Migrating Nextcloud to OpenSUSE 16.0

Migrating my Nextcloud instance to OpenSUSE 16.0 is not totally transparent since the 16.0 makes a number of key changes - namely replacing yast with a mixture of myrlyn (for Software Management) and cockpit (for other management tasks), and replacing AppArmor with SELinux.  

So here goes...

First of all, the new installer for OpenSUSE, agama, is still a bit rough round the edges. While a bit more up-to-date in the looks department, and probably easier to use for a novice, it has a few design issues. If you don't want the standard setup, it's not entirely clear what to click on to edit which installation settings. Sometimes it's a button, sometimes a menu, sometimes a non-highlighted clickable bit of text. In that respect the old installer was rather better. 

Anyway, I wanted to not use BTRFS this time just so the Nextcloud console didn't show me the same repeated details for every subvolume since OpenSUSE creates them in abundance. Since I rsnapshot the vital parts of the volume daily I'm not risking much. 

So, logging this somewhat on-the-fly as I do things...  

1. Install with LAMP and Desktop profiles
1. ...and discover cockpit isn't installed
2. ...and discover updates aren't installed (unlike the old installer) 
2. Run myrlyn and install updates
3. Run myrlyn and install cockpit, and cockpit-client-launcher
1. Discover a weird broken dependency incompatibility with busybox-hostname
2. Solution is to select the "deinstall busybox-hostname" option
3. systemctl enable cockpit.socket 
4. systemctl start cockpit.socket 
5. Edit application menu to move cockpit client launcher from the Internet section to the System section because that bugs me
4. Run myrlyn and install the various PHP dependencies that Nextcloud needs
5. Tweak /etc/php8/apache2/php.ini and /etc/php8/apache2/php.ini to meet Nextcloud requirements (see link above)
6. Fire up cockpit client launcher and start+enable apache and mariadb
7. Run mysql_secure_installation to clean things up and set a secure root password
8. Run the commands to set up the nextcloud user and database:
   CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
   CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
   GRANT ALL PRIVILEGES on nextcloud.* to 'username'@'localhost';
9. Run the command the restore the Nextcloud database backup
   mysql -h [server] -u [username] -p[password] [db_name] < nextcloud-sqlbkp.bak
10. Restore /srv/www and /srv/data directories from backup
11. Edit /etc/sysconfig/apache2 to make sure the modules ssl, headers and rewrite are included, and it starts with the SSL option
12. Restore /etc/apache2 from backup - includes vhosts definitions and ssl details
13. Run myrlyn and install certbot, and cerbot-systemd-timer
14. Restore /etc/letsencrypt from backup 
15. Tweak SELinux to allow webserver write access to nextcloud directories 
    semanage fcontext -a -t httpd_sys_rw_content_t '/srv/data(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/htdocs/nextcloud/config(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/htdocs/nextcloud/apps(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/htdocs/nextcloud/.htaccess'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/htdocs/nextcloud/.user.ini'
    semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/htdocs/nextcloud/3rdparty/aws/aws-sdk-php/src/data/logs(/.*)?'
16. Update restored Nextcloud files to match SELinux policies
    restorecon -Rv '/srv/www/htdocs/nextcloud/'
    restorecon -Rv '/srv/data/'
17. Allow web updates (slightly naughty)
    setsebool -P httpd_unified on
18. Go into cockpit and add ports 80 and 443 to the firewall rules 
19. Allow PHP jit to work
    setsebool -P httpd_execmem on 
20. Allow other Nextcloud functions to work
    setsebool -P httpd_can_network_connect on
    setsebool -P httpd_can_sendmail on
21. Restore /etc/cron.d from backup and restart the service

Got to learn more about SELinux than I wanted! The hope is now I have the requisite policies configured, I can just copy the selinux config folder in future. That's probably hoping for more stability and consistency than is realistic.

