In this section of the documentation, it appears that the docker compose plugin and docker-compose executable are being convoluted. Running 'which docker-compose' would provide no output and 'sudo apt-cache policy docker-compose' would indicate it is not installed even when the docker compose plugin is installed on systems such as Debian Bullseye. Further down, it is indicated that the new 2.X (go-based) (which is the docker compose plugin versus the standalone executable) is preferred.

docker-compose:

• invoked with the command 'docker-compose'
• standalone executable
• represented by the 'docker-compose' package in Debian.
• older v1.x python code

docker compose:

• invoked with the command 'docker compose'
• is a sub-command of the docker executable
• represented by the 'docker-compose-plugin' package in Debian
• newer v2.x go code.

Please update the documentation to differentiate between the docker-compose standalone executable and the docker compose plugin. Please update test to use the docker compose plugin syntax if that is the preferred application.

Reference:
https://docs.docker.com/compose/compose-v2/#differences-between-compose-v1-and-compose-v2

• search can not be started multiple times (and there is no plugin replacement), so use in HA / scaled installations is limited.

• idm cannot be started multiple times. Should not be used in HA / scaled installations, but instead replaced by an LDAP server that supports HA / scaling. Even if no HA / scaling is needed, the IDM is only supported up to ~200 (??) users.

• idp cannot be started multiple times. Should not be used in HA / scaled installations, but instead replaced by an OIDC provider server that supports HA / scaling. It has a bare minimum feature set (eg. you cannot easily revoke single sessions)

• store cannot be started multiple times. We are still looking into removing or making the store scale, see owncloud/ocis#3913

• nats cannot be started multiple times. Should not be used in HA / scaled installations, but instead replaced by an NATS installation that is HA / scaled.

see also owncloud/ocis-charts#77 (comment)

References: owncloud/ocis#5846

References: owncloud/ocis#4254 (Allow providing list of services not to start)

Until now if one wanted to use a custom version of a service, one needed to provide OCIS_RUN_SERVICES which is a list of all services to start.

Now one can provide OCIS_EXCLUDE_RUN_SERVICES which is a list of only services not to start

Expects a comma separated list of service names.
Will start all services except of the ones listed. Has no effect when OCIS_RUN_SERVICES is set.

@kobergj fyi

Where

https://doc.owncloud.com/ocis/next/prerequisites/prerequisites.html

What

• Supported versions of iOS
• Supported versions of Android
• Supported versions of Desktop

TBD

References:

• owncloud/ocis#5762
• owncloud/ocis#5737
• #413

To be added (at least): https://doc.owncloud.com/ocis/next/prerequisites/prerequisites.html

List of ocis PR's
owncloud/ocis#4867
owncloud/ocis#4798

Maybe more to reference

@micbar fyi

https://doc.owncloud.com/ocis/next/architecture/architecture.html#spaces

Quota,
Workflow,
Policies,
Ownership - dsgvo --> audit
Images and descriptions,
...

We introduced educational related envvars like:

LDAP_SCHOOL_SCHEMA_SCHOOL_NAME ; GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE
--> LDAP Attribute to use for the name of a school.

We should start documenting the purpose and how it differs from non educational scenarious.

@tbsbdr @micbar @butonic fyi

We should implement a Knowledge Base / FAQ / Q&A

The name to be decided (my favourite is knowledge base as it is open)

This document should only contain a:

• Table of contents (TOC)
• Introduction
• A section for each topic and a very brief description what is covered here
• A link in each section to read the details. The details are opened on an own page

Only the knowledge base document is referenced in the navigation.
The sub pages not, they are only accessible via the knowledge base (or the link if known). This keeps the main navigation compact.

Benefits:

• The topics to be described can have a big range and it is open for future stuff
• Topics can be resorted or subsectioned without changing the access link
• Each topic is maintained on its own page keeping the main page compact
• Topics are general available and not bound to a particular existing page
• We can link to and from these documents (small scale deployment could link to failtoban without blowing up the document)
  • We can also link to external pages by referencing to guides created by someone else

Example image: (based on a short hack but gives an impressen on how it can look like)

Note that I have intentionally added a new top/sub section so we can add more sub sections on demand.

References: #421

@dragotin fyi

References: owncloud/ocis#4256 (Add a cli for listing and cleaning up expired uploads)

@aduffeck can you pls add some comments regarding

• arguments/options*
• output etc
• when this command is used
• what triggers an admin to run it

References: owncloud/ocis#5700 (Invitations service)

Hello 👋 ,

After landing on https://github.com/owncloud/ocis, I followed the link to https://doc.owncloud.com/ocis/next, and checked the quick start guide: https://doc.owncloud.com/ocis/next/quickguide/quickguide.html

Some admin credentials are printed, but I saw there were other demo users ("Einstein" etc), which I wanted to try, but I didn't find info about their credentials.

Searching for info about the demo users, I found that the bad discoverability has been filed as issue in the past: owncloud/ocis#1782

But its fix only adds documentation about demo users on https://owncloud.dev/ocis/getting-started/demo-users/, which is not linked or otherwise available on https://doc.owncloud.com/ocis/next not easily to find.

I would propose to add a link to the demo user doc page at the bottom of the quickguide page.

Description

The infinite Scale single binary includes a "ready-to-use" search service. This indexes the all files metadata in ocis (file names. folder names, tags)

The search service can also index file content when admins add a third party dependency for the content parsig.

Scope

Deployment example: ocis wopi

Relevant Lines

• https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_wopi/docker-compose.yml#L218-L222

• https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_wopi/docker-compose.yml#L76-L77

• Document what the default features of the search service are (metadata indexing)

• Document what needs to be done do add content indexing

  • Add Apache tika as a extra container (https://tika.apache.org/)
  • Explain how to configure the ocis search service to use tika
  • Short notice about how this increases the index size
  • Explain how and when to use the re-index command
  • Impacts and handling of a growing index size

Missing artifacts

• Needs Readme.md for the search service

@butonic fyi

Hello 👋 ,

In the Spaces section of the architecture docs page: https://doc.owncloud.com/ocis/next/architecture/architecture.html#spaces

There's a link to https://owncloud.dev/extensions/storage/spaces/.

That page leads to a 404 Not Found error though.

I assume this one is the correct one? https://owncloud.dev/ocis/storage/spaces/

Is your feature request related to a problem? Please describe.

As an admin I want to have a documentation and well understood and safe mechanism to backup and restore supported storage

Describe the solution you'd like

How can I backup the storage (eg. rsync, rclone, snapshots)
Do I need to verify something (eg. extended attributes are not lost)
What order and which steps need to be performed (eg. take oCIS offline, snapshot disk, snapshot S3 bucket, take oCIS online)

Describe alternatives you've considered

No backup is no option.

Additional context

Highly dependent on storage backend

References: owncloud/ocis#5858 (Add command for inspecting and manipulating node metadata)

Needs to be added here: maintenance/commands

@aduffeck @butonic fyi

References: owncloud/ocis#5652

To be added at: https://doc.owncloud.com/ocis/next/maintenance/commands/commands.html

JWT (Java Web Tokens) need more descriptions when it comes to OIDC. This is because managing the optional KID header can return an error like failed to verify access token: the JWT has an invalid kid: could not find kid in JWT header. In such a case you need to set PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none.

See the original issue where this came up:
ownCloud: Enable OpenID Connect Authentication and
What's the meaning of the "kid" claim in a JWT token

There are for sure more JWT examples or things that need documentation to guide customers into the right direction when setting up ocis.

• We need infos from development to see where this goes as docs does not have the experience on this topic

@dragotin as discussed
@micbar fyi

Preparation

Create volumes and network:

• Config Volume podman volume create ocis-config
• Data Volume podman volume create ocis-data
• WOPI Volume podman volume create wopi-recovery
• OCIS Network podman network create ocis_net
  Note: I use a cloudflare Tunnel (it's free) to access my homelab but any reverse proxy would work to.
• cloudflare Network podman network create cloudflare_net

Create necessary Files

OCIS "app-registry.yaml"

app_registry:
  mimetypes:
  - mime_type: application/pdf
    extension: pdf
    name: PDF
    description: PDF document
    icon: ''
    default_app: ''
    allow_creation: false
  - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    extension: docx
    name: Microsoft Word
    description: Microsoft Word document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
    extension: xlsx
    name: Microsoft Excel
    description: Microsoft Excel document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation
    extension: pptx
    name: Microsoft PowerPoint
    description: Microsoft PowerPoint document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.jupyter
    extension: ipynb
    name: Jupyter Notebook
    description: Jupyter Notebook
    icon: ''
    default_app: ''
    allow_creation: true

