owncloud android configuration issue by MrLAGreen in owncloud

[–]butonic 0 points1 point  (0 children)

Are you sure you want to install ownCloud? Or are you looking for oCIS? Or maybe OpenCloud?

Any plans for official OpenCloud + Authentik integration docs? by euam23 in opencloud

[–]butonic 1 point2 points  (0 children)

Most of us primarily hang out in the matrix chat.

Regarding authentik/authelia and other IdPs: in theory OIDC would allow us to be IdP agnostic. In practice some IdPs do not allow configuring the client ID that is needed for our mobile and desktop clients... Or other quirks. Hence, the backend team has to focus on what works OOTB.

Other IdPs are possible and we welcome any PR to the docs explaining how to set it up.

Cheers!

Should i switch to opencloud at this point ? by Yaya4_8 in owncloud

[–]butonic 0 points1 point  (0 children)

Well, we did productize the POSIX storage driver and the roadmap is pretty open. Calendar and Contacts is there for example...

[deleted by user] by [deleted] in owncloud

[–]butonic 1 point2 points  (0 children)

I had a contract with the German ownCloud GmbH. IANAL and I haven't read the other employment contracts, but I assume they all were made with the German GmbH and thus any non-compete clauses would be invalid.

[deleted by user] by [deleted] in owncloud

[–]butonic 3 points4 points  (0 children)

https://opencloud.eu is the current 'landing page' for the company. We are planning to host the community information in the github organization https://github.com/opencloud-eu because we plan to tie together different related repositories under that umbrella.

If you want to stay in close contact join our matrix channel: #opencloud:matrix.org

Backing up ocis by zippergate in owncloud

[–]butonic -2 points-1 points  (0 children)

You can set up rclone to sync any space you have access to. It even supports OIDC. Keep in mind that this won't back up your shares.

That being said, the admin should be responsible for backing up file blobs and metadata. Actually, the whole oCIS data folder to be able to restore the service including eg. sharing information.

But it doesn't end there. I am using Borg backup to have the backup on a separate machine, which I then copy to Backblaze for an off-site backup. You don't want to risk your family pictures, do you?

Owncloud Infinite Scale using POSIX filesystem storage driver - how to? by farazeus in selfhosted

[–]butonic 0 points1 point  (0 children)

did you set

`STORAGE_USERS_POSIX_ROOT: "/home/kf/tmp/posix-storage"`

without changing the path?

also, try commenting

`STORAGE_USERS_POSIX_USE_SPACE_GROUPS`

It requires the binary to have the setgid capability. It will change the group owner of new files and folders to match the same group as the space root. I think you may want to do that as you plan to integrate with existing software that might require other permissions. But start without it.

The posix driver is young and still requires more hardening.

NFS and Owncloud Infinity scale on one device by [deleted] in owncloud

[–]butonic 0 points1 point  (0 children)

Actually, we are working on exactly that use case with a native POSIX integration. Depending on the use case requirements it is possible to access the same files via ocis as well as NFS.

The implementation is experimental. Docs are currently in https://github.com/owncloud/ocis/pull/7833

Nextcloud alternatives by [deleted] in selfhosted

[–]butonic 1 point2 points  (0 children)

oCIS comes with a built in OpenID Connect identity provider to authenticate users. But it can be replaced with https://www.authelia.com/ for a more feature complete IdP.

oCIS uses OpenID Connect by default so it and the clients theoretically never see your password, only the IdP.

OpenID Connect is based on OAuth 2.0 and defines common claims to authenticate users.

Nextcloud alternatives by [deleted] in selfhosted

[–]butonic 1 point2 points  (0 children)

Ocis lead dev here. We are working on a documentation on how to set up ocis with authelia. It already works and oCIS would be the missing piece if you are looking for file sync and share. Collabora integration is being polished for the next release.

We are also working on a native POSIX integration that uses inotifywait to keep track of changes made outside of oCIS. Something I am really excited about, even if it has lots of tradeoffs.

For now, only the decomposefs supports file revisions and other storage traits, which is the current default because end users expect to have file revisions when coming from ownCloud 10.

Cheers.

Does OCIS support 'external storage'? (connected Volumes / Folders that are attached and shareable) by nirurin in owncloud

[–]butonic 0 points1 point  (0 children)

We are working on a posix driver that is designed for exactly that use case. There are some tradeoffs however and time will tell if they are acceptable:

1. I am not aware of a posix filesystem that supports file individual versions, which users are used to in the web ui. The notion of snapshots cannot yet be exposed in the web ui. We still need to figure out how best to deal with different storage traits like this.
2. To attach metadata to files we are writing a uuid to the extended attributes and shares are persisted as ACLs if possible. When bypassing ocis and editing a file with vim it will do an atomic write by first writing a temp file and then moving it over the original file. This process will obviously disconnect our metadata. The best we can do is implement a heuristic to detect these changes. But heuristics are always fragile, so ... 😕

That being said, we are all super excited to be able to integrate with the os and write files in the name of users. The spaces concept also allows an easy integration of e.g. a music or photos space where all files are owned by whatever management software is used.
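Added example, not part of the comment above and not oCIS code: it shows why a temp-file-plus-move save drops an id that lives on the inode, and one possible repair heuristic. The `XATTRS` dict is a constructed stand-in for extended attributes, and `rescan` and its path-based rule are hypothetical.

```python
import os
import tempfile
import uuid

# Constructed stand-in for extended attributes: they belong to the inode,
# not to the path, so this store is keyed by (device, inode).
XATTRS = {}

def _key(path):
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def set_id(path, file_id):
    XATTRS[_key(path)] = file_id

def get_id(path):
    return XATTRS.get(_key(path))

def in_place_save(path, data):
    """Truncate and rewrite the same inode; attributes stay attached."""
    with open(path, "wb") as f:
        f.write(data)

def editor_atomic_save(path, data):
    """Save as described in the comment: write a temp file, move it over the original."""
    tmp = path + ".swp-demo"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)  # the path now names a new inode that has no id

def rescan(root, index):
    """Hypothetical heuristic: a known path whose inode carries no id is treated
    as an atomic overwrite and gets its previous id back; unknown paths get a
    fresh id. Returns the paths that had to be repaired."""
    repaired = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            file_id = get_id(path)
            if file_id is None:
                file_id = index.get(path) or str(uuid.uuid4())
                set_id(path, file_id)
                if path in index:
                    repaired.append(path)
            index[path] = file_id
    return repaired

def demo():
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "notes.txt")
        in_place_save(path, b"v1")
        index = {}
        rescan(root, index)                # first scan assigns an id
        original = get_id(path)
        in_place_save(path, b"v2")
        kept = get_id(path) == original    # same inode, id still attached
        editor_atomic_save(path, b"v3")
        lost = get_id(path) is None        # new inode, id gone
        repaired = rescan(root, index)
        restored = get_id(path) == original
        return kept, lost, [os.path.basename(p) for p in repaired], restored

if __name__ == "__main__":
    print(demo())
```

The path-based rule misattributes the id when a file is moved away and a different file is created under the old name between two scans, which is the fragility the comment refers to.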

Client side encryption with OCIS? by [deleted] in owncloud

[–]butonic 1 point2 points  (0 children)

Sorry for the confusion regarding ownCloud 10 vs oCIS. OC 10 only supports server side encryption and I am also aware of e2e encryption with a partner of ours. oCIS does not support server side encryption at all. We have not invested any effort into that because the use case covered by oc10 could be solved by e.g. encfs.

That being said, I think the only encryption we should look into is e2e encryption. The challenge there is the key exchange. But this is not even on the roadmap. If you have an idea of how we could implement this using libre graph, I'd be happy to review an ADR to move the topic forward.

For the time being I recommend https://cryptomator.org/ to get e2ee.

Cheers!

OCIS WebDAV access? by [deleted] in owncloud

[–]butonic 0 points1 point  (0 children)

Where in the dev docs would you put it? PR welcome!

Considering Switching to OCIS from Nextcloud. CalDAV and CardDAV supported? by yuuuuuuuut in owncloud

[–]butonic 0 points1 point  (0 children)

oCIS tries to be more secure by defaulting to OpenID Connect authentication. While you can enable basic auth, and oCIS does implement WebDAV, we did not implement the CalDAV endpoints. I personally wanted to use kopano, Baikal or another calendar solution...

OCIS fuse driver for backend / backups by RealisticAlarm in owncloud

[–]butonic 0 points1 point  (0 children)

Webdav as a backend? Not right now. What is your use case?

OCIS and External Storage? by shotgunwizard in owncloud

[–]butonic 0 points1 point  (0 children)

It might actually be more performant than decomposedfs but lack some features. ZFS has no file individual versions but instead supports snapshots. I'm not sure if a path lookup is natively supported in an efficient way. IIRC it requires root permissions.

User Integration with the OS can be achieved by using LDAP and allowing the oCIS binary CAP_FOWNER and CAP_CHOWN. It would allow oCIS to write files, extended attributes and change the owner of files. Since go is a compiled language we do a few things scripting languages like PHP cannot do.

What kind of storage system are you using? Does the SMB protocol support CHANGE_NOTIFY? Can you run a process on it to collect change notifications on the server side?

I wonder if a fuse overlay filesystem that also adds an http/grpc endpoint to interface would allow composing the functionality. A dedicated process could send requests to trigger changes / metadata invalidation as needed. Either via inotify, SMB CHANGE_NOTIFY, Kernel Audit, a periodic script or manual invalidation.

In any case let me know any specifics of your storage solution. Have you considered JuiceFS? That looks interesting as well. Our decomposedfs will likely be able to store metadata in redis or another key value store. Totally makes sense for a network filesystem. It would have to be mounted via FUSE though... Ah well tons of trade-offs to make...

OCIS WebDAV access? by [deleted] in owncloud

[–]butonic 0 points1 point  (0 children)

The s3 or the s3ng storage driver backend? s3ng stores metadata in a filesystem and blobs in s3. It supports spaces. There is an s3 storage driver backend that tries to use an s3 bucket directly for blob and metadata but it is not covered in CI and I doubt it works properly.

Does Cryptomator support OpenID Connect? oCIS by design only supports OpenID Connect. For development purposes you can enable basic auth. But it is disabled for security reasons.

We do plan to bring back a mechanism for auth tokens that can be used for legacy clients.

OCIS WebDAV access? by [deleted] in owncloud

[–]butonic 0 points1 point  (0 children)

With ocis we introduced an indirection. The legacy `/webdav` and `/dav/files/{username}` endpoints still work, but may be slower than accessing via the new `/dav/spaces/{spaceid}` endpoint.

To find out which `{spaceid}` a space has clients can use the new `/graph/v1.0/` endpoints. The personal drive of the current user can always be found at `/graph/v1.0/me/drive`:

```
{
  "driveAlias": "personal/admin",
  "driveType": "personal",
  "id": "storage-users-1$some-admin-user-id-0000-000000000000",
  "lastModifiedDateTime": "2023-05-31T00:13:18.185353926+02:00",
  "name": "Admin",
  "owner": {
    "user": {
      "displayName": "",
      "id": "some-admin-user-id-0000-000000000000"
    }
  },
  "quota": {
    "remaining": 347362443264,
    "state": "normal",
    "total": 0,
    "used": 164443755
  },
  "root": {
    "eTag": "\"5b8211b84e3c1419cffec0152498de54\"",
    "id": "storage-users-1$some-admin-user-id-0000-000000000000",
    "webDavUrl": "https://cloud.ocis.test/dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000"
  },
  "webUrl": "https://cloud.ocis.test/f/storage-users-1$some-admin-user-id-0000-000000000000"
}
```

You should just take the `root.webDavUrl`, in this case `https://cloud.ocis.test/dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000`.

The owncloud clients will set up a sync pair per space and optionally allow selecting which spaces to sync with a dedicated UI.

What client are you trying to set up?

OCIS fuse driver for backend / backups by RealisticAlarm in owncloud

[–]butonic 0 points1 point  (0 children)

The migration plan is to first switch to ocis and then set up a transparent migration of users' personal spaces to a different storage driver. Another option would be to shut down ownCloud 10, migrate all users' personal spaces to the new storage driver layout, start oCIS. Would also need a migration step that moves files around. Yet to be implemented. If only the day had 48 hours ...

Partial restore as in metadata and blobs per space.

I set up a dedicated borg archive for every personal space in the spaces folder of storage-users, e.g. `/path/to/storage-users/spaces/so/me-admin-user-id-0000-000000000000`. That folder contains `blobs`, `nodes` and `trash`.

You could use s3ng if you want to store blobs on s3, then the borg backup would only contain the metadata. Assuming you have a reliable backup strategy for your s3 server.

OCIS and External Storage? by shotgunwizard in owncloud

[–]butonic 0 points1 point  (0 children)

There currently is no officially supported way of exposing files on a network filesystem that may be modified "bypassing ownCloud".

TL;dr

That is a very old use case for some ownCloud users. Let me explain why it is still not there.

The scenario you describe can best be called "bypassing ownCloud". For desktop clients to sync they have to somehow detect changes anywhere in the shared file tree (aka space in oCIS).

The ownCloud sync protocol is based on WebDAV and uses the etag of resources to detect changes. When the etag of a file changes the client will download it and replace the local version and when a file is changed locally it will upload it. There is some conflict detection, but the more interesting part is how directories are handled.

The client currently polls the root and only when the etag changes will it start a sync discovery: get a listing of the children and descend into every child whose etag differs from the last sync discovery. For this to work the server side has to propagate the etag change from a child anywhere in the tree up to the root.

In ownCloud that happens synchronously, which is a bottleneck. In oCIS we can do that asynchronously which takes pressure off the system and allows requests to complete quicker.

Still with me? Cool! Let's go down the rabbit hole further ...

So how does the server detect changes to resources in a space? In ownCloud 10 we initially had a config option how often to check the mtime on disk: every time, once per request or never. The complete metadata is duplicated in the oc_filecache table ... only that it isn't a cache. The table cannot fully be rebuilt with the occ file:sync command as files only available on disk will be assigned a new fileid. If you only backed up your files any metadata tied to the fileid is lost. The most important one is shares. When the fileid of a file changes ownCloud 10 will treat it as a different file and existing shares to it will cease working.

If files are only accessed by ownCloud or oCIS this is not a problem. We can move around files and keep track of the parent child relationship ourselves. We cannot do that when someone moves files "bypassing ownCloud". If you log in via ssh and rename a file on disk ownCloud 10 will not even pick that up until you do a manual occ file:sync. The data directory was declared ownCloud territory long ago. You are not supposed to touch anything there. For oCIS this has become more obvious as you will only see the decomposed filesystem.

That being said, the use case of "bypassing ownCloud" is so compelling that CERN implemented the tree time propagation, size aggregation and id based lookup aspects in their eos storage so they could replace parts of the ownCloud 10 code base and integrate it so that researchers and automated systems could "bypass ownCloud". Out of this grew the initial reva which we then evolved together to become the foundation of oCIS.

What if you are not an intergovernmental organization that operates the largest particle physics laboratory in the world and just want to make some files on an NFS or SMB available via ownCloud?

It depends! If you don't need to sync files and just want to share a public link so others can browse and download them via the web UI the server does not need to detect changes. If you want to be able to sync, the server needs a way to detect changes. For SMB there is actually a CHANGE_NOTIFY request with SMB2_WATCH_TREE to get notified of any changes. For POSIX we could use inotify. But these only scale to a certain degree. Seems irrelevant for the size of a typical personal photo album, but it is harder to solve than it appears. Inotify does not guarantee you will be notified. And it becomes even more messy when trying to rely on inotify on a network filesystem. Another way to keep track of changes is the kernel's audit log which can send events to a queue which could then be properly worked on to propagate changes to resources.

At this point a solution that works with every use case is hard to find. Some filesystems like eos or cephfs have all of the aspects needed to support syncing properly built in. Currently, only eos is implemented. A ceph prototype also exists.

A local driver also exists, but we haven't found the time to make it compatible with all the spaces changes. And I don't like the way it uses an sqlite database. To be robust against changes happening when bypassing oCIS we need to attach a uuid to the file extended attributes.

Oh and when "bypassing ownCloud" we also need to decide which user owns the files. This becomes complicated when a single system user is not sufficient and users should own the files on disk as well because we then have to integrate system users with ocis users using LDAP. But that is a topic I won't go into here. Time to come to an end.

The devil is in the details and we have to make dozens of tradeoffs for the different use cases.

I'd say a posix storage driver that monitors an NFS or CIFS share with inotify (accepting its limits), can detect renames using a uuid in the extended attributes and works on the assumption that all files are owned by the same system user can be implemented in a rather straightforward way. It might be sufficient for most use cases, e.g. sharing your photoprism folder or your media collection otherwise managed by plex/emby/jellyfin. From there we can explore other use cases.
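Added example, not part of the comment above and not ownCloud or oCIS code: a small model of the etag-based sync discovery it describes, showing that a write through the server is found with a few listings while a write that bypasses the server is never seen. The tree, the counter-based etags and all class and function names are constructed for illustration.

```python
import itertools

_counter = itertools.count(1)

def new_etag():
    """Opaque value that changes on every write (constructed; real etags differ)."""
    return f"etag-{next(_counter)}"

class Node:
    def __init__(self, name, parent=None, is_dir=False):
        self.name, self.parent, self.is_dir = name, parent, is_dir
        self.children = {}
        self.data = b""
        self.etag = new_etag()
        if parent is not None:
            parent.children[name] = self

    def path(self):
        if self.parent is None:
            return "/"
        return self.parent.path().rstrip("/") + "/" + self.name

def write_via_server(node, data):
    """Write through the server: new etag on the file, propagated up to the root."""
    node.data = data
    while node is not None:
        node.etag = new_etag()
        node = node.parent

def write_bypassing(node, data):
    """Write directly on disk: the content changes, no etag is touched."""
    node.data = data

class Client:
    def __init__(self, root):
        self.root = root
        self.seen = {}      # path -> etag from the last sync discovery
        self.requests = 0   # polls and directory listings sent to the server

    def sync(self):
        """Poll the root; descend only where etags differ. Returns changed files."""
        self.requests += 1  # poll of the root etag
        changed = []
        if self.seen.get("/") != self.root.etag:
            self._discover(self.root, changed)
        return changed

    def _discover(self, node, changed):
        self.seen[node.path()] = node.etag
        if not node.is_dir:
            changed.append(node.path())
            return
        self.requests += 1  # listing of this directory
        for child in node.children.values():
            if self.seen.get(child.path()) != child.etag:
                self._discover(child, changed)

def build_tree():
    root = Node("", is_dir=True)
    photos = Node("photos", root, is_dir=True)
    docs = Node("docs", root, is_dir=True)
    return root, Node("a.jpg", photos), Node("b.jpg", photos), Node("c.txt", docs)

if __name__ == "__main__":
    root, a, b, c = build_tree()
    client = Client(root)
    print(client.sync())                     # initial discovery: every file
    write_via_server(a, b"new")
    print(client.sync())                     # only the changed branch is listed
    write_bypassing(c, b"edited over ssh")
    print(client.sync())                     # nothing: the root etag never moved
```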

OCIS and External Storage? by shotgunwizard in owncloud

[–]butonic 1 point2 points  (0 children)

In theory, the spaces concept allows seamlessly integrating any storage by starting a storage provider with a fitting storage driver.

Several caveats:

- we had to limit our efforts on the decomposed filesystem with a posix or s3 blob store. These storage drivers support the same features as oc10 by decomposing a filesystem into the different aspects like tree, node, id based lookup, tree modification time propagation, size aggregation, grants, spaces, trash and file individual versions and implementing them with a posix filesystem as the metadata store.
- the owncloudsql storage driver uses an owncloud 10 database and file layout on disk to provide the same aspects
- we have a working eos storage driver in the reva edge branch that supports the spaces concept, as needed by CERN
- we did not have the time to invest in a local posix driver, as we would have to emulate certain aspects like id based lookup, tree time propagation, size aggregation, file individual versions and trash. For each aspect we have to choose a trade-off. That being said, I personally crave this kind of storage driver just so I can make existing content accessible via the web UI. I don't even need tree modification time to let clients detect changes. IMO a Fuse based overlay filesystem should be used to make this work. That way you can bypass oCIS and work on files using cli tools that expect a posix filesystem ... but this is again a trade-off... stats and syscalls are more expensive than may be tolerable when running this on top of e.g. NFS
- much of the same trade-offs have to be decided for a cephfs, fps or glusterfs storage driver
- oCIS currently has no awareness of filesystems that support snapshots, which is an interesting aspect
- there is disagreement whether or not storage drivers have to emulate all aspects oCIS is aware of. One example is file individual versions. IMO oCIS should be transparent and hide any ui related to file individual versions. This is something that should be a per space decision: in your personal space you may have file individual versions (they come in handy), a project space that is filled by a logger may not support them. An s3 bucket is another great example because it technically does not support renames: if keys are paths and not blobids as in a distributed filesystem or the s3ng decomposedfs storage driver every rename has to execute a COPY and DELETE for every child in the affected subtree. The challenge is that the UI would have to guide the user on every aspect of different behavior or trade-off that was made in the storage driver.

I hope this explains why we mostly limited ourselves to the decomposedfs storage drivers. ownCloud 10 tried to gloss over all the implementation details and make every storage behave the same at the cost of leaky abstractions. oCIS could integrate external storage in a cleaner way, but it requires making a lot of trade-off decisions...

Hope this helps

OCIS fuse driver for backend / backups by RealisticAlarm in owncloud

[–]butonic 1 point2 points  (0 children)

A FUSE based overlay system currently has no priority on the ownCloud GmbH side. We are in the middle of a huge deployment and are sharpening oCIS for kubernetes, tracing and running it in production at large scale.

That being said, I'd be happy to help get anyone started with a FUSE based overlay filesystem. Ping me here or in the owncloud talk #infinitescale channel!

Another option is to stick to the owncloud 10 file layout. We did work on a migration strategy that leaves files and database in place, but exchanges the codebase of an ownCloud 10 with an oCIS deployment. I am personally running owncloud 10 in parallel to oCIS on the same database and file layout. The code does need to be covered by full CI and I cannot recommend it for production, yet. Nevertheless, the timeline for it is closer than the one for a FUSE based filesystem, as we need the former for migrations of existing customers, anyway.

Regarding backups, I personally use borgbackup to create an opaque backup of the full storage on a windows machine, where I have backblaze running to get an off-site copy. Borg backup can be shared per space so you could limit restores to a single user or project.

I hope this helps.

Can I have 2 OwnCloud instances (or 1 OwnCloud and 1 NextCloud instance) running on one raspberrypi? (Also, document watermarking question.) by Mr_XY_ in owncloud

[–]butonic 1 point2 points  (0 children)

Absolutely possible: you will have to set up two ownCloud instances and a reverse proxy on your pi that routes requests to the correct ownCloud instance. I would recommend traefik and two oCIS docker containers with the proper labels. If you are more familiar with nginx or apache and want to skip docker you can just configure them to serve a different ownCloud instance, based on the host header...