Restoring NextCloud to a New OpenSuse build

I have been running my Nextcloud instance on OpenSuse 15.3 which has reached EOL, so it was time to upgrade. Unfortunately, something went awry with the in-place 15.3->15.4 upgrade resulting in a trashed btrfs filesystem. Fair enough, not a problem, I have tiered backups using rsnapshot on a separate volume which include not only the Nextcloud www and data directories but also /etc for good measure. Before each rsnapshot run, I also mysqldump a copy of the Nextcloud database into the top of the data directory.

This time, unlike previous OpenSuse+Nextcloud builds, I'm not going to install the official Nextcloud package since it's always an older verion. I can just plonk the backup copy into /srv/www/htdocs and be done with it. I chose the LAMP server pattern for my OpenSuse install, restore the backup directory, and reload the database into MariaDB. All very simple but it ain't working, so what have I missed?

1. Set permissions on the restored files. They should be owned by wwwrun and be chmod 750
2. Apache config (you can use the Yast sysconfig tool for this),
   
1. Add ssl, rewrite and headers to the modules list in sysconfig
2. Make sure Apache is started with SSL option
3. Restore the /etc/apache2 config directory from backup so it has vhosts and SSL config correct 
3. PHP config (I'm still with PHP 7 at this point)
   
1. Make sure all the Nextcloud PHP module dependencies are installed
2. Install php-apcu and php-cli
   
3. Edit PHP config as outlined in my previous posting to enable opcache, apcu and up the memory limits.
4. Cron config
1. Restore /etc/cron.d from backup
2. Change permissions on all the files to 644
5. Letsencrypt config (seems to be installed be default in the 15.4 LAMP pattern)
   
1. Restore /etc/letsencrypt from backup
6. Networking
1. Make sure hostname and IP address are set so that SSL certificates work externally
2. Open firewall ports for http and https

If you remember these then the rebuild takes maybe an hour. A lot of this is restoring files - I'm using SSD's so if you are stuck with HDD's this might be rather longer.

Another trick is that OpenSuse 15.4 now offers a downloadable updated ISO image which includes patches. This speeds up the install a fair bit.

Running KVM VM's as a regular user on OpenSuse 15.4

 Things you need to do to allow a regular user to use virt-manager for VM's

1. Add user to the following groups: kvm, libvirt, qemu
2. These bits let regular users redirect USB devices to a VM...
   Add the line: org.spice-space.lowlevelusbaccess     yes:no:yes
   to: /etc/polkit-default-privs.local 
3. After this run: /sbin/set_polkit_default_privs
4. Add the line: usr/bin/spice-client-glib-usb-acl-helper  root:root  4755
   to: /etc/permissions.local
5. After this run: chkstat --system --set

Credit to simon at serverfault

Shoehorning Duallies - A Slightly Bigger Build

 

My previous compact dual cpu builds were based around the (now long discontinued) Coolermaster Elite 360 and motherboards that were more or less ATX sized - or SSI CEB which is a little deeper at 10.5 inches rather than 9.6. At 147x380x410mm (WxHxD) the case comes in at 22.9 litres in volume and had two 5.25" bays and two 3.5" bays which provided ample room for storage (and judicious routing of cables). However, those were sold off a while ago.

Looking to reduce my power consumption a bit, now that utility bills are rising, I decided to consolidate my desktop and server machines into a single unit running Linux/KVM. This would need to be quite a beefy unit but I don't want anything too big. Shopping around, I came across the Kolink KLA-002 at overclockers.co.uk which looked rather interesting. At 175x410x385mm (WxDxH) and 27.6 litres, this case is about an inch wider than the Elite 360 but can fit an EATX motherboard with some adjustment. It's also dirt cheap so I'm happy taking a drill to it.

It looks like there are two optical bays up top but the upper bay is blocked by the front panel buttons etc. moulded into the top of the front cover. You could mount an internal drive or two there but I am going to tuck the extra length of the PSU cables in there to keep things neat. 

There are two 2.5 inch mounts on the base plate in front of where an ATX motherboard would fit - however, these would be blocked by an EATX motherboard. There are screw holes at the bottom left of the case to fit either a 3.5" HDD or a 120mm fan (albeit with a fairly restrictive grill). 

