Improvements for Nethserver-Collabora

mark_nl · February 17, 2021, 1:12pm

Continuing this discussion here in this wiki-fied post…

(recap) The objective are :

Improve stability on updates in non interactive shells.
If the NS instance you install nethserver-collabora on has nethserver-nextcloud installed and is the DNS-server: it should work out-off the box on virtual/wopi host collabora.server-domain except for the certificate issue
If a loolwsd VirtualHost prop is set it respects this.
Redirect http > https on virtualhost except for acme http-01 challenge
If the virtual/wopi host does not have a valid cert and nethserver-nextcloud is installed on the same instance try to Disable certificate verification
Enable certificate verification on certifate-save event if the cert is valid.
Update documentation in README/documentation/wiki :
- Reflect the changes made about what the package does.
- Provide documentation to include exception in web-browser if cert is invalid.
- Provide documentation to set AllowWopiHost if Nextcloud runs on an other instance.
Update CODE-brand, loolwsd, collaboraoffice6.x

For the time being enabled issues in my fork to get a bit organized before opening an issue in Nethserver/dev.

(moderator(s) feel free to merge 7 to 14 into this post )

mark_nl · February 17, 2021, 1:30pm

And have a question for more experienced @dev_team members:

github.com

markVnl/nethserver-collabora/blob/344d84e569166833a806f49faf90616237e6eb40/root/etc/e-smith/events/actions/nethserver-collabora-conf#L53


      
              WopiUrl=`config getprop loolwsd VirtualHost`
          else
              WopiUrl=collabora.`config get DomainName`
          fi
          
          #Configure Nethserver-Nextcloud
          if [[ -x "/usr/local/sbin/occ" ]]; then
              /usr/local/sbin/occ app:install richdocuments
              /usr/local/sbin/occ app:enable richdocuments
              /usr/local/sbin/occ config:app:set richdocuments wopi_url --value=https://$WopiUrl
              /usr/bin/curl https://$WopiUrl > /dev/null 2>&1
              if [ $? -eq 60 ]; then
                  /usr/local/sbin/occ config:app:set richdocuments disable_certificate_verification --value=yes
              else
                  /usr/local/sbin/occ config:app:set richdocuments disable_certificate_verification --value=''
              fi
              /usr/local/sbin/occ richdocuments:activate-config
          fi

I want to move line 53 … 58 into an separate action (lets say nethserver-collabora-check-wopi-cert) which can scubribe to a certificate-save event.

How do I call this action on this place in nethserver-collabora-conf ?
(this to prevent code duplication)

stephdl · February 17, 2021, 2:35pm

action takes a number to start before or after the template, and before or after the service start in your createlinks

basically you launch the action

0 < action number < 10 before template expand
10 < action number < 90 after the template expand but before the service start
90 < action number < 100 after the service has been restarted.

in your case create an action with the 21 number

github.com

markVnl/nethserver-collabora/blob/344d84e569166833a806f49faf90616237e6eb40/createlinks#L9


#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
my $event = 'nethserver-collabora-update';
event_actions($event, qw(
             initialize-default-databases 00
             nethserver-collabora-conf 20
));
event_templates($event, qw(
  /etc/httpd/conf.d/zz_collabora.conf
));
event_services($event, qw(
               httpd reload
               loolwsd restart
));

this will start you action after the nethserver-collabora-conf

mark_nl · February 17, 2021, 2:58pm

stephdl:

0 < action number < 10 before template expand
10 < action number < 90 after the template expand but before the service start
90 < action number < 100 after the service has been restarted.

Did not known this, learned something (tk)

Ideally it is in between the if statement;
However setting up the wopi_url and check the certificate can be done in a separate action.

Only downside is the wopi_url is set upon every certificate-save event. I can live with this.

stephdl · February 17, 2021, 3:02pm

I did not dive in the code but you can do something like this

my $event = 'nethserver-collabora-update';

event_actions($event, qw(
             initialize-default-databases 00
             nethserver-collabora-conf 20
             newAction                         21
));

$event = 'certificate-save';

event_actions($event, qw(
             newAction                         numberYouNeed
));

stephdl · February 17, 2021, 3:06pm

check in the messages log transaction when you need to start your action

mark_nl · February 17, 2021, 10:13pm

except for the above, think i’v got the objectives. Running some tests and - out of time here.

Feel free to commend/review/scrutinize the changes I made:

mrmarkuz · February 18, 2021, 1:08am

I tested on a running server and a fresh install on a VM but no success this time.
I got an unauthorized wopi host error on the running server and on the VM the connection to the wopi host could not be established…

When the loolwsd virtualhost prop is unset, the Nextcloud app is not configured and collabora.server-domain is not set as wopi_url.

