that. Maybe I introduced bad habits somewhere along the way.

Rest assured I am in this for the long haul. I'm a software developer so if I can't help testing a script I've got some problems :)

I still believe there is value in getting nextcloud setup on freenas despite the difficult journey it has been for me. Can't wait for that eureka moment when it all works and I can migrate users onto the platform.

BTW in case you're curious, my router is an Asus RT-N56u running padavan's custom firmware. DNS settings are configured on the router. I don't have any internal DNS and until now didn't think I would need it. Maybe it's time to setup something more robust?
 

danb35

Trying to reconcile this post above with the below. Each mentions a different location for placing this script:
I'm not sure where you're seeing the discrepancy. The two lines you quote (one above, one below) should be identical except that the second uses the shell variable for the interface, while the former has you enter the interface right into the script. The former was intended as a stopgap edit, just until I got the latter change pushed out to github. The only hardcoded location on the host system is /tmp/pkg.json, and that's only used for as long as iocage is building the jail.

The script can go anywhere you want. cd /wherever/you/want; git clone https://github.com/danb35/freenas-iocage-nextcloud; cd freenas-iocage-nextcloud; nano nextcloud-config; enter the appropriate settings. If you're using DNS validation to get your Let's Encrypt cert, then cp configs/acme_dns_issue.sh_orig configs/acme_dns_issue.sh, edit acme_dns_issue.sh as needed, chmod +x configs/acme_dns_issue.sh Then chmod +x nextcloud-jail.sh and you should be ready to go.

I'm a software developer
Ah, then you should be much better equipped than I to deal with this--I'm a lawyer.

Maybe it's time to setup something more robust?
I'm quite happy with my pfSense box; it's powerful and flexible, and relevant to this subject, it incorporates a DNS resolver for your LAN. You can configure that so that LAN resources are reachable by hostname, which can be convenient (especially when you're dealing with HTTPS, as you'll get certificate errors if you browse by IP address). I know that OPNSense has similar features, and many of the Linux-based router/firewall distributions do as well. But with that said, the script does add the jail's IP as a trusted domain, so you can use that to log in as well--you'll just get certificate errors when you do so.

If you have trouble on the next try, let's just make sure the interface is specified correctly--post the contents of nextcloud-config (mask your domain name if you like, though be aware that it will be public knowledge once Let's Encrypt issues the cert) and the output of ifconfig.
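Most of this thread comes down to one config file: an interface name that must be a host NIC such as vtnet0 rather than vnet, a jail IP that is unique and on the gateway's /24, and exactly one of the two acme.sh validation modes from the first post selected. As an added example, not part of danb35's repository, the following pre-flight checker reads a nextcloud-config and reports those problems before nextcloud-jail.sh is ever run; with --live on the FreeNAS host it also compares INTERFACE with the output of ifconfig -l and checks that HOST_NAME resolves to the jail on the LAN, the setup the first post calls preferred. The variable names are the ones posted in the thread; the assumption that the files and db datasets sit directly under POOL_PATH is mine and only produces a warning.

```shell
#!/bin/sh
# preflight.sh: sanity-check a nextcloud-config file before running nextcloud-jail.sh.
# Added example for this thread; it is not part of danb35's repository.
# The variable names are the ones shown in the thread (JAIL_IP, DEFAULT_GW_IP, POOL_PATH,
# JAIL_NAME, TIME_ZONE, HOST_NAME, STANDALONE_CERT, DNS_CERT, INTERFACE).
# Assumption: the files and db datasets live directly under POOL_PATH; that is only
# warned about, since the thread does not give their exact paths.

# Succeed only if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1; exit }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { bad = 1; exit } }
        END { exit bad }'
}

# The script hands iocage "INTERFACE|JAIL_IP/24", so gateway and jail must share a /24.
same_slash24() { [ "${1%.*}" = "${2%.*}" ]; }

# The name must be a host NIC as listed by ifconfig (vtnet0, em0, igb0, cxgbe0 ...).
# "vnet" is iocage's virtual networking, which this script does not use.
check_interface_name() {
    case "$1" in
        '')            echo "INTERFACE is empty"; return 1 ;;
        vnet*)         echo "INTERFACE='$1' is iocage vnet, not a host NIC (vtnet0 is a NIC, vnet is not)"; return 1 ;;
        *[!a-z0-9.]*)  echo "INTERFACE='$1' is not a plausible NIC name"; return 1 ;;
    esac
    return 0
}

# Exactly one of the two acme.sh validation modes must be selected.
check_cert_mode() {
    case "${1:-0}${2:-0}" in
        10|01) return 0 ;;
        11)    echo "STANDALONE_CERT and DNS_CERT are both 1; choose one"; return 1 ;;
        *)     echo "set exactly one of STANDALONE_CERT=1 or DNS_CERT=1"; return 1 ;;
    esac
}

# Static checks: source the config in a subshell so nothing leaks, count failures.
preflight() {
    (
        set +e
        . "$1" || exit 2
        fail=0
        is_ipv4 "${JAIL_IP:-}"       || { echo "JAIL_IP='${JAIL_IP:-}' is not an IPv4 address"; fail=1; }
        is_ipv4 "${DEFAULT_GW_IP:-}" || { echo "DEFAULT_GW_IP='${DEFAULT_GW_IP:-}' is not an IPv4 address"; fail=1; }
        same_slash24 "${JAIL_IP:-}" "${DEFAULT_GW_IP:-}" || { echo "JAIL_IP and DEFAULT_GW_IP are not in the same /24"; fail=1; }
        check_interface_name "${INTERFACE:-}" || fail=1
        check_cert_mode "${STANDALONE_CERT:-0}" "${DNS_CERT:-0}" || fail=1
        case "${HOST_NAME:-}" in
            *.*) ;;
            *)   echo "HOST_NAME='${HOST_NAME:-}' is not a fully qualified domain name"; fail=1 ;;
        esac
        [ -n "${JAIL_NAME:-}" ] || { echo "JAIL_NAME is empty"; fail=1; }
        [ -d "${POOL_PATH:-/nonexistent}" ] || { echo "POOL_PATH='${POOL_PATH:-}' does not exist"; fail=1; }
        for ds in files db; do
            [ -d "${POOL_PATH:-}/$ds" ] || echo "warning: no $ds dataset found under ${POOL_PATH:-} (assumed location)" >&2
        done
        if [ "${DNS_CERT:-0}" = 1 ] && [ ! -x configs/acme_dns_issue.sh ]; then
            echo "warning: DNS validation selected but configs/acme_dns_issue.sh is missing or not executable" >&2
        fi
        exit $fail
    )
}

# Live checks, only meaningful on the FreeNAS host itself.
live_checks() {
    (
        . "$1"
        nics=$(ifconfig -l 2>/dev/null) || { echo "ifconfig -l unavailable; skipping NIC check"; exit 0; }
        found=0
        for nic in $nics; do [ "$nic" = "$INTERFACE" ] && found=1; done
        [ "$found" = 1 ] || { echo "no NIC named '$INTERFACE'; ifconfig -l shows: $nics"; exit 1; }
        # Preferred setup from the first post: the FQDN resolves to the jail on the LAN.
        if command -v getent >/dev/null 2>&1; then
            resolved=$(getent hosts "$HOST_NAME" | awk '{ print $1; exit }')
            [ "$resolved" = "$JAIL_IP" ] || echo "warning: $HOST_NAME resolves to '${resolved:-nothing}' here, not $JAIL_IP; browsing by IP works but gives certificate errors"
        fi
    )
}

# Usage: sh preflight.sh nextcloud-config [--live]
if [ $# -ge 1 ]; then
    preflight "$1" || exit 1
    if [ "${2:-}" = "--live" ]; then live_checks "$1"; fi
fi
```

Run it from the freenas-iocage-nextcloud directory so the DNS_CERT warning can find configs/acme_dns_issue.sh; a non-zero exit means the config would have produced the same "jail not found" loop seen above, not a working jail.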
 