There are also two 3.5" drive bays at the bottom right which will need to be removed to get a larger motherboard in. It is possible to slide a board in behind the drive bays but you risk damaging components and reaching any connectors there is impossible. 

To remove it you need to drill out 5 rivets (arrowed). Two on the bottom edge, two under the front cover and one on the base. They can easily be replaced by a screw and a nut if you want to reinstate the bays later. 

Once the bays are removed there is space for an EATX motherboard with some caveats. There are only standoffs in the ATX board positions so you will need some additional board support. You can get plastic standoffs that clip into the empty screw holes but even then the bottom right corner position falls over a hole in the backplate for cable routing. If the board is the full 330mm deep then it will come right up against the front fans which can be tricky if there are, for example, right angle SATA connectors there. In that case, consider investing in slimmer 120mm front fans.  

 
The motherboard I chose for this build was the Huananzhi X99 T8D. Huananzhi is one of the better home-grown Chinese manufacturers who tend to have reasonable VRM designs, functional BIOS's and even a degree of support. This is an unusual board which targets the small number of non-standard OEM Haswell Xeons that support DDR3 as well as DDR4. These were adopted by the likes of cloud providers back in the day so are plentiful and cheap on the second-hand market. Huananzhi have also added some more modern features - bootable M.2 slots for NVME and SATA SSD's, USB 3, onboard BIOS code indicators and onboard power and reset buttons for testing. It also has 7.1 audio and dual (Realtek) Gigabit ethernet. The board is also a fraction smaller than EATX at 290x310mm which makes fitting it into the case a breeze.

To go with this board I have two Xeon E5-2696 v3 CPU's with 18 cores each and a top turbo speed of 3.8GHz. These can be had for under £100 off Aliexpress which is ridiculous for the amount of power you get. Each of the E5's has a multicore Passmark score equivalent to an Intel Core i9-10900K. There is a BIOS mod which will allow the full turbo speed to be applied to all the CPU cores but this can strain the VRM's somewhat. This mod works for all V3 Xeons - search for "S3TurboTool" if you are interested. Usefully this motherboard also supports LRDIMM's which are also remarkably cheap since not all motherboards support them. £260 for 8x32GB DDR3-1600 LRDIMMS from the well-known auction site, which happily overclock to DDR-1866 speeds.

Getting back to the build, all the front panel connections are on the bottom edge of the board. Rather than messily routing the cables through the case, they can be bundled together and fed through the holes in the front of the case cleared by removing the drive bays. All except the USB 3 connector which is too big. This is fed through the slot under the optical drive and tucked out of the way under the bottom edge of the front fans. There is just enough room for the cables round the edge of the optical drive when the front cover is snapped into place. I've also put in some mesh filters over the fans since they are intakes. 

Here is the motherboard fitted into the case. Huananzhi provide suitable plastic standoffs for cases that don't have standoffs in the right place.

The coolers are Raijintek Aidos with the fans replaced with 90mm Arctic PWM PST ones. One annoying feature of the motherboard is that it only has 4-pin fan control for the CPU fans. The PST feature of Arctic fans allows the PWM signal to be passed on to other fans. The front CPU also controls the two 120mm intake fans - which are also Arctic PST models. The rear CPU initially also controlled the rear exhaust fans - two Arctic 80MM PST models that I found got a bit noisy as things warmed up. I ended up connecting the rear fans to one of the 3-pin fan headers with a speed reduction resistor. The fan speed vs temperature profiles for each CPU can be independently configured in the BIOS and it actually works! Unfortunately, the profiles rely on chipset temperature sensors rather than the CPU sensors so there is a bit of a lag in their response. Linux fancontrol can be used to get round this.

The two 8-pin EPS power connectors and the main ATX power connector are all at the top edge of the board so those cables can be tucked above the DVD-RW drive. I found that one of the EPS cables could be fed through the channel on the side of the 5.25" drive bay. The other could be tucked into the gap between the case and the PSU and then down the gap between the PSU and the rear fans. 

