Replies: 3 comments 2 replies
-
Unfortunately not. Docker will not provide auto scaling and High availability. That needs Kubernetes as a platform.
For professional use, we outsource both: OIDC provider and LDAP. Our classic is external Keycloak and OpenLDAP.
-
@micbar Sorry I was not absolutely clear, I updated the initial post. I'm not using Docker Standalone, but Docker Swarm. I have RWX volumes, overlay network, task (= pod) scheduling. I do not see what K8S has that I cannot provide. About the Keycloak in the example: the OIDC part is okay, and kinda works already. What I do not see is where to plug in an external LDAP. I mean I can spin up an What still puzzles me is why I even need that, when Authelia has its own user database, albeit it's just a file.
-
Okay, if that works for you. There are some services which cannot scale, currently only the search service.
These are the settings for the LDAP and Keycloak connection https://github.com/opencloud-eu/opencloud-compose/blob/main/idm/ldap-keycloak.yml#L6-L31
I do not get what you mean with "OpenCloud needs to store user information". Authelia has its own user database and stores identifiers and so on. OpenCloud needs to access that data for sharing. There is no defined standard API in OIDC to fetch users. So we also need to store user data for it to be available to OpenCloud. LDAP is currently the only well-known standard to be used across different systems. In the future that may be SCIM.
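For readers who want to see the shape of what the reply above describes, here is an added example stack fragment (written for this page, not taken from the thread or from the opencloud-compose repository): it disables the built-in IDM and points OpenCloud at an external LDAP, with a Swarm `deploy` stanza for two replicas. The environment variable names (`OC_LDAP_*`, `OC_EXCLUDE_RUN_SERVICES`, `GRAPH_LDAP_*`), the `ldap-server` hostname, the base DNs and the secret names are assumptions modelled on the linked `ldap-keycloak.yml`; verify each against that file and the OpenCloud service documentation before use.

```yaml
# Added example (assumptions: variable names as in the linked ldap-keycloak.yml,
# hostnames/DNs/secrets chosen for illustration). Not the project's own file.
version: "3.8"

services:
  opencloud:
    image: opencloudeu/opencloud:latest
    deploy:
      replicas: 2               # Swarm: scale the stateless services
    environment:
      # Stop the embedded IDM so the built-in LDAP is not started at all.
      OC_EXCLUDE_RUN_SERVICES: idm

      # External LDAP that OpenCloud reads users and groups from (needed for
      # sharing lookups; OIDC alone has no standard user listing API).
      OC_LDAP_URI: ldaps://ldap-server:636
      OC_LDAP_INSECURE: "false"            # keep TLS verification on; mount the CA instead
      OC_LDAP_CACERT: /etc/opencloud/ldap-ca.crt
      OC_LDAP_BIND_DN: "cn=readonly,dc=example,dc=org"
      OC_LDAP_BIND_PASSWORD_FILE: /run/secrets/ldap_bind_password
      OC_LDAP_USER_BASE_DN: "ou=users,dc=example,dc=org"
      OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=example,dc=org"
      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
      OC_LDAP_GROUP_FILTER: "(objectclass=groupOfNames)"
      OC_LDAP_USER_SCHEMA_ID: uid
      OC_LDAP_GROUP_SCHEMA_ID: cn

      # Read-only: account lifecycle stays with the directory, not OpenCloud.
      GRAPH_LDAP_SERVER_WRITE_ENABLED: "false"
    secrets:
      - ldap_bind_password
    volumes:
      - /config3:/etc/opencloud      # CephFS, shared by all replicas
      - /data3:/var/lib/opencloud    # CephFS (RWX) for the storage providers

secrets:
  ldap_bind_password:
    external: true                   # created with `docker secret create`
```

Two points worth checking after applying something like this: the bind DN should be a read-only account (a user that can only search the two base DNs), and the subject identifier Authelia puts into the OIDC token must resolve to exactly one LDAP entry via the user filter, otherwise logins work but sharing lookups fail.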
-
I'm having a test drive with Opencloud after using OCIS for the last year or so, and so far I'm impressed with it. Even managed to integrate Authelia, which I could not for the love of my god with OCIS... So my next experiment would be to run more than one instance of it to distribute the load between my nodes and achieve some fault tolerance. All of this with Docker Swarm, not Kubernetes (yeah I know... but k8s is just too much for home use).
So far I got to the point that I have Nats for all sorts of caching/event syncing (borrowed from my OCIS installation). I went through all the service documentation to check what I should outsource to an external Nats, but correct my config below if I missed something.
I have external IDP as mentioned: Authelia.
Storage is CephFS between my nodes.
/data3 and /config3 are CephFS mounts.
Where I'm stuck and cannot really progress is IDM. As I was deciphering the Helm chart provided, I found opencloud-eu/helm#53 where it is stated that I should disable the built-in IDM and use an external LDAP. I'm confused at this point. My user management is handled by Authelia, why would I need an LDAP besides that?
My current docker services look like this:
Nats from my OCIS setup:
Corresponding Authelia config (not sure if any related)
With one replica AND IDM enabled it works fine.
If I disable the built-in IDM it breaks.
If I bump to two or more replicas it breaks, no matter with or without IDM.
With loglevel info I get no errors, just:
With loglevel debug I get a hundred million log entries, but filtering a bit results in this:
Right now I disabled account autoprovisioning, but that did not really help though.
So my question would be. Am I even on the right track to make OC scalable with docker swarm?
What am I missing? How do I really outsource the user database to an external service like Authelia? As far as I understand, right now it's some kind of tandem between the OIDC provider and the built-in LDAP.