Docker image for ownCloud with security in mind.
Why using this image
- It is directly based on Debian stable. No additional image layers which blow up the total image size and might be a security risk.
- Uses nginx as webserver.
- Hardened TLS configuration.
- Generates unique Diffie-Hellman parameters to mitigate precomputation-based attacks on common parameters. Refs: Guide to Deploying Diffie-Hellman for TLS.
- Local caching enabled by default (APCu).
- Installs the ownCloud tarball directly from https://owncloud.org/ and it securely verifies the GPG signature.
- Makes installing third-party apps easy and keeps them across updates.
- The occ command can be used just by typing docker exec -ti $owncloud_container_name occ.
- ownCloud can only be updated by redeploying the container. No update via the web interface is possible. The ownCloud installation is fully contained in the container and not made persistent. This allows the ownCloud installation to be write-protected for the webserver and PHP which run as
- Automated database update on ownCloud update during the startup of a redeployed/updated container.
Getting the image
You have two options to get the image:
- Build it yourself with
- Download it via docker pull jchaney/owncloud (automated build).
ownCloud up and running
Check out the Makefile for an example or just run make owncloud, which will set up an ownCloud container instance (called "owncloud"). After that, just head over to http://localhost/ and give it a try. You can now create an admin account. For testing purposes you can use SQLite (but remember to use a real database in production).
Running ownCloud in production
Set up a separate container running your database server and link it to the ownCloud container.
For running in production, you need to provide a TLS key and certificate. The
Makefile defaults to
/etc/ssl/certs/ssl-cert-snakeoil.pem. Make sure those files exist or extend
the Makefile (you can include this Makefile and overwrite some variables in
your own Makefile).
You might also want to change variables like
docker_owncloud_permanent_storage to define where the persistent data will be
To generate self-signed ones, you can run the following command:
To set up ownCloud with MariaDB as backend, just run:
In the initial ownCloud setup, you need to supply the database user, password, database name and database host which you can look up via:
Note that this command also shows you the MariaDB root password which you need to write down because you will not be able to access it later (after you run
make owncloud-production again to update the containers, the passwords will be different and not match the ones which are actually used).
That should be it :smile:
Update your container and ownCloud
It is recommended to rebuild/pull this image on a regular basis and redeploy your ownCloud container(s) to get the latest security fixes.
Note that ownCloud version jumps are uploaded to the
latest tag of this image once they are tested. You might want to watch this repository to see when this happens.
Once the ownCloud image is up-to-date, just run:
to update your container. ownCloud usually requires a database update when the version of ownCloud is bumped. This process has been automated for this Docker image but remember that you are still in charge of making backups/snapshots prior to updates!
Installing third-party apps
Just write the command(s) needed to install apps in a configuration file and make sure it is present as
/owncloud/3party_apps.conf in your container.
You can also run this image with docker-compose. First you need to declare all env variables since docker-compose does not (yet) support default variables.
# Where to store data and database ?
export docker_owncloud_permanent_storage="~/owncloud_data"
# SSL Certificates to use.
export docker_owncloud_ssl_cert="../certs/cloud.cert"
export docker_owncloud_ssl_key="../certs/cloud.key"
# Servername
export docker_owncloud_servername="localhost"
export docker_owncloud_http_port="80"
export docker_owncloud_https_port="443"
export docker_owncloud_in_root_path="1"
export docker_owncloud_mariadb_root_password=$(pwgen --secure 40 1)
export docker_owncloud_mariadb_user_password=$(pwgen --secure 40 1)
export image_owncloud="jchaney/owncloud"
export image_mariadb="mysql"
That's all !
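A preflight check for the variables and certificate paths above, as an added example that is not part of this project; the function name owncloud_preflight and its finding labels are assumptions. It reports unset variables, the snakeoil default, unreadable certificate or key files, and a private key that is readable by group or others.

```shell
#!/bin/sh
# Added example, not from the project: owncloud_preflight and its finding
# labels are assumed names. Run it after the exports, before docker-compose.

# Variables the page exports for docker-compose (no defaults are applied).
OWNCLOUD_REQUIRED_VARS="docker_owncloud_permanent_storage
docker_owncloud_ssl_cert docker_owncloud_ssl_key docker_owncloud_servername
docker_owncloud_http_port docker_owncloud_https_port
docker_owncloud_in_root_path docker_owncloud_mariadb_root_password
docker_owncloud_mariadb_user_password image_owncloud image_mariadb"

# Prints one finding per line and returns 0 only when there are none.
# The body runs in a subshell so its helper variables do not leak.
owncloud_preflight() (
    nl='
'
    findings=""
    for name in $OWNCLOUD_REQUIRED_VARS; do
        # eval is safe here: names come only from the fixed list above.
        eval "value=\${$name:-}"
        [ -n "$value" ] || findings="${findings}unset:${name}${nl}"
    done

    cert="${docker_owncloud_ssl_cert:-}"
    key="${docker_owncloud_ssl_key:-}"
    # The Makefile defaults to ssl-cert-snakeoil.pem; flag it for production.
    case "$cert $key" in
        *snakeoil*) findings="${findings}snakeoil-default${nl}" ;;
    esac
    for file in "$cert" "$key"; do
        [ -n "$file" ] || continue
        [ -r "$file" ] || findings="${findings}unreadable:${file}${nl}"
    done
    # A key readable by group or others is exposed to other local accounts.
    if [ -n "$key" ] && [ -r "$key" ]; then
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            *00) ;;
            *) findings="${findings}key-permissions:${mode}${nl}" ;;
        esac
    fi

    printf '%s' "$findings"
    [ -z "$findings" ]
)
```

Relative certificate paths are resolved against the current directory, so call the function from the directory you run docker-compose in.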
Uses Apache as webserver and is based on the official Docker PHP image.
Uses Apache as webserver and is based on a self-built LAMP stack based on Arch Linux.
Automation framework for setting up ownCloud on any Debian based system. This offers much
more flexibility and is not limited to Docker. So you can set up an ownCloud
instance in a KVM virtual machine and/or a LXC container for example.
This role is part of the DebOps project which allows
you to automate all the steps mentioned above (setting up a Hypervisor host with
support for KVM and/or LXC, setting up the virtual machine/container and
installing Webserver/PHP/Database and finally ownCloud).
The real fun with this approach begins when you manage multiple instances
because Ansible and this role allow you to run actions like ownCloud updates
or enabling apps or the like on all your instances automatically.
The current maintainer is Robin
List of previous maintainers:
If you get "Command not found" for any of the programs used then install it (make sure you know what you are doing).
Your distribution packages: You should find missing dependencies from the errors yourself. It's your machine, you're supposed to know it.
This project is distributed under GNU Affero General Public License, Version 3.
I finally figured it out, modify the owncloud/.user.ini in where you store the container
works great ! thanks !
But how to modify the max upload size ?
in the admin console, there's a limit to 513M
But the config file in the docker shows it should be 10G ?
Thanks for this image, but I cannot make it work... I use it with Nginx Reverse Proxy and owncloud redirects me from http://mycloud.mydomain to https://localhost (which fails because I'm not on the localhost)... Reading Dockerfile, owncloud config must be volume mounted in /owncloud but how to know if it's actually read or what can be wrong?
Thanks in advance !
Hey thx, it's pretty cool. I still have to check out if the webdav stuff is working as well.
How can I change the subdomain/owncloud to subdomain?
Just to say thanks ! I used your automated build to make mine aries4/owncloud (v8, mysql, http only), in order to present this project at my school.
Thanks a lot !
still working well, thank you, but path is at xxx.com/owncloud
docker run -h xxx.com -d \
--name srv-oc \
--link db-oc:db \
-v /opt/dockx/oc/files:/var/www/owncloud/data \
-v /opt/dockx/oc/logs/nginx:/var/log/nginx \
-v /opt/dockx/oc/logs/cron:/var/log/cron \
if working with jwilder/docker-nginx-proxy1
-e 'VIRTUAL_HOST=xxx.com' \
Getting permission error(s) on fresh Fedora 21 or CentOS 7 (official) cloud images:
sudo docker run -h oc.mydomain.com -p 443:443 --name owncloud -v /mnt/files:/var/www/owncloud/data -v /home/fedora/ssl:/root/ssl -e "SSL_KEY=/root/ssl/oc.mydomain.com.key" -e "SSL_CERT=/root/ssl/oc.mydomain.com.cert" jchaney/owncloud
Copying nginx.conf with SSL support..
chown: cannot read directory '/var/www/owncloud/data': Permission denied
Starting server..
==> /var/log/nginx/access.log <==
==> /var/log/nginx/error.log <==
2015/01/14 17:15:15 [emerg] 34#0: BIO_new_file("/root/ssl/oc.mydomain.cert") failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/root/ssl/oc.mydomain.com.cert','r') error:2006D002:BIO routines:BIO_new_file:system lib)
'mydomain' is actually a real domain when testing.
If I get the concept of docker correctly, images should be stateless. To achieve this, add
this will store the database setup outside of the image as well, allowing you to do a
docker stop owncloud
docker rm owncloud
docker pull jchaney/owncloud
docker run ...
without losing any data for upgrades etc.
@kedrigern: Problem is that at the
localhost:8383 is nothing. App is at link:
I have this problem too - doesn't work at localhost. When I run:
docker run -d --name "ocloud-db" -e "POSTGRES_PASSWORD=password" postgres:9
docker run -d --name "ocloud" --link "ocloud-db:db" \
  -v "/opt/docker/ocloud/data:/var/www/owncloud/data" \
  -p "8383:80" \
  "jchaney/owncloud:latest"
I get this error via
Copying nginx.conf without SSL support..
Starting server..
==> /var/log/nginx/access.log <==
==> /var/log/nginx/error.log <==
2015/01/03 15:28:34 [error] 32#0: *1 directory index of "/var/www/" is forbidden, client: 172.17.42.1, server: , request: "GET / HTTP/1.1", host: "localhost:8383"
2015/01/03 15:28:34 [error] 32#0: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.17.42.1, server: , request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost:8383"
I have Fedora 21, SELinux in Permissive mode. Run via sudo. With other containers I have no problems.