The only cables I routed behind the motherboard were the SATA data cable for the DVD-RW drive, and the SATA power for the SSD's. As I've mentioned before, I find the SuperMicro slim SATA cables to be the best for my purposes. You could also run a GPU PCIE power cable down here if needed - I chose a GTX 1650 card which doesn't require a power cable and provides enough oomph for the few games I do play, like Oolite or a bit of Minecraft.

You can also just see the PST signal cable from the front CPU fan which also connects to the two front fans back here.  

Having removed or blocked most of the storage bays in the case, I do need to have some more storage slots than just the on-board M.2 connectors. On the well-known auction site, I found a card that holds two 2.5" SATA drives and fits into a PCI slot. It doesn't take any power or signals from the slot - there are two SATA data and one SATA power connector on the card edge.

Two drives aren't really enough though, so I bought two cards, removed the bracket from one and stacked them together using 8mm spacers and 25mm screws. This gives just enough space to fit a 7mm SSD and four of them occupy a slightly-larger-than-single-slot card. Just found an "official" but bulkier version from DeLock.

 I did have to saw/file off a few of the PCI slot fingers to fit round motherboard components but since there are no connections there it is not a big deal. You can see it fully loaded at the bottom of the whole-case shot above.

I like to have one physical drive per VM using KVM raw pass-through. Easy to move to a new host and there is no storage contention when VM's are doing heavy activity. 

 So there you have it:

2x18 Haswell Xeon cores at up to 3.8 GHz

256GB 8-channel DDR3 1600 LRDIMMS overclocked to 1866

1xM.2 NVME SSD + 4x2.5" SATA SSD's

All in a 27 litre case, and costing well under a grand.           

Nextcloud Address/Calendar Bbackups

I've been looking at an easy way to mirror my Nextcloud instance to a secondary server and came across Bernie_O's calcardbackup which neatly plugs a hole. While it is pretty easy to use rsync or similar to copy the files across the nextcloud database is a bit of a problem. You could use myqsl dump but that replicates the entire installation which is not quite what I want. However, when you get down to it, the bits that really matter are calendars and address books. The rest - user lists etc. are pretty much set up once and left alone.

What the script does is dumps out users calendars and address books in .ics and .vcf format - which can easily be imported when needed. What I do (as the web user) is:

1.  Dump out the users data a files in the nextcloud admins account (not compressing them into a package, and only keeping 14 days backups):
   /usr/bin/calcardbackup/calcardbackup "/srv/www/htdocs/nextcloud" -x -r 14 -o "/srv/www/htdocs/nextcloud/data/admin/files/Backups"
2. Tell nextcloud to rescan the admin's files to make them visible in the nextcloud client
   php /srv/www/htdocs/nextcloud/occ files:scan -p "admin/files/Backups"
3. Once I conformed that these worked OK I added them to the web user's cron jobs to run daily at 2am

The dumps are then rsync'ed along with everything else.

Chuwi Minibook First Look

Received my Chuwi Minibook (crowdfunded on Indiegogo) and have been having a play so here are my first thoughts. For my basic setup I am more-or-less duplicating the configuration I used for my GPD Pocket with updated versions of the packages in question.

I ordered the M3-8100Y version with 16GB of RAM. However, I did not order any additional SSD since I intended to use an M.2 PCI-E MicroSD adapter for an internal drive. This means I can just take the internal MicroSDXC from my GPD Pocket rather than having to copy anything. The card also draws at most maybe 0.5W as a storage device which is a lot less than an equivalent SATA or NVME SSD. Yes, it's slow but I seriously don't notice that much since I'm not a gamer.

Some observations about the Minibook.