OCIS app-provider-onlyoffice "entrypoint-override.sh"

#!/bin/sh
set -e

apk add curl

#TODO: app driver itself should try again until OnlyOffice is up...

retries=10
while [[ $retries -gt 0 ]]; do
    if curl --silent --show-error --fail http://onlyoffice/hosting/discovery > /dev/null; then
        ocis app-provider server
    else
        echo "OnlyOffice is not yet available, trying again in 10 seconds"
        sleep 10
        retries=$((retries - 1))
    fi
done
echo 'OnlyOffice was not available after 100 seconds'
exit 1

WOPI "entrypoint-override.sh"

#!/bin/sh
set -e

echo "${WOPISECRET}" > /etc/wopi/wopisecret

cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf
sed -i 's/wopi.domain.com/'${WOPISERVER_DOMAIN}'/g' /etc/wopi/wopiserver.conf

if [ "$WOPISERVER_INSECURE" == "true" ]; then
    sed -i 's/sslverify\s=\sTrue/sslverify = False/g' /etc/wopi/wopiserver.conf
fi

/app/wopiserver.py

WOPI "wopiserver.conf.dist"

#!/bin/sh
set -e

echo "${WOPISECRET}" > /etc/wopi/wopisecret

cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf
sed -i 's/wopi.domain.com/'${WOPISERVER_DOMAIN}'/g' /etc/wopi/wopiserver.conf

if [ "$WOPISERVER_INSECURE" == "true" ]; then
    sed -i 's/sslverify\s=\sTrue/sslverify = False/g' /etc/wopi/wopiserver.conf
fi

/app/wopiserver.py
[user@SRV01 ~]$ cat /home/user/ocis/wopi/wopiserver.conf.dist
#
# This config is based on https://github.com/cs3org/wopiserver/blob/master/wopiserver.conf
#
# wopiserver.conf
#
# Default configuration file for the WOPI server for oCIS
#
##############################################################

[general]
# Storage access layer to be loaded in order to operate this WOPI server
# only "cs3" is supported with oCIS
storagetype = cs3

# Port where to listen for WOPI requests
port = 8880

# Logging level. Debug enables the Flask debug mode as well.
# Valid values are: Debug, Info, Warning, Error.
loglevel = Error
loghandler = stream
logdest = stdout

# URL of your WOPI server or your HA proxy in front of it
wopiurl = https://wopi.domain.com

# URL for direct download of files. The complete URL that is sent
# to clients will include the access_token argument
downloadurl = https://wopi.domain.com/wopi/cbox/download

# The internal server engine to use (defaults to flask).
# Set to waitress for production installations.
internalserver = waitress

# List of file extensions deemed incompatible with LibreOffice:
# interoperable locking will be disabled for such files
nonofficetypes = .md .zmd .txt .epd

# List of file extensions to be supported by Collabora (deprecated)
codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key

# WOPI access token expiration time [seconds]
tokenvalidity = 86400

# WOPI lock expiration time [seconds]
wopilockexpiration = 3600

# WOPI lock strict check: if True, WOPI locks will be compared according to specs,
# that is their representation must match. False (default) allows for a more relaxed
# comparison, which compensates incorrect lock requests from Microsoft Office Online
# on-premise setups.
wopilockstrictcheck = False

# Enable support of rename operations from WOPI apps. This is currently
# disabled by default as it has been observed that both MS Office and Collabora
# Online do not play well with this feature.
# Not supported with oCIS, must always be set to "False"
enablerename = False

# Detection of external Microsoft Office or LibreOffice locks. By default, lock files
# compatible with Office for Desktop applications are detected, assuming that the
# underlying storage can be mounted as a remote filesystem: in this case, WOPI GetLock
# and SetLock operations return such locks and prevent online apps from entering edit mode.
# This feature can be disabled in order to operate a pure WOPI server for online apps.
# Not supported with oCIS, must always be set to "False"
detectexternallocks = False

