Intro

Times are changing. Yunohost (a fully integrated, easy-to-administer server framework) now runs on Debian 10. Debian 10 now supports unprivileged LXC. Nextcloud is integrated within Yunohost. At last there is a simplish way out of my current aging Owncloud install:

  • Install an unprivileged LXC (in lieu of the old root-enabled LXC)
  • Install Debian 10 in it
  • Install Yunohost on it
  • Install Nextcloud
  • Migrate data somehow
  • ???
  • Profit!

(My gripe with Owncloud is that it is no longer supported in Debian; Nextcloud has no package, and I don’t want to install it all by hand; so, having a framework that sets up everything for me suits me just fine.)

Kernel setup

A typical Debian comes with unprivileged user namespaces disabled, and unprivileged LXC needs them. Enable them with:

sysctl kernel.unprivileged_userns_clone=1

Add the setting to /etc/sysctl.d/local.conf to make it persistent across reboots.

Unprivileged LXC

Right. First we create a user yunohost (or bob if you prefer), and create a default LXC settings file:

$ cat .config/lxc/default.conf
lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 296608 65536
lxc.idmap = g 0 296608 65536

The UID and GID values correspond to the range of subordinate IDs allocated by the host to the user. They’re located in /etc/subuid and /etc/subgid.
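
One way to derive the two lxc.idmap lines from the host's subordinate ID files instead of copying the numbers by hand, as an added example that is not part of the original post. The function names subid_range and lxc_idmap are hypothetical, and it assumes the user's first range in each file is the one to map.

```shell
#!/bin/sh
# Added example (not from the original post): build lxc.idmap lines from
# /etc/subuid and /etc/subgid. Function names are hypothetical.
# Usage: lxc_idmap yunohost    # paste the output into ~/.config/lxc/default.conf

# subid_range FILE USER -> prints "START COUNT" for USER's first range in FILE,
# or returns non-zero if USER has no well-formed entry (format: user:start:count).
subid_range() {
    awk -F: -v u="$2" '
        $1 == u && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3; found = 1; exit }
        END { exit !found }' "$1"
}

# lxc_idmap USER [SUBUID_FILE] [SUBGID_FILE]
# Prints one "u" and one "g" mapping of container IDs 0..65535 onto the host
# range. Fails without printing anything if a range is missing or too small.
lxc_idmap() {
    user=$1
    subuid=${2:-/etc/subuid}
    subgid=${3:-/etc/subgid}
    need=65536          # size of the container ID range used in the config above
    out=""
    for kind in u g; do
        if [ "$kind" = u ]; then file=$subuid; else file=$subgid; fi
        range=$(subid_range "$file" "$user") || {
            echo "no entry for $user in $file" >&2
            return 1
        }
        start=${range% *}
        count=${range#* }
        if [ "$count" -lt "$need" ]; then
            echo "$file: $user has only $count IDs, need $need" >&2
            return 1
        fi
        out="${out}lxc.idmap = $kind 0 $start $need
"
    done
    printf '%s' "$out"
}
```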

Then, as the user yunohost, we create the LXC using the download template, as its images are modified to run as unprivileged containers:

$ lxc-create -n yunohost -t download
# Pick 'debian' 'buster' (actually, check what YunoHost requires)  and the result of dpkg --print-architecture

This will download stuff and create the LXC in .local/share/lxc/yunohost, which is the unprivileged equivalent of /var/share/lxc. We add network configuration to .local/share/lxc/yunohost/config, something like:

lxc.net.1.type = veth
lxc.net.1.flags = up
lxc.net.1.link = lxcbr0
lxc.net.1.ipv4.address = 192.168.122.10/24 192.168.122.255
lxc.net.1.ipv4.gateway = auto

Obviously adapt lxcbr0 to your own virtual bridge setting (which I won’t document here but check out Debian’s lxc-net) and the IP address to your addressing plan. Then we need to allow our user to create interfaces on the bridge, which is done by adding to /etc/lxc/lxc-usernet:

yunohost veth lxcbr0 10

which basically means that the user yunohost can create up to 10 virtual ethernet devices on the virtual bridge lxcbr0.

Time to start up!

lxc-start -n yunohost
ping 192.168.122.10     # Should work

UPDATE: On a fresh Debian, it seems the LXC needs to start without an AppArmor profile, which is done by overriding the settings:

lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 0

in ~/.local/share/lxc/yunohost/config, after including /etc/lxc/default.conf.

Install YunoHost

lxc-attach -n yunohost
su -       # To load root's environment, otherwise /sbin isn't in $PATH
apt install curl
curl https://install.yunohost.org | bash

Run top in another window to enjoy watching apt work under a very large ID. Go get a cup of coffee, or use that time to download data from your old OwnCloud instance.

Set up whatever plumbing is required from your external IP to the LXC, and go there with a browser for the post-install. (By the way, the install failed on me because of some updating issue. A few cycles of apt-get -f install and apt upgrade seemed to fix that.)

Migrating out of OwnCloud

Assuming you have set up cadaver when you migrated to Owncloud:

cadaver https://owncloud.example.org/owncloud/remote.php/caldav/calendars/$user
$ ls
# Check which calendars are there. Hopefully only 'personal'
$ cd personal
$ mget *

If I had many calendars, or many users, sure I’d automate this. But I don’t. Same goes for contacts, at URL /carddav/addressbooks/$user/contacts.

And importing will go the other way around using mput.

Even simpler is probably to go into OwnCloud, download the calendars and contacts, then go into Nextcloud, and import the files.

ics_tools worked right away after updating the URL in the configuration file.

Done!

Bibliography

This article was written with old knowledge from my brain, old configuration files from my system, the Debian setup guide, a random blog post (a very useful resource), and my former intern Elodie Pham’s work on namespaces, which I hope to publish one day.