1. Chuwi have configured M3-8100Y with TDP-up settings that give a minimum turbo of 1.6GHz. It would be great if this was configurable in a future BIOS with the options of regular TDP (1.1GHz) and TDP-down (800MHz) for those of us who want to extend battery life. I'll detail my experiments with Throttlestop in this area down below.
2. It's annoying that the minimum PD power requirements is 24W (12Vx2A) rather than 18W (9Vx2A) since there are a lot of 18W adapters and power packs around. Not sure whether this might be adjustable or is hard wired. On the other hand, it makes sense considering the potential maximum power draw of the Minibook (15W peak TDP for the CPU alone).
3. It would be nice if the default keyboard light status could be configured in the BIOS to Off/On/Last Setting for mainly for resumption from suspend/hibernate.
4. The screen is a seriously shiny fingerprint magnet and I'm still looking for a good oleophobic matt screen protector in the UK. I ordered at AtFoliX one from eBay and it was far too big.
5. The Intel drivers for the M3-8100Y seem to handle external displays very badly - the GPD Pocket was painless but getting scaling and orientation right with the new control panel doesn't really work.

Now, on to my Throttlestop configuration (I have yet to try XTU)...

1. I have downvolted the CPU core by 100mV and the CPU cache by 50mV to reduce power consumption. This works for me but depends on your CPU. This works for all frequency settings.
2. I have left the TDP limits as they were, since they can't be configured per profile in Throttlestop. Instead I use turbo frequency limits to control power consumption. I haven't fiddled with GPU settings since I don't really game that much - so its power consumtpion is generally minimal. Geekbench 4 figures are in [brackets].
3. Profile 1 is 1.6gGHz limit for both single and dual core turbo (this is as low as it goes) and is the default I use when on battery. Power consumption seems to be around 3.5W peak (CPU only). [2207/3845]
4. Profile 2 is 1.8/2.2GHz and with a CPU peak power of around 5W. The fan doesn't seem to spin up at this level and keeps things quiet. [2798/4807]
5. Profile 3 is 2.2/2.7GHz, with a CPU peak power of around 7W. The fan spins up but is generally not too obtrusive. This is my default when plugged in. [3289/5706]
6. Profile 4 is the default 2/7/3.4Ghz that the Minibook comes with. With undervolting I am seeing a peak of maybe 10W here but the fan does get noisy. [3939/6771]

I have yet to do any thermal mods so there's still more scope for noise limiting. Battery life for Profile 1 running the CPU flat out, display brightness 40% and keyboard light off is around 2.5-3 hours. Idle CPU power draw is around 0.5W so there is scope for quite good longevity under normal use.

For those of you with NVME drives that draw 4+W, default CPU settings and Windows Update/Indexing thrashing both, I'm not surprised battery life is short. Once Windows settles down things will improve a lot but a heavily used power hungry SSD could easily halve battery life.    

Nextcloud on OpenSuse 15.0 Part 2

Now we've got the latest Nextcloud (15.X) running more or less satisfactorily on OpenSuse 15.0, it's now time to do a bit more detailed configuration.

First of all we need to set up a cron job to do the regular housekeeping that nextcloud needs. Currently, it kicks off this activity whenever a page loads but as more content gets added this begins to become a bottleneck. So, in a terminal session do the following as root:

1.  crontab -u wwwrun -e
2. This brings up an editor (vim) for the cron jobs assigned to the user wwwrun (which is the account nextcloud runs under). The editor commands are somewhat cryptic...to go into insert mode, press i and the cursor will move to the top of the screen
3. Enter (or cut and paste) the following: */5  *  *  *  * php -f /srv/www/htdocs/nextcloud/cron.php
4. Do not press Enter! 
5. Now you are done, press Escape to get out of editing mode and then :q to quit and save.
6. This will have scheduled the Nextcloud housekeeping to run every 5 minutes

Now, we need to tell Nextcloud that what has been done.

1. In a browser, log into Nextcloud as the admin and navigate to the Settings | Basic Settings screen
2. In the top Background Jobs section, click on Cron (you have to enter the admin password again to confirm).

Now it makes sense to update the Nextcloud config to ready for external access.

1. Navigate to /srv/www/htdocs/nextcloud/config/ and open config.php in kate (or your text editor of choice).
2. In the trusted domains_array add some entries after 0 => 'localhost', so that the Nextcloud server will work when accessed via other URL's besides localhost. I would suggest the following (adapted to your setup)...
1. 1 => 'the-ip-address-of-the-server',
2. 2 => 'servername.domain.com',
3. 3 => 'servername.localdomain',