I think something like this would be needed (or maybe use a variable wopiurl when calling occ to have less code) :

#Configure Nethserver-Nextcloud

if [[ -x "/usr/local/sbin/occ" ]]; then

  /usr/local/sbin/occ app:install richdocuments

  if [[ -n `config getprop loolwsd VirtualHost` ]]; then

    /usr/local/sbin/occ config:app:set richdocuments wopi_url --value=https://`config getprop loolwsd VirtualHost`

  else

    /usr/local/sbin/occ config:app:set richdocuments wopi_url --value=https://collabora.`config get DomainName`

  fi

fi

/usr/local/sbin/occ app:enable richdocuments

After that change it’s configured but still not working, so maybe some new/changed loolwsd settings like localhost or IPV4 are a problem.

The cert check seems not working, it’s always set to disable cert verification.

I’m going to do some more tests tomorrow…thanks for your work!

mark_nl · February 18, 2021, 8:02am

hmm, works here

Did you clone my git-repo and locally build nethserver-collabora on the tlc_wip branch to include the commits made so-far?
(NOTE: I tend to --force push on wip-branches to keep it tidy in the end)

As said before have an dns entry in the lan-dnsserver for collabora.server-domain
If curl can not resolve collabora.server-domain it will not exit 60 on an un-trusted cert here:

github.com

markVnl/nethserver-collabora/blob/321593f858941d90e168ca133f951ad2746c38a3/root/etc/e-smith/events/actions/nethserver-collabora-set-wopi-url#L33


      
          if [[ -x "/usr/local/sbin/occ" ]]; then
          
              if [[ -n `config getprop loolwsd VirtualHost` ]]; then
                  WopiUrl=`/sbin/e-smith/config getprop loolwsd VirtualHost`
              else
                  WopiUrl=collabora.`/sbin/e-smith/config get DomainName`
              fi
          
              /usr/local/sbin/occ config:app:set richdocuments wopi_url --value=https://$WopiUrl
              
              /usr/bin/curl https://$WopiUrl > /dev/null 2>&1
              if [ $? -eq 60 ]; then
                  /usr/local/sbin/occ config:app:set richdocuments disable_certificate_verification --value=yes
              else
                  /usr/local/sbin/occ config:app:set richdocuments disable_certificate_verification --value=''
              fi
              
              /usr/local/sbin/occ richdocuments:activate-config
              
          fi

mark_nl · February 18, 2021, 8:45am

Have one strange quirk:
Always need to refresh my (firefox) browser to open a new document

mrmarkuz · February 18, 2021, 8:57am

No, I didn’t checkout the tlc_wip branch.
Tests will follow…

EDIT:

When using the correct branch it’s working like a charm.

Just for info: I needed to browse to collabora.server-domain first and allow the self signed cert in Firefox else Collabora shows an error where it’s not possible to allow the cert.

Same here with Firefox and Chrome.

There’s an open issue:

github.com/nextcloud/richdocuments

Editor is not started on creation of a new document

opened 09:31PM - 03 Feb 21 UTC

closed 09:43AM - 17 Mar 21 UTC

y0va

When I press on *New Document* in the files view of nextcloud, only a new filena…me with empty icon appears in the list and lool is not started. When I reload the page, a standard icon is displayed for the file, and when I click on it lool starts. **Expected behavior** lool shall start when I create a new document. **Screenshots** ![image](https://user-images.githubusercontent.com/21321805/106811245-58f7c280-666e-11eb-812f-1b1e67110974.png) **Client details:** - OS: Manjaro - Browser firefox 85 - Device: desktop ## Server details **Operating system**: debian 10 **Web server:** nginx **Database:** mariadb **PHP version:** 7.3 **Nextcloud version:** 20.0.7.1 **Version of the richdocuments app** 3.7.14 **Version of Collabora Online** 6.4.10.20-20 <details> <summary>Logs</summary> #### Browser log a) The javascript console log ``` Uncaught TypeError: n.$file is undefined onEdit files.js:75 openWithTemplate files.js:268 _createDocumentFromTemplate NewFileMenu.js:107 jQuery 7 _createDocumentFromTemplate NewFileMenu.js:99 _openTemplatePicker NewFileMenu.js:129 jQuery 7 _openTemplatePicker NewFileMenu.js:123 actionHandler NewFileMenu.js:41 _promptFileName merged-index.js:11208 jQuery 9 _promptFileName merged-index.js:11185 jQuery 10 _promptFileName merged-index.js:11182 _onClickAction merged-index.js:11118 jQuery 2 files.js:75:48 onEdit files.js:75 openWithTemplate files.js:268 _createDocumentFromTemplate NewFileMenu.js:107 jQuery 7 _createDocumentFromTemplate NewFileMenu.js:99 _openTemplatePicker NewFileMenu.js:129 jQuery 7 _openTemplatePicker NewFileMenu.js:123 actionHandler NewFileMenu.js:41 _promptFileName merged-index.js:11208 jQuery 9 _promptFileName merged-index.js:11185 jQuery 10 _promptFileName merged-index.js:11182 _onClickAction merged-index.js:11118 _onClickAction self-hosted:1176 jQuery 2 ``` ``` GEThttps://cld.freedomhost.de/index.php/core/preview.png?file=%2F%2Ftest_document3.odt&c=5ccf4f122742ae5ff3c2add958d3e38f&x=250&y=250&forceIcon=0 [HTTP/1.1 404 Not Found 1246ms] GET https://cld.freedomhost.de/index.php/core/preview.png?file=//test_document3.odt&c=5ccf4f122742ae5ff3c2add958d3e38f&x=250&y=250&forceIcon=0 Status404 Not Found VersionHTTP/1.1 Transferred695 B (2 B size) Referrer Policyno-referrer Cache-Control no-cache, no-store, must-revalidate Connection keep-alive Content-Length 2 Content-Security-Policy default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' Content-Type application/json; charset=utf-8 Date Wed, 03 Feb 2021 21:29:16 GMT Expires Thu, 19 Nov 1981 08:52:00 GMT Feature-Policy autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' Pragma no-cache Referrer-Policy no-referrer Server nginx/1.14.2 X-Download-Options noopen X-Frame-Options SAMEORIGIN X-Permitted-Cross-Domain-Policies none X-Robots-Tag none X-Robots-Tag none X-XSS-Protection 1; mode=block Accept image/webp,*/* Accept-Encoding gzip, deflate, br Accept-Language en-US,en;q=0.5 Connection keep-alive Cookie ---redacted--- Host cld.freedomhost.de User-Agent Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 ``` </details>

