Preparation
Create volumes and network:
- Config Volume
podman volume create ocis-config
- Data Volume
podman volume create ocis-data
- WOPI Volume
podman volume create wopi-recovery
- OCIS Network
podman network create ocis_net
Note: I use a Cloudflare Tunnel (it's free) to access my homelab, but any reverse proxy would work too.
- cloudflare Network
podman network create cloudflare_net
Create necessary Files
OCIS "app-registry.yaml"
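# oCIS app registry: maps each MIME type to the app that opens it.
# The nesting below is significant; the listing is not valid YAML without it.
# default_app uses the same name as APP_PROVIDER_WOPI_APP_NAME (OnlyOffice)
# set on the app-provider container.
app_registry:
  mimetypes:
  - mime_type: application/pdf
    extension: pdf
    name: PDF
    description: PDF document
    icon: ''
    default_app: ''
    allow_creation: false
  - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
    extension: docx
    name: Microsoft Word
    description: Microsoft Word document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
    extension: xlsx
    name: Microsoft Excel
    description: Microsoft Excel document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation
    extension: pptx
    name: Microsoft PowerPoint
    description: Microsoft PowerPoint document
    icon: ''
    default_app: OnlyOffice
    allow_creation: true
  - mime_type: application/vnd.jupyter
    extension: ipynb
    name: Jupyter Notebook
    description: Jupyter Notebook
    icon: ''
    default_app: ''
    allow_creation: true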
OCIS app-provider-onlyoffice "entrypoint-override.sh"
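#!/bin/sh
# Entrypoint override for the oCIS app-provider container: waits until the
# OnlyOffice WOPI discovery endpoint answers, then starts the app provider.
set -e

# curl is installed at every container start. That requires root inside the
# container and network access to the package mirror; --no-cache keeps the
# package index out of the container filesystem.
apk add --no-cache curl

#TODO: app driver itself should try again until OnlyOffice is up...
retries=10
# POSIX test instead of [[ ]], which /bin/sh is not guaranteed to provide.
while [ "$retries" -gt 0 ]; do
  if curl --silent --show-error --fail http://onlyoffice/hosting/discovery > /dev/null; then
    # exec replaces this shell with the server, so stop signals reach the
    # server directly and the script cannot loop again after the server exits.
    exec ocis app-provider server
  else
    echo "OnlyOffice is not yet available, trying again in 10 seconds"
    sleep 10
    retries=$((retries - 1))
  fi
done

# 10 attempts x 10 seconds of sleep.
echo 'OnlyOffice was not available after 100 seconds'
exit 1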
WOPI "entrypoint-override.sh"
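#!/bin/sh
# Entrypoint override for the WOPI server container: writes the WOPI secret,
# renders wopiserver.conf from the mounted template, then starts the server.
set -e

# Fail early instead of writing an empty secret or an empty host name.
: "${WOPISECRET:?WOPISECRET must be set}"
: "${WOPISERVER_DOMAIN:?WOPISERVER_DOMAIN must be set}"

# Write the secret with owner-only permissions. The subshell keeps the
# restrictive umask from leaking into the server process started below.
(
  umask 077
  printf '%s\n' "${WOPISECRET}" > /etc/wopi/wopisecret
)

cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf

# Escape the characters that are special in a sed replacement (\, / and &),
# so the value of WOPISERVER_DOMAIN cannot alter the sed expression.
domain_escaped=$(printf '%s' "${WOPISERVER_DOMAIN}" | sed 's|[\\/&]|\\&|g')
# Dots are escaped in the pattern so only the literal placeholder matches.
sed -i "s/wopi\.domain\.com/${domain_escaped}/g" /etc/wopi/wopiserver.conf

# "=" is the POSIX string comparison; "==" is not accepted by every /bin/sh.
if [ "$WOPISERVER_INSECURE" = "true" ]; then
  # Disables TLS certificate verification on every "sslverify = True" line of
  # the template, i.e. in both the [bridge] and the [cs3] section.
  sed -i 's/sslverify\s=\sTrue/sslverify = False/g' /etc/wopi/wopiserver.conf
fi

# exec makes the server the container's main process so it receives stop
# signals directly.
exec /app/wopiserver.py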
WOPI "wopiserver.conf.dist"
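#!/bin/sh
# NOTE(review): this listing repeats the WOPI "entrypoint-override.sh" script;
# the actual wopiserver.conf.dist content is the `cat` output printed after it.
#
# Writes the WOPI secret, renders wopiserver.conf from the mounted template,
# then starts the server.
set -e

# Fail early instead of writing an empty secret or an empty host name.
: "${WOPISECRET:?WOPISECRET must be set}"
: "${WOPISERVER_DOMAIN:?WOPISERVER_DOMAIN must be set}"

# Write the secret with owner-only permissions. The subshell keeps the
# restrictive umask from leaking into the server process started below.
(
  umask 077
  printf '%s\n' "${WOPISECRET}" > /etc/wopi/wopisecret
)

cp /etc/wopi/wopiserver.conf.dist /etc/wopi/wopiserver.conf

# Escape the characters that are special in a sed replacement (\, / and &),
# so the value of WOPISERVER_DOMAIN cannot alter the sed expression.
domain_escaped=$(printf '%s' "${WOPISERVER_DOMAIN}" | sed 's|[\\/&]|\\&|g')
# Dots are escaped in the pattern so only the literal placeholder matches.
sed -i "s/wopi\.domain\.com/${domain_escaped}/g" /etc/wopi/wopiserver.conf

# "=" is the POSIX string comparison; "==" is not accepted by every /bin/sh.
if [ "$WOPISERVER_INSECURE" = "true" ]; then
  # Disables TLS certificate verification on every "sslverify = True" line of
  # the template, i.e. in both the [bridge] and the [cs3] section.
  sed -i 's/sslverify\s=\sTrue/sslverify = False/g' /etc/wopi/wopiserver.conf
fi

# exec makes the server the container's main process so it receives stop
# signals directly.
exec /app/wopiserver.py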
[user@SRV01 ~]$ cat /home/user/ocis/wopi/wopiserver.conf.dist
#
# This config is based on https://github.com/cs3org/wopiserver/blob/master/wopiserver.conf
#
# wopiserver.conf
#
# Default configuration file for the WOPI server for oCIS
#
##############################################################
[general]
# Storage access layer to be loaded in order to operate this WOPI server
# only "cs3" is supported with oCIS
storagetype = cs3
# Port where to listen for WOPI requests
port = 8880
# Logging level. Debug enables the Flask debug mode as well.
# Valid values are: Debug, Info, Warning, Error.
# NOTE(review): since Debug also switches on Flask debug mode, keep a
# reachable instance on one of the other levels.
loglevel = Error
loghandler = stream
logdest = stdout
# URL of your WOPI server or your HA proxy in front of it
# wopi.domain.com is the placeholder that entrypoint-override.sh replaces
# with the value of WOPISERVER_DOMAIN.
wopiurl = https://wopi.domain.com
# URL for direct download of files. The complete URL that is sent
# to clients will include the access_token argument
# NOTE(review): because the token travels in the URL, reverse-proxy or tunnel
# access logs may record it; treat those logs as sensitive - confirm what
# your proxy logs.
downloadurl = https://wopi.domain.com/wopi/cbox/download
# The internal server engine to use (defaults to flask).
# Set to waitress for production installations.
internalserver = waitress
# List of file extensions deemed incompatible with LibreOffice:
# interoperable locking will be disabled for such files
nonofficetypes = .md .zmd .txt .epd
# List of file extensions to be supported by Collabora (deprecated)
codeofficetypes = .odt .ott .ods .ots .odp .otp .odg .otg .doc .dot .xls .xlt .xlm .ppt .pot .pps .vsd .dxf .wmf .cdr .pages .number .key
# WOPI access token expiration time [seconds]
# 86400 s = 24 h: an access token that leaks stays valid for up to that long.
tokenvalidity = 86400
# WOPI lock expiration time [seconds]
wopilockexpiration = 3600
# WOPI lock strict check: if True, WOPI locks will be compared according to specs,
# that is their representation must match. False (default) allows for a more relaxed
# comparison, which compensates incorrect lock requests from Microsoft Office Online
# on-premise setups.
wopilockstrictcheck = False
# Enable support of rename operations from WOPI apps. This is currently
# disabled by default as it has been observed that both MS Office and Collabora
# Online do not play well with this feature.
# Not supported with oCIS, must always be set to "False"
enablerename = False
# Detection of external Microsoft Office or LibreOffice locks. By default, lock files
# compatible with Office for Desktop applications are detected, assuming that the
# underlying storage can be mounted as a remote filesystem: in this case, WOPI GetLock
# and SetLock operations return such locks and prevent online apps from entering edit mode.
# This feature can be disabled in order to operate a pure WOPI server for online apps.
# Not supported with oCIS, must always be set to "False"
detectexternallocks = False
# Location of the webconflict files. By default, such files are stored in the same path
# as the original file. If that fails (e.g. because of missing permissions),
# an attempt is made to store such files in this path if specified, otherwise
# the system falls back to the recovery space (cf. io|recoverypath).
# The keywords <user_initial> and <username> are replaced with the actual username's
# initial letter and the actual username, respectively, so you can use e.g.
# /your_storage/home/user_initial/username
#conflictpath = /
# ownCloud's WOPI proxy configuration. Disabled by default.
#wopiproxy = https://external-wopi-proxy.com
#wopiproxysecretfile = /path/to/your/shared-key-file
#proxiedappname = Name of your proxied app
[security]
# Location of the secret files. Requires a restart of the
# WOPI server when either the files or their content change.
# This file is written at container start by entrypoint-override.sh from the
# WOPISECRET environment variable.
wopisecretfile = /etc/wopi/wopisecret
# iop secret is not used for cs3 storage type
#iopsecretfile = /etc/wopi/iopsecret
# Use https as opposed to http (requires certificate)
# With "no" the server speaks plain HTTP on its listening port; TLS for the
# public https://wopi.domain.com URL is then expected to terminate at the
# reverse proxy / tunnel in front of it.
# NOTE(review): confirm the hop from the proxy to this container stays on a
# private container network.
usehttps = no
# Certificate and key for https. Requires a restart
# to apply a change.
# NOTE(review): presumably unused while usehttps = no - confirm.
wopicert = /etc/grid-security/host.crt
wopikey = /etc/grid-security/host.key
[bridge]
# SSL certificate check for the connected apps
# entrypoint-override.sh rewrites this line to "sslverify = False" when
# WOPISERVER_INSECURE=true; the same sed expression also matches the
# sslverify line in [cs3], so both checks are switched off together.
sslverify = True
# Minimal time interval between two consecutive save operations [seconds]
#saveinterval = 200
# Minimal time interval before a closed file is WOPI-unlocked [seconds]
#unlockinterval = 90
# CodiMD: disable creating zipped bundles when files contain pictures
#disablezip = False
[io]
# Size used for buffered reads [bytes]
chunksize = 4194304
# Path to a recovery space in case of I/O errors when reaching to the remote storage.
# This is expected to be a local path, and it is provided in order to ease user support.
# Defaults to the indicated spool folder.
# In this setup the path is backed by the wopi-recovery volume
# (-v wopi-recovery:/var/spool/wopirecovery on the WOPI container).
# NOTE(review): presumably holds document content that could not be written
# back to storage - restrict access to the volume accordingly; confirm.
recoverypath = /var/spool/wopirecovery
[cs3]
# Host and port of the Reva(-like) CS3-compliant GRPC gateway endpoint
# "ocis" is the name of the oCIS container; 9142 is the port it is given via
# GATEWAY_GRPC_ADDR=0.0.0.0:9142.
revagateway = ocis:9142
# Reva/gRPC authentication token expiration time [seconds]
# The default value matches Reva's default
authtokenvalidity = 3600
# SSL certificate check for Reva
# entrypoint-override.sh rewrites this line to "sslverify = False" when
# WOPISERVER_INSECURE=true (the same sed expression also matches [bridge]).
sslverify = True
Note: don't forget to make the "entrypoint-override.sh" files executable with chmod +x entrypoint-override.sh.
Run Containers
Cloudflare Tunnel Container
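# Store the tunnel token as a podman secret so it is not part of the
# container's command line, where it would show up in process listings and
# in the container's stored command.
printf '%s' "$your_secret_token" | podman secret create cloudflare_tunnel_token -

# cloudflared reads the token from the TUNNEL_TOKEN environment variable,
# which the --secret option below fills in from the podman secret.
# NOTE(review): the :latest tag combined with the autoupdate label means
# podman auto-update pulls whatever is published under that tag; pin a
# version or digest if updates should be reviewed first.
podman run -d \
--name cloudflare \
--label "io.containers.autoupdate=image" \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
--restart unless-stopped \
--network cloudflare_net \
--secret cloudflare_tunnel_token,type=env,target=TUNNEL_TOKEN \
docker.io/cloudflare/cloudflared:latest \
tunnel --no-autoupdate run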
ownCloud Infinite Scale
initialize OCIS
Infinite Scale needs a first time initialization to set up the environment.
# One-off initialization run: --rm removes the container when it exits, while
# the ocis-config and ocis-data volumes are kept.
# IDM_ADMIN_PASSWORD is expanded by the calling shell from
# $yourSecretAdminPasswort; set that variable beforehand (for example with
# `read -rs`) rather than typing the password into the command line, so it
# does not end up in the shell history.
podman run --rm -it \
--name ocis \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-v ocis-config:/etc/ocis \
-v ocis-data:/var/lib/ocis \
-e IDM_ADMIN_PASSWORD="$yourSecretAdminPasswort" \
--network cloudflare_net \
--network ocis_net \
docker.io/owncloud/ocis init
Run OCIS
# No -p/--publish option is used: the container is reachable only over the
# two container networks, and the Cloudflare tunnel is the way in.
# PROXY_TLS=false: TLS for https://ocis.domain.com is expected to terminate
# at the tunnel / reverse proxy, not in this container.
# GATEWAY_GRPC_ADDR=0.0.0.0:9142 binds the gateway on all container
# interfaces, i.e. on cloudflare_net as well as ocis_net.
# NOTE(review): only peers on ocis_net (WOPI server, app provider) appear to
# need that port - confirm before exposing it on the tunnel network.
# IDM_ADMIN_PASSWORD stays in the container's environment, so anyone who can
# run `podman inspect` on this host can read it.
# The image has no tag, so :latest is pulled; with the autoupdate label,
# podman auto-update follows whatever is published under that tag.
podman run -d \
--name ocis \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e OCIS_URL=https://ocis.domain.com \
-e OCIS_LOG_LEVEL=info \
-e OCIS_LOG_COLOR=false \
-e PROXY_TLS=false \
-e GATEWAY_GRPC_ADDR=0.0.0.0:9142 \
-e OCIS_INSECURE=false \
-e PROXY_ENABLE_BASIC_AUTH=false \
-e IDM_ADMIN_PASSWORD="$yourSecretAdminPasswort" \
-e IDM_CREATE_DEMO_USERS=false \
-v /lokal/path/to/app-registry.yaml:/etc/ocis/app-registry.yaml:Z \
-v ocis-config:/etc/ocis \
-v ocis-data:/var/lib/ocis \
--network ocis_net \
--network cloudflare_net \
docker.io/owncloud/ocis
WOPI Container
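# WOPISECRET is the value the entrypoint writes to /etc/wopi/wopisecret.
# Use a long random value of your own instead of a sample string copied from
# a guide; generate it once and keep it, for example:
#   yourWopiSecret=$(openssl rand -hex 32)
# Values passed with -e are readable through `podman inspect` on this host.
# WOPISERVER_INSECURE=false leaves TLS certificate verification switched on
# in the rendered wopiserver.conf.
podman run -d \
--name wopi \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
--entrypoint /entrypoint-override.sh \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e WOPISERVER_INSECURE=false \
-e WOPISECRET="$yourWopiSecret" \
-e WOPISERVER_DOMAIN=wopi.domain.com \
-v /lokal/path/to/wopi/entrypoint-override.sh:/entrypoint-override.sh:Z \
-v /lokal/path/to/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist:Z \
-v wopi-recovery:/var/spool/wopirecovery \
--network ocis_net \
--network cloudflare_net \
docker.io/cs3org/wopiserver:latest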
OnlyOffice
# NOTE(review): the :latest tag combined with io.containers.autoupdate=image
# means podman auto-update pulls whatever is published under that tag; pin a
# version or digest if updates should be reviewed first.
# NOTE(review): the app-provider entrypoint polls
# http://onlyoffice/hosting/discovery, while this container is named
# "OnlyOffice" - confirm the lower-case name resolves on ocis_net.
podman run -d \
--name OnlyOffice \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e WOPI_ENABLED=true \
-e USE_UNAUTHORIZED_STORAGE=false \
--network ocis_net \
--network cloudflare_net \
docker.io/onlyoffice/documentserver:latest
OCIS app-provider-onlyoffice
# --user "0" runs this container as root; the entrypoint override relies on
# that to install curl with apk at every start.
# NOTE(review): a readiness check that needs no package install would let the
# container run without root - confirm what the image already ships.
# APP_PROVIDER_WOPI_INSECURE=false keeps certificate verification on for the
# https:// URLs configured below.
# NOTE(review): this container is also attached to cloudflare_net, although
# APP_PROVIDER_EXTERNAL_ADDR points at the internal name ocis-app-office:9164;
# confirm whether the tunnel network is needed here at all.
podman run -d \
--name ocis-app-office \
--restart unless-stopped \
--label "io.containers.autoupdate=image" \
--user "0" \
--entrypoint /entrypoint-override.sh \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/Rome \
-e REVA_GATEWAY=ocis:9142 \
-e APP_PROVIDER_GRPC_ADDR=0.0.0.0:9164 \
-e APP_PROVIDER_EXTERNAL_ADDR=ocis-app-office:9164 \
-e APP_PROVIDER_DRIVER=wopi \
-e APP_PROVIDER_WOPI_APP_NAME=OnlyOffice \
-e APP_PROVIDER_WOPI_APP_ICON_URI=https://onlyoffice.domain.com/web-apps/apps/documenteditor/main/resources/img/favicon.ico \
-e APP_PROVIDER_WOPI_APP_URL=https://onlyoffice.domain.com \
-e APP_PROVIDER_WOPI_INSECURE=false \
-e APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL=https://wopi.domain.com \
-e APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL=https://ocis.domain.com \
-v /lokal/path/to/ocis/entrypoint-override.sh:/entrypoint-override.sh:Z \
-v ocis-config:/etc/ocis \
--network ocis_net \
--network cloudflare_net \
docker.io/owncloud/ocis
Now you should be able to access your ocis.domain.com!