jLuger.de - Owncloud in home directory

This is the first of three blog posts about moving data back from the cloud to my local network. With the rising of smartphones and tablets more and more people got the need to synchronize data between computers (yes, I see tablets and smartphones as computers). Even the tech-savvy user got troubles as the traditional ways of syncing didn't work with the new devices. Cloud providers where happy to get a chance for business and offered solutions. There is only one big problem. As FSFE says it There is no cloud, just other people's computers. Putting data on other peoples computer means to give other people access to your data. Here I describe my effort to keep some of my data in my own network and not to just switch the person to which I give them (as other articles about Google tend to do it). As a tool for this I've chosen owncloud.

Installing owncloud in a directory under control of a webserver with PHP support is easy. The hard part starts when you want to get the data in your home directory. A word of warning: You don't want the data in a home directory when the owncloud serves multiple users. In fact you don't need to continue to read on. All the setup here is setup on three facts:

At first I wanted to use nginx as the webserver but despite several tutorials I couldn't get it to use a custom directory/run it as non-root. A search for alternatives brought me to lighttpd. From there I've got to php5-fpm for the php part.

For an overview to a complete setup see this Dockerfile that I've created to test my setup:
FROM ubuntu:15.10

RUN useradd -ms /bin/bash ocuser

apt-get update && \
apt-get -y upgrade && \
apt-get install -y lighttpd && \
apt-get install -y php5-fpm && \
apt-get install -y crudini && \
apt-get install -y php5-sqlite php5-curl php5-gd

#RUN \
# systemctl disable lighttpd && \
# systemctl stop lighttpd && \
# systemctl disable php5-fpm && \
# systemctl stop php5-fpm && \
RUN crudini --set /etc/php5/fpm/php.ini PHP cgi.fix_pathinfo 1

USER ocuser
WORKDIR /home/ocuser

mkdir ocwd && \
cd ocwd && \
mkdir -p www/html && \
mkdir -p log/lighttpd && \
mkdir run && \
mkdir upload && \
mkdir ssl && \
mkdir compress

WORKDIR /home/ocuser/ocwd

ADD data/*.pem ssl/
ADD data/*.conf ./
ADD data/start_cloud.sh ./
ADD data/owncloud-8.2.2.tar.bz2 www/html/

USER root
RUN chown -R ocuser.ocuser www/html
USER ocuser

CMD ["/bin/sh", "start_cloud.sh"]
A warning first: I only used docker to easily test my setup multiple time on a new system and not to have to deal with cleaning up or living with a spoiled system. That's where docker comes in very handy as it is easy to throw away a system and recreate it. By no means you should use the script to run ownlcoud. For this there are better docker images.
The update of the system at the top of my script is good when you use the Dockerfile only occasionally. During development you better put it in its own file and use an image created with it as a base. It is no fun to always wait for the updates. Even not for the small images used here.
You also see some commands that are commented out. It turned out that under docker there is no systemd running. For a installation at a normal system you want to run them.
The ADD of owncloud-8.2.2.tar.bz2 is actually just an unpack with some "right corruptions". To fix this I've added the chown at the end. On my actual machine I didn't need it.

As for the config files that are added to the system, here is the one for lighttpd:
server.modules = (
# "mod_rewrite",

var.mybase_dir = "/home/ocuser/ocwd"

server.document-root = mybase_dir+"/www/html"
server.errorlog = mybase_dir+"/log/lighttpd/error.log"
server.pid-file = mybase_dir+"/run/lighttpd.pid"
server.port = 8079
server.upload-dirs = (mybase_dir+"/upload")

ssl.engine = "enable"
ssl.pemfile = mybase_dir+"/ssl/host.pem"
ssl.ca-file = mybase_dir+"/ssl/ca-chain.cert.pem"

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = mybase_dir+"/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
## Use ipv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
fastcgi.server = ( ".php" =>
"socket" => mybase_dir+"/php5-fpm.sock",
"brocken-scriptfilename" => "enable"
$HTTP["url"] =~ "^/owncloud/data" {
url.access-deny = ("")
Please take a look at the line
#include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
I have tested the config on Ubuntu 15.10 in VirtualBox and the line wasn't commented out. I have tested the config in Ubuntu 15.10 in a docker container and the line wasn't commented out. I've installed the config on my real computer also running Ubuntu 15.10 and the line needed to get away. Argh.

As you see in the lighttpd config I've used php5-fpm for the PHP part. The config is the following:
error_log = /home/ocuser/ocwd/log/fpm-error.log
listen = /home/ocuser/ocwd/php5-fpm.sock
listen.owner = ocuser
listen.group = ocuser
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

The pem files are worth their own blog post so I won't describe them here.

To start the webserver and the PHP parser I've created the following start script:

lighttpd -D -f lighttpd.conf &
php5-fpm -F -y fpm.conf &
read line
kill $PHP_PID
kill $HTTP_PID
If you look closely you will find out that I've used for both programs a parameter to force them in the foreground and then send them to the background with "&". That's necessary to get their PID. Letting them go to the background by themselves wouldn't give me the PID to stop them.
Oh and the version for docker ended right before the second "&" or else it would keep the system running.

Update 14.05.2016
For ubuntu 16.04/PHP7 see this post for required packages.

This post is part of a series: