diff --git a/modules/admin_manual/images/apps/impersonate/impersonate_enable.png b/modules/admin_manual/images/apps/impersonate/impersonate_enable.png deleted file mode 100644 index bb44ddeda..000000000 Binary files a/modules/admin_manual/images/apps/impersonate/impersonate_enable.png and /dev/null differ diff --git a/modules/admin_manual/images/apps/impersonate/impersonate_group_admins_only.png b/modules/admin_manual/images/apps/impersonate/impersonate_group_admins_only.png deleted file mode 100644 index 7475eb6c7..000000000 Binary files a/modules/admin_manual/images/apps/impersonate/impersonate_group_admins_only.png and /dev/null differ diff --git a/modules/admin_manual/images/apps/impersonate/impersonate_groups_only.png b/modules/admin_manual/images/apps/impersonate/impersonate_groups_only.png deleted file mode 100644 index e14f6cb13..000000000 Binary files a/modules/admin_manual/images/apps/impersonate/impersonate_groups_only.png and /dev/null differ diff --git a/modules/admin_manual/images/apps/impersonate/impersonate_oc_admins_only.png b/modules/admin_manual/images/apps/impersonate/impersonate_oc_admins_only.png deleted file mode 100644 index f9a42fb67..000000000 Binary files a/modules/admin_manual/images/apps/impersonate/impersonate_oc_admins_only.png and /dev/null differ diff --git a/modules/admin_manual/images/apps/impersonate/impersonating-a-user.png b/modules/admin_manual/images/apps/impersonate/impersonating-a-user.png deleted file mode 100644 index ef9ca9a3a..000000000 Binary files a/modules/admin_manual/images/apps/impersonate/impersonating-a-user.png and /dev/null differ diff --git a/modules/admin_manual/images/apps/impersonate/picking-a-user-to-impersonate.png b/modules/admin_manual/images/apps/impersonate/picking-a-user-to-impersonate.png deleted file mode 100644 index 156f0618c..000000000 Binary files a/modules/admin_manual/images/apps/impersonate/picking-a-user-to-impersonate.png and /dev/null differ diff --git a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-1.png b/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-1.png deleted file mode 100644 index 9a67f7879..000000000 Binary files a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-1.png and /dev/null differ diff --git a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-2.png b/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-2.png deleted file mode 100644 index 7cbd5aa1f..000000000 Binary files a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-2.png and /dev/null differ diff --git a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-3.png b/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-3.png deleted file mode 100644 index dbfaac8e0..000000000 Binary files a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-3.png and /dev/null differ diff --git a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-4.png b/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-4.png deleted file mode 100644 index 9e9455dec..000000000 Binary files a/modules/admin_manual/images/enterprise/external_storage/sharepoint/sharepoint-4.png and /dev/null differ diff --git a/modules/admin_manual/images/enterprise/logging/admin_auditing.png b/modules/admin_manual/images/enterprise/logging/admin_auditing.png index 9cb9a4e4c..eadd2c3de 100644 Binary files a/modules/admin_manual/images/enterprise/logging/admin_auditing.png and b/modules/admin_manual/images/enterprise/logging/admin_auditing.png differ diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc new file mode 100644 index 000000000..8deac7c9a --- /dev/null +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -0,0 +1,513 @@ += Environment Variables +:toc: right +:description: This page provides a list of available environment variables. + +{description} + +- `OWNCLOUD_ACCESSLOG_LOCATION=/dev/stdout` + + Location of the access log. +- `OWNCLOUD_ACCOUNTS_ENABLE_MEDIAL_SEARCH=` + + Allow medial search on user account properties (see xref:configuration/server/config_sample_php_parameters.adoc#allow-medial-search-on-user-account-properties[documentation]). +- `OWNCLOUD_ACTIVITY_EXPIRE_DAYS=` + + Activity expiration in days (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-activity[documentation]). +- `OWNCLOUD_ADMIN_AUDIT_GROUPS=` + + Restrict audit logging to specific groups. Comma-separated list of group names (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-admin-audit[documentation]). +- `OWNCLOUD_ANTIVIRUS_AV_CMD_OPTIONS=` + + Command line options for the clamscan antivirus scanner (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-files-antivirus[documentation]). +- `OWNCLOUD_ANTIVIRUS_AV_PATH=` + + Path to the clamscan binary in the container (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-files-antivirus[documentation]). +- `OWNCLOUD_ADMIN_PASSWORD=admin` + + ownCloud admin password. +- `OWNCLOUD_ADMIN_USERNAME=admin` + + ownCloud admin username. +- `OWNCLOUD_ALLOW_SUBADMINS=` + + Enable or disable the subadmin (group admin) feature. Set to `true` to enable; unset leaves it disabled (ownCloud core default) (see xref:configuration/server/config_sample_php_parameters.adoc#allow-or-disallow-the-group-administrator-subadmin-feature[documentation]). +- `OWNCLOUD_ALLOW_USER_TO_CHANGE_DISPLAY_NAME=` + + Allow or disallow users to change their display names (see xref:configuration/server/config_sample_php_parameters.adoc#allow-or-disallow-users-to-change-their-display-names[documentation]). +- `OWNCLOUD_ALLOW_USER_TO_CHANGE_MAIL_ADDRESS=` + + Allow or disallow users to change their email addresses (see xref:configuration/server/config_sample_php_parameters.adoc#allow-or-disallow-users-to-change-their-email-addresses[documentation]). +- `OWNCLOUD_APPS_DEPRECATED=` + + List of deprecated apps that must be removed (automatically) before performing an ownCloud upgrade to avoid upgrade issues. +- `OWNCLOUD_APPS_DISABLE=` + + List of apps to disable on container startup. +- `OWNCLOUD_APPS_ENABLE=$\{OWNCLOUD_APPS_INSTALL}` + + List of apps to enable on container startup. +- `OWNCLOUD_APPS_INSTALL=` + + List of apps to install on container startup. +- `OWNCLOUD_APPS_INSTALL_MAJOR=false` + + By default ownCloud will not install a new major version of an already installed app. To enforce major updates for apps this option need to be set to `true`. +- `OWNCLOUD_APPS_UNINSTALL=` + + List of apps to remove on container startup. +- `OWNCLOUD_BACKGROUND_MODE=cron` + + Service to execute ownCloud backgrouns jobs. It is recommended to keep the default (see xref:configuration/server/background_jobs_configuration.adoc[documentation]). +- `OWNCLOUD_BLACKLISTED_FILES=` + + Define blacklisted files (see xref:configuration/server/config_sample_php_parameters.adoc#define-blacklisted-files[documentation]). +- `OWNCLOUD_BLACKLISTED_FILES_REGEX=` + + Define blacklisted files using regular expressions. Comma-separated list of regex patterns (see xref:configuration/server/config_sample_php_parameters.adoc#define-blacklisted-files[documentation]). +- `OWNCLOUD_CACHE_CHUNK_GC_TTL=` + + Define the TTL for garbage collection (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-ttl-for-garbage-collection[documentation]). +- `OWNCLOUD_CACHE_PATH=` + + Define the location of the cache folder (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-location-of-the-cache-folder[documentation]). +- `OWNCLOUD_CHECK_FOR_WORKING_WELLKNOWN_SETUP=` + + Check for a .well-known setup (see xref:configuration/server/config_sample_php_parameters.adoc#check-for-a-well-known-setup[documentation]). +- `OWNCLOUD_CIPHER=` + + Define the default cipher for encrypting files (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-cipher-for-encrypting-files[documentation]). +- `OWNCLOUD_COLLABORA_GROUP=` + + Restrict access to Collabora/Richdocuments to a specific group. Only one group can be defined. Default is empty (no restriction) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-richdocuments[documentation]). +- `OWNCLOUD_COMMENTS_MANAGER_FACTORY=` + + Define an alternative Comments Manager (see xref:configuration/server/config_sample_php_parameters.adoc#define-an-alternative-comments-manager[documentation]). +- `OWNCLOUD_CORS_ALLOWED_DOMAINS=` + + Define global list of CORS domains (see xref:configuration/server/config_sample_php_parameters.adoc#define-global-list-of-cors-domains[documentation]). +- `OWNCLOUD_CROND_ENABLED=true` + + Enable or disable the system cron service. Required for `OWNCLOUD_BACKGROUND_MODE=cron`. +- `OWNCLOUD_CROND_SCHEDULE="*/1 * * * *"` + + Cron schedule to run ownCloud background jobs. +- `OWNCLOUD_CRON_LOG=` + + Define logging if cron ran successfully (see xref:configuration/server/config_sample_php_parameters.adoc#define-logging-if-cron-ran-successfully[documentation]). +- `OWNCLOUD_CSRF_DISABLED=` + + Enable or disable ownCloud’s built-in CSRF protection mechanism (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-ownclouds-built-in-csrf-protection-mechanism[documentation]). +- `OWNCLOUD_CUSTOMCLIENT_ANDROID=` + + Override the Android client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]). +- `OWNCLOUD_CUSTOMCLIENT_DESKTOP=` + + Override the desktop client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]). +- `OWNCLOUD_CUSTOMCLIENT_IOS=` + + Override the iOS client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]). +- `OWNCLOUD_DAV_CHUNK_BASE_DIR=` + + Define the DAV chunk base directory (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-dav-chunk-base-directory[documentation]). +- `OWNCLOUD_DAV_ENABLE_ASYNC=` + + Enable or disable async DAV extensions (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-async-dav-extensions[documentation]). +- `OWNCLOUD_DAV_PROPFIND_DEPTH_INFINITY=` + + Allow Depth: infinity PROPFIND requests (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-async-dav-extensions[documentation]). +- `OWNCLOUD_DB_FAIL=true` + + Exit container if the database can't reached during the startup. +- `OWNCLOUD_DB_HOST=` + + Define the database server host name (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-database-server-host-name[documentation]). +- `OWNCLOUD_DB_NAME=owncloud` + + Define the ownCloud database name (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-owncloud-database-name[documentation]). +- `OWNCLOUD_DB_PASSWORD=` + + Define the password for the database user (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-password-for-the-database-user[documentation]). +- `OWNCLOUD_DB_PREFIX=oc_` + + Define the prefix for the ownCloud tables in the database (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-prefix-for-the-owncloud-tables-in-the-database[documentation]). +- `OWNCLOUD_DB_TIMEOUT=180` + + Time to wait for a successful connection to the database on container startup. +- `OWNCLOUD_DB_PLATFORM=` + + Force a specific Doctrine DBAL platform class, e.g. for MariaDB compatibility (see xref:configuration/server/config_sample_php_parameters.adoc#identify-the-database-used-with-this-installation[documentation]). +- `OWNCLOUD_DB_TYPE=sqlite` + + Identify the database used with this installation (see xref:configuration/server/config_sample_php_parameters.adoc#identify-the-database-used-with-this-installation[documentation]). +- `OWNCLOUD_DB_USERNAME=` + + Define the ownCloud database user (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-owncloud-database-user[documentation]). +- `OWNCLOUD_DEBUG=` + + Place this ownCloud instance into debugging mode (see xref:configuration/server/config_sample_php_parameters.adoc#place-this-owncloud-instance-into-debugging-mode[documentation]). +- `OWNCLOUD_DEFAULT_APP=` + + Define the default app to open on user login (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-app-to-open-on-user-login[documentation]). +- `OWNCLOUD_DEFAULT_LANGUAGE=en` + + Define the default language of your ownCloud instance (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-language-of-your-owncloud-instance[documentation]). +- `OWNCLOUD_DOMAIN=localhost` + + Base domain used in `OWNCLOUD_OVERWRITE_CLI_URL` by default. +- `OWNCLOUD_TRUSTED_DOMAINS=$\{OWNCLOUD_DOMAIN}` + + List of trusted domains to prevent host header poisoning (see xref:configuration/server/config_sample_php_parameters.adoc#define-list-of-trusted-domains-that-users-can-log-into[documentation]). Multiple domains need to be comma-separated. +- `OWNCLOUD_ENABLED_PREVIEW_PROVIDERS=` + + Define preview providers (see xref:configuration/server/config_sample_php_parameters.adoc#define-preview-providers[documentation]). +- `OWNCLOUD_ENABLE_AVATARS=` + + Enable or disable avatars or user profile photos (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-avatars-or-user-profile-photos[documentation]). +- `OWNCLOUD_ENABLE_CERTIFICATE_MANAGEMENT=` + + Allow the configuration of system-wide trusted certificates (see xref:configuration/server/config_sample_php_parameters.adoc#allow-the-configuration-of-system-wide-trusted-certificates[documentation]). +- `OWNCLOUD_ENABLE_PREVIEWS=` + + Enable preview generation (see xref:configuration/server/config_sample_php_parameters.adoc#enable-preview-generation[documentation]). +- `OWNCLOUD_ENABLE_OIDC_REWRITE_URL=false` + + Rewrites OpenID Connect wellknown URL `.well-known/openid-configuration` to the ownCloud OIDC configuration endpoint (see xref:configuration/user/oidc/oidc.adoc#set-up-service-discovery[documentation]). +- `OWNCLOUD_ENTRYPOINT_INITIALIZED=true` + + Enable or disable loading of files from `/etc/entrypoint.d`. It is recommended to keep the default. +- `OWNCLOUD_ERRORLOG_LOCATION=/dev/stderr` + + Output location for the Apache error log. +- `OWNCLOUD_EXCLUDED_DIRECTORIES=` + + Define excluded directories (see xref:configuration/server/config_sample_php_parameters.adoc#define-excluded-directories[documentation]). +- `OWNCLOUD_EXCLUDED_DIRECTORIES_REGEX=` + + Define excluded directories using regular expressions. Comma-separated list of regex patterns (see xref:configuration/server/config_sample_php_parameters.adoc#define-excluded-directories[documentation]). +- `OWNCLOUD_FILELOCKING_ENABLED=${OWNCLOUD_LOCKING_ENABLED:-true}` + + Enable transactional file locking (see xref:configuration/server/config_sample_php_parameters.adoc#enable-transactional-file-locking[documentation]). +- `OWNCLOUD_FILELOCKING_TTL=` + + Define the TTL for file locking (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-ttl-for-file-locking[documentation]). +- `OWNCLOUD_FILESYSTEM_CACHE_READONLY=` + + Prevent cache changes due to changes in the filesystem (see xref:configuration/server/config_sample_php_parameters.adoc#prevent-cache-changes-due-to-changes-in-the-filesystem[documentation]). +- `OWNCLOUD_FILESYSTEM_CHECK_CHANGES=` + + Define how often filesystem changes are detected (see xref:configuration/server/config_sample_php_parameters.adoc#define-how-often-filesystem-changes-are-detected[documentation]). +- `OWNCLOUD_FILESYSTEM_MAX_MOUNTPOINT_MOVE_ATTEMPTS=` + + Maximum number of failed mountpoint rename attempts before giving up (see xref:configuration/server/config_sample_php_parameters.adoc#define-how-often-filesystem-changes-are-detected[documentation]). +- `OWNCLOUD_FILES_EXTERNAL_ALLOW_NEW_LOCAL=$\{OWNCLOUD_ALLOW_EXTERNAL_LOCAL_STORAGE}` + + Enable or disable the files_external local mount option (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-the-files_external-local-mount-option[documentation]). +- `OWNCLOUD_GRACE_PERIOD_DEMO_KEY_LINK=` + + Override the link shown in the grace period popup (see xref:installation/installing_with_docker.adoc#enterprise-license-keys[documentation]). +- `OWNCLOUD_GRACE_PERIOD_DEMO_KEY_SHOW_POPUP=` + + Show or hide the grace period demo key popup (see xref:installation/installing_with_docker.adoc#enterprise-license-keys[documentation]). +- `OWNCLOUD_FORWARDED_FOR_HEADERS=` + + Define forwarded_for_headers (see xref:configuration/server/config_sample_php_parameters.adoc#define-forwarded_for_headers[documentation]). +- `OWNCLOUD_GROUPS_ENABLE_MEDIAL_SEARCH=` + + Allow medial search on group IDs (see xref:configuration/server/config_sample_php_parameters.adoc#allow-medial-search-on-user-account-properties[documentation]). +- `OWNCLOUD_HASHING_COST=` + + Define the hashing cost (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-hashing-cost[documentation]). +- `OWNCLOUD_HAS_INTERNET_CONNECTION=` + + Check for an internet connection (see xref:configuration/server/config_sample_php_parameters.adoc#check-for-an-internet-connection[documentation]). +- `OWNCLOUD_INTERNET_CONNECTIVITY_DETECT_URL=` + + URL used to detect internet connectivity (see xref:configuration/server/config_sample_php_parameters.adoc#check-for-an-internet-connection[documentation]). +- `OWNCLOUD_HTACCESS_REWRITE_BASE=$\{OWNCLOUD_SUB_URL}` + + Define clean URLs without /index.php (see xref:configuration/server/config_sample_php_parameters.adoc#define-clean-urls-without-index-php[documentation]). +- `OWNCLOUD_HTTP_COOKIE_SAMESITE=` + + Define how to relax same site cookie settings (see xref:configuration/server/config_sample_php_parameters.adoc#define-how-to-relax-same-site-cookie-settings[documentation]). +- `OWNCLOUD_INTEGRITY_EXCLUDED_FILES=` + + Define files that are excluded from integrity checking (see xref:configuration/server/config_sample_php_parameters.adoc#define-files-that-are-excluded-from-integrity-checking[documentation]). +- `OWNCLOUD_INTEGRITY_IGNORE_MISSING_APP_SIGNATURE=` + + Define apps or themes that are excluded from integrity checking (see xref:configuration/server/config_sample_php_parameters.adoc#define-apps-or-themes-that-are-excluded-from-integrity-checking[documentation]). +- `OWNCLOUD_KNOWLEDGEBASE_ENABLED=` +- `OWNCLOUD_APPSTORE_ENABLED=` +- `OWNCLOUD_LDAP_IGNORE_NAMING_RULES=` + + Ignore LDAP naming rules (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-ldap[documentation]). +- `OWNCLOUD_LICENSE_KEY=` + + ownCloud Enterprise License Key (see xref:installation/installing_with_docker.adoc#enterprise-license-keys[documentation]). +- `OWNCLOUD_LICENSE_CLASS=` +- `OWNCLOUD_LOGIN_ALTERNATIVES=` + + Define additional login buttons on the logon screen (see xref:configuration/server/config_sample_php_parameters.adoc#define-additional-login-buttons-on-the-logon-screen[documentation]). +- `OWNCLOUD_LOGIN_POLICY_ORDER=` + + Ordered list of login policy class names. Comma-separated (see xref:configuration/server/config_sample_php_parameters.adoc#define-additional-login-buttons-on-the-logon-screen[documentation]). +- `OWNCLOUD_LOG_CONDITIONS=` + + Define conditional logging rules as a JSON-encoded array of condition objects, e.g. `[{"apps":["files_external"],"loglevel":0}]` (see xref:configuration/server/config_sample_php_parameters.adoc#define-log-conditions[documentation]). +- `OWNCLOUD_LOG_DATE_FORMAT=` + + Define the log date format (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-log-date-format[documentation]). +- `OWNCLOUD_LOG_FILE=$\{OWNCLOUD_VOLUME_FILES}/owncloud.log` + + Define the log path (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-log-path[documentation]). +- `OWNCLOUD_LOG_LEVEL=` + + Define the log level (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-log-level[documentation]). +- `OWNCLOUD_LOG_ROTATE_SIZE=$\{OWNCLOUD_LOGSIZE}` + + Define the maximum log rotation file size (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-log-rotation-file-size[documentation]). +- `OWNCLOUD_LOG_TIMEZONE=` + + Define the log timezone (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-log-timezone[documentation]). +- `OWNCLOUD_LOST_PASSWORD_LINK=` + + Define a custom link to reset passwords (see xref:configuration/server/config_sample_php_parameters.adoc#define-a-custom-link-to-reset-passwords[documentation]). +- `OWNCLOUD_MAIL_DOMAIN=` + + Define the email RETURN address (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-email-return-address[documentation]). +- `OWNCLOUD_MAIL_FROM_ADDRESS=` + + Define the email FROM address (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-email-from-address[documentation]). +- `OWNCLOUD_MAIL_REMOVE_SENDER_DISPLAY_NAME=` + + Strip the display name from the From header in sharing notification emails (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-email-from-address[documentation]). +- `OWNCLOUD_MAIL_SMTP_AUTH=` + + Define the SMTP authentication (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-smtp-authentication[documentation]). +- `OWNCLOUD_MAIL_SMTP_AUTH_TYPE=` + + Define the SMTP authentication type (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-smtp-authentication-type[documentation]). +- `OWNCLOUD_MAIL_SMTP_DEBUG=` + + Enable or disable SMTP class debugging (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-smtp-class-debugging[documentation]). +- `OWNCLOUD_MAIL_SMTP_HOST=` + + Define the IP address of your mail server host (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-ip-address-of-your-mail-server-host[documentation]). +- `OWNCLOUD_MAIL_SMTP_MODE=` + + Define the mode for sending an email (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-mode-for-sending-an-email[documentation]). +- `OWNCLOUD_MAIL_SMTP_NAME=` + + Define the SMTP authentication username (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-smtp-authentication-username[documentation]). +- `OWNCLOUD_MAIL_SMTP_PASSWORD=` + + Define the SMTP authentication password (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-smtp-authentication-password[documentation]). +- `OWNCLOUD_MAIL_SMTP_PORT=` + + Define the port for sending an email (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-port-for-sending-an-email[documentation]). +- `OWNCLOUD_MAIL_SMTP_SECURE=` + + Define the SMTP security style (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-smtp-security-style[documentation]). +- `OWNCLOUD_MAIL_SMTP_TIMEOUT=` + + Define the SMTP server timeout (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-smtp-server-timeout[documentation]). +- `OWNCLOUD_MAINTENANCE=$\{OWNCLOUD_MAINTENANCE_MODE}` + + Enable maintenance mode to disable ownCloud (see xref:configuration/server/config_sample_php_parameters.adoc#enable-maintenance-mode-to-disable-owncloud[documentation]). +- `OWNCLOUD_MARKETPLACE_CA=` + + Developer option to connect to Marketplace testing instances. +- `OWNCLOUD_MARKETPLACE_KEY=$\{OWNCLOUD_MARKETPLACE_APIKEY}` + + Developer option to get access to unreleased Apps in your Marketplace account. +- `OWNCLOUD_MEMCACHED_ENABLED=false` + + Enabled memory caching via memcached (see xref:configuration/server/config_sample_php_parameters.adoc#memory-caching-backend-for-distributed-data[documentation]). +- `OWNCLOUD_MEMCACHED_HOST=memcached` + + Defines the hosts for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-server-details-for-memcached-servers-to-use-for-memory-caching[documentation]). +- `OWNCLOUD_MEMCACHED_OPTIONS=` + + Define connection options for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-connection-options-for-memcached[documentation]). +- `OWNCLOUD_MEMCACHED_PORT=11211` + + Defines the ports for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-server-details-for-memcached-servers-to-use-for-memory-caching[documentation]). +- `OWNCLOUD_MEMCACHED_STARTUP_TIMEOUT=180` + + Time to wait for a successful connection to the memcached service on container startup. +- `OWNCLOUD_MEMCACHE_LOCAL=${OWNCLOUD_CACHING_CLASS:-\\OC\\Memcache\\APCu}` + + Memory caching backend for locally stored data (see xref:configuration/server/config_sample_php_parameters.adoc#memory-caching-backend-for-locally-stored-data[documentation]). +- `OWNCLOUD_MEMCACHE_LOCKING=` + + Define the memory caching backend for file locking (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-memory-caching-backend-for-file-locking[documentation]). +- `OWNCLOUD_METRICS_SHARED_SECRET=` + + Secret required to access the Metrics dashboard (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-metrics[documentation]). +- `OWNCLOUD_MAX_EXECUTION_TIME=3600` + + Sets PHP option `max_execution_time`. It is recommended to keep the default (see xref:configuration/files/big_file_upload_configuration.adoc#configuring-via-php-global-settings[documentation]). +- `OWNCLOUD_MAX_FILESIZE_ANIMATED_GIFS_PUBLIC_SHARING=` + + Define the maximum filesize for animated GIF´s (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-filesize-for-animated-gifs[documentation]). +- `OWNCLOUD_MAX_INPUT_TIME=3600` + + Sets PHP option `max_input_time`. It is recommended to keep the default (see xref:configuration/files/big_file_upload_configuration.adoc#configuring-via-php-global-settings[documentation]). +- `OWNCLOUD_MAX_UPLOAD=20G` + + Sets PHP option `upload_max_filesize` and `post_max_size`. It is recommended to keep the default (see xref:configuration/files/big_file_upload_configuration.adoc#configuring-via-php-global-settings[documentation]). +- `OWNCLOUD_MEMORY_LIMIT=512M` + + Sets PHP option `memory_limit`. It is recommended to keep the default (see xref:configuration/files/big_file_upload_configuration.adoc#configuring-via-php-global-settings[documentation]). +- `OWNCLOUD_MINIMUM_SUPPORTED_DESKTOP_VERSION=` + + Define the minimum supported ownCloud desktop client version (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-minimum-supported-owncloud-desktop-client-version[documentation]). +- `OWNCLOUD_MOUNT_FILE=` +- `OWNCLOUD_MYSQL_UTF8MB4=$\{owncloud_utf8mb4_enabled}` + + Define MySQL 3/4 byte character handling (see xref:configuration/server/config_sample_php_parameters.adoc#define-mysql-34-byte-character-handling[documentation]). +- `OWNCLOUD_OBJECTSTORE_BUCKET=owncloud` + + Bucket name to store data. +- `OWNCLOUD_OBJECTSTORE_CLASS=OCA\Files_Primary_S3\S3Storage` + + Class to use for the objectstore. It is recommended to keep the default (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_ENABLED=false` + + Enabled or disables the objectstore configuration. +- `OWNCLOUD_OBJECTSTORE_ENDPOINT=https://s3.