# Location of the webconflict files. By default, such files are stored in the same path
# as the original file. If that fails (e.g. because of missing permissions),
# an attempt is made to store such files in this path if specified, otherwise
# the system falls back to the recovery space (cf. io|recoverypath).
# The keywords <user_initial> and <username> are replaced with the actual username's
# initial letter and the actual username, respectively, so you can use e.g.
# /your_storage/home/user_initial/username
#conflictpath = /

# ownCloud's WOPI proxy configuration. Disabled by default.
#wopiproxy = https://external-wopi-proxy.com
#wopiproxysecretfile = /path/to/your/shared-key-file
#proxiedappname = Name of your proxied app

[security]
# Location of the secret files. Requires a restart of the
# WOPI server when either the files or their content change.
wopisecretfile = /etc/wopi/wopisecret
# iop secret is not used for cs3 storage type
#iopsecretfile = /etc/wopi/iopsecret

# Use https as opposed to http (requires certificate)
usehttps = no

# Certificate and key for https. Requires a restart
# to apply a change.
wopicert = /etc/grid-security/host.crt
wopikey = /etc/grid-security/host.key

[bridge]
# SSL certificate check for the connected apps
sslverify = True

# Minimal time interval between two consecutive save operations [seconds]
#saveinterval = 200

# Minimal time interval before a closed file is WOPI-unlocked [seconds]
#unlockinterval = 90

# CodiMD: disable creating zipped bundles when files contain pictures
#disablezip = False

[io]
# Size used for buffered reads [bytes]
chunksize = 4194304

# Path to a recovery space in case of I/O errors when reaching to the remote storage.
# This is expected to be a local path, and it is provided in order to ease user support.
# Defaults to the indicated spool folder.
recoverypath = /var/spool/wopirecovery

[cs3]
# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint
revagateway = ocis:9142

# Reva/gRPC authentication token expiration time [seconds]
# The default value matches Reva's default
authtokenvalidity = 3600

# SSL certificate check for Reva
sslverify = True

Note: don't forget to make the "entrypoint-override.sh" files executable with chmod +x entrypoint-override.sh.

Run Containers

Cloudflare Tunnel Container

podman run -d \
--name cloudflare \
--label "io.containers.autoupdate=image" \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
--restart unless-stopped \
--network cloudflare_net \
docker.io/cloudflare/cloudflared:latest \
tunnel --no-autoupdate run \
--token $your_secret_token

ownCloud Infinite Scale

initialize OCIS

Infinite Scale needs a first time initialization to set up the environment.

podman run --rm -it \
--name ocis \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-v ocis-config:/etc/ocis \
-v ocis-data:/var/lib/ocis \
-e IDM_ADMIN_PASSWORD="$yourSecretAdminPasswort" \
--network cloudflare_net \
--network ocis_net \
docker.io/owncloud/ocis init

Run OCIS

podman run -d \
--name ocis \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e OCIS_URL=https://ocis.domain.com \
-e OCIS_LOG_LEVEL=info \
-e OCIS_LOG_COLOR=false \
-e PROXY_TLS=false \
-e GATEWAY_GRPC_ADDR=0.0.0.0:9142 \
-e OCIS_INSECURE=false \
-e PROXY_ENABLE_BASIC_AUTH=false \
-e IDM_ADMIN_PASSWORD="$yourSecretAdminPasswort" \
-e IDM_CREATE_DEMO_USERS=false \
-v /lokal/path/to/app-registry.yaml:/etc/ocis/app-registry.yaml:Z \
-v ocis-config:/etc/ocis \
-v ocis-data:/var/lib/ocis \
--network ocis_net \
--network cloudflare_net \
docker.io/owncloud/ocis

WOPI Container

podman run -d \
--name wopi \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
--entrypoint /entrypoint-override.sh \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e WOPISERVER_INSECURE=false \
-e WOPISECRET=KorenIpsum494 \
-e WOPISERVER_DOMAIN=wopi.domain.com \
-v /lokal/path/to/wopi/entrypoint-override.sh:/entrypoint-override.sh:Z \
-v /lokal/path/to/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist:Z \
-v wopi-recovery:/var/spool/wopirecovery \
--network ocis_net \
--network cloudflare_net \
docker.io/cs3org/wopiserver:latest

