- Home
- Docs
- Installation and configuration
- Enterprise
- Docker version
- Installing ONLYOFFICE Docs Enterprise Edition for Docker on KylinOS
Installing ONLYOFFICE Docs Enterprise Edition for Docker on KylinOS
Introduction
Enterprise Edition allows you to install ONLYOFFICE Docs on your local server and integrate online editors with ONLYOFFICE collaboration platform or other popular systems.
ONLYOFFICE Docs is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
Functionality
- Document Editor
- Spreadsheet Editor
- Presentation Editor
- Mobile web viewers
- Mobile web editors
- Collaborative editing
- Hieroglyph support
- Support for all the popular formats: DOC, DOCX, TXT, ODT, RTF, ODP, EPUB, ODS, XLS, XLSX, CSV, PPTX, HTML
See the detailed list of features available for ONLYOFFICE Docs Enterprise Edition.
Using it within ONLYOFFICE Workspace, you will be able to:
- share files;
- manage access rights to documents;
- embed documents on a website;
- view and edit files stored on Drive, Box, Dropbox, OneDrive, OwnCloud connected to ONLYOFFICE.
Starting from v7.2, ONLYOFFICE Docs Docker images are reworked for running on Kylin Linux Advanced Server OS release V10. This guide will show you how to install ONLYOFFICE Docs Enterprise Edition Docker version on KylinOS.
System requirements
- CPUdual-core 2 GHz or better
- RAM4 GB or more
- HDDat least 40 GB of free space
- SWAPat least 4 GB, but depends on the host OS. More is better
- OSamd64 Linux distribution with kernel version 3.10 or later
- Docker: any version supported by KylinOS
Installing ONLYOFFICE Docs
/etc/default/docker
file and change the IP address in the following line to the IP address of a DNS server in your local network:
docker_OPTS="--dns 8.8.8.8"
For the RPM based operating systems like CentOS:
-
Create the
/etc/docker/daemon.json
configuration file with the following contents:{ "dns" : [ "8.8.8.8" ] }
-
Restart the Docker service:
sudo systemctl restart docker.service
Disable SELinux
You need to disable SELinux in the /etc/selinux/config
configuration file.
Open the /etc/selinux/config
file using any text editor, replace the SELINUX=enforcing
or SELINUX=permissive
string with the SELINUX=disabled
one, and save the changes.
Reboot your server for the changes to take effect. Make sure that SELinux is disabled:
[root@test ~]# sestatus
SELinux status: disabled
Install ONLYOFFICE Docs
Execute the following command to install ONLYOFFICE Docs:
sudo docker run -i -t -d -p 80:80 --security-opt seccomp=unconfined --restart=always -e JWT_SECRET=my_jwt_secret onlyoffice/documentserver-ee
-e JWT_SECRET=my_jwt_secret
.
If you are not going to use JWT in your installation, use -e JWT_ENABLED=false
.
The --security-opt seccomp=unconfined
key is required to disable security profiles for the container. More details can be found here.
You can also use our custom security profile: kylin-seccomp7.json.
sudo docker run -i -t -d -p <PORT_NUMBER>:80 --security-opt seccomp=unconfined --restart=always -e JWT_SECRET=my_jwt_secret onlyoffice/documentserver-ee
Where <PORT_NUMBER>
is the number of port you want ONLYOFFICE Docs to use.
This will install ONLYOFFICE Docs and all the dependencies it needs (the list of what is being done by the script can be found here).
Add a firewall exception
You also need to add an exception to the firewalld.service
service:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --reload
Once the configuration is finished, you can enter http://localhost in your browser address bar to open the ONLYOFFICE Docs welcome page, where you will find further instructions on how to enable document examples or integrate online editors into your web application using the provided API.