$\{OWNCLOUD_OBJECTSTORE_REGION}.amazonaws.com` + + Endpoint of the objectstore provider (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_KEY=` + + Access key for the objectstore (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_PATHSTYLE=false` + + Enabled or disables path style for the objectstore (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_REGION=us-east-1` + + Objectstore region to use (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_SECRET=` + + Secret key for the objectstore (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_VERSION=2006-03-01` + + Objectstore version to use (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_PART_SIZE=5242880` + + Part size, in bytes, applies to uploads between ownCloud and S3 (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_CONCURRENCY=3` + + Maximum number of concurrent UploadPart operations allowed during the multipart upload (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OBJECTSTORE_AVAILABLE_STORAGE=` + + Indicates available storage size in the objectstore in bytes (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OPENSSL_CONFIG=` + + Path to a custom `openssl.cnf` file, e.g. when using a custom PKI or CA in the container (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-cipher-for-encrypting-files[documentation]). +- `OWNCLOUD_OPERATION_MODE=` + + Define ownCloud operation modes (see xref:configuration/server/config_sample_php_parameters.adoc#define-owncloud-operation-modes[documentation]). +- `OWNCLOUD_OVERWRITE_CLI_URL=$\{OWNCLOUD_PROTOCOL}://$\{OWNCLOUD_DOMAIN}$\{OWNCLOUD_SUB_URL}` + + Override cli URL (see xref:configuration/server/config_sample_php_parameters.adoc#override-cli-url[documentation]). +- `OWNCLOUD_OVERWRITE_COND_ADDR=` + + Override condition for the remote IP address with a regular expression (see xref:configuration/server/config_sample_php_parameters.adoc#override-condition-for-the-remote-ip-address-with-a-regular-expression[documentation]). +- `OWNCLOUD_OVERWRITE_HOST=` + + Override automatic proxy detection (see xref:configuration/server/config_sample_php_parameters.adoc#override-automatic-proxy-detection[documentation]). +- `OWNCLOUD_OVERWRITE_PROTOCOL=` + + Override protocol (http/https) usage (see xref:configuration/server/config_sample_php_parameters.adoc#override-protocol-httphttps-usage[documentation]). +- `OWNCLOUD_OVERWRITE_WEBROOT=` + + Override ownClouds webroot (see xref:configuration/server/config_sample_php_parameters.adoc#override-ownclouds-webroot[documentation]). +- `OWNCLOUD_PDF_VIEWER_ENABLE_SCRIPTING=` + + Allow JavaScript execution in PDF files. Security risk — only enable if required (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-files-pdf-viewer[documentation]). +- `OWNCLOUD_PART_FILE_IN_STORAGE=` + + Define where part files are located (see xref:configuration/server/config_sample_php_parameters.adoc#define-where-part-files-are-located[documentation]). +- `OWNCLOUD_POLLINTERVAL=` + + Suggested client polling interval in milliseconds (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-ttl-for-garbage-collection[documentation]). +- `OWNCLOUD_POST_CRONJOB_PATH=/etc/post_cronjob.d` + + Path to custom scripts that need to be executed after a cron run. +- `OWNCLOUD_POST_INSTALL_PATH=/etc/post_install.d` + + Path to custom scripts that need to be executed after an ownCoud installation command. +- `OWNCLOUD_POST_SERVER_PATH=/etc/post_server.d` + + Path to custom scripts that need to be executed after an ownCloud server startup. +- `OWNCLOUD_PREVIEW_JPEG_IMAGE_DISPLAY_QUALITY=` + + JPEG preview display quality from 1 to 100 (`-1` uses the PHP default of ~75%) (see xref:configuration/server/config_sample_php_parameters.adoc#enable-preview-generation[documentation]). +- `OWNCLOUD_PREVIEW_LIBREOFFICE_PATH=` + + Define the custom path for the LibreOffice / OpenOffice binary (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-custom-path-for-the-libreoffice-openoffice-binary[documentation]). +- `OWNCLOUD_PREVIEW_MAX_DIMENSIONS=` + + Define the maximum dimensions of the original image for preview generation (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-dimensions-of-the-original-image-for-preview-generation[documentation]). +- `OWNCLOUD_PREVIEW_MAX_FILESIZE_IMAGE=` + + Define the maximum preview filesize limit (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-preview-filesize-limit[documentation]). +- `OWNCLOUD_PREVIEW_MAX_SCALE_FACTOR=` + + Define the maximum preview scale factor (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-preview-scale-factor[documentation]). +- `OWNCLOUD_PREVIEW_MAX_X=` + + Define the maximum x-axis width for previews (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-x-axis-width-for-previews[documentation]). +- `OWNCLOUD_PREVIEW_MAX_Y=` + + Define the maximum y-axis width for previews (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-maximum-y-axis-width-for-previews[documentation]). +- `OWNCLOUD_PREVIEW_OFFICE_CL_PARAMETERS=` + + Define additional arguments for LibreOffice / OpenOffice (see xref:configuration/server/config_sample_php_parameters.adoc#define-additional-arguments-for-libreoffice-openoffice[documentation]). +- `OWNCLOUD_PRE_CRONJOB_PATH=/etc/pre_cronjob.d` + + Path to custom scripts that need to be executed before a cron run. +- `OWNCLOUD_PRE_INSTALL_PATH=/etc/pre_install.d` + + Path to custom scripts that need to be executed before an ownCoud installation command. +- `OWNCLOUD_PRE_SERVER_PATH=/etc/pre_server.d` + + Path to custom scripts that need to be executed before an ownCloud server startup. +- `OWNCLOUD_PROTOCOL=http` + + Protocol used in `OWNCLOUD_OVERWRITE_CLI_URL` by default. +- `OWNCLOUD_PROXY_IGNORE=` + + Comma-separated list of hostnames that bypass the proxy (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-url-of-your-proxy-server[documentation]). +- `OWNCLOUD_PROXY=` + + Define the URL of your proxy server (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-url-of-your-proxy-server[documentation]). +- `OWNCLOUD_PROXY_USERPWD=` + + Define proxy authentication (see xref:configuration/server/config_sample_php_parameters.adoc#define-proxy-authentication[documentation]). +- `OWNCLOUD_QUOTA_INCLUDE_EXTERNAL_STORAGE=` + + Define whether to include external storage in quota calculation (see xref:configuration/server/config_sample_php_parameters.adoc#define-whether-to-include-external-storage-in-quota-calculation[documentation]). +- `OWNCLOUD_REDIS_DB=` + + Define Redis connection details sets the dbindex (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-connection-details[documentation]). +- `OWNCLOUD_REDIS_ENABLED=false` + + Sets memcache to Redis (see xref:configuration/server/config_sample_php_parameters.adoc#memory-caching-backend-for-distributed-data[documentation]). If sessions need to be stored in redis as well, you must also set `OWNCLOUD_SESSION_SAVE_HANDLER=redis`. +- `OWNCLOUD_REDIS_FAILOVER_MODE=` + + Sets redis failover mode (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-cluster-connection-details[documentation]). Possible values: `FAILOVER_NONE` for `\RedisCluster::FAILOVER_NONE`, `FAILOVER_ERROR` for `\RedisCluster::FAILOVER_ERROR` or `FAILOVER_DISTRIBUTE` for `\RedisCluster::FAILOVER_DISTRIBUTE`. +- `OWNCLOUD_REDIS_HOST=redis` + + Sets redis host (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-connection-details[documentation]). +- `OWNCLOUD_REDIS_PASSWORD=` + + Set redis password (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-connection-details[documentation]). +- `OWNCLOUD_REDIS_PORT=6379` + + Set redis port (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-connection-details[documentation]). +- `OWNCLOUD_REDIS_READ_TIMEOUT=` + + Sets redis read timeout (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-cluster-connection-details[documentation]). +- `OWNCLOUD_REDIS_SEEDS=` + + Sets the redis cluster servers (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-cluster-connection-details[documentation]). +- `OWNCLOUD_REDIS_SESSION_LOCKING_ENABLED=1` + + Sets PHP option `redis.session.locking_enabled` if `OWNCLOUD_SESSION_SAVE_HANDLER=redis`. +- `OWNCLOUD_REDIS_SESSION_LOCK_RETRIES=750` + + Sets PHP option `redis.session.lock_retries` if `OWNCLOUD_SESSION_SAVE_HANDLER=redis`. +- `OWNCLOUD_REDIS_SESSION_LOCK_WAIT_TIME=20000` + + Sets PHP option `redis.session.lock_wait_time` if `OWNCLOUD_SESSION_SAVE_HANDLER=redis`. +- `OWNCLOUD_REDIS_STARTUP_TIMEOUT=180` + + Time to wait for a successful connection to the redis service on container startup. +- `OWNCLOUD_REDIS_TIMEOUT=` + + Sets the redis timeout value (see xref:configuration/server/config_sample_php_parameters.adoc#define-redis-cluster-connection-details[documentation]). +- `OWNCLOUD_REDIS_TLS_ALLOW_SELF_SIGNED=` + + Allow self-signed certificates on the Redis server (`true`/`false`) (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_CAFILE=` + + Path to CA certificate file for TLS-secured Redis connections (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_CAPATH=` + + Directory containing CA certificates for TLS-secured Redis connections (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_CIPHERS=` + + OpenSSL cipher list for Redis TLS connections (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_LOCAL_CERT=` + + Path to client certificate file for mutual TLS to Redis (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_LOCAL_PK=` + + Path to client private key file for mutual TLS to Redis (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_PASSPHRASE=` + + Passphrase for an encrypted Redis client private key (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_PEER_NAME=` + + Expected hostname in the Redis server certificate, overrides the connection host for SNI (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_VERIFY_PEER=` + + Validate the Redis server certificate against the CA (`true`/`false`) (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REDIS_TLS_VERIFY_PEER_NAME=` + + Validate that the Redis server certificate CN/SAN matches the peer name (`true`/`false`) (see the https://github.com/phpredis/phpredis[phpredis docs]). +- `OWNCLOUD_REMEMBER_LOGIN_COOKIE_LIFETIME=` + + Define the lifetime of the remember-login cookie (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-lifetime-of-the-remember-login-cookie[documentation]). +- `OWNCLOUD_SAVE_VERSION_METADATA=` + + Enable extended version metadata (see https://doc.owncloud.com/server/latest/admin_manual/configuration/files/file_versioning.adoc#extended-version-metadata[description] and https://doc.owncloud.com/server/next/admin_manual/configuration/server/config_sample_php_parameters.adoc#save-additional-metadata-for-versions[documentation]). +- `OWNCLOUD_SECRET=` + + Define ownClouds internal secret (see xref:configuration/server/config_sample_php_parameters.adoc#define-ownclouds-internal-secret[documentation]). +- `OWNCLOUD_SESSION_KEEPALIVE=` + + Enable or disable session keep-alive when a user is logged in to the Web UI (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-session-keep-alive-when-a-user-is-logged-in-to-the-web-ui[documentation]). +- `OWNCLOUD_SESSION_LIFETIME=` + + Define the lifetime of a session after inactivity (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-lifetime-of-a-session-after-inactivity[documentation]). +- `OWNCLOUD_SESSION_FORCED_LOGOUT_TIMEOUT=` + + Force the user to get logged out after the specified number of seconds when the tab or browser gets closed. Please read the documentation carefully before changing this option (see xref:configuration/server/config_sample_php_parameters.adoc#enable-to-force-user-logout[documentation]). +- `OWNCLOUD_SESSION_SAVE_HANDLER=files` + + Sets PHP option `session.save_handler`. +- `OWNCLOUD_DEFAULT_SOCKET_TIMEOUT=60` + + Sets PHP option `default_socket_timeout`. +- `OWNCLOUD_SESSION_SAVE_PATH=$\{OWNCLOUD_VOLUME_SESSIONS}` + + Sets the PHP option `session.save_path`. If `OWNCLOUD_SESSION_SAVE_HANDLER=redis` is used, this must be set to a proper connection URL including authentication parameters if required by the redis server. It usually follows the following scheme: `tcp://IPADDRESS:PORT?auth=REDISPASSWORD`. +- `OWNCLOUD_SHARE_FOLDER=` + + Define a default folder for shared files and folders other than root (see xref:configuration/server/config_sample_php_parameters.adoc#define-a-default-folder-for-shared-files-and-folders-other-than-root[documentation]). +- `OWNCLOUD_SHARING_FEDERATION_ALLOW_HTTP_FALLBACK=` + + Allow schema fallback for federated sharing servers (see xref:configuration/server/config_sample_php_parameters.adoc#allow-schema-fallback-for-federated-sharing-servers[documentation]). +- `OWNCLOUD_SHARING_MANAGER_FACTORY=` + + Define an alternative Share Provider (see xref:configuration/server/config_sample_php_parameters.adoc#define-an-alternative-share-provider[documentation]). +- `OWNCLOUD_SHARING_SHOW_PUBLIC_LINK_QUICK_ACTION=` + + Show a quick-action button for creating public links in the file list (see xref:configuration/server/config_sample_php_parameters.adoc#define-an-alternative-share-provider[documentation]). +- `OWNCLOUD_SHOW_SERVER_HOSTNAME=` + + Show or hide the server hostname in status.php (see xref:configuration/server/config_sample_php_parameters.adoc#show-or-hide-the-server-hostname-in-status-php[documentation]). +- `OWNCLOUD_SINGLEUSER=` + + Enable or disable single user mode (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-single-user-mode[documentation]). +- `OWNCLOUD_SKELETON_DIRECTORY=` + + Define the directory where the skeleton files are located (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-directory-where-the-skeleton-files-are-located[documentation]). +- `OWNCLOUD_SKIP_CHMOD=false` + + Enable or disable automatic file permissions correction on container startup. +- `OWNCLOUD_SKIP_CHOWN=false` + + Enable or disable automatic file ownership correction on container startup. +- `OWNCLOUD_SMB_LOGGING_ENABLE=` + + Enable or disable debug logging for SMB access (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-debug-logging-for-smb-access[documentation]). +- `OWNCLOUD_SQLITE_JOURNAL_MODE=` + + Define sqlite3 journal mode (see xref:configuration/server/config_sample_php_parameters.adoc#define-sqlite3-journal-mode[documentation]). +- `OWNCLOUD_STRICT_LOGIN_ENFORCED=` + + Only validate the exact login name entered by the user, not alternative formats (see xref:configuration/server/config_sample_php_parameters.adoc#enforce-token-only-authentication-for-apps-and-clients-connecting-to-owncloud[documentation]). +- `OWNCLOUD_SUB_URL=/` + + URL path if ownCloud is deployed to a URL sub-path of a domain. +- `OWNCLOUD_SYSTEMTAGS_MANAGER_FACTORY=` + + Define an alternative System Tags Manager (see xref:configuration/server/config_sample_php_parameters.adoc#define-an-alternative-system-tags-manager[documentation]). +- `OWNCLOUD_TELEMETRY_ENABLED=` + + Send daily telemetry reports (Enterprise only) (see xref:configuration/server/config_sample_php_parameters.adoc#define-owncloud-operation-modes[documentation]). +- `OWNCLOUD_TEMP_DIRECTORY=` + + Define the location for temporary files (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-location-for-temporary-files[documentation]). +- `OWNCLOUD_TOKEN_AUTH_ENFORCED=` + + Enforce token only authentication for apps and clients connecting to ownCloud (see xref:configuration/server/config_sample_php_parameters.adoc#enforce-token-only-authentication-for-apps-and-clients-connecting-to-owncloud[documentation]). +- `OWNCLOUD_TRASHBIN_SKIP_DIRECTORIES=` + + Comma-separated list of directory names that bypass the trash bin (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-trashbin-retention-obligation[documentation]). +- `OWNCLOUD_TRASHBIN_SKIP_EXTENSIONS=` + + Comma-separated list of file extensions that bypass the trash bin (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-trashbin-retention-obligation[documentation]). +- `OWNCLOUD_TRASHBIN_SKIP_SIZE_THRESHOLD=` + + Files larger than this size bypass the trash bin (e.g. `1GB`) (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-trashbin-retention-obligation[documentation]). +- `OWNCLOUD_TRASHBIN_PURGE_LIMIT=` + + Define the trashbin purge limit (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-trashbin-purge-limit[documentation]). +- `OWNCLOUD_TRASHBIN_RETENTION_OBLIGATION=` + + Define the trashbin retention obligation (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-trashbin-retention-obligation[documentation]). +- `OWNCLOUD_TRUSTED_PROXIES=` + + Define list of trusted proxy servers (see xref:configuration/server/config_sample_php_parameters.adoc#define-list-of-trusted-proxy-servers[documentation]). +- `OWNCLOUD_UPDATER_SERVER_URL=` + + Define the updatechecker URL (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-updatechecker-url[documentation]). +- `OWNCLOUD_UPDATE_CHECKER=` + + Enable or disable updatechecker (see xref:configuration/server/config_sample_php_parameters.adoc#enable-or-disable-updatechecker[documentation]). +- `OWNCLOUD_UPGRADE_AUTOMATIC_APP_UPDATES=` + + Define whether or not to enable automatic update of market apps (see xref:configuration/server/config_sample_php_parameters.adoc#define-whether-or-not-to-enable-automatic-update-of-market-apps[documentation]). +- `OWNCLOUD_USE_RELATIVE_DOMAIN_NAME=` + + Use only the short hostname (no FQDN) in `status.php` (see xref:configuration/server/config_sample_php_parameters.adoc#show-or-hide-the-server-hostname-in-status-php[documentation]). +- `OWNCLOUD_USER_LDAP_ENABLE_MEDIAL_SEARCH=` + + Enable medial search in the LDAP user backend (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-ldap[documentation]). +- `OWNCLOUD_USER_SEARCH_MIN_LENGTH=` + + Define minimum characters entered before a search returns results (see xref:configuration/server/config_sample_php_parameters.adoc#define-minimum-characters-entered-before-a-search-returns-results[documentation]). +- `OWNCLOUD_WEB_BASEURL=` + + Base URL for the ownCloud Web UI (see xref:configuration/server/config_sample_php_parameters.adoc#override-cli-url[documentation]). +- `OWNCLOUD_WEB_REWRITE_LINKS=` + + Redirect public/private links to the ownCloud Web UI (see xref:configuration/server/config_sample_php_parameters.adoc#override-cli-url[documentation]). +- `OWNCLOUD_WND_ACTIVITY_REGISTER_EXTENSION=` + + Register the Windows Network Drive app with the Activity app to report what `wnd:process-queue` is doing (`true`/`false`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_ACTIVITY_SEND_TO_SHAREES=` + + Send activity notifications to sharees of Windows Network Drive files and folders; requires `OWNCLOUD_WND_ACTIVITY_REGISTER_EXTENSION` (`true`/`false`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_CONNECTOR_OPTS_TIMEOUT=` + + Timeout in milliseconds applied to all Windows Network Drive backend operations and connections (default `20000`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_ERROR_CODES_PASSWORD_RESET=` + + Comma-separated list of error codes that trigger a password reset for Windows Network Drive (default `13` = access denied); empty disables it (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_FILE_INFO_PARSE_ATTRS_MODE=` + + How Windows Network Drive evaluates file attributes: `none`, `stat` (default) or `getxattr` (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_GROUP_MEMBERSHIP_CHECK_USER_FIRST=` + + Make the Windows Network Drive group membership component assume an ACL entry is a user and check users first (`true`/`false`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_IN_MEMORY_NOTIFIER_ENABLE=` + + Enable the in-memory notifier so Windows Network Drive storages reset passwords on detecting a wrong password (`true`/`false`, default `true`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_LISTEN_EVENTS_SMB_ACL=` + + Listen to events from the `smb_acl` app to update Windows Network Drive storages when an ACL changes (`true`/`false`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_LISTEN_RECONNECT_AFTER_TIME=` + + Interval in seconds after which the Windows Network Drive listener reconnects to the database to avoid crashes from idle connections (default `28800`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_LOGGING_ENABLE=` + + Enable additional debug logging for the Windows Network Drive app (`true`/`false`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND_PERMISSION_MANAGER_CACHE_SIZE=` + + Maximum number of items in the Windows Network Drive permission manager per-request cache (default `512`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND2_CACHE_WRAPPER_NORMALIZE=` + + Probe both NFC/NFD UTF-8 forms in the Windows Network Drive collaborative cache wrapper, needed for macOS HFS+ mounts (`true`/`false`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WND2_CACHE_WRAPPER_TTL=` + + TTL in seconds for the Windows Network Drive collaborative cache wrapper (default `1800`); use a negative value to disable (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-windows-network-drive-wnd[documentation]). +- `OWNCLOUD_WORKFLOW_RETENTION_ENGINE=` + + Retention engine for the workflow/tagging app: `tagbased` (default) or `userbased` (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-workflow-tagging[documentation]). +- `OWNCLOUD_WOPI_BUSINESS_FLOW_ENABLED=` + + Enable the Microsoft Office 365 business flow for WOPI (`yes`/`no`) (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-microsoft-office-online-wopi[documentation]). +- `OWNCLOUD_WOPI_GROUP=` + + Restrict Microsoft Office Online access to a specific group (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-microsoft-office-online-wopi[documentation]). +- `OWNCLOUD_WOPI_OFFICE_ONLINE_SERVER=` + + URL of the Microsoft Office Online server (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-microsoft-office-online-wopi[documentation]). +- `OWNCLOUD_WOPI_PROXY_URL=` + + Business proxy URL for Microsoft Office 365 (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-microsoft-office-online-wopi[documentation]). +- `OWNCLOUD_WOPI_TOKEN_KEY=` + + Random key (minimum 32 bytes) used to sign WOPI JWT tokens (Enterprise only) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-microsoft-office-online-wopi[documentation]). +- `OWNCLOUD_VERSIONS_RETENTION_OBLIGATION=` + + Define the files versions retention obligation (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-files-versions-retention-obligation[documentation]). +- `OWNCLOUD_VERSION_HIDE=` + + Show or hide the ownCloud version information in status.php (see xref:configuration/server/config_sample_php_parameters.adoc#show-or-hide-the-owncloud-version-information-in-status-php[documentation]). +- `OWNCLOUD_VOLUME_APPS=$\{OWNCLOUD_VOLUME_ROOT}/apps` + + Base directory used to store custom installed apps. +- `OWNCLOUD_VOLUME_CONFIG=$\{OWNCLOUD_VOLUME_ROOT}/config` + + Base directory used to store the ownCloud configuration. +- `OWNCLOUD_VOLUME_FILES=$\{OWNCLOUD_VOLUME_ROOT}/files` + + Define the directory where user files are stored (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-directory-where-user-files-are-stored[documentation]). +- `OWNCLOUD_VOLUME_ROOT=/mnt/data` + + Base data directory for ownCloud. +- `OWNCLOUD_VOLUME_SESSIONS=$\{OWNCLOUD_VOLUME_ROOT}/sessions` + + Base directory to store session files. Only used if `OWNCLOUD_SESSION_SAVE_HANDLER=file`. +- `OWNCLOUD_PHP_DISABLE_FUNCTIONS=pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,system,phpinfo,show_source,fopen_with_path,dbmopen,dbase_open,filepro_retrieve,posix_mkfifo` + + Some insecure PHP functions are disabled by default, and this option should not be changed for production setup. Use it with caution. +- `OWNCLOUD_IOC_SCANNER_CONFIRMATION=` + + To suppress Indicators of Compromise (IoC) messages the environment variable need to be set to `EXECUTED_ON_ALL_NODES`. This feature requires a valid `OWNCLOUD_LICENSE_KEY`. + diff --git a/modules/admin_manual/pages/configuration/files/mimetypes.adoc b/modules/admin_manual/pages/configuration/files/mimetypes.adoc index a0e627c9f..c518ba03b 100644 --- a/modules/admin_manual/pages/configuration/files/mimetypes.adoc +++ b/modules/admin_manual/pages/configuration/files/mimetypes.adoc @@ -14,12 +14,10 @@ By default, the folder containing the relevant configuration is not part of the [source,docker] ---- -/var/www/owncloud/resources --> -/var/www/owncloud/core/img/filetypes --> + --> /var/www/owncloud/resources + --> /var/www/owncloud/core/img/filetypes ---- - - The folder for the ownCloud config is already a mounted Docker volume and accessible under `/config`. == Mimetype Aliases diff --git a/modules/admin_manual/pages/configuration/files/previews_configuration.adoc b/modules/admin_manual/pages/configuration/files/previews_configuration.adoc index 58507ab6d..e0cb16537 100644 --- a/modules/admin_manual/pages/configuration/files/previews_configuration.adoc +++ b/modules/admin_manual/pages/configuration/files/previews_configuration.adoc @@ -20,6 +20,8 @@ ownCloud supports the preview generation of file types such as PDF, SVG or vario IMPORTANT: Be careful enabling preview thumbnail generation for documents which could contain or reference executable code! ownCloud does NOT take any responsibility for any issues. +IMPORTANT: The ownCloud Docker image provides the `imagick` PHP extension but not the ImageMagick binary, which is required for an enhanced configuration. To resolve this, you need to create a custom image that installs this requirement manually. Please note that other binaries may be required; these are listed in the relevant sections below. + == Important Considerations . Rendering takes place when the user accesses the folder and the preview has not been generated before. This means that each first folder access may create additional load on the server. @@ -60,11 +62,9 @@ If you want to add or change the default list, you MUST define all elements. If When defining your own preview providers, some things need to be considered. For some file types, ownCloud uses ImageMagick to generate previews. -IMPORTANT: The ownCloud Docker Image provides the `imagic` php extension, but not the ImageMagick binary. To mitigate this issue, you need to manually create an image that installs this requirement. Please note that other binaries may be required, which are listed in the relevant sections below. - Starting with version 7 of ImageMagick, additional file formats like SVG or HEIC and many others can be processed. -You can check your ImageMagick version installed in your image by issuing the following command: +You can check your ImageMagick version, if installed in your image, by issuing the following command: [source,docker] ---- diff --git a/modules/admin_manual/pages/configuration/important_notes.adoc b/modules/admin_manual/pages/configuration/important_notes.adoc new file mode 100644 index 000000000..c7155ff36 --- /dev/null +++ b/modules/admin_manual/pages/configuration/important_notes.adoc @@ -0,0 +1,51 @@ += Important Configuration Notes +:toc: right +:page-aliases: installation/configuration_notes.adoc +:description: This page provides some important configuration notes. + +== Introduction + +{description} + +Due to this version's Docker-only approach, some aspects of configuring your ownCloud Classic Server have changed. With a few exceptions, using environment variables is the only way to configure the instance. + +== Environment Variables + +The majority of config keys that are provided by ownCloud can be found in the xref:configuration/envvars/envvars.adoc[Environment Variables] documentation. For the few exceptions, the traditional configuration key approach must be used. The documentation for the configuration keys also refers to the corresponding environment variables. + +== Using Configuration Keys + +IMPORTANT: This approach should only be used if there is no environment variable available. This is noted in the relevant section of the documentation. + +=== Preparation + +In order to add configuration keys instead of using environment variables, some preparation is required. + +* Change to the mounted docker volume where the configuration is stored. ++ +[source,bash] +---- +cd /config +---- + +* Next, create a new file with the same owner and permissions as the existing files. The naming must follow the scheme `.config.php`. Replace `` with the name of choice but consider that the order in which configuration files are read is alphabetical. ++ +IMPORTANT: If a key/value pair exists in a file, it will take precedence over any existing ones defined in a config file that is read earlier. It is therefore crucial that you use a name that makes the file last read. + +* This file must have the following mandatory content: ++ +[source,php] +---- + true, .... +=== Allow or disallow the group administrator (subadmin) feature +`true` allows administrators to delegate user management of specific groups +to non-admin users (group admins / subadmins). + +`false` (default) disables the feature entirely: existing group-admin +assignments are ignored and no new ones can be created. + +SECURITY NOTE: this feature is disabled by default as a risk-mitigation. +Only enable it if you require delegated group administration and understand +that group admins can manage users within their groups. + +==== Code Sample + +[source,php] +.... +'allow_subadmins' => false, +.... + === Define the lifetime of the remember-login cookie The remember-login cookie is set when the user clicks the `remember` checkbox on the login screen. The default is 15 days, expressed in seconds. @@ -1619,6 +1637,7 @@ server configuration above and perform HA on the hostname. Redis Cluster support requires the php module phpredis in version 3.0.0 or higher. Available failover modes: + - \RedisCluster::FAILOVER_NONE - only send commands to primary nodes (default) - \RedisCluster::FAILOVER_ERROR - failover to replicas for read commands if primary is unavailable - \RedisCluster::FAILOVER_DISTRIBUTE - randomly distribute read commands across primary and replica nodes diff --git a/modules/admin_manual/pages/configuration/user/login_policies.adoc b/modules/admin_manual/pages/configuration/user/login_policies.adoc index 7bc6c0bf6..899a30812 100644 --- a/modules/admin_manual/pages/configuration/user/login_policies.adoc +++ b/modules/admin_manual/pages/configuration/user/login_policies.adoc @@ -9,6 +9,8 @@ Login policies will emit a `failed login` event if the user isn't allowed to log in. +// if there will be no one envvar for loginPolicy.groupLoginPolicy.forbidMap , we need to add: include::partial$manual_config_file.adoc[] + == Use Cases Login policies can be used to restrict members of particular groups to use only particular login types. This is especially true for guest users as they do not have an ownCloud account and cannot be validated via OpenID Connect but can log in using their email and password. diff --git a/modules/admin_manual/pages/enterprise/authentication/enterprise_only_auth.adoc b/modules/admin_manual/pages/enterprise/authentication/enterprise_only_auth.adoc index 1dd2e9169..3a38b188e 100644 --- a/modules/admin_manual/pages/enterprise/authentication/enterprise_only_auth.adoc +++ b/modules/admin_manual/pages/enterprise/authentication/enterprise_only_auth.adoc @@ -173,14 +173,16 @@ In general, when using this authentication method, the user and the password use * The username is the same as the `user id` of the ownCloud session. + For example, ownCloud user "Alice" with password "mysecret" (or even without password) will use "Alice" as username and the