OnlyOffice

podman run -d \
--name OnlyOffice \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e WOPI_ENABLED=true \
-e USE_UNAUTHORIZED_STORAGE=false \
--network ocis_net \
--network cloudflare_net \
docker.io/onlyoffice/documentserver:latest

OCIS app-provider-onlyoffice

podman run -d \
--name ocis-app-office \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
--user "0" \
--entrypoint /entrypoint-override.sh \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e REVA_GATEWAY=ocis:9142 \
-e APP_PROVIDER_GRPC_ADDR=0.0.0.0:9164 \
-e APP_PROVIDER_EXTERNAL_ADDR=ocis-app-office:9164 \
-e APP_PROVIDER_DRIVER=wopi \
-e APP_PROVIDER_WOPI_APP_NAME=OnlyOffice \
-e APP_PROVIDER_WOPI_APP_ICON_URI=https://onlyoffice.domain.com/web-apps/apps/documenteditor/main/resources/img/favicon.ico \
-e APP_PROVIDER_WOPI_APP_URL=https://onlyoffice.domain.com \
-e APP_PROVIDER_WOPI_INSECURE=false \
-e APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL=https://wopi.domain.com \
-e APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL=https://ocis.domain.com \
-v /lokal/path/to/ocis/entrypoint-override.sh:/entrypoint-override.sh:Z \
-v ocis-config:/etc/ocis \
--network ocis_net \
--network cloudflare_net \
docker.io/owncloud/ocis

Now you should be able to access your ocis.domain.com!

root@owncloud:~# OCIS_INSECURE=true IDM_CREATE_DEMO_USERS=true PROXY_HTTP_ADDR=0.0.0.0:9200 OCIS_URL=https://localhost:9200 ocis server
{"level":"error","service":"graph","error":"LDAP Result Code 200 "Network Error": dial tcp [::1]:9235: connect: connection refused","time":"2022-06-16T08:27:39Z","message":"could not get ldap Connection"}
{"level":"error","service":"graph","error":"LDAP Result Code 200 "Network Error": dial tcp [::1]:9235: connect: connection refused","time":"2022-06-16T08:27:39Z","message":"autoconnect could not get ldap Connection"}

References: owncloud/ocis#5500 (Space Trash-bin expiration cli)

The changelog contains a good description that can be reused.

https://doc.owncloud.com/ocis/next/deployment/general/general-info.html#initialize-infinite-scale says:

The command line option --force-overwrite is only intended for developer usage. If you set this option, your config will be overwritten, your data, if any is present, will persist, but it will not be accessible anymore. This is, among other things, because the issuer (short iss part of openID Connect) will be overwritten.

A few comments on this:

• The config file created by ocis init does not include any issuer information. Changing the IDP URL (external or internal one) yields the effect you describe, but not when running ocis init.
• force-overwrite could also be used to rotate secrets. But the admin password will not be changed, even if it is changed in the config file (it's only the initial admin password).
• a force-overwrite is only recommended if one didn't modify the autogenerated file, because otherwise you might loose manually added configuration (therefore we backup the file)

As a conclusion:

• running ocis init --force-overwrite should not cause any loss of access on data
• running ocis init shouldn't be a regular thing for production instances

Where

• Overview as a basic framework https://doc.owncloud.com/ocis/next/architecture/architecture.html
• Admin Guide https://doc.owncloud.com/ocis/next/configuration

What

Basic idea / framework

• Enable a differentiation between users based on roles
  a) Segregation of duties in administration
  b) Different types of users (guest, project manager, regular employee, etc.)
• Roles are a composition of different permissions in the system
• The system enables an organization to define their own user roles just as desired

Example

Admin doc

• Which default roles are available?
• How are the default roles composed? Which permissions do they carry?
• Which permissions are available in the system?
• How can I change role composition?
• How can I assign roles to users?
• How does the system work with external LDAP/IdP?
• tbd

@C0rby as you have written a security doc paper, I will take that as template and add it as a own page here is the docs.