mark_nl · February 18, 2021, 9:54am

Great feedback again

Same here, guess this needs to be documented (same behavior with M$-Edge).

mrmarkuz · February 18, 2021, 10:04am

Good idea, just to avoid support questions.
Onlyoffice has the same browser issue when using self signed certs.

mark_nl · February 18, 2021, 10:22am

In the end of the day a lot of the possible hickups can be avoided if (default) setup on installation can run on the default virtualhost (ie server FQDN) instead of a virtual host.

No worries about dns settings
If the certificate is invalid the user might have made a exception for this…
Would use the (valid) let’s encrypt cert of the server if requested by the user…

Risk is nethserver-collabora breaks the default virtualhost. Would be a bit more comfortable if loolwsd had it’s own location like /loolwsd (Server-FQDN/loolwsd) and we (Reverse)ProxyPass from there.

mark_nl · February 18, 2021, 7:29pm

My knowledge of the Apache web-server (or web-servers in general to be precise) falls to short to accomplish this.

If someone can make it work, post your configs.
And I’ll try to make a template for it.

mark_nl · February 20, 2021, 9:48am

@syntaxerrormmm found a bug

It is addressed in my tcl-wip branch and to make our live easy opened a PR to invoke the (nethbot) auto-build.

(ATM: nethserver-collabora-0.1.2-1.9.pr7.gfb51eaf.ns7.noarch.rpm)

stephdl · February 20, 2021, 10:41am

what is the state of collabora and php73, I saw it is not released ?

mark_nl · February 20, 2021, 10:54am

If you mean using the same rh-php7x nethserver-nextcloud depends on;
It is fixed and released using the wrapper provided by nethserver-nextcloud.

stephdl · February 20, 2021, 10:58am

what rpm number, I installed yesterday and I use the older php version I bet…

fixed yes but released sure ?

my rpm version are

[root@ns1 ~]# rpm -qa | grep collabora
collaboraoffice6.2-ure-6.2.10.3-3.x86_64
collaboraoffice6.2-6.2.10.3-3.x86_64
collaboraofficebasis6.2-draw-6.2.10.3-3.x86_64
collaboraofficebasis6.2-writer-6.2.10.3-3.x86_64
collaboraofficebasis6.2-core-6.2.10.3-3.x86_64
collaboraofficebasis6.2-images-6.2.10.3-3.x86_64
collaboraofficebasis6.2-impress-6.2.10.3-3.x86_64
collaboraofficebasis6.2-ooolinguistic-6.2.10.3-3.x86_64
collaboraofficebasis6.2-calc-6.2.10.3-3.x86_64
collaboraofficebasis6.2-graphicfilter-6.2.10.3-3.x86_64
collaboraofficebasis6.2-ooofonts-6.2.10.3-3.x86_64
nethserver-collabora-0.1.2-1.ns7.noarch
collaboraofficebasis6.2-extension-pdf-import-6.2.10.3-3.x86_64
collaboraofficebasis6.2-en-US-6.2.10.3-3.x86_64

mark_nl · February 20, 2021, 11:01am

Yes this includes the fix for rh-php7x