password from the config.php file to access the storage. Note that for LDAP, the `user id` is usually like _1223-cbdf-cacc-1234...,_ unless the configuration in the user_ldap app is changed. -* The password will be fetched from a key inside the config.php file. + -For details see the section below. Even if the account doesn't have a password like OAuth or OpenIDConnect, etc., the connection with the storage will use the password from config.php. +* The password will be fetched from a key inside the configuration file. + +For details see the section below. Even if the account doesn't have a password like OAuth or OpenIDConnect, etc., the connection with the storage will use the password from the configuration file. + NOTE: The password will be the same for any user accessing the particular mount! ==== Defining key/value pairs in config.php -Key/value pairs in config.php must have the following structure: +include::partial$manual_config_file.adoc[] + +Key/value pairs in the configuration file must have the following structure: .Example having a single array [source,php] diff --git a/modules/admin_manual/pages/enterprise/authentication/kerberos.adoc b/modules/admin_manual/pages/enterprise/authentication/kerberos.adoc index 213053990..484b0f20b 100644 --- a/modules/admin_manual/pages/enterprise/authentication/kerberos.adoc +++ b/modules/admin_manual/pages/enterprise/authentication/kerberos.adoc @@ -9,6 +9,10 @@ With the Kerberos app, you can reuse the authentication ticket generated from a user's Windows domain login for ownCloud and access file server resources via ownCloud without re-authentication. +IMPORTANT: The Docker image does not provide the required Kerberos `krb5` PHP extension and the `krb5-user` CLI tool. This tool is an actual requirement, the Kerberos implementation in the WND app requires the `kvno` command which is contained in the package installed. To mitigate this issue, you need to manually create an image that installs and enables these requirements. Please note that the app will not enable unless the `kvno` tool exists. + +include::partial$manual_config_file.adoc[] + == General Information When using the Kerberos app, the Windows login session from the user is taken to log in to ownCloud. This is very convenient, as the user does not need to re-authenticate for using ownCloud as he already has authenticated to his Domain. In addition by using the Kerberos ticket, the user can also use file resources via the xref:enterprise/external_storage/windows-network-drive_configuration.adoc[Windows Network Drive (WND)] app without the need to re-authenticate. This generates a seamless user experience. This is done by the configuration made, which enables the webserver to make the ticket available for PHP for further processing. @@ -135,10 +139,6 @@ The administration server. This is typically the same as the LDAP/Active Directo ** If this is not the case, you need to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member[Setting up Samba as a Domain Member]. //// -* {empty} -+ -IMPORTANT: The Docker image does not provide the required Kerberos `krb5` PHP extension and the `krb5-user` CLI tool. This tool is an actual requirement, the Kerberos implementation in the WND app requires the `kvno` command which is contained in the package installed. To mitigate this issue, you need to manually create an image that installs and enables these requirements. - * DNS records + Create a DNS record for the public FQDN of the ownCloud instance (``). ** If there is only a single web site on the web server, the simplest option is to make sure that the public URL of the site is the same as the FQDN of the server configured in the `/etc/hosts` configuration file. Create an A DNS record for this FQDN pointing directly to the server’s IP address. @@ -442,7 +442,7 @@ Tickets destroyed Note that if you issue this command during regular operation, all sessions for users using ownCloud with Kerberos will end and need to re-login. -- -. Create a new ownCloud config file `/path-to-owncloud/config/kerberos.config.php` with the following contents or add only the comment and key to an existing `config.php` file. More Kerberos config options can be found in the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-kerberos[Config Apps Sample] description: +. Add the following contents to your own config file. More Kerberos config options can be found in the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-kerberos[Config Apps Sample] description: + -- [source,php] @@ -456,7 +456,6 @@ Note that if you issue this command during regular operation, all sessions for u ]; ---- -- -A new file will be read xref:configuration/server/config_sample_php_parameters.adoc#introduction[additionally] to existing config files. See the xref:configuration/server/config_apps_sample_php_parameters.adoc[Apps Config.php Parameters] for more Kerberos configuration options. //// === Webserver Side @@ -479,15 +478,6 @@ A new file will be read xref:configuration/server/config_sample_php_parameters.a See the https://modauthkerb.sourceforge.net/configure.html[mod-auth-kerb,window=_blank] documentation for more details on the settings used. -- - -* Restart Apache: -+ --- -[source,bash] ----- -sudo apachectl -k graceful ----- --- //// == Browser Prerequisites diff --git a/modules/admin_manual/pages/enterprise/collaboration/collabora_secure_view.adoc b/modules/admin_manual/pages/enterprise/collaboration/collabora_secure_view.adoc index 3c158493b..9a4fefdd1 100644 --- a/modules/admin_manual/pages/enterprise/collaboration/collabora_secure_view.adoc +++ b/modules/admin_manual/pages/enterprise/collaboration/collabora_secure_view.adoc @@ -3,6 +3,17 @@ :secure-view-label: Secure View (with watermarks) :page-aliases: collabora_online_integration.adoc, enterprise/collaboration/index.adoc +//// + +Secure View is under review. +The required marketplace app is not in ownClouds responsibility but a necessity for the functionality. +If the functionality is dropped, a new OC image is provided no longer showing the sec view capabilities. +Note that in this case, we ned to also remove entries in config.apps.samle (richdocuments) and do a config-to-docs run. +Then we can remove the page, all of the images related and all occ commands that manage sec view (richdocuments). +If the functionality is kept, the app needs to be OC11 ready and either provided in the image or downloadable. + +//// + == Introduction Collabora Online allows you to work with all kinds of Collabora office documents directly in your browser. This application can connect to a Collabora Online (or other) server (WOPI-like client) where ownCloud is the WOPI host. @@ -33,7 +44,6 @@ If a file or folder has been shared multiple times to different groups with diff == Prerequisites -* ownCloud *10.3* or above * _Enterprise Edition_ * {oc-marketplace-url}/apps/richdocuments[ownCloud Collabora Online] app version *2.2.0* or above * Collabora Online Server *4.0.10* or above, set up and integrated @@ -67,15 +77,15 @@ NOTE: Admins can specify that all shares are "_secure view_" by default and that When "_{secure-view-label}_" is enabled, any attempts to download the file will be blocked as shown in the screenshot below. In addition, copy & paste is disabled. -image:enterprise/collaboration/access-denied.png[Access denied to a document when it is protected by secure view, width=80%] +image:enterprise/collaboration/access-denied.png[Access denied to a document when it is protected by secure view, width=350] == Limitations and Security Hardening -To make sure that the secure view feature is deployed securely and cannot be circumvented, it is important to disable the following extensions: +To ensure the Secure View feature is deployed securely and cannot be bypassed, disable the following apps if they were enabled beforehand: -* {oc-marketplace-url}/apps/onlyoffice[ONLYOFFICE] -* {oc-marketplace-url}/apps/wopi[Microsoft Office Online] -* {oc-marketplace-url}/apps/files_texteditor[Text editor] +* ONLYOFFICE +* Microsoft Office Online +* Text editor Additionally, you might want to _disable public link sharing_ via menu:Settings[Admin > Sharing > Allow users to share via link] so that users cannot accidentally share files publicly without secure view protection. diff --git a/modules/admin_manual/pages/enterprise/collaboration/msoffice-wopi-integration.adoc b/modules/admin_manual/pages/enterprise/collaboration/msoffice-wopi-integration.adoc index dfd3d2961..60b034861 100644 --- a/modules/admin_manual/pages/enterprise/collaboration/msoffice-wopi-integration.adoc +++ b/modules/admin_manual/pages/enterprise/collaboration/msoffice-wopi-integration.adoc @@ -1,6 +1,5 @@ = Microsoft Office Online / WOPI Integration :toc: right -:toclevels: 1 :msoffice-online-server-url: https://www.microsoft.com/en-us/microsoft-365/blog/2016/05/04/office-online-server-now-available/ :office365-url: https://products.office.com/en-us/business/office :wopi-protocol-url: https://docs.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/rest/ @@ -27,7 +26,6 @@ Please bear in mind: * WOPI is only available for ownCloud enterprise. It _is not available_ in the community version. * Out-of-the box only the on-premise version of Microsoft Office Online Server is supported. * If you want to integrate the {office365-url}[Office 365 (cloud)] version of Microsoft Office Online, you need to {oc-support-url}[get in touch with us]. -* This app requires at minimum ownCloud Version 10.5 and php 7.1. ==== == Procedure using Microsoft 365 @@ -52,9 +50,9 @@ All involved servers (Office Online Server and the ownCloud server) need to be a == Configuring the WOPI App in ownCloud -To configure the WOPI app in your ownCloud installation, add the following configuration to `config/config.php`, and adjust it based on the details of your setup: +To configure the WOPI app in your ownCloud installation, add the following environment variables, adjusting them as necessary based on the details of your setup: -[source,php,subs="post_replacements,attributes+"] +[source,.env,subs="post_replacements,attributes+"] ---- # ownCloud Support URL: {oc-support-url} @@ -63,7 +61,7 @@ To configure the WOPI app in your ownCloud installation, add the following confi # For Office 365 (cloud): Request the string from us # (this has to match the `O365_PROXY_SHARED_KEY` # configuration of the O365 proxy) -'wopi.token.key' => 'REPLACE_WITH_WOPI_TOKEN_KEY' +OWNCLOUD_WOPI_TOKEN_KEY= # Office server URL # For Office Online Server: Enter your https://your.office.online.server.tld @@ -73,7 +71,7 @@ To configure the WOPI app in your ownCloud installation, add the following confi # https://ffc-onenote.officeapps.live.com/hosting/discovery # For Office 365 production upstream URL: # https://onenote.officeapps.live.com/hosting/discovery -'wopi.office-online.server' => 'https://THE_OFFICE_SERVER_URL', +OWNCLOUD_WOPI_OFFICE_ONLINE_SERVER='https://THE_OFFICE_SERVER_URL' # Proxy URL # Only for Office 365 (cloud), not needed for Office Online Server @@ -81,27 +79,27 @@ To configure the WOPI app in your ownCloud installation, add the following confi # Note that you will get a working URL from ownCloud Support # post a written declaration that your company has an eligible # Microsoft Business contract. -'wopi.proxy.url' => 'https://o365.example.com', +OWNCLOUD_WOPI_PROXY_URL='https://o365.example.com' # Enable Business Flow # Only for Office 365 (cloud), not needed for Office Online Server # Necessary for the O365 proxy key above. -'wopi.business-flow.enabled' => 'yes', +OWNCLOUD_WOPI_BUSINESS_FLOW_ENABLED=yes # Samesite Cookie # Only for Office 365 (cloud), not needed for Office Online Server # Necessary to allow e.g. opening ownCloud sharing from O365. # Use `None` if you are using OpenID Connect. -'http.cookie.samesite' => 'Lax', +OWNCLOUD_HTTP_COOKIE_SAMESITE=Lax ---- == Restrict Usage to Users in a Specific Group -Microsoft Office Online access can be restricted to users in a specific group, by use of the `wopi_group` configuration key (in `config/config.php`), as in the following example. +Access to Microsoft Office Online can be restricted to users in a specific group by using the `OWNCLOUD_WOPI_GROUP` environment variable, as shown in the following example: -[source,php] +[source,.env] ---- -'wopi_group' => 'admin' +OWNCLOUD_WOPI_GROUP=admin ---- In the example above, only users in the `admin` group would be able to access Microsoft Office Online. @@ -118,7 +116,7 @@ You can always click on the lock icon next to your file name and unlock it manua === Lock Timeout -If a user is editing a file and loses their internet connection, the lock will timeout, freeing the lock after 30 minutes. Refer to {wopi-timeout-documentation-url}[the WOPI documentation] for further information. +If a user is editing a file and loses their internet connection, the lock will timeout, freeing the lock after 30 minutes. Refer to the {wopi-timeout-documentation-url}[WOPI documentation] for further information. == Known Issues diff --git a/modules/admin_manual/pages/enterprise/external_storage/ldap_home_connector_configuration.adoc b/modules/admin_manual/pages/enterprise/external_storage/ldap_home_connector_configuration.adoc index 81bbef55a..380931bfc 100644 --- a/modules/admin_manual/pages/enterprise/external_storage/ldap_home_connector_configuration.adoc +++ b/modules/admin_manual/pages/enterprise/external_storage/ldap_home_connector_configuration.adoc @@ -3,7 +3,7 @@ == Introduction -The {oc-marketplace-url}/apps/files_ldap_home[LDAP Home Connector] app enables you to configure your ownCloud server to display your users’ Windows home directories on the ownCloud Files pages view, just like any other folder. +The `LDAP Home Connector` app enables you to configure your ownCloud server to display your users’ Windows home directories on the ownCloud Files pages view, just like any other folder. Typically, Windows home directories are stored on a network server in a root folder, such as Home, which then contains individual folders for each user. @@ -70,61 +70,67 @@ image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-diagra The following prerequisites are required: -* Mounting cifs is available on the server where ownCloud is installed -* The {oc-marketplace-url}/apps/user_ldap[LDAP Integration] app is enabled and has a working LDAP/Active Directory configuration in ownCloud. - -* The {oc-marketplace-url}/apps/files_ldap_home[LDAP Home Connector] app is installed. +* Mounting cifs is available on the server where ownCloud is hosted. +* The `LDAP Integration` app is enabled and has a working LDAP/Active Directory configuration in ownCloud. +* The `LDAP Home Connector` app is enabled. == Configuration The configuration is done in several steps: -. Mount the root Windows home directory to the ownCloud server +. Mount the root Windows home directory to the server hosting ownCloud +. Provide this mount as volume to the Docker container . Configure Active Directory/LDAP by adding a LDAP attribute to the user profile . Use the LDAP Home Connector app to connect it to ownCloud === Mount the Home Directory -For enhanced security, create a file where the credentials are stored accessing the cifs share like: - +* For enhanced security, create a file where the credentials are stored accessing the cifs share in the server hosting ownCloud such as: ++ [source,plaintext] ---- /etc/credentials ---- -with the username and password on separate lines, replacing the values according your setup: - +* With the username and password on separate lines, replacing the values according your setup: ++ [source,plaintext] ---- username=winhomeuser password=winhomepassword ---- -Create an entry in `/etc/fstab` for the remote Windows root home directory mount and use the credentials file created above, substitute and adapt your parameters and filenames: - +* Create an entry in `/etc/fstab` for the remote Windows root home directory mount and use the credentials file created above, substitute and adapt your parameters and filenames: ++ [source,plaintext] ---- //192.168.1.58/home /mnt/share/users cifs credentials=/etc/credentials,uid=33,gid=33 ---- +* Provide this mount point as volume to the ownCloud container. See the xref:installation/installing_with_docker.adoc#compose-setup[Compose Setup] in the installation documentation for a general example for how to do so. To make handling easier, use the same paths for the source and the container. + === Configure the LDAP Server In Active Directory, open the user profile. Scroll to the *Extensions* section and open the *Attribute Editor* tab. -image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-2.png[Active Directory Attribute editor.] +image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-2.png[Active Directory Attribute editor, width=350] Use any LDAP attribute that is not already in use (UserSharedFolder in this instance) and click *Edit*. Enter the user's home directory. -image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-3.png[Editing the LDAP attribute.] +image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-3.png[Editing the LDAP attribute, width=350] + +NOTE: If different paths are used, it is important that you use the mounted volume of the container as the path and not the source of the mount. This is because this is the one seen by the ownCloud instance. Save your changes. === Configure the LDAP Home Connector * Enable the LDAP Home Connector app. -* Go to the LDAP Home Connector form on your ownCloud admin page. In the *Display folder as:* field enter the name as you want it to appear on your users’ File pages. +* Go to the LDAP Home Connector form on your ownCloud admin page. + +In the *Display folder as:* field enter the name as you want it to appear on your users’ File pages. + * In the *Attribute name:* field enter the LDAP attribute name from above that contains the home directory and press btn:[Save]. -image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-1.png[LDAP Home Connector configuration.] +image:enterprise/external_storage/ldap-home-connector/ldap-home-connector-1.png[LDAP Home Connector configuration, width=350] The Windows user's home directory is now available to the user when they log on in ownCloud. diff --git a/modules/admin_manual/pages/enterprise/external_storage/windows-network-drive_configuration.adoc b/modules/admin_manual/pages/enterprise/external_storage/windows-network-drive_configuration.adoc index 84448c10c..e83219460 100644 --- a/modules/admin_manual/pages/enterprise/external_storage/windows-network-drive_configuration.adoc +++ b/modules/admin_manual/pages/enterprise/external_storage/windows-network-drive_configuration.adoc @@ -36,7 +36,9 @@ Compared to standard SMB access, WND has advanced features like: . Enhanced ACL support . Collaborative WND (CWND) -.Brief Description of Advanced Features: +IMPORTANT: The Docker image does not provide the `smbclient` CLI tool. To mitigate this issue, you need to manually create an image that installs and enables this requirement. + +=== Brief Description of Advanced Features User lockout prevention and password reset:: Depending on the Windows or Samba policy, users could get locked out of their account if they enter a wrong password a number of times. The lockout prevention tries to avoid this from happening by resetting the password if it is wrong. This is also true for Collaborative WND when using `login credentials saved in database` and a repeatedly running files-scan job which may use outdated credentials. In the case of ownCloud's standard SMB connector, the password won't be reset. It could happen that users get locked out of the file server. @@ -94,12 +96,11 @@ Mounts to a Windows or Samba file server are labeled with a little four-pane Win Files are synchronized bidirectionally, and you can create, upload and delete files and folders. ownCloud server admins can create Windows Network Drive mounts and optionally allow users to set up their own personal Windows Network Drive mounts. -Depending on the authentication method, passwords for each mount are encrypted and stored in the ownCloud database, using a long random secret key stored in `config.php`. This allows ownCloud to access the shares when the users who own the mounts are not logged in. This access will not work if the mount is session based, where passwords are not stored and are available only for the current active session. In case other users are granted access to this mount, they will see a red triangle with an exclamation mark on the bottom right of the mount icon identifying lack of access. +Depending on the authentication method, passwords for each mount are encrypted and stored in the ownCloud database, using a long random secret key stored in the configuration file. This allows ownCloud to access the shares when the users who own the mounts are not logged in. This access will not work if the mount is session based, where passwords are not stored and are available only for the current active session. In case other users are granted access to this mount, they will see a red triangle with an exclamation mark on the bottom right of the mount icon identifying lack of access. [IMPORTANT] ==== * For more information on SMB/CIFS in ownCloud, refer to the xref:configuration/files/external_storage/smb.adoc[Samba File Server Configuration] documentation. -* Please note that the referenced document provides additional information on testing an SMB connection with `smbclient`. This CLI tool is not included in the shipped image, but can be added. * If you encounter errors when using the WND app like `NT_STATUS_REVISION_MISMATCH`, please get in touch by {oc-support-url}[Opening a Service Request]. ==== @@ -168,20 +169,20 @@ Follow this procedure to create a new mount point based on WND:: Admins can define that mount points can be shared to all (default), or be restricted to individuals or groups. Note that sharing is not available for all authorization methods. For details please see the xref:enterprise/external_storage/enterprise_only_auth.adoc#authentication-option-details[Enterprise-Only Authentication Options]. In this case, you will also see the following on the mount point: + -image::enterprise/external_storage/windows_network_drive/wnd-available-for.png[WND Sharing Options,width=400] +image:enterprise/external_storage/windows_network_drive/wnd-available-for.png[WND Sharing Options,width=400] .. All menu:Settings[General > Storage]: + If sharing of mounts is allowed by the admin via menu:Settings[Admin > Storage > Allow sharing on user-mounted external storages], users can share the mount via menu:Files[Mountpoint > Details > Sharing]. To avoid accidentally sharing resources, the user must allow sharing a mount in the mount points view upfront by clicking on the gear icon as shown below. btn:[Enable sharing] appears only if sharing is generally allowed by the admin, see above. . Click the gear icon for additional mount options. Previews are enabled by default, but when using large storages with many files, you may want to disable previews as this can significantly increase performance. + -image::enterprise/external_storage/windows_network_drive/wnd-gear-icon.png[WND Gear Icon,width=300] +image:enterprise/external_storage/windows_network_drive/wnd-gear-icon.png[WND Gear Icon,width=300] . Your changes are saved automatically. . Finally, the mount point is created and will look like this example if a user has set it up: + -image::enterprise/external_storage/windows_network_drive/wnd-username-pwd.png[WND mount point created,width=500] +image:enterprise/external_storage/windows_network_drive/wnd-username-pwd.png[WND mount point created,width=500] NOTE: When you create a new mountpoint using login credentials (session-based), you must log out of ownCloud and then log back in so you can access the share. You only have to do this the first time. -- @@ -190,7 +191,7 @@ NOTE: When you create a new mountpoint using login credentials (session-based), The `Config key` to be entered as shown in the screen below, must be taken as described in xref:enterprise/authentication/enterprise_only_auth.adoc#value-to-be-entered-in-the-mount-point-config-key-field[Value to be entered in the mount point config key field]. -image::enterprise/external_storage/windows_network_drive/wnd-config-key.png[WND mountpoint and hardcoded credentials, width=500] +image:enterprise/external_storage/windows_network_drive/wnd-config-key.png[WND mountpoint and hardcoded credentials, width=500] Note that this authentication method can only be used by ordinary users if the admin hands over the `Config key` created. This is secure, as no password is exposed. @@ -198,7 +199,9 @@ Note that this authentication method can only be used by ordinary users if the a NOTE: See the linked section for important information when planning to use xref:#collaborative-wnd[Collaborative WND]. -When the xref:enterprise/authentication/kerberos.adoc[Kerberos Authentication] has been set up, a necessary config key xref:configuration/server/config_apps_sample_php_parameters.adoc#a-map-of-servers-with-the-required-kerberos-data[wnd.kerberos.servers] needs to be provided upfront in `config.php`. +include::partial$manual_config_file.adoc[] + +When the xref:enterprise/authentication/kerberos.adoc[Kerberos Authentication] has been set up, a necessary config key xref:configuration/server/config_apps_sample_php_parameters.adoc#a-map-of-servers-with-the-required-kerberos-data[wnd.kerberos.servers] needs to be provided upfront in the configuration. * `Kerberos Server ID` + This ID can be chosen from the config parameter section `wnd.kerberos.servers` and defines required parameters for the WND Kerberos setup. Multiple ID's with different setups can be created. @@ -311,6 +314,7 @@ Process saved listener changes from the database . wnd:listen:: This command listens to changes for each host and share configured and stores all notifications gathered in the database. + +-- [NOTE] ==== * This command needs configuration in the xref:installation/installing_with_docker.adoc[docker compose environment] to be activated. A prepared example is given but needs configuration. You need to create as many services as you need listeners. @@ -319,16 +323,15 @@ This command listens to changes for each host and share configured and stores al * A _read-only_ permission for the used account should be enough, but may need to be increased. ==== -+ + The command does not produce any output by default, unless an error happens. Each stored notification will be further processed by the `wnd:process-queue` which is described in teh next chapter and will be removed from the database after processing. -+ + The password is a required parameter in the compose example and can be provided in different ways. Replace "password" in the compose example with one of the options below. The password value is always in plain text. -+ + * Directly added as value. * Read from a file. + Neither spaces nor newline characters will be removed from the file by default, unless the `--password-trim` option is added. The password file must be readable by the Apache user `www-data`. Note that you need to add a volume to pass the file to the service. + --- [source,docker] ---- --password-file=/run/secrets/wnd_password --password-trim @@ -337,11 +340,10 @@ Neither spaces nor newline characters will be removed from the file by default, Make sure that the password file is outside of any directory handled by apache (web-readable) for security reasons. + NOTE: If you use the `--password-file` switch, the entire contents of the file will be used for the password, please be careful with newlines. --- + * Using the `service account password`. + -This password is already stored in the ownCloud database if you setup WND in collaborative mode. In this mode, you set the username and the option for the `occ` command to reuse the password stored in the database. The example command looks like: +This password is already stored in the ownCloud database if you setup WND in collaborative mode. In this mode, you set the username and the option for the `occ` command to reuse the password stored in the database. The example parameter for the command is as follows: + --- [source,docker] ---- --password-from-service-account @@ -409,7 +411,7 @@ Check {flock-docs-url}[flock's documentation] for details and more options. === Activity Extension -From version 2.0.0 the Windows Network Drive app includes an extension of the Activity app. This extension will allow the app to send events to the Activity app so the users know what happened in the Windows Network Drive storage. +The Windows Network Drive app includes an extension of the Activity app. This extension will allow the app to send events