As suggested and discussed with @butonic, we are going to use the C4Model to describe the architecture of oCIS in the documentation. The image currently used does not meet the requirements. The C4Model is based on a description file that can be downloaded from the documentation which we will use to generate the necessary svg images. A process is briefly described as comment on top of the file. Because we cant do the work defining the content of that file to describe the architecure, we provided a raw starting point and a first image rendered from that one so you can see where we are. Here is the link to the documentation on staging: https://doc.staging.owncloud.com/ocis/next/architecture/

Our request is, that the oCIS development team refines this file with the details necessary, create a PR in this repo with the update and we will do the imaging on the changes made. Note that you can do this in iterations, but we need to have that ready in only view weeks - means no time to waste...

Info: A C4Model has usually various layers starting from a birds eye view and zooming in. You can use the same file to describe these layers. When you use the linked free website Structurizr DSL to render the file, you can select which layer you want to display and you can see instantly the result from the changes made. Feel free to add additional source files if needed.

You can find the link to the model file we use at:
https://github.com/owncloud/docs-ocis/blob/master/modules/ROOT/attachments/architecture/ocis-c4-model.dsl

@EParzefall fyi

When the data folder is on he same partition than the OS/ocis, it could happen that when a ocis users filles up the space on teh filesystem, the complete system becomes unresponsible as no free space for the OS and its aplications is available.

In a similar way this is true for logs too, but needs checking.

Therefore we need to highlight and advise the admin to consider the impact of the data folder location.

@micbar fyi

In the helm chart we document the S3 bucket policy needed for the S3ng storage driver. We could explain a little bit more how this is done (but not dive too deep into a certain S3 implementation).

This documentation / policy is also relevant when not using Kubernetes, therefore a more general topic.

Came up in owncloud/ocis-charts#98

Document in the "Configuration" section how to connect Infinite Scale to Collabora Online, ONLYOFFICE, MS Office Online via the wopiserver.

@mmattel

There are basic but working Kubernetes Helm Charts available.

The old page is completely outdated.

We need to implement the new HC and add the note that this is a TECH PREVIEW only.

https://github.com/owncloud/ocis-charts
https://github.com/owncloud/ocis-charts/tree/master/charts/ocis (readme)

The documentation points to frontend-config-example.yaml which would be interpreted as frontend-config.yaml, but it actually has to be frontend.yaml. Not sure where this is generated, otherwise i would have made a pullrequest.

Hey!

I am currently trying to install ocis via helm but I can't find the generic-config.yaml. The file is mentioned here:
https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#define-generic-configs
Is the link broken?

As discussed with @butonic, we need to document capabilities to process/deal with metrics

See: owncloud/ocis#4571 ([owncloud/ocis] enable request tracking prometheus middleware in reva)

https://github.com/owncloud-devops/monitoring-tracing-client/blob/master/config/telegraf_specific_config/ocis_single_container.conf

https://github.com/owncloud-devops/monitoring-tracing-client/blob/b58dd872c1bf73d5285f777534cec7bffd7d5180/docker-compose.yml#L37

@wkloucek fyi

owncloud/ocis#4823 (Further distinguish single host deployments from docker compose deployments)

To keep track on code changes that have doc impact

in section https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#docker-compose we have nonexistent link ocis individual services

cc @mmattel

A fail2ban setup was discussed on central.o.o: https://central.owncloud.org/t/brute-force-protection-for-user-logins/41568

It would be nice to have that mentioned as extra hardening for example as addition to the "Small-Scale Deployment with systemd".

needed after owncloud/ocis-charts#92 is merged

Please note somewhere, that ocis does not support ARM 32 bit platforms.
Implications / example: If someone uses a raspberry pi, she / he must install Raspberry OS 64bit in order to run ocis. Raspberry Pi OS 32 Bit won't work with ocis.
this is also the reason, why we dont provide arm32 binaries for download at https://download.owncloud.com/ocis/ocis/daily/

source: owncloud/ocis#4604 (comment)
cc @dragotin

• In General Info
• In Quick Guide
• In Binary Setup
• Local Host is all ok with port 9200
  Setup can be reused but only with reverse proxy when wanting to have something other than https://localhost:9200

we should add to the docs that:

• OnlyOffice has not enabled WOPI by default. You need to enable it, eg: https://github.com/owncloud/ocis/blob/742229472e777b974962f4f05ad2e754405278ca/deployments/examples/ocis_wopi/docker-compose.yml#L189
• Minimum version for OnlyOffice to support WOPI is 6.4 (https://api.onlyoffice.com/editors/wopi/). Don't know if this is still relevant since we're at 7.2 right now and we should not reference to legacy versions (but I didn't find any information if it's already EOL)

Technically a personal space is a space as others are but it does not have the ability for multiple managers. Only the logged in user can be manager of the space with restrictions like not being able to set quotas.