Storing data outside containers
All the data are stored in the specially-designated directories, data volumes, at the following location:
/var/log/onlyoffice
for ONLYOFFICE Docs logs/var/www/onlyoffice/Data
for certificates/var/lib/onlyoffice
for file cache/var/lib/postgresql
for database
To get access to your data located outside the container, you need to mount the volumes. It can be done by specifying the -v option in the docker run command.
sudo docker run -i -t -d -p 80:80 --security-opt seccomp=unconfined --restart=always \
-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
-v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql -e JWT_SECRET=my_jwt_secret onlyoffice/documentserver-ee
Normally, you do not need to store container data because the container operation does not depend on its state. Saving data will be useful:
- for easy access to container data, such as logs;
- to remove the limit on the size of the data inside the container;
- when using services launched outside the container such as PostgreSQL, Redis, RabbitMQ.
Running ONLYOFFICE Docs using HTTPS
sudo docker run -i -t -d -p 443:443 --security-opt seccomp=unconfined --restart=always \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_SECRET=my_jwt_secret onlyoffice/documentserver-ee
Access to the onlyoffice application can be secured using SSL to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, self-signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. The instructions on achieving this are provided below.
To secure the application via SSL, two things are needed:
- Private key (.key)
- SSL certificate (.crt)
So you need to create and install the following files:
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
When using CA certified certificates (e.g. Let's Encrypt), these files are provided to you by the CA. If you are using self-signed certificates, you need to generate these files yourself.
Switching ONLYOFFICE Docs to HTTPS using certbot
The easiest way to switch ONLYOFFICE Docs to HTTPS is to automatically get Let's Encrypt SSL Certificates using certbot.
Run the ONLYOFFICE Docs Docker container, specifying ports 80 and 443 and setting your own values for the variables:
sudo docker run -i -t -d -p 80:80 -p 443:443 --security-opt seccomp=unconfined --restart=always \
-e LETS_ENCRYPT_DOMAIN=yourdomain.com -e LETS_ENCRYPT_MAIL=email@example.com -e JWT_SECRET=my_jwt_secret onlyoffice/documentserver-ee
Where:
- LETS_ENCRYPT_DOMAIN - a domain name to use for the certificate.
- LETS_ENCRYPT_MAIL - an email used for registration and recovery contact.
The letsencrypt.org CA-signed certificate will be automatically generated and installed to your server. Now, your ONLYOFFICE Docs should be available at the https://yourdomain.com address.
Generation of self-signed certificates
Generation of self-signed SSL certificates involves a simple 3-step procedure:
STEP 1: Create the server private key
openssl genrsa -out onlyoffice.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key onlyoffice.key -out onlyoffice.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
You have now generated an SSL certificate that's valid for 365 days.
Strengthening the server security
This section provides you with instructions to strengthen your server security.
To achieve this, you need to generate stronger DHE parameters.
openssl dhparam -out dhparam.pem 2048
Installation of the SSL certificates
Out of the four files generated above, you need to install the onlyoffice.key
, onlyoffice.crt
and dhparam.pem
files at the onlyoffice server. The CSR file is not needed, but do make sure you safely back up the file (in case you ever need it again).
The default path that the onlyoffice application is configured to look for the SSL certificates is at /var/www/onlyoffice/Data/certs
, this can however be changed using the SSL_KEY_PATH
, SSL_CERTIFICATE_PATH
and SSL_DHPARAM_PATH
configuration options.
The /var/www/onlyoffice/Data/
path is the path of the data store, which means that you have to create a folder named certs inside /app/onlyoffice/DocumentServer/data/
and copy the files into it and as a measure of security you will update the permission on the onlyoffice.key
file to only be readable by the owner.
mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/
cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
And restart Docker container:
sudo docker restart {{DOCUMENT_SERVER_ID}}
You are now just one step away from having our application secured.
Available configuration parameters
--env-file
flag, where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.Below is the complete list of parameters that can be set using environment variables.