to the Activity app so the users know what happened in the Windows Network Drive storage. Please see the following figure how a notification can look like. In this example, one user accessing the same host/share has changed a file. Other users will now get an activity notification about this change. @@ -424,11 +426,11 @@ This extension requires the following components: For setting up the `wnd:listen` and `wnd:process-queue` commands, see their respective sections above. -This extension is disabled by default. This means that no activity will reach the users. In order to enable this extension, you can edit your _additional_ xref:installation/configuration_notes.adoc#using-a-configuration-file[configuration file] and add the following configuration: +This extension is disabled by default. This means that no activity will reach the users. In order to enable this extension, you need to add the following environment variable: -[source,php] +[source,.env] ---- -'wnd.activity.registerExtension' => true, +OWNCLOUD_WND_ACTIVITY_REGISTER_EXTENSION=true ---- NOTE: This configuration will affect all the WND mount points. @@ -439,14 +441,14 @@ The events are expected to reach only to the affected users. This filters out th As part of the Activity app configuration, users can decide which events they want to be notified about and how, in the activity stream or via email. -Users who can access the Windows Network Drive storage via share won't receive activity notifications by default. You can edit your _additional_ xref:installation/configuration_notes.adoc#using-a-configuration-file[configuration file] and add the following configuration to enable sending the activity notification to those users: +Users who can access the Windows Network Drive storage via share won't receive activity notifications by default. You can add the following environment variable to enable sending the activity notification to those users: -[source,php] +[source,.env] ---- -'wnd.activity.sendToSharees' => true, +OWNCLOUD_WND_ACTIVITY_SEND_TO_SHAREES=true ---- -NOTE: The `wnd.activity.sendToSharees` key depends on the `wnd.activity.registerExtension` key to take effect. +NOTE: `OWNCLOUD_WND_ACTIVITY_SEND_TO_SHAREES` depends on `OWNCLOUD_WND_ACTIVITY_REGISTER_EXTENSION` to take effect. === Collaborative WND @@ -512,7 +514,7 @@ image:enterprise/external_storage/windows_network_drive/cwnd_fields.png[Enter Co If you encounter issues using Windows network drive, then try the following troubleshooting steps: -First check the connection to the share by using {smbclient-manpage-url}[smbclient] on the command line of the ownCloud hosting server. Here is an example: +First check the connection to the share by using {smbclient-manpage-url}[smbclient] on the command line of the server hosting ownCloud. Here is an example: [source,console,subs="attributes+"] ---- @@ -587,11 +589,11 @@ On the one hand the memory usage is reduced, on the other hand there is more net === Reduce WND Notifier Memory Usage -The WND in-memory notifier for password changes provides the ability to notify all _affected_ WND storages to reset their passwords. This feature is intended to prevent a password lockout for the user in the backend. However, this functionality _can_ consume a significant amount of memory. To disable it, edit your _additional_ xref:installation/configuration_notes.adoc#using-a-configuration-file[configuration file] and add the following key: +The WND in-memory notifier for password changes provides the ability to notify all _affected_ WND storages to reset their passwords. This feature is intended to prevent a password lockout for the user in the backend. However, this functionality _can_ consume a significant amount of memory. To disable it, add the following environment variable: -[source,php] +[source,.env] ---- -'wnd.in_memory_notifier.enable' => false, +OWNCLOUD_WND_IN_MEMORY_NOTIFIER_ENABLE=false ---- NOTE: The password will be reset on the next request, regardless of the flag setting. @@ -612,7 +614,8 @@ To optimize this, `wnd:process-queue` make use of two switches: `–serializer-t | Allowed Values | `--serializer-type` -| `file`. Other valid values may be added in the future, as more implementations are requested. +| `file` + +Other valid values may be added in the future, as more implementations are requested. | `--serializer-param` | Depends on `--serializer-type`, because those will be the parameters that the chosen serializer will use. For the `file` serializer, you need to provide a file location in the host filesystem where the storages will be serialized. You can use `--serializer-param file=/tmp/file` as an example. @@ -711,9 +714,9 @@ It's intended to be run in a different schedule, so there are several executions === Performance on High Number of ACL Targeting Users -The WND app doesn’t know about the users or groups associated with ACLs. This means that an ACL containing "admin" might refer to a user called "admin" or a group called "admin". By default, the group membership component considers the ACLs to target groups, and as such, it will try to get the information for such a group. This works fine if the majority of the ACLs target groups. If the majority of the ACLs contain users, this might be problematic. The cost of getting information on a group is usually higher than getting information on a user. This option makes the group membership component assume the ACL contains a user and checks whether there is a user in ownCloud with such a name first. If the name doesn’t refer to a user, it will get the group information. Note that this will have performance implications if the group membership component can’t discard users in a large number of cases. It is recommended to enable this option only if there are a high number of ACLs targeting users. In order to enable this setting, edit your _additional_ xref:installation/configuration_notes.adoc#using-a-configuration-file[configuration file] and add the following key: +The WND app doesn’t know about the users or groups associated with ACLs. This means that an ACL containing "admin" might refer to a user called "admin" or a group called "admin". By default, the group membership component considers the ACLs to target groups, and as such, it will try to get the information for such a group. This works fine if the majority of the ACLs target groups. If the majority of the ACLs contain users, this might be problematic. The cost of getting information on a group is usually higher than getting information on a user. This option makes the group membership component assume the ACL contains a user and checks whether there is a user in ownCloud with such a name first. If the name doesn’t refer to a user, it will get the group information. Note that this will have performance implications if the group membership component can’t discard users in a large number of cases. It is recommended to enable this option only if there are a high number of ACLs targeting users. In order to enable this setting, add the following environment variable: -[source,php] +[source,.env] ---- -'wnd.groupmembership.checkUserFirst' => true, +OWNCLOUD_WND_GROUP_MEMBERSHIP_CHECK_USER_FIRST=true ---- diff --git a/modules/admin_manual/pages/enterprise/file_management/files_lifecycle.adoc b/modules/admin_manual/pages/enterprise/file_management/files_lifecycle.adoc index b8c12b4b0..5418de5f1 100644 --- a/modules/admin_manual/pages/enterprise/file_management/files_lifecycle.adoc +++ b/modules/admin_manual/pages/enterprise/file_management/files_lifecycle.adoc @@ -1,14 +1,15 @@ = File Lifecycle Management :toc: right +:description: The File Lifecycle Management extension allows service providers to manage the lifecycle of files == Introduction -The File Lifecycle Management extension allows service providers to manage the lifecycle of files within ownCloud to +{description} within ownCloud to: - keep storage usage under control by limiting the time users can work with files before they are cleaned up automatically - comply with regulations (like GDPR or company policies) by imposing automated retention and deletion policies for files that contain e.g., personal data and may only be stored in the company for a certain period of time. -To impose a workflow of Use => Archive => Delete, the extension equips ownCloud with a dedicated archive and allows administrators to define rules for automated archiving (days passed since upload) and subsequent deletion of files (days passed since archiving). Only files are archived as folders do not consume storage space and existing folder structures should be kept available. The archiving and deletion processes are controlled by background jobs. +To impose a workflow of *Use => Archive => Delete*, the extension equips ownCloud with a dedicated archive and allows administrators to define rules for automated archiving (days passed since upload) and subsequent deletion of files (days passed since archiving). Only files are archived as folders do not consume storage space and existing folder structures should be kept available. The archiving and deletion processes are controlled by background jobs. Depending on the desired level of enforcement, the extension provides two policies to control the restoration of files from the archive if they are still needed: @@ -17,7 +18,7 @@ Depending on the desired level of enforcement, the extension provides two polici Users can view the lifecycle status for a file and see when the file is scheduled for archiving or deletion. All lifecycle events of a file are displayed transparently. They can be tracked for individual files as well as for a whole user account using the {oc-marketplace-url}/apps/activity[Activity] stream. -image:apps/files_lifecycle/file-lifecycle-events.png[File Lifecycle Events, width=30%] +image:apps/files_lifecycle/file-lifecycle-events.png[File Lifecycle Events, width=250] To stay informed, users can also receive regular Activity summaries by email. For auditing purposes, the extension integrates with the {oc-marketplace-url}/apps/admin_audit[Auditing] app to provide all events of interest in the logs. diff --git a/modules/admin_manual/pages/enterprise/file_management/files_tagging.adoc b/modules/admin_manual/pages/enterprise/file_management/files_tagging.adoc index 4e559db3c..a7747ce25 100644 --- a/modules/admin_manual/pages/enterprise/file_management/files_tagging.adoc +++ b/modules/admin_manual/pages/enterprise/file_management/files_tagging.adoc @@ -10,9 +10,7 @@ The {oc-marketplace-url}/apps/workflow[Workflow App] enables admins to specify r * Automatic Tagging * Retention -The Workflow App should be enabled by default (Apps page), and the three configuration modules will be visible on your ownCloud Admin page. See -xref:classic_ui:files/webgui/tagging.adoc[Tagging Files] -in the ownCloud User manual to learn how to apply and filter tags on files. +The Workflow App should be enabled by default (Apps page), and the three configuration modules will be visible on your ownCloud Admin page. See xref:classic_ui:files/webgui/tagging.adoc[Tagging Files] in the ownCloud User manual to learn how to apply and filter tags on files. == Tag Manager @@ -34,11 +32,11 @@ Tags are visible only to ownCloud admins. To access this functionality, select menu:Settings[Admin > Workflow & Tags]. -image:enterprise/file_management/workflow-1.png[Tag Manager] +image:enterprise/file_management/workflow-1.png[Tag Manager, width=250] This is an example of what your tags look like in the *Tags* view on your files page. Non-admin users will not see invisible tags, but visible and restricted tags only. -image:enterprise/file_management/workflow-5.png[Tag Manager] +image:enterprise/file_management/workflow-5.png[Tag Manager example, width=250] == Automatic Tagging @@ -46,17 +44,17 @@ The Automatic Tagging module operates on newly-uploaded files. Create a set of c For example, you can assign the invisible tag *iOS Uploads* to all files uploaded from iOS devices. This tag is visible only to admins. -image:enterprise/file_management/workflow-2.png[Automatic tagging] +image:enterprise/file_management/workflow-2.png[Automatic tagging, width=350] When files with this tag are shared with you, you can view them with the Tags filter on the Files page. -image:enterprise/file_management/workflow-3.png[Viewing tagged files] +image:enterprise/file_management/workflow-3.png[Viewing tagged files, width=250] Automatic Tagging is especially useful with the Retention module. The settings of a workflow can be fine-tuned post creation, see the example below: -image:enterprise/file_management/update_workflow.png[Update Workflow, width=50%] +image:enterprise/file_management/update_workflow.png[Update Workflow, width=350] == Retention @@ -64,7 +62,7 @@ The Retention module is your housecleaning power tool, because it automatically NOTE: ownCloud does not preserve directory mtimes (modification time), though it does update file mtimes. -image:enterprise/file_management/workflow-4.png[Setting retention times via tag] +image:enterprise/file_management/workflow-4.png[Setting retention times via tag, width=350] For best performance, retention tags should be applied high in your file hierarchy. If subfolders have the same tags as their parent folders, their tags must also be processed, so it will take a little longer. @@ -73,18 +71,24 @@ For best performance, retention tags should be applied high in your file hierarc There are two retention engines that further allow you to fine-tune your retention settings: TagBasedRetention:: -This is the default setting and checks files that have a particular tag assigned. Then it checks (depth-first) the children of the tagged item, before continuing with the other tagged items. Children that have already been checked will not be checked a second time. + +-- +This is the default setting and checks files that have a particular tag assigned. Then it checks (depth-first) the children of the tagged item, before continuing with the other tagged items. Children that have already been checked will not be checked a second time. + This is optimised for processing smaller numbers of files that have multiple retention tags. +-- UserBasedRetention:: ++ +-- Examines files per user. It first iterates over all files and folders (siblings first), then examines the tags for those items and checks their respective retention periods. This is optimised for many files with few retention tags. -You can define the way that the retention engine behaves by adding the following `config.php` setting. The value can be either +You can define the way that the retention engine behaves by adding the following environment variable. The value can be either `tagbased` (default) or `userbased`. -[source,php] +[source,.env] ---- -'workflow.retention_engine' => 'userbased', +OWNCLOUD_WORKFLOW_RETENTION_ENGINE=userbased ---- +-- diff --git a/modules/admin_manual/pages/enterprise/firewall/file_firewall.adoc b/modules/admin_manual/pages/enterprise/firewall/file_firewall.adoc index 089126fc3..9ad4ecf33 100644 --- a/modules/admin_manual/pages/enterprise/firewall/file_firewall.adoc +++ b/modules/admin_manual/pages/enterprise/firewall/file_firewall.adoc @@ -22,11 +22,11 @@ NOTE: The File Firewall app cannot lock out administrators from the web interfac Figure 1 shows an empty firewall configuration panel. Set your logging level to *Blocked Requests Only* for debugging, and create a new rule set by clicking btn:[Add Group]. After setting up your rules you must click btn:[Save Rules]. -image:enterprise/firewall/firewall-1.png[Figure 1: Empty File Firewall configuration panel] +image:enterprise/firewall/firewall-1.png[Figure 1: Empty File Firewall configuration panel, width=350] Figure 2 shows two rules. The first rule, *No Support outside office hours*, prevents members of the support group from logging into the ownCloud Web interface from 5pm-9am and also blocks client syncing. The second rule prevents members of the "qa-team" group from accessing the Web UI from IP addresses that are outside of the local network. -image:enterprise/firewall/firewall-2.png[Figure 2: Two example rules that restrict logins per user group] +image:enterprise/firewall/firewall-2.png[Figure 2: Two example rules that restrict logins per user group, width=350] All other users are not affected, and can log in anytime from anywhere. @@ -115,11 +115,11 @@ You can combine multiple rules into one rule, e.g., if a rule applies to both th Regular Expression > ^(support|qa-team)$ > is > User group ---- -CAUTION: We do not recommend modifying the configuration values directly in your `config.php`. These use JSON encoding, so the values are difficult to read and a single typo will break all of your rules. +CAUTION: Rules are saved into the configuration file. We do not recommend manipulating it. These rules use JSON encoding, so the values are difficult to read and a single typo will break all of your rules. === Controlling Access to Folders -The easiest way to block access to a folder, starting with ownCloud 9.0, is to use a system tag. A new rule type was added which allows you to block access to files and folders, where at least one of the parents has a given tag. +The easiest way to block access to a folder, is to use a system tag. A new rule type was added which allows you to block access to files and folders, where at least one of the parents has a given tag. Now you just need to add the tag to the folder or file, and then block the tag with the File Firewall. This example blocks access to any folder with the tag "Confidential" from outside access. diff --git a/modules/admin_manual/pages/enterprise/logging/admin_audit.adoc b/modules/admin_manual/pages/enterprise/logging/admin_audit.adoc index 20d00f48c..9a79d0f16 100644 --- a/modules/admin_manual/pages/enterprise/logging/admin_audit.adoc +++ b/modules/admin_manual/pages/enterprise/logging/admin_audit.adoc @@ -7,7 +7,7 @@ == Introduction -The {oc-marketplace-url}/apps/admin_audit[Auditing] app is an Enterprise only app and available on the marketplace. It traces user and admin actions, in particular the following events: +The `Auditing` app is an Enterprise only app and available on the marketplace. It traces user and admin actions, in particular the following events: * Login and logout events of users * File system operations (create / delete / move; including actions on the trash bin and versioning) @@ -23,25 +23,20 @@ The {oc-marketplace-url}/apps/admin_audit[Auditing] app is an Enterprise only ap TIP: You may also want to check out the {splunk-url}[_ownCloud App for Splunk_]. For more information, read this xref:configuration/integration/splunk.adoc[section]. -== Installation and Enabling +== Enabling -Download the {oc-marketplace-url}/apps/admin_audit[Auditing] app from the marketplace and enable it in the ownCloud app settings. +Enable the Auditing app in the ownCloud app settings. .Figure 1 Auditing -image:enterprise/logging/admin_auditing.png[Auditing] +image:enterprise/logging/admin_auditing.png[Auditing, width=350] == Configuration -It is advised to redirect messages into a separate file. To do so, add these lines to `config.php` and adjust the target path accordingly. Otherwise make sure to adjust the server log level to 1 (or 0), or else the Auditing app won't log anything. Configuring a separate file circumvents the global log level. Note that the target path must be writable for the web server user: +It is recommended that messages are redirected to a separate file. To do so, add the relevant environment variable and adjust the parameters accordingly. Note that the path used in the example is the default mounted as a Docker volume, which allows you to read the logs without extra effort. Ensure that you adjust the server log level to 1 (or 0); otherwise, the Auditing app will not log anything. Configuring a separate file bypasses the global log level: -[source,php] +[source,.env] ---- -'log.conditions' => [ - [ - 'apps' => ['admin_audit'], - 'logfile' => '/var/www/owncloud/data/admin_audit.log' - ] -] +OWNCLOUD_LOG_CONDITIONS=[{"apps":["admin_audit"],"loglevel":0,"logfile":"/mnt/data/files/admin_audit.log"}] ---- NOTE: All messages regardless of log level will be logged there. @@ -55,14 +50,11 @@ To ignore all CLI triggered events (default is to include them), set the followi == Grouped Logging -With each log message, a number of users are calculated to be the 'audit context'. This is the list of users which are related to the log message. Additionally, each log message includes a list of groups that the users are a member of, to enable filtering / splitting of the log messages at a later date. In cases when users are members of many groups, to reduce the data output, the group list can be filtered by adding the following to your `config.php`. Change the groups needed accordingly: +With each log message, a number of users are calculated to be the 'audit context'. This is the list of users which are related to the log message. Additionally, each log message includes a list of groups that the users are a member of, to enable filtering / splitting of the log messages at a later date. In cases when users are members of many groups, to reduce the data output, the group list can be filtered by adding the following environment variable. Change the groups needed accordingly: -[source,php] +[source,.env] ---- -'admin_audit.groups' => [ - 'group1', - 'group2' -] +OWNCLOUD_ADMIN_AUDIT_GROUPS='group1','group2' ---- When the filter is configured, only the filtered list of groups will be output in _auditGroups_, else, all groups that the _auditUsers_ are a member of are output. @@ -71,7 +63,7 @@ When the filter is configured, only the filtered list of groups will be output i NOTE: If you have configured a different logfile than the default, you must download it manually. -To download your logfile on your admin page. Click menu:Settings[Admin > Download logfile]. The default location for manually downloading the standard ownCloud log is `data/owncloud.log`. +To download your logfile via your browsers admin page, click menu:Settings[Admin > Download logfile]. The default location of the standard ownCloud log file is `mount_point/files/owncloud.log`. TIP: See xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] and xref:enterprise/file_management/files_tagging.adoc[File Tagging] for more information on logging and tagging. @@ -89,11 +81,11 @@ Connect to the deployment server, change `input-prd-your-server-here` according === Monitor the `admin_audit.log` -To Monitor the ownCloud Splunk audit log, add this to `inputs.conf`, assuming you use the custom logging path/file from above: +To Monitor the ownCloud Splunk audit log, add this to `inputs.conf`, assuming you use the default containers mount point: [source,plaintext] ---- -[monitor://var/www/owncloud/data/admin_audit.log] +[monitor://files/admin_audit.log] disabled = false sourcetype = _json index = main @@ -118,20 +110,55 @@ Log entries are based upon the internal ownCloud logging system, but utilise ext [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `remoteAddr` | string | The remote client IP -| `user` | string | The UID of the user performing the action, + +| Key +| Type +| Description + +| `remoteAddr` +| string +| The remote client IP + +| `user` +| string +| The UID of the user performing the action, + or `IP x.x.x.x.`, `cron`, `CLI`, `unknown` -| `url` | string | The process request URI -| `method` | string | The HTTP request method -| `userAgent` | string | The HTTP request user agent -| `time` | string | The time of the event e.g.: `2018-05-08T08:26:00+00:00` -| `app` | string | Always `admin_audit` -| `message` | string | Sentence explaining the action -| `action` | string | Unique action identifier e.g.: + + +| `url` +| string +| The process request URI + +| `method` +| string +| The HTTP request method + +| `userAgent` +| string +| The HTTP request user agent + +| `time` +| string +| The time of the event e.g.: `2018-05-08T08:26:00+00:00` + +| `app` +| string +| Always `admin_audit` + +| `message` +| string +| Sentence explaining the action + +| `action` +| string +| Unique action identifier e.g.: + `file_delete` or `public_link_created` -| `CLI` | boolean | If the action was performed from the CLI -| `level` | integer | The log level of the entry (usually `1` for audit events) + +| `CLI` +| boolean +| If the action was performed from the CLI + +| `level` +| integer +| The log level of the entry (usually `1` for audit events) |=== === Output @@ -144,10 +171,21 @@ When a file is created. [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The full path to the create file -| `owner` | string | The UID of the owner of the file -| `fileId` | string | The newly created files identifier +| Key +| Type +| Description + +| `path` +| string +| The full path to the create file + +| `owner` +| string +| The UID of the owner of the file + +| `fileId` +| string +| The newly created files identifier |=== ===== file_read @@ -156,92 +194,197 @@ When a file is read. [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The full path to the file -| `owner` | string | The UID of the owner of the file -| `fileId` | string | The files identifier +| Key +| Type +| Description + +| `path` +| string +| The full path to the file + +| `owner` +| string +| The UID of the owner of the file + +| `fileId` +| string +| The files identifier |=== ===== file_update [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The full path to the updated file -| `owner`| string | The UID of the owner of the file -| `fileId` | string | The updated files identifier +| Key +| Type +| Description + +| `path` +| string +| The full path to the updated file + +| `owner` +| string +| The UID of the owner of the file + +| `fileId` +| string +| The updated files identifier |=== ===== file_delete [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The full path to the updated file -| `owner` | string | The UID of the owner of the file -| `fileId` | string | The updated files identifier +| Key +| Type +| Description + +| `path` +| string +| The full path to the updated file + +| `owner` +| string +| The UID of the owner of the file + +| `fileId` +| string +| The updated files identifier |=== ===== file_copy [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `oldPath` | string | The full path to the source file -| `path` | string | The full path to the new file -| `sourceOwner` | string | The UID of the owner of the source file -| `owner` | string | The UID of the owner of the file -| `sourceFileId` | string | The source files identifier -| `fileId` | string | The new files identifier +| Key +| Type +| Description + +| `oldPath` +| string +| The full path to the source file + +| `path` +| string +| The full path to the new file + +| `sourceOwner` +| string +| The UID of the owner of the source file + +| `owner` +| string +| The UID of the owner of the file + +| `sourceFileId` +| string +| The source files identifier + +| `fileId` +| string +| The new files identifier |=== ===== file_rename [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `oldPath` | string | The original path file -| `path` | string | The new path file -| `fileId` | string | The files identifier +| Key +| Type +| Description + +| `oldPath` +| string +| The original path file + +| `path` +| string +| The new path file + +| `fileId` +| string +| The files identifier |=== ===== file_trash_delete [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `owner` | string | The UID of the owner of the file -| `path` | string | The full path to the deleted file +| Key +| Type +| Description + +| `owner` +| string +| The UID of the owner of the file + +| `path` +| string +| The full path to the deleted file |=== ===== file_trash_restore [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `owner` | string | The UID of the owner of the file -| `fileId` | string | The restored files identifier -| `oldPath` | string | The original path to the file -| `newPath` | string | The new path to the file -| `owner` | string | The UID of the owner of the file +| Key +| Type +| Description + +| `owner` +| string +| The UID of the owner of the file + +| `fileId` +| string +| The restored files identifier + +| `oldPath` +| string +| The original path to the file + +| `newPath` +| string +| The new path to the file + +| `owner` +| string +| The UID of the owner of the file |=== ===== file_version_delete [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The full path to the version file deleted -| `trigger` | string | The delete trigger reasoning +| Key +| Type +| Description + +| `path` +| string +| The full path to the version file deleted + +| `trigger` +| string +| The delete trigger reasoning |=== ===== file_version_restore [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The full path to the file being restored to the new version -| `revision` | string | The revision of the file restored +| Key +| Type +| Description + +| `path` +| string +| The full path to the file being restored to the new version + +| `revision` +| string +| The revision of the file restored |=== ==== Users @@ -250,78 +393,141 @@ When a file is read. [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the created user +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the created user |=== ===== user_password_reset [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user |=== ===== group_member_added [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user -| `group` | string | The GID of the group +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user + +| `group` +| string +| The GID of the group |=== ===== user_deleted [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user |=== ===== group_member_removed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user -| `group` | string | The GID of the group +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user + +| `group` +| string +| The GID of the group |=== ===== user_state_changed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user -| `enabled` | boolean | If the user is enabled or not +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user + +| `enabled` +| boolean +| If the user is enabled or not |=== ===== group_created [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `group` | string | The GID of the group +| Key +| Type +| Description + +| `group` +| string +| The GID of the group |=== ===== group_deleted [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `group` | string | The GID of the group +| Key +| Type +| Description + +| `group` +| string +| The GID of the group |=== ===== user_feature_changed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user -| `group` | string | The GID of the group (or empty string) -| `feature` | string | The feature that was changed -| `value` | string | The new value +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user + +| `group` +| string +| The GID of the group (or empty string) + +| `feature` +| string +| The feature that was changed + +| `value` +| string +| The new value |=== ==== Sharing @@ -330,11 +536,25 @@ Sharing events come with a default set of fields [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `fileId` | string | The file identifier for the item shared -| `owner` | string | The UID of the owner of the shared item -| `path` | string | The path to the shared item -| `shareId` | string | The sharing identifier + +| Key +| Type +| Description + +| `fileId` +| string +| The file identifier for the item shared + +| `owner` +| string +| The UID of the owner of the shared item + +| `path` +| string +| The path to the shared item + +| `shareId` +| string +| The sharing identifier + (not available for public_link_accessed or when recipient unshares) |=== @@ -342,165 +562,369 @@ Sharing events come with a default set of fields [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `expirationDate` | string | The text expiration date in format `yyyy-mm-dd` -| `sharePass` | boolean | If the share is password protected -| `permissions` | string | The permissions string e.g.: "READ" -| `shareType` | string | `group` `user` or `link` -| `shareWith` | string | The UID or GID of the share recipient + +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `expirationDate` +| string +| The text expiration date in format `yyyy-mm-dd` + +| `sharePass` +| boolean +| If the share is password protected + +| `permissions` +| string +| The permissions string e.g.: "READ" + +| `shareType` +| string +| `group` `user` or `link` + +| `shareWith` +| string +| The UID or GID of the share recipient + (not available for public link) -| `shareOwner` | string | The UID of the share owner -| `shareToken` | string | For link shares the `unique token`, else `null` + +| `shareOwner` +| string +| The UID of the share owner + +| `shareToken` +| string +| For link shares the `unique token`, else `null` |=== ===== file_unshared [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `shareType` | string | `group` `user` or `link` -| `shareWith` | string | The UID or GID of the share recipient +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `shareType` +| string +| `group` `user` or `link` + +| `shareWith` +| string +| The UID or GID of the share recipient |=== ===== share_permission_update [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `shareType` | string | `group` `user` or `link` -| `shareOwner` | string | The UID of the share owner -| `permissions` | string | The new permissions string e.g.: "READ" -| `shareWith` | string | The UID or GID of the share recipient + +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `shareType` +| string +| `group` `user` or `link` + +| `shareOwner` +| string +| The UID of the share owner + +| `permissions` +| string +| The new permissions string e.g.: "READ" + +| `shareWith` +| string +| The UID or GID of the share recipient + (not available for public link) -| `oldPermissions` | string | The old permissions string e.g.: "READ" + +| `oldPermissions` +| string +| The old permissions string e.g.: "READ" |=== ===== share_name_updated [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `oldShareName` | string | The previous share name -| `shareName` | string | The updated share name +| Key +| Type +| Description + +| `oldShareName` +| string +| The previous share name + +| `shareName` +| string +| The updated share name |=== ===== share_password_updated [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `shareOwner` | string | The UID of the share owner -| `permissions` | string | The full permissions string e.g.: "READ" -| `shareToken` | string | The share token -| `sharePass` | boolean | If the share is password protected +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `shareOwner` +| string +| The UID of the share owner + +| `permissions` +| string +| The full permissions string e.g.: "READ" + +| `shareToken` +| string +| The share token + +| `sharePass` +| boolean +| If the share is password protected |=== ===== share_expiration_date_updated [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `shareType` | string | `group`, `user` or `link` -| `shareOwner` | string | The UID of the owner of the share -| `permissions` | string | The permissions string e.g.: "READ" -| `expirationDate` | string | The new text expiration date in format `yyyy-mm-dd` -| `oldExpirationDate` | string | The old text expiration date in format `yyyy-mm-dd` +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `shareType` +| string +| `group`, `user` or `link` + +| `shareOwner` +| string +| The UID of the owner of the share + +| `permissions` +| string +| The permissions string e.g.: "READ" + +| `expirationDate` +| string +| The new text expiration date in format `yyyy-mm-dd` + +| `oldExpirationDate` +| string +| The old text expiration date in format `yyyy-mm-dd` |=== ===== share_accepted [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `path` | string | The path of the shared item -| `owner` | string | The UID of the owner of the shared item -| `fileId` | string | The file identifier for the item shared -| `shareId` | string | The sharing identifier (not available for public_link_accessed) -| `shareType` | string | `group` or `user` +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `path` +| string +| The path of the shared item + +| `owner` +| string +| The UID of the owner of the shared item + +| `fileId` +| string +| The file identifier for the item shared + +| `shareId` +| string +| The sharing identifier (not available for public_link_accessed) + +| `shareType` +| string +| `group` or `user` |=== ===== share_declined [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | `file` or `folder` -| `path` | string | The path of the shared item -| `owner` | string | The UID of the owner of the shared item -| `fileId` | string | The file identifier for the item shared -| `shareId` | string | The sharing identifier (not available for public_link_accessed) -| `shareType` | string | `group` or `user` +| Key +| Type +| Description + +| `itemType` +| string +| `file` or `folder` + +| `path` +| string +| The path of the shared item + +| `owner` +| string +| The UID of the owner of the shared item + +| `fileId` +| string +| The file identifier for the item shared + +| `shareId` +| string +| The sharing identifier (not available for public_link_accessed) + +| `shareType` +| string +| `group` or `user` |=== ===== federated_share_received [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `name` | string | The path of shared item -| `targetuser` | string | The target user who sent the item -| `shareType` | string | `remote` +| Key +| Type +| Description + +| `name` +| string +| The path of shared item + +| `targetuser` +| string +| The target user who sent the item + +| `shareType` +| string +| `remote` |=== ===== federated_share_accepted [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | The path of shared item -| `targetUser` | string | The target user who sent the item -| `shareType` | string | `remote` +| Key +| Type +| Description + +| `itemType` +| string +| The path of shared item + +| `targetUser` +| string +| The target user who sent the item + +| `shareType` +| string +| `remote` |=== ===== federated_share_declined [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `itemType` | string | The path of shared item -| `targetuser` | string | The target user who sent the item -| `shareType` | string | `remote` +| Key +| Type +| Description + +| `itemType` +| string +| The path of shared item + +| `targetuser` +| string +| The target user who sent the item + +| `shareType` +| string +| `remote` |=== ===== public_link_accessed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `shareToken` | string | The share token -| `success` | boolean | If the request was successful `tue` or `false` +| Key +| Type +| Description + +| `shareToken` +| string +| The share token + +| `success` +| boolean +| If the request was successful `true` or `false` |=== ===== public_link_removed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `shareType` | string | `link` +| Key +| Type +| Description + +| `shareType` +| string +| `link` |=== ===== public_link_accessed_webdav [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `token` | string | The token used to access the url +| Key +| Type +| Description + +| `token` +| string +| The token used to access the url |=== ===== federated_share_unshared [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The user who initiated the unshare action -| `targetmount` | string | The file/folder unshared -| `shareType` | string | `remote` +| Key +| Type +| Description + +| `targetUser` +| string +| The user who initiated the unshare action + +| `targetmount` +| string +| The file/folder unshared + +| `shareType` +| string +| `remote` |=== ==== Custom Groups @@ -509,51 +933,109 @@ Sharing events come with a default set of fields [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `removedUser` | string | The UID of the user that was removed from the group -| `group` | string | The custom group name +| Key +| Type +| Description + +| `removedUser` +| string +| The UID of the user that was removed from the group + +| `group` +| string +| The custom group name |=== ===== custom_group_user_left [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `removedUser` | string | The UID of the user that left the group -| `group` | string | The custom group name -| `groupId` | integer | The custom group id +| Key +| Type +| Description + +| `removedUser` +| string +| The UID of the user that left the group + +| `group` +| string +| The custom group name + +| `groupId` +| integer +| The custom group id |=== ===== custom_group_user_role_changed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetUser` | string | The UID of the user that changed role -| `group` | string | The custom group name -| `groupId` | integer | The custom group id -| `roleNumber` | integer | The new role number: 0 = member, 1= admin +| Key +| Type +| Description + +| `targetUser` +| string +| The UID of the user that changed role + +| `group` +| string +| The custom group name + +| `groupId` +| integer +| The custom group id + +| `roleNumber` +| integer +| The new role number: 0 = member, 1= admin |=== ===== custom_group_renamed [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `oldGroup` | string | The old custom group name -| `group` | string | The new custom group name -| `groupId` | integer | The custom group id +| Key +| Type +| Description + +| `oldGroup` +| string +| The old custom group name + +| `group` +| string +| The new custom group name + +| `groupId` +| integer +| The custom group id |=== ===== custom_group_created [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `group` | string | The custom group name created -| `groupId` | string | The custom group id -| `addedUser` | string | The UID of the user added -| `admin` | boolean | `true` or `false` +| Key +| Type +| Description + +| `group` +| string +| The custom group name created + +| `groupId` +| string +| The custom group id + +| `addedUser` +| string +| The UID of the user added + +| `admin` +| boolean +| `true` or `false` |=== ==== Comments @@ -562,10 +1044,21 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `commentId` | string | The comment identifier -| `path` | string | The path to the file that the comment is attached to -| `fileId` | string | The file identifier +| Key +| Type +| Description + +| `commentId` +| string +| The comment identifier + +| `path` +| string +| The path to the file that the comment is attached to + +| `fileId` +| string +| The file identifier |=== // ===== comment_created @@ -580,19 +1073,38 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `settingName` | string | The key -| `settingValue` | string | The new value -| `oldValue` | string | The old value -| `created` | boolean | If the setting is created for the first time +| Key +| Type +| Description + +| `settingName` +| string +| The key + +| `settingValue` +| string +| The new value + +| `oldValue` +| string +| The old value + +| `created` +| boolean +| If the setting is created for the first time |=== ===== config_delete [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `settingName` | string | The key +| Key +| Type +| Description + +| `settingName` +| string +| The key |=== ==== Console @@ -601,8 +1113,13 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `command` | string | The exact command that was executed +| Key +| Type +| Description + +| `command` +| string +| The exact command that was executed |=== ==== Tags @@ -611,45 +1128,85 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `tagName` | string | The tag name +| Key +| Type +| Description + +| `tagName` +| string +| The tag name |=== ===== tag_deleted [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `tagName` | string | The tag name +| Key +| Type +| Description + +| `tagName` +| string +| The tag name |=== ===== tag_updated [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `oldTag` | string | The old tag name -| `tagName` | string | The new tag name +| Key +| Type +| Description + +| `oldTag` +| string +| The old tag name + +| `tagName` +| string +| The new tag name |=== ===== tag_assigned [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `tagName` | string | The tag name -| `fileId` | string | The file identifier to which the tag was assigned -| `path` | string | The path to the file +| Key +| Type +| Description + +| `tagName` +| string +| The tag name + +| `fileId` +| string +| The file identifier to which the tag was assigned + +| `path` +| string +| The path to the file |=== ===== tag_unassigned [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `tagName` | string | The tag name -| `fileId` | string | The file identifier from which the tag was unassigned -| `path` | string | The path to the file +| Key +| Type +| Description + +| `tagName` +| string +| The tag name + +| `fileId` +| string +| The file identifier from which the tag was unassigned + +| `path` +| string +| The path to the file |=== ==== Apps @@ -658,17 +1215,30 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetApp` | string | The app ID of the enabled app -| `groups` | string [] | Array of group IDs if the app was enabled for certain groups +| Key +| Type +| Description + +| `targetApp` +| string +| The app ID of the enabled app + +| `groups` +| string [] +| Array of group IDs if the app was enabled for certain groups |=== ===== app_disabled [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `targetApp` | string | The app ID of the disabled app +| Key +| Type +| Description + +| `targetApp` +| string +| The app ID of the disabled app |=== ==== Auth @@ -677,9 +1247,17 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `success` | boolean | If the login was successful -| `login` | string | The attempted login value +| Key +| Type +| Description + +| `success` +| boolean +| If the login was successful + +| `login` +| string +| The attempted login value |=== ===== user_logout @@ -696,75 +1274,148 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The path to the file that was archived -| `owner` | string | The UID of the owner of the file that was deleted -| `fileId` | integer | The file ID for the file that was archived +| Key +| Type +| Description + +| `path` +| string +| The path to the file that was archived + +| `owner` +| string +| The UID of the owner of the file that was deleted + +| `fileId` +| integer +| The file ID for the file that was archived |=== ===== lifecycle_restored [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `path` | string | The path to the file that was restored -| `fileId` | integer | The file ID for the file that was restored +| Key +| Type +| Description + +| `path` +| string +| The path to the file that was restored + +| `fileId` +| integer +| The file ID for the file that was restored |=== ===== lifecycle_expired [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `fileId` | integer | The file id of the file that was expired +| Key +| Type +| Description + +| `fileId` +| integer +| The file id of the file that was expired |=== ===== update_user_preference_value [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `key` | string | The key -| `value` | string | The value associated with the key -| `appname` | string | The name of the app -| `user` | string | The UID of the user who has the preference key-value for the app +| Key +| Type +| Description + +| `key` +| string +| The key + +| `value` +| string +| The value associated with the key + +| `appname` +| string +| The name of the app + +| `user` +| string +| The UID of the user who has the preference key-value for the app |=== ===== user_preference_set [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `key` | string | The key -| `value` | string | The value associated with the key -| `appname` | string | The name of the app -| `user` | string | The UID of the user who has the preference key-value for the app +| Key +| Type +| Description + +| `key` +| string +| The key + +| `value` +| string +| The value associated with the key + +| `appname` +| string +| The name of the app + +| `user` +| string +| The UID of the user who has the preference key-value for the app |=== ===== remove_user_preference_key [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `key` | string | The key -| `appname` | string | The name of the app -| `user` | string | The UID of the user whose preference key is deleted for the app +| Key +| Type +| Description + +| `key` +| string +| The key + +| `appname` +| string +| The name of the app + +| `user` +| string +| The UID of the user whose preference key is deleted for the app |=== ===== remove_preferences_of_user [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `user` | string | The UID of the user whose user preferences are deleted +| Key +| Type +| Description + +| `user` +| string +| The UID of the user whose user preferences are deleted |=== ===== delete_all_user_preference_of_app [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `appname` | string | The name of the app whose user preferences are deleted +| Key +| Type +| Description + +| `appname` +| string +| The name of the app whose user preferences are deleted |=== ==== Impersonate @@ -773,17 +1424,30 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `user` | string | The current user who did an impersonate action -| `targetUser` | string | The user who is being impersonated +| Key +| Type +| Description + +| `user` +| string +| The current user who did an impersonate action + +| `targetUser` +| string +| The user who is being impersonated |=== ===== impersonate_logout [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `user` | string | The user who performed impersonate action +| Key +| Type +| Description + +| `user` +| string +| The user who performed impersonate action |=== ==== SMB ACL @@ -792,74 +1456,175 @@ All comment events have the same data: [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `user` | string | The user who is trying to set the ACL -| `ocPath` | string | The owncloud instance path -| `smbPath` | string | The SMB path -| `descriptor` | array | The descriptor array. It contains to following keys: +| Key +| Type +| Description + +| `user` +| string +| The user who is trying to set the ACL + +| `ocPath` +| string +| The owncloud instance path + +| `smbPath` +| string +| The SMB path + +| `descriptor` +| array +| The descriptor array. It contains to following keys: |=== [caption=] .`descriptor[] keys` [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `revision` | integer | Always `1` -| `owner` | string | The SMB owner -| `group` | string | The SMB group -| `acl` | array | A list of ACEs. The list could be empty. Each ACE contains following keys: +| Key +| Type +| Description + +| `revision` +| integer +| Always `1` + +| `owner` +| string +| The SMB owner + +| `group` +| string +| The SMB group + +| `acl` +| array +| A list of ACEs. The list could be empty. Each ACE contains following keys: |=== [caption=] .`acl[] keys` [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `trustee` | string | The SMB user affected by this ACE -| `mode` | string | `allowed` or `denied` -| `flags` | string | Inheritance flags -| `mask` | string | Permission mask -| `flagsAsInt` | integer | The inheritance flags as integer value -| `maskAsInt` | integer | The permission mask as integer value +| Key +| Type +| Description + +| `trustee` +| string +| The SMB user affected by this ACE + +| `mode` +| string +| `allowed` or `denied` + +| `flags` +| string +| Inheritance flags + +| `mask` +| string +| Permission mask + +| `flagsAsInt` +| integer +| The inheritance flags as integer value + +| `maskAsInt` +| integer +| The permission mask as integer value |=== ===== after_set_acl [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `user` | string | The user who is trying to set the ACL -| `ocPath` | string | The owncloud instance path -| `smbPath` | string | The SMB path -| `descriptor` | array | The descriptor array. It contains to following keys: +| Key +| Type +| Description + +| `user` +| string +| The user who is trying to set the ACL + +| `ocPath` +| string +| The owncloud instance path + +| `smbPath` +| string +| The SMB path + +| `descriptor` +| array +| The descriptor array. It contains to following keys: |=== [caption=] .`descriptor[] keys` [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `revision` | integer | Always `1` -| `owner` | string | The SMB owner -| `group` | string | The SMB group -| `acl` | array | A list of ACEs. The list could be empty. Each ACE contains following keys: +| Key +| Type +| Description + +| `revision` +| integer +| Always `1` + +| `owner` +| string +| The SMB owner + +| `group` +| string +| The SMB group + +| `acl` +| array +| A list of ACEs. The list could be empty. Each ACE contains following keys: |=== [caption=] .`acl[] keys` [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `trustee` | string | The SMB user affected by this ACE -| `mode` | string | `allowed` or `denied` -| `flags` | string | Inheritance flags -| `mask` | string | Permission mask -| `flagsAsInt` | integer | The inheritance flags as integer value -| `maskAsInt` | integer | The permission mask as integer value +| Key +| Type +| Description + +| `trustee` +| string +| The SMB user affected by this ACE + +| `mode` +| string +| `allowed` or `denied` + +| `flags` +| string +| Inheritance flags + +| `mask` +| string +| Permission mask + +| `flagsAsInt` +| integer +| The inheritance flags as integer value + +| `maskAsInt` +| integer +| The permission mask as integer value |=== [width="100%",cols="25%,20%,100%",options="header"] |=== -| Key | Type | Description -| `oldDescriptor` | array\|false | The previous descriptor array or false if the previous descriptor couldn't be fetched. The previous descriptor will have the same keys +| Key +| Type +| Description + +| `oldDescriptor` +| array\|false +| The previous descriptor array or false if the previous descriptor couldn't be fetched. The previous descriptor will have the same keys |=== diff --git a/modules/admin_manual/pages/enterprise/reporting/metrics.adoc b/modules/admin_manual/pages/enterprise/reporting/metrics.adoc index 646e1e21c..4b0dbe3de 100644 --- a/modules/admin_manual/pages/enterprise/reporting/metrics.adoc +++ b/modules/admin_manual/pages/enterprise/reporting/metrics.adoc @@ -5,19 +5,9 @@ == Introduction -The {oc-marketplace-url}/apps/metrics[Metrics App] provides a building block for reporting of ownCloud -Server. For simple use cases, it ships with an integrated dashboard that summarizes information -about users, storage as well as shares and allows exporting it to a CSV file. Additionally, it adds a -Metrics HTTP API endpoint to ownCloud Classic, which can be used to obtain the Metrics data in regular -intervals. Thus, more sophisticated analysis and visualizations can be conducted. +The `Metrics App` provides a building block for reporting of ownCloud Server. For simple use cases, it ships with an integrated dashboard that summarizes information about users, storage as well as shares and allows exporting it to a CSV file. Additionally, it adds a Metrics HTTP API endpoint to ownCloud Classic, which can be used to obtain the Metrics data in regular intervals. Thus, more sophisticated analysis and visualizations can be conducted. -The Metrics data are provided as snapshot values in the JSON format and are optimized to be consumed by -professional data analyzers (like Splunk, ELK or Prometheus/Grafana) to collect statistics, derive -visualizations and to set alerts for certain events of interest. They can be perfectly combined with the -ownCloud Audit Logs (provided by the {oc-marketplace-url}/apps/admin_audit[Auditing App]) to gather time -series data and to create a reporting engine for ownCloud. - -NOTE: Internet Explorer 11 is not compatible with Metrics, because new web technologies have been used that are not supported by IE 11. +The metrics data is provided as snapshot values in JSON format and is optimised for consumption by professional data analysers, such as Splunk, ELK and Prometheus/Grafana, for the collection of statistics, the creation of visualisations and the setting of alerts for certain events of interest. They can be seamlessly integrated with the ownCloud Audit Logs, which are provided by the xref:enterprise/logging/admin_audit.adoc[Auditing App] to collect time series data and create a reporting engine for ownCloud. If you want to use Splunk in addition, check out xref:configuration/integration/splunk.adoc[ownCloud App for Splunk]. @@ -27,18 +17,18 @@ Specifically, the Metrics extension adds: - API endpoints for downloading metrics as CSV files - a dashboard that displays the snapshot data in the ownCloud Web UI and offers a CSV download in the system view and the user view. -TIP: If you're operating very large instances with regard to users, files or shares, better use a -special setup so you won't put the production database under huge load when gathering the values. For -this, replicate your installation (application server and read-only database) and install and use the -Metrics app on the replica. +TIP: If you're operating very large instances with regard to users, files or shares, better use a special setup so you won't put the production database under huge load when gathering the values. For this, replicate your installation (application server and