Configuring Federation Sharing

Introduction

Federated Cloud Sharing is managed by the Federation app. When you enable the Federation app you can easily and securely link file shares between ownCloud servers, in effect creating a "cloud" of ownCloud installations.

For security reasons federated sharing strictly requires HTTPS (SSL/TLS).

We strongly recommend using HTTP only for development and testing purposes. To do so, you have to set 'sharing.federation.allowHttpFallback' => true, in config/config.php.

Configuration

Follow these steps to establish a trusted connection between two servers.

  1. Verify that both servers have SSL certificates. If you open the server URL in your browser and see a lock icon on the left-hand side of the address bar, the certificate is valid.

    Lock icon in the address bars in Firefox, Google Chrome, and Safari.


  2. Verify that the 'overwrite.cli.url' => 'https://<SERVER_URL>' setting in config.php is set to the correct URL, not to localhost.

  3. Reset the federation job in your oc_jobs table. This job is required to get the verification token from the other server to establish a federation connection between two servers. The resetting ensures that it will be executed when we run system:cron later.

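    # Inside shell double quotes "\\\\" reaches MySQL as "\\", which MySQL reads as one literal backslash.
    mysql -u root -e "update oc_jobs set last_run=0 where class='OCA\\\\Federation\\\\SyncJob';" owncloud
    mysql -u root -e "update oc_jobs set last_checked=0 where class='OCA\\\\Federation\\\\SyncJob';" owncloud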
  4. Navigate to admin settings → sharing → Federation

  5. Add server 1 to the trusted servers on server 2.

  6. Add server 2 to the trusted servers on server 1.

  7. Now run the cron job in your ownCloud directory (for example /var/www/owncloud/).

    sudo -u www-data php occ system:cron
  8. The check should now be green.

  9. Now sync your users with:

    sudo -u www-data php occ dav:sync-system-addressbook
    sudo -u www-data php occ federation:sync-addressbook
  10. Configure automatic acceptance of new federated shares.

    sudo -u www-data php occ config:app:set federation auto_accept_trusted --value '0'
    sudo -u www-data php occ config:app:set federatedfilesharing auto_accept_trusted --value 'yes'
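
A pre-flight check for steps 1 and 2 and for the HTTPS requirement, as an added shell example that is not part of the ownCloud documentation or code. The function names are hypothetical, rejecting loopback addresses goes slightly beyond the "not localhost" rule in step 2, and the textual form of the allowHttpFallback value is an assumption.

```shell
#!/bin/sh
# Added example (not ownCloud code): pre-flight checks for a federation peer.
# Read the inputs yourself, for example with:
#   sudo -u www-data php occ config:system:get overwrite.cli.url

# Succeeds only if the value is an https URL whose host is not loopback.
check_cli_url() {
    url=$1
    case $url in
        https://*) ;;
        *) echo "FAIL: overwrite.cli.url must use https: $url" >&2; return 1 ;;
    esac
    host=${url#https://}      # drop the scheme
    host=${host%%/*}          # drop the path
    host=${host##*@}          # drop any userinfo
    case $host in
        \[*) host=${host#\[}; host=${host%%\]*} ;;   # [IPv6]:port
        *)   host=${host%%:*} ;;                      # host:port
    esac
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    case $host in
        ''|localhost|localhost.localdomain|127.*.*.*|::1)
            echo "FAIL: overwrite.cli.url points at loopback: $url" >&2; return 1 ;;
    esac
    return 0
}

# Succeeds unless sharing.federation.allowHttpFallback is switched on.
# $1 is the setting's value as text (assumed form); empty counts as off.
check_http_fallback() {
    case $1 in
        true|TRUE|1)
            echo "FAIL: sharing.federation.allowHttpFallback is enabled" >&2; return 1 ;;
    esac
    return 0
}

# Needs network access. curl verifies the certificate chain and the host name
# by default, so this fails on an expired, self-signed or mismatched certificate.
check_tls() {
    curl --silent --show-error --fail --output /dev/null "${1%/}/status.php"
}

# $1 = overwrite.cli.url value, $2 = allowHttpFallback value
preflight() {
    rc=0
    check_cli_url "$1" || rc=1
    check_http_fallback "$2" || rc=1
    return $rc
}
```

Run preflight on both servers before adding them as trusted servers, then run check_tls from each server against the other's base URL.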

Working With Proxies

Some ownCloud instances are not connected to the internet and cannot reach the public network. For these instances, Federation will not work without a proxy.

To use a proxy, set the proxy and proxyuserpwd configuration variables in config/config.php. proxy sets the proxy’s hostname, and proxyuserpwd sets the username and password credentials, in username:password format.

Creating a New Federation Share

Follow these steps to create a new Federation share between two ownCloud servers. This requires no action by the user on the remote server; all it takes is a few steps on the originating server.

  1. Enable the Federation app.

  2. Then, create a federated share by entering username@serveraddress in the sharing dialog (for example freda@https://example.com/owncloud). When ownCloud verifies the link, it displays it with the (remote) label. Click on this label to establish the link.


  3. When the link is successfully completed, you have a single share option: can edit.


    You may disconnect the share at any time by clicking the trash can icon.

Federated Sharing Scanner CronJob Configuration

As part of the migration to 10.5, before enabling the cronjob described below, make sure to remove from your crontab the system cron job that executes the legacy occ incoming-shares:poll command.

The Federated Sharing Scanner is a background job used to scan the federated shares to ensure the integrity of the file cache.

On each run the scanner will select federated shares that satisfy these requirements:

  1. within a single cron run, at most [cronjob_scan_external_batch] scans will be performed out of all accepted external shares (default 100)

  2. a scan of that external share has not been performed within the last [cronjob_scan_external_min_scan] seconds (default 3 hours)

  3. the user still exists, and has been active recently, meaning logged in within the last [cronjob_scan_external_min_login] seconds (default 24 hours)

  4. there has been a change in the federated remote share root etag or mtime, signaling a mandatory rescan
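
How the four requirements combine, as an added model in shell and awk that is not ownCloud's scanner code. The record layout and sample values are constructed, and treating the batch limit as a cap on scans actually performed is an assumption.

```shell
#!/bin/sh
# Added example: a model of the selection rules, not ownCloud's scanner code.

# Constructed records, one share per line:
# id last_scan last_login user_exists cached_etag remote_etag cached_mtime remote_mtime
sample_shares() {
cat <<'EOF'
s1 1700080000 1700096400 1 a1 a2 500 500
s2 1700099400 1700096400 1 b1 b2 500 500
s3 1700000000 1699900000 1 c1 c2 500 500
s4 1700000000 1700096400 0 d1 d2 500 500
s5 1700000000 1700096400 1 e1 e1 500 500
s6 1700000000 1700096400 1 f1 f1 500 900
s7 1700000000 1700096400 1 g1 g2 500 500
EOF
}

# $1 = current time (epoch seconds)
# $2 = cronjob_scan_external_batch
# $3 = cronjob_scan_external_min_scan
# $4 = cronjob_scan_external_min_login
# Reads records on stdin and prints the ids that would be scanned in this run.
select_shares() {
    awk -v now="$1" -v batch="$2" -v min_scan="$3" -v min_login="$4" '
        picked >= batch          { next }  # 1: per-run cap reached
        now - $2 < min_scan      { next }  # 2: scanned too recently
        $4 != 1                  { next }  # 3: user no longer exists
        now - $3 > min_login     { next }  # 3: user not active recently
        $5 == $6 && $7 == $8     { next }  # 4: root etag and mtime unchanged
        { print $1; picked++ }
    '
}

# With the defaults (100, 3 hours, 24 hours) and now=1700100000:
#   sample_shares | select_shares 1700100000 100 10800 86400
```

In this model s2 has a changed etag but was scanned ten minutes earlier, so it waits for a later run, and s3 stays unscanned until its user logs in again.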

To enable the cronjob, go to Settings → Admin Settings → Federated Cloud Sharing and enable the checkbox.


Alternatively you can use the command line:

sudo -u www-data php occ config:app:set files_sharing cronjob_scan_external_enabled --value 'yes'

You can also configure these settings of the cronjob:

  1. the minimum amount of time since the last login of a user so that a scan is triggered (ensures that only active users get federated shares synced)

    sudo -u www-data php occ config:app:set files_sharing cronjob_scan_external_min_login --value <integer-seconds>
  2. the minimum amount of time since the last scan so that the next scan is triggered (avoids frequent scans during active collaboration)

    sudo -u www-data php occ config:app:set files_sharing cronjob_scan_external_min_scan --value <integer-seconds>
  3. the maximum number of federated share scans per 10 minutes (a scan is performed only if the federated share's files were updated)

    sudo -u www-data php occ config:app:set files_sharing cronjob_scan_external_batch --value <integer-number>

Use the following command to force a run of the scanner cronjob:

sudo -u www-data php occ background:queue:execute --force --accept-warning <id-of-fed-scanner-job>

Known Issues

Persistent Locks Are Not Guaranteed

There is a known bug in propagating persistent locks to federated instances. If a user creates an exclusive lock on a share, no other users should be able to modify it, nor its contents, and all users should see a lock icon on the share.

However, this isn’t the case. The following functionality has been recorded:

  • The user who created the lock sees the lock icon throughout the share.

  • The top-level of the share for receivers shows the lock icon.

  • Sub-items of the share do not show the lock icon.

  • The share and its contents can still be modified by all users; specifically:

    • Sub-items can be deleted.

    • Sub-items can be created.