Need to take a look if this belongs to docs-ocis or docs-webui or both.

The OCIS docs mention that I can use an external OpenID Connect provider like Keycloak, and some of the settings for that are in the Helm section, in the example values.yml.

One question the docs don't answer, however, is where do I put my OIDC client credentials? There's no reference to any Kubernetes secret to contain the client ID/secret, nor any environment variables to set or config files to populate. Without those credentials, requests from OCIS will be rejected by my IdP.

References:
owncloud/ocis#4799 (refactor templating, add subject templating)
owncloud/ocis#6038 (Make Emails translatable via transifex)
owncloud/ocis#6098 ([docs-only] Note that we only support language but not language_territory (web frontend))

Referencing: owncloud/ocis#5730 ([tests-only] remove arm from docker releases)

Removing docker arm (32 bit)

Hey!
Thanks for fixing the documentation for the config map example but it is incorrect:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: storage-users
type: Opaque
data:
  # how to generate: create a UUIDv4
  # example generation command: `cat /proc/sys/kernel/random/uuid`
  # Only set to "1284d238-aa92-42ce-bdc4-0b0000009157" if you
  # migrate an existing oCIS installation from 2.0.0-rc.1 and earlier.
  storage-uuid: XXXXXXXXXXXXX

There"s no type for ConfigMaps, Secrets have types. It must be:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: storage-users
data:
  # how to generate: create a UUIDv4
  # example generation command: `cat /proc/sys/kernel/random/uuid`
  # Only set to "1284d238-aa92-42ce-bdc4-0b0000009157" if you
  # migrate an existing oCIS installation from 2.0.0-rc.1 and earlier.
  storage-uuid: XXXXXXXXXXXXX

BR
panda

See: https://central.owncloud.org/t/ocis-could-not-initialize-oidcauth-provider/39585

Description

owncloud/ocis#4815 (comment)

Logging Documentation

In ocis, we have the following log levels

FATAL

FATAL means that the application is about to stop a serious problem or corruption from happening. This level of logging shows that the application’s situation is catastrophic, such that an important function is not working. For example the application is unable to connect to the data store due to config errors or not able to parse the config

ERROR (default setting, OCIS_LOG_LEVEL=error)

This is the default log level, all errors on this level are important for admins because they need to fix them. This log level is used when a severe issue is stopping functions within the application from operating correctly. Ocis logs all kind of inter service communication errors on this level because these needs to be addressed.

WARN

The WARN log level is used when ocis detects an unexpected failure during an operation. It is also used if some operations might be incomplete. It does not mean that the application has been harmed, the code should continue to work as usual. Admins should eventually check these warnings just in case the problem reoccurs.

INFO

Messages on this level are documenting the normal behavior of applications. They state what happened. These entries are purely informative to confirm that the application is working as desired. The info log level also enables the ocis Proxy to write a full access log.

DEBUG

This log level provides diagnostic information in a detailed manner. It is verbose and has more information than you would need when using the application. This log level is used to understand problems in the application and during reproduction of problems. This log level could put a very high load on the output device and is not recommended in production environments. You should consider enabling this level only on a single service or very few services to pinpoint issues or bugs.

X-Request-ID

It is a best practise for clients to send an X-Request-ID header with every request. This id should be used when possible in the backend and should be added to the logging metadata.

https://doc.owncloud.com/ocis/next/deployment/binary/binary-setup.html#stopping-infinite-scale references ocis kill, which was removed before 2.0.0-beta1

The web service env's have configurations for owncloud web.
owncloud web uses environment variables from the web service and/or config.json and themes.json where the envs overwrite any *.json value set if applicable. This needs documentation in the web service documentation

Referencing:
owncloud/docs-webui#48 (Make "Configuring ownCloud Web" a partial)
owncloud/docs-webui#49 (Document theming for ownCloud Web)
(more to come)

@kulmann fyi