read-only database) and install and use the Metrics app on the replica. The following screenshots give you an impression of the Metrics app. -.Figure 1. Metrics System Overview -image:enterprise/reporting/metrics/metrics-system.png[Metrics System Overview] +[width=100%,cols="50%,50%",options="header"] +|=== +^| *Metrics System Overview* +^| *Metrics User Overview* -.Figure 2. Metrics User Overview -image:enterprise/reporting/metrics/metrics-user.png[Metrics User Overview] +| image:enterprise/reporting/metrics/metrics-system.png[Metrics System Overview] +| image:enterprise/reporting/metrics/metrics-user.png[Metrics User Overview] +|=== == Available Data @@ -92,8 +82,7 @@ See the following occ command on how to set it. Make up a passphrase, referred t {occ-command-example-prefix-docker} config:system:set "metrics_shared_secret" --value "" ---- -TIP: This token gets stored in config.php as `metrics_shared_secret`, which could also be done manually -instead of using the occ command. +TIP: This token gets stored in config.php as `metrics_shared_secret`, which could also be done manually instead of using the occ command. === Dashboard User Interface @@ -132,14 +121,11 @@ curl -H "OC-MetricsApiKey: " \ "https:///ocs/v1.php/apps/metrics/api/v1/metrics?users=true&files=true&shares=true"a=true&userData=true&format=json" ---- -TIP: Replace `` with your respective system config value and `` -with the URL of your ownCloud instance. +TIP: Replace `` with your respective system config value and `` with the URL of your ownCloud instance. ==== CSV Download Endpoints -Downloading the current user and system metrics as CSV files is possible via the Web UI. If you want to -set up cron jobs for downloading the metrics regularly without admin permissions, there are also public -endpoints that require the configured token instead of admin privileges. +Downloading the current user and system metrics as CSV files is possible via the Web UI. If you want to set up cron jobs for downloading the metrics regularly without admin permissions, there are also public endpoints that require the configured token instead of admin privileges. TIP: In the following `curl` examples, replace `` with your respective system config value and `` with the URL of your ownCloud instance. @@ -165,6 +151,4 @@ curl -H "Content-Type: application/csv" \ == Limitations -The Metrics app was designed for ownCloud deployments up to 250 users. -On deployments with more than 250 users, it can take considerably longer to gather the requested data. -To reduce the time needed, exclude _userData_ and _quota_. +The Metrics app was designed for ownCloud deployments up to 250 users. On deployments with more than 250 users, it can take considerably longer to gather the requested data. To reduce the time needed, exclude _userData_ and _quota_. diff --git a/modules/admin_manual/pages/enterprise/security/ransomware-protection.adoc b/modules/admin_manual/pages/enterprise/security/ransomware-protection.adoc index 90cc29c4f..b5f2812cf 100644 --- a/modules/admin_manual/pages/enterprise/security/ransomware-protection.adoc +++ b/modules/admin_manual/pages/enterprise/security/ransomware-protection.adoc @@ -7,112 +7,61 @@ enterprise/security/index.adoc == Introduction -Ransomware is -https://www.google.de/search?q=ransomware&source=lnms&tbm=nws&sa=X&ved=0ahUKEwiqmvL9rdfXAhWCyaQKHSkgDosQ_AUICigB&biw=1680&bih=908[an ever-present threat], -both for large enterprises as well as for individuals. Once infected, a whole hard disk (or just parts of it) can -become encrypted, leading to unrecoverable data loss. +Ransomware is https://www.google.de/search?q=ransomware&source=lnms&tbm=nws&sa=X&ved=0ahUKEwiqmvL9rdfXAhWCyaQKHSkgDosQ_AUICigB&biw=1680&bih=908[an ever-present threat], both for large enterprises as well as for individuals. Once infected, a whole hard disk (or just parts of it) can become encrypted, leading to unrecoverable data loss. -Once this happens, attackers usually ask victims to pay a ransom, often -via cryptocurrencies such as Bitcoin, in exchange for the decryption key -required to decrypt their data. +Once this happens, attackers usually ask victims to pay a ransom, often via cryptocurrencies such as Bitcoin, in exchange for the decryption key required to decrypt their data. -While paying the ransom works in some cases, it is not recommended, as -there is no guarantee that the attackers will supply the key after -payment is made. To help mitigate such threats and ensure ongoing access -to user data, ownCloud provides the Ransomware Protection app. +While paying the ransom works in some cases, it is not recommended, as there is no guarantee that the attackers will supply the key after payment is made. To help mitigate such threats and ensure ongoing access to user data, ownCloud provides the Ransomware Protection app. -NOTE: It is essential to be aware that user data needs to be synchronized with you ownCloud Classic using the -ownCloud Desktop synchronization client. Data that is not synchronized and stored in ownCloud cannot be protected. +NOTE: It is essential to be aware that user data needs to be synchronized with you ownCloud Classic using the ownCloud Desktop synchronization client. Data that is not synchronized and stored in ownCloud cannot be protected. == About Ransomware Protection -The app is tasked with _detecting_, _preventing_, and _reverting_ -anomalies. Anomalies are file operations (including _create_, _update_, -_delete_, and _move_) not intentionally conducted by the user. It aims -to do so in two ways: xref:prevention-blocking-common-ransomware-file-extensions[prevention], and -xref:other-elements-of-ransomware-protection[protection]. +The app is tasked with _detecting_, _preventing_, and _reverting_ anomalies. Anomalies are file operations (including _create_, _update_, _delete_, and _move_) not intentionally conducted by the user. It aims to do so in two ways: xref:prevention-blocking-common-ransomware-file-extensions[prevention], and xref:other-elements-of-ransomware-protection[protection]. == Prevention: Blocking Common Ransomware File Extensions -Like other forms of cyberattack, ransomware has a range of diverse -characteristics. On the one hand it makes them hard to detect and on the -other it makes them even harder to prevent. Recent ransomware attacks -either encrypt a user’s files and add a specific file extension to them -(e.g., `.crypt`), or they replace the original files with an encrypted -copy and add a particular file extension. +Like other forms of cyberattack, ransomware has a range of diverse characteristics. On the one hand it makes them hard to detect and on the other it makes them even harder to prevent. Recent ransomware attacks either encrypt a user’s files and add a specific file extension to them (e.g., `.crypt`), or they replace the original files with an encrypted copy and add a particular file extension. === File Extension Blacklist -The first line of defense against such threats is a blacklist that -blocks write access to file extensions known to originate from -ransomware. +The first line of defense against such threats is a blacklist that blocks write access to file extensions known to originate from ransomware. -Ransomware Protection ships with https://fsrm.experiant.ca[a static extension list] -of more than 3,000 file extensions. As new extensions are -regularly created, this list also needs to be regularly reviewed and -updated. Future releases of Ransomware Protection will include an -updated list and the ability to update the list via syncing with -https://fsrm.experiant.ca/api/v1/combined[FSRM’s API] by using an -xref:configuration/server/occ_command.adoc[occ command] +Ransomware Protection ships with https://fsrm.experiant.ca[a static extension list] of more than 3,000 file extensions. As new extensions are regularly created, this list also needs to be regularly reviewed and updated. Future releases of Ransomware Protection will include an updated list and the ability to update the list via syncing with https://fsrm.experiant.ca/api/v1/combined[FSRM’s API] by using an xref:configuration/server/occ_command.adoc[occ command] NOTE: Please check the provided ransomware blacklist! It is *strongly recommended* to check the provided ransomware blacklist to ensure that it fits your needs. In some cases, the patterns might be too generic and result in false positives. === File Blocking -The second line of defense is file blocking. As files are uploaded, they -are compared against the file extension blacklist. If a match is found, -the upload is denied. +The second line of defense is file blocking. As files are uploaded, they are compared against the file extension blacklist. If a match is found, the upload is denied. NOTE: File blocking is always enabled. === Account Locking -The third line of defense is account locking. If a client uploads a file -matching a pattern in the ransomware blacklist, the account is locked -(set as read-only) for client access (_create_, _change_, _move_, and -_delete_ operations). Doing this prevents further, malicious, changes. +The third line of defense is account locking. If a client uploads a file matching a pattern in the ransomware blacklist, the account is locked (set as read-only) for client access (_create_, _change_, _move_, and _delete_ operations). Doing this prevents further, malicious, changes. -Following this, clients receive an error (403 Access Forbidden) which -notifies the user that the account is locked by Ransomware Protection. +Following this, clients receive an error (403 Access Forbidden) which notifies the user that the account is locked by Ransomware Protection. NOTE: Write access (e.g., moving and deleting files) is still possible for users when they log in with their web browser. -When an account is locked, administrators can unlock the account using -the `occ ransomguard:unlock` command. Administrators can also manually -lock user accounts, using the `occ ransomguard:lock` command. +When an account is locked, administrators can unlock the account using the `occ ransomguard:unlock` command. Administrators can also manually lock user accounts, using the `occ ransomguard:lock` command. NOTE: When an account is locked, it will still be fully usable from the ownCloud web UI. However, ownCloud clients (as well as other WebDAV clients) will see the account as set to read-only mode. -Users will see a yellow notification banner in the ownCloud web UI -directing them to menu:Settings[Personal > Security] -(`__Ransomware detected: Your account is locked (read-only) for client access to -protect your data. Click here to unlock.__`), where additional -information is displayed and users can unlock their account when -ransomware issues are resolved locally. +Users will see a yellow notification banner in the ownCloud web UI directing them to menu:Settings[Personal > Security] (`__Ransomware detected: Your account is locked (read-only) for client access to protect your data. Click here to unlock.__`), where additional information is displayed and users can unlock their account when ransomware issues are resolved locally. -NOTE: Locking is enabled by default. If this is not desired, an administrator can disable it in the -menu:Settings[Admin > Security] panel. +NOTE: Locking is enabled by default. If this is not desired, an administrator can disable it in the menu:Settings[Admin > Security] panel. == Protection: Data Retention and Rollback -While Ransomware Prevention mitigates risks of a range of ransomware -attacks, it is not a future-proof solution, because ransomware is -becoming ever-more sophisticated. There are known attacks that change -file extensions randomly or keep them unchanged which makes them harder -to detect. +While Ransomware Prevention mitigates risks of a range of ransomware attacks, it is not a future-proof solution, because ransomware is becoming ever-more sophisticated. There are known attacks that change file extensions randomly or keep them unchanged which makes them harder to detect. -Ultimately there is a consensus that only one solution can provide -future-proof protection from ransomware attacks: retaining data and -providing the means to roll back to a particular point in time. +Ultimately there is a consensus that only one solution can provide future-proof protection from ransomware attacks: retaining data and providing the means to roll back to a particular point in time. -ownCloud Ransomware Protection will, therefore, record all changes on an -ownCloud Classic and allow administrators to rollback user data to a -particular point in time, making use of ownCloud’s integrated Versioning -and Trash bin features. +ownCloud Ransomware Protection will, therefore, record all changes on an ownCloud Classic and allow administrators to rollback user data to a particular point in time, making use of ownCloud’s integrated Versioning and Trash bin features. -Doing so allows all user data that is synchronized with the server to be -rolled back to its state before the attack occurred. A combination of -Ransomware prevention and protection reduces risks to a minimum acceptable level. +Doing so allows all user data that is synchronized with the server to be rolled back to its state before the attack occurred. A combination of Ransomware prevention and protection reduces risks to a minimum acceptable level. == Other Elements of Ransomware Protection @@ -127,11 +76,11 @@ Ransomware prevention and protection reduces risks to a minimum acceptable level | First line of defense against ransomware attacks. Ransomware Protection uses a file name pattern blacklist to prevent uploading files that have file extensions associated with ransomware (e.g. `.crypt`) thereby preserving the original files on the ownCloud Classic server. | Ransomguard Scanner -| `occ ransomguard:scan ` +| `occ ransomguard:scan ` *^1^* | A command to scan the ownCloud database for changes in order to discover anomalies in a user’s account and their origin. It enables an administrator to determine the point in time when undesired actions happened as a prerequisite for restoration. | Ransomguard Restorer -| `occ ransomguard:restore ` +| `occ ransomguard:restore ` *^1^* | A command for administrators to revert all operations in a user account that occurred after a certain point in time. | Ransomguard Lock @@ -155,67 +104,47 @@ Ransomware prevention and protection reduces risks to a minimum acceptable level | Update the blacklist file with content from a URL. |=== -`` must be in the Linux timestamp format. +(1) ... `` must be in the Linux timestamp format. == Requirements === Mandatory -1. *File Firewall rule (previous approach for ransomware protection).* -If you have configured the File Firewall rule which was provided as a -preliminary protection mechanism, please remove it. The functionality -(Blocking) is covered by Ransomware Protection in an improved way. -2. *Ransomware Protection.* Ransomware protection needs to be in -operation before an attack occurs, as it needs to record file operations -to be able to revert them, in case of an attack. -3. *ownCloud Versions App.* Required to restore older file versions. -The capabilities of Ransomware Protection depend on its configuration -regarding version retention. -4. *ownCloud Trash Bin App.* Required to restore deleted files. The -capabilities of Ransomware Protection depend on its configuration -regarding trash bin retention. +. *File Firewall rule (previous approach for ransomware protection).* + +If you have configured the File Firewall rule which was provided as a preliminary protection mechanism, please remove it. The functionality (Blocking) is covered by Ransomware Protection in an improved way. + +. *Ransomware Protection.* + +Ransomware protection needs to be in operation before an attack occurs, as it needs to record file operations to be able to revert them, in case of an attack. + +. *ownCloud Versions App.* + +Required to restore older file versions. The capabilities of Ransomware Protection depend on its configuration regarding version retention. + +. *ownCloud Trash Bin App.* + +Required to restore deleted files. The capabilities of Ransomware Protection depend on its configuration regarding trash bin retention. === Optional -1. *Activity app.* For viewing activity logs. +. *Activity app.* + +For viewing activity logs. == Limitations -* Ransomware Protection works with master-key based storage encryption. -With credential-based storage encryption, only Ransomware Prevention +* Ransomware Protection works with master-key based storage encryption. With credential-based storage encryption, only Ransomware Prevention (Blocking) works. + * Rollback is not based on snapshots: -** The -xref:admin_manual:configuration/server/config_sample_php_parameters.adoc#deleted-items-trash-bin[trash bin retention policy] -may delete files, making them unrecoverable. To -avoid this, set `trashbin\_retention\_obligation` to `disabled`, or -choose a conservative policy for trash bin retention. However, please be -aware that this may increase storage requirements. -** Trash bin items may be deleted by the user making them unrecoverable -by Ransomware Protection => Users need to know this. -** Versions have -xref:admin_manual:configuration/server/config_sample_php_parameters.adoc#file-versions[a built-in `thin-out` policy] -which makes it possible that required file -versions are unrecoverable by Ransomware Protection. To help avoid this, -set `versions\_retention\_obligation` to `disabled` or choose a -conservative policy for version retention. Please be aware that this -might increase your storage needs. -+ -* A specific version of a file that is needed for rollback might have -been manually restored, making this version potentially unrecoverable by -Ransomware Protection. Currently, after restoration the restored version -is not a version anymore, e.g., the version is not present in -versioning. -* Recovery capabilities in received shared folders are currently -limited. Changed file contents and deletions can be restored but MOVE -operations can’t. The case when a ransomware attack renames files in a -received shared folder is therefore not yet covered. -* Contents in secondary storages, such as _Windows network drives_, -_Dropbox_, and _Google Drive_, are unrecoverable by Ransomware -Protection, because they do not have versioning or trash bin enabled in -ownCloud. -* Rolling files forward is not _currently_ supported or tested. -Therefore it is vital to: +** The xref:admin_manual:configuration/server/config_sample_php_parameters.adoc#deleted-items-trash-bin[trash bin retention policy] may delete files, making them unrecoverable. To avoid this, set `trashbin\_retention\_obligation` to `disabled`, or choose a conservative policy for trash bin retention. However, please be aware that this may increase storage requirements. + +** Trash bin items may be deleted by the user making them unrecoverable by Ransomware Protection => Users need to know this. + +** Versions have xref:admin_manual:configuration/server/config_sample_php_parameters.adoc#file-versions[a built-in `thin-out` policy] which makes it possible that required file versions are unrecoverable by Ransomware Protection. To help avoid this, set `versions\_retention\_obligation` to `disabled` or choose a conservative policy for version retention. Please be aware that this might increase your storage needs. + +* A specific version of a file that is needed for rollback might have been manually restored, making this version potentially unrecoverable by Ransomware Protection. Currently, after restoration the restored version is not a version anymore, e.g., the version is not present in versioning. + +* Recovery capabilities in received shared folders are currently limited. Changed file contents and deletions can be restored but MOVE operations can’t. The case when a ransomware attack renames files in a received shared folder is therefore not yet covered. + +* Contents in secondary storages, such as _Windows network drives_, _Dropbox_, and _Google Drive_, are unrecoverable by Ransomware Protection, because they do not have versioning or trash bin enabled in ownCloud. + +* Rolling files forward is not _currently_ supported or tested. Therefore it is vital to: ** Carefully decide the point in time to rollback to. -** To have proper backups to be able to conduct the rollback again, if -necessary. +** To have proper backups to be able to conduct the rollback again, if necessary. diff --git a/modules/admin_manual/pages/enterprise/user_management/saml_2.0_sso.adoc b/modules/admin_manual/pages/enterprise/user_management/saml_2.0_sso.adoc index f4fd5fdcc..d7a2b632b 100644 --- a/modules/admin_manual/pages/enterprise/user_management/saml_2.0_sso.adoc +++ b/modules/admin_manual/pages/enterprise/user_management/saml_2.0_sso.adoc @@ -17,11 +17,15 @@ :shibboleth-xml-metadata-provider-url: https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072307/NativeSPMetadataProvider :shibboleth-nativespservicesso-url: https://shibboleth.atlassian.net/wiki/spaces/SHIB2/pages/2577072444/NativeSPServiceSSO +== Introduction + +IMPORTANT: The Docker image does not provide the necessary modules for the embedded Apache web server. A customised image must be built for Shibboleth authentication. + +The following description is based on a standard installation and must be adapted to work with the Dockerfile in order to create the required image. + == Preparation -Before you can setup SAML 2.0 based Single Sign-On with -{adfs-url}[Active Directory Federation Services (ADFS)] -and mod-shib, ask your ADFS admin for the relevant server URLs. These are: +Before you can setup SAML 2.0 based Single Sign-On with {adfs-url}[Active Directory Federation Services (ADFS)] and mod-shib, ask your ADFS admin for the relevant server URLs. These are: - The SAML 2.0 single sign-on service URL, e.g., `\https:///ADFS/ls` - The IdP metadata URL, e.g., `\https:///FederationMetadata/2007-06/FederationMetadata.xml` diff --git a/modules/admin_manual/pages/enterprise/user_management/user_auth_shibboleth.adoc b/modules/admin_manual/pages/enterprise/user_management/user_auth_shibboleth.adoc index a7cb57098..477bf81bd 100644 --- a/modules/admin_manual/pages/enterprise/user_management/user_auth_shibboleth.adoc +++ b/modules/admin_manual/pages/enterprise/user_management/user_auth_shibboleth.adoc @@ -6,18 +6,22 @@ == Introduction -The ownCloud Shibboleth user backend application integrates ownCloud with a {shibboleth-url}[Shibboleth] Service Provider (SP) and allows operations in federated and single-sign-on (SSO) infrastructures. +The ownCloud Shibboleth user backend application integrates ownCloud with a {shibboleth-url}[Shibboleth] Service Provider (SP) and allows operations in federated and single-sign-on (SSO) infrastructures. + +IMPORTANT: The Docker image does not provide the necessary modules for the embedded Apache web server. A customised image must be built for Shibboleth authentication. + +include::partial$manual_config_file.adoc[] + Setting up Shibboleth has two big steps: -1. Enable and configure the Apache Shibboleth module. -2. Enable and configure the ownCloud Shibboleth app. +. Enable and configure the Apache Shibboleth module. +. Enable and configure the ownCloud Shibboleth app. -== The Apache Shibboleth module +== The Apache Shibboleth Module -Currently supported installations are based on the {native-apache-integration-url}[native Apache integration]. -The individual configuration of the service provider is highly dependent on the operating system, as well as on the integration with the Identity Providers (IdP), and require case-by-case analysis and installation. +Currently supported installations are based on the {native-apache-integration-url}[native Apache integration]. The individual configuration of the service provider is dependent on the operating system used for the image (Ubuntu), as well as on the integration with the Identity Providers (IdP), and require case-by-case analysis and installation. -A good starting point for the service provider installation can be found in {shibboleth-nativesplinuxinstall-url}[the official Shibboleth Wiki]. +A good starting point for the service provider installation can be found in the {shibboleth-nativesplinuxinstall-url}[official Shibboleth Wiki]. A successful installation and configuration will populate Apache environment variables with at least a unique user id which is then used by the ownCloud Shibboleth app to login a user. @@ -25,16 +29,14 @@ A successful installation and configuration will populate Apache environment var This is an example configuration as installed and operated on a Linux server running the Apache 2.4 Web server. These configurations are highly operating system specific and require a high degree of customization. -The ownCloud instance itself is installed in `/var/www/owncloud/`. -Further Shibboleth specific configuration as defined in `/etc/apache2/conf.d/shib.conf`. +The ownCloud instance itself is installed in `/var/www/owncloud/`. Further Shibboleth specific configuration as defined in `/etc/apache2/conf.d/shib.conf`. [source,apache] ---- include::example$enterprise/user_management/shibboleth/apache-2.4-configuration.conf[] ---- -To allow users to login via the IdP, add a login alternative with the `login.alternatives` option in `config/config.php`. -Depending on the ownCloud Shibboleth app mode, you may need to revisit this configuration. +To allow users to login via the IdP, add a login alternative with the `login.alternatives` option in `config/config.php`. Depending on the ownCloud Shibboleth app mode, you may need to revisit this configuration. == The ownCloud Shibboleth App @@ -44,9 +46,7 @@ image:shib-gui5.png[figure 1: Enabling Shibboleth on the ownCloud Admin page] === Choosing the App Mode -After enabling the app it will be in *Not active* mode, which ignores a Shibboleth session and allows you to login as an administrator and inspect the currently available Apache environment variables. -Use this mode to set up the environment mapping for the other modes, and in case you locked yourself out of the system. -You can also change the app mode and environment mappings by using the `occ` command, like this example on Ubuntu Linux: +After enabling the app it will be in *Not active* mode, which ignores a Shibboleth session and allows you to login as an administrator and inspect the currently available Apache environment variables. Use this mode to set up the environment mapping for the other modes, and in case you locked yourself out of the system. You can also change the app mode and environment mappings by using the `occ` command, like this example on Ubuntu Linux: [source,bash,subs="attributes+"] ---- @@ -54,33 +54,19 @@ You can also change the app mode and environment mappings by using the `occ` com {occ-command-example-prefix-docker} shibboleth:mapping --uid login ---- -In *Single sign-on only* mode the app checks if the environment variable for the Shibboleth session, by default *Shib-Session-Id*, is set. -If that is the case it will take the value of the environment variable as the `uid`, by default `eppn`, and check if a user is known by that `uid`. -In effect, this allows another user backend, e.g., the LDAP app, to provide the `displayname`, `email` and `avatar`. +In *Single sign-on only* mode the app checks if the environment variable for the Shibboleth session, by default *Shib-Session-Id*, is set. If that is the case it will take the value of the environment variable as the `uid`, by default `eppn`, and check if a user is known by that `uid`. In effect, this allows another user backend, e.g., the LDAP app, to provide the `displayname`, `email` and `avatar`. -As an example the IdP can send the `userPrincipalName` which the Apache Shibboleth module writes to a custom Apache environment variable called `login`. -The ownCloud Shibboleth app reads that `login` environment variable and tries to find an LDAP user with that `username`. -For this to work `userPrincipalName` needs to be added to the *Additional Search Attributes* in the LDAP directory settings on xref:configuration/user/user_auth_ldap.adoc[the advanced tab]. -We recommend using a scoped login attribute like `userPrincipalName` or `mail` because otherwise the search might find multiple users and prevent login. +As an example the IdP can send the `userPrincipalName` which the Apache Shibboleth module writes to a custom Apache environment variable called `login`. The ownCloud Shibboleth app reads that `login` environment variable and tries to find an LDAP user with that `username`. For this to work `userPrincipalName` needs to be added to the *Additional Search Attributes* in the LDAP directory settings