Bug 116080 - Packages on https://www.collaboraoffice.com/code/ improvement
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice Online
Classification: Unclassified
Component: LibreOffice
Version (earliest affected): unspecified
Hardware: All Linux (All)
Importance: medium normal
Assignee: Not Assigned
Reported: 2018-02-28 10:33 UTC by trash
Modified: 2018-11-27 20:27 UTC

Description trash 2018-02-28 10:33:56 UTC
Hi

The binary packages on https://www.collaboraoffice.com/code/ for Debian/Ubuntu/... need some improvements.
They are not working out of the box after installation and debugging is hard because the logfile is disabled by default.

Logfile:
Please consider changing the default value in "/etc/loolwsd/loolwsd.xml" for "<file enable="false">" from "false" to "true" (or add a sed to the postinstall script).
Add this to the postinstall script so the logfile works:
touch /var/log/loolwsd.log
chown lool /var/log/loolwsd.log

Logrotate:
If there is a logfile there should be logrotate.
Please add "/etc/logrotate.d/loolwsd" to the package.
Yes, there is a built-in logrotate which may fail because of permissions or something else (so I think logrotate is the better solution).

/etc/logrotate.d/loolwsd (works for me, maybe there is a better solution):
/var/log/loolwsd.log
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    create 644 lool root
    postrotate
        service loolwsd restart
    endscript
}


Certificates:
This is the reason why the package is not working out of the box (certificates are missing).

Please add this to the postinstall script (or tweak this):
openssl genrsa -out /etc/loolwsd/key.pem 4096
openssl req -out /etc/loolwsd/cert.csr -key /etc/loolwsd/key.pem -new -sha256 -nodes -subj "/CN=$(hostname).$(dnsdomainname)"
openssl x509 -req -days 3650 -in /etc/loolwsd/cert.csr -signkey /etc/loolwsd/key.pem -out /etc/loolwsd/cert.pem
openssl x509 -req -days 3650 -in /etc/loolwsd/cert.csr -signkey /etc/loolwsd/key.pem -out /etc/loolwsd/ca-chain.cert.pem
chown lool:lool /etc/loolwsd/key.pem
chmod 600 /etc/loolwsd/key.pem

This will create self-signed certificates valid for 10 years (like the Apache snakeoil certificates).



These changes should work on all Debian-based distributions (Debian/Ubuntu).
The logrotate part may need some changes for CentOS or openSUSE.

Thanks
Comment 1 Andras Timar 2018-03-13 10:42:59 UTC
Thanks for your suggestions. 

Loolwsd logs to system journal, you can see the logs with 'journalctl -u loolwsd'. With this in mind, I don't think logging under /var/log and logrotate should be configured by default. 

Certificates: I think it's hard to develop a foolproof solution here (e.g. we don't want to overwrite certs). In fact, when loolwsd is behind a reverse proxy on the same host or on a safe internal network, even ssl is not necessary. You still need a key.pem for the admin console access token generation, but you don't need the certs.
Comment 2 trash 2018-03-14 12:22:57 UTC
An if for the certs should be relatively easy:

if [ ! -e "/etc/loolwsd/key.pem" ] && [ ! -e "/etc/loolwsd/cert.pem" ] && [ ! -e "/etc/loolwsd/cert.csr" ] && [ ! -e "/etc/loolwsd/ca-chain.cert.pem" ]
then
  openssl genrsa ...
  ...
fi


A logfile in "/var/log" is currently much more intuitive.
But I see the idea behind journalctl.


Maybe the things I describe here should be in a "how to install" guide on the https://www.collaboraoffice.com/code/ site.
There are already proxy configs for Apache and nginx; an extra note that the packages do not work out of the box, you need to ..., is maybe enough.
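
The guarded generation sketched in comment 2, written out as an added example (not part of the thread and not Collabora's packaging code). The function name ensure_loolwsd_certs, its arguments and its return codes are assumptions; unlike the commands in the description it discards the CSR and installs the files only after every step has succeeded.

```shell
#!/bin/sh
# Added example, not Collabora's packaging code.
# ensure_loolwsd_certs DIR CN [OWNER]
#   0 = new key and self-signed certificate installed in DIR
#   1 = at least one target file already exists, nothing touched
#   2 = generation or installation failed
ensure_loolwsd_certs() {
    dir=$1 cn=$2 owner=${3:-}

    # Same guard as comment 2: generate only if none of the files exists,
    # so an administrator's own key or certificate is never overwritten.
    for f in key.pem cert.pem cert.csr ca-chain.cert.pem; do
        [ ! -e "$dir/$f" ] || return 1
    done

    # Work in a private (0700) scratch directory so a failed run leaves no
    # half-written key or certificate behind.
    tmp=$(mktemp -d "$dir/.certs.XXXXXX") || return 2
    (
        umask 077    # key.pem is never group- or world-readable
        openssl genrsa -out "$tmp/key.pem" 4096 &&
        openssl req -new -sha256 -key "$tmp/key.pem" \
            -subj "/CN=$cn" -out "$tmp/cert.csr" &&
        openssl x509 -req -days 3650 -in "$tmp/cert.csr" \
            -signkey "$tmp/key.pem" -out "$tmp/cert.pem" &&
        # The description signs the CSR twice; copying keeps both files identical.
        cp "$tmp/cert.pem" "$tmp/ca-chain.cert.pem" &&
        chmod 600 "$tmp/key.pem" &&
        chmod 644 "$tmp/cert.pem" "$tmp/ca-chain.cert.pem" &&
        { [ -z "$owner" ] || chown "$owner" "$tmp/key.pem"; } &&
        mv "$tmp/key.pem" "$tmp/cert.pem" "$tmp/ca-chain.cert.pem" "$dir/"
    ) && rc=0 || rc=2
    rm -rf "$tmp"
    return "$rc"
}

# In a postinst this would be called as (values taken from the description):
#   ensure_loolwsd_certs /etc/loolwsd "$(hostname).$(dnsdomainname)" lool:lool || true
```

Return code 1 is the normal result on upgrades and on hosts where the administrator has already installed a key or certificate.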
Comment 3 Andras Timar 2018-11-27 20:27:17 UTC
OK, here is some update. 
https://www.collaboraoffice.com/code/ page was rewritten last week. Hopefully it became clearer.

There is also an extra note:

"The default configuration is looking for an SSL certificate and key, which are not present, so probably it’s the best to disable SSL, and optionally enable SSL termination, then set up the reverse proxy."

So let's close this, I also find it off-topic to discuss contents of Collabora website and CODE packages on TDF Bugzilla.