NextCloud Configuration and Implementation

Compiled, organized and written by snow chuai---2020/2/20
Last updated---2020/12/05


1. Install and configure MariaDB
0) Install MariaDB v10.2
[root@netdisk ~]# yum install yum-plugin-priorities centos-release-scl-rh centos-release-scl -y
[root@netdisk ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@netdisk ~]# sed -i -e "s/\]$/\]\npriority=10/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
[root@netdisk ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl.repo
[root@netdisk ~]# sed -i -e "s/enabled=1/enabled=0/g" /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
[root@netdisk ~]# yum --enablerepo=centos-sclo-rh install rh-mariadb102-mariadb-server -y
1) Load the MariaDB v10.2 shell environment
[root@netdisk ~]# scl enable rh-mariadb102 bash
[root@netdisk ~]# mysql -V
mysql  Ver 15.1 Distrib 10.2.22-MariaDB, for Linux (x86_64) using  EditLine wrapper
[root@netdisk ~]# vim /etc/profile.d/mariadb102.sh
source /opt/rh/rh-mariadb102/enable
export X_SCLS="`scl enable rh-mariadb102 'echo $X_SCLS'`"
[root@netdisk ~]# source /etc/profile.d/mariadb102.sh
[root@netdisk ~]# vim /etc/opt/rh/rh-mariadb102/my.cnf.d/mariadb-server.cnf
# append the following line at the very end of the [mysqld] section:
character-set-server=utf8
[root@netdisk ~]# systemctl enable --now rh-mariadb102-mariadb
2) Initialize MariaDB v10.2
[root@netdisk ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):    # press Enter
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y    # set the root password
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y    # remove the anonymous accounts
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y    # disable remote root login
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y    # remove the test database
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y    # reload the privilege tables
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
3) Test the MariaDB connection
[root@netdisk ~]# mysql -u root -p
Enter password:    # enter the root password
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.2.22-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select user,host,password from mysql.user;
+------+-----------+-------------------------------------------+
| user | host      | password                                  |
+------+-----------+-------------------------------------------+
| root | localhost | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| root | 127.0.0.1 | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
| root | ::1       | *6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9 |
+------+-----------+-------------------------------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

MariaDB [(none)]> exit
Bye
[root@netdisk ~]#
4) Set the firewall rules
[root@netdisk ~]# firewall-cmd --add-service=mysql --permanent
success
[root@netdisk ~]# firewall-cmd --reload
success
2. Complete the LAMP stack and install NextCloud
[root@netdisk ~]# yum --enablerepo=centos-sclo-rh install rh-php72 rh-php72-php rh-php72-php-pear \
rh-php72-php-mbstring rh-php72-php-pdo rh-php72-php-intl rh-php72-php-gd rh-php72-php-ldap rh-php72-php-mysqlnd httpd24 -y
[root@netdisk ~]# wget https://download.nextcloud.com/server/releases/nextcloud-20.0.2.zip
[root@netdisk ~]# unzip nextcloud-20.0.2.zip
[root@netdisk ~]# chown -R apache. nextcloud
[root@netdisk ~]# chmod 775 nextcloud
[root@netdisk ~]# mv nextcloud /opt/rh/httpd24/root/var/www/html/
[root@netdisk ~]# systemctl enable --now httpd24-httpd
3. Create the NextCloud database
[root@netdisk ~]# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.2.22-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database nextcloud;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on nextcloud.* to nextcloud@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on nextcloud.* to nextcloud@'%' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
4. SELinux and firewall settings
[root@netdisk ~]# semanage fcontext -a -t httpd_sys_rw_content_t \
/opt/rh/httpd24/root/var/www/html/nextcloud/apps
[root@netdisk ~]# semanage fcontext -a -t httpd_sys_rw_content_t \
/opt/rh/httpd24/root/var/www/html/nextcloud/config
[root@netdisk ~]# restorecon /opt/rh/httpd24/root/var/www/html/nextcloud/apps
[root@netdisk ~]# restorecon /opt/rh/httpd24/root/var/www/html/nextcloud/config
[root@netdisk ~]# firewall-cmd --add-service={http,https} --permanent
success
[root@netdisk ~]# firewall-cmd --reload
success
5. Configure NextCloud
[Browser]==>http://netdisk.1000cc.net/nextcloud





# Download the required client software

6. Integrating NextCloud with IPA Server [ldap and ldaps] and Ceph
1) Deploy Ceph Nautilus, set up the Ceph Object Gateway and verify that it works
2) Deploy IPA Server and create at least one IPA account
3) Create the account that will use the bucket
[root@srv1 ~]# yum install python-boto -y
[root@srv1 ~]# radosgw-admin user create --uid=snow --display-name="snow chuai" --email=admin@srv5.1000y.cloud
{
    "user_id": "snowchuai",
    "display_name": "Snow Chuai",
    "email": "snow@1000y.cloud",
    "suspended": 0,
    "max_buckets": 1000,
    "subusers": [],
    "keys": [
        {
            "user": "snowchuai",
            "access_key": "30HYLAB0X7UCXMAWRRZX",
            "secret_key": "XldbFTsRy2uZkYs5heRIOHDRGZGxtqABX4LrPrkC"
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "default_storage_class": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "check_on_raw": false,
        "max_size": -1,
        "max_size_kb": 0,
        "max_objects": -1
    },
    "temp_url_keys": [],
    "type": "rgw",
    "mfa_ids": []
}
4) Create a bucket
[root@srv1 ~]# vim s3-create-bucket.py
import sys
import boto
import boto.s3.connection

# the access_key and secret_key returned when the user was created above
ACCESS_KEY = '30HYLAB0X7UCXMAWRRZX'
SECRET_KEY = 'XldbFTsRy2uZkYs5heRIOHDRGZGxtqABX4LrPrkC'

# the RGW host and its (plain HTTP) civetweb port
HOST = 'srv5.1000y.cloud'
PORT = 7480

conn = boto.connect_s3(
    aws_access_key_id = ACCESS_KEY,
    aws_secret_access_key = SECRET_KEY,
    port = PORT,
    host = HOST,
    is_secure = False,
    calling_format = boto.s3.connection.OrdinaryCallingFormat(),
)

# create the bucket, then list every bucket this user owns
bucket = conn.create_bucket('snow-new-bucket')

for b in conn.get_all_buckets():
    print "{name}\t{created}".format(
        name = b.name,
        created = b.creation_date,
    )

[root@srv1 ~]# python s3-create-bucket.py
snow-test       2020-12-05T04:14:08.914Z
5) Log in to NextCloud with IPA Server accounts [LDAP protocol: 389/tcp]---[for the LDAPS protocol: 636/tcp see subsection 8]





Confirm the LDAP details and the account information
[root@srv5 ~]# ldapsearch -x -b "dc=1000y,dc=cloud" | grep uid=thomas
dn: uid=thomas,cn=users,cn=compat,dc=1000y,dc=cloud
dn: uid=thomas,cn=users,cn=accounts,dc=1000y,dc=cloud
mepManagedBy: uid=thomas,cn=users,cn=accounts,dc=1000y,dc=cloud










6) Configure NextCloud---set up Ceph as the backend storage
[Browser]==>http://netdisk.1000cc.net/nextcloud










7) Configure NextCloud---confirm that the file upload succeeded
(1) Confirm the current bucket
[root@srv1 ~]# radosgw-admin bucket list
[
    "snow-new-bucket"
]
(2) Confirm that the file upload succeeded
[root@srv1 ~]# radosgw-admin bucket list --bucket=snow-new-bucket | grep test.txt
            "name": "_multipart_test.txt.2~cd5ATUeBAV8-BFtJwgtzv6-V5U8InMR.meta",
            "name": "test.txt",
8) Log in to NextCloud with IPA Server accounts [LDAPS protocol: 636/tcp]---[for the LDAP protocol: 389/tcp see subsection 5]
(1) Configure ldap.conf on the NextCloud server [srv6] so that it accepts the certificate
[root@srv6 ~]# vim /etc/openldap/ldap.conf
# append the following at the very end of the file
......
......
TLS_REQCERT never
[root@srv6 ~]# systemctl restart httpd24-httpd
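TLS_REQCERT never makes libldap (and therefore NextCloud's php-ldap) accept any server certificate, so the LDAPS session is encrypted but the server is not authenticated. The following is an added example, not part of the original page: it parses an ldap.conf, flags that setting, and shows the alternative that pins the IPA CA instead; the /etc/ipa/ca.crt path is an assumption.

```python
# Added example, not part of the original page: audit the OpenLDAP client
# settings that NextCloud's php-ldap inherits from /etc/openldap/ldap.conf.

# Constructed sample: the client config as the page leaves it.
WEAK_LDAP_CONF = """\
# OpenLDAP client defaults
BASE dc=1000y,dc=cloud
URI ldaps://srv5.1000y.cloud
TLS_REQCERT never
"""

# Constructed sample: same client, but it pins the IPA CA and demands a
# valid server certificate. /etc/ipa/ca.crt is the CA file an IPA-enrolled
# client carries; that path is an assumption here.
HARDENED_LDAP_CONF = """\
BASE dc=1000y,dc=cloud
URI ldaps://srv5.1000y.cloud
TLS_CACERT /etc/ipa/ca.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Map each directive (upper-cased, last occurrence wins) to its value,
    skipping blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_tls(text):
    """Return findings that mean the LDAPS server certificate is not
    actually verified; an empty list means the client validates it."""
    s = parse_ldap_conf(text)
    findings = []
    reqcert = s.get("TLS_REQCERT", "demand").lower()  # libldap default is demand
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate is not validated" % reqcert)
    if "TLS_CACERT" not in s and "TLS_CACERTDIR" not in s:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: no trust anchor for the IPA CA")
    return findings


if __name__ == "__main__":
    print("as on the page:", audit_ldap_tls(WEAK_LDAP_CONF))
    print("hardened:", audit_ldap_tls(HARDENED_LDAP_CONF))
```

With the hardened file in place, the same ldapsearch against ldaps://srv5.1000y.cloud:636 only succeeds when the server presents a certificate chaining to the IPA CA.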
(2) Configure NextCloud





Confirm the LDAP details and the account information
[root@srv5 ~]# ldapsearch -x -b "dc=1000y,dc=cloud" | grep uid=thomas
dn: uid=thomas,cn=users,cn=compat,dc=1000y,dc=cloud
dn: uid=thomas,cn=users,cn=accounts,dc=1000y,dc=cloud
mepManagedBy: uid=thomas,cn=users,cn=accounts,dc=1000y,dc=cloud








7. Configure Collabora Online---online Office
1) Install Docker
[root@srv1 ~]# yum install docker -y
2) Configure a registry mirror
[root@srv1 ~]# vim /etc/docker/daemon.json
{
    "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"]
}
3) Start Docker
[root@srv1 ~]# systemctl enable --now docker
4) Pull the Collabora Online image
[root@srv1 ~]# docker pull collabora/code
5) Run the Collabora Online image and specify the authorized hosts
[root@srv1 ~]# docker run -t -d -p 9980:9980 --name oa \
    -e 'domain=192\\.168\\.10\\.11|srv1\\.1000y\\.cloud' \
    -e "username=admin" -e "password=123456" -e "extra_params=--o:ssl.enable=false" \
    --restart always --cap-add MKNOD collabora/code
[root@netdisk ~]# netstat -lantp | grep 9980
tcp6       0      0 :::9980                 :::*                    LISTEN      1865/docker-proxy-c
# Collabora Online takes a long time to start, about 5-6 minutes
6) Access Collabora Online
[Browser]===>http://srv1.1000y.cloud:9980/loleaflet/dist/admin/admin.html



7) Integrate Collabora Online with NextCloud
(1) Install the Collabora Online app in NextCloud


(2) Use the Collabora Online app in NextCloud


8. Quick deployment of NextCloud and Collabora Online
1) Install Docker
[root@srv1 ~]# yum install docker -y
2) Configure a registry mirror
[root@srv1 ~]# vim /etc/docker/daemon.json
{
    "registry-mirrors": ["https://3laho3y3.mirror.aliyuncs.com"]
}
3) Start Docker
[root@srv1 ~]# systemctl enable --now docker
4) Pull the NextCloud and Collabora Online images
[root@srv1 ~]# docker pull nextcloud
[root@srv1 ~]# docker pull collabora/code
5) Run NextCloud
[root@srv1 ~]# docker run -d -p 80:80 nextcloud
6) Complete the NextCloud setup (SQLite is used by default)
7) Run the Collabora Online image and specify the authorized hosts
[root@srv1 ~]# docker run -t -d -p 9980:9980 --name oa \
    -e 'domain=192\\.168\\.10\\.11|srv1\\.1000y\\.cloud' \
    -e "username=admin" -e "password=123456" -e "extra_params=--o:ssl.enable=false" \
    --restart always --cap-add MKNOD collabora/code
[root@netdisk ~]# netstat -lantp | grep 9980
tcp6       0      0 :::9980                 :::*                    LISTEN      1865/docker-proxy-c
# Collabora Online takes a long time to start, about 5-6 minutes
8) Access Collabora Online
[Browser]===>http://srv1.1000y.cloud:9980/loleaflet/dist/admin/admin.html



9) Integrate Collabora Online with NextCloud
(1) Install the Collabora Online app in NextCloud


(2) Use the Collabora Online app in NextCloud


9. NextCloud cluster + MariaDB Galera cluster + Nginx reverse proxy + HAProxy
1) Build a MariaDB Galera cluster, then create the nextcloud database and its authorized account
2) Create an HAProxy load-balancing mechanism for the MariaDB Galera cluster
3) Deploy a reverse-proxy upstream cluster with Nginx; clients connect to the nextcloud cluster group through the reverse proxy's IP or FQDN
4) Create an IPA Server
5) Create shared storage [gfs/ceph/nfs all work] to hold nextcloud's Apps---this example uses GFS as the shared storage
6) Create Ceph and create a bucket for nextcloud to use
7) Create 2 httpd servers and deploy the php72 environment on them
[root@nextcloud1 ~]# yum --enablerepo=centos-sclo-rh install rh-php72 rh-php72-php rh-php72-php-pear \
rh-php72-php-mbstring rh-php72-php-pdo rh-php72-php-intl rh-php72-php-gd rh-php72-php-ldap rh-php72-php-mysqlnd httpd24 -y
[root@nextcloud2 ~]# yum --enablerepo=centos-sclo-rh install rh-php72 rh-php72-php rh-php72-php-pear \
rh-php72-php-mbstring rh-php72-php-pdo rh-php72-php-intl rh-php72-php-gd rh-php72-php-ldap rh-php72-php-mysqlnd httpd24 -y
[root@nextcloud2 ~]# systemctl enable --now httpd24-httpd
8) Mount the gfs shared volume nextcloud_vol at the designated httpd directory
# for a permanent mount, write it into /etc/fstab
[root@nextcloud1 ~]# mount -t glusterfs srv10.1000y.cloud:/nextcloud_vol /opt/rh/httpd24/root/var/www/html/
[root@nextcloud2 ~]# mount -t glusterfs srv10.1000y.cloud:/nextcloud_vol /opt/rh/httpd24/root/var/www/html/
9) Put the nextcloud archive into the designated directory
[root@nextcloud1 ~]# wget https://download.nextcloud.com/server/releases/nextcloud-20.0.2.zip
[root@nextcloud1 ~]# unzip nextcloud-20.0.2.zip
[root@nextcloud1 ~]# chown -R apache. nextcloud
[root@nextcloud1 ~]# chmod 775 nextcloud
[root@nextcloud1 ~]# mv nextcloud /opt/rh/httpd24/root/var/www/html/
[root@nextcloud1 ~]# systemctl enable --now httpd24-httpd
[root@nextcloud2 ~]# systemctl enable --now httpd24-httpd
10) Configure NextCloud
Note: on the nextcloud setup page, set the database address to the HAProxy server's IP address and the designated port number---[see the haproxy configuration for details]
11) After the Nextcloud setup is complete, edit its config.php----set the trusted IP address or FQDN to the reverse proxy server's address or FQDN
[root@nextcloud1 ~]# vim /opt/rh/httpd24/root/var/www/html/nextcloud/config/config.php
......
......
# find the trusted_domains field on line 7 and add the nginx reverse proxy's IP [i.e. which IP or FQDN nextcloud is allowed to serve under]
  'trusted_domains' =>
  array (
    0 => 'nextcloud1.1000y.cloud',
    1 => 'nextcloud2.1000y.cloud',
    2 => 'nginxsrv.1000y.cloud',
  ),
......
......
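Nextcloud only serves a request whose Host header matches an entry in trusted_domains, which is why the nginx proxy's FQDN must be listed next to the two backends. The following is an added example, not the page's or Nextcloud's own code: a simplified Python re-implementation of that check, run over the three entries above. Wildcard and port handling follow Nextcloud's documented behaviour as understood here and are an assumption.

```python
# Added example, not from the page or from Nextcloud's own code: a simplified
# re-implementation of the trusted_domains check, to show which Host headers
# the three entries in config.php admit. Wildcard and port handling follow
# Nextcloud's documented behaviour; treat the details as an assumption.
import re

# The trusted_domains array from the page's config.php, as a Python list.
TRUSTED_DOMAINS = [
    "nextcloud1.1000y.cloud",
    "nextcloud2.1000y.cloud",
    "nginxsrv.1000y.cloud",   # the nginx reverse proxy that clients actually use
]


def strip_port(host):
    """Drop an explicit port: 'a.b:443' -> 'a.b', '[::1]:80' -> '[::1]'."""
    if host.startswith("["):               # bracketed IPv6 literal
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def is_trusted_domain(host_header, trusted=TRUSTED_DOMAINS):
    """True when the request's Host header (port ignored, case-insensitive)
    matches an entry; '*' inside an entry acts as a wildcard."""
    host = strip_port(host_header.strip()).lower()
    for entry in trusted:
        entry = entry.lower()
        if "*" in entry:
            pattern = "^" + ".*".join(re.escape(p) for p in entry.split("*")) + "$"
            if re.match(pattern, host):
                return True
        elif entry == host:
            return True
    return False


if __name__ == "__main__":
    # Requests arriving through the proxy carry its name and are served;
    # a request carrying an unlisted Host gets the "untrusted domain"
    # page instead, so the listed names are the only ones Nextcloud answers as.
    for h in ("nginxsrv.1000y.cloud:443", "evil.example", "nextcloud1.1000y.cloud"):
        print(h, "->", "trusted" if is_trusted_domain(h) else "untrusted")
```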
12) Configure redis or memcached in config.php----[choose one]
(1) redis configuration
# append the following at the end of the file
......
......
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => array(
    'host' => 'redis.1000y.cloud',
    'port' => 6379,
  ),
);
[root@nextcloud1 ~]# systemctl restart httpd24-httpd
(2) memcached configuration---if magent is used, enter magent's IP address and port
# append the following at the end of the file
......
......
  'memcache.locking' => '\OC\Memcache\Memcached',
  'memcached_servers' => [
    [ '192.168.1.11', 11211 ],
  ],
);
[root@nextcloud1 ~]# systemctl restart httpd24-httpd


*********The following builds the nextcloud service without shared storage
1) If there is no shared storage---pack the nextcloud directory of the 1st nextcloud server and send it to the nextcloud2 server
[root@nextcloud1 ~]# cd /opt/rh/httpd24/root/var/www/html/
[root@nextcloud1 html]# tar cfpz nextcloud.tgz nextcloud
[root@nextcloud1 html]# scp nextcloud.tgz nextcloud2:~
2) Install the httpd24 and php72 environment on the 2nd nextcloud server---do not start the httpd service yet
3) On the 2nd nextcloud server, unpack the archive from the 1st nextcloud server
[root@nextcloud2 ~]# tar xvfz nextcloud.tgz -C /opt/rh/httpd24/root/var/www/html
4) On the 2nd nextcloud server, edit nextcloud's config.php
[root@nextcloud2 ~]# vim /opt/rh/httpd24/root/var/www/html/nextcloud/config/config.php
# replace every IP address or FQDN of the nextcloud1 server in this file with the nextcloud2 server's IP address or FQDN
......
......
  'trusted_domains' =>
  array (
    0 => 'nextcloud2.1000y.cloud',
    1 => 'nginxsrv.1000y.cloud',
  ),
......
......
5) Start the httpd service on the nextcloud2 server
[root@nextcloud2 ~]# chown -R apache. /opt/rh/httpd24/root/var/www/html/nextcloud
[root@nextcloud2 ~]# systemctl enable --now httpd24-httpd
*********End of building the nextcloud service without shared storage*********


13) Clients access the nginx reverse proxy service and see the nextcloud login page
[Browser]===>http://nginxsrv.1000y.cloud

 

If this helped you, feel free to leave a tip. ^-^