on xref:configuration/user/user_auth_ldap.adoc[the advanced tab]. We recommend using a scoped login attribute like `userPrincipalName` or `mail` because otherwise the search might find multiple users and prevent login. -In many scenarios Shibboleth is not intended to hide the user's password from the service provider, but only to implement SSO. -If that is the case it is sufficient to protect the ownCloud base URL with Shibboleth. -This will send Web users to the IdP but allow desktop and mobile clients to continue using username and password, preventing popups due to an expired Shibboleth session lifetime. +In many scenarios Shibboleth is not intended to hide the user's password from the service provider, but only to implement SSO. If that is the case it is sufficient to protect the ownCloud base URL with Shibboleth. This will send Web users to the IdP but allow desktop and mobile clients to continue using username and password, preventing popups due to an expired Shibboleth session lifetime. In *Autoprovision Users* mode the app will not ask another user backend, but instead provision users on the fly by reading the two additional environment variables for display name and email address. -image:shib-gui6.png[figure 2: Mapping Shibboleth environment configuration variables to ownCloud user attributes] - -[NOTE] -==== -In ownCloud 8.1 the Shibboleth environment variable mapping was stored in `apps/user_shibboleth/config.php`. -This file was overwritten on upgrades, preventing a seamless upgrade procedure. -In ownCloud 8.2+ the variables are stored in the ownCloud database, making Shibboleth automatically upgradeable. -==== +image:shib-gui6.png[Figure 2: Mapping Shibboleth environment configuration variables to ownCloud user attributes] === Mapping ownCloud User IDs -From 3.1.2 you can now specify a mapper that is used on inbound ownCloud user IDs, to adjust them before usage in ownCloud. You can set the mapper using `occ`: +You can specify a mapper that is used on inbound ownCloud user IDs, to adjust them before usage in ownCloud. You can set the mapper using `occ`: [source,bash,subs="attributes+"] ---- @@ -99,33 +85,32 @@ The following mappers are provided with the app: [cols="2",options="header"] |=== -|Class |Description -|`OCA\User_Shibboleth\Mapper\NoOpMapper` |The default, does not alter the UID -|`OCA\User_Shibboleth\Mapper\ADFSMapper` |Splits the UID around a `;` character and takes the first piece -|`OCA\User_Shibboleth\Mapper\GUIDInMemoryMapper` |Maps in binary GUIDs to strings +|Class +| Description + +|`OCA\User_Shibboleth\Mapper\NoOpMapper` +|The default, does not alter the UID + +|`OCA\User_Shibboleth\Mapper\ADFSMapper` +| Splits the UID around a `;` character and takes the first piece + +|`OCA\User_Shibboleth\Mapper\GUIDInMemoryMapper` +| Maps in binary GUIDs to strings |=== == Shibboleth with Desktop and Mobile Clients -The ownCloud Desktop Client can interact with an ownCloud instance running inside a Shibboleth Service Provider by using OAuth2 tokens to authenticate. -The ownCloud Android and iOS mobile apps also work with OAuth2 tokens. +The ownCloud Desktop Client can interact with an ownCloud instance running inside a Shibboleth Service Provider by using OAuth2 tokens to authenticate.The ownCloud Android and iOS mobile apps also work with OAuth2 tokens. == WebDAV Support -Users of standard WebDAV clients can generate an App Password on the Personal settings page. -Use of App Passwords may be enforced with the `token_auth_enforced` option in `config/config.php`. +Users of standard WebDAV clients can generate an App Password on the Personal settings page. Use of App Passwords may be enforced with the OWNCLOUD_TOKEN_AUTH_ENFORCED environment variable. == Known Limitations === Encryption -File encryption can only be used together with Shibboleth when xref:configuration/server/occ_command.adoc#encryption[master key-based encryption] is used because the per-user encryption requires the user's password to unlock the private encryption key. -Due to the nature of Shibboleth the user's password is not known to the service provider. - -=== PHP-FPM is incompatible - -The provided shibd, apache and ownCloud configuration only works with mod_php. Make sure that you have disable PHP-FPM and enabled mod_php on your server. -CentOS 8 now installs PHP-FPM by default, so make sure to swap. +File encryption can only be used together with Shibboleth when xref:configuration/server/occ_command.adoc#encryption[master key-based encryption] is used because the per-user encryption requires the user's password to unlock the private encryption key. Due to the nature of Shibboleth the user's password is not known to the service provider. === Other Login Mechanisms @@ -136,24 +121,20 @@ You can allow other login mechanisms (e.g., LDAP or ownCloud native) by creating include::example$enterprise/user_management/shibboleth/other-login-mechanisms-vhost.conf[] ---- -NOTE: The second location in the above configuration is *not* protected by Shibboleth, and you can use your other ownCloud login mechanisms. - -NOTE: The above configuration can be used with multi-factor authentication as well. +[NOTE] +==== +* The second location in the above configuration is *not* protected by Shibboleth, and you can use your other ownCloud login mechanisms. +* The above configuration can be used with multi-factor authentication as well. +==== -If you use the above configuration, after it's enabled, configure the alternative logins option with a button to point to `/login-shib`. -This will trigger the Shibboleth session and redirect the user back to `/login`. -At this point, the existing session will be picked up, continuing with the authentication process. +If you use the above configuration, after it's enabled, configure the alternative logins option with a button to point to `/login-shib`. This will trigger the Shibboleth session and redirect the user back to `/login`. At this point, the existing session will be picked up, continuing with the authentication process. === Session Timeout -Session timeout on Shibboleth is controlled by the IdP. -It is not possible to have a session length longer than the length controlled by the IdP. -In extreme cases this could result in re-login on mobile clients and desktop clients every hour. +Session timeout on Shibboleth is controlled by the IdP. It is not possible to have a session length longer than the length controlled by the IdP. In extreme cases this could result in re-login on mobile clients and desktop clients every hour. === UID Considerations and Windows Network Drive Compatibility -To log in LDAP users via SAML for Single Sign On the user in LDAP must be uniquely resolvable by searching for the username that was sent in the SAML token. -For this to work the LDAP attribute containing the username needs to be added to the *Additional Search Attributes* in the LDAP directory settings on xref:configuration/user/user_auth_ldap.adoc[the advanced tab]. -We recommend using a scoped login attribute like `userPrincipalName` or `mail` because otherwise the search might find multiple users and prevent login. +To log in LDAP users via SAML for Single Sign On the user in LDAP must be uniquely resolvable by searching for the username that was sent in the SAML token. For this to work the LDAP attribute containing the username needs to be added to the *Additional Search Attributes* in the LDAP directory settings on the xref:configuration/user/user_auth_ldap.adoc#advanced-settings[advanced settings] tab. We recommend using a scoped login attribute like `userPrincipalName` or `mail` because otherwise the search might find multiple users and prevent login. `user_shibboleth` will do the authentication, and `user_ldap` will provide user details such as `email` and `displayname`. diff --git a/modules/admin_manual/pages/found_a_mistake.adoc b/modules/admin_manual/pages/found_a_mistake.adoc index 4a45851f5..c80e2104c 100644 --- a/modules/admin_manual/pages/found_a_mistake.adoc +++ b/modules/admin_manual/pages/found_a_mistake.adoc @@ -1,4 +1,4 @@ = Have You Found a Mistake In The Documentation? -:new-issue-url: https://github.com/owncloud/docs-server/issues/new +:new-issue-url: https://github.com/owncloud/docs/issues/new -If you have found a mistake in the documentation, no matter how large or small, please let us know by creating a new issue in the {new-issue-url}[docs-server repository]. +If you have found a mistake in the documentation, no matter how large or small, please let us know by creating a new issue in the {new-issue-url}[docs repository]. diff --git a/modules/admin_manual/pages/index.adoc b/modules/admin_manual/pages/index.adoc index aa09f362a..cdf66456d 100644 --- a/modules/admin_manual/pages/index.adoc +++ b/modules/admin_manual/pages/index.adoc @@ -2,9 +2,14 @@ Welcome to the ownCloud Classic Administration Guide. This guide describes administration tasks for ownCloud, the flexible open source file synchronization and sharing solution. -== Installation Changes - -IMPORTANT: Unlike previous releases, ownCloud Classic 11 is only available as a Docker image containing the necessary libraries, such as PHP 8. +== Important Changes + +[IMPORTANT] +==== +* Unlike previous releases, ownCloud Classic 11 is only available as a Docker image containing the necessary libraries, such as PHP 8, as well as an embedded, preconfigured Apache web server. Therefore, to access ownCloud Classic 11, you need to use a proxy web server that handles certificates. +* The majority of apps provided by ownCloud that were formerly available from the Marketplace are now included in the image, including Enterprise-only apps. These apps have been updated to PHP 8. The only requirement is to enable them. For Enterprise-only apps, a licence key is required before they can be enabled. Apps not provided by ownCloud can still be used as long as they meet the PHP 8 compliance prerequisite. +* Some apps, such as the Enterprise-only Sharepoint app have been retired and are not part of the image. +==== == Target Audience diff --git a/modules/admin_manual/pages/installation/apps_management_installation.adoc b/modules/admin_manual/pages/installation/apps/apps_management_installation.adoc similarity index 82% rename from modules/admin_manual/pages/installation/apps_management_installation.adoc rename to modules/admin_manual/pages/installation/apps/apps_management_installation.adoc index a146ac63b..4ddbd9b1d 100644 --- a/modules/admin_manual/pages/installation/apps_management_installation.adoc +++ b/modules/admin_manual/pages/installation/apps/apps_management_installation.adoc @@ -1,15 +1,16 @@ = Installing and Managing Apps :toc: right +:page-aliases: installation/apps_management_installation.adoc :description: After installing ownCloud, you may provide added functionality by installing applications. == Introduction -{description} The Docker image comes with all apps provided by ownCloud, regardless of the licensing scheme. Apps that are not part of the image can be installed at any time. +{description} The Docker image comes with all apps provided by ownCloud, regardless of the licensing scheme. [IMPORTANT] ==== * Any apps that came with the image will reappear when the container is restarted - if you uninstall them. -* Any apps that are installed manually *must be compatible with PHP 8*; otherwise, they will most likely fail to work and make your instance unstable. +* Manually installed apps *must be compatible with PHP 8*; otherwise, they will most likely fail to work and make your instance unstable. ==== == Installing and Managing Apps @@ -26,7 +27,7 @@ NOTE: If you would like to create or add (your own) ownCloud app, please refer t === Installing Apps Manually -All apps that are installed manually, regardless of using the Marketplace or you copy them, will be placed into the `apps` folder of the ownCloud volume. This volume is either the Docker volume or a defined bind mount. This apps folder corresponds to the `apps-external` folder. For more and important details see: xref:installation/mount_folder_structure.adoc[Mount Folder Structure]. +All apps that are installed manually, regardless of the source, will be placed into the `/apps` folder. This volume is either the Docker volume or a defined bind mount. This apps folder corresponds to the `apps-external` folder. For more and important details see: xref:installation/mount_folder_structure.adoc[Mount Folder Structure]. Once the tarball has been extracted into the default app folder. Enable the application, diff --git a/modules/admin_manual/pages/installation/apps_supported.adoc b/modules/admin_manual/pages/installation/apps/apps_supported.adoc similarity index 94% rename from modules/admin_manual/pages/installation/apps_supported.adoc rename to modules/admin_manual/pages/installation/apps/apps_supported.adoc index 300616866..fc789e274 100644 --- a/modules/admin_manual/pages/installation/apps_supported.adoc +++ b/modules/admin_manual/pages/installation/apps/apps_supported.adoc @@ -1,11 +1,10 @@ = Supported Apps in ownCloud :toc: right -:toclevels: 1 -:page-aliases: installation/apps/mediaviewer/index.adoc +:page-aliases: installation/apps/mediaviewer/index.adoc, installation/apps_supported.adoc == AGPL Apps -Please note that apps without a link are now fully integrated into the core system and self-explanatory. +Please note that apps without a link are fully integrated into the core system and self-explanatory. * {oc-marketplace-url}/apps/activity[Activity] * {oc-marketplace-url}/apps/files_antivirus[Anti-Virus] diff --git a/modules/admin_manual/pages/installation/configuration_notes.adoc b/modules/admin_manual/pages/installation/configuration_notes.adoc deleted file mode 100644 index fa6732312..000000000 --- a/modules/admin_manual/pages/installation/configuration_notes.adoc +++ /dev/null @@ -1,17 +0,0 @@ -= Configuration Notes -:toc: right -:description: There are multiple ways to configure ownCloud to run in a Dockerized environment. - -== Introduction - -{description} - -== Using Environment Variables - -The image provides additional environment variables that can be configured for the use with the container. To identify available ones, see the file `overwrite.config.php` which can be found in the `config` folder. This folder is located in `/mnt/data` in the container or locally at the respective bind mount. - -== Using a Configuration File - -Rather than using environment variables to configure your ownCloud instance, you can use *additional* configuration files, as was possible with earlier releases of ownCloud. This configuration method is only possible when using bind mounts, because access to the `config` sub folder is required. - -For more and important details see: xref:installation/mount_folder_structure.adoc[Mount Folder Structure]. diff --git a/modules/admin_manual/pages/installation/deployment_considerations.adoc b/modules/admin_manual/pages/installation/deployment/deployment_considerations.adoc similarity index 98% rename from modules/admin_manual/pages/installation/deployment_considerations.adoc rename to modules/admin_manual/pages/installation/deployment/deployment_considerations.adoc index 3c6a6a619..e1d8fc962 100644 --- a/modules/admin_manual/pages/installation/deployment_considerations.adoc +++ b/modules/admin_manual/pages/installation/deployment/deployment_considerations.adoc @@ -1,5 +1,6 @@ = Deployment Considerations :toc: right +:page-aliases: installation/deployment_considerations.adoc == Hardware @@ -74,7 +75,7 @@ What about the other DBMS? === Docker Volume -When using bind mounts with the Docker volume, consider using a shared directory, such as NFS, as the mount point. This is important if you plan to implement Active-Passive failover scenarios, since the instance taking over must be able to access the configuration and app data.. +When using bind mounts with the Docker volume, consider using a shared directory, such as NFS, as the mount point. This is important if you plan to implement Active-Passive failover scenarios, since the instance taking over must be able to access the configuration and app data. === File Storage diff --git a/modules/admin_manual/pages/installation/deployment_recommendations.adoc b/modules/admin_manual/pages/installation/deployment/deployment_recommendations.adoc similarity index 99% rename from modules/admin_manual/pages/installation/deployment_recommendations.adoc rename to modules/admin_manual/pages/installation/deployment/deployment_recommendations.adoc index 5760c9db3..eb6549d95 100644 --- a/modules/admin_manual/pages/installation/deployment_recommendations.adoc +++ b/modules/admin_manual/pages/installation/deployment/deployment_recommendations.adoc @@ -1,6 +1,6 @@ = Deployment Recommendations :toc: right -:toclevels: 2 +:page-aliases: installation/deployment_recommendations.adoc :owncloud-edition-url: https://owncloud.com/find-the-right-edition/ :ibm-elastic-storage-server-url: https://www.ibm.com/us-en/marketplace/ibm-elastic-storage-server :redhat-ceph-url: https://www.redhat.com/en/technologies/storage/ceph diff --git a/modules/admin_manual/pages/installation/deployment_recommendations/clustered_shared_storage.adoc b/modules/admin_manual/pages/installation/deployment/deployment_recommendations/clustered_shared_storage.adoc similarity index 99% rename from modules/admin_manual/pages/installation/deployment_recommendations/clustered_shared_storage.adoc rename to modules/admin_manual/pages/installation/deployment/deployment_recommendations/clustered_shared_storage.adoc index b5b698c89..069d8bcea 100644 --- a/modules/admin_manual/pages/installation/deployment_recommendations/clustered_shared_storage.adoc +++ b/modules/admin_manual/pages/installation/deployment/deployment_recommendations/clustered_shared_storage.adoc @@ -2,6 +2,7 @@ :toc: right :toclevels: 2 :keywords: cluster, shared storage, nfs, kubernetes, swarm, scale-out, redis, locking, chown +:page-aliases: installation/deployment_recommendations/clustered_shared_storage.adoc :description: How to run the ownCloud Docker image across multiple application nodes that share a common file storage (for example NFS), and the pitfalls to avoid. :k8s-fsgroup-url: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ diff --git a/modules/admin_manual/pages/installation/deployment_recommendations/nfs.adoc b/modules/admin_manual/pages/installation/deployment/deployment_recommendations/nfs.adoc similarity index 99% rename from modules/admin_manual/pages/installation/deployment_recommendations/nfs.adoc rename to modules/admin_manual/pages/installation/deployment/deployment_recommendations/nfs.adoc index 759914f24..defeb2b75 100644 --- a/modules/admin_manual/pages/installation/deployment_recommendations/nfs.adoc +++ b/modules/admin_manual/pages/installation/deployment/deployment_recommendations/nfs.adoc @@ -2,6 +2,7 @@ :toc: right :toclevels: 1 :keywords: nfs, network file system, nfsv4, mtu, async, noasync +:page-aliases: installation/deployment_recommendations/nfs.adoc :description: This guide covers the official ownCloud NFS (Network File System) deployment recommendations. :autofs-url: https://help.ubuntu.com/community/Autofs diff --git a/modules/admin_manual/pages/installation/installing_with_docker.adoc b/modules/admin_manual/pages/installation/installing_with_docker.adoc index faf39ffbb..98626cef4 100644 --- a/modules/admin_manual/pages/installation/installing_with_docker.adoc +++ b/modules/admin_manual/pages/installation/installing_with_docker.adoc @@ -156,15 +156,15 @@ Only a few settings are required, these are: a| `{latest-server-download-version}` or `latest` | `OWNCLOUD_DOMAIN` *^1^* -a| A single ownCloud domain --- -IMPORTANT: Either use: + +a| Only for the use with a single ownCloud domain + +The same rules trusted domains apply to everything else. +[IMPORTANT] +==== +Either use: + pass:[ ] `OWNCLOUD_DOMAIN` + pass:[  ] _OR_ + -pass:[ ] `OWNCLOUD_TRUSTED_DOMAINS`. + -Only use a single domain. + -The same trusted domains rules apply to everything else. --- +pass:[ ] `OWNCLOUD_TRUSTED_DOMAINS`. +==== | `my_domain` or `my_ip` ... diff --git a/modules/admin_manual/pages/maintenance/manually-moving-data-folders.adoc b/modules/admin_manual/pages/maintenance/manually-moving-data-folders.adoc deleted file mode 100644 index 9ae9316ab..000000000 --- a/modules/admin_manual/pages/maintenance/manually-moving-data-folders.adoc +++ /dev/null @@ -1,182 +0,0 @@ -= Manually Move the Data Directory -:toc: right -:description: Use these instructions if you intend to move your ownCloud's data directory from its current location to another without using a symbolic link. - -:mysql-string-replace-function-url: http://www.mysqltutorial.org/mysql-string-replace-function.aspx - -// this needs review for oc10 -> oc11 - -== Introduction - -{description} - -As ownCloud is deployed via Docker, it is easy to move any data for a Dockerised deployment, as this simply involves relocating the contents of the mount point. Additional steps need to be taken into account when upgrading from a standard installation to Docker because the database needs to be updated. - -This guide assumes that: - -* The current Docker volume folder is: `/oc` -* The new Docker volume folder is: `/oc-new` -* ownCloud's database name is `owncloud` -* For a standard installation, the data directory is `var/www/owncloud/data` -* The internal "data folder of a Dockerized installation is `/mnt/data/files` - -Please change the paths above to reflect your environment. - -== Summary - -The following steps are necessary to move the data directory. - -. Stop the web proxy server -. Enable maintenance mode -. Sync your Data directory -. Adjust ownCloud's configuration -. Check permissions -. Disable maintenance mode -. Start the web proxy server - -Look at each section below for a detailed description. - -== Stop the Web Proxy Server - -To ensure there are no active user connections to your ownCloud instance, stop access to it from the web proxy server. Follow the web proxy server description to find out how to do this. - -== Enable Maintenance Mode - -It is necessary to enable maintenance mode to avoid running cron jobs. To enable maintenance mode, run the following command. - -[source,bash,subs="attributes+"] ----- -{occ-command-example-prefix-docker} maintenance:mode --on ----- - -== Sync your Data Directory - -[source,bash] ----- -sudo rsync -avz /files /mnt/ ----- - -Make sure that `.ocdata` and `.htaccess` were synced to the new directory. - -[source,bash] ----- -ls -a | grep -i "^\.[A-Z]" ----- - -== Adjust ownCloud's configuration - -=== Adjust oc_storages table - -Connect to your database and enter following commands: - -[source,sql] ----- -use owncloud; ----- - -=== Update the oc_storages Table - -Run the SQL below: - -[source,sql] ----- -UPDATE oc_storages - SET id='local::/mnt/owncloud/data/' - WHERE id='local::/var/www/owncloud/data/'; ----- - -=== Update the oc_accounts Table - -You next need to update the `home` column in the `oc_accounts` table. -This column contains the absolute path for user folders, e.g., `/mnt/owncloud/data/my_user`. - -If a user does not have the path already set, you have to identify the users `id` and set the path with the following command, user by user. -This example assumes the user name is `my_user` and their id is `1`. Note that id's are incremental, meaning the account you created first will have id `1` and so on. - -Run the SQL below: - -[source,sql] ----- -UPDATE oc_accounts SET home='/mnt/owncloud/data/my_user' - WHERE id=1; ----- - -For all users who already have a path like `/var/www/owncloud/data/` in your database, you can use the `REPLACE` command: - -[source,sql] ----- -UPDATE oc_accounts - SET home = REPLACE( - home, - '/var/www/owncloud/data/', - '/mnt/owncloud/data/' - ); ----- - -For more information follow the complete MySQL {mysql-string-replace-function-url}[REPLACE] command syntax. - -CAUTION: Please don’t copy and paste this example verbatim — nor any of the others. They are examples only. - -=== Update the oc_jobs table - -The next area to check is the `oc_jobs` table. -The logrotate process may have hard-coded a non-standard (or old) value for the data path. -To check it, run the SQL below and see if any results are returned: - -[source,sql] ----- -SELECT * FROM oc_jobs - WHERE class = 'OC\Log\Rotate'; ----- - -If results are returned, run the SQL below to update them, changing the id value as appropriate. - -[source,sql] ----- -UPDATE oc_jobs - SET argument = REPLACE( - argument, - '\\/var\\/www\\/owncloud\\/data\\/', - '\\/mnt\\/owncloud/data\\/' - ) - WHERE id = ; ----- - -CAUTION: The old data path will be written with `\/`. -Therefore you must add one, additional, backslash, like this: `\\/`. - -== Fix the config.php Settings - -To fix the config.php settings: - -[source,bash,subs="attributes+"] ----- -{occ-command-example-prefix-docker} config:system:set --value /mnt/owncloud/data datadirectory ----- - -=== Adjust config.php - -. Change the `datadirectory` key in your `config.php` to the new path. - To do so, start an editor of your choice and open `/var/www/owncloud/config/config.php` - -. Change the value of the key from `'datadirectory' => '/var/www/owncloud/data',` to `'datadirectory' => '/mnt/owncloud/data',`. - -== Disable Maintenance Mode - -To disable maintenance mode of your instance run the following command: - -[source,bash,subs="attributes+"] ----- -{occ-command-example-prefix-docker} maintenance:mode --off ----- - -== Start the Web Proxy Server - -Follow the web proxies server description for how to enable access to teh ownCloud instance. - -== Scan the Files - -[source,bash,subs="attributes+"] ----- -{occ-command-example-prefix-docker} files:scan --all ----- diff --git a/modules/admin_manual/pages/maintenance/migrate_owncloud/migrate-datadirectory.adoc b/modules/admin_manual/pages/maintenance/migrate_owncloud/migrate-datadirectory.adoc new file mode 100644 index 000000000..e796aa4af --- /dev/null +++ b/modules/admin_manual/pages/maintenance/migrate_owncloud/migrate-datadirectory.adoc @@ -0,0 +1,251 @@ += Migrate the Datadirectory +:toc: right +:page-aliases: maintenance/manually-moving-data-folders.adoc +:description: Follow these instructions if you need to migrate the data directory to a Dockerized installation. + +:mysql-string-replace-function-url: http://www.mysqltutorial.org/mysql-string-replace-function.aspx +:mariadb-docker-url: https://mariadb.com/docs/server/server-management/automated-mariadb-deployment-and-administration/docker-and-mariadb/installing-and-using-mariadb-via-docker + +== Introduction + +{description} + +Migrating the data directory, where ownCloud hosts user data, is a critical migration. + +Different steps need to be taken when migrating from an existing installation to a Dockerised one in the following scenarios using ownCloud Classic 11. *In both cases, updating the database is required*: + +. Local, no NFS: + +Copy the `data` directory to a new location. + +. The `data` directory is part of an existing NFS export: + +The old export can be removed and a new export with only the `data` directory needs to be provided and mounted. + +This guide assumes that: + +* The data directory of a local installation is: + +`/var/www/owncloud/data` + +* The Docker volume data directory is: + +`/files` + +* The internal data directory of a Dockerized installation is: + +`/mnt/data/files` + +* The ownCloud's database name is: + +`owncloud` + +Please change the paths above to reflect your environment. + +== Overview of Steps + +The following steps are necessary to migrate the data directory. + +. Stop browser access via the web proxy server +. Enable maintenance mode +. Sync / remount your Data directory +. Adjust ownCloud's configuration +. Check files +. Disable maintenance mode +. Reenable browser access via the web proxy server + +Look at each section below for a detailed description. + +== Preparation + +=== Prevent User Access via the Browser + +To prevent any active user connections to your ownCloud instance, stop access to it via the web (proxy) server. Refer to the web (proxy) server description to find out how to do this. + +=== Check the datadirectory Settings + +When using a Dockerized ownCloud deployment:: ++ +-- +Run the following command to check the current datadirectory setting of the container: + +[source,bash,subs="attributes+"] +---- +{occ-command-example-prefix-docker} config:system:get datadirectory +---- + +This should print out the path which defaults to `/mnt/data/files`. +-- + +When using a native deployment you want to migrate to a dockerized deployment:: ++ +-- +Run the following command to check the current datadirectory setting of the native installation: + +[source,bash,subs="attributes+"] +---- +sudo -uwww-data ./occ config:system:get datadirectory +---- + +This should print out the path which defaults to `/var/www/owncloud/data`. +-- + +=== Enable Maintenance Mode + +It is necessary to enable maintenance mode to avoid running cron jobs. To enable maintenance mode, run the following command. Use the respective command for the native installation you want to migrate. + +[source,bash,subs="attributes+"] +---- +{occ-command-example-prefix-docker} maintenance:mode --on +---- + +=== Database + +Back up your database by making a copy or an export. This way, you can always revert if something goes horribly wrong. + +== Data Directory + +Depending on the Setup, the `data` directory either needs to be copied or remounted. + +For small instances with limited data, copying is probably the best option. For anything with more user data, such as an existing NFS mount, remounting to a different location is preferable. If you have more user data that you are currently hosting locally, now might be a good time to switch to NFS. + +=== Sync to a new Location + +Please note that the target mount point is used intentionally as the Docker volume mount point for ease of handling. In this example, the source and target are on the same server and the source path is the ownCloud's default. Adapt accordingly to suit your needs. + +[source,bash] +---- +sudo rsync -avz /var/www/owncloud/data /files +---- + +=== Mounting with NFS + +If the data directory is already part of a NFS mount point such as `/mnt/owncloud/data`, unmount it, remove the export, create a new export including the data directory and mount it to `/files`. + +IMPORTANT: Only mount the data directory from the source and not the full owncloud directory including the data directory. + +For more information follow the complete MySQL {mysql-string-replace-function-url}[REPLACE] command syntax. + +== Adjust the ownCloud Database Configuration + +CAUTION: Please do not copy and paste this example verbatim, or any of the others. They are just examples. + +{mariadb-docker-url}#connecting-to-mariadb-from-outside-the-container[Connect to your database, window=_blank] and enter the following command to select the ownCloud database: Adapt the database name if it is not named as shown: + +[source,sql] +---- +use owncloud; +---- + +=== Update the oc_storages Table + +First print all the affected paths to be changed: + +[source,sql] +---- +SELECT * FROM oc_storages WHERE id LIKE 'local::%'; +---- + +Then update the database paths and adapt them accordingly. Please note that the internal default for a Dockerized ownCloud deployment is `mnt/data/files` unless otherwise defined: + +[source,sql] +---- +BEGIN TRANSACTION; + +UPDATE oc_storages + SET id = REPLACE( + id, + '/var/www/owncloud/data', + '/mnt/data/files' + ) + WHERE id LIKE 'local::%'; + +# check with the select statement above +# in case something went wrong +# ROLLBACK; + +# otherwise use +# COMMIT; +---- + +=== Update the oc_accounts Table + +Next to be updated is the `home` column in the `oc_accounts` table. This column contains the _absolute path_ for user folders, for example, `/var/www/owncloud/data/my_user`. + +First print all the affected path to be changed. The path without the user component is important for the next step: + +[source,sql] +---- +SELECT * FROM oc_accounts Where home LIKE '%'; +---- + +Then update the database paths and adapt them accordingly. Please note that the internal default for a Dockerized ownCloud deployment is `/mnt/data/files` unless otherwise defined: + +[source,sql] +---- +BEGIN TRANSACTION; + +UPDATE oc_accounts + SET home = REPLACE( + home, + '/var/www/owncloud/data', + '/mnt/data/files' + ) + WHERE home LIKE '/var/www/owncloud/data%'; + +# check with the select statement above +# in case something went wrong +# ROLLBACK; + +# otherwise use +# COMMIT; +---- + +=== Update the oc_jobs table + +The next area to check is the `oc_jobs` table. The logrotate process may have hard-coded a non-standard (or old) value for the data path. To check it, run the SQL query below and see if any results are returned. Note the use of the backslash notation required for proper escaping: + +[source,sql] +---- +SELECT * FROM oc_jobs WHERE class LIKE 'OC\\\\Log\\\\Rotate%'; +---- + +If any results are returned, run the SQL query below to update them, changing the `id` value as necessary. + +[source,sql] +---- +BEGIN TRANSACTION; + +UPDATE oc_jobs + SET argument = REPLACE( + argument, + '\\/var\\/www\\/owncloud\\/data\\/', + '\\/mnt\\/data\\/files\\/' + ) + WHERE id = ; + +# check with the select statement above +# in case something went wrong +# ROLLBACK; + +# otherwise use +# COMMIT; +---- + +CAUTION: The old data path will be written with `\/`. Therefore you must add one, additional, backslash, like this: `\\/`. + +== Scan the Files + +This command checks all files from all users. Please note that this can take a while. + +[source,bash,subs="attributes+"] +---- +{occ-command-example-prefix-docker} files:scan --all +---- + +== Disable Maintenance Mode + +To disable maintenance mode of your instance run the following command: + +[source,bash,subs="attributes+"] +---- +{occ-command-example-prefix-docker} maintenance:mode --off +---- + +== Reenable Browser Access + +Follow the web proxies server description for how to enable access to the ownCloud instance. diff --git a/modules/admin_manual/pages/maintenance/migrate_owncloud/migrating.adoc b/modules/admin_manual/pages/maintenance/migrate_owncloud/migrating.adoc new file mode 100644 index 000000000..567d76f25 --- /dev/null +++ b/modules/admin_manual/pages/maintenance/migrate_owncloud/migrating.adoc @@ -0,0 +1,145 @@ += Migrating an Instance +:toc: right +:description: There are several situations where ownCloud needs to be migrated. + +== Introduction + +{description} + +The following scenarios are described here: + +. Migrating to a different host +. Migrating to a different domain +. Migrating from ownCloud Classic 10 to ownCloud Classic 11 + +Note that any database migration is not covered here. + +IMPORTANT: During the migration process, do not make any changes to the original system except to put it into maintenance mode. This ensures that, should anything unforeseen happen, you can revert to your existing installation and resume its availability while debugging the problem. + +You can find details of the steps for your ownCloud instance in the xref:maintenance/upgrading/manual_upgrade.adoc[Manual ownCloud Upgrade] documentation. + +== Special Migrations + +=== Host Migration + +Migration to a different host is easy with Docker. + +. Enable maintenance mode. +. Prevent browser access via the proxy. +. Down the container. +. Make the data available on the new host: +.. Either copy the Docker volume if not using a shared mount point to the new host, or +.. Create a new shared mount point. +. Copy / adapt the compose yaml file to reflect your changes. +. Bring up the container. +. Disable maintenance mode. +. Reconfigure proxy access to the ownCloud Instance. +. Reenable browser access via the proxy. + +=== Domain Migration + +As the ownCloud Classic 11 image provides an embedded Apache web server, you need a proxy to handle security and other web-related settings anyway. To migrate or add a domain, two steps are required: + +. Update your proxy server settings. +. Update the ownCloud trusted domain settings. + +==== Managing Trusted Domains + +All URLs used to access your ownCloud server must be white-listed using a environment variable. Users are allowed to log into ownCloud only when they point their browsers to a URL that is listed in the `OWNCLOUD_TRUSTED_DOMAINS` setting. + +NOTE: This setting is important when changing or moving to a new domain name. You may use IP addresses and domain names. + +NOTE: The loopback address, `127.0.0.1`, is automatically whitelisted. In the event that a load-balancer is in place, there will be no issues as long as it sends the correct `X-Forwarded-Host` header. + +A typical configuration looks like this: + +[source,.env] +---- +OWNCLOUD_TRUSTED_DOMAINS='server1.example.com','192.168.1.50' +---- + +== ownCloud Classic Migration + +[IMPORTANT] +==== +* The steps shown do not cover any measures that may be necessary when the ownCloud-provided image was or needs to be customised . +* Any third party app used needs to be PHP 8 compliant. In doubt, disable it and do not re-enable until this prerequisite is met. +==== + +[NOTE] +==== +With a few exceptions, ownCloud 11 provides nearly all configuration keys as environment variables. Therefore, it is highly recommended that any configuration keys are migrated to envvars, if possible. See the xref:configuration/important_notes.adoc[Important Configuration Notes] documentation for more details. +==== + +=== Docker to Docker + +If you have previously used a Docker-based installation with ownCloud Classic 10, no data migration is required. + +The main migration steps are the following: + +* Put your instance into maintenance mode. +* Disable and then delete any app that is provided by ownCloud. + +The deleted ownCloud apps were written in PHP 7. + +The updated apps, which are now compliant with PHP 8, are embedded in the image. +* Prevent browser access via the proxy. +* Down the compose environment. +* Define the OC11 image that will be used with the container, then pull it. +* Start the compose environment. +* Turn Maintenance mode off. +* Start the occ upgrade process. +* Reenable browser access via the proxy. + +=== Native to Docker + +This section describes the migration of *ownCloud Classic 10* to *ownCloud Classic 11*, if ownCloud Classic 10 was installed natively. + +Due to the wide range of installation types, the description focuses on the main steps rather than the details. When using encryption with the ownCloud Classic 10 instance, the openSSL requirements must be met without circumventing retired ciphers. See the ownCloud Classic 10 encryption documentation for more details. + +[IMPORTANT] +==== +* If you have used the following apps or customised particular settings, you must create your own image based on the provided one. This is because the provided image does not contain the required binaries. + +** The following apps or functionalities are affected: + +xref:enterprise/authentication/kerberos.adoc[Kerberos Authentication], xref:enterprise/external_storage/windows-network-drive_configuration.adoc[Windows Network Drive] and the xref:configuration/files/previews_configuration.adoc[Preview Configuration]. + +* The setup requires a proxy server that points to the Apache server embedded in the image. This proxy server handles all certificates and terminates the user access. This setup step is *NOT* covered here. +==== + +NOTE: This procedure assumes that the server hosting the native deployment of ownCloud Classic 10 is different from the server hosting ownCloud Classic 11. This is because the _old_ server required a native PHP 7 environment. + +. Prepare the server hosting ownCloud Classic 11. +.. Plan your deployment with regards to the database and the cache that will be used. +.. For details see the xref:installation/installing_with_docker.adoc[Installing with Docker] documentation. +.. For more details see the xref:installation/mount_folder_structure.adoc[Mount Folder Structure] documentation. +.. Please note that starting the container with the default compose configuration will create an empty instance with a new database. This can be beneficial to see if the deployment works but needs to be adapted for the final setup. The generated data must be destroyed! + +. Enable maintenance mode on ownCloud Classic 10. + +. Disable any app that is enabled in ownCloud Classic 10. + +The old ownCloud apps were written in PHP 7. + +The updated ownCloud apps, which are now compliant with PHP 8, are embedded in the image. + +. On the new server, create mount points to bind mount the required Docker volumes. + +. Migrate the data directory. + +More details can be found in the xref:maintenance/migrate_owncloud/migrate-datadirectory.adoc[Migrate the Datadirectory] documentation. + +. Adapt the `docker-compose.yml` and the `.env` file to your needs. ++ +[IMPORTANT] +==== +* Migrate any configurations formerly added to config.php to an environment variable. +* Avoid redefining the `data` or `apps` directory based on your old config. Use the default settings the image provides. +* If any config setting has no environment variable, read the xref:configuration/important_notes.adoc[Important Configuration Notes] documentation for more details. +==== + +. Migrate all apps from ownCloud Classic 10 that are *NOT* part of ownCloud Classic 11 and PHP 8 compliant into the `/apps` directory. + +For more details see the xref:installation/apps_management_installation.adoc[Apps Management] documentation. + +. Bring up the ownCloud Classic 11 container. + +. Re-enable any available apps that were previously disabled. + +. Disable maintenance mode. + +. Enable user access via the proxy web server. diff --git a/modules/admin_manual/pages/maintenance/migrating.adoc b/modules/admin_manual/pages/maintenance/migrating.adoc deleted file mode 100644 index 8f001094c..000000000 --- a/modules/admin_manual/pages/maintenance/migrating.adoc +++ /dev/null @@ -1,121 +0,0 @@ -= Migrating ownCloud -:toc: right -:description: There are several situations where ownCloud needs to be migrated. - -== Introduction - -{description} - -The following scenarios are described here: - -. Migrating to a different host -. Migrating to a different domain -. Migrating from ownCloud Classic 10 to ownCloud Classic 11 - -Note that any database migration is not covered here. - -IMPORTANT: During the migration process, do not make any changes to the original system except to put it into maintenance mode. This ensures that, should anything unforeseen happen, you can revert to your existing installation and resume its availability while debugging the problem. - -== Maintenance Mode - -To issue any occ commands, you must enter the directory where the ownCloud compose file is located. - -* To enable maintenance mode, issue the following command: -+ -[source,bash,subs="attributes+"] ----- -cd /var/www/owncloud/ -{occ-command-example-prefix-docker} maintenance:mode --on ----- - -* To disable maintenance mode, issue the following command: -+ -[source,bash,subs="attributes+"] ----- -cd /var/www/owncloud/ -{occ-command-example-prefix-docker} maintenance:mode --off ----- - -== Migration - -=== Host Migration - -Migration to a different host is easy with Docker. - -. Enable maintenance mode -. Down the container -. Make the data available on the new host: -.. Either copy the Docker volume if not using a shared mount point to the new host, or -.. Create a new shared mount point -. Copy / adapt the compose yaml file to reflect your changes -. Bring up the container -. Disable maintenance mode - -=== Domain Migration - -As the ownCloud Classic 11 image provides an embedded Apache web server, you need a proxy to handle security and other web-related settings anyway. To migrate or add a domain, two steps are required: - -. Update your proxy server settings -. Update the ownCloud trusted domain settings - -==== Managing Trusted Domains - -All URLs used to access your ownCloud server must be white-listed in your configuration file, under the `trusted_domains` setting or via environment variables. Users are allowed to log into ownCloud only when they point their browsers to a URL that is listed in the `trusted_domains` setting. - -NOTE: This setting is important when changing or moving to a new domain name. You may use IP addresses and domain names. - -NOTE: The loopback address, `127.0.0.1`, is automatically white-listed, so as long as you have access to the physical server you can always log in. In the event that a load-balancer is in place, there will be no issues as long as it sends the correct `X-Forwarded-Host` header. - - -A typical configuration via the configuration file looks like this:: -+ --- -[source,php] ----- -'trusted_domains' => [ - 0 => 'localhost', - 1 => 'server1.example.com', - 2 => '192.168.1.50', -], ----- --- - -Here is an example of how this can be used from within a docker-compose.yml file:: -+ --- -In case of a docker based setup, the trusted_domains setting is controlled by the environment variables `OWNCLOUD_TRUSTED_DOMAINS` or `OWNCLOUD_DOMAIN`. The latter only takes effect, if `OWNCLOUD_TRUSTED_DOMAINS` is undefined and can provide one IP-address or hostname. `OWNCLOUD_TRUSTED_DOMAINS` can specify multiple values as a comma-separated list. For more details on environment variables see the xref:installation/installing_with_docker.adoc[Installing With Docker] documentation. - -This will allow access to ownCloud under two different names, and one IP-address, in addition to localhost and 127.0.0.1: - -[source,yaml,subs="attributes+"] ----- -services: - owncloud: - image: owncloud/server:{latest-server-download-version} - environment: - OWNCLOUD_TRUSTED_DOMAINS: "myowncloud.mydomain.com, myowncloud, 12.23.34.45" -... ----- --- - -=== ownCloud Classic Migration - -This section describes the migration of *ownCloud Classic 10* to *ownCloud Classic 11*, if ownCloud Classic 10 was installed natively. It only focuses on ownCloud but not on any migration of the database! - -Due to the wide range of installation types, the description focuses on the main steps rather than the details. When using encryption with the ownCloud Classic 10 instance, the openSSL requirements must be met without circumventing retired ciphers. See the ownCloud Classic 10 encryption documentation for more details. - -. Enable maintenance mode on ownCloud Classic 10 -. Create a mount point to bind mount the Docker volume. + -For more details see the xref:installation/mount_folder_structure.adoc[Mount Folder Structure] documentation. -. Install ownCloud Classic 11 using a bind mount and down the container. + -This will install/prepare ownCloud Classic 11 in a basic way but it is not configured to your needs. + -For details see: xref:installation/installing_with_docker.adoc[Installing With Docker]. -. Adapt the compose yaml file to your needs. + -Remove any environment variables from the compose file that are no longer relevant, such as those for the database. These settings are now covered by a new configuration file, see below. -. Migrate the `data/files` directory into `mount-point/files`. -. Migrate all apps from ownCloud Classic 10 that are NOT part of ownCloud Classic 11 into the `mount-point/apps` directory. + -For more details see the xref:installation/apps_management_installation.adoc[Apps Management] documentation. -. Make a copy of your existing `config.php` file *with a new name* and remove any setting that addresses the `data` directory and `apps` / `apps-external` directories into the `mount-point/config` directory. + -See the important note with regards to the config in the xref:installation/mount_folder_structure.adoc[Mount Folder Structure] documentation. -. Bring up the ownCloud Classic 11 container. -. Disable maintenance mode. diff --git a/modules/admin_manual/pages/maintenance/upgrading/manual_upgrade.adoc b/modules/admin_manual/pages/maintenance/upgrading/manual_upgrade.adoc index fe93ecc2a..38b8d8555 100644 --- a/modules/admin_manual/pages/maintenance/upgrading/manual_upgrade.adoc +++ b/modules/admin_manual/pages/maintenance/upgrading/manual_upgrade.adoc @@ -11,7 +11,7 @@ NOTE: This guide assumes that you have basic knowledge about Unix terminology, c NOTE: To run any occ commands, you must first change to the directory containing the Compose YAML file. -NOTE: Accessing the webroot of ownCloud needs extra compose configuration that is not covered here. +NOTE: Accessing the webroot of ownCloud needs extra deployment configuration that is not covered here. == General Preparation @@ -34,23 +34,25 @@ First, backup ownCloud and the server database as described in section xref:main === Review Third-Party Apps Review any installed third-party apps for compatibility with the new ownCloud release. Ensure that they are all disabled before beginning the upgrade. -Third party apps are all apps that are not distributed by {oc-marketplace-url}/publishers/owncloud[ownCloud] or not listed in xref:installation/apps_supported.adoc[Supported Apps in ownCloud]. +Third party apps are all apps that are not distributed by {oc-marketplace-url}/publishers/owncloud[ownCloud] or not listed in xref:installation/apps/apps_supported.adoc[Supported Apps in ownCloud]. . Disable Apps via Command Line + +-- This command lists all apps by and app version: -+ + [source,bash,subs="attributes+"] ---- {occ-command-example-prefix-docker} app:list ---- -+ + This command disables the app with the given : -+ + [source,bash,subs="attributes+"] ---- {occ-command-example-prefix-docker} app:disable ---- +-- . Disable via Browser + Go to menu:Settings[Admin > Apps] and disable all third-party apps. diff --git a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc index 9d335a4d9..e14f4d172 100644 --- a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc +++ b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc @@ -128,7 +128,7 @@ docker compose logs owncloud -f In a standard ownCloud installation the log level is set to `Normal`. -* To find any issues you need to raise the log level to `All` in your _additional_ xref:installation/configuration_notes.adoc#using-a-configuration-file[configuration file], or to *Everything* on your ownCloud Admin page. Please see xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] for more information on these log levels. +* To find any issues you need to raise the log level to `All` or to `Everything` via the `OWNCLOUD_LOG_LEVEL` environment variable or via your ownCloud Admin page. Please see xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] for more information on these log levels. * Some logging - for example JavaScript console logging - needs debugging enabled. + Edit the config and change `'debug' => false,` to `'debug' => true,` Be sure to change it back when you are finished. diff --git a/modules/admin_manual/pages/troubleshooting/path_filename_length.adoc b/modules/admin_manual/pages/troubleshooting/path_filename_length.adoc index 48119c1dd..46989dd43 100644 --- a/modules/admin_manual/pages/troubleshooting/path_filename_length.adoc +++ b/modules/admin_manual/pages/troubleshooting/path_filename_length.adoc @@ -10,7 +10,7 @@ Depending on the underlying filesystem of a mount point, the maximum length of a == Limitations -See the {fs-limits-url}[comparison of file systems] for in depth details on various filesystem path and file name limitations. +See the {fs-limits-url}[comparison of file systems, window=_blank] for in depth details on various filesystem path and file name limitations. NOTE: While a filesystem can handle the limits as described in the table below, applications like Explorer, Finder, the Shell or other apps may have issues handling these limits. See the special notes below the table. diff --git a/modules/admin_manual/pages/troubleshooting/providing_logs_and_config_files.adoc b/modules/admin_manual/pages/troubleshooting/providing_logs_and_config_files.adoc index f49664aa0..a6b08060e 100644 --- a/modules/admin_manual/pages/troubleshooting/providing_logs_and_config_files.adoc +++ b/modules/admin_manual/pages/troubleshooting/providing_logs_and_config_files.adoc @@ -29,7 +29,7 @@ Enable it if it was formerly disabled: === Generate via webUI To generate a config report using the webUI, navigate to: + -menu:Settings[Admin > General > "Generate Config report" > "Download ownCloud config report"]. +menu:Settings[Admin > General > "Generate Config report" > "Download ownCloud config report"] === Generate via Command Line @@ -49,19 +49,19 @@ menu:Settings[Admin > General > Log > "Download logfile"]. === Generate via Command Line -If the log file is too big, you will need to transfer it from the command line. By default it is named `owncloud.log` and located at the Docker Volume `/files`. +If the log file is too big, transferring it via the GUI may cause issues and you will need to do this from the command line. By default it is named `owncloud.log` and located at the Docker Volume `/files`. -Note that you may need to compress the logfile before uploading. +The location of the logfile can be customized. -When not using the default location for the logfile, it can be specified via your _additional_ xref:installation/configuration_notes.adoc#using-a-configuration-file[configuration file]: +include::partial$manual_config_file.adoc[] + +NOTE: You must create a Docker Volume to make the configured path available to the host. [source,php] ---- 'logfile' => '/owncloud.log', ---- -NOTE: You must create a Docker Volume to make the configured path available. - == LDAP Config If LDAP is used, viewing the LDAP configuration is important when checking for errors between your ownCloud instance and your LDAP server. To get the output file, execute this command: diff --git a/modules/admin_manual/partials/manual_config_file.adoc b/modules/admin_manual/partials/manual_config_file.adoc new file mode 100644 index 000000000..4f0fb9cad --- /dev/null +++ b/modules/admin_manual/partials/manual_config_file.adoc @@ -0,0 +1 @@ +IMPORTANT: This setup requires a configuration with configuration keys. No environment variables are available. See the xref:configuration/important_notes.adoc[Important Configuration Notes] documentation for details. diff --git a/modules/admin_manual/partials/nav.adoc b/modules/admin_manual/partials/nav.adoc index 07dbac6b5..86c025994 100644 --- a/modules/admin_manual/partials/nav.adoc +++ b/modules/admin_manual/partials/nav.adoc @@ -6,19 +6,23 @@ ** xref:admin_manual:gdpr.adoc[GDPR] ** Installation -*** xref:admin_manual:installation/deployment_considerations.adoc[Deployment Considerations] -*** xref:admin_manual:installation/deployment_recommendations.adoc[Deployment Recommendations] -**** xref:admin_manual:installation/deployment_recommendations/clustered_shared_storage.adoc[Clustered Deployments with Shared Storage] -**** xref:admin_manual:installation/deployment_recommendations/nfs.adoc[NFS] +*** Deployment +**** xref:admin_manual:installation/deployment/deployment_considerations.adoc[Deployment Considerations] +**** xref:admin_manual:installation/deployment/deployment_recommendations.adoc[Deployment Recommendations] +**** xref:admin_manual:installation/deployment/deployment_recommendations/clustered_shared_storage.adoc[Clustered Deployments with Shared Storage] +**** xref:admin_manual:installation/deployment/deployment_recommendations/nfs.adoc[NFS] *** xref:admin_manual:installation/system_requirements.adoc[System Requirements] *** xref:admin_manual:installation/installing_with_docker.adoc[Installing With Docker] *** xref:admin_manual:installation/create_own_image.adoc[Create an own Docker Image] *** xref:admin_manual:installation/mount_folder_structure.adoc[Mount Folder Structure] -*** xref:admin_manual:installation/configuration_notes.adoc[Configuration Notes] -*** xref:admin_manual:installation/apps_management_installation.adoc[Apps Management] -**** xref:admin_manual:installation/apps_supported.adoc[Supported Apps] +*** Apps +**** xref:admin_manual:installation/apps/apps_management_installation.adoc[Apps Management] +**** xref:admin_manual:installation/apps/apps_supported.adoc[Supported Apps] ** Configuration + +*** xref:admin_manual:configuration/important_notes.adoc[Important Notes] +*** xref:admin_manual:configuration/envvars/envvars.adoc[Environment Variables] *** xref:admin_manual:configuration/database/linux_database_configuration.adoc[Database Configuration] *** xref:admin_manual:configuration/files/encryption/index.adoc[Encryption] @@ -114,10 +118,11 @@ **** xref:admin_manual:maintenance/backup_and_restore/restore.adoc[Restore] *** xref:admin_manual:maintenance/enable_maintenance.adoc[Maintenance Mode] *** xref:admin_manual:maintenance/export_import_instance_data.adoc[Export and Import Instance Data] -*** xref:admin_manual:maintenance/manually-moving-data-folders.adoc[Manually Moving Data Folders] *** Encryption **** xref:admin_manual:maintenance/encryption/migrating-from-user-key-to-master-key.adoc[Migrating from User Key to Master Key Encryption] -*** xref:admin_manual:maintenance/migrating.adoc[Migrating ownCloud] +*** Migrating ownCloud +**** xref:admin_manual:maintenance/migrate_owncloud/migrating.adoc[Migrating an Instance] +**** xref:admin_manual:maintenance/migrate_owncloud/migrate-datadirectory.adoc[Migrate the Datadirectory] *** xref:admin_manual:maintenance/migrating_to_kiteworks.adoc[Migrating to Kiteworks PDN] *** xref:admin_manual:maintenance/migrating_to_ocis.adoc[Migrating to ownCloud Infinite Scale]