- ONLYOFFICE_HTTPS_HSTS_ENABLED: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to
true
. - ONLYOFFICE_HTTPS_HSTS_MAXAGE: Advanced configuration option for setting the HSTS max-age in the onlyoffice NGINX vHost configuration. Applicable only when SSL is in use. Defaults to
31536000
. - SSL_CERTIFICATE_PATH: The path to the SSL certificate to use. Defaults to
/var/www/onlyoffice/Data/certs/tls.crt
. - SSL_KEY_PATH: The path to the SSL certificate private key. Defaults to
/var/www/onlyoffice/Data/certs/tls.key
. - SSL_DHPARAM_PATH: The path to the Diffie-Hellman parameter. Defaults to
/var/www/onlyoffice/Data/certs/dhparam.pem
. - SSL_VERIFY_CLIENT: Enable verification of client certificates using the
CA_CERTIFICATES_PATH file
. Defaults tofalse
. - DB_TYPE: The database type. Supported values are
postgres
,mariadb
ormysql
. Defaults topostgres
. - DB_HOST: The IP address or the name of the host where the database server is running.
- DB_PORT: The database server port number.
- DB_NAME: The name of a database to be created on the image startup.
- DB_USER: The new username with superuser permissions for the database account.
- DB_PWD: The password set for the database account.
- AMQP_URI: The AMQP URI to connect to the message broker server.
- AMQP_TYPE: The message broker type. Supported values are
rabbitmq
oractivemq
. Defaults torabbitmq
. - REDIS_SERVER_HOST: The IP address or the name of the host where the Redis server is running.
- REDIS_SERVER_PORT: The Redis server port number.
- NGINX_WORKER_PROCESSES: Defines the number of NGINX worker processes.
- NGINX_WORKER_CONNECTIONS: Sets the maximum number of simultaneous connections that can be opened by a NGINX worker process.
- SECURE_LINK_SECRET: Defines secret for the nginx config directive secure_link_md5. Defaults to
random string
. - JWT_ENABLED: Specifies the enabling of the JSON web token validation by ONLYOFFICE Docs. Defaults to
true
. - JWT_SECRET: Defines the secret key to validate the JSON web token in the request to ONLYOFFICE Docs. Defaults to random value.
- JWT_HEADER: Defines the HTTP header that will be used to send the JSON web token. Defaults to
Authorization
. - JWT_IN_BODY: Specifies the enabling of the token validation in the request body to the ONLYOFFICE Docs. Defaults to
false
. - WOPI_ENABLED: Specifies the enabling of the wopi handlers. Defaults to
false
. - USE_UNAUTHORIZED_STORAGE: Set to
true
if using self-signed certificates for your storage server, e.g. Nextcloud. Defaults tofalse
. - GENERATE_FONTS: When
true
, regenerates fonts list and the fonts thumbnails etc. at each start. Defaults totrue
. - METRICS_ENABLED: Specifies the enabling StatsD for ONLYOFFICE Docs. Defaults to
false
. - METRICS_HOST: Defines StatsD listening host. Defaults to
localhost
. - METRICS_PORT: Defines StatsD listening port. Defaults to
8125
. - METRICS_PREFIX: Defines StatsD metrics prefix for backend services. Defaults to
ds.
. - LETS_ENCRYPT_DOMAIN: Defines the domain for Let's Encrypt certificate.
- LETS_ENCRYPT_MAIL: Defines the domain administrator mail address for Let's Encrypt certificate.
Registering your Enterprise Edition version
If you bought Enterprise Edition and received the license.lic file, you can place it to your installation to obtain the software full version.
When you are using the docker container, the license.lic file can be placed in any folder (e.g. /app/onlyoffice/DocumentServer/data/license.lic
), but you will need to mount this folder when the container starts:
sudo docker run -i -t -d -p 80:80 --security-opt seccomp=unconfined --restart=always \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-e JWT_SECRET=my_jwt_secret onlyoffice/documentserver-ee
After that, your version of Enterprise Edition will become registered and full-featured.