diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy-12.0.yml similarity index 85% rename from .github/workflows/deploy.yml rename to .github/workflows/deploy-12.0.yml index 7a3760d95..85def0bed 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy-12.0.yml @@ -1,9 +1,9 @@ -name: Deploy CI +name: Deploy CI - 12.0 on: push: branches: - - master + - 12.0 jobs: deploy: @@ -19,4 +19,4 @@ jobs: - run: cd $GITHUB_WORKSPACE - run: git config user.name ci-bot - run: git config user.email ci-bot@seafile.com - - run: mike deploy --push -u 11.0 latest \ No newline at end of file + - run: mike deploy --push -u 12.0 \ No newline at end of file diff --git a/manual/changelog/changelog-for-seafile-professional-server.md b/manual/changelog/changelog-for-seafile-professional-server.md index 800d06a3e..4973af940 100644 --- a/manual/changelog/changelog-for-seafile-professional-server.md +++ b/manual/changelog/changelog-for-seafile-professional-server.md @@ -8,6 +8,15 @@ Please check our document for how to upgrade to 11.0: +### 11.0.15 (2024-10-17) + +* [fix] Check the length of email in login form, preventing too long input +* [fix] Use user name instead of user ID in email content +* [fix] auth-token API also prevent brute force attack +* [fix] Fix invite people in multi-tenancy mode +* [fix] Add option SSO_LDAP_USE_SAME_UID + + ### 11.0.14 (2024-08-22) * [fix] Fix a bug that system admin can not share a library in admin panel diff --git a/manual/deploy/common_problems_for_setting_up_server.md b/manual/deploy/common_problems_for_setting_up_server.md deleted file mode 100644 index 8582efcab..000000000 --- a/manual/deploy/common_problems_for_setting_up_server.md +++ /dev/null 
@@ -1,40 +0,0 @@ -# Common Problems for Setting up Server - - -#### Seafile fails to start: "failed to run "seaf-server -t" (Ubuntu 20.04) - -![image-20210713171856512](C:\Users\RDB\AppData\Roaming\Typora\typora-user-images\image-20210713171856512.png) - -The MySQL user seafile uses the mysql_native_password plugin to authenticate. The error message means that the user could not connect to the database. - -Connect to the database with the MySQL root user: - -``` -#mysql -u root -p -``` - -Then change the authentication plugin for the user seafile to mysql_native_password: - -```mysql -mysql> ALTER USER 'seafile'@'127.0.0.1' identified with mysql_native_password by 'PASSWORD'; -``` - -PASSWORD is the password of the MySQL user seafile. You can find this password in the log file seafile.conf in /opt/seafile/conf. - - -#### Failed to upload/download file online - -* Check your SERVICE_URL setting in ccnet.conf and FILE_SERVER_ROOT setting in seahub_settings.py -* Make sure you firewall for seafile fileserver is opened. -* Using chrome/firefox debug mode to find which link is given when click download button and what's wrong with this link - - -#### Seafile with Apache / HTTPS has text only (no CSS formatting / images) - -The media folder (Alias location identified in /etc/apache2/sites-enabled/000-default (Ubuntu) has inappropriate permissions - -Solutions: - -1. Run installation script as non-root user -2. Copy /media folder to var/www/ and edit the Alias location in /etc/apache2/sites-enabled/000-default - diff --git a/manual/deploy/deploy_seafile_behind_nat.md b/manual/deploy/deploy_seafile_behind_nat.md deleted file mode 100644 index 0f31c076f..000000000 --- a/manual/deploy/deploy_seafile_behind_nat.md +++ /dev/null 
@@ -1,103 +0,0 @@ -# Deploy Seafile behind NAT - -A lot of people want to deploy a seafile server in their LAN, and access it from the WAN. - -To achieve this, you need: - -- A router which supports port forwarding -- Use a dynamic DNS Service -- Modify your seafile server configuration - -### Table of Contents - -- [Setup the server](#setup-the-server) -- [Setup port forwarding in your router](#setup-port-forwarding-in-your-router) -- [Use a dynamic dns serivce](#use-a-dynamic-dns-serivce) -- [Modify your seafile configuration](#modify-your-seafile-configuration) - - -## Setup the server - -First, you should follow the guide on [Download and Setup Seafile Server](using_sqlite.md) to setup your Seafile server. - -Before you continue, make sure: - -- You can visit your seahub website -- You can download/sync a library through your seafile client - -## Setup Port Forwarding in Your Router - -### Ensure Your Router Supports Port Forwarding - -First, ensure your router supports port forwarding. - -- Login to the web adminstration page of your router. If you don't know how to do this, you should find the instructions on the manual of the router. If you have no maunal, just google **"XXX router administration page"** where `XXX` is your router's brand. - -- Navigate around in the adminstration page, and check if there is a tag which contains a word such as "forward", "advanced". If your router supports it, chances are that you can find the port forwarding related settings there. - -### Setup Port Forwarding Rules - -Seafile server is composed of several components. If you deployed Seafile behind Apache/Nginx you need to configure port forward for all the components listed below. - -component | default port | protocol --------------------|--------------|---------- -webserver (http) | 80 | TCP -webserver (https) | 443 | TCP - -* If you're not using the default ports, you should adjust the table according to your own customiztion. 
- -### How to test if your port forwarding is working - -After you have set the port forwarding rules on your router, you can check whether it works by: - -- Open a command line prompt -- Get your WAN IP. A convenient way to get your WAN ip is to visit `http://who.is`, which would show you your WAN IP. -- Try to connect your Seafile server - -```bash -telnet 80 -``` - -If your port forwarding is working, the command above should succeed. Otherwise, you may get a message saying something like *connection refused* or *connection timeout*. - -If your port forwarding is not working, the reasons may be: - -- You have configured a wrong port forwarding -- Your router may need a restart -- You network may be down - -### Set SERVICE_URL - -"SERVICE_URL" in `ccnet.conf` is used to generate the download/upload link for files when you browse files online. Set it using your WAN IP. - -```python -SERVICE_URL = https:// -``` - -Most routers support NAT loopback. When your access Seafile web from intranet, file download/upload still works even when external IP is used. - -## Use a Dynamic DNS Serivce - -### Why use a Dynamic DNS(DDNS) Service? - -Having done all the steps above, you should be able to visit your seahub server outside your LAN by your WAN IP. But for most people, the WAN IP address is likey to change regularly by their ISP(Internet Serice Provider), which makes this approach impratical. - -You can use a dynamic DNS(DDNS) Service to overcome this problem. By using a dynamic DNS service, you can visit your seahub by domain name (instead of by IP), and the domain name will always be mapped to your WAN IP address, even if it changes regularly. - -There are a dozen of dynamic DNS service providers on the internet. If you don't know what service to choose, we recommend using [www.noip.com](http://www.noip.com) since it performs well in our testing. - -The detailed process is beyond the scope of this wiki. But basically, you should: - -1. 
Choose a DDNS service provider -2. Register an account on the DDNS service provider's website -3. Download a client from your DDNS service provider to keep your domain name always mapped to your WAN IP - -## Modify your seafile configuration - -After you have setup your DDNS service, you need to modify the `ccnet.conf`: - -```python -SERVICE_URL = https:// -``` - -Restart your seafile server after this. diff --git a/manual/deploy/deploy_seahub_at_non-root_domain.md b/manual/deploy/deploy_seahub_at_non-root_domain.md deleted file mode 100644 index 7d7739a65..000000000 --- a/manual/deploy/deploy_seahub_at_non-root_domain.md +++ /dev/null 
@@ -1,120 +0,0 @@ -# Deploy Seahub at Non-root domain - -## Non-root Domain - -The following will talk about how to deploy Seafile Web using Apache/Nginx at Non-root directory of the website(e.g., www.example.com/seafile/). Please note that the file server path will still be e.g. www.example.com/seafhttp (rather than www.example.com/seafile/seafhttp) because this path is hardcoded in the clients. - -**Note:** We assume you have read [Deploy Seafile with nginx](deploy_with_nginx.md) or [Deploy Seafile with apache](deploy_with_apache.md). - -### Configure Seahub - -First, we need to overwrite some variables in seahub_settings.py: - -``` -MEDIA_URL = '/seafmedia/' -COMPRESS_URL = MEDIA_URL -STATIC_URL = MEDIA_URL + 'assets/' -SITE_ROOT = '/seafile/' -LOGIN_URL = '/seafile/accounts/login/' -FILE_SERVER_ROOT = 'http://www.myseafile.com/seafhttp' -SERVICE_URL = 'http://www.myseafile.com/seafile' -``` - -`MEDIA_URL` can be anything you like, just make sure a trailing slash is appended at the end. - -We deploy Seafile at `/seafile/` directory instead of root directory, so we set `SITE_ROOT` to `/seafile/`. - -**Note:** The file server path MUST be `/seafhttp` because this path is hardcoded in the clients. 
- -### Webserver configuration - -#### Deploy with Nginx - -Then, we need to configure the Nginx: - -``` -server { - listen 80; - server_name www.example.com; - - proxy_set_header X-Forwarded-For $remote_addr; - - location /seafile { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 1200s; - - # used for view/edit office file via Office Online Server - client_max_body_size 0; - - access_log /var/log/nginx/seahub.access.log; - error_log /var/log/nginx/seahub.error.log; - } - - location /seafhttp { - rewrite ^/seafhttp(.*)$ $1 break; - proxy_pass http://127.0.0.1:8082; - client_max_body_size 0; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_connect_timeout 36000s; - proxy_read_timeout 36000s; - } - - location /seafmedia { - rewrite ^/seafmedia(.*)$ /media$1 break; - root /home/user/haiwen/seafile-server-latest/seahub; - } -} -``` - -### Deploy with Apache - -Here is the sample configuration: - -``` - - ServerName www.example.com - DocumentRoot /var/www - Alias /seafmedia /home/user/haiwen/seafile-server-latest/seahub/media - - - ProxyPass ! - Require all granted - - - RewriteEngine On - - # - # seafile fileserver - # - ProxyPass /seafhttp http://127.0.0.1:8082 - ProxyPassReverse /seafhttp http://127.0.0.1:8082 - RewriteRule ^/seafhttp - [QSA,L] - - # - # seahub - # - SetEnvIf Request_URI . proxy-fcgi-pathinfo=unescape - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - ProxyPreserveHost On - ProxyPass /seafile http://127.0.0.1:8000/seafile - ProxyPassReverse /seafile http://127.0.0.1:8000/seafile - -``` - -We use Alias to let Apache serve static files, please change the second argument to your path. 
- -### Start Seafile and Seahub - -``` -./seafile.sh start -./seahub.sh start -``` - -### Using Seafile Client - -When logging in on the Seafile client, the server address should now be http://www.example.com/seafile, not http://www.example.com. diff --git a/manual/deploy/using_ldap.md b/manual/deploy/using_ldap.md deleted file mode 100644 index df5934954..000000000 --- a/manual/deploy/using_ldap.md +++ /dev/null 
@@ -1,137 +0,0 @@ -# Configure Seafile to use LDAP - -Note: This documentation is for the Community Edition. If you're using Pro Edition, please refer to [the Seafile Pro documentation](../deploy_pro/using_ldap_pro.md). - - For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md). - -## How does LDAP User Management work in Seafile - -When Seafile is integrated with LDAP/AD, users in the system can be divided into two tiers: - -- Users within Seafile's internal user database. Some attributes are attached to these users, such as whether it's a system admin user, whether it's activated. This tier includes two types of users: - * Native users: these users are created by the admin on Seafile's system admin interface. These users are stored in the `EmailUser` table of the `ccnet` database. - * Users imported from LDAP/AD server: When a user in LDAP/AD logs into Seafile, its information will be imported from LDAP/AD server into Seafile's database. These users are stored in the `LDAPUsers` table of the `ccnet` database. -- Users in LDAP/AD server. These are all the intended users of Seafile inside the LDAP server. Seafile doesn't manipulate these users directly. It has to import them into its internal database before setting attributes on them. - -When Seafile counts the number of users in the system, it only counts the **activated** users in its internal database. - -When Seafile is integrated with LDAP/AD, it'll look up users from both the internal database and LDAP server. As long as the user exists in one of these two sources, they can log into the system. - -## Basic LDAP/AD Integration - -The only requirement for Seafile to use LDAP/AD for authentication is that there must be a unique identifier for each user in the LDAP/AD server. Seafile can only use email-address-format user identifiers. So there are usually only two options for this unique identifier: - -- Email address: this is the most common choice. 
Most organizations assign unique email address for each member. -- UserPrincipalName: this is a user attribute only available in Active Directory. It's format is `user-login-name@domain-name`, e.g. `john@example.com`. It's not a real email address, but it works fine as the unique identifier. - -### Connecting to Active Directory - -To use AD to authenticate user, please add the following lines to ccnet.conf. - -If you choose email address as unique identifier: - - [LDAP] - HOST = ldap://192.168.1.123/ - BASE = cn=users,dc=example,dc=com - USER_DN = administrator@example.local - PASSWORD = secret - LOGIN_ATTR = mail - -If you choose UserPrincipalName as unique identifier: - - [LDAP] - HOST = ldap://192.168.1.123/ - BASE = cn=users,dc=example,dc=com - USER_DN = administrator@example.local - PASSWORD = secret - LOGIN_ATTR = userPrincipalName - -Meaning of each config options: - -* HOST: LDAP URL for the host. ldap://, ldaps:// and ldapi:// are supported. You can also include a port number in the URL, like ldap://ldap.example.com:389. To use TLS, you should configure the LDAP server to listen on LDAPS port and specify ldaps:// here. More details about TLS will be covered below. -* BASE: The root distinguished name (DN) to use when running queries against the directory server. **You cannot use the root DN (e.g. dc=example,dc=com) as BASE**. -* USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privilege to access all the nodes under BASE. It's recommended to use a user in the administrator group. -* PASSWORD: Password of the above user. -* LOGIN_ATTR: The attribute used for user's unique identifier. Use `mail` or `userPrincipalName`. - -Tips for choosing BASE and USER_DN: - -* To determine the BASE, you first have to navigate your organization hierachy on the domain controller GUI. 
- * If you want to allow all users to use Seafile, you can use 'cn=users,dc=yourdomain,dc=com' as BASE (with proper adjustment for your own needs). - * If you want to limit users to a certain OU (Organization Unit), you run `dsquery` command on the domain controller to find out the DN for this OU. For example, if the OU is 'staffs', you can run 'dsquery ou -name staff'. More information can be found [here](https://technet.microsoft.com/en-us/library/cc770509.aspx). -* AD supports 'user@domain.name' format for the USER_DN option. For example you can use administrator@example.com for USER_DN. Sometime the domain controller doesn't recognize this format. You can still use `dsquery` command to find out user's DN. For example, if the user name is 'seafileuser', run `dsquery user -name seafileuser`. More information [here](https://technet.microsoft.com/en-us/library/cc725702.aspx). - -### Connecting to other LDAP servers - -Please add the following options to ccnet.conf: - - [LDAP] - HOST = ldap://192.168.1.123/ - BASE = ou=users,dc=example,dc=com - USER_DN = cn=admin,dc=example,dc=com - PASSWORD = secret - LOGIN_ATTR = mail - -The meaning of the options are the same as described in the previous section. With other LDAP servers, you can only use `mail` attribute as user's unique identifier. - -## Advanced LDAP/AD Integration Options - -### Multiple BASE - -Multiple base DN is useful when your company has more than one OUs to use Seafile. You can specify a list of base DN in the "BASE" config. The DNs are separated by ";", e.g. `ou=developers,dc=example,dc=com;ou=marketing,dc=example,dc=com` - -### Additional Search Filter - -Search filter is very useful when you have a large organization but only a portion of people want to use Seafile. The filter can be given by setting "FILTER" config. The value of this option follows standard LDAP search filter syntax (https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx). 
- -The final filter used for searching for users is `(&($LOGIN_ATTR=*)($FILTER))`. `$LOGIN_ATTR` and `$FILTER` will be replaced by your option values. - -For example, add the following line to LDAP config: - -``` -FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com -``` - -The final search filter would be `(&(mail=*)(memberOf=CN=group,CN=developers,DC=example,DC=com))` - -Note that the case of attribute names in the above example is significant. The `memberOf` attribute is only available in Active Directory. - -### Limiting Seafile Users to a Group in Active Directory - -You can use the FILTER option to limit user scope to a certain AD group. - -1. First, you should find out the DN for the group. Again, we'll use the `dsquery` command on the domain controller. For example, if group name is 'seafilegroup', run `dsquery group -name seafilegroup`. -2. Add the following line to LDAP config: - -``` -FILTER = memberOf={output of dsquery command} -``` - -### Using TLS connection to LDAP/AD server - -To use a TLS connection to the directory server, you should install a valid SSL certificate on the directory server. - -The current version of Seafile Linux server package is compiled on CentOS. We include the ldap client library in the package to maintain compatibility with older Linux distributions. But since different Linux distributions have different path or configuration for OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS. - -The ldap library (libldap) bundled in the Seafile package is of version 2.4. If your Linux distribution is new enough (like CentOS 6, Debian 7 or Ubuntu 12.04 or above), you can use system's libldap instead. - -On Ubuntu 14.04 and Debian 7/8, moving the bundled ldap related libraries out of the library path should make TLS connection work. 
- -``` -cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib -mkdir disabled_libs_use_local_ones_instead -mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 libldap_r-2.4.so.2 disabled_libs_use_local_ones_instead/ -``` - -On CentOS 6, you have to move the libnssutil library: - -``` -cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib -mkdir disabled_libs_use_local_ones_instead -mv libnssutil3.so disabled_libs_use_local_ones_instead/ -``` - -This effectively removes the bundled libraries from the library search path. -When the server starts, it'll instead find and use the system libraries (if they are installed). -This change has to be repeated after each update of the Seafile installation. - diff --git a/manual/deploy/using_sqlite.md b/manual/deploy/using_sqlite.md deleted file mode 100644 index c598e3504..000000000 --- a/manual/deploy/using_sqlite.md +++ /dev/null 
@@ -1,248 +0,0 @@ -# Deploying Seafile with SQLite - -> Deploying Seafile with SQLite is no longer supported since version 11.0 - -## Download binary package - -Visit our [download page](http://www.seafile.com/en/download/#server), download the latest server package. - -Choose one of: -- Generic Linux -- Server for Raspberry Pi - -Click the tarball link and save it. - -## Deploying and Directory Layout - -NOTE: If you place the Seafile data directory in external storage, such as NFS, CIFS mount, you should not use SQLite as the database, but use MySQL instead. - -Supposed you've downloaded seafile-server_8.0.* into your home directory. We suggest you to use the following layout for your deployment: -```sh -mkdir /opt/seafile -mv seafile-server_8.0.* /opt/seafile -cd /opt/seafile -tar -xzf seafile-server_8.0.* -``` - -Now you should have the following directory layout -```sh -root@5575983a9804:/opt/seafile# tree . -L 2 -. -|-- seafile-server-8.0.* -| |-- check_init_admin.py -| |-- reset-admin.sh -| |-- runtime -| |-- seaf-fsck.sh -| |-- seaf-fuse.sh -| |-- seaf-gc.sh -| |-- seafile -| |-- seafile.sh -| |-- seahub -| |-- seahub.sh -| |-- setup-seafile-mysql.py -| |-- setup-seafile-mysql.sh -| |-- setup-seafile.sh -| |-- sql -| `-- upgrade -`-- seafile-server_8.0.*_x86-64.tar.gz -``` - -Benefits of this layout are - - - We can place all the config files for Seafile server inside "/opt/seafile/conf" directory, making it easier to manage. - - When you upgrade to a new version of Seafile, you can simply untar the latest package into "/opt/seafile" directory. In this way you can reuse the existing config files in "/opt/seafile/conf" directory and don't need to configure again. 
- -## Setting Up Seafile Server - -#### Prerequisites - -The Seafile server package requires the following packages have been installed in your system - -``` -# on Ubuntu 20.04 server - -apt-get install -y python3 python3-setuptools python3-pip memcached libmemcached-dev pwgen sqlite3 - -pip3 install --timeout=3600 django==2.2.* future Pillow pylibmc captcha jinja2 psd-tools django-pylibmc django-simple-captcha pycryptodome==3.12.0 cffi==1.14.0 -``` - -``` -# on CentOS 8 server -yum install epel-release -y - -yum install python3 python3-setuptools python3-pip memcached libmemcached libffi-devel pwgen curl python3-devel gcc gcc-c++ sqlite -y - -pip3 install --timeout=3600 django==2.2.* future Pillow pylibmc jinja2 psd-tools django-pylibmc django-simple-captcha captcha pycryptodome==3.12.0 cffi==1.14.0 lxml -``` - -#### Setup - -```sh -cd /opt/seafile/seafile-server-8.0.* -./setup-seafile.sh #run the setup script & answer prompted questions -``` - -If some of the prerequisites are not installed, the Seafile initialization script will ask you to install them. - -The script will guide you through the settings of various configuration options. - -**Seafile configuration options** - -| Option | Description | Note | -| -- | -- | ---- | -| server name | Name of this Seafile server | 3-15 characters, only English letters, digits and underscore ('_') are allowed | -| server ip or domain | The IP address or domain name used by this server | Seafile client program will access the server with this address | -| Seafile data dir | Seafile stores your data in this directory. By default it'll be placed in the current directory. | The size of this directory will increase as you put more and more data into Seafile. Please select a disk partition with enough free space. | -| fileserver port | The TCP port used by Seafile fileserver | Default is 8082. If it's been used by other service, you can set it to another port. 
| - - -Now you should have the following directory layout: - -```sh -root@5575983a9804:/opt/seafile# tree . -L 2 -. -|-- ccnet -| |-- GroupMgr -| |-- OrgMgr -| |-- PeerMgr -| `-- misc -|-- conf -| |-- __pycache__ -| |-- ccnet.conf -| |-- gunicorn.conf.py -| |-- seafdav.conf -| |-- seafile.conf -| `-- seahub_settings.py -|-- logs -| |-- controller.log -| |-- seafile.log -| `-- seahub.log -|-- pids -| |-- seaf-server.pid -| `-- seahub.pid -|-- seafile-data -| |-- httptemp -| |-- library-template -| |-- seafile.db -| |-- storage -| `-- tmpfiles -|-- seafile-server-8.0.5 -| |-- check_init_admin.py -| |-- reset-admin.sh -| |-- runtime -| |-- seaf-fsck.sh -| |-- seaf-fuse.sh -| |-- seaf-gc.sh -| |-- seafile -| |-- seafile.sh -| |-- seahub -| |-- seahub.sh -| |-- setup-seafile-mysql.py -| |-- setup-seafile-mysql.sh -| |-- setup-seafile.sh -| |-- sql -| `-- upgrade -|-- seafile-server-latest -> seafile-server-8.0.5 -|-- seafile-server_8.0.5_x86-64.tar.gz -|-- seahub-data -| `-- avatars -`-- seahub.db -``` - -The folder seafile-server-latest is a symbolic link to the current Seafile server folder. When later you upgrade to a new version, the upgrade scripts would update this link to keep it always point to the latest Seafile server folder. - -## Running Seafile Server - -#### Before Running - -Since Seafile uses persistent connections between client and server, you should increase Linux file descriptors by ulimit if you have a large number of clients before start Seafile, like: - -``ulimit -n 30000`` - -#### Starting Seafile Server and Seahub Website - -- Start Seafile: -``` -./seafile.sh start # Start Seafile service -``` - -- Start Seahub: -``` -./seahub.sh start # Start Seahub website, port defaults to 8000 -``` - -**Note**: The first time you start Seahub, the script is going to prompt you to create an admin account for your Seafile server. 
- -After starting the services, you may open a web browser and type in - -``http://192.168.1.111:8000`` - -you will be redirected to the Login page. Just enter the admin username and password. - -**Congratulations!** Now you have successfully setup your private Seafile server. - -#### Run Seahub on another port - -You can assign the port of Seahub by setting the `conf/gunicorn.conf`. - -- stop the Seafile server -``` -./seahub.sh stop -./seafile.sh stop -``` - -- modify the value of SERVICE_URL in the file ccnet.conf (or seahub_settings.py if you use 9.0.0+ version), like this: (assume your ip or domain is 192.168.1.100). You can also modify SERVICE_URL via web UI in "System Admin->Settings". (**Warning**: if you set the value both via Web UI and ccnet.conf, the setting via Web UI will take precedence.) - -``` -SERVICE_URL = http://192.168.1.100:8001 -``` - -- **modify the conf/gunicorn.conf** - -``` -# default localhost:8000 -bind = "0.0.0.0:8001" -``` - -- restart Seafile server -``` -./seafile.sh start -./seahub.sh start -``` - -See Seafile [Server Configuration Manual](../config/ccnet-conf.md) for more details about ``ccnet.conf``. - -## Manage Seafile and Seahub -#### Stopping -``` -./seahub.sh stop # stop seahub website -./seafile.sh stop # stop seafile processes -``` -#### Restarting -``` -./seafile.sh restart -./seahub.sh restart -``` -#### When the Scripts Fail - -Most of the time, `seafile.sh` and `seahub.sh` work fine. But if they fail, you might want to - -- Use pgrep command to check if Seafile/Seahub processes are still running -``` -pgrep -f seafile-controller # check Seafile processes -pgrep -f "seahub" # check Seahub process -``` - -- Use pkill to kill the processes -``` -pkill -f seafile-controller -pkill -f "seahub" -``` - - -## That's it! - -For a production server we highly recommend to setup with Nginx/Apache and enable SSL/TLS. - -That's it! Now you might want read more about Seafile. -- [Administration](../maintain/README.md) 
diff --git a/manual/deploy_pro/adfs.md b/manual/deploy_pro/adfs.md deleted file mode 100644 index 08879367f..000000000 --- a/manual/deploy_pro/adfs.md +++ /dev/null 
@@ -1,251 +0,0 @@ -# AD Federation Service or SAML 2.0 Integration - -Note, this document is for Seafile version 9.0 or below. For version 10.0+, please follow the new document [SAML 2.0 in version 10.0+](./saml2_in_10.0.md). - -This documentation describes how to integrate to ADFS with SAML 2.0 protocol. The procedure can also be used to integrate with other SAML 2.0 compliant service with minimal change. - -## Requirements - -To use ADFS to log in to your Seafile, you need the following components: - -1. A Windows Server with [ADFS](https://technet.microsoft.com/en-us/library/hh831502.aspx) installed. For configuring and installing ADFS you can see [this article](https://msdn.microsoft.com/en-us/library/gg188612.aspx). -2. A valid SSL certificate for ADFS server, and here we use **adfs-server.adfs.com** as the domain name example. -3. A valid SSL certificate for Seafile server, and here we use **demo.seafile.com** as the domain name example. - -## Prepare Certs File - -1、x.509 certs for SP (Service Provider) - -You can generate them by: - -``` -openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout sp.key -out sp.crt - -``` - -These x.509 certs are used to sign and encrypt elements like NameID and Metadata for SAML. - -**Note: Do not use some special characters when generating a certificate** - -2、Then copy these two files to `/seahub-data/certs`. (if the certs folder not exists, create it.) - -1. x.509 cert from IdP (Identity Provider) -2. Log into the ADFS server and open the ADFS management. -3. Double click **Service** and choose **Certificates**. -4. Export the **Token-Signing** certificate: - 1. Right-click the certificate and select **View Certificate**. - 2. Select the **Details** tab. - 3. Click **Copy to File** (select **DER encoded binary X.509**). -5. Convert this certificate to PEM format, rename it to **idp.crt** -6. Then copy it to `/seahub-data/certs`. - -## Prepare IdP Metadata File - -1. Open -2. 
Save this xml file, rename it to **idp_federation_metadata.xml** -3. Copy it to `/seahub-data/certs`. - -## Install Requirements on Seafile Server - -* For Ubuntu 18.04/20.04 - -``` -sudo apt install libxmlsec1 xmlsec1 -``` - -* For Seafile 7.1.x - -``` -sudo pip install cryptography djangosaml2==0.18.1 pysaml2==4.6.0 -``` - -* For Seafile 8.0.x - -``` -sudo pip install cryptography djangosaml2==0.20.0 pysaml2==6.5.1 -``` - - -## Config Seafile - -Add the following lines to **seahub_settings.py** - -``` -from os import path -import saml2 -import saml2.saml - -CERTS_DIR = '/seahub-data/certs' -SP_SERVICE_URL = 'https://demo.seafile.com' -XMLSEC_BINARY = '/usr/bin/xmlsec1' - -# for 9.0 and later -ATTRIBUTE_MAP_DIR = '/seafile-server-latest/seahub/seahub/adfs_auth/attribute-maps' - -# for 8.0 and previous -ATTRIBUTE_MAP_DIR = '/seafile-server-latest/seahub-extra/seahub_extra/adfs_auth/attribute-maps' - -SAML_ATTRIBUTE_MAPPING = { - 'DisplayName': ('display_name', ), - 'ContactEmail': ('contact_email', ), - 'Department': ('department', ), - 'Telephone': ('telephone', ), -} - -ENABLE_ADFS_LOGIN = True -EXTRA_AUTHENTICATION_BACKENDS = ( - - # for 9.0 and later - 'seahub.adfs_auth.backends.Saml2Backend', - - # for 8.0 and previous - 'seahub_extra.adfs_auth.backends.Saml2Backend', -) -SAML_USE_NAME_ID_AS_USERNAME = True -LOGIN_REDIRECT_URL = '/saml2/complete/' -SAML_CONFIG = { - # full path to the xmlsec1 binary programm - 'xmlsec_binary': XMLSEC_BINARY, - - 'allow_unknown_attributes': True, - - # your entity id, usually your subdomain plus the url to the metadata view - 'entityid': SP_SERVICE_URL + '/saml2/metadata/', - - # directory with attribute mapping - 'attribute_map_dir': ATTRIBUTE_MAP_DIR, - - # this block states what services we provide - 'service': { - # we are just a lonely SP - 'sp' : { - "allow_unsolicited": True, - 'name': 'Federated Seafile Service', - 'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS, - 'endpoints': { - # url and binding to the 
assetion consumer service view - # do not change the binding or service name - 'assertion_consumer_service': [ - (SP_SERVICE_URL + '/saml2/acs/', - saml2.BINDING_HTTP_POST), - ], - # url and binding to the single logout service view - # do not change the binding or service name - 'single_logout_service': [ - (SP_SERVICE_URL + '/saml2/ls/', - saml2.BINDING_HTTP_REDIRECT), - (SP_SERVICE_URL + '/saml2/ls/post', - saml2.BINDING_HTTP_POST), - ], - }, - - # attributes that this project need to identify a user - 'required_attributes': ["uid"], - - # attributes that may be useful to have but not required - 'optional_attributes': ['eduPersonAffiliation', ], - - # in this section the list of IdPs we talk to are defined - 'idp': { - # we do not need a WAYF service since there is - # only an IdP defined here. This IdP should be - # present in our metadata - - # the keys of this dictionary are entity ids - 'https://adfs-server.adfs.com/federationmetadata/2007-06/federationmetadata.xml': { - 'single_sign_on_service': { - saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/idpinitiatedsignon.aspx', - }, - 'single_logout_service': { - saml2.BINDING_HTTP_REDIRECT: 'https://adfs-server.adfs.com/adfs/ls/?wa=wsignout1.0', - }, - }, - }, - }, - }, - - # where the remote metadata is stored - 'metadata': { - 'local': [path.join(CERTS_DIR, 'idp_federation_metadata.xml')], - }, - - # set to 1 to output debugging information - 'debug': 1, - - # Signing - 'key_file': '', - 'cert_file': path.join(CERTS_DIR, 'idp.crt'), # from IdP - - # Encryption - 'encryption_keypairs': [{ - 'key_file': path.join(CERTS_DIR, 'sp.key'), # private part - 'cert_file': path.join(CERTS_DIR, 'sp.crt'), # public part - }], - - 'valid_for': 24, # how long is our metadata valid -} - -``` - -**Note: Users running the Seafile program should have permission to read all files under **`seahub-data/certs`**.** - -## **Role Map for ADFS** - -Since Pro 7.0.9, you are able to set user role with ADFS as with 
[Shibboleth](https://download.seafile.com/published/seafile-manual/deploy/shibboleth_config.md#user-content-Affiliation%20and%20user%20role). Details about user role, please refer to [role permissions](https://download.seafile.com/published/seafile-manual/deploy_pro/roles_permissions.md). - -To enable this, add the following configuration information to `seahub_settings.py` to define the role mapping: - -``` -SHIBBOLETH_AFFILIATION_ROLE_MAP = { - 'role@lian-adfs.local': 'can_generate_upload_link_false', - 'role1@lian-adfs.local': 'guest', - 'patterns': ( - ('*@lian-adfs.local', 'guest1'), - ('*@*.local', 'guest2'), - ('*', 'guest3'), - ), -} - -``` - -## Config ADFS Server - -1. Add **Relying Party Trust** - - Relying Party Trust is the connection between Seafile and ADFS. - -1. Log into the ADFS server and open the ADFS management. -2. Double click **Trust Relationships**, then right click **Relying Party Trusts**, select **Add Relying Party Trust…**. -3. Select **Import data about the relying party published online or one a local network**, input `https://demo.seafile.com/saml2/metadata/` in the **Federation metadata address**. -4. Then **Next** until **Finish**. -5. Add **Relying Party Claim Rules** - - Relying Party Claim Rules is used for attribute communication between Seafile and users in Windows Domain. - - **Important**: Users in Windows domain must have the **E-mail** value setted. - -1. Right-click on the relying party trust and select **Edit Claim Rules...** -2. On the Issuance Transform Rules tab select **Add Rules...** -3. Select **Send LDAP Attribute as Claims** as the claim rule template to use. -4. Give the claim a name such as LDAP Attributes. -5. Set the Attribute Store to **Active Directory**, the LDAP Attribute to **E-Mail-Addresses**, and the Outgoing Claim Type to **E-mail Address**. -6. Select **Finish**. -7. Click **Add Rule...** again. -8. Select **Transform an Incoming Claim**. -9. Give it a name such as **Email to Name ID**. -10. 
Incoming claim type should be **E-mail Address** (it must match the Outgoing Claim Type in rule #1). -11. The Outgoing claim type is **Name ID** (this is required in Seafile settings policy `'name_id_format': saml2.saml.NAMEID_FORMAT_EMAILADDRESS`). -12. the Outgoing name ID format is **Email**. -13. **Pass through all claim values** and click **Finish**. - -## Test - -After re-starting the services, you may open a web browser and type in `https://demo.seafile.com`, there should be a `ADFS` button in login dialog, click that button will redirect you to the ADFS server (adfs-server.adfs.com), if username and password are correct, you will be redirect back to Seafile home page. - -For descktop client, simply click "Shibboleth Login" in "Add a new account" window, type in `https://demo.seafile.com`, click OK button will open a new window display ADFS server login page, if username and password are correct, the window will be closed and show Seafile libraries panel. - -* -* -* - - diff --git a/manual/deploy_pro/cas.md b/manual/deploy_pro/cas.md deleted file mode 100644 index 328a10c1e..000000000 --- a/manual/deploy_pro/cas.md +++ /dev/null 
@@ -1,35 +0,0 @@ -# Log In By CAS (Deprecated) - -> New in 2019: CAS is not recommend way for SSO. The third party Python library is not well maintained. SAML2 is much better. - -Since Seafile-pro 6.3.0, Seafile supports CAS single-sign-on protocol. - -NOTE: The support for CAS protocol is deprecated due to low maintenance of third-party library. Please use OAuth or SAML protocol. - -## Requirements - -Supposed you have a usable CAS service, and the service can be accessed by the `https://:/cas/`. - -## configure seahub_settings.py - -* Add the following lines in `conf/seahub_settings.py` - - -``` -ENABLE_CAS = True -CAS_SERVER_URL = 'https://192.168.99.100:8443/cas/' -CAS_LOGOUT_COMPLETELY = True -# Uncomment following line if CAS server is using self-signed certificate -#CAS_SERVER_CERT_VERIFY = False - -``` - -* Restart the seahub - - -``` -./seahub.sh restart - -``` - -Now, you can login to Seafile web interface with CAS authentication. Please click the "Single Sign-on" on the Seafile's login page. diff --git a/manual/deploy_pro/ldap_group_sync.md b/manual/deploy_pro/ldap_group_sync.md deleted file mode 100644 index 39166347e..000000000 --- a/manual/deploy_pro/ldap_group_sync.md +++ /dev/null 
@@ -1,158 +0,0 @@ -# Importing Groups from LDAP/AD - -Since version 4.1.0, the Pro Edition supports importing (syncing) groups from LDAP or Active Directory. - -For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md#setting-up-ldap-group-sync-optional). - -## How It Works - -The importing or syncing process maps groups from LDAP directory server to groups in Seafile's internal database. This process is one-way. - -* Any changes to groups in the database won't propagate back to LDAP; -* Any changes to groups in the database, except for "setting a member as group admin", will be overwritten in the next LDAP sync operation. If you want to add or delete members, you can only do that on LDAP server. -* The creator of imported groups will be set to the system admin. - -There are two modes of operation: - -* Periodical: the syncing process will be executed in a fixed interval -* Manual: there is a script you can run to trigger the syncing once - -## Prerequisite - -You have to install python-ldap library in your system. - -For Debian or Ubuntu - -``` -sudo apt-get install python-ldap - -``` - -For CentOS or RedHat - -``` -sudo yum install python-ldap - -``` - -## Syncing Groups - -### Configuration - -Before enabling LDAP group sync, you should have configured LDAP authentication. See [Configure Seafile to use LDAP](using_ldap_pro.md) for details. - -The following are LDAP group sync related options. They're in the "\[ldap_sync]" section of [ccnet.conf](../config/ccnet-conf.md). - -Below are summary of options for syncing groups: - -* **ENABLE_GROUP_SYNC**: set to "true" if you want to enable ldap group syncing -* **GROUP_OBJECT_CLASS**: This is the name of the class used to search for group objects. In Active Directory, it's usually "group"; in OpenLDAP or others, you may use "groupOfNames","groupOfUniqueNames" or "posixGroup", depends on your LDAP server. The default value is "group". -* **SYNC_INTERVAL**: The interval to sync. 
Unit is minutes. You can set it to 60, which means that data is synchronized from the LDAP/AD server every 60 minutes. -* **GROUP_FILTER**: An additional filter to use when searching group objects. If it's set, the final filter used to run search is "(&(objectClass=GROUP_OBJECT_CLASS)(GROUP_FILTER))"; otherwise the final filter would be "(objectClass=GROUP_OBJECT_CLASS)". -* **GROUP_MEMBER_ATTR**: The attribute field to use when loading the group's members. For most directory servers, the attributes is "member", which is the default value.For "posixGroup", it should be set to "memberUid". -* **USER_ATTR_IN_MEMBERUID**: The user attribute set in 'memberUid' option, which is used in "posixGroup".The default value is "uid". -* **DEL_GROUP_IF_NOT_FOUND**: set to "true", will deleted the groups if not found it in LDAP/AD server; need Seafile-pro-6.3.0 and above version -* **SYNC_GROUP_AS_DEPARTMENT**: In 6.3.8 version, a new option SYNC_GROUP_AS_DEPARTMENT is added. If this option is set to "true", the groups will be synced as top-level departments in Seafile, instead of simple groups. Learn more about departments in Seafile [here](https://help.seafile.com/sharing_collaboration/departments/). -* **CREATE_DEPARTMENT_LIBRARY**: If you decide to sync the group as a department, you can set this option to "true". In this way, when the group is synchronized for the first time, a library is automatically created for the department, and the library's name is the department's name. -* **DEFAULT_DEPARTMENT_QUOTA**: If you decide to sync the group as a department, you can set a default space quota for each department when you synchronize a group for the first time. The quota is set to unlimited if this option is not set. Unit is MB. -* **DEPT_NAME_ATTR**: Get the department name. You can set this configuration item to an AD field that represents the "department" name, such as "description". 
The name of the department created by Seafile will be the department name set in the AD field instead of the OU name. Requires Seafile-pro-7.0.11 and above. -* **DEPT_REPO_PERM**: Set the permissions of the department repo. The default permission is 'rw'. Set permissions for the department repo created during AD synchronization. Requires Seafile-pro-7.0.11 and above. -* **USE_GROUP_MEMBER_RANGE_QUERY**: When a group contains too many members, AD will only return part of them. Set this option to TRUE to make LDAP sync work with large groups. -* **GROUP_UUID_ATTR**: Since Seafile pro 8.0, UUID is used to identify groups in LDAP/AD servers. Before that, group DN is used. So when a group changes name, the old group will be deleted and a new group will be created. This is not a desirable behavior. With the new mechanism, the rename can be detected and the groups in Seafile remains intact. The default attribute is "ObjectGUID", which is available in AD. For other LDAP servers, please refer to https://ldapwiki.com/wiki/Universally%20Unique%20Identifier . - -The search base for groups is the "BASE_DN" set in "\[ldap]" section of ccnet.conf. - -Some LDAP server, such as Active Directory, allows a group to be a member of another group. This is called "group nesting". If we find a nested group B in group A, we should recursively add all the members from group B into group A. And group B should still be imported a separate group. That is, all members of group B are also members in group A. - -In some LDAP server, such as OpenLDAP, it's common practice to use Posix groups to store group membership. To import Posix groups as Seafile groups, set GROUP_OBJECT_CLASS option to posixGroup . A posixGroup object in LDAP usually contains a multi-value attribute for the list of member UIDs. The name of this attribute can be set with the GROUP_MEMBER_ATTR option. It's MemberUid by default. 
The value of the MemberUid attribute is an ID that can be used to identify a user, which corresponds to an attribute in the user object. The name of this ID attribute is usually uid , but can be set via the USER_ATTR_IN_MEMBERUID option. Note that posixGroup doesn't support nested groups. - -### Example Configurations - -Here is an example configuration for syncing nested groups in Active Directory: - -``` -[LDAP] -HOST = ldap://192.168.1.123/ -BASE = cn=users,dc=example,dc=com -USER_DN = administrator@example.local -PASSWORD = secret -LOGIN_ATTR = mail - -[LDAP_SYNC] -ENABLE_GROUP_SYNC = true -SYNC_INTERVAL = 60 - -``` - -For AD, you usually don't need to configure other options except for "ENABLE_GROUP_SYNC". That's because the default values for other options are the usual values for AD. If you have special settings in your LDAP server, just set the corresponding options. - -Here is an example configuration for syncing nested groups (but not PosixGroups) in OpenLDAP: - -``` -[LDAP] -HOST = ldap://192.168.1.123/ -BASE = ou=users,dc=example,dc=com -USER_DN = cn=admin,dc=example,dc=com -PASSWORD = secret -LOGIN_ATTR = mail - -[LDAP_SYNC] -ENABLE_GROUP_SYNC = true -SYNC_INTERVAL = 60 -GROUP_OBJECT_CLASS = groupOfNames - -``` - -## Sync OU as Departments - -A department in Seafile is a special group. In addition to what you can do with a group, there are two key new features for departments: - -* Department supports hierarchy. A department can have any levels of sub-departments. -* Department can have storage quota. - -Seafile supports syncing OU (Organizational Units) from AD/LDAP to departments. The sync process keeps the hierarchical structure of the OUs. - -Options for syncing departments from OU: - -* **SYNC_DEPARTMENT_FROM_OU**: set to "true" to enable syncing departments from OU. -* **SYNC_INTERVAL**: The interval to sync. Unit is minutes. You can set it to 60, which means that data is synchronized from the LDAP/AD server every 60 minutes. 
-* **DEL_DEPARTMENT_IF_NOT_FOUND**: If set to "true", sync process will delete a department if the corresponding OU is not found in AD/LDAP server. -* **CREATE_DEPARTMENT_LIBRARY**: set to "true", if you want to automatically create a department library with the OU name. -* **DEFAULT_DEPARTMENT_QUOTA**: default quota for the imported departments in MB. The quota is set to unlimited if this option is not set. -* **DEPT_NAME_ATTR**: Get the department name. You can set this configuration item to an AD field that represents the "department" name, such as "description". The name of the department created by Seafile will be the department name set in the AD field instead of the OU name. Requires Seafile-pro-7.0.11 and above. -* **DEPT_REPO_PERM**: Set the permissions of the department repo. The default permission is 'rw'. Set permissions for the department repo created during AD synchronization. Requires Seafile-pro-7.0.11 and above. -* **GROUP_UUID_ATTR**: Since Seafile pro 8.0, UUID is used to identify groups in LDAP/AD servers. Before that, OU DN is used. So when an OU changes name, the old group will be deleted and a new group will be created. This is not a desirable behavior. With the new mechanism, the rename can be detected and the groups in Seafile remains intact. The default attribute is "ObjectGUID", which is available in AD. For other LDAP servers, please refer to https://ldapwiki.com/wiki/Universally%20Unique%20Identifier . - -**NOTE**: Before 6.3.8, an old configuration syntax is used for syncing OU as departments. That syntax is no long supported. The old syntax cannot support syncing both groups and OU from AD/LDAP at the same time. However this is necessary for many situations. With the new syntax, you can sync both. - -## Periodical and Manual Sync - -Periodical sync won't happen immediately after you restart seafile server. It gets scheduled after the first sync interval. 
For example if you set sync interval to 30 minutes, the first auto sync will happen after 30 minutes you restarts. To sync immediately, you need to manually trigger it. - -After the sync is run, you should see log messages like the following in logs/seafevents.log. And you should be able to see the groups in system admin page. - -``` -[2015-03-30 18:15:05,109] [DEBUG] create group 1, and add dn pair CN=DnsUpdateProxy,CN=Users,DC=Seafile,DC=local<->1 success. -[2015-03-30 18:15:05,145] [DEBUG] create group 2, and add dn pair CN=Domain Computers,CN=Users,DC=Seafile,DC=local<->2 success. -[2015-03-30 18:15:05,154] [DEBUG] create group 3, and add dn pair CN=Domain Users,CN=Users,DC=Seafile,DC=local<->3 success. -[2015-03-30 18:15:05,164] [DEBUG] create group 4, and add dn pair CN=Domain Admins,CN=Users,DC=Seafile,DC=local<->4 success. -[2015-03-30 18:15:05,176] [DEBUG] create group 5, and add dn pair CN=RAS and IAS Servers,CN=Users,DC=Seafile,DC=local<->5 success. -[2015-03-30 18:15:05,186] [DEBUG] create group 6, and add dn pair CN=Enterprise Admins,CN=Users,DC=Seafile,DC=local<->6 success. -[2015-03-30 18:15:05,197] [DEBUG] create group 7, and add dn pair CN=dev,CN=Users,DC=Seafile,DC=local<->7 success. - -``` - -To trigger LDAP sync manually, - -```sh -cd seafile-server-latest -./pro/pro.py ldapsync - -``` - -For Seafile Docker - -```sh -docker exec -it seafile /opt/seafile/seafile-server-latest/pro/pro.py ldapsync - -``` diff --git a/manual/deploy_pro/ldap_role_sync.md b/manual/deploy_pro/ldap_role_sync.md deleted file mode 100644 index 6f33fe63e..000000000 --- a/manual/deploy_pro/ldap_role_sync.md +++ /dev/null 
@@ -1,47 +0,0 @@ -# Importing Roles from LDAP/AD - -For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md#importing-roles-from-ldap). - -Since version 6.1.5, the Pro Edition supports syncing roles from LDAP or Active Directory. - -To enable this feature, add config option `ROLE_NAME_ATTR` to ccnet.conf - -``` -[LDAP_SYNC] -ROLE_NAME_ATTR = title - -``` - -`ROLE_NAME_ATTR` is the attribute field to configure roles in LDAP . -We provide a user-defined function to map the role:Create `custom_functions.py` under conf/ and edit it like: - -``` -#coding=utf-8 -import sys -reload(sys) -sys.setdefaultencoding('utf8') - -def ldap_role_mapping(role): - if 'staff' in role: - return 'Staff' - if 'guest' in role: - return 'Guest' - if 'manager' in role: - return 'Manager' - -``` - -you can rewrite this function (in python) to make your own mapping rules. If the file or function doesn't exist, all roles in `ROLE_NAME_ATTR` will be synced. - -** NOTE: **Make sure that ccnet-server keeps running while doing LDAP role sync. - -Note: If you are using 7.1 version or later, and with Python 3, you should remove the following code from \`custom_functions.py\`: - -``` -import sys -reload(sys) -sys.setdefaultencoding('utf8') - -``` - - diff --git a/manual/deploy_pro/office-preview-yml/docker-compose.yml b/manual/deploy_pro/office-preview-yml/docker-compose.yml deleted file mode 100644 index d9ee9a01b..000000000 --- a/manual/deploy_pro/office-preview-yml/docker-compose.yml +++ /dev/null @@ -1,11 +0,0 @@ -services: - office-preview: - image: seafileltd/office-preview:latest - container_name: seafile-office-preview - environment: - - IGNORE_JWT_CHECK=true - ports: - - "8089:8089" - command: bash start.sh - volumes: - - /opt/office-preview/shared:/shared # the host path can be customized diff --git a/manual/deploy_pro/office_documents_preview.md b/manual/deploy_pro/office_documents_preview.md deleted file mode 100644 index 3bc7f33cb..000000000 
--- a/manual/deploy_pro/office_documents_preview.md +++ /dev/null 
@@ -1,177 +0,0 @@ -# Office Documents Preview with LibreOffice - -> This is a deprecated feature since version 11. Integrating with CollaboraOnline or OnlyOffice is recommended. - -Seafile Professional Server supports previewing office documents online by converting them to PDF. You can follow these steps to use the feature. If you'd like to edit office files online, you can integrate Seafile with Microsoft Office Online server, CollaboraOnline or OnlyOffice. - - -## Version 7.1.x - 8.0.x - -### Install Libreoffice/UNO - -Libreoffice 6.2+ and Python-uno library are required to enable office files online preview. - -On Ubuntu/Debian: - -```bash -sudo apt-get install libreoffice libreoffice-script-provider-python -``` - -> For older version of Ubuntu: `sudo apt-get install libreoffice python-uno` - -On Centos/RHEL, you need to first remove the default libreoffice in the distribution: - -``` -yum remove --setopt=clean_requirements_on_remove=0 libreoffice-* -``` - -Then install version 6.4 or newer ([Installation of LibreOffice on Linux](https://wiki.documentfoundation.org/Documentation/Install/Linux#Terminal-Based_Install)). - -Also, you may need to install fonts for your language, especially for Asians, otherwise the office document may not display correctly. - -### Enable Office Preview - -Open file `seafevents.conf`, in the `OFFICE CONVERTER` section: - -```conf -[OFFICE CONVERTER] -enabled = true -host = 127.0.0.1 -port = 6000 -``` - -After modifying and saving `seafevents.conf`, restart seafile server by `./seafile.sh restart` - -The office converter process will be started and listen on 127.0.0.1:6000 - -In `seahub_settings.py`, add the following config - -``` -OFFICE_CONVERTOR_ROOT = 'http://127.0.0.1:6000/' -``` - -Open a doc/ppt/xls file on Seahub, you should be about the previewing it in your browser. 
- -### Other Configurable Options - -Here are full list of options you can fine tune: - -```conf -[OFFICE CONVERTER] - -## must be "true" to enable office file online preview -enabled = true - -## How many libreoffice worker processes to run concurrenlty -workers = 1 - -## where to store the converted office/pdf files. Deafult is /tmp/. -outputdir = /tmp/ - -host = 127.0.0.1 -port = 6000 -``` - -## Version 9.0.x or above - -We use Docker to deploy LibreOffice as an example, so you need to install Docker on the server in advance (Docker installation is not introduced here). The office-preview service needs to be deployed on the same machine as the Seafile service. - -### Prepare `docker-compose.yml` - -Download and change [docker-compose.yml](./office-preview-yml/docker-compose.yml). - -``` -services: - office-preview: - image: seafileltd/office-preview:latest - container_name: seafile-office-preview - environment: - - IGNORE_JWT_CHECK=true # Usually, seafile and office-perview are deployed on the same machine and communicate through the intranet, so the jwt check can be ignored. - ports: - - "192.x.x.x:8089:8089" # 192.x.x.x is the IP address of the machine - command: bash start.sh - volumes: - - /opt/office-preview/shared:/shared # the host path can be customized -``` - -### Start `seafile-office-preview` container - -``` -docker compose up -d -``` - -Add `/opt/office-preview/shared/office_convertor_settings.py` manually. - -``` -# Make sure the SECRET_KEY is the same as value in seahub_settings.py -SECRET_KEY = "o@^yktib39k+oor2_busbcxqaach_$b5zq-)4l6l39v#8ky5ta" - -WORKERS = 10 # worker number -OUTPUT_DIR = '/shared/output' # output folder in container -PORT = 8089 # port in container -``` - -Restart `seafile-office-preview` container. -``` -docker restart seafile-office-preview -``` - -### Config seahub_settings.py - -Add the following configuration to `seahub_settings.py`. 
- -``` -OFFICE_CONVERTOR_ROOT = 'http://192.x.x.x:8089' # 192.x.x.x is the IP address of the machine -``` - -Restart seahub. -``` -./seahub.sh restart -``` - -## FAQ about Office document preview - -#### Document preview doesn't work, where to find more information? - -You can check the log at logs/seafevents.log - -#### My server is CentOS, and I see errors like "/usr/lib64/libreoffice/program/soffice.bin X11 error: Can't open display", how could I fix it? - -This error indicates you have not installed the `libreoffice-headless` package. Install it by `"sudo yum install libreoffice-headless"`. - -#### Document preview doesn't work on my Ubuntu/Debian server, what can I do? - -Current office online preview works with libreoffice 4.0-4.2. If the version of libreoffice installed by `apt-get` is too old or too new, you can solve this by: - -Remove the installed libreoffice: - -``` -sudo apt-get remove libreoffice* python-uno python3-uno -``` - -Download libreoffice packages from [libreoffice official site](https://downloadarchive.documentfoundation.org/libreoffice/old/) - -Install the downloaded pacakges: - -``` -tar xf LibreOffice_4.1.6_Linux_x86-64_deb.tar.gz -cd LibreOffice_4.1.6.2_Linux_x86-64_deb -cd DEBS -sudo dpkg -i *.deb -``` - -Restart your seafile server and try again. It should work now. - -``` -./seafile.sh restart -``` - -#### The browser displays "document conversion failed", and in the logs I see messages like `[WARNING] failed to convert xxx to ...`, what should I do? - -Sometimes the libreoffice process need to be restarted, especially if it's the first time seafile server is running on the server. - -Try to kill the libreoffice process with `pkill -f soffice.bin`. Then try re-opening the preview page in the brower again. If you are deploying seafile in cluster mode, make sure memcached is working on each server. - -#### The above solution does not solve my problem. 
- -Please check whether the user you run Seafile can correctly start the libreoffice process. There may be permission problems. For example, if you use www-data user to run Seafile, make sure www-data has a home directory and can write to the home directory. diff --git a/manual/deploy_pro/real_time_backup.md b/manual/deploy_pro/real_time_backup.md deleted file mode 100644 index bd5b5fb54..000000000 --- a/manual/deploy_pro/real_time_backup.md +++ /dev/null 
@@ -1,184 +0,0 @@ -# Seafile Real-Time Backup Server - -Note: This feature is deprecated and not recommended to use in production. If you're looking for backup solution: - -* If you're not using object storage, you can follow the instructions in [backup and recovery](../maintain/backup_recovery.md). -* If you're using object storage, you can use the [migration script](../deploy_pro/migrate.md) to backup the objects. - -Backup is the procedure that copies data from a primary server (which is running production service) to a backup server. - -The real-time backup server uses a syncing algorithm similar to the Seafile desktop client to retrieve data from the primary server. It works as follows: - -- Whenever a library is updated, the primary server notifies the backup server to retrieve the changed data. With a delta syncing algorithm, this procedure runs quickly and updates the backup server in nearly real-time. -- The backup server also checks all libraries on the primary server at a fixed period. Any new or updated libraries will be synced to the backup server. This will pick up any legged updates due to glitches in the above real-time sync procedure. -- The backup server always keep the database and data directory consistent. So no libraries on the backup server will be in corrupted state (unless they're already corrupted on the primary server). -- The full history of all libraries will be backed up. This is not like the desktop client, which only syncs the latest state of a library. - -There are two sets of data that need to be backed up: - -- The seafile-data directory and the core library metadata tables in the seafile database. This data is the core data structures of the libraries in Seafile. They're synced to the backup server with Seafile's syncing algorithm. In this procedure, the metadata tables are kept consistent with the seafile-data directory. 
-- All other tables in the database (including seafile, ccnet and seahub databases) are backed up with mysqldump. mysqldump can't back up the database in real time. You can setup a crontab for mysqldump at regular intervals. The latency of backup for these tables doesn't affect the integrity of library data. - -In the following discussion, we'll use "primary server" and "master server", "backup server" and "slave server" interchangeably. - -## Configure Real-Time Backup Server - -We assume you already have a primary server running, and now you want to set up a backup server. - -The steps to setup the backup server are: - -1. Install Seafile on the backup server -2. Configure Seafile syncing between the primary server and the backup server -3. Back up the tables in the database by `mysqldump` at regular intervals - -### Install Seafile on the Backup Server - -You should install Seafile Pro Edition on the backup server according to [this documentation](../deploy_pro/download_and_setup_seafile_professional_server.md). Since the real-time backup feature is only available for 5.1.0 or later, you also have to upgrade your primary server to version 5.1.0 or later. - -When installing Seafile on the backup server, you have to notice: - -- The database names (ccnet, seafile and seahub database) should be the same as the names on the primary server. -- You don't need to enable other Pro features, such as Office file preview, search indexing, file auditing etc. -- You can't start the seahub progress on backup server. It means that usually the Seafile backup server can't provide service. 
- -### Configure Real-time Backup in Seafile - -On the primary server, add following options to seafile.conf: - -``` -[backup] -backup_url = http://backup-server -sync_token = c7a78c0210c2470e14a20a8244562ab8ad509734 -``` - -On the backup server, add following options to seafile.conf: - -``` -[backup] -primary_url = http://primary-server -sync_token = c7a78c0210c2470e14a20a8244562ab8ad509734 -sync_poll_interval = 3 -``` - -- `backup_url`: the backup server's address in url format. You can use HTTP or HTTPS. -- `primary_url`: the primary server's address in url format. -- `sync_token`: a secret shared between the primary and backup server. It's a 40 character SHA1 token generated by the system admin. You can use `uuidgen | openssl sha1` command to generate a random token. -- `sync_poll_interval`: The backup server polls all libraries of the primary server periodically. You can set the poll interval in units of hours. The default interval is 1 hour, which means the backup server will poll the primary every hour. You should choose larger intervals if you have larger libraries. - -If you use HTTPS to sync between primary and backup servers, you must use the correct Seafile server package for your system. If you run CentOS, you should use the Seafile package named without the "Ubuntu" suffix; if you run Debian or Ubuntu, you should use the Seafile package named with "Ubuntu" suffix. Otherwise you may meet CA errors in HTTPS requests. - -After saving the configuration, restart the seafile service on the primary and backup servers. The backup server will automatically start backing up on restart. - -**Note**: Don't start the seahub progress on the Seafile backup server. 
- -### Back up the Databases - -Backup data from the databases on the primary server's MySQL with mysqldump: - -``` -mysqldump -u -p --databases \ ---ignore-table=.Repo \ ---ignore-table=.Branch \ ---ignore-table=.RepoHead \ - > dbdump.sql -``` - -You should replace ``, `` with your MySQL admin user and password. You should replace ``, `` and `` with your database names. - -The three ignored tables are core tables related to library data, and are synced by Seafile backup server in a real-time manner. They're kept in the seafile database of the backup server and are separated from the mysqldump process. - -**You should set up crontab to run the mysqldump at regular intervals.** - -If you want to back up the tables (except for the 3 tables synced by Seafile) in a more real-time manner, you can deploy the master-slave replication for the MySQL/MariaDB database from the primary node to another database server. **The database running on the backup server must not be used as the target of this replication.** Otherwise you'll end up with replication conflicts, since the db on backup server will also be updated by Seafile backup process too. - -### Checking Backup Status - -After the above setup, you should now have the below layout of your backup data: - -* Library data is backed up and managed by Seafile backup server. The data can be stored on external storage, object storage, or local disk, depending on your setup for the backup server. -* Database tables are split into two parts: - * 3 core library tables are backed up in real-time to the backup node's MySQL database. - * Other tables are regularly dumped to a file with mysqldump. The backup files are stored somewhere other than the primary server. - -`seaf-backup-cmd.sh` provides `status` command to view the backup status. 
The output is like: - -``` -# ./seaf-backup-cmd.sh status -Total number of libraries: xxx -Number of synchronized libraries: xxx -Number of libraries waiting for sync: xxx -Number of libraries syncing: xxx -Number of libraries failed to sync: xxx - -List of syncing libraries: -xxx -xxx - -List of libraries failed to sync: -xxx -xxx -``` - -There are a few reasons the backup of a library may fail: - -- Some data in the primary server is corrupted. The data may be in the latest state or in history. Since the backup procedure syncs the full history, corruption in history will fail the backup. -- The primary server has run seaf-fsck, which may restore a library back to an older state. - -## Restore from the Backup Server - -In the unfortunate situation where severe data corruption happens on the primary server, you can restore your service quickly directly on the backup server. The recovered service can be run directly on the backup server. - -There are tow steps to restore on the backup server: - -- Import the latest MySQL dump file into the Seafile backup server's MySQL database. -- Enable other Pro features on the Seafile backup server, and start seahub progress `./seahub.sh start`. - -#### Step1: Import MySQL dump file into backup server - -Importing the latest MySQL dump file into the backup server's database: - -``` -mysql -u -p < dbdump.sql -``` - -Replace `` and `` with your MySQL admin user name and password. - -#### Step2: Start the backup server's seahub - -Copy the seafile's configuration to the backup server, then start the seahub progress on the backup server. - -``` -./seahub.sh start -``` - -## Setup Backup Server for Seafile Cluster - -If your primary service runs as a Seafile cluster, you have two points to notice when setting up a backup server: - -1. You should only use one MySQL instance as the replication master, if you're using MariaDB cluster. -2. 
You have to change seafile.conf and set the `backup_url` and `sync_token` options on each Seafile node. The configuration on all primary Seafile node should be the same. They all point to the same backup server. - -Currently you cannot deploy the backup service **as** a cluster. That is, you can only use a single node as backup server. This support may be added in the future. - -## Managing the Real-time Backup Server - -`seaf-backup-cmd.sh` script is the tool for managing the backup server. The `seaf-backup-cmd.sh` script provides the following commands: - -### Manually Trigger Syncing a Library - -You can use the `sync` command to manually schedule backup of a library: - -``` -# ./seaf-backup-cmd.sh sync -``` - -The command will block until the backup is finished. - -### Handling Backup Errors - -The `--force` option of `sync` command can be used to force failing backup to complete. Permanent backup failures are usually caused by data corruption of a library in the primary server. The `--force` option asks the backup to skip corrupted objects and finish the backup. - -When you find a backup error, follow two steps: - -1. Run seaf-fsck on the primary server, for the failing libraries. Fsck fixes any corruption for the latest state of the libraries. -2. Run `seaf-backup-cmd.sh sync --force ` on the backup server. diff --git a/manual/deploy_pro/seaf_import.md b/manual/deploy_pro/seaf_import.md deleted file mode 100644 index 4f0b09d75..000000000 --- a/manual/deploy_pro/seaf_import.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Import Directory To Seafile - -Since seafile 5.1.3 pro edition, we support importing a local directory on the server to seafile. It's a handy tool for the system admin to import files from existing file servers (NFS, Samba etc.). - -To import a directory, use the `seaf-import.sh` script in seafile-server-latest directory. - -``` -usage : -seaf-import.sh - -p - -n - -u -``` - -The specified directory will be imported into Seafile as a library. You can set the name and owner of the imported library. - -Run `./seaf-import.sh -p -n -u `, - -``` -Starting seaf-import, please wait ... -[04/26/16 03:36:23] seaf-import.c(79): Import file ./runtime/seahub.pid successfully. -[04/26/16 03:36:23] seaf-import.c(79): Import file ./runtime/error.log successfully. -[04/26/16 03:36:23] seaf-import.c(79): Import file ./runtime/seahub.conf successfully. -[04/26/16 03:36:23] seaf-import.c(79): Import file ./runtime/access.log successfully. -[04/26/16 03:36:23] seaf-import.c(183): Import dir ./runtime/ to repo 5ffb1f43 successfully. - run done -Done. -``` - -Login to seafile server with the specified library owner, you will find a new library with the specified name. diff --git a/manual/deploy_pro/using_ldap_pro.md b/manual/deploy_pro/using_ldap_pro.md deleted file mode 100644 index a3d2c9f60..000000000 --- a/manual/deploy_pro/using_ldap_pro.md +++ /dev/null 
@@ -1,368 +0,0 @@ -# Configure Seafile Pro Edition to use LDAP - -For version 11.0, please follow the new document [LDAP in version 11.0](./ldap_in_11.0.md). - -## How does LDAP User Management works with Seafile - -When Seafile is integrated with LDAP/AD, users in the system can be divided into two tiers: - -* Users within Seafile's internal user database. Some attributes are attached to these users, such as whether it's a system admin user, whether it's activated. This tier includes two types of users: - * Native users: these users are created by the admin on Seafile's system admin interface and are stored in the `EmailUser` table of the `ccnet` database. - * Users imported from LDAP/AD server: When a user in LDAP/AD logs into Seafile, its information will be imported from LDAP/AD server into Seafile's database. These users are stored in the `LDAPUsers` table of the `ccnet` database. -* Users in LDAP/AD server. These are all the intended users of Seafile inside the LDAP server. Seafile doesn't manipulate these users directly. It has to import them into its internal database before setting attributes on them. - -When Seafile counts the user number in the system, it only counts the **activated** users in its internal database. - -When Seafile is integrated with LDAP/AD, it'll look up users from both the internal database and LDAP server. As long as the user exists in one of these two sources, he/she can log into the system. - -## Basic LDAP/AD Integration - -The only requirement for Seafile to use LDAP/AD for authentication is that there must be a unique identifier for each user in the LDAP/AD server. Seafile can only use email-address-format user identifiers. So there are usually only two options for this unique identifier: - -* Email address: this is the most common choice. Most organizations assign a unique email address for each member. -* UserPrincipalName: this is a user attribute only available in Active Directory. 
It's format is `user-login-name@domain-name`, e.g. `john@example.com`. It's not a real email address, but it works fine as the unique identifier. - -### Connecting to Active Directory - -To use AD to authenticate a user, please add the following lines to ccnet.conf. - -If you choose email address as unique identifier: - -``` -[LDAP] -HOST = ldap://192.168.1.123/ -BASE = cn=users,dc=example,dc=com -USER_DN = administrator@example.local -PASSWORD = secret -LOGIN_ATTR = mail - -``` - -If you choose UserPrincipalName as unique identifier: - -``` -[LDAP] -HOST = ldap://192.168.1.123/ -BASE = cn=users,dc=example,dc=com -USER_DN = administrator@example.local -PASSWORD = secret -LOGIN_ATTR = userPrincipalName - -``` - -Meaning of each config options: - -* HOST: LDAP URL for the host. ldap://, ldaps:// and ldapi:// are supported. You can also include port number in the URL, like ldap://ldap.example.com:389. To use TLS, you should configure the LDAP server to listen on LDAPS port and specify ldaps:// here. More details about TLS are covered below. -* BASE: The distinguished name (DN) of the search base when running queries against the directory server. If you want to use the root DN as search base (e.g. dc=example,dc=com), you need to add `FOLLOW_REFERRALS = false` to the configuration. The meaning of this option will be explained in following sections. -* USER_DN: The distinguished name of the user that Seafile will use when connecting to the directory server. This user should have sufficient privileges to access all the nodes under BASE. It's recommended to use a user in the administrator group. -* PASSWORD: Password of the above user. -* LOGIN_ATTR: The attribute used for user's unique identifier. Use `mail` or `userPrincipalName`. - -Tips for choosing BASE and USER_DN: - -* To determine the BASE, you first have to navigate your organization hierachy on the domain controller GUI. 
- * If you want to allow all users to use Seafile, you can use 'cn=users,dc=yourdomain,dc=com' as BASE (with proper adjustment for your own needs). - * If you want to limit users to a certain OU (Organization Unit), you run `dsquery` command on the domain controller to find out the DN for this OU. For example, if the OU is 'staffs', you can run 'dsquery ou -name staff'. More information can be found [here](https://technet.microsoft.com/en-us/library/cc770509.aspx). -* AD supports 'user@domain.name' format for the USER_DN option. For example you can use administrator@example.com for USER_DN. Sometimes the domain controller doesn't recognize this format. You can still use `dsquery` command to find out user's DN. For example, if the user name is 'seafileuser', run `dsquery user -name seafileuser`. More information [here](https://technet.microsoft.com/en-us/library/cc725702.aspx). - -### Connecting to other LDAP servers - -Please add the following options to ccnet.conf: - -``` -[LDAP] -HOST = ldap://192.168.1.123/ -BASE = ou=users,dc=example,dc=com -USER_DN = cn=admin,dc=example,dc=com -PASSWORD = secret -LOGIN_ATTR = mail - -``` - -The meaning of these options is the same as described in the previous section. With other LDAP servers, you can only use `mail` attribute as user's unique identifier. - -### Testing your LDAP Configuration - -Since 5.0.0 Pro Edition, we provide a command line tool for checking your LDAP configuration. - -To use this tool, make sure you have `python-ldap` package installed on your system. - -``` -sudo apt-get install python-ldap - -``` - -Then you can run the test: - -``` -cd seafile-server-latest -./pro/pro.py ldapsync --test - -``` - -The test script checks your LDAP settings under the `[LDAP]` section of ccnet.conf. If everything works, it'll print the first ten users of the search results. Otherwise, it'll print out possible errors in your config. 
- -## Setting Up LDAP/AD User Sync (optional) - -In Seafile Pro, except for importing users into internal database when they log in, you can also configure Seafile to periodically sync user information from LDAP/AD server into the internal database. - -* User's full name, department and contact email address can be synced to internal database. Users can use this information to more easily search for a specific user. -* User's Windows or Unix login id can be synced to the internal database. This allows the user to log in with its familiar login id. -* When a user is removed from LDAP/AD, the corresponding user in Seafile will be deactivated. Otherwise, he could still sync files with Seafile client or access the web interface. - -After synchronization is complete, you can see the user's full name, department and contact email on its profile page. - -### Active Directory - -If you're using Active Directory, add the following options to ccnet.conf: - -``` -[LDAP] -...... - -[LDAP_SYNC] -ENABLE_USER_SYNC = true -DEACTIVE_USER_IF_NOTFOUND = true -SYNC_INTERVAL = 60 -USER_OBJECT_CLASS = person -ENABLE_EXTRA_USER_INFO_SYNC = true -FIRST_NAME_ATTR = givenName -LAST_NAME_ATTR = sn -UID_ATTR = sAMAccountName - -``` - -Meaning of each options: - -* **ENABLE_USER_SYNC**: set to "true" if you want to enable ldap user synchronization -* **DEACTIVE_USER_IF_NOTFOUND**: set to "true" if you want to deactivate a user when he/she was deleted in AD server. -* **SYNC_INTERVAL**: The interval to sync. Unit is minutes. Defaults to 60 minutes. -* **USER_OBJECT_CLASS**: This is the name of the class used to search for user objects. In Active Directory, it's usually "person". The default value is "person". -* **ENABLE_EXTRA_USER_INFO_SYNC**: Enable synchronization of additional user information, including user's full name, department, and Windows login name, etc. -* **FIRST_NAME_ATTR**: Attribute for user's first name. It's "givenName" by default. 
-* **LAST_NAME_ATTR**: Attribute for user's last name. It's "sn" by default. -* **USER_NAME_REVERSE**: In some languages, such as Chinese, the display order of the first and last name is reversed. Set this option if you need it. -* **UID_ATTR**: Attribute for Windows login name. If this is synchronized, users can also log in with their Windows login name. In AD, the attribute `sAMAccountName` can be used as `UID_ATTR`. - -If you choose `userPrincipalName` as the unique identifier for user, Seafile cannot use it as real email address to send notification emails to user. If the users in AD also have an email address attribute, you can sync these email addresses into Seafile's internal database. Seafile can then use them to send emails. The configuration option is: - -* **CONTACT_EMAIL_ATTR**: usually you can set it to the `mail` attribute. - -### Other LDAP servers - -Add the following options to ccnet.conf: - -``` -[LDAP] -...... - -[LDAP_SYNC] -ENABLE_USER_SYNC = true -DEACTIVE_USER_IF_NOTFOUND = true -SYNC_INTERVAL = 60 -USER_OBJECT_CLASS = userOfNames -ENABLE_EXTRA_USER_INFO_SYNC = true -FIRST_NAME_ATTR = givenName -LAST_NAME_ATTR = sn -UID_ATTR = uid - -``` - -Meaning of each option: - -* **ENABLE_USER_SYNC**: set to "true" if you want to enable ldap user synchronization -* **DEACTIVE_USER_IF_NOTFOUND**: set to "true" if you want to deactivate a user when he/she was deleted in LDAP server. -* **SYNC_INTERVAL**: The synchronization interval. Unit is minutes. Defaults to 60 minutes. -* **USER_OBJECT_CLASS**: This is the name of the class used to search for user objects. In OpenLDAP, you can use "userOfNames". The default value is "person". -* **ENABLE_EXTRA_USER_INFO_SYNC**: Enable synchronization of additional user information, including user's full name, department, and Windows/Unix login name, etc. -* **FIRST_NAME_ATTR**: Attribute for user's first name. It's "givenName" by default. -* **LAST_NAME_ATTR**: Attribute for user's last name. It's "sn" by default. 
-* **USER_NAME_REVERSE**: In some languages, such as Chinese, the display order of the first and last name is reversed. Set this option if you need it. -* **UID_ATTR**: Attribute for Windows/Unix login name. If this is synchronized, users can also log in with their Windows/Unix login name. In OpenLDAP, the attribute `uid` or something similar can be used. - -### Importing Users without Activating Them - -The users imported with the above configuration will be activated by default. For some organizations with large number of users, they may want to import user information (such as user full name) without activating the imported users. Activating all imported users will require licenses for all users in AD/LDAP, which may not be affordable. - -Seafile provides a combination of options for such use case. First, you have to add below option to \[ldap_sync] section of ccnet.conf: - -``` -ACTIVATE_USER_WHEN_IMPORT = false - -``` - -This prevents Seafile from activating imported users. Second, add below option to `seahub_settings.py`: - -``` -ACTIVATE_AFTER_FIRST_LOGIN = True - -``` - -This option will automatically activate users when they login to Seafile for the first time. - - -### Reactivating Users - -When you set the \`**DEACTIVE_USER_IF_NOTFOUND**\` option, a user will be deactivated when it's not found in LDAP server. By default, even after this user reappears in the LDAP server, it won't be reactivated automatically. This is to prevent auto reactivating a user that was manually deactivated by the system admin. - -However, sometimes it's desirable to auto reactivate such users. So in version 7.1.8 we added a new option to provide this behavior. - -``` -AUTO_REACTIVATE_USERS = True - -``` - -### Manually Trigger Synchronization - -To test your LDAP sync configuration, you can run the sync command manually. 
- -To trigger LDAP sync manually, - -```sh -cd seafile-server-latest -./pro/pro.py ldapsync - -``` - -For Seafile Docker - -```sh -docker exec -it seafile /opt/seafile/seafile-server-latest/pro/pro.py ldapsync - -``` - -## Advanced LDAP/AD Integration Options - -### Multiple BASE - -Multiple base DN is useful when your company has more than one OUs to use Seafile. You can specify a list of base DN in the "BASE" config. The DNs are separated by ";", e.g. `ou=developers,dc=example,dc=com;ou=marketing,dc=example,dc=com` - -### Additional Search Filter - -Search filter is very useful when you have a large organization but only a portion of people want to use Seafile. The filter can be given by setting "FILTER" config. The value of this option follows standard LDAP search filter syntax (). - -The final filter used for searching for users is `(&($LOGIN_ATTR=*)($FILTER))`. `$LOGIN_ATTR` and `$FILTER` will be replaced by your option values. - -For example, add the following line to LDAP config: - -``` -FILTER = memberOf=CN=group,CN=developers,DC=example,DC=com - -``` - -The final search filter would be `(&(mail=*)(memberOf=CN=group,CN=developers,DC=example,DC=com))` - -Note that the cases in the above example is significant. The `memberOf` attribute is only available in Active Directory. - -### Limiting Seafile Users to a Group in Active Directory - -You can use the FILTER option to limit user scope to a certain AD group. - -1. First, you should find out the DN for the group. Again, we'll use `dsquery` command on the domain controller. For example, if group name is 'seafilegroup', run `dsquery group -name seafilegroup`. -2. Add following line to LDAP config: - - -``` -FILTER = memberOf={output of dsquery command} - -``` - -### Using TLS connection to LDAP/AD server - -To use TLS connection to the directory server, you should install a valid SSL certificate on the directory server. 
- -To make sure Seafile server successfully connect to the directory server with TLS, you have to choose the right version of Seafile Pro servers. - -* If you're using Seafile 9.0 or newer, you should use Docker to run Seafile. There should be no problem connecting with TLS as long as SSL certificate on the directory server is valid. -* If you're using older version of Seafile, you should choose Seafile package based on your OS. For CentOS/RHEL, choose the package for CentOS; for Ubuntu/Debian, choose the package for Ubuntu. - -The Seafile server package bundles the version of libldap from the OS where it's built. So libldap will try to locate OpenSSL library in the same path as the buidling OS. Since different Linux distributions have different path or configuration for OpenSSL library, sometimes Seafile is unable to connect to the directory server with TLS. - -When Seafile fails to connect with TLS, you may try to install ldap client libraries on your OS and ask Seafile to use them instead. - -On Ubuntu and Debian, moving the bundled ldap related libraries out of the library path should make TLS connection work. - -``` -cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib -mkdir disabled_libs_use_local_ones_instead -mv liblber-2.4.so.2 libldap-2.4.so.2 libsasl2.so.2 libldap_r-2.4.so.2 disabled_libs_use_local_ones_instead/ - -``` - -On some CentOS systems, you may have to move the libnssutil library as well: - -``` -cd ${SEAFILE_INSTALLATION_DIR}/seafile-server-latest/seafile/lib -mkdir disabled_libs_use_local_ones_instead -mv libnssutil3.so disabled_libs_use_local_ones_instead/ - -``` - -This effectively removes the bundled libraries from the library search path. -When the server starts, it'll instead find and use the system libraries (if they are installed). -This change has to be repeated after each update of the Seafile installation. - -### Use paged results extension - -LDAP protocol version 3 supports "paged results" (PR) extension. 
When you have large number of users, this option can greatly improve the performance of listing users. Most directory server nowadays support this extension. - -In Seafile Pro Edition, add this option to LDAP section of ccnet.conf to enable PR: - -``` -USE_PAGED_RESULT = true - -``` - -### Follow referrals - -Starting from Pro Edition 4.0.4, Seafile supports auto following referrals in LDAP search. This is useful for partitioned LDAP or AD servers, where users may be spreaded on multiple directory servers. For more information about referrals, you can refer to [this article](https://technet.microsoft.com/en-us/library/cc978014.aspx). - -To configure, add following option to ccnet.conf in the \[ldap] section: - -``` -FOLLOW_REFERRALS = true - -``` - -### Configure Multi-ldap Servers - -Since seafile 5.1.4 pro edition, we support multi-ldap servers, that is besides base ldap server info in \[ldap] section, you can set other ldap servers info in \[ldap_multi_1], \[ldap_multi_2] ... \[ldap_multi_9] sections, so you can configure ten ldap servers to work with seafile. Multi-ldap servers mean that, when get or search ldap user, it will iterate all configured ldap servers until a match is found; When listing all ldap users, it will iterate all ldap servers to get all users; For Ldap sync it will sync all user/group info in all configured ldap servers to seafile. 
- -For example I have configured base ldap server in `ccnet.conf` as follow: - -``` -[LDAP] -HOST = ldap://192.168.1.123/ -BASE = ou=users,dc=example,dc=com -USER_DN = cn=admin,dc=example,dc=com -PASSWORD = secret -LOGIN_ATTR = mail - -``` - -Then I can configure another ldap server in `ccnet.conf` as follow: - -``` -[LDAP_MULTI_1] -HOST = ldap://192.168.1.124/ -BASE = ou=users,dc=example,dc=com -USER_DN = cn=admin,dc=example,dc=com -PASSWORD = secret - -``` - -Before 6.3.8, all ldap servers share LOGIN_ATTR, USE_PAGED_RESULT, FOLLOW_REFERRALS attributes in \[ldap] section; For ldap user/group sync, all ldap servers share all ldap sync related attributes in \[ldap_sync] section. - -Since seafile 6.3.8 pro, we support more independent config sections for each ldap server. The LOGIN_ATTR, USE_PAGED_RESULT, FOLLOW_REFERRALS options can be set independently in each \[ldap_multi_x] section. Furthermore, independent \[ldap_sync_multi_x] sections can be set for each LDAP server. That is, each LDAP server can use different LDAP sync options. - -There are still some shared config options that can only be set in \[ldap_sync] section, which is used for all LDAP servers. - -* SYNC_INTERVAL -* DEACTIVE_USER_IF_NOTFOUND -* ACTIVATE_USER_WHEN_IMPORT -* IMPORT_NEW_USER -* DEL_GROUP_IF_NOT_FOUND - -These options are used to control synchronization behaviors, so they're shared for all LDAP servers. - -NOTE: It is recommended to have a \[ldap_sync_multi_x] section for each \[ldap_multi_x] section. Otherwise the LDAP sync process will use the options in \[ldap_sync] section for that LDAP server. diff --git a/manual/docker/deploy_seafile_with_docker.md b/manual/docker/deploy_seafile_with_docker.md index 5c2186c4e..3b2e76b7c 100644 --- a/manual/docker/deploy_seafile_with_docker.md +++ b/manual/docker/deploy_seafile_with_docker.md 
@@ -12,9 +12,9 @@ The following assumptions and conventions are used in the rest of this document: Use the [official installation guide for your OS to install Docker](https://docs.docker.com/engine/install/). -### Download and modify `docker-compose.yml` +### Download and modify `.env` -Download the `docker-compose.yml` sample file into Seafile's directory and modify the Compose file to fit your environment and settings. +From Seafile Docker 12.0, we recommend that you use `.env`, `seafile-server.yml` and `caddy.yml` files for configuration. **NOTE:** Different versions of Seafile have different compose files. 
@@ -22,31 +22,41 @@ Download the `docker-compose.yml` sample file into Seafile's directory and modif mkdir /opt/seafile cd /opt/seafile -# Seafile CE 10.0 -wget -O "docker-compose.yml" "https://manual.seafile.com/docker/docker-compose/ce/10.0/docker-compose.yml" +# Seafile CE 12.0 +wget -O .env https://manual.seafile.com/docker/docker-compose/ce/12.0/env +wget https://manual.seafile.com/docker/docker-compose/ce/12.0/seafile-server.yml +wget https://manual.seafile.com/docker/docker-compose/ce/12.0/caddy.yml -# Seafile CE 11.0 -wget -O "docker-compose.yml" "https://manual.seafile.com/docker/docker-compose/ce/11.0/docker-compose.yml" - -nano docker-compose.yml +nano .env ``` The following fields merit particular attention: -* The password of MySQL root (`MYSQL_ROOT_PASSWORD` and `DB_ROOT_PASSWD`) -* The volume directory of MySQL data (volumes) -* The volume directory of Seafile data (volumes). +- `SEAFILE_VOLUME`: The volume directory of Seafile data, default is `/opt/seafile-data` +- `SEAFILE_MYSQL_VOLUME`: The volume directory of MySQL data, default is `/opt/seafile-mysql/db` +- `SEAFILE_CADDY_VOLUME`: The volume directory of Caddy data used to store certificates obtained from Let's Encrypt's, default is `/opt/seafile-caddy` +- `SEAFILE_MYSQL_ROOT_PASSWORD`: The user `root` password of MySQL +- `SEAFILE_MYSQL_DB_USER`: The user of MySQL (`database` - `user` can be found in `conf/seafile.conf`) +- `SEAFILE_MYSQL_DB_PASSWORD`: The user `seafile` password of MySQL +- `JWT`: JWT_PRIVATE_KEY, A random string with a length of no less than 32 characters, generate example: `pwgen -s 40 1` +- `SEAFILE_SERVER_HOSTNAME`: Seafile server hostname or domain +- `SEAFILE_SERVER_PROTOCOL`: Seafile server protocol (http or https) +- `TIME_ZONE`: Time zone (default UTC) +- `SEAFILE_ADMIN_EMAIL`: Admin username +- `SEAFILE_ADMIN_PASSWORD`: Admin password + +NOTE: SSL is now handled by the [caddy server](#about-ssl-and-caddy) from 12.0. 
### Start Seafile server Start Seafile server with the following command ```bash -# if `docker-compose.yml` file is in current directory: +# if `.env` file is in current directory: docker compose up -d -# if `docker-compose.yml` file is elsewhere: -docker compose -f /path/to/docker-compose.yml up -d +# if `.env` file is elsewhere: +docker compose -f /path/to/.env up -d ``` Wait for a few minutes for the first time initialization, then visit `http://seafile.example.com` to open Seafile Web UI. 
@@ -61,22 +71,21 @@ Placeholder spot for shared volumes. You may elect to store certain persistent i * /opt/seafile-data/seafile/logs: This is the directory that would contain the log files of seafile server processes. For example, you can find seaf-server logs in `/opt/seafile-data/seafile/logs/seafile.log`. * /opt/seafile-data/logs: This is the directory for operating system and Nginx logs. * /opt/seafile-data/logs/var-log: This is the directory that would be mounted as `/var/log` inside the container. For example, you can find the nginx logs in `/opt/seafile-data/logs/var-log/nginx/`. -* /opt/seafile-data/ssl: This is directory for certificate, which does not exist by default. ### Find logs To monitor container logs (from outside of the container), please use the following commands: ```bash -# if the `docker-compose.yml` file is in current directory: +# if the `.env` file is in current directory: docker compose logs --follow -# if the `docker-compose.yml` file is elsewhere: -docker compose -f /path/to/docker-compose.yml logs --follow +# if the `.env` file is elsewhere: +docker compose -f /path/to/.env logs --follow # you can also specify container name: docker compose logs seafile --follow -# or, if the `docker-compose.yml` file is elsewhere: -docker compose -f /path/to/docker-compose.yml logs seafile --follow +# or, if the `.env` file is elsewhere: +docker compose -f /path/to/.env logs seafile --follow ``` The Seafile logs are under `/shared/logs/seafile` in the docker, or `/opt/seafile-data/logs/seafile` in the server that run the docker. 
@@ -84,121 +93,25 @@ The Seafile logs are under `/shared/logs/seafile` in the docker, or `/opt/seafil The system logs are under `/shared/logs/var-log`, or `/opt/seafile-data/logs/var-log` in the server that run the docker. To monitor all Seafile logs simultaneously (from outside of the container), run + ```bash sudo tail -f $(find /opt/seafile-data/ -type f -name *.log 2>/dev/null) ``` ## More configuration options -### Custom admin username and password - -The default admin account is `me@example.com` and the password is `asecret`. You can use a different password by setting the container's environment variables in the `docker-compose.yml`: -e.g. - -```yml -seafile: - ... - - environment: - ... - - SEAFILE_ADMIN_EMAIL=me@example.com - - SEAFILE_ADMIN_PASSWORD=a_very_secret_password - ... - -``` - -### Let's Encrypt SSL certificate - -If you set `SEAFILE_SERVER_LETSENCRYPT` to `true`, the container would request a letsencrypt-signed SSL certificate for you automatically. - -e.g. - -```yml -seafile: - ... - ports: - - "80:80" - - "443:443" - ... - environment: - ... - - SEAFILE_SERVER_LETSENCRYPT=true - - SEAFILE_SERVER_HOSTNAME=seafile.example.com - ... - -``` - -Since version 10.0.x, if you want to use a reverse proxy and apply for a certificate outside docker, you can use `FORCE_HTTPS_IN_CONF` to force write `https://` in the configuration file. - -e.g. - -```yml -seafile: - ... - environment: - ... - - SEAFILE_SERVER_LETSENCRYPT=false - - SEAFILE_SERVER_HOSTNAME=seafile.example.com - - FORCE_HTTPS_IN_CONF=true - ... - -``` - -If you want to use your own SSL certificate, you can mount the certificate into the docker container by setting the container's volumes variables in the `docker-compose.yml`. - -⚠️ Assuming your site name is `seafile.example.com`, then your certificate must have the name `seafile.example.com.crt`, and the private key must have the name `seafile.example.com.key` in container. - -e.g. - -```yml -seafile: - ... 
- ports: - - "80:80" - - "443:443" - ... - volumes: - ... - - /etc/letsencrypt/live/seafile.example.com/fullchain.pem:/shared/ssl/seafile.example.com.crt - - /etc/letsencrypt/live/seafile.example.com/privkey.pem:/shared/ssl/seafile.example.com.key - environment: - ... - - SEAFILE_SERVER_LETSENCRYPT=false - - SEAFILE_SERVER_HOSTNAME=seafile.example.com - - FORCE_HTTPS_IN_CONF=true - ... - ... -``` - ### Use an existing mysql-server -If you want to use an existing mysql-server, you can modify the `docker-compose.yml` as follows - -```yml -services: - #db: - #image: mariadb:10.11 - #... - - seafile: - ... - environment: - ... - - DB_HOST=192.168.0.2 - - DB_PORT=3306 - - DB_ROOT_PASSWD=mysql_root_password - ... - depends_on: - #- db - - memcached +If you want to use an existing mysql-server, you can modify the `.env` as follows + +```env +SEAFILE_MYSQL_DB_HOST=192.168.0.2 +SEAFILE_MYSQL_DB_PORT=3306 +SEAFILE_MYSQL_ROOT_PASSWORD=ROOT_PASSWORD +SEAFILE_MYSQL_DB_PASSWORD=PASSWORD ``` -* The entire db chapter needs to be removed -* The host of MySQL (`DB_HOST`) -* The port of MySQL (`DB_PORT`) -* The password of MySQL root (`DB_ROOT_PASSWD`) -* db in depends_on chapter needs to be removed -* `DB_ROOT_PASSWD` is needed during installation. Later, after Seafile is installed, the user `seafile` will be used to connect to the mysql-server (in `conf/seafile.conf`). You can remove the `DB_ROOT_PASSWD`. +NOTE: `SEAFILE_MYSQL_ROOT_PASSWORD` is needed during installation. Later, after Seafile is installed, the user `seafile` will be used to connect to the mysql-server (SEAFILE_MYSQL_DB_PASSWORD). You can remove the `SEAFILE_MYSQL_ROOT_PASSWORD`. ### Modify Seafile server configurations 
@@ -222,18 +135,12 @@ Enter the username and password according to the prompts. You now have a new adm ### Run Seafile as non root user inside docker -Since version 10.0, you can use run seafile as non root user in docker. (**NOTE:** Programs such as `my_init`, Nginx are still run as `root` inside docker.) - -First add the `NON_ROOT=true` to the `docker-compose.yml`. +You can use run seafile as non root user in docker. (**NOTE:** Programs such as `my_init`, Nginx are still run as `root` inside docker.) -```yml -seafile: - ... - environment: - ... - - NON_ROOT=true - ... +First add the `NON_ROOT=true` to the `.env`. +```env +NON_ROOT=true ``` Then modify `/opt/seafile-data/seafile/` permissions. @@ -242,16 +149,6 @@ Then modify `/opt/seafile-data/seafile/` permissions. chmod -R a+rwx /opt/seafile-data/seafile/ ``` -Note: Before version 11.0.9, you have to create a seafile user on the host, and modify the owner to seafile in `/opt/seafile-data/seafile/`. (**NOTE:** Do not change the `uid` and `gid`.) - -```bash -groupadd --gid 8000 seafile - -useradd --home-dir /home/seafile --create-home --uid 8000 --gid 8000 --shell /bin/sh --skel /dev/null seafile - -chown -R seafile:seafile /opt/seafile-data/seafile/ -``` - Then destroy the containers and run them again: ```bash 
@@ -271,29 +168,6 @@ When files are deleted, the blocks comprising those files are not immediately re The required scripts can be found in the `/scripts` folder of the docker container. To perform garbage collection, simply run `docker exec seafile /scripts/gc.sh`. For the community edition, this process will stop the seafile server, but it is a relatively quick process and the seafile server will start automatically once the process has finished. The Professional supports an online garbage collection. -## Deploy Seafile docker with custom port - -Assume your custom port is 8001, when it is a new installation, you only need to modify the `docker-compose.yml` and start the Seafile docker. - -```yml - seafile: - ... - ports: - - "8001:80" - environment: - ... - - SEAFILE_SERVER_HOSTNAME=seafile.example.com:8001 - ... - ... -``` - -If you have installed the Seafile docker, besides modifying the `docker-compose.yml`, you also need to modify the already generated configuration file `conf/seahub_settings.py`, then restart Seafile: - -```py -SERVICE_URL = "http://seafile.example.com:8001" -FILE_SERVER_ROOT = "http://seafile.example.com:8001/seafhttp" -``` - ## FAQ ### You can run docker commands like `docker exec` to find errors 
@@ -302,40 +176,11 @@ FILE_SERVER_ROOT = "http://seafile.example.com:8001/seafhttp" docker exec -it seafile /bin/bash ``` -### LetsEncrypt SSL certificate is about to expire - -If the certificate is not renewed automatically, you can execute the following command to manually renew the certificate. - -```bash -# /scripts/ssl.sh /shared/ssl/ -/scripts/ssl.sh /shared/ssl/ example.seafile.com -``` - -### Change the environment variable `SEAFILE_SERVER_LETSENCRYPT=false` value to `true` - -1. If you want to change to https after using http, first back up the `seafile.nginx.conf`: - -```bash -mv /opt/seafile-data/nginx/conf/seafile.nginx.conf /opt/seafile-data/nginx/conf/seafile.nginx.conf.bak -# or -mv /opt/seafile-data/nginx/conf/seafile.nginx.conf{,.bak} -``` - -2. Destroy the containers with `docker compose down`. +### About SSL and Caddy -3. Edit `docker-compose.yml`: change `SEAFILE_SERVER_LETSENCRYPT=false` value to `true`. +From Seafile 12.0, the SSL is handled by [***Caddy***](https://caddyserver.com/docs/). Caddy is a modern open source web server that mainly binds external traffic and internal services in [seafile docker](./seafile_docker_structures.md). The default caddy image is [`lucaslorentz/caddy-docker-proxy:2.9`](https://github.com/lucaslorentz/caddy-docker-proxy), which user only needs to correctly configure the following fields in `.env` to automatically complete the acquisition and update of the certificate: -4. Run `docker compose up -d` again. The new Seafile container will automatically request for an SSL certificate to be generated and installed. - -**Notes:** - -- You need to manually change http to https in other configuration files. - -- `SERVICE_URL` and `FILE_SERVER_ROOT` environment variables in the system admin page also need to be modified. - -- If you have modified the old `seafile.nginx.conf`, now you can modify the new `seafile.nginx.conf` as you want. 
Then execute the following command: - -```bash -# test the Nginx configuration and, if OK, reload nginx for configuration to take effect: -docker exec seafile nginx -t && docker exec seafile nginx -s reload +```shell +SEAFILE_SERVER_PROTOCOL=https +SEAFILE_SERVER_HOSTNAME=example.com ``` diff --git a/manual/docker/docker-compose/ce/12.0/caddy.yml b/manual/docker/docker-compose/ce/12.0/caddy.yml index 608e5bdb4..3bf7e7314 100644 --- a/manual/docker/docker-compose/ce/12.0/caddy.yml +++ b/manual/docker/docker-compose/ce/12.0/caddy.yml @@ -11,7 +11,7 @@ services: - CADDY_INGRESS_NETWORKS=seafile-net volumes: - /var/run/docker.sock:/var/run/docker.sock - - ${SEAFILE_CADDY_VOLUMES:-/opt/seafile-caddy}:/data/caddy + - ${SEAFILE_CADDY_VOLUME:-/opt/seafile-caddy}:/data/caddy networks: - seafile-net healthcheck: diff --git a/manual/docker/docker-compose/ce/12.0/env b/manual/docker/docker-compose/ce/12.0/env index 3bfd8d441..9caf94880 100644 --- a/manual/docker/docker-compose/ce/12.0/env +++ b/manual/docker/docker-compose/ce/12.0/env @@ -7,9 +7,9 @@ SEAFILE_DB_IMAGE=mariadb:10.11 SEAFILE_MEMCACHED_IMAGE=memcached:1.6.29 SEAFILE_CADDY_IMAGE=lucaslorentz/caddy-docker-proxy:2.9 -SEAFILE_VOLUMES=/opt/seafile-data -SEAFILE_MYSQL_VOLUMES=/opt/seafile-mysql/db -SEAFILE_CADDY_VOLUMES=/opt/seafile-caddy +SEAFILE_VOLUME=/opt/seafile-data +SEAFILE_MYSQL_VOLUME=/opt/seafile-mysql/db +SEAFILE_CADDY_VOLUME=/opt/seafile-caddy SEAFILE_MYSQL_DB_HOST=db SEAFILE_MYSQL_ROOT_PASSWORD=ROOT_PASSWORD @@ -28,7 +28,7 @@ SEAFILE_ADMIN_PASSWORD=asecret SEADOC_IMAGE=seafileltd/sdoc-server:1.0-latest -SEADOC_VOLUMES=/opt/seadoc-data +SEADOC_VOLUME=/opt/seadoc-data ENABLE_SEADOC=false SEADOC_SERVER_URL=http://example.seafile.com/sdoc-server diff --git a/manual/docker/docker-compose/ce/12.0/seadoc.yml b/manual/docker/docker-compose/ce/12.0/seadoc.yml index 240daa5e1..7bc2320ba 100644 --- a/manual/docker/docker-compose/ce/12.0/seadoc.yml +++ b/manual/docker/docker-compose/ce/12.0/seadoc.yml 
@@ -4,7 +4,7 @@ services: image: ${SEADOC_IMAGE:-seafileltd/sdoc-server:1.0-latest} container_name: seadoc volumes: - - ${SEADOC_VOLUMES:-/opt/seadoc-data/}:/shared + - ${SEADOC_VOLUME:-/opt/seadoc-data/}:/shared # ports: # - "80:80" environment: diff --git a/manual/docker/docker-compose/ce/12.0/seafile-server.yml b/manual/docker/docker-compose/ce/12.0/seafile-server.yml index fcb7eec10..6e3ffd100 100644 --- a/manual/docker/docker-compose/ce/12.0/seafile-server.yml +++ b/manual/docker/docker-compose/ce/12.0/seafile-server.yml @@ -7,7 +7,7 @@ services: - MYSQL_LOG_CONSOLE=true - MARIADB_AUTO_UPGRADE=1 volumes: - - "${SEAFILE_MYSQL_VOLUMES:-/opt/seafile-mysql/db}:/var/lib/mysql" + - "${SEAFILE_MYSQL_VOLUME:-/opt/seafile-mysql/db}:/var/lib/mysql" networks: - seafile-net @@ -24,9 +24,10 @@ services: # ports: # - "80:80" volumes: - - ${SEAFILE_VOLUMES:-/opt/seafile-data}:/shared + - ${SEAFILE_VOLUME:-/opt/seafile-data}:/shared environment: - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-db} + - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306} - DB_ROOT_PASSWD=${SEAFILE_MYSQL_ROOT_PASSWORD:?Variable is not set or empty} - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?Variable is not set or empty} - TIME_ZONE=${TIME_ZONE:-Etc/UTC} @@ -35,6 +36,7 @@ services: - SEAFILE_SERVER_HOSTNAME=${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} - SEAFILE_SERVER_PROTOCOL=${SEAFILE_SERVER_PROTOCOL:-http} - SITE_ROOT=${SITE_ROOT:-/} + - NON_ROOT=${NON_ROOT:-false} - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty} - ENABLE_SEADOC=${ENABLE_SEADOC:-false} - SEADOC_SERVER_URL=${SEADOC_SERVER_URL:-http://example.example.com/sdoc-server} diff --git a/manual/docker/docker-compose/pro/12.0/caddy.yml b/manual/docker/docker-compose/pro/12.0/caddy.yml index 608e5bdb4..3bf7e7314 100644 --- a/manual/docker/docker-compose/pro/12.0/caddy.yml +++ b/manual/docker/docker-compose/pro/12.0/caddy.yml 
@@ -11,7 +11,7 @@ services: - CADDY_INGRESS_NETWORKS=seafile-net volumes: - /var/run/docker.sock:/var/run/docker.sock - - ${SEAFILE_CADDY_VOLUMES:-/opt/seafile-caddy}:/data/caddy + - ${SEAFILE_CADDY_VOLUME:-/opt/seafile-caddy}:/data/caddy networks: - seafile-net healthcheck: diff --git a/manual/docker/docker-compose/pro/12.0/env b/manual/docker/docker-compose/pro/12.0/env index 9ae2b92ff..dcbb23fd1 100644 --- a/manual/docker/docker-compose/pro/12.0/env +++ b/manual/docker/docker-compose/pro/12.0/env @@ -8,10 +8,10 @@ SEAFILE_MEMCACHED_IMAGE=memcached:1.6.29 SEAFILE_ELASTICSEARCH_IMAGE=elasticsearch:8.15.0 SEAFILE_CADDY_IMAGE=lucaslorentz/caddy-docker-proxy:2.9 -SEAFILE_VOLUMES=/opt/seafile-data -SEAFILE_MYSQL_VOLUMES=/opt/seafile-mysql/db -SEAFILE_ELASTICSEARCH_VOLUMES=/opt/seafile-elasticsearch/data -SEAFILE_CADDY_VOLUMES=/opt/seafile-caddy +SEAFILE_VOLUME=/opt/seafile-data +SEAFILE_MYSQL_VOLUME=/opt/seafile-mysql/db +SEAFILE_ELASTICSEARCH_VOLUME=/opt/seafile-elasticsearch/data +SEAFILE_CADDY_VOLUME=/opt/seafile-caddy SEAFILE_MYSQL_DB_HOST=db SEAFILE_MYSQL_ROOT_PASSWORD=ROOT_PASSWORD @@ -30,7 +30,7 @@ SEAFILE_ADMIN_PASSWORD=asecret SEADOC_IMAGE=seafileltd/sdoc-server:1.0-latest -SEADOC_VOLUMES=/opt/seadoc-data +SEADOC_VOLUME=/opt/seadoc-data ENABLE_SEADOC=false SEADOC_SERVER_URL=http://example.seafile.com/sdoc-server diff --git a/manual/docker/docker-compose/pro/12.0/seadoc.yml b/manual/docker/docker-compose/pro/12.0/seadoc.yml index 240daa5e1..7bc2320ba 100644 --- a/manual/docker/docker-compose/pro/12.0/seadoc.yml +++ b/manual/docker/docker-compose/pro/12.0/seadoc.yml @@ -4,7 +4,7 @@ services: image: ${SEADOC_IMAGE:-seafileltd/sdoc-server:1.0-latest} container_name: seadoc volumes: - - ${SEADOC_VOLUMES:-/opt/seadoc-data/}:/shared + - ${SEADOC_VOLUME:-/opt/seadoc-data/}:/shared # ports: # - "80:80" environment: 
diff --git a/manual/docker/docker-compose/pro/12.0/seafile-server.yml b/manual/docker/docker-compose/pro/12.0/seafile-server.yml index 4d9f5a286..51fcf7028 100644 --- a/manual/docker/docker-compose/pro/12.0/seafile-server.yml +++ b/manual/docker/docker-compose/pro/12.0/seafile-server.yml @@ -7,7 +7,7 @@ services: - MYSQL_LOG_CONSOLE=true - MARIADB_AUTO_UPGRADE=1 volumes: - - "${SEAFILE_MYSQL_VOLUMES:-/opt/seafile-mysql/db}:/var/lib/mysql" + - "${SEAFILE_MYSQL_VOLUME:-/opt/seafile-mysql/db}:/var/lib/mysql" networks: - seafile-net @@ -32,7 +32,7 @@ services: hard: -1 mem_limit: 4g volumes: - - "${SEAFILE_MYSQL_VOLUMES:-/opt/seafile-elasticsearch/data}:/usr/share/elasticsearch/data" + - "${SEAFILE_MYSQL_VOLUME:-/opt/seafile-elasticsearch/data}:/usr/share/elasticsearch/data" networks: - seafile-net @@ -42,9 +42,10 @@ services: # ports: # - "80:80" volumes: - - ${SEAFILE_VOLUMES:-/opt/seafile-data}:/shared + - ${SEAFILE_VOLUME:-/opt/seafile-data}:/shared environment: - DB_HOST=${SEAFILE_MYSQL_DB_HOST:-db} + - DB_PORT=${SEAFILE_MYSQL_DB_PORT:-3306} - DB_ROOT_PASSWD=${SEAFILE_MYSQL_ROOT_PASSWORD:?Variable is not set or empty} - DB_PASSWORD=${SEAFILE_MYSQL_DB_PASSWORD:?Variable is not set or empty} - TIME_ZONE=${TIME_ZONE:-Etc/UTC} @@ -53,6 +54,7 @@ services: - SEAFILE_SERVER_HOSTNAME=${SEAFILE_SERVER_HOSTNAME:?Variable is not set or empty} - SEAFILE_SERVER_PROTOCOL=${SEAFILE_SERVER_PROTOCOL:-http} - SITE_ROOT=${SITE_ROOT:-/} + - NON_ROOT=${NON_ROOT:-false} - JWT_PRIVATE_KEY=${JWT_PRIVATE_KEY:?Variable is not set or empty} - ENABLE_SEADOC=${ENABLE_SEADOC:-false} - SEADOC_SERVER_URL=${SEADOC_SERVER_URL:-http://example.example.com/sdoc-server} diff --git a/manual/docker/docker-compose/seadoc/1.0/standalone/env b/manual/docker/docker-compose/seadoc/1.0/standalone/env index 42f4ae683..42eb9a2ce 100644 --- a/manual/docker/docker-compose/seadoc/1.0/standalone/env +++ b/manual/docker/docker-compose/seadoc/1.0/standalone/env 
@@ -4,7 +4,7 @@ COMPOSE_PATH_SEPARATOR=',' SEADOC_IMAGE=seafileltd/sdoc-server:1.0-latest -SEADOC_VOLUMES=/opt/seadoc-data +SEADOC_VOLUME=/opt/seadoc-data SEAFILE_MYSQL_DB_HOST=192.168.0.2 SEAFILE_MYSQL_DB_USER=seafile diff --git a/manual/docker/docker-compose/seadoc/1.0/standalone/seadoc.yml b/manual/docker/docker-compose/seadoc/1.0/standalone/seadoc.yml index e7f82ee55..c11b864ed 100644 --- a/manual/docker/docker-compose/seadoc/1.0/standalone/seadoc.yml +++ b/manual/docker/docker-compose/seadoc/1.0/standalone/seadoc.yml @@ -4,7 +4,7 @@ services: image: ${SEADOC_IMAGE:-seafileltd/sdoc-server:1.0-latest} container_name: seadoc volumes: - - ${SEADOC_VOLUMES:-/opt/seadoc-data/}:/shared + - ${SEADOC_VOLUME:-/opt/seadoc-data/}:/shared ports: - "80:80" environment: diff --git a/manual/docker/pro-edition/deploy_seafile_pro_with_docker.md b/manual/docker/pro-edition/deploy_seafile_pro_with_docker.md index 356a406c7..36bcc4dc7 100644 --- a/manual/docker/pro-edition/deploy_seafile_pro_with_docker.md +++ b/manual/docker/pro-edition/deploy_seafile_pro_with_docker.md @@ -3,6 +3,7 @@ This manual explains how to deploy and run Seafile Server Professional Edition (Seafile PE) on a Linux server using Docker and Docker Compose. The deployment has been tested for Debian/Ubuntu and CentOS, but Seafile PE should also work on other Linux distributions. ## Requirements + Seafile PE requires a minimum of 2 cores and 2GB RAM. If Elasticsearch is installed on the same server, the minimum requirements are 4 cores and 4 GB RAM, and make sure the [mmapfs counts](https://www.elastic.co/guide/en/elasticsearch/reference/current/index-modules-store.html#mmapfs) do not cause excptions like out of memory, which can be increased by following command (see for futher details): ```shell 
@@ -36,62 +37,50 @@ Use the [official installation guide for your OS to install Docker](https://docs Log into Seafile's private repository and pull the Seafile image: -``` +```bash docker login docker.seadrive.org -docker pull docker.seadrive.org/seafileltd/seafile-pro-mc:latest +docker pull docker.seadrive.org/seafileltd/seafile-pro-mc:12.0-latest ``` When prompted, enter the username and password of the private repository. They are available on the download page in the [Customer Center](https://customer.seafile.com/downloads). -NOTE: Older Seafile PE versions are also available in the repository (back to Seafile 7.0). To pull an older version, replace 'latest' tag by the desired version. +NOTE: Older Seafile PE versions are also available in the repository (back to Seafile 7.0). To pull an older version, replace '12.0-latest' tag by the desired version. -### Downloading and Modifying docker-compose.yml +### Downloading and Modifying `.env` -Download the docker-compose.yml sample file into Seafile's directory and modify the Compose file to fit your environment and settings. +From Seafile Docker 12.0, we recommend that you use `.env`, `seafile-server.yml` and `caddy.yml` files for configuration. NOTE: Different versions of Seafile have different compose files. 
-``` +```bash mkdir /opt/seafile cd /opt/seafile -# Seafile PE 7.1 and 8.0 -wget -O "docker-compose.yml" "https://manual.seafile.com/docker/docker-compose/pro/7.1_8.0/docker-compose.yml" - -# Seafile PE 9.0 -wget -O "docker-compose.yml" "https://manual.seafile.com/docker/docker-compose/pro/9.0/docker-compose.yml" +# Seafile PE 12.0 +wget -O .env https://manual.seafile.com/docker/docker-compose/pro/12.0/env +wget https://manual.seafile.com/docker/docker-compose/pro/12.0/seafile-server.yml +wget https://manual.seafile.com/docker/docker-compose/pro/12.0/caddy.yml -# Seafile PE 10.0 -wget -O "docker-compose.yml" "https://manual.seafile.com/docker/docker-compose/pro/10.0/docker-compose.yml" - -# Seafile PE 11.0 -wget -O "docker-compose.yml" "https://manual.seafile.com/docker/docker-compose/pro/11.0/docker-compose.yml" - -nano docker-compose.yml +nano .env ``` The following fields merit particular attention: -* The password of MariaDB root (MYSQL_ROOT_PASSWORD and DB_ROOT_PASSWD) -* The Seafile admin email address (SEAFILE_ADMIN_EMAIL) -* The Seafile admin password (SEAFILE_ADMIN_PASSWORD) -* The listening ports of the container seafile -* The host name (SEAFILE_SERVER_HOSTNAME) -* The use of Let's Encrypt for HTTPS (SEAFILE_SERVER_LETSENCRYPT) - -The new password for MYSQL_ROOT_PASSWORD and DB_ROOT_PASSWD must be identical. - -To enable HTTPS access (which is required for production use) enter the SEAFILE_SERVER_HOSTNAME and uncomment port 443 in the configuration of the container seafile. If you want to use Let's Encrypt to obtain a SSL certificate, set SEAFILE_SERVER_LETSENCRYPT to `true` (and do not comment out port 80 because it is required when requesting a Let's Encrypt certificate). 
If you want to use your own SSL certificate, leave SEAFILE_SERVER_LETSENCRYPT set to `false` and follow the instructions in section [Configuring a Custom SSL Certificate](https://manual.seafile.com/docker/pro-edition/deploy_seafile_pro_with_docker/#configuring-a-custom-ssl-certificate). - -Additional customizable options in the Compose file are: - -* The volume path for the container db -* The volume path for the container elasticsearch -* The volume path for the container seafile -* The image tag of the Seafile version to install (image) -* The time zone (TIME_ZONE) - -If you have pulled a particular version, modify the image tag accordingly. +- `SEAFILE_VOLUME`: The volume directory of Seafile data, default is `/opt/seafile-data` +- `SEAFILE_MYSQL_VOLUME`: The volume directory of MySQL data, default is `/opt/seafile-mysql/db` +- `SEAFILE_CADDY_VOLUME`: The volume directory of Caddy data used to store certificates obtained from Let's Encrypt's, default is `/opt/seafile-caddy` +- `SEAFILE_ELASTICSEARCH_VOLUME`: The volume directory of Elasticsearch data +- `SEAFILE_MYSQL_ROOT_PASSWORD`: The `root` password of MySQL +- `SEAFILE_MYSQL_DB_USER`: The user of MySQL (`database` - `user` can be found in `conf/seafile.conf`) +- `SEAFILE_MYSQL_DB_PASSWORD`: The user `seafile` password of MySQL +- `JWT`: JWT_PRIVATE_KEY, A random string with a length of no less than 32 characters, generate example: `pwgen -s 40 1` +- `SEAFILE_SERVER_HOSTNAME`: Seafile server hostname or domain +- `SEAFILE_SERVER_PROTOCOL`: Seafile server protocol (http or https) +- `TIME_ZONE`: Time zone (default UTC) +- `SEAFILE_ADMIN_EMAIL`: Admin username +- `SEAFILE_ADMIN_PASSWORD`: Admin password + +NOTE: SSL is now handled by the [caddy server](../deploy_seafile_with_docker.md#about-ssl-and-caddy) from 12.0. To conclude, set the directory permissions of the Elasticsearch volumne: 
@@ -108,7 +97,7 @@ Run docker compose in detached mode: docker compose up -d ``` -NOTE: You must run the above command in the directory with the docker-compose.yml. +NOTE: You must run the above command in the directory with the `.env`. Wait a few moment for the database to initialize. You can now access Seafile at the host name specified in the Compose file. (A 502 Bad Gateway error means that the system has not yet completed the initialization.) 
@@ -146,167 +135,60 @@ Placeholder spot for shared volumes. You may elect to store certain persistent i * /opt/seafile-data/seafile/logs: This is the directory that would contain the log files of seafile server processes. For example, you can find seaf-server logs in `/opt/seafile-data/seafile/logs/seafile.log`. * /opt/seafile-data/logs: This is the directory for operating system and Nginx logs. * /opt/seafile-data/logs/var-log: This is the directory that would be mounted as `/var/log` inside the container. For example, you can find the nginx logs in `/opt/seafile-data/logs/var-log/nginx/`. -* /opt/seafile-data/ssl: This is directory for certificate, which does not exist by default. ### Reviewing the Deployment -The command `docker container list` should list the four containers specified in the docker-compose.yml. +The command `docker container list` should list the containers specified in the `.env`. The directory layout of the Seafile container's volume should look as follows: -``` +```bash $ tree /opt/seafile-data -L 2 /opt/seafile-data ├── logs │   └── var-log ├── nginx │   └── conf -├── seafile -│   ├── ccnet -│   ├── conf -│   ├── logs -│   ├── pro-data -│   ├── seafile-data -│   └── seahub-data -└── ssl - ├── account.conf - ├── ca - ├── http.header - ├── SEAFILE_SERVER_HOSTNAME - ├── SEAFILE_SERVER_HOSTNAME.crt - └── SEAFILE_SERVER_HOSTNAME.key +└── seafile +    ├── ccnet +    ├── conf +    ├── logs +    ├── pro-data +    ├── seafile-data +    └── seahub-data ``` -NOTE: The directory `ssl` does not exist if Let's Encrypt is not used for HTTPS. SEAFILE_SERVER_HOSTNAME substitutes for the host name used in the docker-compose.yml file. - All Seafile config files are stored in `/opt/seafile-data/seafile/conf`. The nginx config file is in `/opt/seafile-data/nginx/conf`. 
Any modification of a configuration file requires a restart of Seafile to take effect: -``` +```bash docker compose restart ``` All Seafile log files are stored in `/opt/seafile-data/seafile/logs` whereas all other log files are in `/opt/seafile-data/logs/var-log`. -## Configuring a Custom SSL Certificate - -NOTE: This section is only relevant when you do not want to use a Let's Encrypt certificate, but a certificate of your own. - -Create a folder for the certificate: - -``` -mkdir /opt/seafile-data/ssl -``` - -Save your certificate and private key in this folder. - -Modify the nginx configuration `seafile.nginx.conf` in `/opt/seafile-data/nginx/conf` to look like this: - -``` -server { - listen 80; - server_name example.seafile.com default_server; - - location / { - rewrite ^ https://$host$request_uri? permanent; - } -} -server { - listen 443; - ssl on; - ssl_certificate /shared/ssl/your-ssl-crt.crt; - ssl_certificate_key /shared/ssl/your-ssl-key.key; - ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; - - server_name example.seafile.com; - ... - -``` - -Modify the values for server_name, ssl_certificate, and ssl_certificate_key to correspond to your situation. - -Now reload the nginx configuration: - -``` -docker exec -it seafile /usr/sbin/nginx -s reload -``` - -NOTE: If you got the following error when SEAFILE_SERVER_LETSENCRYPT=true is set: - -```log -subprocess.CalledProcessError: Command '/scripts/ssl.sh /shared/ssl cloud.seafile-demo.de' returned non-zero exit status 128. -``` - -In /scripts/ssl.sh (script in seafile container), `git clone git://` has to be replaced with `git clone https://`. - -Then restart the container: - -```shell -docker compose restart -``` - -Since version 9.0.6, we use acme (not acme-tiny) to get certificate and fix this error. 
- -Since version 10.0.x, if you want to use a reverse proxy and apply for a certificate outside docker, you can use `FORCE_HTTPS_IN_CONF` to force write `https://` in the configuration file. - -e.g. - -``` -seafile: - ... - environment: - ... - - SEAFILE_SERVER_LETSENCRYPT=false - - SEAFILE_SERVER_HOSTNAME=seafile.example.com - - FORCE_HTTPS_IN_CONF=true - ... - -``` - ## Use an existing mysql-server -If you want to use an existing mysql-server, you can modify the `docker-compose.yml` as follows - -```yml -services: - #db: - #image: mariadb:10.11 - #... - - seafile: - ... - environment: - ... - - DB_HOST=192.168.0.2 - - DB_PORT=3306 - - DB_ROOT_PASSWD=mysql_root_password - ... - depends_on: - #- db - - memcached +If you want to use an existing mysql-server, you can modify the `.env` as follows + +```env +SEAFILE_MYSQL_DB_HOST=192.168.0.2 +SEAFILE_MYSQL_DB_PORT=3306 +SEAFILE_MYSQL_ROOT_PASSWORD=ROOT_PASSWORD +SEAFILE_MYSQL_DB_PASSWORD=PASSWORD ``` -* The entire db chapter needs to be removed -* The host of MySQL (DB_HOST) -* The port of MySQL (DB_PORT) -* The password of MySQL root (DB_ROOT_PASSWD) -* db in depends_on chapter needs to be removed -* When Seafile is installed, the user `seafile` will be used to connect to the mysql-server (in conf/seafile.conf). You can remove the `DB_ROOT_PASSWD`. +NOTE: `SEAFILE_MYSQL_ROOT_PASSWORD` is needed during installation. Later, after Seafile is installed, the user `seafile` will be used to connect to the mysql-server (SEAFILE_MYSQL_DB_PASSWORD). You can remove the `SEAFILE_MYSQL_ROOT_PASSWORD`. ## Run Seafile as non root user inside docker -Since version 10.0, you can use run seafile as non root user in docker. (NOTE: Programs such as my_init, Nginx are still run as root inside docker.) +You can use run seafile as non root user in docker. (**NOTE:** Programs such as `my_init`, Nginx are still run as `root` inside docker.) -First add the `NON_ROOT=true` to the docker-compose.yml. +First add the `NON_ROOT=true` to the `.env`. 
-```yml -seafile: - ... - environment: - ... - - NON_ROOT=true - ... +```env +NON_ROOT=true ``` Then modify `/opt/seafile-data/seafile/` permissions. @@ -315,28 +197,19 @@ Then modify `/opt/seafile-data/seafile/` permissions. chmod -R a+rwx /opt/seafile-data/seafile/ ``` -Note: Before version 11.0.7-pro, you have to create a seafile user on the host, and modify the owner to seafile in `/opt/seafile-data/seafile/`. (**NOTE:** Do not change the `uid` and `gid`.) - -```bash -groupadd --gid 8000 seafile - -useradd --home-dir /home/seafile --create-home --uid 8000 --gid 8000 --shell /bin/sh --skel /dev/null seafile - -chown -R seafile:seafile /opt/seafile-data/seafile/ -``` - -Restarting the container run Seafile use seafile user. (NOTE: Later when do maintenance, other scripts in docker also required to run as seafile user, e.g. `su seafile -c ./seaf-gc.sh`) +Then destroy the containers and run them again: ```bash docker compose down docker compose up -d ``` +Now you can run Seafile as `seafile` user. (**NOTE:** Later, when doing maintenance, other scripts in docker are also required to be run as `seafile` user, e.g. `su seafile -c ./seaf-gc.sh`) + ## Backup and Recovery Follow the instructions in [Backup and restore for Seafile Docker](../../maintain/backup_recovery.md) - ## Garbage Collection When files are deleted, the blocks comprising those files are not immediately removed as there may be other files that reference those blocks (due to the magic of deduplication). To remove them, Seafile requires a ['garbage collection'](https://manual.seafile.com/maintain/seafile_gc/) process to be run, which detects which blocks no longer used and purges them. (NOTE: for technical reasons, the GC process does not guarantee that _every single_ orphan block will be deleted.) 
@@ -345,15 +218,13 @@ The required scripts can be found in the `/scripts` folder of the docker contain ## OnlyOffice with Docker -You need to manually add the OnlyOffice config to docker-compose.yml +You need to manually add the OnlyOffice config to `.env` * [OnlyOffice with Docker](deploy_onlyoffice_with_docker.md) ## Clamav with Docker -Since version 9.0.6, you can deploy Clamav with Docker. - -You need to manually add the Clamav config to docker-compose.yml +You need to manually add the Clamav config to `.env` * [Deploy Clamav with Docker](../../deploy_pro/deploy_clamav_with_seafile.md) @@ -393,14 +264,13 @@ You need to manually add the Clamav config to docker-compose.yml * [Import Directory to Seafile](../../deploy_pro/seaf_import.md) - ## FAQ Q: I forgot the Seafile admin email address/password, how do I create a new admin account? A: You can create a new admin account by running -``` +```shell docker exec -it seafile /opt/seafile/seafile-server-latest/reset-admin.sh ``` 
@@ -417,35 +287,3 @@ A: You can view the docker logs using this command: `docker compose logs -f`. Q: I forgot the admin password. How do I create a new admin account? A: Make sure the seafile container is running and enter `docker exec -it seafile /opt/seafile/seafile-server-latest/reset-admin.sh`. - -Q: The Let's Encrypt SSL certificate is about to expire, how do I renew it? - -A: The SSL certificate should be renewed automatically 30 days prior to its expiration. If the automatic renewal fails, these commands renew the certificate manually: -``` -docker exec -it seafile /bin/bash -/scripts/ssl.sh /shared/ssl/ SEAFILE_SERVER_HOSTNAME -``` -SEAFILE_SERVER_HOSTNAME is the host name used in the docker-compose.yml. - -Q: **SEAFILE_SERVER_LETSENCRYPT=false change to true.** - -A: If you want to change to https after using http, first backup and move the seafile.nginx.conf. - -```sh -mv /opt/seafile-data/nginx/conf/seafile.nginx.conf /opt/seafile-data/nginx/conf/seafile.nginx.conf.bak -``` - -Starting the new container will automatically apply a certificate. - -```sh -docker compose down -docker compose up -d -``` - -You need to manually change http to https in other configuration files, SERVICE_URL and FILE_SERVER_ROOT in the system admin page also need to be modified. - -If you have modified the old seafile.nginx.conf, now you can modify the new seafile.nginx.conf as you want. Then execute the following command to make the nginx configuration take effect. - -```sh -docker exec seafile nginx -s reload -``` diff --git a/manual/docker/seafile_docker_overview.md b/manual/docker/seafile_docker_overview.md new file mode 100644 index 000000000..dedf1fcc4 --- /dev/null +++ b/manual/docker/seafile_docker_overview.md 
@@ -0,0 +1,11 @@ +# Seafile Docker overview + +Seafile docker based installation consist of the following components (docker images): + +- Seafile server: Seafile core services, see [Seafile Components](../overview/components.md) for the details. +- Sdoc server: SeaDoc server, provide a lightweight online collaborative document editor, see [SeaDoc](../extra_setup/setup_seadoc.md#architecture) for the details. +- Database: Stores data related to Seafile and SeaDoc. +- Memcached: Cache server. +- Caddy: Caddy server enables user to access the Seafile service (i.e., Seafile server and Sdoc server) externally and handles `SSL` configuration + +![Seafile Docker Structure](../images/seafile-12.0-docker-structure.png) diff --git a/manual/images/seafile-12.0-docker-structure.png b/manual/images/seafile-12.0-docker-structure.png new file mode 100644 index 000000000..8719a7479 Binary files /dev/null and b/manual/images/seafile-12.0-docker-structure.png differ diff --git a/manual/upgrade/ce-7.0.md b/manual/upgrade/ce-7.0.md deleted file mode 100644 index 1b0e4a6c6..000000000 --- a/manual/upgrade/ce-7.0.md +++ /dev/null 
@@ -1,50 +0,0 @@ -# ce-7.0 - -## Common Problems - -### Not able to open Markdown file - -If after upgrading to 7.0, you are not able to open Markdown file and if your seahub.log containing the following error, it is caused by you forgot to migrate file comment when you upgrade to 6.3 version. - -![](./image-1558745192334.png) - - - -You can delete the table base_filecomment and recreate the table. - -``` -CREATE TABLE `base_filecomment` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `author` varchar(255) NOT NULL, - `comment` longtext NOT NULL, - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - `uuid_id` char(32) NOT NULL, - `detail` longtext NOT NULL, - `resolved` tinyint(1) NOT NULL, - - PRIMARY KEY (`id`), - KEY `base_filecomment_uuid_id_4f9a2ca2_fk_tags_fileuuidmap_uuid` (`uuid_id`), - KEY `base_filecomment_author_8a4d7e91` (`author`), - KEY `base_filecomment_resolved_e0717eca` (`resolved`), - CONSTRAINT `base_filecomment_uuid_id_4f9a2ca2_fk_tags_fileuuidmap_uuid` FOREIGN KEY (`uuid_id`) REFERENCES `tags_fileuuidmap` (`uuid`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8; - -``` - -If you are using SQLite, the corresponding SQL is: - -``` -CREATE TABLE "base_filecomment" ( -"id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, - "author" varchar(255) NOT NULL, - "comment" text NOT NULL, -"created_at" datetime NOT NULL, -"updated_at" datetime NOT NULL, -"uuid_id" char(32) NOT NULL REFERENCES "tags_fileuuidmap" ("uuid"), -"detail" text NOT NULL, -"resolved" bool NOT NULL); - -``` - - diff --git a/manual/upgrade/pro-7.0.md b/manual/upgrade/pro-7.0.md deleted file mode 100644 index 10d010beb..000000000 --- a/manual/upgrade/pro-7.0.md +++ /dev/null 
@@ -1,289 +0,0 @@ -# Upgrade to Pro 7.0 - -Since seafile-pro 7.0.0, we have upgraded Elasticsearch to 5.6. As Elasticsearch 5.6 relies on the Java 8 environment and can't run with root, you need to run Seafile with a non-root user and upgrade the Java version. - -## Upgrade the Java version - -In order to upgrade from 6.3.x to 7.0.x, you may need to upgrade the JDK version. - -Run the following command to view the current Java version information: - -``` -java -version - -``` - -If the current JDK version is 1.7.0, then you need to upgrade to 1.8.0. To upgrade to openjdk-1.8.0, refer to the following command: - -``` -# For CentOS -yum install java-1.8.0-openjdk - -``` - -``` -# For Ubuntu -apt-get install openjdk-8-jre - -``` - ---- - -**In addition, if you previously ran Seafile with root, you would need to run Seafile with a non-root user in order to use search functionality after upgrading to 7.0.x. If Seafile is already running with a non-root user, you can do the upgrade directly.** - -## Switch user if you are using root to run Seafile - -It is recommended that you run Seafile with the `seafile` user. For specific operations, please refer to the following process: - -**Assume that the Seafile installation directory is:** `/opt/seafile` - -**Assume that the Seafile data storage path is:** `/opt/seafile/seafile-data` - -### Stop Seafile Service - -You need to stop the currently running seafile process first. - -``` -cd /opt/seafile/seafile-server-latest -./seafile.sh stop -./seahub.sh stop - -``` - -### Create seafile user - -Create a system account to run the Seafile service. 
The suggested user name is seafile: - -``` -useradd --system --comment "seafile" seafile --create-home --home-dir /home/seafile - -``` - -### Modify directory permissions - -Modify the owner and group of the Seafile installation directory and the Seafile data storage directory to seafile: - -``` -chown -R seafile.seafile /opt/seafile -chown -R seafile.seafile /opt/seafile/seafile-data -chown -R seafile.seafile /tmp/seafile-office-output - -``` - -### Start the service - -``` -su - seafile -cd /opt/seafile/seafile-server-latest -./seafile.sh start -./seahub.sh start - -``` - -### Modify the startup scripts - -**If you used the systemd manager to implement boot-up:** - -* You need to modify `/etc/systemd/system/seafile.service`: - - -``` -[Unit] -Description=Seafile Server -After=network.target mariadb.service - -[Service] -ExecStart=/opt/seafile/seafile-server-latest/seafile.sh start -ExecStop=/opt/seafile/seafile-server-latest/seafile.sh stop -User=seafile -Group=seafile -Type=oneshot -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target - -``` - -And `/etc/systemd/system/seahub.service`: - -``` -[Unit] -Description=Seafile Seahub -After=network.target seafile.service - -[Service] -ExecStart=/opt/seafile/seafile-server-latest/seahub.sh start -ExecStop=/opt/seafile/seafile-server-latest/seahub.sh stop -User=seafile -Group=seafile -Type=oneshot -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target - -``` - -Reload the systemd manager configuration: - -``` -systemctl daemon-reload - -``` - -**If you used the init script to implement boot-up:** - -You need to modify `/etc/init.d/seafile-server`: - -``` -#!/bin/bash -### BEGIN INIT INFO -# Provides: seafile-server -# Required-Start: $remote_fs $syslog mysql -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Seafile server -# Description: Start Seafile server -### END INIT INFO - -# Author: Alexander Jackson - -# Change the value of "seafile_dir" to 
your path of seafile installation -user=seafile -seafile_dir=/opt/seafile -script_path=${seafile_dir}/seafile-server-latest -seafile_init_log=${seafile_dir}/logs/seafile.init.log -seahub_init_log=${seafile_dir}/logs/seahub.init.log - -case "$1" in - start) - sudo -u ${user} ${script_path}/seafile.sh $1 >> ${seafile_init_log} - sudo -u ${user} ${script_path}/seahub.sh $1 >> ${seahub_init_log} - ;; - restart) - sudo -u ${user} ${script_path}/seafile.sh $1 >> ${seafile_init_log} - sudo -u ${user} ${script_path}/seahub.sh $1 >> ${seahub_init_log} - ;; - stop) - sudo -u ${user} ${script_path}/seafile.sh $1 >> ${seafile_init_log} - sudo -u ${user} ${script_path}/seahub.sh $1 >> ${seahub_init_log} - ;; - *) - echo "Usage: /etc/init.d/seafile-server {start|stop|restart}" - exit 1 - ;; -esac - -``` - -### Upgrade Seafile - -Stop running the current seafile service: - -``` -su - seafile -cd /opt/seafile/seafile-server-latest -./seafile.sh stop -./seahub.sh stop - -``` - -Download the seafile-pro 7.0.x package and extract it to the Seafile installation directory `/opt/seafile`; then execute the upgrade script: - -``` -cd /opt/seafile/seafile-pro-server-7.0.x/upgrade/ -./upgrade_6.3_7.0.sh - -``` - -After the upgrade script is successfully executed, start the Seafile service: - -``` -cd /opt/seafile/seafile-server-latest -./seafile.sh start -./seahub.sh start - -``` - -## Features Modification - -### Encrypted libraries - -Note, to enable using new encrypted libraries with different salt for different libraries, you need to add the following configuration to seahub_setting.py - -``` -ENCRYPTED_LIBRARY_VERSION = 3 - -``` - -Currently the mobile clients and desktop clients does not supported new version of encrypted library yet. After we upgrade the clients, we will make the setting as default. - -### File history - -Recording file history to database for fast access is enabled by default for 'Markdown, .txt, ppt, pptx, doc, docx, xls, xlsx'. 
To disable the feature or to modified the file list, you can add the following settings to seafevents.conf - -``` -[FILE HISTORY] -enabled = false -suffix = md,txt,... - -``` - -After enable the feature, the old histories version for markdown, doc, docx files will not be list in the history page. (Only new histories that stored in database will be listed) But the users can still access the old versions in the library snapshots. - -For file types not listed in the `suffix` , histories version will be scanned from the library history as before. - -### File activities - -The file activities feature are redesigned. We use a new database table to record file activities. The old activities will not be displayed. - -### Wikis - -In version 6.3, users can create public or private Wikis. In version 7.0, private Wikis is replaced by column mode view. Every library has a column mode view. So users don't need to explicitly create private Wikis. - -Public Wikis are now renamed to published libraries. - -There are two role permissions that control whether a user can create public Wikis, share link permission and publish library permission. A user must have both the permissions to be able to use public Wikis. - -## Common Problems - -### Not able to open Markdown file - -If after upgrading to 7.0, you are not able to open Markdown file and if your seahub.log containing the following error, it is caused by you forgot to migrate file comment when you upgrade to 6.3 version. - -![](./image-1558745192334.png) - - - -You can delete the table base_filecomment and recreate the table. 
- -``` -CREATE TABLE `base_filecomment` ( - - `id` int(11) NOT NULL AUTO_INCREMENT, - `author` varchar(255) NOT NULL, - - `comment` longtext NOT NULL, - `created_at` datetime NOT NULL, - - `updated_at` datetime NOT NULL, - `uuid_id` char(32) NOT NULL, - - `detail` longtext NOT NULL, - `resolved` tinyint(1) NOT NULL, - - PRIMARY KEY (`id`), - KEY `base_filecomment_uuid_id_4f9a2ca2_fk_tags_fileuuidmap_uuid` (`uuid_id`), - - KEY `base_filecomment_author_8a4d7e91` (`author`), - - KEY `base_filecomment_resolved_e0717eca` (`resolved`), - - CONSTRAINT `base_filecomment_uuid_id_4f9a2ca2_fk_tags_fileuuidmap_uuid` FOREIGN KEY (`uuid_id`) REFERENCES `tags_fileuuidmap` (`uuid`) -) ENGINE=InnoDB DEFAULT CHARSET=utf8; - -``` - - diff --git a/manual/upgrade/upgrade_docker.md b/manual/upgrade/upgrade_docker.md index ef1c04cff..1d2ad3193 100644 --- a/manual/upgrade/upgrade_docker.md +++ b/manual/upgrade/upgrade_docker.md 
@@ -119,17 +119,17 @@ wget https://manual.seafile.com/docker/docker-compose/pro/12.0/caddy.yml The following fields merit particular attention: -* The volume directory of Seafile data (SEAFILE_VOLUMES, same as the seafile volumes in the old docker-compose.yml) -* The volume directory of MySQL data (SEAFILE_MYSQL_VOLUMES, same as the mysql volumes in the old docker-compose.yml) -* The volume directory of Elasticsearch data (SEAFILE_ELASTICSEARCH_VOLUMES, pro edition only, same as the elasticsearch volumes in the old docker-compose.yml) -* The volume directory of Caddy data (SEAFILE_CADDY_VOLUMES) -* The user of MySQL (SEAFILE_MYSQL_DB_USER, `database` - `user` can be found in `conf/seafile.conf`) -* The password of MySQL (SEAFILE_MYSQL_DB_PASSWORD, `database` - `password` can be found in `conf/seafile.conf`) -* jwt (JWT_PRIVATE_KEY, A random string with a length of no less than 32 characters, generate example: `pwgen -s 40 1`) -* SEAFILE_SERVER_HOSTNAME (SEAFILE_SERVER_HOSTNAME, same as the SEAFILE_SERVER_HOSTNAME in the old docker-compose.yml) -* SEAFILE_SERVER_PROTOCOL (SEAFILE_SERVER_PROTOCOL, use http or https) - -SSL is now handled by the caddy server. If you have used SSL before, you will also need modify the seafile.nginx.conf. Change server listen 443 to 80. 
+- `SEAFILE_VOLUME`: The volume directory of Seafile data, default is `/opt/seafile-data` +- `SEAFILE_MYSQL_VOLUME`: The volume directory of MySQL data, default is `/opt/seafile-mysql/db` +- `SEAFILE_CADDY_VOLUME`: The volume directory of Caddy data used to store certificates obtained from Let's Encrypt's, default is `/opt/seafile-caddy` +- `SEAFILE_ELASTICSEARCH_VOLUME`: The volume directory of Elasticsearch data +- `SEAFILE_MYSQL_ROOT_PASSWORD`: The `root` password of MySQL +- `SEAFILE_MYSQL_DB_PASSWORD`: The user `seafile` password of MySQL +- `JWT`: JWT_PRIVATE_KEY, A random string with a length of no less than 32 characters, generate example: `pwgen -s 40 1` +- `SEAFILE_SERVER_HOSTNAME`: Seafile server hostname or domain +- `SEAFILE_SERVER_PROTOCOL`: Seafile server protocol (http or https) + +SSL is now handled by the [caddy server](../docker/deploy_seafile_with_docker.md#about-ssl-and-caddy). If you have used SSL before, you will also need modify the seafile.nginx.conf. Change server listen 443 to 80. Backup the original seafile.nginx.conf file: @@ -199,7 +199,7 @@ wget https://manual.seafile.com/docker/docker-compose/pro/12.0/seadoc.yml ```env COMPOSE_FILE='seafile-server.yml,caddy.yml,seadoc.yml' -SEADOC_VOLUMES=/opt/seadoc-data +SEADOC_VOLUME=/opt/seadoc-data ENABLE_SEADOC=true SEADOC_SERVER_URL=http://example.seafile.com/sdoc-server ``` @@ -207,7 +207,7 @@ SEADOC_SERVER_URL=http://example.seafile.com/sdoc-server The following fields merit particular attention: * Add `seadoc.yml` to the `COMPOSE_FILE` field. -* The volume directory of SeaDoc data (SEADOC_VOLUMES) +* The volume directory of SeaDoc data (SEADOC_VOLUME) * Enable SeaDoc (ENABLE_SEADOC) * SeaDoc service url (SEADOC_SERVER_URL, hostname + `/sdoc-server`) diff --git a/manual/upgrade/upgrade_notes_for_12.0.x.md b/manual/upgrade/upgrade_notes_for_12.0.x.md index 6ef1ad1f2..1b9ad8838 100644 --- a/manual/upgrade/upgrade_notes_for_12.0.x.md +++ b/manual/upgrade/upgrade_notes_for_12.0.x.md 
@@ -47,7 +47,9 @@ For Ubuntu 22.04/24.04 sudo pip3 install future==1.0.* mysqlclient==2.2.* pillow==10.4.* sqlalchemy==2.0.* gevent==24.2.* captcha==0.6.* django_simple_captcha==0.6.* djangosaml2==1.9.* pysaml2==7.3.* pycryptodome==3.20.* cffi==1.17.0 python-ldap==3.4.* PyMuPDF==1.24.* ``` -## Upgrade to 12.0.x +## Upgrade to 12.0 (for binary installation) + +The following instruction is for binary package based installation. If you use Docker based installation, please see [](./upgrade_docker.md) ### 1) Stop Seafile-11.0.x server 
@@ -71,40 +73,21 @@ Note: JWT_PRIVATE_KEY, A random string with a length of no less than 32 characte ## Upgrade SeaDoc from 0.8 to 1.0 -If you have deployed SeaDoc extension in version 11.0, please use the following steps to upgrade it to version 1.0. - -Deploying SeaDoc and Seafile binary package on the same server is no longer supported. You can: +If you have deployed SeaDoc v0.8 with Seafile v11.0, you can upgrade it to 1.0 use the following two steps: -* Deploy SeaDoc on a new server and integrate it with Seafile. -* Migrate Seafile to a docker based deployment method and then deploy SeaDoc in the same server. +1. Delete sdoc_db. +2. Re-deploy SeaDoc server. In other words, delete the old SeaDoc deployment and deploy a new SeaDoc server on a separate machine. -If you have deployed SeaDoc extension in version 11.0 on a standalone server, please use the following steps to upgrade it to version 1.0. +Note, deploying SeaDoc and **Seafile binary package** on the same server is no longer supported. If you really want to deploying SeaDoc and Seafile server on the same machine, you should deploy Seafile server with Docker. ### Delete sdoc_db -From version 1.0, SeaDoc is using seahub_db database to store its operation logs and no longer need an extra database sdoc_db. You can simply delete sdoc_db. - +From version 1.0, SeaDoc is using seahub_db database to store its operation logs and no longer need an extra database sdoc_db. The database tables in seahub_db are created automatically when you upgrade Seafile server from v11.0 to v12.0. You can simply delete sdoc_db. ### Deploy a new SeaDoc server -In version 1.0, we use env file to configure SeaDoc docker image, instead of modifying the docker-compose.yml file directly. +Please see the document [Setup SeaDoc](../extra_setup/setup_seadoc.md) to install SeaDoc on a separate machine and integrate with your binary packaged based Seafile server v12.0. 
-Download [.env](https://manual.seafile.com/docker/docker-compose/seadoc/1.0/standalone/env) and [docker-compose.yml](https://manual.seafile.com/docker/docker-compose/seadoc/1.0/standalone/docker-compose.yml), then modify .env file. - -The following fields merit particular attention: - -* Seafile MySQL host (SEAFILE_MYSQL_DB_HOST) -* Seafile MySQL user (SEAFILE_MYSQL_DB_USER) -* Seafile MySQL password (SEAFILE_MYSQL_DB_PASSWD) -* The volume directory of SeaDoc data (SEADOC_VOLUMES) -* SeaDoc service URL (SDOC_SERVER_HOSTNAME) -* Seafile service URL (SEAHUB_SERVICE_URL) - -Start SeaDoc server with the following command - -```sh -docker compose up -d -``` ## FAQ diff --git a/manual/upgrade/upgrade_with_mysql_or_postgresql.md b/manual/upgrade/upgrade_with_mysql_or_postgresql.md deleted file mode 100644 index 6be912d71..000000000 --- a/manual/upgrade/upgrade_with_mysql_or_postgresql.md +++ /dev/null 
@@ -1,167 +0,0 @@ -#Seafile -## Upgrade with MySQL or PostgreSQL - -First, download the new version, for example seafile-server_1.6.0_x86-64.tar.gz, and extract it to the directory where you put all Seafile related staff. You should have a directory layout similar to this: - -``` -haiwen - -- seafile-server-1.5.0 - -- seafile-server-1.6.0 - -- ccnet - -- seafile-data -``` - -## Major Continuous Upgrade (like from 1.5 to 1.6) - -Major continuous upgrade including upgrading from 1.5.0 to 1.6.0 or upgrading from 1.5.0 to 1.6.1. It involves four steps: - -1. Stop Seafile/Seahub -2. Update avatars folder and database tables -3. Update Nginx/Apache configs -4. Restart Seafile/Seahub - -### 2. Update avatars folder and database tables (After Seafile Server 2.1.1 for MySQL) - -Since seafile server 2.1.1, You can upgrade the the avatars folder and the databases using the upgrade scripts. The script's name is like `upgrade_X.X_Y.Y.sh`. For example, assume you are upgrading from seafile server 2.0.0 to seafile server 2.1.1, the you should run the `upgrade_2.0_2.1.sh` script. - -```sh -cd seafile-server-2.1.1/ -./upgrade/upgrade_2.0_2.1.sh -``` - -The script would update the avatars folder and the database tables for you. - -### 2. 
Update avatars folder and database tables (For PostgreSQL and before Seafile Server 2.1.1) - -Before Seafile Server 2.1.1 or if you are using PostgreSQL, you have to manually: - -- update the avatars folder symbolic link -- update and the database tables - -#### Update avatars symbolic link - -Assume your top level directory is `/data/haiwen/`, and you are upgrading to seafile server version 1.6.0: - -``` -cd /data/haiwen -cp -a seafile-server-1.6.0/seahub/media/avatars/* seahub-data/avatars/ -rm -rf seafile-server-1.6.0/seahub/media/avatars -#the new server avatars' folder will be linked to the updated avatars folder -ln -s -t seafile-server-1.6.0/seahub/media/ ../../../seahub-data/avatars/ -``` - -#### Update database tables - -When a new version of seafile server is released, there may be changes to the database of seafile/seahub/ccnet. We provide the sql statements to update the databases: - -- `upgrade/sql//mysql/seahub.sql`, for changes to seahub database -- `upgrade/sql//mysql/seafile.sql`, for changes to seafile database -- `upgrade/sql//mysql/ccnet.sql`, for changes to ccnet database - -To apply the changes, just execute the sqls in the correspondent database. If any of the sql files above do not exist, it means the new version does not bring changes to the correspondent database. - -```sh -seafile-server-1.6.0 -├── seafile -├── seahub -├── upgrade - ├── sql - ├── 1.6.0 - ├── mysql - ├── seahub.mysql - ├── seafile.mysql - ├── ccnet.mysql -``` - - -### 3. Update Nginx/Apache Config - -For Nginx: - -``` - location /media { - root /data/haiwen/seafile-server-1.6.0/seahub; - } -``` - -For Apache: - -``` -Alias /media /data/haiwen/seafile-server-1.6.0/seahub/media -``` - -**Tip:** -You can create a symbolic link `seafile-server-latest`, and make it point to your current seafile server folder (Since seafile server 2.1.0, the `setup-seafile.sh` script will do this for your). 
Then, each time you run a upgrade script, it would update the `seafile-server-latest` symbolic link to keep it always point to the latest version seafile server folder. - -In this case, you can write: - -``` - location /media { - root /data/haiwen/seafile-server-latest/seahub; - } -``` - -or For Apache: - -``` -Alias /media /data/haiwen/seafile-server-latest/seahub/media -``` - -This way, you no longer need to update the nginx/apache config file each time you upgrade your seafile server. - - -### 4. Restart Seafile/Seahub/Nginx/Apache - -After done above updating, now restart Seafile/Seahub/Nginx/Apache to see the new version at work! - -## Noncontinuous Upgrade (like from 1.1 to 1.3) - -You may also upgrade a few versions at once, e.g. from 1.1.0 to 1.3.0. -The procedure is: - -1. upgrade from 1.1.0 to 1.2.0; -2. upgrade from 1.2.0 to 1.3.0. - - -## Minor upgrade (like from 1.5.0 to 1.5.1) - -Minor upgrade is like an upgrade from 1.5.0 to 1.5.1. - -Here is our dir strutcutre - -``` -haiwen - -- seafile-server-1.5.0 - -- seafile-server-1.5.1 - -- ccnet - -- seafile-data -``` - -### Update the avatar link - -We provide a script for you, just run it: - -```sh -cd seafile-server-1.5.1 -upgrade/minor-upgrade.sh -``` - -### Update Nginx/Apache Config - -For Nginx: - -``` - location /media { - root /data/haiwen/seafile-server-1.5.1/seahub; - } -``` - -For Apache: - -``` -Alias /media /data/haiwen/seafile-server-1.5.1/seahub/media -``` - -### Restart Seafile/Seahub/Nginx/Apache - -After done above updating, now restart Seafile/Seahub/Nginx/Apache to see the new version at work! diff --git a/mkdocs.yml b/mkdocs.yml index ce892d4d2..41dfee1ec 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -7,7 +7,7 @@ repo_name: haiwen/seafile-admin-docs repo_url: https://github.com/haiwen/seafile-admin-docs/ edit_uri: blob/master/manual -copyright: Copyright © 2023 Seafile Ltd. +copyright: Copyright © 2024 Seafile Ltd. theme: name: material 
@@ -77,6 +77,7 @@ nav: - Setup Seafile cluster with NFS: deploy_pro/setup_seafile_cluster_with_nfs.md - License: deploy_pro/seafile_professional_sdition_software_license_agreement.md - Seafile Setup with Docker: + - Seafile Docker Overview: docker/seafile_docker_overview.md - Seafile Community Installation: docker/deploy_seafile_with_docker.md - Seafile Professional Installation: docker/pro-edition/deploy_seafile_pro_with_docker.md - Seafile Docker Cluster Deployment: docker/cluster/deploy_seafile_cluster_with_docker.md @@ -86,21 +87,15 @@ nav: - Seafile Docker autostart: docker/seafile_docker_autostart.md - Advanced Setup Options: - LDAP/AD Integration: - - LDAP Integration: deploy/using_ldap.md - - LDAP Configuration for Seafile Pro: deploy_pro/using_ldap_pro.md - - Importing Groups from LDAP (Pro): deploy_pro/ldap_group_sync.md - - Importing Roles from LDAP (Pro): deploy_pro/ldap_role_sync.md - - LDAP in version 11.0: deploy/ldap_in_11.0.md - - LDAP in version 11.0 (Pro): deploy_pro/ldap_in_11.0.md + - LDAP Integration: deploy/ldap_in_11.0.md + - LDAP Integration (Pro): deploy_pro/ldap_in_11.0.md - Single Sign On: - Outline: deploy/single_sign_on.md - OAuth Authentication: deploy/oauth.md - Remote User Authentication: deploy/remote_user.md - Shibboleth Authentication: deploy/shibboleth_authentication.md - Auto Login to SeaDrive on Windows: deploy/auto_login_seadrive.md - - SAML 2.0 in version 10.0+ (Pro): deploy_pro/saml2_in_10.0.md - - SAML 2.0 (old) (Pro): deploy_pro/adfs.md - - CAS Authentication (Pro): deploy_pro/cas.md + - SAML 2.0 (Pro): deploy_pro/saml2_in_10.0.md - Switch authentication: deploy/auth_switch.md - Online Office: - LibreOffice Online Integration: deploy/libreoffice_online.md 
@@ -125,10 +120,7 @@ nav: - Start Seafile at System Bootup: deploy/start_seafile_at_system_bootup.md - Logrotate: deploy/using_logrotate.md - Open Cloud Mesh: deploy/ocm.md - - Deploy Seafile behind NAT: deploy/deploy_seafile_behind_nat.md - - Deploy Seahub at Non-root domain or on custom port: deploy/deploy_seahub_at_non-root_domain.md - Config fail2ban: security/fail2ban.md - - Real-time Backup Server: deploy_pro/real_time_backup.md - Configuration and Customization: - Outline: config/README.md - ccnet.conf: config/ccnet-conf.md @@ -149,7 +141,6 @@ nav: - Seafile FSCK: maintain/seafile_fsck.md - Seafile GC: maintain/seafile_gc.md - Clean database: maintain/clean_database.md - - Import Directory To Seafile (Pro): deploy_pro/seaf_import.md - Upgrade Seafile Server: - Outline: upgrade/upgrade.md - Upgrade Seafile Docker: upgrade/upgrade_docker.md
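Review bot: in `manual/upgrade/upgrade_docker.md`, hunk `@@ -119,17 +119,17 @@`, the new bullet is labelled `JWT` while its own description names the key `JWT_PRIVATE_KEY`. Since every other bullet in the list is now labelled with the exact variable name, a reader will copy `JWT` into `.env`. Label it `JWT_PRIVATE_KEY`. The rewrite also drops the "same as the ... volumes in the old docker-compose.yml" guidance and shows only defaults, which is the one thing an upgrading reader needs to know about the volume paths, so please keep a sentence saying the values must match the directories used by the existing deployment. The `SEAFILE_MYSQL_DB_USER` bullet and the pointer to `conf/seafile.conf` for the password are gone as well, and `SEAFILE_MYSQL_ROOT_PASSWORD` is added without saying where an existing installation finds it. Minor: "Let's Encrypt's" should read "Let's Encrypt".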
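Review bot: in `manual/upgrade/upgrade_docker.md`, hunks `@@ -199,7 +199,7 @@` and `@@ -207,7 +207,7 @@`, the rename from `SEADOC_VOLUMES` to `SEADOC_VOLUME` is applied to the env example and to the bullet, but the page tells the reader to fetch `seadoc.yml` with `wget`, and nothing in this patch shows that file being updated. Please confirm the published `seadoc.yml` reads the singular name before this merges, and add one line telling readers who already wrote `SEADOC_VOLUMES` into their `.env` from the earlier revision of this page to rename it, since a stale key would otherwise go unnoticed.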
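Review bot: in `manual/upgrade/upgrade_notes_for_12.0.x.md`, hunk `@@ -47,7 +47,9 @@`, the added sentence ends with `[](./upgrade_docker.md)`, a link with empty text, so the rendered page shows "please see" followed by nothing clickable. Give it link text, for example `[Upgrade Seafile Docker](./upgrade_docker.md)`, which is the title this page already has in the `mkdocs.yml` nav. "The following instruction is" also reads better as "The following instructions are".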
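Review bot: in `manual/upgrade/upgrade_notes_for_12.0.x.md`, hunk `@@ -71,40 +73,21 @@`, step 1 is "Delete sdoc_db" with no ordering or backup condition, while the paragraph added further down says the replacement tables in seahub_db are only created when Seafile server is upgraded from v11.0 to v12.0. State explicitly that sdoc_db is dropped after the Seafile upgrade has completed, and suggest taking a dump first, because the instruction is destructive and the page gives no way back. The hunk also removes the whole `.env` field list (`SEAFILE_MYSQL_DB_HOST`, `SEAFILE_MYSQL_DB_USER`, `SEAFILE_MYSQL_DB_PASSWD`, ...) in favour of a link to `../extra_setup/setup_seadoc.md`, so please check that page covers the standalone case with those fields. Wording: "upgrade it to 1.0 use the following two steps" should be "using the following two steps", "If you really want to deploying" should be "to deploy", and "binary packaged based" should be "binary package based".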
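Review bot: in `mkdocs.yml`, hunks `@@ -86,21 +87,15 @@` and `@@ -125,10 +120,7 @@`, a number of pages are dropped from the nav (`deploy/using_ldap.md`, `deploy_pro/using_ldap_pro.md`, `deploy_pro/ldap_group_sync.md`, `deploy_pro/ldap_role_sync.md`, `deploy_pro/adfs.md`, `deploy_pro/cas.md`, `deploy/deploy_seahub_at_non-root_domain.md`, `deploy_pro/real_time_backup.md`, `deploy_pro/seaf_import.md`). Please confirm each of these files is deleted in the same change and that no remaining page links to them, otherwise they stay published but unreachable, or leave broken links behind. For the authentication pages in particular (CAS, the old SAML/ADFS page, LDAP group and role sync), say in the 12.0 upgrade notes whether the feature itself is gone or only its page was merged into `ldap_in_11.0.md` and `saml2_in_10.0.md`, since administrators relying on those methods need to know before upgrading. The surviving entries now carry version-neutral titles ("LDAP Integration", "SAML 2.0 (Pro)") but still point at version-named files, so consider renaming the files too. The `@@ -77,6 +77,7 @@` hunk adds `docker/seafile_docker_overview.md` to the nav, so check that file is part of this commit.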