<h1>Mounting ownCloud accounts with davfs2 on GNOME3</h1>
<p>Louis-Philippe Véronneau (https://veronneau.org/), 2016-05-30</p>
<p>This post aims to share how easy it can be to mount ownCloud's WebDAV shares on GNOME3.</p>
<h2>Why do this?</h2>
<p>At SOGÉÉCOM, our users love to use ownCloud. It works nicely, has a beautiful web interface and even gives you access to your files on your phone, be it Android or iOS.</p>
<p>So yeah, ownCloud is great, but from a sysadmin's point of view, it can be a bit of trouble sometimes. Our setup involves some client computers running Debian with GNOME3. Since these computers are used by multiple users each day, we cannot use ownCloud's sync client. It would duplicate a lot of files for nothing and users would constantly need to wait for files to sync when they log in.</p>
<p>The solution we found to fix this problem is to dynamically mount a user's ownCloud account through WebDAV. The result is pretty good, but vastly depends on:</p>
<ul>
<li>the latency between the client computer and the server</li>
<li>the speed of the server you're running ownCloud on</li>
<li>the speed of your network connection</li>
</ul>
<p>The best setup would thus be if you were able to run ownCloud on a physical server in your office. We don't, but our server pings at 100ms and we have a pretty good network connection.</p>
<h2>Introducing davfs2</h2>
<p>The best way to mount WebDAV on Debian is to use <a href="https://savannah.nongnu.org/projects/davfs2">davfs2</a>. To install it, you can run:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>apt-get<span class="w"> </span>install<span class="w"> </span>davfs2
</code></pre></div>
<p><code>davfs2</code> has two main configuration files:</p>
<ul>
<li><code>/etc/davfs2/davfs2.conf</code></li>
<li><code>/etc/davfs2/secrets</code></li>
</ul>
<p>The first one holds <code>davfs2</code>'s configuration, while the second lists all the usernames and passwords the program will need to connect to your ownCloud server.</p>
<h3>davfs2.conf</h3>
<p>To know what all parameters do, you can check out the man page of this configuration file:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>man<span class="w"> </span>davfs2.conf
</code></pre></div>
<p>The default parameters are pretty sane, but a few things should be changed nonetheless:</p>
<ul>
<li>
<p>If <code>ask_auth</code> is set to <code>1</code>, <code>davfs2</code> will interactively ask for credentials if it can't find them in <code>/etc/davfs2/secrets</code>. Since we don't want to bother users with this, set it to <code>0</code>.</p>
</li>
<li>
<p>When we implemented our setup, ownCloud's WebDAV file locking mechanism was pretty buggy, so we decided not to use it. Since then, we have not looked back on it and truly, it was not missed. We recommend setting <code>use_locks</code> to <code>0</code>, but if you want to play around with this parameter, please do so.</p>
</li>
<li>
<p>If you have big filesystems (ours is pretty big), it is a good idea to increase the value of the <code>table_size</code> option, say to <code>2048</code>. This value should be a power of 2.</p>
</li>
<li>
<p>The <code>delay_upload</code> parameter sets how much time <code>davfs2</code> will wait before uploading a file when it is closed. We had some trouble with files disappearing for no reason when they were modified. Setting this option to <code>30</code> fixed it.</p>
</li>
<li>
<p>If you are using a GUI to view your files (chances are pretty good you are), set <code>gui_optimize</code> to <code>1</code>.</p>
</li>
</ul>
<p>The result looks like this:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># version 11</span>
<span class="c1"># ------------------------------------</span>
<span class="c1"># Copyright (C) 2006, 2007, 2008, 2009, 2012, 2013, 2014 Werner Baumann</span>
<span class="c1"># Copying and distribution of this file, with or without modification, are</span>
<span class="c1"># permitted in any medium without royalty provided the copyright notice</span>
<span class="c1"># and this notice are preserved.</span>
<span class="c1"># Please read the davfs2.conf (5) man page for a description of the</span>
<span class="c1"># configuration options and syntax rules.</span>
<span class="c1"># Available options and default values</span>
<span class="c1"># ====================================</span>
<span class="c1"># General Options</span>
<span class="c1"># ---------------</span>
<span class="c1"># dav_user davfs2 # system wide config file only</span>
<span class="c1"># dav_group davfs2 # system wide config file only</span>
<span class="c1"># kernel_fs fuse</span>
<span class="c1"># buf_size 16 # KiByte</span>
<span class="c1"># WebDAV Related Options</span>
<span class="c1"># ----------------------</span>
<span class="c1"># use_proxy 1 # system wide config file only</span>
<span class="c1"># proxy # system wide config file only</span>
<span class="c1"># trust_ca_cert /etc/davfs2/certs/GandiStandardSSLCA.pem</span>
<span class="c1"># servercert # deprecated: use trust_ca_cert</span>
<span class="c1"># trust_server_cert /etc/davfs2/cert.pem</span>
<span class="c1"># clientcert</span>
<span class="c1"># secrets ~/.davfs2/secrets # user config file only</span>
<span class="n">ask_auth</span><span class="w"> </span><span class="mi">0</span>
<span class="n">use_locks</span><span class="w"> </span><span class="mi">0</span>
<span class="c1"># lock_owner <user-name></span>
<span class="c1"># lock_timeout 1800 # seconds</span>
<span class="c1"># lock_refresh 60 # seconds</span>
<span class="c1"># use_expect100 0</span>
<span class="c1"># if_match_bug 0</span>
<span class="c1"># drop_weak_etags 0</span>
<span class="c1"># n_cookies 0</span>
<span class="c1"># precheck 1</span>
<span class="c1"># ignore_dav_header 0</span>
<span class="c1"># use_compression 0</span>
<span class="c1"># follow_redirect 0</span>
<span class="c1"># server_charset</span>
<span class="c1"># connect_timeout 10 # seconds</span>
<span class="c1"># read_timeout 30 # seconds</span>
<span class="c1"># retry 30 # seconds</span>
<span class="c1"># max_retry 300 # seconds</span>
<span class="c1"># add_header</span>
<span class="c1"># Cache Related Options</span>
<span class="c1"># ---------------------</span>
<span class="c1"># backup_dir lost+found</span>
<span class="c1"># cache_dir /var/cache/davfs2 # system wide cache</span>
<span class="c1"># ~/.davfs2/cache # per user cache</span>
<span class="c1"># cache_size 50 # MiByte</span>
<span class="n">table_size</span><span class="w"> </span><span class="mi">2048</span>
<span class="c1"># dir_refresh 60 # seconds</span>
<span class="c1"># file_refresh 1 # second</span>
<span class="n">delay_upload</span><span class="w"> </span><span class="mi">30</span>
<span class="n">gui_optimize</span><span class="w"> </span><span class="mi">1</span>
<span class="c1"># minimize_mem 0</span>
<span class="c1"># Debugging Options</span>
<span class="c1"># -----------------</span>
<span class="c1"># debug # possible values: config, kernel, cache, http, xml,</span>
<span class="w"> </span><span class="c1"># httpauth, locks, ssl, httpbody, secrets, most</span>
</code></pre></div>
<h3>secrets</h3>
<p>This file lists all the usernames and the passwords <code>davfs2</code> will need to connect to ownCloud. You should fill it like this:</p>
<div class="highlight"><pre><span></span><code>user1 user1_password
user2 user2_password
user3 user3_password
</code></pre></div>
<p>This file is pretty sensitive. To be sure no one but the administrator can read it, modify its permissions:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>chmod<span class="w"> </span><span class="m">600</span><span class="w"> </span>/etc/davfs2/secrets
</code></pre></div>
<h2>Dynamically mounting with PAM</h2>
<p>The "dynamic" part of our mounting process (i.e. when a user logs in, the account is mounted automatically) is done with the help of PAM, a great and powerful tool.</p>
<p>The file we will be modifying here is <code>/etc/security/pam_mount.conf.xml</code>. You can read its man page by typing:</p>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>man<span class="w"> </span>pam_mount.conf
</code></pre></div>
<p>This file is written in XML and only a few things need to be modified for our setup to work. Your job will mainly consist of writing volume definitions in this style:</p>
<div class="highlight"><pre><span></span><code><volume user="user1" fstype="davfs" path="https://fqdm.org/remote.php/webdav/" mountpoint="the/mountpoint/path" options="uid=user1,gid=user1_group,file_mode=0770,dir_mode=0770" />
</code></pre></div>
<p>The options bit is pretty important, because if you set different permissions, users will have trouble reading their files from the mount point.</p>
<p>Since we are potentially dealing with a lot of users here, you should probably read about the behavior of the <a href="https://www.debian.org/doc/debian-policy/#user-configuration-files-dotfiles">/etc/skel</a> directory. We use it to create a standard mountpoint in a user's directory (<code>~/ownCloud</code>).</p>
<p>Our <code>pam_mount.conf.xml</code> kinda looks like this, but with real values:</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?xml version="1.0" encoding="utf-8" ?></span>
<span class="cp"><!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"></span>
<span class="cm"><!--</span>
<span class="cm"> See pam_mount.conf(5) for a description.</span>
<span class="cm">--></span>
<span class="nt"><pam_mount></span>
<span class="w"> </span><span class="cm"><!-- debug should come before everything else,</span>
<span class="cm"> since this file is still processed in a single pass</span>
<span class="cm"> from top-to-bottom --></span>
<span class="nt"><debug</span><span class="w"> </span><span class="na">enable=</span><span class="s">"0"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- Volume definitions --></span>
<span class="nt"><volume</span><span class="w"> </span><span class="na">user=</span><span class="s">"user1"</span><span class="w"> </span><span class="na">fstype=</span><span class="s">"davfs"</span><span class="w"> </span><span class="na">path=</span><span class="s">"https://fqdm.org/remote.php/webdav/"</span><span class="w"> </span><span class="na">mountpoint=</span><span class="s">"the/mountpoint/path"</span><span class="w"> </span><span class="na">options=</span><span class="s">"uid=user1,gid=user1_group,file_mode=0770,dir_mode=0770"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"><volume</span><span class="w"> </span><span class="na">user=</span><span class="s">"user2"</span><span class="w"> </span><span class="na">fstype=</span><span class="s">"davfs"</span><span class="w"> </span><span class="na">path=</span><span class="s">"https://fqdm.org/remote.php/webdav/"</span><span class="w"> </span><span class="na">mountpoint=</span><span class="s">"the/mountpoint/path"</span><span class="w"> </span><span class="na">options=</span><span class="s">"uid=user2,gid=user2_group,file_mode=0770,dir_mode=0770"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"><volume</span><span class="w"> </span><span class="na">user=</span><span class="s">"user3"</span><span class="w"> </span><span class="na">fstype=</span><span class="s">"davfs"</span><span class="w"> </span><span class="na">path=</span><span class="s">"https://fqdm.org/remote.php/webdav/"</span><span class="w"> </span><span class="na">mountpoint=</span><span class="s">"the/mountpoint/path"</span><span class="w"> </span><span class="na">options=</span><span class="s">"uid=user3,gid=user3_group,file_mode=0770,dir_mode=0770"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- pam_mount parameters: General tunables --></span>
<span class="cm"><!--</span>
<span class="cm"><luserconf name=".pam_mount.conf.xml" /></span>
<span class="cm">--></span>
<span class="cm"><!-- Note that commenting out mntoptions will give you the defaults.</span>
<span class="cm"> You will need to explicitly initialize it with the empty string</span>
<span class="cm"> to reset the defaults to nothing. --></span>
<span class="nt"><mntoptions</span><span class="w"> </span><span class="na">allow=</span><span class="s">"nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"</span><span class="w"> </span><span class="nt">/></span>
<span class="cm"><!--</span>
<span class="cm"><mntoptions deny="suid,dev" /></span>
<span class="cm"><mntoptions allow="*" /></span>
<span class="cm"><mntoptions deny="*" /></span>
<span class="cm">--></span>
<span class="nt"><mntoptions</span><span class="w"> </span><span class="na">require=</span><span class="s">"nosuid,nodev"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"><logout</span><span class="w"> </span><span class="na">wait=</span><span class="s">"0"</span><span class="w"> </span><span class="na">hup=</span><span class="s">"0"</span><span class="w"> </span><span class="na">term=</span><span class="s">"0"</span><span class="w"> </span><span class="na">kill=</span><span class="s">"0"</span><span class="w"> </span><span class="nt">/></span>
<span class="w"> </span><span class="cm"><!-- pam_mount parameters: Volume-related --></span>
<span class="nt"><mkmountpoint</span><span class="w"> </span><span class="na">enable=</span><span class="s">"1"</span><span class="w"> </span><span class="na">remove=</span><span class="s">"true"</span><span class="w"> </span><span class="nt">/></span>
<span class="nt"></pam_mount></span>
</code></pre></div>
<p>TAADAAA! If you followed these instructions correctly, when you log in to an account, you should now see an ownCloud WebDAV share mounted.</p>
<p>If not, logging in from a terminal session is pretty useful. If something fails, <code>davfs2</code> will tell you. If you can't figure it out, you can always try to get more information by enabling the <code>debug</code> parameters in <code>davfs2.conf</code> and <code>pam_mount.conf.xml</code>.</p>
<h2>Problems</h2>
<p>As well as this setup works, there are still a few problems you should be aware of:</p>
<ul>
<li>
<p>This is not made for massive file modifications. If someone tries to copy a 30Gb directory with the davfs mount, you will have problems.</p>
</li>
<li>
<p>There can be quite a big lag when opening a directory (10 seconds and more) if you have a bad ping or a bad network connection.</p>
</li>
<li>
<p><strong>All of your users' ownCloud passwords are kept in plaintext on the client's drive</strong>. Please don't add your administrative account in the list, this could end up badly.</p>
</li>
</ul>
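<p>The <code>chmod 600</code> step from the secrets section and the administrative-account warning above can be checked together with a small audit script. This is an added example, not part of the original post; it assumes GNU <code>stat</code> (as on Debian), the "username password" line layout shown on this page, and a caller-supplied list of administrative account names (the defaults below are placeholders).</p>

```shell
#!/bin/sh
# Added example: audit a davfs2 secrets file laid out as on this page
# ("username password" per line). Prints one finding per line and
# prints nothing when the file is clean.
# Assumptions: GNU stat; the expected owner and the admin-name list are
# parameters chosen by the caller, they are not davfs2 settings.
#
# Usage (as root): audit_secrets /etc/davfs2/secrets root "root admin"
audit_secrets() {
    file=$1
    want_owner=${2:-root}
    admins=${3:-"root admin"}   # placeholder names, adjust to your site

    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 0
    fi

    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")

    # Anything other than 600 means group/other access or a stray exec bit.
    if [ "$mode" != "600" ]; then
        echo "mode: $file is $mode, expected 600"
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "owner: $file is owned by $owner, expected $want_owner"
    fi

    # The first field of each non-empty, non-comment line is the account name.
    # The "|| [ -n ... ]" part keeps a last line that lacks a trailing newline.
    while read -r user _rest || [ -n "$user" ]; do
        case $user in
            ''|'#'*) continue ;;
        esac
        for a in $admins; do
            if [ "$user" = "$a" ]; then
                echo "admin-account: $user has a plaintext password in $file"
            fi
        done
    done < "$file"
    return 0
}
```

<p>Empty output means the file has the expected owner and mode and lists none of the named administrative accounts.</p>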